EDUCAUSE Security Professionals Conference 2006. Summary: Defining the Security Domain

Marilu Goodyear, ECAR Fellow and Professor, University of Kansas
John H. Louis, Assistant Vice Provost for Information Systems, University of Kansas
 
This session took a detailed look at how an institution might define its various domains (network, users, and data) for writing and implementing security policy.
 
To prepare for writing and implementing security policy, one needs to know to whom the policy will apply, how it will apply, and when. This defines the scope statement for your security policy. It is a statement of the network, people, data, and administrative structure of the institution.
 
This can be a daunting task in the academic community.   This session provided a grid of decision points to help identify the gates that need to be kept to ensure that freely available university data is available to all and that restricted or confidential data is protected and made available to only those who are authorized to have access. 
 
Public networks are available to anyone for a price. University networks are considered private, and universities must therefore manage the network and the privacy of both users and data. Because of additional federal requirements, it is important to understand all relevant boundaries. When academic institutions run their own networks, whether centralized or decentralized, they are responsible for the security of the data and the privacy of the user. If the network is outsourced, there must be clear contract language that delineates responsibility for these issues. Academic institutions must also be aware of public and other networks where members of the community may have individual accounts.
 
However, the security domain for academic institutions is limited to networks managed by the institution, whether centrally managed or run by a department. A good network policy should define the network boundary, which in turn affects the definition of the security domain. Along with creating a good network policy, the institution must also consider the “who, what, how” of providing awareness training across the boundaries. Goodyear and Louis provide a checklist to determine who is inside or outside of the security domain. It incorporates three dimensions: who (student, employee, visiting scholar, etc.), what (public system, public data, institutional data, institutional systems, etc.), and how (network – public or private). These are the same dimensions that determine the effect on an institution if a security breach occurs.
 
The presentation slides include a number of hypothetical examples of who is in the “security domain.”
 
Defining the Security Domain – presentation slides
 
Individuals in the Security Domain - spreadsheet
