Information Privacy and Security Standards

I am working on the security chapter for the Cornell University Press book I am writing.  It has resurfaced so many memories. The theme is how we built something from virtually nothing. When Polley McClure tasked me with a security policy, not only was my own absence of technical training in bold relief, it reflected a new landscape where technology rolled ahead of law and policy, virtually no models existed, and we had to make something from scratch.  Moreover, we did not work theoretically or in a vacuum. With the release of script kitties and the copyright wars inspiring proxy servers, security incidents went through the roof. The People’s Republic of China was already sucking content out of our universities. The events of September 11 hung over us all ominously as information technology became the next target. 

 As “innovator” in Myers-Briggs speak, I thrived (notwithstanding the complex politics of Cornell’s unnecessarily competitive administration, which I did not like so much).  I like creating and building new stuff. As a Taurus in astrological speak, I have perseverance (although many, including Readers, might call it stubbornness).  Good thing, because the Information Technology Framework (now off line, or I would toss in a link) took us ten years to accomplish. The principal information security policy turned out to be a seven or eight-year project.  Some of the privacy policies, although now bread and butter disclosure procedures for just email and system data, occasioned many a knock-down drag out. I can hear my father, who never made it out of high school before the Great Depression and World War II swept him into a life of constant manual labor, say, “For what?” It seems so simple now, why was it such a fight? 

 If you are reading this blog as a part of the mini-series I am running this month, you already know the answer: there were no standards with which to work. Thank heavens, we are all now in a better place. All, as in not just higher education but every entity, every user, of the Internet.  Compliance and risk management was for a long time a “keep up with the Jones’” approach. If Berkeley had it, Cornell would use it.  If Cornell had it, then X institution would adopt the policy, procedure, technology or practice.  The good in this dynamic was that we shared happily, supported overall by then Vice President Mark Luker of EDUCAUSE and the security community nationally that he and his staff helped to create. I can’t imagine the gazillions of dollars saved by higher education to have collaborated on these efforts, or conversely those spent by for-profit industries to keep up. The Damoclean sword was a negligence suit not just because tort law exists, but because precedence had not yet set a rule against which we could test ourselves. 
 
How much easier it is for this generation of information security staff (CISO, or whatever your institution indicates). Go to ISO 27001 series, specifically 27013 and 27018, to get the international standards for security controls and privacy practices.  Done!  If you are into NIST, go for it.  There are translations. But I always think of higher education on an international basis because I think of the missions of higher education transcending nation-state politics. In some sense that might be naïve of me; in another, it might be far-reaching. But there it is.

Oh, you ask, how it was that I slipped in the privacy standards? Funny story, not sure this one will make the book. In about 2005, I indicated to the EDUCAUSE Policy Staff that even U.S. law had both security and privacy standards in its public privacy laws such as the Financial Services Modernization Act (otherwise known as GLBA after its authors in Congress) or the Health Insurance Portability Accountability Act, or HIPAA. “Privacy?!? What does that have to do with security?” was the response. I reveal no names to protect the innocent. We are all more informed now.  We know it is two sides of the same coin.  And we, in higher education, know that it is vital that we maintain pace with international standards even if our Congress wraps itself in “exceptionalism” and “isolationism.” The future viability of the United States in a global information economy is wrapped up in these distinctions, and overcoming them.

International standards now exist to take the guess work out of creating administrative, technical and physical approaches to information privacy and security. Higher education is broader than NIST; international standards facilitate research and scholarship, teaching, face to face or distributed, outreach is global.  Higher education should strive for it.  And make what once was a creative and fun experience into one that marries the relationship between the development of institutional information technology policy with higher education’s vaulting goals of global academic citizenship. The standards exist.  Let’s build them into our information security and privacy policies. And move the emphasis from where it was ten years ago, trying to figure out the basics, to implementation. Only in this approach can we begin to address the challenges of information security/privacy, compliance, and risk management.