Main Nav

EDUCAUSE Security Professionals Conference 2006. Summary: Defining the Security Domain

Defining the Security Domain




Marilu Goodyear, ECAR Fellow and Professor, University of Kansas
John H. Louis, Assistant Vice Provost for Information Systems, University of Kansas
This session took a detailed look at how an institution might define their various domains (network, users, and data) for writing and implementing security policy.
To prepare for writing and implementing security policy one needs to know for whom the policy will apply, how it will apply, and when.  This defines the scope statement for your security policy.  It is a statement of the network, people, data, and administrative structure of the institution. 
This can be a daunting task in the academic community.   This session provided a grid of decision points to help identify the gates that need to be kept to ensure that freely available university data is available to all and that restricted or confidential data is protected and made available to only those who are authorized to have access. 
Public networks are available to anyone for a price.  Universities networks are considered private and therefore must manage the network and the privacy of both users and data.  Because of additional federal requirements it is important to understand all relevant boundaries.   When academic institutions run their own networks, whether centralized or decentralized they are responsible the security of the data and the privacy of the user.  If the network is outsourced there must be clear contract language that delineates responsibility for these issues.  Academic institutions also must be aware of public and other networks where members of the community may have individual accounts. 
However, the security domain for academic institutions is limited to networks managed by the institution be they centrally managed or run by a department.  A good network policy should define the network boundary which in turn affects the definition of the security domain.  Along with creating a good network policy, the institution must also consider the “who, what, how” of providing awareness training across the boundaries. Goodyear and Louis provide a checklist to determine who is inside or outside of the security domain.  It incorporates three dimensions: who (student, employee, visiting scholar, etc), what (public system, public data, institutional data, institutional systems, etc), and how (network – public or private). These are the same dimensions that determine the affect on an institution if a security breach occurs.
The presentation slides include a number of hypothetical examples who is in the “security domain.”
Defining the Security Domain – presentation slides
Individuals in the Security Domain - spreadsheet

Tags from the EDUCAUSE Library

Tags from the Community


Annual Conference
September 29–October 2
View Proceedings

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.


Digital Badges
Member recognition effort
Earn yours >

Career Center

Leadership and Management Programs

EDUCAUSE Institute
Project Management



Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.


EDUCAUSE organizes its efforts around three IT Focus Areas



Join These Programs If Your Focus Is


Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.



2014 Strategic Priorities

  • Building the Profession
  • IT as a Game Changer
  • Foundations

Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.