IT Security and Crisis Management Pose Continuing Challenges

IT security and crisis management present continuing challenges for college and university officials according to new data from 2007 Campus Computing Survey. The survey data reveal solid improvements in some areas but continuing problems in others. For example, just three-fifths (59.1 percent) of the institutions participating in the 2007 survey report a strategic plan for IT disaster recovery, up slightly from 2006 (55.7 percent) and reflecting only modest gains from 2004 (55.5 percent) or even 2002 (53.0 percent).

The good news is that the percentage of campuses reporting hacks or attacks on campus networks continues to decline, down to 45.6 percent in 2007 from 51.1 percent in 2005. Similarly, fewer campuses report major problems with computer viruses (14.8 percent, compared to 35.4 percent in 2005) and spyware (15.9 percent, compared to 40.8 percent in two years ago). But the incidents of stolen computers with sensitive data increased slightly from 2006 to 2007 (17.1 percent in 2007, compared to 13.5 percent in 2006 and 15.3 percent in 2005). And although the numbers are generally low (under 15 percent), more campuses report student security incidents linked to social networking sites such as Facebook or MySpace (13.2 percent in 2007 vs. 9.8 percent in 2006) and institutional data security due to data loss on a server not under the control of central IT services (14.6 percent this past year, compared to 11.3 percent in 2006). A new item on the 2007 survey reveals that 6.5 percent of institutions experienced an IT security incident this past year due to an intentional employee transgression.

Additionally, in the wake of the tragic events at Virginia Tech in spring 2007, many campuses are moving quickly to expand and enhance IT and communication services and resources as part of a broader IT and campus crisis management plan. As of fall 2007, more than two-fifths (44.0 percent) of institutions report a strategic plan for emergency communication or notification services. Yet for most institutions, the key elements of the emergency communication/notification plan appear based to be existing IT resources such as email (66.4 percent), campus web sites or portals (62.6 percent), and campus phone services (44.6 percent). Although there are some variations by sector, comparatively few institutions have emergency communication plans that incorporate notification to off-campus phones (18.0 percent) or cell phones (22.1 percent).

The 2007 survey data suggest that many campuses have “gone to the closet” to see what resources might be at hand in their efforts to create a notification system: across all sectors, the highest numbers for the functional components of the notification plan as of fall 2007 are (not surprisingly) posting messages on campus portals, sending email, and using the campus phone system. Comparatively few institutions have the capacity to provide notification messages to off-campus phones and to cell/mobile phones.

Six years after 9-11 and two years after Hurricane Katrina ravished the Gulf Coast area, a significant number of colleges and universities have yet to develop a strategic plan for IT disaster planning and crisis management. As for fall 2007, roughly 30 percent of public universities, private universities, and public four-year colleges report no strategic plan for IT disaster planning, rising to just over half of private four-year colleges. Given what we know about these events – that it is not necessarily matter if a crisis strikes but more likely when – it is striking and surprising that so many campuses have yet to develop an initial IT crisis management plan, let alone revise plans that may now be two, three, or four years old.

"The 2007 survey data confirm the continuing security and crisis management challenges confronting campus IT officials across all sectors of higher education," says Kenneth C. Green, founding director of The Campus Computing Project and a visiting scholar at the Center for Education Studies at the Claremont Graduate University in Claremont, CA. "Two years after Hurricanes Katrina and Rita and six years after the 9-11 attacks, it its still surprising that so many colleges and universities - approximately 40 percent - have yet to complete or update their IT disaster plans. Additionally, and not surprisingly, recent events at Virginia Tech, Delaware State, and other institutions have created new expectations, or in some cases new mandates, regarding emergency notification services that will now need to be incorporated into these campus plans and procedures."

Although IT security issues pose continuing challenges for campus IT officials, the proportion of CIOs who identify IT security as the "single most important IT issue affecting my institution over the next two-three years" declined slightly in 2007 to 25.5 percent, down from 30 percent in both 2005 and 2006. Ranked second in 2007 is "upgrading/replacing administrative IT/campus ERP systems" (13.0 percent), followed closely by "hiring/retaining qualified IT staff" (12.3 percent). The ERP upgrade/replacement issue moves from third in the 2004-2006 surveys to second in 2007, replacing "the instructional integration of information technology." The new concern about hiring suggests the growing competition for qualified IT talent in the campus and corporate sectors.

Wireless campus networks now reach two-thirds (60.1 percent) of college classrooms, compared to half (51.2 percent) in 2006 and just a third (31.1 percent) in 2004, according to the 2007 survey data. Additionally, more than three-fourths (76.7 percent) of the campuses participating in the annual survey have a strategic plan for deploying wireless as of fall 2007, up from 68.8 percent in and 55.3 percent in 2004. By sector, the proportion classrooms with wireless access ranges from over two- fifths (44.4 percent) in community colleges (up from 26.8 percent in 2005) to more than two-thirds (69.8 percent) in private research universities (up from 52.8 percent in 2005 and 47.4 percent in 2004).

"Wireless can be a wonderful resource for everyone on campus," says Green. "It fosters access, mobility, and collaborative work among students and faculty." But he also notes there is continuing evidence of backlash against wireless from some faculty who would prefer that students not hide behind their computer screens during class. Additionally, Green comments that the arrival of the Apple iPhone and other Wi-Fi phones and PDA devices will present new challenges for campus IT officials and new demands for access to the campus network from students, faculty, administrators and staff who will come to campus with these devices: "To date campus IT officials have preferred not to deal with mobile phones and PDAs on campus networks. That will have to change with the arrival of a new generation of network compatible phones and PDAs in the coming year. "

The 2007 survey data point to little change in the orientation towards Open Source applications among senior campus technology officers first reported in 2004. Almost three-fifths (57.3 percent, compared to 51.9 percent in 2004) agree that "Open Source will play an increasingly important role in our campus IT strategy." However, less than a third of the survey respondents (27.6 percent, compared to 28.9 percent in 2004) agree that Open Source "offers a viable alternative" for key campus administrative or ERP applications such as student information systems, campus finance systems, or personnel/human resource software.

Yet even with the continuing "affirmative ambivalence" about Open Source among many campus IT leaders, the 2007 survey data document key gains for Open Source applications, specifically Open Source Learning Management Systems (LMS). A growing number of colleges and universities have made an Open Source LMS their campus standard. The proportion of institutions that have established Sakai as the campus standard LMS remains steady at approximate 3 percent, while the proportion using Moodle as the campus standard LMS almost doubled between 2006 and 2007, rising from 4.2 to 7.8 percent over one year. Moodle is particularly popular among private four-year colleges: almost one-fifth (17.2 percent) of private four-year institutions have made Moodle the campus standard LMS, up from 10.2 percent in 2006.

"There is ample of evidence of growing interest in and the slow but rising deployment of Open Source applications," says Green. "The recent gains for Moodle and Sakai are very interesting, suggesting that ten years after the deployment of the first commercial LMS applications, campus officials and faculty advisory committees are reviewing seriously the various LMS offerings from both commercial providers and the collaborative Open Source movement."

The 2007 survey brings new data to the discussion of how campus officials are addressing the problem of peer-to-peer (P2P) downloading of music and movies on campus networks. As noted in past surveys, the vast majority of colleges and universities (82.9 percent) have campus policies to address inappropriate P2P downloading. The 2007 survey provides new information about the campus procedures that enforce these policies. More than two-thirds of institutions (70.5 percent) report that students can lose their campus network privileges for P2P violations, while almost half (45.9 percent) impose other kinds of sanctions for inappropriate P2P activity. Almost of a third (29.1 percent) of colleges and universities have installed some type technology product as part of campus efforts stem P2P piracy on campus networks, while 12.8 percent now have mandatory user education programs to inform students about copyright and P2P issues.

"The 2007 survey data confirm that colleges and universities are making significant efforts to address the problem of P2P piracy on campus networks," says Green. "Unfortunately, some critics will point to the survey data to argue that campuses are not doing enough in this area. But the fact remains that colleges are universities are far more conscientious, indeed far more aggressive about addressing P2P piracy issues than are the consumer market broadband service providers such as AT&T, Comcast, Earthlink, and TimeWarner. Colleges and universities are engaged in user education and are imposing sanctions for P2P violations. Additionally, many institutions are spending significant sums to deploy software that providers claim will stem P2P downloading. Yet we know that the proposed P2P software solutions are far from perfect, as was acknowledged in recent congressional hearings."

About the Campus Computing Survey

Begun in 1990, The Campus Computing Survey is the largest continuing study of computing and information technology in American higher education. The survey data are based on the responses provided by senior campus officials, typically the senior institutional technology officer (CIO/CTO, vice president for information technology, etc.). The 2007 survey report is based on data provided by campus officials representing 555 two- and four-year public and private colleges and universities across the United States. Survey respondents completed the online questionnaire during September and October, 2007.

Attachment

• Campus Computing - 2007 Executive Summary (PDF)

• Campus Computing - 2007 Report (PDF)