Access the Business Officer Magazine menu by clicking or touching here.
Business Officer Magazine logo, click or touch this logo to return to the homepageClick or touch the Business Officer Magazine logo to return to the homepage.
Get back to the Business Officer Magazine homepage by clicking the logo.

Business Intel

October 2019


RISK MANAGEMENT

Have a Plan in Hand

The first step in expeditiously handling any threat or incident is to have a tested plan in place. During their “Planning to Respond—Physical and Virtual Security” session at the NACUBO 2019 Annual Meeting, presenters Michael Kasitz, assistant vice president for public safety, and Judy Molnar, associate vice president for information technology and CIO, shared the steps Austin Peay State University, Clarksville, Tenn., has taken to build robust emergency management and cyber-incident response plans. For in-depth coverage of the annual meeting, read “Austin Inspired.”

Recent incidents of a gunman roaming the Austin Peay campus and of a phishing scam that compromised an employee’s direct deposit payment spurred leadership to strengthen action plans for safeguarding individuals, campus infrastructure, and the wider community.

Institutional response plans encompass a broad range of concerns—from business continuity to disaster recovery to cybersecurity. Ensuring that each plan remains fresh and relevant for those responsible for enacting it means providing up-to-date contact information and protocols about who needs to be notified. For instance, listed in Austin Peay’s cyber-response plan are the mobile phone numbers for IT, public relations, HR staff, legal counsel, and law enforcement to expedite the appropriate outreach.

The plan also includes external contact information, since the state of Tennessee requires that within 24 hours of any cybersecurity incident, its higher education institutions notify the state’s comptroller, secretary of state, and department of education, Molnar said.

Molnar and Kasitz offered additional advice for building effective response plans:

Envision the full range of potential threats. Beyond planning for the most likely natural disasters for your area—such as tornadoes, hurricanes, and flooding—identify the possible hazards hidden from view that may exist within the larger community. Are there industries in your region storing potentially lethal chemicals on-site?

Austin Peay’s annual review of its cyber response includes tabletopping a potential incident—playing out an incident as a means of assessing where to tighten business continuity protocols. Consider a scenario in which your institution’s finance system is brought down, and you can’t quickly bring it back online. How will that impact daily operations? Is there a workaround you can implement in the interim?

Scenario planning should also include incidents that could potentially damage the institution’s reputation and carry significant PR fallout, Kasitz said. Consider a situation where a high-level administrator is caught with pornography on his or her computer. Addressing this from a law enforcement standpoint may be unambiguous, but such an incident could potentially be disastrous for your institution’s brand if mishandled from a communications standpoint. Identify who is responsible for talking to the media and provide training so those individuals are comfortable speaking under stress in front of the cameras.

Train everyone. Trying toget all essential personnel to commit the time for training is difficult enough, but it may be nearly impossible to get everyone in the room at the same time. One solution is to run individual departments through an incident at separate times rather than trying to coordinate schedules for all departments. If full-day training proves too difficult, what can you do in two hours?

Training is essential not only for practicing a coordinated response, but also as a way to gather input and perspective. While IT staff best understand the technical nature of a cyberthreat, legal counsel, student services, HR, and other staff can provide important insights about how a situation may adversely impact the institution, students, or employees. At Austin Peay, cybersecurity student interns add another fresh perspective in helping the university assess specific components of cyberthreats.

Identify chain of response. In addition to leadership response, think about the range of support functions you need to include in your training—firefighting, environmental response, food services, utilities, and so forth. Develop an organizational chart of operations and support functions that could be impacted for any given incident. Likewise, consider that in an actual incident your president, provost, or other senior leaders may not even be on campus. Tabletopping with the full line of succession is important to ensure that you are training people in support roles to step in and take charge.

Don’t forget the details. Make clear to responders what should be documented in the moment so that you don’t forget what occurred in the heat of a crisis. For a cybersecurity response, the final report you may need to send to state officials and to your internal auditor should include a basic incident log of who you talked to, when, and about what.

In addition to a campuswide text-alert system, practice drills for securing-in-place until an all-clear signal is given. This helps ensure that everyone knows what to do when they are required to act in a crisis.

Finally, don’t forget about your larger community. Consider how you can direct volunteers who might show up to help in the event of a disaster. Where should they go, and what can you ask them to do?

KARLA HIGNITE, Fort Walton Beach, Fla., is a contributing editor for Business Officer.


The total number of websites on the World Wide Web in September 2019 was approximately 1.7 billion.
—Internet Stats Live

Fast Fact

Quick Clicks

Latino Students Are Underrepresented

When it comes to enrolling and graduating Latinos, public colleges and universities in most states are flunking, according to Broken Mirrors II: Latino Student Representation at Public State Colleges and Universities, a new study by the Education Trust. In 40 of the 44 states (90 percent) examined, Latino students are underrepresented at community and technical colleges. In 33 of the 44 states (75 percent), Latino enrollment at four-year public institutions is not on par with the state’s proportion of Latino residents.

Wi-Fi Budgeting Is a Concern

Sixty-eight percent of business officers who participated in the 2019 ACUHO-I State of the ResNet Study support expansive Wi-Fi coverage for the entire campus—an 11 percent increase according to the report. Strategic plans are becoming a collective vision with IT and housing officers meeting more frequently, but the connection between business and IT officers is lagging, the study said. Sixteen percent of business officers do not meet at all with their IT departments. Sixty-eight percent of business officers have growing concerns about Wi-Fi management and budgeting—a rise of 10 percent since 2017.


By The Numbers

2019 SFS Benchmarking Report

Student financial service offices across U.S. colleges and universities oversee student and staff account operations to ensure fiscal accountability and address student needs. Their operations include: student account and loan receivables, student payments, credit balance refunds, third-party payments, staffing, and expenditures for student financial services. The 2019 Student Financial Services Benchmarking Report provides data on these measures for FY19 (July 1, 2017, to June 30, 2018, at most institutions). The report was released in September and is now available at www.nacubo.org.

NACUBO, 2019 Student Financial Services Benchmarking Report. Available online at www.nacubo.org/Research/2018/NACUBO-Student-Financial-Services-Benchmarking-Report.