Q & A With Doug Badger HIGHER EDUCATION


REPORTING DIRECTLY TO THE CIO, DOUG BADGER, DIRECTOR, IT PORTFOLIO MANAGEMENT AND SYSTEMS ASSURANCE AT THE UNIVERSITY OF GUELPH, HAS A LOT ON HIS PLATE. BESIDES PROTECTING THE INSTITUTION AGAINST HACKERS AND DATA HIJACKERS, HE IS RESPONSIBLE FOR INCREASING THE SECURITY AWARENESS OF BOTH FACULTY AND STUDENTS — TASKS HE TACKLES HEAD ON WITH THE HELP OF HIS TRUSTED SECURITY VENDORS.


Security Matters: What do your responsibilities, particularly as they relate to security, entail?

Doug Badger: The university’s IT security officer reports directly to me. This function involves daily resolution of minor security events, managing major incidents, such as data breaches or systems intrusions, and generally advising the community on best practices. We have defined IT security as a component of an over-arching “systems assurance” approach that factors in risk management, compliance and governance. Coordinating the university’s IT governance process is one of my responsibilities. Developing our IT security program and coordinating the process for developing new IT policies and guidelines are key aspects of this role. In addition, maintaining a “mile high” overview of IT activity across campus falls under the portfolio management mandate. This involves tracking IT assets, initiatives/projects and resources and making this information visible to the campus.


SM: What are some of the security issues and threats that most concern you and the school?

DB: We have to respond to the fallout of compromised computer accounts that results in the “hijacking” of our computing resources. Otherwise, the major Internet service providers can blacklist e-mails originating from the university. So preventing phishing attacks from being successful has been something that we’ve focused on this year. A major component of that effort has been increased security awareness initiatives. The other emerging threat we’re conscious of is the vulnerability of web applications generally (e.g., persistent malware and botnets).


30 SECURITY MATTERS • NOVEMBER/DECEMBER 2010


SM: How have these issues and threats changed/evolved over the years?

DB: Universities are attractive targets for hackers because of the computing capacity available and relatively open academic environment. We’re increasingly conscious of being compliant with privacy legislation and expectations of our stakeholders. So balancing accessibility/openness against protection of systems and information is our challenge.


SM: What are some of the security concerns specific to universities that other institutions might not face or worry about?

DB: Our environment is obviously a mixture of students, staff, faculty and the various systems they interact with. There are expectations of accessibility (ease-of-use) and transparency that I think are quite different than a corporate environment. Having a central directory of 40,000 accounts with annual turnover of 15 per cent is a specific higher education challenge.


SM: What steps has the University of Guelph taken to ensure data security?

DB: We have articulated an IT security framework to guide our policies and security initiatives going forward. This framework was developed through our IT governance process and was approved by the university’s president. So an on-going process is underway to increase our security posture. This means increasing the number of formalized policies and enterprise-level guidance on best practices, such as asset disposal, cloud computing and IT contracts.


Other recently approved policy initiatives include mandatory scanning of enterprise servers for vulnerabilities and protecting sensitive data residing on portable devices (i.e., encryption). We’re particularly pleased with our pilot project partnership with Mississauga-based WinMagic, deploying its SecureDoc encryption software using a Software-as-a-Service (SaaS) delivery model. At the operational level, our increasing use of security appliances for message filtering is providing significant benefits.


SM: What steps has the University of Guelph taken to ensure network security and identity management of staff, students and visitors?

DB: These are big challenges, however we’ve made significant progress in both areas. The university has now widely deployed wireless networking capability, and it’s protected by network access control and limiting access by devices, which don’t have up-to-date patches or anti-virus software installed. Our central computing group has also been incrementally rolling out a “single-sign-on” authentication service that is being well received and embraced by multiple application owners. It is a key part of their ongoing identity management enhancements.


SM: How do you go about selecting solutions and service providers to help you with your security?

DB: Our office works closely with the central IT group especially the networking services and managed server clusters. We share information and discuss potential initiatives to strengthen security on campus, and we study vendor-neutral research and interact with our peer institutions. We try to leverage our relationships with our primary vendor partners, but in the IT security field there are plentiful “point solutions” and small niche players that we try to maintain awareness of.

