EDUCAUSE | Identity and Access Management

Fed. Regs. on Student Identity Verification, State Authorization of Distance Ed. Back on the Radar

Tue, 16 Apr 2013 21:13:20 +0000

As reported in today's Inside Higher Ed, the U.S. Department of Education (ED) has announced its intent to modify the rule-making effort it originally proposed last year to address federal student aid fraud concerns.

Call for Participation: The Multi-Factor Authentication Cohortium

Wed, 20 Mar 2013 15:49:09 +0000

The Internet2 Scalable Privacy Project (ScalePriv), funded with the recent National Strategy for Trusted Identities in Cyberspace (NSTIC) grant to Internet2, is seeking campuses to participate in the Multi-Factor Authentication (MFA) Cohortium*. Applications are open until April 26, 2013 (note the deadline extension).

The Wild-Card Character of "Bring Your Own": A Panel Discussion

Tue, 12 Mar 2013 17:36:16 +0000

Panelists on the front lines of higher education information technology share their thoughts on BYOD and what it could mean for colleges and universities.

An Incremental Approach to Building an Information Security Program

Tue, 05 Mar 2013 20:59:20 +0000

Constraints such as tight budgets, increased responsibilities, lack of resources or incentive, and disagreement on a common approach to information security pose challenges for higher education IT organizations wanting to establish a comprehensive information security program.
An iterative approach to a security program takes advantage of regular audits to find problems and address them according to risk and priority of each lapse identified.
The IT organization’s security program gets stronger with every audit cycle, and the approach provides a good basis for comparing past performance and measuring progress.

NSTIC Pilots at RSA Features Internet2 Scalable Privacy Project

Wed, 27 Feb 2013 14:01:28 +0000

The following announcement from the National Institute of Standards and Technology (NIST) concerns the pilots funded as part of the President's National Strategy for Trusted Identities in Cyberspace (NSTIC). Among the funded pilots that will be featured at RSA Conference is the Internet2 Piloting Mobile Device Multifactor Authentication on University Campuses. For more information about the Internet2 Scalable Privacy Pilot, see https://spaces.internet2.edu/display/scalepriv/Scalable+Privacy

Beyond User Names and Passwords: Meet the NSTIC Pilots at RSA

Top Information Security Concerns for Researchers

Tue, 12 Feb 2013 17:08:56 +0000

Communicating information security issues with campus researchers is a common challenge in the higher education community. Often, researchers may not see information security or data protection as their concern. A new HEISC resource, Top Information Security Concerns for Researchers: Protecting Your Intellectual Assets, provides 10 sets of questions for researchers to consider about their data while also offering relevant resources for protecting that research data.

Questions or comments about this resource? Please contact us: security-council@educause.edu.

ED CPO on Privacy, Emerging Technologies, and New Uses of Data

Mon, 28 Jan 2013 20:26:33 +0000

When I first accepted the position as ED’s Chief Privacy Officer the workload revolved heavily around privacy issues in the K-12 context, especially issues relating the Family Educational Rights Privacy Act (FERPA) and its applicability to State Longitudinal Databases. Recently our office is spending an increasing amount of time providing guidance in the higher ed arena. Colleges, universities, and other postsecondary institutions often have research agendas that involve data; they often have medical facilities; and most importantly, colleges and universities often function as change agents, particularly for technological and social change. The combination of new technologies and new uses of data create today’s cutting-edge privacy issues, including “Big Data,” matching with wage data, data sharing in general, the use of analytics, cloud computing, MOOCs, and school use of web engagement tools.

A Few Things about E-FERPA

Mon, 28 Jan 2013 16:34:17 +0000

Probably no statute affects higher education more, but is understood less, than the Family Educational and Privacy Rights Act, or “FERPA,” the primary federal law that regulates how we handle our records about our students. And that is no doubt especially true when it comes to electronic records (which for some reason seem to baffle us in almost every context). Data Privacy Month seems a good time to clear up some of the most common misunderstandings:

1. FERPA makes no distinction between electronic and other records. FERPA governs all records that we maintain about our students, be they written on paper; captured in film, photographs, or audiotape; made up solely of electrons; or, for that matter, carved into stone tablets, and it governs them in exactly the same way. At least for purposes of FERPA, the medium is not the message.

Higher Education Activities during Data Privacy Month

Fri, 18 Jan 2013 22:31:21 +0000

Although this is only the second year that colleges and universities are working together to observe and promote Data Privacy Month, many campuses are busy planning local or regional events, tweeting daily with the hashtags #dataprivacy and #dpd13, and writing blogs or articles about data privacy. We hope these activities will encourage you to consider ways to promote Data Privacy Month this year or begin thinking about how yor campus will participate in 2014.

January 28th is Data Privacy Day–Respecting Privacy, Safeguarding Data and Enabling Trust

Fri, 18 Jan 2013 21:57:21 +0000

As the National Cyber Security Alliance (NCSA), we have the honor of coordinating Data Privacy Day (DPD). Data Privacy Day is held on January 28th annually and is an effort to empower people to protect their privacy, control their digital footprint, and escalate the protection of privacy and data as everyone’s priority. The success of Data Privacy Day relies on everyone, including our trusted partners such as EDUCAUSE and the higher education community, to educate and create awareness about the importance of data privacy.

Lance Spitzner on Data Privacy Awareness

Fri, 18 Jan 2013 16:55:14 +0000

A common challenge many schools share is protecting the privacy of their students. Institutions maintain a surprising amount of highly confidential student information including medical, financial, personal, and educational data. As a result, institutions have to comply with numerous regulations including HIPAA, FERPA, or GLBA. Remembering all of these different compliance rules and regulations can be confusing or overwhelming for faculty and staff. However, if you take a step back, many of these regulations have the same goal–protection of private information. In addition, the steps people are expected to follow in order to protect data are often the same.

Leadership Discussion: Identity and Access Management in Higher Education

Fri, 11 Jan 2013 22:30:08 +0000

Has your campus established an enterprise strategy for identity and access management? Does your IAM architecture facilitate easy migration to the cloud? Is your IAM system standards-based and interoperable with other identity providers and service providers? Are you prepared to federate with other institutions of higher education, the federal government, and the private sector? Are you working toward InCommon Silver certification? This discussion session is designed to bring together CIOs, IT directors, IT architects, managers, and other leaders responsible for IAM to discuss effective practices and solutions, current challenges, and future opportunities.

Navigating the Clouds with an Enterprise IT Strategy

Fri, 28 Dec 2012 23:41:55 +0000

Should your institution be a cloud services leader? How do you balance the risks of innovation with the possible benefits? What about managing identity in the cloud? Furman University's IT Strategic Plan is guiding an aggressive move to cloud services. This session will look at lessons learned, opportunities, and challenges ahead. An enterprise IT strategy can guide strategic innovations using cloud services for your institution. We will discuss the forces that drove us at Furman University to pursue cloud solutions and cloud service models, as well as how identity management tied everything together. The lessons we've learned can help your institution's planning efforts for cloud services.

January 2013 is Data Privacy Month! Free Webinars and Easy Ways to Increase Awareness

Fri, 21 Dec 2012 19:05:38 +0000

Data Privacy Month is an annual effort to empower people to protect their privacy and control their digital footprint, as well as escalate the protection of privacy and data as everyone's priority. Spend the month helping to ensure your campus community is respecting privacy, safeguarding data, and enabling trust. This year’s Data Privacy Month Planning Task Force has selected weekly themes for the higher education community to focus on. Several free webinars will also be offered throughout the month of January.

UploadsAttachments:

PrivacyTower2.jpg

PrivacyHero2.jpg

Security and Privacy Sessions at EDUCAUSE 2012

Tue, 16 Oct 2012 19:47:48 +0000

The annual EDUCAUSE Conference (November 6-9) offers a variety of security and privacy-related sessions. Whether you plan to join us in Denver or participate online, we encourage you to attend as many of these presentations as possible. Also remember to mark your calendar for the upcoming Security Professionals Conference, which will be held April 15-17, 2013 in St. Louis, Missouri, and Online. A Call for Proposals is currently out, with a November 13, 2012 deadline.

Tuesday, November 6, 2012

Preconference Seminars (separate registration required)

Cloud Security Awareness

Thu, 11 Oct 2012 16:05:00 +0000

Cloud computing is similar to the Bring Your Own Device (BYOD) syndrome. You can fight it all you want, but sooner or later your organization will most likely have to accept it. A common failure with securing the Cloud is that most organizations focus on only the technical controls, such as where is the data stored or when and how is the data encrypted. However, you must also train and educate the very people using this technology or you can expose your organization to tremendous risk. Technical controls can only do so much. The following are some of the key awareness points to consider.

1. What Is The Cloud?

First, don't assume everyone in your organization knows or understands what the Cloud is. Before you start explaining policies for Cloud, explain what it is and how it works. Consider including examples; people may not realize that Google Docs or Dropbox is the Cloud.

2. Is The Cloud Allowed?

Identity and Access Management Topics at EDUCAUSE 2012

Tue, 09 Oct 2012 20:01:32 +0000

The National Strategy for Trusted Identities in Cyberspace (NSTIC) has certainly brought to light the importance of an international dialogue about the role of identity and access management (IAM) in helping to enable online services and improve cybersecurity. At the campus level, there is a need for an enterprise strategy on IAM to enable single sign-on, authenticate users, limit access to authorized individuals, and federate with other service providers. Movement away from on-campus systems to externally hosted systems and cloud providers make the need for robust identity management even more important.

The annual EDUCAUSE Conference in Denver will provide an opportunity to explore the range and depth of issues that campuses must consider as they build their enterprise IAM strategy. Below are the sessions that we would encourage you to attend.

National Cyber Security Awareness Month 2012 is HERE!

Mon, 01 Oct 2012 18:52:25 +0000

It’s that time of year again! October is National Cyber Security Awareness Month.

Help us raise awareness with your faculty, staff, and students this October by promoting National Cyber Security Awareness Month (NCSAM).

We will start the month off with an EDUCAUSE Live! webinar on October 4 (1-2 pm EDT). Register here and join Dave Cullinane, Chief Information Security Officer at eBay (retired) and Co-Founder of the Cloud Security Alliance, as he discusses “Security Awareness and Communication in the C-Suite.”

If you plan on holding an event in October, please share your plans and any applicable URL’s with this group or send an e-mail to security-council@educause.edu so your institution's activities can be included with our list of 2012 campus events.

More financial aid fraud rings targeting online learning busted

Wed, 19 Sep 2012 16:41:42 +0000

As reported in Inside Higher Ed, the U.S. Department of Education (ED) Office of the Inspector General (OIG) and the U.S. Attorney for the Eastern District of California announced yesterday the indictment of 21 people in California who were involved in financial aid fraud rings targeting online learning programs at community colleges and low-cost for-profit institutions. (You can access the PDF file of the press release here.) Collectively, the accused allegedly obtained over $770,000 using other individuals’ identities, whether freely supplied by co-conspirators or stolen, to fraudulently register for admissions and financial aid.

UploadsAttachments:

ED OIG PR FA Fraud Cases 09-18-12.pdf

Preparing for Back-to-School BYOD

Wed, 08 Aug 2012 16:51:48 +0000

With the BYOD trend on campus growing ever stronger, an IT network analyst shares his checklist to help ensure that your campus network is ready to manage the onslaught.

Can Big Data Help Universities Tackle Security, BYOD?

Tue, 07 Aug 2012 19:35:10 +0000

Universities have some of the most complex IT infrastructures around, and BYOD is a reality they can't escape. Chief Security Officers at universities are increasingly turning to Big Data analytics technologies to mine the data in their logs and improve their security footing.

Security Professionals Conference 2012 Recap

Thu, 07 Jun 2012 21:47:49 +0000

Security and IT professionals from the higher education community gathered to celebrate the 10th anniversary of the Security Professionals Conference in Indianapolis, May 15-17, 2012. This year's face-to-face event had a record-breaking 438 attendees (an increase of almost 100 participants from the 2011 conference in San Antonio). The online security conference, offered for the second year in a row, was a great success with over 100 registered attendees (estimated exposure to the full online event was approximately 250 participants).

Building a 21st Century Digital Government

Mon, 04 Jun 2012 19:20:15 +0000

President Obama has issued a directive entitled “Building a 21^st Century Digital Government” that launches a comprehensive Digital Government Strategy. According to the directive:

The innovative use of technology is fundamentally transforming how the American people do business and live their daily lives. Exponential increases in computing power, the rise of high-speed networks, and the growing mobile revolution have put the Internet at our fingertips, encouraging innovations that are giving rise to new industries and reshaping existing ones . . . However, it is time for the Federal Government to do more . . . at a time when Americans increasingly pay bills and buy tickets on mobile devices, Government services often are not optimized for smartphones or tablets, assuming the services even available online.

Software-as-a-Service Email Security: Risk vs. Trust

Tue, 29 May 2012 15:00:59 +0000

Many organizations would be interested in treating e-mail as a commodity—cutting costs and resource investments by outsourcing it to a software as a service (SaaS) provider. However, e-mail is a primary enterprise communication channel and often contains sensitive, proprietary content that needs to be protected. A significant amount of an enterprise's intellectual property is likely to be in the e-mail system's databases. Therefore, outsourcing e-mail to a third party raises important concerns about security and the risks associated with such an arrangement. This assessment provides enterprises with a framework to address these issues.

Citation for this Work: Gartner, Inc., Software-as-a-Service Email Security: Risk vs. Trust, by Bill Pray, Dan Blum, 27 March 2012.

ECAR Subscribers — You must be logged in to the EDUCAUSE website to access Gartner resources.

Access to the report expires on May 9, 2013.

May 9 IAM Online: Emerging Legal Framework for IAM

Mon, 30 Apr 2012 15:49:13 +0000

Tune in to the next IAM Online, Wednesday, May 9, 2012, at 3 p.m. ET, to learn more about "The Emerging Legal Framework for Identity and Access Management" with speaker Tom Smedinghoff (Edwards Wildman Palmer LLP) and moderator Chris Holmes (Baylor University). For more details, or to access archived sessions, visit http://www.incommon.org/iamonline.