EDUCAUSE | Access Control http://www.educause.edu/Resources/Browse/AccessControl/30509 Information Security Program Assessment Tool http://www.educause.edu/library/resources/information-security-program-assessment-tool <p>This self-assessment tool was created to evaluate the maturity of higher education information security programs using as a framework the International Organization for Standardization (ISO) 27002 &#34;Information technology Security techniques. Code of practice for information security management.&#34; This tool was intended for use by an institution as a whole, although a unit within an institution may also use it to help determine the maturity of its individual information security program. Unless otherwise noted, it should be completed by the chief information officer, chief information security officer or equivalent, or a designee. 
There are a total of 104 questions and on average it takes about 2 hours for an information security officer or equivalent, familiar with their environment, to complete this tool.</p><p><a href="http://www.educause.edu/library/resources/information-security-program-assessment-tool" target="_blank">read more</a></p> Mon, 15 Apr 2013 17:03:26 +0000 286235 at http://www.educause.edu An Incremental Approach to Building an Information Security Program http://www.educause.edu/ero/article/incremental-approach-building-information-security-program <ul> <li><strong>Constraints</strong> such as tight budgets, increased responsibilities, lack of resources or incentive, and disagreement on a common approach to information security <strong>pose challenges</strong> for higher education IT organizations wanting to establish <strong>a comprehensive information security program</strong>.</li> <li>An <strong>iterative approach</strong> to a security program takes advantage of <strong>regular audits</strong> to find problems and <strong>address them</strong> <strong>according to risk and priority</strong> of each lapse identified.</li> <li>The IT organization&#8217;s security program <strong>gets stronger with every audit cycle</strong>, and the approach provides a good basis for <strong>comparing past performance and measuring progress</strong>.</li></ul><p><a href="http://www.educause.edu/ero/article/incremental-approach-building-information-security-program" target="_blank">read more</a></p> Tue, 05 Mar 2013 20:59:20 +0000 283560 at http://www.educause.edu Leadership Discussion: Identity and Access Management in Higher Education http://www.educause.edu/southeast-regional-conference/2013/leadership-discussion-identity-and-access-management-higher-education Has your campus established an enterprise strategy for identity and access management? Does your IAM architecture facilitate easy migration to the cloud? 
Is your IAM system standards-based and interoperable with other identity providers and service providers? Are you prepared to federate with other institutions of higher education, the federal government, and the private sector? Are you working toward InCommon Silver certification? This discussion session is designed to bring together CIOs, IT directors, IT architects, managers, and other leaders responsible for IAM to discuss effective practices and solutions, current challenges, and future opportunities.<p><a href="http://www.educause.edu/southeast-regional-conference/2013/leadership-discussion-identity-and-access-management-higher-education" target="_blank">read more</a></p> Fri, 11 Jan 2013 22:30:08 +0000 279856 at http://www.educause.edu Creating an IT Security Baseline http://www.educause.edu/events/security-professionals-conference/2013/creating-it-security-baseline <p>The UW&#8211;Madison Office of Campus Information Security has worked with the campus community to develop a baseline information systems security standard that&#39;s intended to help departments on campus create a measurable and minimally acceptable baseline security program. The technical controls have been developed collaboratively with campus departments and vetted through various on- and off-campus groups. 
The baseline security standard outlines security controls all campus IT departments should implement including controls for endpoint security, access control, physical security, policy and awareness, and application security for custom web applications.</p><p><a href="http://www.educause.edu/events/security-professionals-conference/2013/creating-it-security-baseline" target="_blank">read more</a></p> Sat, 29 Dec 2012 00:03:12 +0000 278934 at http://www.educause.edu 7 Ways BYOD Could Get You Sued http://www.educause.edu/library/resources/7-ways-byod-could-get-you-sued <p>The author, Sam Narisi, discusses some of the biggest legal issues to consider when coming up with a BYOD policy and strategy.</p><p><a href="http://www.educause.edu/library/resources/7-ways-byod-could-get-you-sued" target="_blank">read more</a></p> Tue, 07 Aug 2012 20:27:47 +0000 267328 at http://www.educause.edu Transitioning between Access Management Products: Sun to Oracle http://www.educause.edu/annual-conference/2012/transitioning-between-access-management-products-sun-oracle <p>The University of Guelph converted its key systems from Sun Access Manager to Oracle Access Manager and is now finalizing the transition. While OAM is a commercial product, we will discuss a number of custom solutions we added to expand functionality, to minimize the impact of the transition between two distinct products, and to lower costs.</p><p><a href="http://www.educause.edu/annual-conference/2012/transitioning-between-access-management-products-sun-oracle" target="_blank">read more</a></p> Wed, 27 Jun 2012 20:05:19 +0000 264008 at http://www.educause.edu There's Data Lurking in Your Labs! http://www.educause.edu/events/security-professionals-conference/theres-data-lurking-your-labs Securing the research data spread across your institution is a challenge requiring robust processes of discovery, triage, and diplomacy. 
Almost inevitably some of your most critical research data will be stored lovingly in a wetlab on an SGI Indy that "must not be patched." This presentation will describe how the School of Arts and Sciences at UPenn has combined university policy with data "interventions" to entice researchers to move critical data to centralized services. We'll discuss access control, service agreements, and charge-backs and how to convince faculty without using FUD (fear, uncertainty, and doubt). Attendees will leave with a reproducible model for finding and securing research data. <p><a href="http://www.educause.edu/events/security-professionals-conference/theres-data-lurking-your-labs" target="_blank">read more</a></p> Mon, 30 Jan 2012 15:48:18 +0000 245646 at http://www.educause.edu Protecting the Security of Research Data http://www.educause.edu/library/resources/protecting-security-research-data <p>The effective protection and management of research data has become a hot topic in U.S. higher education. <strong>Funding agencies increasingly require data management plans as part of grant submittals</strong>, and research offices are being asked to certify the security of research data generated by grant activity. Heretofore, the context for data management and information security activities and initiatives in higher education largely focused on the &#8220;enterprise&#8221; (administrative) data of the institution, not those data generated by research activities.<strong> IT professionals need to be aware that many academic research endeavors include the collection, analysis, and/or storage of sensitive data, the integrity, confidentiality, and availability of which must be asserted and demonstrated</strong>. In many cases, the security of sensitive information gathered in the conduct of research is required by law. 
<strong>This research bulletin discusses an over-arching approach by which campus IT solutions can be architected and deployed in such a way as to provide adequate management of research data assets without hindering the research process.</strong></p><p><em>Citation for this Work:</em> Conrad, Larry D., Ruth Marinshaw, and Stan Waddell. &#8220;Protecting the Security of Research Data.&#8221; (Research Bulletin). Boulder, CO: EDUCAUSE Center for Applied Research, November 8, 2011, available from <a href="http://www.educause.edu/ecar">http://www.educause.edu/ecar</a>.</p><p><a href="http://www.educause.edu/library/resources/protecting-security-research-data" target="_blank">read more</a></p> Mon, 07 Nov 2011 22:35:47 +0000 241119 at http://www.educause.edu September 14 IAM Online: Get Schooled on the New Grouper 2.0 http://www.educause.edu/blogs/vvogel/september-14-iam-online-get-schooled-new-grouper-20 <p> Tune in to the next IAM Online, which will take place <strong>Wednesday, September 14</strong>, at <strong>3 p.m. EDT</strong>, to &quot;<strong><a href="http://www.incommon.org/iamonline/">Get Schooled on the New Grouper 2.0</a></strong>&quot; with Grouper Development Team members Tom Barton (University of Chicago) and Chris Hyzer (University of Pennsylvania). For more details, or to access archived sessions, visit <a href="http://www.incommon.org/iamonline">http://www.incommon.org/iamonline</a>.</p><p><a href="http://www.educause.edu/blogs/vvogel/september-14-iam-online-get-schooled-new-grouper-20" target="_blank">read more</a></p> Tue, 30 Aug 2011 17:18:29 +0000 235044 at http://www.educause.edu Guide to Enterprise Telework and Remote Access Security (SP 800-46 Revision 1) http://www.educause.edu/library/resources/guide-enterprise-telework-and-remote-access-security-sp-800-46-revision-1 <p> Many organizations&rsquo; employees and contractors use enterprise telework technologies to perform work from external locations. 
Most teleworkers use remote access technologies to interface with an organization&rsquo;s non-public computing resources. The nature of telework and remote access technologies&mdash;permitting access to protected resources from external networks and often external hosts as well&mdash;generally places them at higher risk than similar technologies only accessed from inside the organization, as well as increasing the risk to the internal resources made available to teleworkers through remote access.</p><p> This publication, authored by Karen Scarfone and Murugiah Souppaya, <strong>provides information on security considerations for several types of remote access solutions, and it makes recommendations for securing a variety of telework and remote access technologies. It also gives advice on creating telework security policies.</strong></p><p><a href="http://www.educause.edu/library/resources/guide-enterprise-telework-and-remote-access-security-sp-800-46-revision-1" target="_blank">read more</a></p> Fri, 10 Jun 2011 14:52:11 +0000 230363 at http://www.educause.edu e-academy http://www.educause.edu/node/228140 With over 10 years of experience, e-academy has grown to be the global leader in software delivery solutions for the worldwide education market. Over 30,000 academic organizations in more than 100 countries trust e-academy to help manage their software licensing and distribution. Come visit our booth to find out how we can help you! http://www.e-academy.com<p><a href="http://www.educause.edu/node/228140" target="_blank">read more</a></p> Mon, 02 May 2011 19:05:06 +0000 228140 at http://www.educause.edu April 13 IAM Online: Social Identities, Open IDs and Guest/Affiliate Access http://www.educause.edu/blogs/vvogel/april-13-iam-online-social-identities-open-ids-and-guestaffiliate-access <p>Miss the April 13 IAM Online? 
The session archive and slides for “<a href="http://www.incommon.org/iamonline/">Social Identities, Open IDs and Guest/Affiliate Access</a>” are available for review online. This presentation focused on the pros and cons of using social networking identities or Open IDs to provide guest access to low-risk campus services, and included a demo from Penn State. The presenters were: Dedra Chamberlin, University of California Berkeley; Debbie Bucci, National Institutes of Health; and Chris Hubing, Penn State. For more details, or to access other archived sessions, visit <a href="http://www.incommon.org/iamonline">http://www.incommon.org/iamonline</a>.</p><p><a href="http://www.educause.edu/blogs/vvogel/april-13-iam-online-social-identities-open-ids-and-guestaffiliate-access" target="_blank">read more</a></p> Fri, 22 Apr 2011 17:20:54 +0000 227664 at http://www.educause.edu Day CAMP: Getting Started with InCommon (February 15-16) http://www.educause.edu/blogs/vvogel/day-camp-getting-started-incommon-february-15-16 <p>Thinking about joining the <a href="http://www.incommon.org" target="_blank">InCommon Federation</a>, but want to know more about what's involved? Or have you just become a member and are now working on next steps? Consider attending <a href="http://www.incommon.org/camp" target="_blank">Day CAMP: Getting Started with the InCommon Federation</a>, February 15-16, 2011. This session will be hosted in Providence, Rhode Island, by NEREN, OSHEAN and Five Colleges, Inc with support from Internet2. Registration is now open and all are welcome.</p><p>The meeting will feature technical and management information for higher education institutions looking to run an identity provider to access federated services. 
Attendees will:</p><p><a href="http://www.educause.edu/blogs/vvogel/day-camp-getting-started-incommon-february-15-16" target="_blank">read more</a></p> Fri, 28 Jan 2011 23:23:11 +0000 222796 at http://www.educause.edu Penn State Electronic Security and Access Systems http://www.educause.edu/library/resources/penn-state-electronic-security-and-access-systems <p>It is the policy of The Pennsylvania State University to preserve an open access environment for students, faculty, staff, and the general community while facilitating safety and security by establishing and maintaining standards for electronic security and access control. To that end, standards and procedures, as established by this policy, shall be implemented for all new construction or facility alterations, for access to electronic security information including surveillance and electronically stored information, and for all applicable safety and security enhancements. </p><p><a href="http://www.educause.edu/library/resources/penn-state-electronic-security-and-access-systems" target="_blank">read more</a></p> Mon, 24 Jan 2011 22:04:52 +0000 222501 at http://www.educause.edu Pressure Cooker: Access Controls in New and Existing ERP Systems http://www.educause.edu/events/security-professionals-conference/2011/pressure-cooker-access-controls-new-and-existing-erp-systems This session will address security access control from the dual perspectives of new and existing ERP implementations. The challenges range from demonstrating effective audit controls immediately after an implementation to unraveling the complexities of an existing system that has organically changed over the years. The University of Arizona used an array of pretesting and process validations to prepare for an audit of 12,000 faculty/staff accounts and role assignments in the PeopleSoft payroll system six months after conversion. 
Pima Community College used strategic planning, business process revision, and data steward empowerment to rearchitect 1,700 faculty/staff accounts in the Banner ERP system.<p><a href="http://www.educause.edu/events/security-professionals-conference/2011/pressure-cooker-access-controls-new-and-existing-erp-systems" target="_blank">read more</a></p> Mon, 24 Jan 2011 22:01:45 +0000 222468 at http://www.educause.edu December 9 IAM Online: Federated Access to Science Services and Infrastructures http://www.educause.edu/blogs/vvogel/december-9-iam-online-federated-access-science-services-and-infrastructures <p>Tune in to the next IAM Online, “<a href="http://www.incommon.org/iamonline/" target="_blank">Federated Access to Science Services and Infrastructures</a>,” which will take place Thursday, December 9, at 1 p.m. EST. Increasingly Virtual Organizations (VOs) of scientists are collaborating across organizational boundaries, using large-scale cyberinfrastructure and hosted cloud services. For small and medium VOs the adoption burden is high to leverage such resources and enable secure access. This IAM Online will look at work being done to enable federated access to these services and infrastructures, and lower the barriers for such adoption. </p><p><a href="http://www.educause.edu/blogs/vvogel/december-9-iam-online-federated-access-science-services-and-infrastructures" target="_blank">read more</a></p> Thu, 02 Dec 2010 17:14:49 +0000 219211 at http://www.educause.edu Top Information Security Concerns for Campus Executives & Data Stewards http://www.educause.edu/library/resources/top-information-security-concerns-campus-executives-data-stewards <p>This new Higher Education Information Security Council (HEISC) resource, Top Information Security Concerns for Campus Executives &amp; Data Stewards, is the first in a series of awareness messages targeted to different institutional audiences. 
This resource may help encourage campus executives, data stewards, and others to explore information security from their own perspective and see how it relates to their responsibilities on campus. This resource also may serve as a tool to help an information security professional start a conversation on campus and share additional resources.</p><p><a href="http://www.educause.edu/library/resources/top-information-security-concerns-campus-executives-data-stewards" target="_blank">read more</a></p> Wed, 22 Sep 2010 18:17:32 +0000 214015 at http://www.educause.edu Top Information Security Concerns for Campus Executives & Data Stewards http://www.educause.edu/blogs/vvogel/top-information-security-concerns-campus-executives-data-stewards <p>One of the Higher Education Information Security Council's goals is to help information security professionals frame information security challenges in a way that appeals more broadly to institutional leaders. This new HEISC resource, <a href="https://wiki.internet2.edu:443/confluence/x/P4By" target="_blank">Top Information Security Concerns for Campus Executives &amp; Data Stewards</a>, is the first in a series of awareness messages targeted to different institutional audiences. We want to encourage campus executives, data stewards, and others to explore information security from their own perspective and see how it relates to their responsibilities on campus. This resource may serve as a tool to help start a conversation on campus and share additional resources.</p><p>Your feedback is welcome! 
Please send an e-mail to <a href="mailto:security-council@educause.edu?subject=Top Information Security Concerns">security-council@educause.edu</a>.</p><p><a href="http://www.educause.edu/blogs/vvogel/top-information-security-concerns-campus-executives-data-stewards" target="_blank">read more</a></p> Tue, 21 Sep 2010 20:54:20 +0000 213988 at http://www.educause.edu New EDUCAUSE Web Access: Now Easier and More Secure http://www.educause.edu/blogs/vvogel/new-educause-web-access-now-easier-and-more-secure <p>EDUCAUSE has now made access to its web resources available through the <a href="http://www.incommonfederation.org" target="_blank">InCommon Federation</a>. As a result, any college or university that participates in InCommon can easily provide their staff or representatives with federated access to the EDUCAUSE site by leveraging its existing campus identity management system. In other words, after a short <a href="http://www.educause.edu/idp_setup/info" target="_blank">set up process</a>, you can use the same User Name and Password you use at your institution to access our site. No more need to remember <em>yet another</em> set of login credentials!</p><p>To learn more about this topic, please see the following resources:</p><p><a href="http://www.educause.edu/blogs/vvogel/new-educause-web-access-now-easier-and-more-secure" target="_blank">read more</a></p> Wed, 07 Jul 2010 19:49:31 +0000 207581 at http://www.educause.edu Federating With EDUCAUSE http://www.educause.edu/blogs/vvogel/federating-educause <p>EDUCAUSE has now made access to its web resources available through the <a href="http://www.incommonfederation.org" target="_blank">InCommon Federation</a>. As a result, any college or university that participates in InCommon can easily provide their staff or representatives with federated access to the EDUCAUSE site by leveraging its existing campus identity management system. 
In other words, after a short <a href="http://www.educause.edu/idp_setup/info" target="_blank">set up process</a>, you can use the same User Name and Password you use at your institution to access our site. No more need to remember <em>yet another</em> set of login credentials! </p><p>To learn more about this topic, please see the following resources: </p><p><a href="http://www.educause.edu/blogs/vvogel/federating-educause" target="_blank">read more</a></p> Wed, 07 Jul 2010 19:47:16 +0000 207580 at http://www.educause.edu Spotlight on Cloud Computing Series: Community Clouds http://www.educause.edu/library/resources/spotlight-cloud-computing-series-community-clouds <p>Many institutions in the education community are considering moving some aspect of their business to &quot;the cloud.&quot; Moving to the cloud could mean outsourcing your e-mail to Google or migrating your existing server infrastructure to a virtualization platform such as VMware. What are some of the alternatives in between? Can our community apply some of the lessons learned in developing advanced networks for education to so-called community clouds?</p><p>One of the useful ways to look at cloud computing is through the variables of access and control. At one extreme everyone has access to resources in the cloud, while at the other access is limited to only the owner. Looking at control, the owner can have complete control or a third party can be making all the key decisions. In the middle of this matrix lies a hybrid that is best called &quot;community cloud computing.&quot; A community cloud seems to be particularly attractive to educational institutions. The reasons why educational institutions have chosen community cloud–based applications and resources include reduced cost, improved performance, easier troubleshooting, and enhanced privacy and control.</p><p>In this session, we'll hear about what community clouds are and what they offer from representatives of two major U.S. 
regional networks.</p><p><a href="http://www.educause.edu/library/resources/spotlight-cloud-computing-series-community-clouds" target="_blank">read more</a></p> Mon, 21 Jun 2010 15:27:46 +0000 206880 at http://www.educause.edu Electronic Records Management: Today’s High Stakes http://www.educause.edu/library/resources/electronic-records-management-today%E2%80%99s-high-stakes <p> This ECAR research bulletin discusses the issues involved in successful electronic records management and provides guidance on how to start and sustain an electronic records management program at your institution. As a foundation for this bulletin, the authors base their insights on professional experience as well as careful exploration of the proceedings of an electronic records forum, &ldquo;Managing University Digital Assets and Resources: Collaborative Approaches and Persistent Challenges,&rdquo; held at Michigan State University in September 2008, and Ronald Yanosky&rsquo;s 2009 ECAR research study, <em>Institutional Data Management in Higher Education.</em> The research bulletin also draws upon the experiences of many higher education institutions to recommend strategies for institutions moving forward.</p><p> <em>Citation for this Work: </em>Ghering, Cynthia, Judith Borreson Caruso, and David Gift. &ldquo;Electronic Records Management: Today&rsquo;s High Stakes&rdquo; (Research Bulletin 8, 2010). 
Boulder, CO: EDUCAUSE Center for Applied Research, 2010, available from <a href="http://www.educause.edu/ecar">http://www.educause.edu/ecar</a>.</p><p><a href="http://www.educause.edu/library/resources/electronic-records-management-today%E2%80%99s-high-stakes" target="_blank">read more</a></p> Tue, 20 Apr 2010 14:12:39 +0000 203360 at http://www.educause.edu April 8 IAM Online: Making Federation Happen http://www.educause.edu/blogs/vvogel/april-8-iam-online-making-federation-happen <p>The next <a href="http://www.incommonfederation.org/iamonline/" target="_blank">IAM Online</a> will take place Thursday, April 8, at 1 p.m. EDT. John O’Keefe (Lafayette College) and Joel Cooper (Carleton College) will present “Federated Identity Essentials: Making Federation Happen.” This session will demonstrate how schools of all sizes can get started with <a href="http://www.incommon.org" target="_blank">InCommon</a> and federated identity management. The speakers will identify the specific policy and technical steps that lead to successfully joining InCommon and leveraging your identity management system for use with resource providers. For more details, or to access archived sessions, visit <a href="http://www.incommon.org/iamonline/" target="_blank">http://www.incommon.org/iamonline/</a>.</p><p><a href="http://www.educause.edu/blogs/vvogel/april-8-iam-online-making-federation-happen" target="_blank">read more</a></p> Mon, 05 Apr 2010 19:49:42 +0000 202622 at http://www.educause.edu Exploring or Supporting Federated Access? Come to InCommon CAMP http://www.educause.edu/blogs/vvogel/exploring-or-supporting-federated-access-come-incommon-camp <p>New to InCommon or federating now? Manager or technical implementer? This year’s CAMP (Campus Architecture and Middleware Planning) has something for you. Check out the <a href="https://spaces.internet2.edu/display/CAMPJune2010/Program" target="_blank">program</a> that’s available now; speakers will be added weekly. 
Register by May 10 to save money with low early-bird rates at <a href="http://www.incommon.org/camp" target="_blank">www.incommon.org/camp</a>.</p><p>If you are new to InCommon or thinking about joining, come to CAMP and leave with a plan and practical advice including</p><p><a href="http://www.educause.edu/blogs/vvogel/exploring-or-supporting-federated-access-come-incommon-camp" target="_blank">read more</a></p> Wed, 31 Mar 2010 16:15:29 +0000 202398 at http://www.educause.edu Session Podcast: A Vision for Identity and Access Management in Higher Education http://www.educause.edu/blogs/gbayne/session-podcast-vision-identity-and-access-management-higher-education <p>Access to electronic institutional resources requires a robust identity management system, including processes for federation of credentials and services. This session provides a vision for identity and access management in higher education and an overview of federation services provided by InCommon, as well as a review of other community efforts to advance institutional adoption of policies, processes, and solutions for identity and access management.</p><p>Presenters for this session include:</p><ul> <li><a href="http://www.educause.edu/PeerDirectory/750?ID=93945">Linda Hilton</a>, CIO for Vermont State Colleges</li> <li><a href="http://www.educause.edu/PeerDirectory/750?ID=39065">John Seuss</a>, Vice President of IT and CIO for the University of Maryland, Baltimore County</li></ul><p>Music: &quot;Memorial Day&quot; by <a href="http://www.musicalley.com/music/listeners/artistdetails.php?BandHash=7137d9c2471bc32be78069c6f4d366f9">Jaime Beauchamp</a></p><p><a href="http://www.educause.edu/blogs/gbayne/session-podcast-vision-identity-and-access-management-higher-education" target="_blank">read more</a></p> 33:56 EDUCAUSE Tue, 30 Mar 2010 22:40:51 +0000 202360 at http://www.educause.edu