Cybersecurity Standards, Policies, and Procedures

The Security Task Force’s strategic goal associated with Standards, Policies, and Procedures is “to develop information technology standards, policies, and procedures that are appropriate, enforceable, and effective within the higher education community.”  To date, much of our focus has been on the creation of IT security policies and procedures that are agreed to by the community, balance consideration of both cyber and physical vulnerabilities, include clear expectations of user behavior, provide significant incentives for faculty to operate secure computing facilities, are enforceable, and include appropriate consequences for violations.

Policies and standards are often dictated by legal issues; therefore, we've been identifying or developing resources related to describing the legal environment in which information security operates. We commissioned the development of a white paper entitled “IT Security for Higher Education:  A Legal Perspective” in the Spring of 2003.  In the preparation of our book on Computer and Network Security in Higher Education, we were also fortunate to engage Nancy Tribbensee (Arizona State University) who developed a chapter also published in EDUCAUSE Review about “Liability for Negligent Security”.  We have also benefited from related research conducted by the National Academies (“Critical Information Infrastructure Protection and the Law:  An Overview of Key Issues”) and Congressional Research Service (“Computer Security:  A Summary of Selected Federal Laws, Executive Orders, and Presidential Directives”).

We have been collecting security policies developed by colleges and universities and making them accessible via the EDUCAUSE Resource Center.  Additionally, Mark Bruhn (Indiana University) and I wrote a chapter for the security book on “Policy Development for Information Security”.  We have also been encouraging the submission of Effective Security Practices and Solutions and program proposal submissions for both the Security Professionals Conference and annual EDUCAUSE conference on cybersecurity policy topics.

Initiatives under this strategic goal are developed and implemented by the Policy and Legal Issues Working Group of the Security Task Force that is co-chaired by Tracy Mitrano (Cornell University) and Steve Worona (EDUCAUSE).  Steve and Tracy are also the co-directors of the Cornell/EDUCAUSE Institute for Computer Policy and Law.  The Policy and Legal Issues Working Group identifies security issues that may be impacted by current and proposed laws and the implications for institutional policies. The Working Group identifies and develops material to promote understanding of security-related policies and laws among security professionals, computer administrators, and users. The Working Group also identifies and develops examples of effective institutional policies and procedures related to security issues.

Finally, we are also focusing on standards and assessment tools that create a minimum level of security required to remain connected to the network, serve as guidelines for system administrators, and use benchmarks and annual evaluations of improvement.  The Effective Security Practices Guide is one attempt to provide the community with resources and an attempt to satisfy a recommendation in the National Strategy to Secure Cyberspace (which encourages colleges and universities to secure their cyber systems by establishing “one or more sets of best practices for IT security”).  We will have several announcements of new initiatives in the coming weeks that will demonstrate more progress in this area.

If your institution has developed effective standards, policies, and procedures in the area of cybersecurity, I would invite you to tell me about your challenges and successes or encourage you to share your experiences with the community in one of the many forums that are available (e.g., Security Discussion Group, Security Professionals Conference, Effective Security Practices submission form).