Six essential steps to secure academia

Networks in the academic world mirror the Wild West, where data protection is an uphill battle. CISO Stan Gatewood explains how he pulls it off in six essential steps

Step 2: Policy and compliance management

Academic institutions have to comply with many regulations and industry standards, from HIPAA to the PCI Data Security Standard. Gatewood says a formalized group policy and compliance program is essential, and must outline the ramifications of not complying with the rules.

Step 3: Strategic planning and leadership

No organization can achieve security on the fly. To that end, Gatewood is a big proponent of strategic planning and having specific people take the lead in specific areas. "You must map out specific goals and how you will get there -- we're starting here and going to point B, C, and D. Here is the roadmap to get to where we need to be, not just for IT but at the strategic level." Meanwhile, he adds, "You need someone at the helm who is experienced, educated and driven."

Step 4: Community awareness training and education

University security leaders must educate contractors, staff, students and faculty on security awareness, where the dangers are, the what, why and how, Gatewood says. Universities need an official program that speaks to those points.

Step 5: Proper incident response and reporting

Security pros must always remember that things are going to happen despite the best-laid plans. When that's the case, organizations need to be able to respond in a standardized way. There must be a high degree of confidence that an individual will respond to an incident properly without fear for their job or how bad they'll look, he says. The plan needs to account for the risk level and criticality of the incident at hand.

Step 6: Contingency planning

This step goes hand in hand with Step 5, Gatewood says, adding, "Bad things happen. No one at the University of LA thought something like Hurricane Katrina would happen. You have to know what to do when these things take place, make sure you protect the human element, and that you have backup systems."

Academic security pros speak out

The challenges Gatewood outlines and the steps taken are similar to those experienced by others in the academic world. CSOonline.com surveyed several administrators on their biggest concerns. Here are some of the responses:

Kevin Hardcastle, information security officer at the Washington University School of Medicine: "In my case, I provide information security and risk management for the medical school campus, which has a completely different focus from our main academic campuses. Not only do we have various regulatory requirements to consider, we also must be able to allow the free flow of information not covered by those requirements. I quickly see a move back to the basics: establishing clear data classification, building layers of security and policies based on those classifications, and a constant communication plan. Human factors will always be the most challenging aspect of this job. You cannot just throw a tool in place to solve smart people behaving badly."
