Here’s an industry with no regulation, no oversight, no one looking over their shoulders. And they collect A LOT of data about individuals, and they have a lousy record of securing this information. The industry in question is higher education, and as anyone who has gone through the college application and financial aid gauntlet can attest, colleges collect extremely detailed information on applicants and their parents. They get a copy of your taxes, income and expense information, SSNs for student and parents, and much more.

My son heads off to college in the fall, and did a great job in high school, got into a great school. We could not be prouder, but I digress. I don’t want to trash the school, but the university he is headed off to recently disclosed that a computer that had lots of records (thousands) of current and former students, and faculty, was stolen. Said computer had PII, including SSNs, on these individuals. Apparently not encrypted. No identity theft that they know of yet, and they are not saying much other than “we’re investigating”. C’mon folks, it’s 2009: identify systems that contain PII, restrict access to this information, and implement encryption. It’s just not that hard, and it’s not that expensive.

It struck me how frequently educational institutions pop up in news stories about security breaches, how much information they collect on students and parents, and there’s absolutely zero oversight in the industry. Higher education accrediting organizations care a lot about quality of education, but I am not aware of any IT security standards they’ve put in place.

Having worked with some .edu’s (and in the very distant past I worked for one), I know that they have funding challenges (maybe more so than most other industries when it comes to funding IT security initiatives), and their cultures tend to be open, sharing, etc., both of which make securing their assets tough. But really, given the kinds of data they collect and store about us, there’s just no excuse for poor security.

And from a big picture standpoint, I clearly see why we need a national data breach law, both to reconcile and make sense of conflicting state laws, and to cover all the gaps that exist in various industries, including (in this example) higher education. For better or worse (and I would argue better, on balance), the payment card industry took it upon itself to develop an industry-wide set of IT security standards, and a mechanism to enforce them. Maybe higher education needs something similar.