
EDUCAUSE Security Professionals Conference 2006. Summary: Defining the Security Domain

Defining the Security Domain

 

 

 

Marilu Goodyear, ECAR Fellow and Professor, University of Kansas
John H. Louis, Assistant Vice Provost for Information Systems, University of Kansas
 
This session took a detailed look at how an institution might define its various domains (network, users, and data) for writing and implementing security policy.
 
To prepare for writing and implementing security policy, one needs to know to whom the policy will apply, how it will apply, and when. This defines the scope statement for your security policy. It is a statement of the network, people, data, and administrative structure of the institution.
 
This can be a daunting task in the academic community. This session provided a grid of decision points to help identify the gates that need to be kept to ensure that freely available university data is available to all and that restricted or confidential data is protected and made available only to those who are authorized to have access.
 
Public networks are available to anyone for a price. University networks are considered private and therefore must manage the network and the privacy of both users and data. Because of additional federal requirements, it is important to understand all relevant boundaries. When academic institutions run their own networks, whether centralized or decentralized, they are responsible for the security of the data and the privacy of the user. If the network is outsourced, there must be clear contract language that delineates responsibility for these issues. Academic institutions also must be aware of public and other networks where members of the community may have individual accounts.
 
However, the security domain for academic institutions is limited to networks managed by the institution, be they centrally managed or run by a department. A good network policy should define the network boundary, which in turn affects the definition of the security domain. Along with creating a good network policy, the institution must also consider the “who, what, how” of providing awareness training across the boundaries. Goodyear and Louis provide a checklist to determine who is inside or outside of the security domain. It incorporates three dimensions: who (student, employee, visiting scholar, etc.), what (public system, public data, institutional data, institutional systems, etc.), and how (network – public or private). These are the same dimensions that determine the effect on an institution if a security breach occurs.
 
The presentation slides include a number of hypothetical examples of who is in the “security domain.”
 
Defining the Security Domain – presentation slides
 
Individuals in the Security Domain - spreadsheet
