Notre Dame CIO recommends advance planning to offset computer security risks

by William G. Gilroy

Even as efforts continue to mitigate the immediate threat of the latest computer worm outbreak, the co-chairs of the Educause/Internet 2 Security Task Force are stressing the need to prepare for future events.

Gordon Wishon, chief information officer (CIO) at the University of Notre Dame and Dan Updegrove, CIO at the University of Texas, discussed a variety of security issues related to technology in higher education during an interactive Web-based seminar last week.

Wishon and Updegrove, both of whom have faced major security events head-on when hackers tried to harvest sensitive data from servers at their respective universities, noted that security problems are a fact of life. Moreover, they believe attempts by hackers to invade computers at institutions and businesses, whether for destruction, sport or profit, likely will accelerate.

Advance planning, according to Wishon and Updegrove, won’t stop intrusion attempts, but it goes a long way toward nipping a security incident in the bud before it becomes a major problem.

“You need to plan in advance of an incident and have relationships, processes and procedures in place for quick action,” Wishon said.

Knowing who should be involved within the organization may change according to the incident, he said. Therefore, IT managers need to anticipate what types of incidents may occur and have contacts and procedures in place to handle them. Colleges and universities, for example, might engage general counsel, law enforcement or risk management depending on the severity or type of security incident.

It is also important to have strong relationships with high-level university leaders and have people in media communications who have some understanding of IT issues, Updegrove added.

“You cannot communicate enough during a security incident,” Updegrove said.

In the early stages of a problem, a lot of face-to-face meetings are necessary. But as IT people get a handle on the problem, the number of meetings diminishes, and you can rely more on e-mail and perhaps a special Web site, according to Updegrove.

When it comes to security, Wishon recommends placing a high priority on both prevention and remediation. “Sacrificing prevention to the demands of everyday operations is a big mistake,” he said.

Updegrove takes it a step further. “Prepare through security incident drills,” he advises.
