WikiLeaks’ release of classified government information and Edward Snowden’s exposé of National Security Agency files underscore the vulnerabilities of computer systems, including those at Dartmouth.
From left, Patrick Perry, Adam Goldstein, and Steve Nyman maintain Dartmouth’s defenses against cybercrime. (Photo by Eli Burakian ’00)
“This is a war that will never end,” says Steve Nyman, chief information security officer for the College. “It’s like the war on drugs that America has been fighting since the 1960s, a war that is still going on.”
Assisted by Information Technology (IT) Security Engineer Adam Goldstein and IT Security Analyst Patrick Perry, Nyman mans the barricades of Dartmouth’s defenses against cybercrime. “Between the three of us, we deal with all aspects of IT and information security, focusing basically on three areas: the technical area, the policy area, and training,” Nyman says.
At the heart of the College’s defensive strategy is the Dartmouth Information Security Committee (DISC), chaired by Nyman. Its members are director level or above, from all areas of the College. As a group, the committee has developed a policy approved by the school’s leadership.
In addition to DISC, there is a cadre of information security representatives. “These are the boots on the ground, so to speak, folks in the different areas of the College that we train to help implement this policy,” says Nyman. “They work in their own areas and do their jobs, but this is a collateral duty.”
The Dartmouth policy takes a risk-based approach. This is a proven system that Nyman successfully implemented during his 10 years with the pharmaceutical giant Pfizer. It comprises several elements:
- Concentrating on where in the organization the information is
- Clearly identifying who has access to it
- Determining what the risk may be if that information is disclosed, modified, or lost
- Applying the appropriate controls
“While corporations have long been a target, higher education is now experiencing intruders whose goal is to access the intellectual property of the institution,” says Ellen Waite-Franzen, vice president for Information Technology. “To do this they use very stealthy techniques that are hard to detect. A great thing about the higher ed community is that we share our techniques so that we can help build upon each other’s experiences and best practices.”
Nyman says that attempts to infiltrate and steal intellectual property are Dartmouth’s most serious challenge. Dartmouth conducts extensive research, much of it producing results that may be proprietary but are not yet patented. Federally funded research is another sensitive area in need of protection, as well as student records, faculty and staff confidential data, and Dartmouth’s financial systems.
“The crucial factor is finding where the information is. If we don’t know where it is, we can’t protect it,” he says. “Then we want to make sure we are applying the appropriate policy controls to the information that would have the most negative impact on the College, should the systems be penetrated.”
While breaches from the outside constitute a threat to confidential data, Nyman also worries about internal security. “I believe that an insider can do far more damage than attacks from the outside,” he says. “If you don’t have role-based security, you are broadening the risk when you have too many people who have access to stuff they shouldn’t have.” However, Nyman doesn’t want the school to go so far as to shut things down so that people can’t collaborate.
Dartmouth differs from many organizations that use a policy document that requires thorough reading to identify applicable security measures. Instead, Dartmouth uses a matrix or grid format. “It’s just right there. Look at the elements,” says Nyman. “It tells you every control mapped to everything that is required, including various government regulations that may apply, like HIPAA and data privacy laws. I think that streamlines the process.”
Nyman also points to DISC as a feature that sets Dartmouth apart, adding that few institutions have a group as engaged as the College’s. Because the committee had a hand in developing Dartmouth’s policies, he says, this encourages buy-in from the areas in which its members work.
“Many organizations focus more on spending a lot of money on technical tools, tools that are constantly changing to keep up with what the bad guys are doing,” says Nyman. “The solution is to properly manage the people, the processes, the policies, the information, and not get laser-focused and myopic in looking at tools. We need a balanced strategy, employing a risk-based approach coupled with reasonable technical measures.
“This is a business process, not a technical-only process, and many companies and universities forget that,” he says. “Executive leadership in a lot of places will try to push all this stuff to IT people to make a business problem an IT problem. Fortunately, Dartmouth isn’t looking at it that way.”