Not able to create a dedicated Chief Information Security Officer or cybersecurity team in your environment? Or are you uncertain about whether such an investment would yield the desired programmatic risk-mitigation results? In our context it didn’t make sense to prioritize creation of a CISO or new dedicated information security roles. At Bryn Mawr College we have taken an alternative path: prioritizing information security at the institutional level and designing and developing a holistic campus program with a strong sense of shared ownership across constituent groups.
This do-it-yourself (DIY) guide explains how you can put the key elements of a robust program in place with or without a dedicated security officer or team, leveraging all relevant existing members of your IT organization and the full “village” of your institution.
Bryn Mawr College, like every organization with systems and data connected to the internet, is vulnerable to data breaches. The college has a robust information security program to mitigate against the risks of continuous breach attempts and of accidental data exposure. We articulate that program as a set of elements that represent our required due diligence, areas of excellence in our current practice, and additional measures the institution intends to implement as the standards for information security are evolving.
The first tool in the DIY guide is to learn what standards are currently relevant to your institution. We do this in two ways. We look at formal standards and have adopted the NIST framework as our primary reference point, while also studying UK guidelines and other security and privacy laws and developments in the EU as part of informing ourselves about the national and international terrain. We also connect informally with colleagues who have established strong models, both for holistic information security programs and, when we’re seeking templates, for particular components of our own program that we can adapt.
The second tool is the concept that risk mitigation in the cybersecurity realm requires “the whole village.” It’s relatively simple to mitigate against attacks on our networks and our systems. It’s a more significant quest to reduce the risk brought by every individual with credentials and access to data in our systems, and, of course, the people are the most frequent vector for breaches. Cyber criminals focus efforts on leveraging computing resources to find vulnerabilities in firewalls and databases, but the easiest target for bad actors is the social engineering that causes well-meaning citizens of our communities to give away their credentials and the keys to our data kingdoms.
For this reason, we focused early at Bryn Mawr on education for all, accountability for all, and working together to learn the terrain and to enact best practices. We invested significantly in information security education as a regular program for all members of the community, as well as more focused training for those who steward particular kinds of data. We also invested in education to enhance awareness and practice across campus, such as PCI compliance for those involved with e-commerce, FERPA and HIPAA training, financial aid requirements, and GDPR awareness and protocols. We also created a College Data Handling Policy to articulate expectations for the responsibilities that we all hold for educating ourselves and stewarding institutional data across classifications with appropriate care.
In 2014, I convened a group of representatives from across academic and administrative areas of the institution to form our Information Stewardship Council (ISC), a group that is always co-chaired by a colleague from another area of the institution to signify that information stewardship is not just an IT issue; it’s an issue for all of us, campus-wide. This ISC is endorsed by our institution’s president because information security is an institutional priority. Senior leaders from across the institution are ex officio members of the ISC, and they identify ISC representatives from their divisions who have key roles in data stewardship. We pointedly charged this group to focus on information stewardship broadly for the institution—not only information privacy and security, but also stewardship of our critically important digital assets, which range from unique special collections and archives assets to research data produced at the institution. We think holistically about how to manage, protect, and ensure appropriate availability of this full set of institutional assets for which we’re collectively responsible.
The local institutional village doesn’t stand alone. For our technical teams, we connected with REN-ISAC to ensure early awareness of new threats and developments in this space. We learn from what others are doing via EDUCAUSE and share best practices in smaller higher education IT networks. We talk regularly with trusted peers to share experiences and to figure out appropriate models for implementing particular policies, technological measures, and processes.
Below are key components of our information security program that we continuously review and update as part of due diligence.
As I continue to read about developments in the field and to learn about models that colleagues have built at other institutions, I continue to reflect on the relative merits of dedicated security resources as compared to the integrated “village-wide” model we have adopted thus far. Through engaging the full community from the start, we’ve developed a shared mindset among constituents that we each have responsibility and that we collectively learn the terrain and enhance our policies and practices in an ongoing way as a community. I’m not sure a CISO introduced into our institutional culture could have moved the community to this place of shared investment and responsibility. I hope this model resonates for other smaller institutions or for institutions of any size that are grappling with questions about how best to invest in this critical area.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of the Tambellini Group.
© Copyright 2023, The Tambellini Group. All Rights Reserved.