EDUCAUSE | Data Security

Cloud Computing in Education

Tue, 12 Mar 2013 22:09:43 +0000

This video, produced by TeachPrivacy, discusses the benefits and risks of educational institutions using cloud computing providers. Advice is provided for how educational institutions should choose cloud providers, establish a relationship with them, and maintain that relationship with the appropriate protections for privacy and data security.

The Wild-Card Character of "Bring Your Own": A Panel Discussion

Tue, 12 Mar 2013 17:36:16 +0000

Panelists on the front lines of higher education information technology share their thoughts on BYOD and what it could mean for colleges and universities.

Privacy and Security Initiatives and Recommendations from the U.S. Department of Education

Wed, 13 Feb 2013 20:53:58 +0000

At EDUCAUSE 2012, U.S. Department of Education speakers discussed new privacy and security initiatives, as well as offering recommendations on navigating privacy efforts and preparing for and managing security breaches.
Many of the new amendments to FERPA exceptions were developed in order to improve accountability in data sharing.
At the heart of breach prevention and response are solid, established processes and targeted oversight.

Top Information Security Concerns for Researchers

Tue, 12 Feb 2013 17:08:56 +0000

Communicating information security issues with campus researchers is a common challenge in the higher education community. Often, researchers may not see information security or data protection as their concern. A new HEISC resource, Top Information Security Concerns for Researchers: Protecting Your Intellectual Assets, provides 10 sets of questions for researchers to consider about their data while also offering relevant resources for protecting that research data.

Questions or comments about this resource? Please contact us: security-council@educause.edu.

Data Privacy Day 2013 Event

Tue, 29 Jan 2013 01:43:35 +0000

The National Cyber Security Alliance (NCSA), a non-profit public-private partnership focused on helping all digital citizens stay safer and more secure online, kicked off Data Privacy Day 2013 with a forum at the George Washington University Law School, along with Federal Trade Commissioner Maureen Ohlhausen and other privacy and security experts from AT&T, Facebook, Intel, MasterCard, Microsoft and the federal government. The theme of the event was "Respecting Privacy, Safeguarding Data, and Enabling Trust." The forum explored a wide range of issues including respecting privacy, safeguarding data, privacy innovation, and the implications for personal information in the digital age and the mobile environment.

Writing a Data Management Plan

Fri, 25 Jan 2013 22:50:56 +0000

The University of Colorado at Boulder Libraries has created a useful page to assist in writing data management plans, which are now requried by funding agencies and are part of the grant application process.

Managing Risk and Compliance by Implementing DLP to Ensure Data Security

Fri, 18 Jan 2013 23:30:07 +0000

Did a university e-mail contain employee PII data? Did we just FTP a file that contains alumni PCI data? In this seminar, you will learn how Saint Louis University increased its ability to prevent the loss of restricted, sensitive, and confidential data. Hear the university's strategy to use DLP to elevate compliance and win grants. Detection of data loss is the first step in preventing loss. In this session, we will discuss simple means to mitigate the risk and exposure of the data-loss problem.

Data Privacy Month Awareness Video, 2013

Mon, 14 Jan 2013 17:08:11 +0000

SANS and EDUCAUSE have developed a free privacy awareness video that colleges and universities can use during Data Privacy Month in January, and throughout the year, in their privacy education and training efforts. High and low resolution versions of the video are available.

ERO Video Conversation: The Relationship Between Privacy and Security

Tue, 08 Jan 2013 17:13:46 +0000

Amassing Student Data and Dissipating Privacy Rights

Fri, 04 Jan 2013 19:26:49 +0000

Changes to student privacy regulations and government programs such as the Education Data Initiative underscore the need for meaningful oversight for the protection of student data.

Bring Your Own Cloud: Data Management Challenges in a Click-Through World

Fri, 28 Dec 2012 23:32:10 +0000

Consumer cloud-based services are easy to set up, low cost, and familiar. It's understandable why clients would automatically turn to them for their data-storage needs. But what happens when data security challenges expediency? We will explore a complex case study to examine a university group that turned to free cloud services to share sensitive data. Our discussion will focus on challenges conducting distributed research with limited resources and computing personnel. Solutions to the case will be considered, including working across organizational borders to advocate for customers, building client awareness, and conducting routine security assessments.

Third-Party Assessments: Not Just a Questionnaire

Fri, 28 Dec 2012 23:02:21 +0000

Four years ago, Indiana University began assessing the security of cloud vendors and other third parties using a simple questionnaire. Over time, the process has matured to take advantage of IU's data-classification system and a more formal governance structure involving institutional data stewards and compliance groups. We've also improved our assessment questionnaire and the data-protection language that goes into our contracts. In this presentation, we will track IU's progress on third-party assessments, including successes and obstacles, while encouraging attendees and online participants to share parallel experiences from their own institutions. We'll also discuss goals for future improvements.

January 2013 is Data Privacy Month! Free Webinars and Easy Ways to Increase Awareness

Fri, 21 Dec 2012 19:05:38 +0000

Data Privacy Month is an annual effort to empower people to protect their privacy and control their digital footprint, as well as escalate the protection of privacy and data as everyone's priority. Spend the month helping to ensure your campus community is respecting privacy, safeguarding data, and enabling trust. This year’s Data Privacy Month Planning Task Force has selected weekly themes for the higher education community to focus on. Several free webinars will also be offered throughout the month of January.

UploadsAttachments:

PrivacyTower2.jpg

PrivacyHero2.jpg

Data Classification, Security, and Compliance: Helping Users Help Themselves

Thu, 13 Dec 2012 18:26:05 +0000

Being able to accurately identify, manage, and secure data is imperative in an era where every sector, higher education included, is data-driven.
The goal of data classification policy is to allow users to understand, better manage, and employ an appropriate level of security for the data.
Using a risk-based approach, the University of Michigan targeted sensitive regulated data because such data have specific legal and regulatory requirements, as well as fines and penalties for non-compliance.
Development of a database-driven tool will better explain why specific types of data may be used in specific IT services and under what conditions, as well as provide for a self-service model for users to identify sensitive data and compliant IT systems.

Cloud Security Debate: Cloud Now or Cloud How?

Fri, 30 Nov 2012 21:28:33 +0000

During the often-fiery 2012 presidential debate season, a lively debate of a different sort held at Indiana University (IU) featured passionate arguments on the nature, status, and future of cloud security in and beyond the higher education environs. Moderated by Brad Wheeler, IU's vice president for IT and CIO, the debate featured two figures characterized by Wheeler as symbolic leaders of the "Cloud Now" and "Cloud How" parties:

Shel Waggener (Cloud Now) is Senior Vice President at Internet2, where he leads the non-profit's cloud initiative, called NET+ Services. Waggener was previously CIO for a networking division at Lucent Technologies and CIO and Associate Chancellor at the University of California, Berkeley.

Fred H. Cate (Cloud How) is Distinguished Professor and C. Ben Dutton Professor of Law at IU's Maurer School of Law, and director of both the Center for Applied Cybersecurity Research and the Center for Law, Ethics, and Applied Research in Health Information.

Following are highlights of the Waggener–Cate debate, including salient points, key quotes, and a bit of the color and passion that permeated the sometimes sprawling and always interesting discussion. A full, unabridged transcript is available here. —Editor

Data Custodians, It's 11 p.m.: Do You Know Where Your Confidential Data Is?

Mon, 26 Nov 2012 20:02:21 +0000

Many campuses find that the proliferation and continued storage of confidential data on desktop and laptop computers to be one of their top security risks. In combination with policy and awareness programs, data loss prevention products can be used to proactively identify and directly notify end users of these sources of risk for proper remediation. Our panelists will share their experiences working with academic, administrative, and governance units to protect data—legally, ethically, and technically. Bring your experience and questions to this important session.

Joint AAU/COGR Letter on FAR FISMA Rule

Tue, 23 Oct 2012 18:58:42 +0000

This October 18, 2012 letter from the Association af American Universities (AAU) and the Council on Governmental Relations (COGR) sent to the U.S. General Services Administration (GSA) is a response to the proposed amendment to the Federal Acquisition Regulation (FAR) to hold contractors responsible "for the basic safeguarding of contractor information systems that contain information provided by or generated for the Government (other than public information)" (see https://www.federalregister.gov/articles/2012/08/24/2012-20881/federal-acquisition-regulation-basic-safeguarding-of-contractor-information-systems#h-4).

AAU and COGR had previously commented on the DFARS (Case 2008-D028, “Safeguarding Unclassified Information”). In this letter, they express concern "about the broad potential scope of the information subject to these requirements."

Sensitive Regulated Data: Permitted and Restricted Uses

Tue, 07 Aug 2012 21:18:50 +0000

The University of Michigan engages in research, teaching, clinical, and business activities that encompass a variety of sensitive regulated data. This standard defines permitted and restricted uses of such university-owned data, including the IT environments in which these data are maintained by university faculty and staff.

Can Big Data Help Universities Tackle Security, BYOD?

Tue, 07 Aug 2012 19:35:10 +0000

Universities have some of the most complex IT infrastructures around, and BYOD is a reality they can't escape. Chief Security Officers at universities are increasingly turning to Big Data analytics technologies to mine the data in their logs and improve their security footing.

Policy Implications of Big Data and Analytics

Wed, 01 Aug 2012 21:32:45 +0000

EDUCAUSE Policy recently asked association representatives from ACE, AACC, NACUBO, AASCU, and NAICU what they think are the policy implications that arise with the increased use of big data and analytics in higher education?

For BYOD Best Practices, Secure Data, Not Devices

Mon, 23 Jul 2012 15:41:00 +0000

Author, Thor Olavsrud, writes for CIO Magazine that "IT organizations are justifiably concerned about the security risks inherent in bringing your own device (BYOD). Many are turning to mobile device management (MDM) products and services to address the problem. But a number of mobile security vendors believe organizations are focusing the device when they should be focusing on the data."

Podcast: Larry Conrad on IT Security Then and Now

Tue, 17 Jul 2012 21:18:36 +0000

Larry D. Conrad serves as the vice chancellor for information technology and chief information officer at UNC Chapel Hill. He has over 40 years experience in the field of information technology with a diverse background in both university and corporate settings. In this conversation, Larry discusses IT security then and now.

Music: "New Pop Wave" by sebastian6

EDUCAUSE Podcast Sponsor

Understanding and Managing the Risks of Analytics in Higher Education: A Guide

Tue, 03 Jul 2012 14:43:27 +0000

This guide provides an introduction to the major risk categories faced by a higher education institution considering investments in time, energy, and money in analytics work. Under the right circumstances, decision making can be enhanced by the tools and techniques of analytics; large data sets, analytics engines, and new data visualization techniques have considerable potential to enhance both student learning and institutional business intelligence. However, careful consideration must be given to the risks of such investments for those in institutional leadership roles as well as the risks associated with data and information governance, compliance, and quality.

Policy Dimensions of Analytics in Higher Education

Wed, 27 Jun 2012 20:17:29 +0000

With the increasing demand for more and better analytics, the IT community needs to work with other campus stakeholders to ensure that appropriate data governance, classification, roles and responsibilities, and other policies and procedures are in place.

Security Professionals Conference 2012 Recap

Thu, 07 Jun 2012 21:47:49 +0000

Security and IT professionals from the higher education community gathered to celebrate the 10th anniversary of the Security Professionals Conference in Indianapolis, May 15-17, 2012. This year's face-to-face event had a record-breaking 438 attendees (an increase of almost 100 participants from the 2011 conference in San Antonio). The online security conference, offered for the second year in a row, was a great success with over 100 registered attendees (estimated exposure to the full online event was approximately 250 participants).