Security audits: why they happen

This post is about one of the less glamorous parts of working in information technology. Everybody answers to somebody, and sometimes that somebody wants to inspect your work.

Disclaimer: I’m speaking from my own experience, which is in higher education at a public university, and that university is a member of a larger university system. My own chain of command looks something like this:

  1. manager of my section in IT
  2. chief information officer of the university
  3. president of the university
  4. chancellor of the university system
  5. board of regents of the university system (who are appointed by the governor)

And somewhere between #4 and #5 there’s an office of internal audit.

Although my university usually does pretty well, higher education in general has at times had a poor record on information security. The Office of Inadequate Security has plenty of breach announcements involving higher education institutions.

When an organization experiences a data breach, it frequently doesn’t discover the breach itself. Notification sometimes comes in the form of a phone call from the Federal Bureau of Investigation. The university administrators then have to notify the entire university community, and the university typically has to pay for credit monitoring for everyone affected. That can add up quickly, because a higher education data breach can potentially affect a lot of people: students and their families, alumni, staff and faculty (past and present), job applicants, even donors. Larger universities mean larger numbers of people.

Imagine that you’re on the board of regents, and you’re addressing a bunch of donors. Some freaked-out-looking assistant hands you the phone, and it’s the feds telling you that they’ve discovered people selling the names, dates of birth, and social security numbers of thousands of students currently attending the university for which you are at this very moment trying to convince these donors (who are staring at you wondering why you’re talking on the phone and not to them) to cough up money for a new sports facility. Awkward.

So when this kind of thing happens, breach victims (understandably) tend to complain to their elected leaders. State legislatures have taken notice and are increasingly putting the screws to state agencies to get their digital affairs in order.

In the next post we’ll see what security audits are like (and how they affect people who work in IT).


Author: carl

A web programmer and Linux system administrator who would like to be a writer.