As a CIO, IT security is one of a few things that keep me up at night. I read headlines about companies with many more resources than most higher education institutions having systems or data compromised and it scares me. How can I ever keep up? How do I know what to focus on? Can I ever be secure? Maya Angelou altered a very old quote by saying, “Hoping for the best, prepared for the worst, and unsurprised by anything in between.”
In IT, and with IT security, this quote resonates and is good practice in general. I would like to achieve that level of confidence in my security posture. I can only say that I work towards it. Cybercrimes have increased in complexity, sophistication, and quantity. New vulnerabilities arise that will later be caught with system updates, but in the meantime there are current vulnerabilities. We are all vulnerable no matter how sophisticated our environment. Most analysts now say that it is not a matter of if, it is a matter of when you will have a security incident. So, where do you start and what do you do?
"Plan for a security event by purchasing insurance"
Everyone should be taking three steps. They are applicable with small or large resources.
First, commit yourself to continuous improvement throughout your systems and infrastructure. Keep your systems and network devices updated (patched). Set a manageable maintenance schedule and stick to it. Improve it over time. Do not let projects trump system maintenance; find time to do both.
Perform rotating audits. If your resources are not vast, consider rotating types of audits every few years so that your resources can address and mitigate the vulnerabilities found. Do not make the audit so comprehensive that you won’t be able to resolve the gaps for more than a year. Align resources to your audit so that you can mitigate risks identified. (See audit types below.)
Do a risk analysis after an audit to determine the most important vulnerabilities. A risk analysis takes just a few steps. Come up with the probability of the event occurring at your institution given your current technology. Then multiply that by the cost of the event that could occur. That dollar amount is the risk value. It is a simplistic approach. Your auditors will help with that. As a CIO, learn how to do a risk analysis. It is a fundamental tool in your tool belt that helps you to be a strategic thinker.
My personal top five audits:
1. Penetration Test
2. Social Engineering
3. Data Security
4. Web Application
5. Network Architecture
Second, get the best products that you can afford. Every business needs security at multiple layers: network layer, system layer, and application layer. For each layer, deploy the products available to you: anti-virus, anti-spam, firewalls, intrusion prevention, encryption, and biometric recognition. Pick the best products you can afford. Some of the free products are very good and it is a starting point. Keep improving over time. Learn about new products and plan to invest as you can.
Excellent Resources from Educause:
Educause released a tool from the Higher Education Information Security Council (HEISC). The self-assessment has been designed to be completed annually or at the frequency your institution feels is appropriate to track its maturity. I attained CISSP certification in 2010 and can complete this myself for my institution, but others may need support in completing this if you don’t have an IT Security Officer. An auditor may be able to help fill out section of this tool. The Educause Core Data Service has an optional module for IT Security. I recommend completing it if you have not. It will certainly educate you and it will allow you to benchmark yourself with peer institutions.
Other resources that are searchable on the Educause web site are:
• Computer Security Incident Response Team (CSIRT) checklist
• Recommended response strategies for a data breach
• Numerous presentations and articles about security, CSIRT, data security, and risk analysis
Lastly, and most importantly, plan for a security event by purchasing insurance. Insurance products are relatively new to the insurance marketplace and provide excellent resources when an incident occurs. Insurance products offer support for incident response, breach notification services, coverages for data destruction and loss of data, network business interruption, and cyber extortion. An option can be chosen from many available ones. The costs have decreased and many industries are purchasing coverage. One of the best things that come out of getting bids for insurance coverage is the conversation between IT and the CFO. Discussions must occur about risks that need to be involved in an incident and the potential costs associated with an incident. Part of the application for insurance requires answers to current security system in place. Indeed, the CFO will become a little more educated about the need for security products. In addition, discussions about a response team will occur as you complete an application for insurance. All of these communications can help move stagnant discussions about IT security. No matter what your resources and support are, I think having insurance is indispensable to have in order to be prepared for the worst–a security incident.