Skip navigation
Blog

With classes online, now is the time to assess your campus’s cybersecurity practices

March 30, 2020

In the wake of COVID-19 sweeping across the nation, higher education CIOs have implemented business continuity plans and enacted remote teaching, learning, and staffing policies.

At the same time, IT security personnel will wait with bated breath for the first COVID-19 related cyberattack. Security professionals worry that remote learning has weakened higher education’s cybersecurity and will require campus unity to patch the security holes. The remote teaching and learning platforms were not built for total campus-wide use, and the transition’s speed forced circumvention of the institution’s security protocols, creating vulnerabilities. In the coming weeks, IT leadership will assess the level of COVID-19 security damage, but the assessment’s scale and detail depend on campus motivation.

Successfully running virtual higher education during the COVID-19 pandemic requires campus participation on all fronts. Therefore, IT security leadership must use this crisis as motivation for rallying campus to assess and improve cybersecurity practices. An admirable first step is monitoring peer institutions and the private sector for any COVID-19 related cyberattacks.

Concrete examples will ease the burden of motivating campus stakeholders in supporting a campus-wide security assessment. IT security leadership bears the responsibility to ensure that the campus understands potential security threats. In the past, EAB’s IT Forum profiled Ohio State University and how they successfully leveraged a security crisis to motivate their board into approving the security survey. The survey results educated department staff on the technical nature of cyber threats and the positive role that they can play in preventing and mitigating breaches. Ensure stakeholders have the information and tools to prevent another COVID-19 related incident.

Ohio State’s campus security survey guided campus leaders

When the board of trustees at Ohio State University sought increased security reporting from IT, the CISO developed a simple self-grading survey mechanism for the campus. The survey was based on a standard National Institute of Standards and Technology (NIST) framework, with 100 questions developed in cooperation with campus experts (e.g., general counsel).

To maximize the impact of campus survey results and help individual units understand their vulnerability, the CISO produced department-level scorecards that compared units to their peers (e.g., academic departments, research centers) and the institution as a whole.

Example cybersecurity scorecard from Ohio State University

100%

participation in the second year of the security survey
participation in the second year of the security survey

The scorecards helped local academic and finance staff set benchmarks for improvement, understand peer comparisons, and identify key areas for remediation. Survey results were delivered and compiled through secure channels to remain confidential, as the results are sensitive information.

In its second year, the survey gained 100% participation from units, and instead of pushing units to accept cybersecurity policies, there was overwhelming department-initiated demand for CISO involvement with security consultation on asset tracking, policy writing, and vendor screening. Each unit maintained responsibility for configuring its security policies, but the department leaders began to understand that university-wide security was only as strong as the weakest department.

“We told units we couldn’t force them to participate in the surveys and scorecarding, but we’d report on who wasn’t participating to the trustees. No one wants to be the department in front of the board for not playing ball.”
Helen Patton, CISO, Ohio State University

3 lessons learned from Ohio State’s implementation of a security survey
While Ohio State University’s campus security survey may not be an appropriate tool for every campus, their implementation strategy can be broken down into individuals lessons suitable for a tailored security assessment.
1.
Any survey should be a lightweight tool for self-assessment and benchmarking
The purpose of these tools are not to replace existing audit frameworks but rather to drive additional value from existing auditing activities and empower department leadership in their own data protection.
2.
Leadership should be able to understand their results at a glance
Maximize survey results by translating numerical data to a “maturity level” and dividing departments by primary data usage to maximize the result’s benchmarking impact.
3.
Require leadership team sign-off before submitting survey results
The scorecard’s primary benefit is helping department leaders understand cybersecurity threats. Their signature is leadership’s promise that they have reviewed the survey results.

If you would like additional information and resources, members can access the IT Forum’s Elevating Security Awareness, Tool #5 “Department Security Scorecard Template“.

You may also like

More Blogs

Blog

How can you tame data sprawl? Consider a chief data officer

Data challenges are not new to higher education. Data and analytics are critical to the fundamental, institution-sustaining initiatives…
Data & Analytics Blog
Blog

Bringing a digital strategy to life: expert advice from the University of Greenwich’s Director of Information and Library Services

It’s one thing to acknowledge the need for digital innovation and digital dexterity in response to student expectations…
graphic of two individuals shaking hands
Blog

Institutional Research and IT are working together—here's what that means for campus analytics

Explore insights from this year's Association of Institutional Research (AIR) Forum, including how better collaboration will change campus…
Data & Analytics Blog