Posts Tagged ‘network’

A Multi-State Strategy For Complying With Privacy Laws

November 24, 2009

By Monique Lucey

While many states have individual data disclosure laws that dictate how organizations are to handle privacy breaches, universities are trying to find the commonalities and ensure their network security accounts for them.

One IT executive at a state college said he is hoping for an overarching federal law so that he doesn’t have to dig into the particulars of each state’s mandates. Although his campus is in only one state, he says that, to be safe, he follows the guidelines of the numerous states where the college’s students are considered residents.

It’s a best practice that IT executives at other institutions could follow.

The first step is to determine what the states consider to be sensitive data. For instance, Indiana’s state law encompasses social security numbers (beyond the last four digits), driver’s license numbers, state ID card numbers, credit card numbers, debit card numbers, financial account information and any security code, access code, or password of a financial account.

Then study how the states expect you to secure that data. Do they want data encrypted while at rest and during transmission? Do they specifically call for you to use firewalls, network access controls, authentication and other security measures? What types of auditing or reporting should you be able to carry out to prove compliance?

Next, you have to understand when the notice must be given. Some states mandate that notice be given “without unreasonable delay,” but this is too vague. If this is the case, then IT and university leaders should set their own time limit for notifying affected parties and state it to users in the public security policy.

Another key factor in following state privacy laws is to be clear on how notice is to be given. Some states require you to contact users in writing, depending on the size of the breach and the cost. If the cost would be too great, states may allow you to disclose the information to the media or post it on your site.

Finally, you should have a good grip on when you must share a breach with the state attorney general’s office. Each state has different thresholds for this escalation.

As you develop baselines for complying with multiple state laws, make sure you fully test your reporting and alerting systems in terms of technology and business procedures. For instance, it doesn’t do any good for you to have great security tools in place that tell you when a breach occurs if you have no process in place for university leaders to respond in a timely and compliant fashion.

For more information, check out your state’s disclosure laws. As an example, here is legislation from Indiana and Massachusetts.

Buyer beware of the vendor who tells you a mixed-vendor network is bad

November 17, 2009

By Monique Lucey

Last week’s blog looked at new and interesting issues in higher education from various Educause sessions. I was struck that none of these presentations addressed the implications of a multivendor network, and thought I would take this opportunity to introduce a guest blogger, John Gray. John is a product marketing manager at 3Com, focused on H3C enterprise brand products and in particular, on data center solutions. John recently posted this discussion about the advantages of a mixed-vendor network on the official 3Com blog.

Buyer beware of the vendor who tells you a mixed-vendor network is bad

By John Gray

I recently listened to a presentation in which an IT analyst presented a case for how mixed-vendor networks are less reliable, more complex and costlier than a single-source vendor strategy.

While the analyst made some interesting points, he failed to acknowledge any of the key benefits that a dual- or multivendor-network strategy offers customers.

For starters, a multivendor network provides enterprises with the freedom to choose.

Rather than having to adhere to one vendor’s proprietary or monolithic architectural view of the world, a multivendor strategy enables enterprises to leverage open standards‐based solutions that are aligned to a customer’s business priorities, and not the other way around. This freedom enables enterprises to choose the best possible solution, rather than having to settle or compromise for a certain product simply based on the logo on the front of the box.

Decades of standards work by industry groups such as the IETF have enabled this broad multivendor interoperability across L2/3 networks for key networking functions like switch trunking, VLANs, QoS and Power over Ethernet (PoE), to name just a few.

What is it going to take to earn YOUR business?

Furthermore, multivendor competition levels the playing field and creates an environment where competing vendors become VERY focused and innovative on how they can earn a customer’s business through aggressive pricing, value-added services and feature/product commitments.

If nothing else, this type of open competition at least keeps an incumbent vendor honest and as sharp as it can possibly be on pricing and support. In a best-case scenario, customers may learn they can save tens or hundreds of thousands of dollars.

But my (single-source) vendor keeps telling me about multivendor complexity, issues, etc., etc. …

There’s a reason they keep telling you this: There isn’t much upside for an incumbent supplier if you bring in a second vendor! The reality is that current best practices for running today’s network infrastructures apply to both a single or multivendor network. For example, establishing well-defined, open standards boundaries between the access and core network layers provides a logical demark to deploy a different vendor solution if it makes feature/function or economic sense to do so.

In fact Gartner recently published a research note around this very topic citing that: “The operational impacts of introducing a second vendor for basic network infrastructure are modest and easily handled by most organizations.” It continued: “Introducing a second vendor will reduce capital expenditures (capex) by at least 30% (and often more), while only minimally increasing operational expenditures (opex).”

I’d be interested in hearing your stance on single- versus multi-vendor networks. Which do you think is more advantageous?

Looking for top-notch researchers? Bring IT to the table

October 27, 2009

By Monique Lucey

There is always a push-pull when it comes to managing and securing higher education networks, and nowhere is that more evident than at universities with strong research arms.

Researchers want flexibility in their computing resources while IT teams must keep data, applications and infrastructure secure and optimized. It’s a difficult balance made more challenging by a mounting stack of compliance mandates.

Suddenly, IT must ensure that not only is research data protected because it’s a valued asset for the university, but also because not doing so would be in direct violation of laws such as HIPAA and those issued by the FDA. In fact, failing to adequately protect sensitive data can result in fines and public disclosure – not a risk you want to take.

Yet top researchers are beginning to examine the openness of IT departments as part of their decision to join a university’s staff. They know that too many obstacles from the technology team could inhibit their ability to conduct experiments, share data with colleagues and other key tasks.

Often, this strife comes from a lack of communication between college administrators, faculty and IT. Administrators and recruiters often promise an open network to attract talent, but then once on-campus, the researcher finds that IT has too many constraints on infrastructure, applications and communications.

Therefore, administrators and recruiters should involve IT in the search and interview process. As university chiefs narrow their pool of candidates, they should book one-on-ones between IT and the applicants so IT can explain the environment and understand what types of support and infrastructure the researcher expects.

For example, if a researcher aims to collaborate with other universities on a regular basis, IT could consider joining InCommon, a federation for securely sharing protected resources. At the very least, the candidate and IT would be on the same page regarding IT’s duty to uphold government mandates surrounding the candidate’s research. Such conversations would also give IT enough time to get up to speed on compliance requirements and allocate appropriate human and technology resources.

As one IT exec recently said to us in an interview, IT does not want to be the reason that famed and lucrative research goes elsewhere.

What do you think? Should IT play a greater role in attracting research talent to universities? Do you think IT can have a positive impact by understanding the goals of researchers? Let us know.

The Role of IT in Virtual Learning

October 20, 2009

By Monique Lucey

An increasing number of higher education institutions are noticing the appeal of virtual learning environments (VLE), where students have flexible access to classes, coursework, faculty and supplementary materials. However, they might not be as aware of the toll these projects can take on IT infrastructure and resources.

Students, teachers and staff expect anytime, anywhere access to VLEs, including from potentially unsecured home and mobile networks. They require the platform and infrastructure to feature high performance and high availability at all times. And they take for granted that the information downloaded, posted, exchanged and stored will be protected.

At the same time, the parameters of what constitutes a VLE are constantly changing. Some VLEs have HD components, such as videoconferencing, that can be incredibly draining to network resources if not monitored closely. Others use social networking to share information, which must be managed to comply with government privacy mandates.

To ensure that all bases are covered with VLEs and that users are getting the highest quality of access to learning, higher education institutions should bring IT to the table early on in their VLE deployment discussions. That way, VLE stakeholders can have a proactive discussion about the capacity, compliance, management, security and storage needs that comprise a sound VLE strategy.

As an example, to guarantee that VLE users can’t get into unauthorized areas of the system, IT can work with VLE administrators to establish user and group access policies. They can map those policies to government and university guidelines. Centralized management tools enable IT to automatically dispatch, deploy, update and enforce these policies to all endpoints. In addition, with centralized management tools, IT can run reports and handle audits to prove compliance.

IT can also improve the resiliency of the VLE environment by studying spikes in usage through centralized network management and optimizing network resources accordingly. If a professor posts a new HD video lecture, IT can make sure that the server and network bandwidth are capable of handling increased user access without negatively affecting the rest of the network.

Finally, IT will be the key to benchmarking VLE success. Using centralized network management, IT can chart how often users are accessing the VLE and what components they are finding most effective. They can also alert stakeholders to growing pains and expand infrastructure before performance takes a hit and users complain.

Click here for more information about how the H3C Intelligent Management Center (IMC) network management platform can play a positive role in virtual learning.

How have you handled the relationship between VLEs and IT? Did your institution bring you into the discussion early on or did you have to play catch-up once the platform was deployed? What advice do you have for others that are deploying VLEs to meet security and infrastructure demands? Let us know below.

