#TEISS15: ‘Universities are a different beast for information security’

Ahead of The European Information Security Summit 2015, Marion Rosenberg, head of IT security, IT audit and compliance at the London School of Hygiene & Tropical Medicine, gives her thoughts on why universities present a unique information security challenge.


“Well, you just lock down their machines – it’s as easy as that!”

I would be rich if I had a pound for every time I have heard that. There’s so much wrong with this statement as a panacea for all information security risks – at least in universities.

So what are the problems that are unique to universities?

Students! Students exist in two states – when they are on campus or doing university work, and when they are at home or in residences. Universities have to provide connections in residences akin to normal home broadband – students have rights, you know.

Students go to university for a limited period, usually. They want things to work, but often want to forward their student email to their existing accounts. Collaborative working also happens more often on social media, where they all have accounts already (and they will be on there all day anyway), than on the facilities provided within virtual learning environments.

Students rarely read policies. They just want to get up and running quickly, and policy documents play no part in that.

Then there are all those times in the year that IT departments have to keep their paws off the systems – clearing, registration, exams… This means that upgrades to student systems cannot be scheduled in academic term time, which leaves the Christmas holidays and summer, but then IT staff are away because there is less pressure to deal with problems then.

And speaking of staff, academics want to have unmanaged machines. They want to be able to install things on their machines without asking, although they don’t want to worry about maintaining them. There is a great variation between departments – computer science departments are often bleeding-edge, often run courses on information security and (ethical) hacking and have a need for fast, modern, self-managed machines, whilst an English department probably just wants to have functioning, managed, basic machines.

Professional services departments are easier to control, with staff more used to standard office environments. They often work on managed machines and don’t complain so much.

I’ve not come across a university that has standardised on a particular operating system… Writes she, on a machine that is unmanaged and a different flavour from the majority.

And then there’s BYOD! Universities have been doing this for years – it is probably the norm.

It’s a wonderful, challenging environment in which to work and, maybe I’m wrong, but perhaps these problems are not unique to universities? Maybe similar problems exist in all organisations?

See the London School of Hygiene & Tropical Medicine’s Marion Rosenberg speak alongside other industry leaders at The European Information Security Summit 2015
