In the technology and information security arena, it is a commonly accepted fact that maintaining the status quo really means falling behind; security must be proactively managed due to the ever-changing nature of technology, risks faced by higher education, and security threats. All institutions of higher education face risks in meeting their core missions. Information security and privacy safeguards help to reduce the likelihood and/or impact of threats. Comprehensive management and committed response are critical to supporting educational missions and protecting the university and its community.
Based on independent research, interviews, and subsequent analysis, the review team finds that the general state of information technology security and privacy at UI is:
(Excellent, Very Good, Good, FAIR, Poor, Very Poor)
The FAIR rating, while subjective, is based on the review team’s experience and rates UI’s environment against other similar higher education institutions.
The fundamental issues, as stated by many of the interviewed individuals and observed by the review team, are: widespread and decentralized responsibility for IT; inadequate staffing in ITS, particularly in the security arena; lack of formalized incident handling and response processes; and the absence of IT control auditing capability.
- Decentralized responsibility for IT: Responsibility for IT services is highly decentralized at UI. Many departments and units maintain facilities, infrastructure, and common services outside of institutional investments in ITS-managed services. Even within ITS, there are many silos of responsibility. This decentralization dramatically and unnecessarily increases physical and cybersecurity risks, as well as personal and institutional privacy risks. In addition, it results in avoidable consumption of power, physical space, and labor for maintenance and administration, which contradicts the institution’s sustainability goals.
- Inadequate security staffing: No one at UI is primarily charged to be the expert on and champion of secure and resilient operations; to manage incident response functions; to receive specialized security training; to advise ITS and university leadership on best practices; and to consult with functional leaders and technicians on secure practices. Such a position is critical to the creation and ongoing evolution of a security program for the university. Overall, ITS staffing is below the number needed to appropriately manage and secure the IT infrastructure. In understaffed IT organizations, staff members do not have the time needed to adequately maintain systems and databases, and proactive security safeguards are often skipped so that staff can complete more urgent tasks.
- Lack of deliberate risk assessment and mitigation: If serious risks are realized, the negative consequences could directly affect UI’s ability to perform its core missions. Enterprise systems, core network connections, and data sources could become unavailable for an extended period if these risks aren’t appropriately recognized and mitigated; loss of data and the subsequent recovery time could interrupt student education and other university activities. Incidents, including breaches of personally identifiable information, could cause financial and reputational harm and require significant staff resources, up to and including the president of the university.
- No formalized incident response function: Awareness of how to proceed during an information security incident is not widespread. There is no written incident response procedure for ITS servers, and very few schools and departments have such a procedure. Some incident tracking is done using FootPrints, but not consistently. While incident response at ITS may have been effective, it has relied mainly on a talented individual doing the “right thing.” If that person leaves UI or goes on vacation, there is very little procedure to fall back on. Stress and emotions run high during an incident, and mistakes can be made without documented steps and guidance.
- No IT controls auditing capability: There is no unit at UI currently tasked with, and skilled in, auditing IT controls to determine the existence, applicability, and efficacy of such controls. Without such a unit, ITS and departments have no way of knowing whether they are in compliance with policies and laws, or what steps are needed to achieve compliance. The lack of an IT control auditing function also significantly limits the university’s ability to engage in meaningful enterprise risk management.
These issues cannot be solved by ITS alone; they require the engagement and support of the entire UI community. University discussions and decisions regarding risk tolerance, cost/benefit analysis, actions, and accountability all have to occur to adequately address the fundamental issues and recommendations outlined in this report.
The report recommendations are listed as discrete, individual efforts. While addressing any one of them alone might be relatively simple, treating all recommendations as a system of needs can be much more challenging; the underlying processes are knitted together – and impacted – by addressing each item. In addition, addressing the report recommendations will require prioritization and reallocation of scarce resources (i.e., time, money, and staff) throughout the UI community.
While all universities face challenges in managing and mitigating information security and privacy risks, there are important immediate steps that UI can – and should – take to protect the university and meet best practices for higher education. The issues highlighted above are intended to provide a sense of some of the most critical areas of concern. In addition, the prioritized list of recommendations contained in Appendix C provides guidance on some of the safeguards that require more immediate attention.