Forget the device -- protect the data. That’s the core of Temple University’s new data policy, which some chief information officers are praising for emphasizing security in the bring-your-own-device era.
“All members of the University community have a responsibility to protect the confidentiality, integrity, and availability of data generated, accessed, modified, transmitted, stored or used by the University, irrespective of the medium on which the data resides and regardless of format (e.g., in electronic, paper or other physical form),” the policy, enacted this January, reads.
The “device explosion” is a familiar problem for university information technology and security officers, and policies that allow students and employees to bring their own devices have only made the situation worse.
Most noticeable is the congestion. Students not only bring Wi-Fi-enabled laptops and cell phones to campus, but also tablets, video game consoles and media streaming devices. With so many devices hogging a share of the bandwidth, many campus networks struggle to keep up.
But while sluggish browsing speeds can be annoying, BYOD policies also present serious data security issues. As members of the university community bring their own devices to campus, they also bring their own malware, including keystroke loggers, which can compromise confidential or sensitive information.
At Temple, IT officers are less concerned with protecting the myriad devices on campus than the data they access. The policy splits data into three categories -- unrestricted, sensitive and confidential, designated by green, yellow and red lights -- and creates a set of protocols to ensure the information is accessed responsibly based on its classification.
Larry Brandolph, chief information security officer and an associate vice president at Temple, said the policy change was brought on by a rush of faculty members, researchers and staffers asking which cloud services they could use for which purposes.
“We started looking at this saying, ‘Where should people really be allowed to store data?’ ” Brandolph said. “Then it became more of a conversation not about where to store data, but what type of data we can store where.”
In practice, unrestricted data such as names and job titles are publicly available. Sensitive data, including emergency contacts and home mailing addresses, can generally be accessed by employees conducting university business. Social Security numbers, credit card information and other types of confidential information, however, can only be accessed with approval from a university-designated data steward -- and all access attempts are audited on an annual basis.
Initially, unrestricted data was known as "public data" -- an industry term, said Brandolph, who added, “I’ll tell you that no one liked the term public.”
The policy also extends to cloud computing services. The online note-taking app Evernote should be used only for unrestricted data, for example, while Temple’s secure file transfer service, TUsafesend, may handle data from all three categories. By glancing at the guidelines, university employees can confirm they’re not supposed to send bank account information using Gmail.
Robert P. Howard, chief information officer at Armstrong Atlantic State University, said the categories -- which he described as a “three-part litmus test” -- could make information security a more meaningful issue to university employees who are unfamiliar with it.
“I think this is the reality and the zeitgeist of our time,” Howard said. “People have [data], and it’s wherever they are, so we can stick our heads in the sand, or we can plan around it.”
At Temple, the data stewardship duties are assigned according to the institution’s enterprise resource planning system. The stewards are split into four modules, one each dedicated to finances, human resources, students or advancement. Stewards in each module determine how their data should be classified with input from the university’s IT and legal offices, Brandolph said.
By enlisting officers across campus to serve as data stewards, Howard said, institutions can also raise awareness about privacy issues and proper handling of data on a grassroots level. “The main thing I’m adamant on is that it can’t live solely in IT,” he said. “IT can help frame the discussion of what it means, but ... you need to have someone in the office who has a general concept about data integrity and stewardship about the data they’re handling.”
One alternative to protecting the data would be to hand every employee a device for conducting university business. Such a policy may help IT officers monitor how employees gain access to data, but it can also be expensive -- and, Howard said, even counterintuitive. “If you make things too cumbersome and complex, you’re actually going in the opposite direction, and people will take more shortcuts and expose more data,” he said.
Although the focus has shifted away from protecting individual devices at Temple, Brandolph and Howard suggested IT offices’ tonal shift may be more significant.
“The conversation has changed over the last couple of years,” Brandolph said. “Security used to be just the bottleneck. Now we’re trying to flip it and say, ‘Here’s how you can do it.’ ”