Please use this identifier to cite or link to this item: http://hdl.handle.net/11366/448
DC Field | Value | Language
dc.contributor.author | Hommel, Wolfgang | en_US
dc.contributor.author | Metzger, Stefan | en_US
dc.contributor.author | Steinke, Michael | en_US
dc.date.accessioned | 2016-03-23T09:33:11Z | -
dc.date.available | 2016-03-23T09:33:11Z | -
dc.date.issued | 2015 | -
dc.identifier.issn | 2409-1340 | -
dc.identifier.uri | http://hdl.handle.net/11366/448 | -
dc.description.abstract (en_US):
Information security has successfully gained high levels of management attention in European higher education institutions (HEIs) over the past decade, but is the data stored in HEI data centers, IT departments, or faculty server rooms really more secure as a consequence? In this article, we first review how information security policies and risk management processes were typically introduced in HEIs as an important first step, but then argue that many HEIs still need to complement these "people and processes" steps with efforts to make efficient use of them on the "technology" layer. HEI servers that can be accessed from the public Internet have a long history of being lucrative targets for attacks by all kinds of miscreants because, e.g., the network bandwidth available at many HEIs can be misused for sending spam emails or participating in high-volume denial-of-service attacks. More targeted attacks are performed, e.g., to spy on intellectual property related to research projects and HEI collaborations with industry partners. And in times of doxing, i.e., the black-hat hacker sport of making an organization's internal documents and emails public, as in the 2014 Sony case, the demand for protecting certain data even against more determined attackers becomes obvious. Until about 10 years ago, most system administrators and service operators were sufficiently familiar with the information security implications of the hardware and software in their area of responsibility. But meanwhile, services such as private cloud hosting environments, groupware collaboration tools, and web-based learning management systems have grown to a complexity that practically cannot be mastered by individuals anymore. More often than not, complex software services are operated in production use without scrutiny regarding their security settings or thorough consideration of additional security measures that should be placed upstream.

To cope with this increase in complexity in a structured manner, security management processes, e.g., based on the international ISO/IEC 27001 standard, have been introduced, along with the assignment of responsibilities to roles such as HEI Chief Information Security Officers (CISOs), the preparation of policies, e.g., regarding data classification and secure disposal of media, and checklists for handling security incidents and data breaches efficiently. According to the textbooks and for very valid practical reasons, risk management drives each of these activities. However, information security risk management is a process that requires a lot of information as input, and even more expertise. It can therefore quickly turn into a useless placebo paper tiger when it is not applied properly in practice. But when given only a high-level process description, many system administrators and service managers do not know how to do risk management in a meaningful way, i.e., with reasonable effort and immediate benefits from the results. We therefore present our strategy for operationalizing information security risk management in an HEI data center with a focus on both HEI-internal IT services and HEI cooperation, e.g., in research projects, with the long-term goal of compiling the feedback we receive into an HEI best practice guide on information security risk management.
dc.language.iso | en | en_US
dc.publisher | EUNIS | en_US
dc.relation.ispartof | EUNIS Journal of Higher Education IT | en_US
dc.relation.ispartofseries | EUNIS Journal of Higher Education IT - Issue 2015/3; EUNIS2015 Congress Issue; | -
dc.subject | Information security | en_US
dc.subject | Risk management | en_US
dc.subject | ISO/IEC 27001 | en_US
dc.subject | Higher education data center | en_US
dc.title | Information Security Risk Management in Higher Education Institutions: From Processes to Operationalization | en_US
dc.type | Article | en_US
item.openairecristype | http://purl.org/coar/resource_type/c_18cf | -
item.grantfulltext | open | -
item.cerifentitytype | Publications | -
item.openairetype | Article | -
item.fulltext | With Fulltext | -
item.languageiso639-1 | en | -
Appears in Collections: Eunis Journal of Higher Education IT (EJHEIT)

Files in This Item:
File | Description | Size | Format
EUNIS2015_submission_48.pdf | | 2.05 MB | Adobe PDF
Items in DSpace are offered under a CC-BY 4.0 licence unless otherwise indicated