
Organization and Information Sharing

This is the final in a series of introductory postings to describe the goals and initiatives of the Security Task Force.  The strategic goal associated with Organization and Information Sharing is “to create the capacity for a college or university to effectively deploy a comprehensive security architecture (people, process, and technology) and to leverage the collective wisdom and expertise of the higher education community.”  As part of the process of developing the National Strategy to Secure Cyberspace, we were asked the following questions:

  • How can universities best organize to address the IT security questions they face in common?
  • Should best practices or standards be agreed to on a national level?
  • Should there be a mechanism for information sharing on threats and vulnerabilities among university CIOs and systems administrators?

In 2002, when these questions were first posed to us by the government, we unfortunately did not have any concrete actions identified.  However, as you will see, a lot of progress has been made.

First, we established the Security Discussion Group as an informal method for information sharing among college and university security professionals and others with an interest or responsibility for security.  Today, that discussion list has almost 1,200 subscribers and is a useful forum for information exchange among member institutions and between the Security Task Force and the higher education community.

Second, the annual Security Professionals Conference is THE EVENT where higher education security practitioners come together to share effective practices and solutions and gain new knowledge.  It also provides an opportunity for professional networking and exposes institutions of higher education to government and industry initiatives. I should also note that the conference replaced the previous annual meetings held by the College and University Information Security Professionals when they determined that the community was growing to be too large for the volunteer organization to continue to hold an annual event.  The Security Task Force also promotes the use of state or regional forums for information sharing, networking, and professional development.  A list of state or regional events is highlighted on the task force web site.

Third, the Research and Education Networking ISAC supports higher education and the research community by providing advanced security services to national supporting networks, and supports efforts to protect the national cyberinfrastructure by participating in the formal sector ISAC infrastructure. Supported by Indiana University and through its relationship with EDUCAUSE and Internet2, the REN-ISAC is an integral part of higher education’s strategy to improve network security through information collection, analysis and dissemination, early warning, and response - specifically designed to support the unique environment and needs of organizations connected to served higher education and research networks.

Finally, the Security Task Force web site was established to serve as a clearinghouse for higher education security practitioners and contains a number of resources, including security officer job descriptions, the Effective Security Practices Guide, and presentations or documents on a number of cybersecurity topics.

There is much work, however, that remains to be done.  For example, the National Strategy encourages higher education to develop “model guidelines empowering chief information officers to address cybersecurity”.  In an earlier letter from ACE President David Ward to college and university presidents, we urged the campus leadership to “establish responsibility for campus-wide Cybersecurity at the cabinet level.” 

We have also been working with institutions to “identify and define the roles of other entities on campus who share responsibility for security (e.g. campus police, internal audit, procurement)”.  The Risk Assessment Working Group of the Security Task Force includes a number of campus stakeholders and is seeking to reach out to functional communities beyond the IT organization.  The working group is “focused on identifying and promoting practices, tools, techniques, and procedures to encourage institutions of higher education in the application of security risk management including risk identification, evaluation, mitigation, strategic and operational planning, and monitoring to address information security and assurance.”

A key initiative during 2004 and 2005 is to provide assistance to small colleges, including a small college security issues discussion session at all of the EDUCAUSE regional conferences and a pre-conference seminar at the EDUCAUSE 2004 Annual Conference.

I should note and thank the National Science Foundation for their generous support that made the development of the strategic goals of the Security Task Force possible.  The goals and corresponding recommendations resulted from four workshops held in 2003 where the advice and input of the community were solicited.  We are grateful to the NSF for their support and thank the higher education community for your ideas and suggestions. You have played a critical role in helping higher education to collectively make significant progress these past several months.

I am amazed at how far we have come since soliciting comments on the original survey questions as part of the National Strategy.  However, as in other areas, we should note it as “progress” but not completion of the task.  Therefore, your ideas and suggestions are welcome (send comments to
