Spring 2014 issue of Horizons

COLLEGES & UNIVERSITIES

In the majority of the risk-assessment models that are present at universities, information technology is generally assessed as a high-risk category and given significant attention and resources. The risk assessment (and related allocation of resources) is generally focused — and rightfully so — on securing student data (personally identifiable information, credit card information/PCI compliance, taxpayer information numbers, FERPA compliance, etc.) and on securing personnel records, all of which are primarily contained in an institution’s enterprise resource planning (ERP) system. However, the continued use and application of information technology in higher education is creating a new universe of risk factors.

Risk Factors

Like most traditional businesses, universities are experiencing a substantial demand from their employees to be able to use their own personal devices and applications for business purposes.

This problem seems to be compounded in higher education, given the number of decentralized departments with decision-making authority, as well as the related responsibilities that have been designated over time to long-term faculty and staff. Further, this can be extended to faculty purchasing, developing or using external applications on their devices for their educational and/or research purposes.

Examples of such devices and tools that are commonly in use include:

∙ Personal laptops

∙ Tablets, smart phones, PDAs, etc.

∙ Google Docs/Google Drive, DropBox, etc.

∙ Teacher’s Aide (attendance application for Apple products)

∙ Mental Case (application with customizable virtual flash cards for Apple products)

∙ Software programs purchased directly by faculty to store/manage/analyze research data

∙ Device cameras to store manual/written research notes

The presence of these devices and applications, unmonitored in an institutional environment, can create a number of different and new security risks. At a high level, most of these devices and applications should be subject to the same security protocols that are already in place at a given university inside the traditional ERP system. Some institutions have considered substantially limiting the use of such devices and applications for educational or research purposes, while others have embraced it.
