Kolowich, S. (2011) Security hacks Inside Higher Education, January 27
This should be required reading for every research academic who collects data, for every CIO, and for every university board, which ultimately has responsibility for governance.
This article, about a medical researcher who was fired for a breach of data security at the University of North Carolina at Chapel Hill, is a classic case of why every institution needs to have an IT security protocol in place that is communicated and understood by all academics.
In this particular case, there are no winners, not the patients whose personal information was compromised, the professor who did not pay sufficient attention to the technical aspects of data security, the CIO, who should have ensured that there was a system in place for effectively tracking and monitoring the security of data, and for the board, who are ultimately responsible for ensuring that there is a coherent and effective governance structure. This is, as one of many interesting comments on the article put it, a complete system failure. But there for the grace of God go most universities.
Dr. Tony Bates is the author of eleven books in the field of online learning and distance education. He has provided consulting services specializing in training in the planning and management of online learning and distance education, working with over 40 organizations in 25 countries. Tony is a Research Associate with Contact North | Contact Nord, Ontario’s Distance Education & Training Network.
Couldn’t agree more. I do think that central IT organisations in most universities do a poor job of communicating security policies and the requirements behind those policies to faculty. Having said that I also believe that a significant minority of academic staff see security policies as being one more attempt to stifle their innovation and ‘academic freedom’. As a result they are often inclined to just not listen or ignore those policies.
This makes it difficult when we (speaking as an IT person now) get requests for publicly accessible ‘innovation servers’ on which academics can place anything they like. The open educationalist in me wants to do that and make it as easy as possible. The IT person in me knows that someone will post student grades and contact details and that the IT group will be blamed.
All of which is a bit crazy because increasingly it’s out of the hands of IT anyway as academics set up cloud spaces to do what they want. It just means that the custodians of corporate data security will have to be more vigilant in getting the message across to faculty.
Cheers
Mark