EDUCAUSE | Security Management http://www.educause.edu/Resources/Browse/SecurityManagement/30560 en Information Security Program Assessment Tool http://www.educause.edu/library/resources/information-security-program-assessment-tool <p>This self-assessment tool was created to evaluate the maturity of higher education information security programs using as a framework the International Organization for Standardization (ISO) 27002 &#34;Information technology Security techniques. Code of practice for information security management.&#34; This tool was intended for use by an institution as a whole, although a unit within an institution may also use it to help determine the maturity of its individual information security program. Unless otherwise noted, it should be completed by chief information officer, chief information security officer or equivalent, or a designee. There are a total of 104 questions and on average it takes about 2 hours for an information security officer or equivalent, familiar with their environment, to complete this tool.</p><p><a href="http://www.educause.edu/library/resources/information-security-program-assessment-tool" target="_blank">read more</a></p> Mon, 15 Apr 2013 17:03:26 +0000 286235 at http://www.educause.edu Call for Participation: The Multi-Factor Authentication Cohortium http://www.educause.edu/blogs/vvogel/call-participation-multi-factor-authentication-cohortium <p>The <a href="https://spaces.internet2.edu/display/scalepriv/Scalable+Privacy">Internet2 Scalable Privacy Project (ScalePriv)</a>, funded with the recent National Strategy for Trusted Identities in Cyberspace (NSTIC) grant to <a href="http://www.internet2.edu">Internet2</a>, is seeking campuses to participate in the Multi-Factor Authentication (MFA) Cohortium*. 
Applications are open until April 26, 2013 (<em>note the deadline extension</em>).</p><p><a href="http://www.educause.edu/blogs/vvogel/call-participation-multi-factor-authentication-cohortium" target="_blank">read more</a></p> Wed, 20 Mar 2013 15:49:09 +0000 284860 at http://www.educause.edu An Incremental Approach to Building an Information Security Program http://www.educause.edu/ero/article/incremental-approach-building-information-security-program <ul> <li><strong>Constraints</strong> such as tight budgets, increased responsibilities, lack of resources or incentive, and disagreement on a common approach to information security <strong>pose challenges</strong> for higher education IT organizations wanting to establish <strong>a comprehensive information security program</strong>.</li> <li>An <strong>iterative approach</strong> to a security program takes advantage of <strong>regular audits</strong> to find problems and <strong>address them</strong> <strong>according to risk and priority</strong> of each lapse identified.</li> <li>The IT organization&#8217;s security program <strong>gets stronger with every audit cycle</strong>, and the approach provides a good basis for <strong>comparing past performance and measuring progress</strong>.</li></ul><p><a href="http://www.educause.edu/ero/article/incremental-approach-building-information-security-program" target="_blank">read more</a></p> Tue, 05 Mar 2013 20:59:20 +0000 283560 at http://www.educause.edu 2012 CDS Executive Summary Report http://www.educause.edu/library/resources/2012-cds-executive-summary-report <p>This report <strong>summarizes results from the EDUCAUSE Core Data Service (CDS) survey. 
</strong>Using a matched set of 616 CDS 2011 and CDS 2012 participating institutions, this year&#8217;s report is a detailed look at the most pertinent and interesting <strong>IT financial and staffing findings</strong>, with a <strong>high-level summary </strong>of the <strong>state of IT services</strong>.&#160;&#160; Key findings, important trends, and similarities and differences across different types of institutions are highlighted.</p><p><em>Citation for this Work:</em> Lang, Leah, and Pam Arroway. <em>2012 CDS Executive Summary Report</em>. Louisville, CO: EDUCAUSE, January 2013, available from <a href="http://www.educause.edu/coredata">http://www.educause.edu/coredata</a>.</p><p><strong>Note from EDUCAUSE, February 19, 2013: </strong>The original PDF of this report was corrupted and has been replaced. If you were unable to download the PDF, please dump your cache and try again. We apologize for any inconvenience. Thank you.</p><p><a href="http://www.educause.edu/library/resources/2012-cds-executive-summary-report" target="_blank">read more</a></p> Thu, 24 Jan 2013 15:34:52 +0000 280902 at http://www.educause.edu A Model for Today: Partnering with Industry to Enhance Institutional Information Security Capabilities http://www.educause.edu/events/security-professionals-conference/2013/model-today-partnering-industry-enhance-institutional-information-security-capa Many academic organizations are facing the same problems: an aging decentralized computing infrastructure, growing use of mobile devices, increasing use of network resources, and ever-present external threats. To keep pace with growing security risks, higher education organizations must implement state-of-the-art core security components, enabling them to understand information security risks holistically and provide support for teaching, learning, and research. 
Join representatives of the Rochester Institute of Technology and McAfee as they discuss their partnership and how it's helping RIT use McAfee solutions to provide countermeasures and controls to understand and defend against the current and future threats.<p><a href="http://www.educause.edu/events/security-professionals-conference/2013/model-today-partnering-industry-enhance-institutional-information-security-capa" target="_blank">read more</a></p> Sat, 12 Jan 2013 16:15:07 +0000 279944 at http://www.educause.edu ERO Video Conversation: The Relationship Between Privacy and Security http://www.educause.edu/ero/article/ero-video-conversation-relationship-between-privacy-and-security <p><a href="http://www.educause.edu/ero/article/ero-video-conversation-relationship-between-privacy-and-security" target="_blank">read more</a></p> Tue, 08 Jan 2013 17:13:46 +0000 279531 at http://www.educause.edu Privacy, Security, and Compliance: Strange Bedfellows, or a Marriage Made in Heaven? http://www.educause.edu/ero/article/privacy-security-and-compliance-strange-bedfellows-or-marriage-made-heaven <p>The authors examine several campus issues lying at the intersection of privacy, security, and compliance and provide insight for institutional leaders planning strategic directions.</p><p><a href="http://www.educause.edu/ero/article/privacy-security-and-compliance-strange-bedfellows-or-marriage-made-heaven" target="_blank">read more</a></p> Fri, 04 Jan 2013 18:00:24 +0000 279281 at http://www.educause.edu Creating an IT Security Baseline http://www.educause.edu/events/security-professionals-conference/2013/creating-it-security-baseline <p>The UW&#8211;Madison Office of Campus Information Security has worked with the campus community to develop a baseline information systems security standard that&#39;s intended to help departments on campus create a measurable and minimally acceptable baseline security program. 
The technical controls have been developed collaboratively with campus departments and vetted through various on- and off-campus groups. The baseline security standard outlines security controls all campus IT departments should implement including controls for endpoint security, access control, physical security, policy and awareness, and application security for custom web applications.</p><p><a href="http://www.educause.edu/events/security-professionals-conference/2013/creating-it-security-baseline" target="_blank">read more</a></p> Sat, 29 Dec 2012 00:03:12 +0000 278934 at http://www.educause.edu Security Smackdown: End-User Awareness Programs vs. Technology Solutions http://www.educause.edu/events/security-professionals-conference/2013/security-smackdown-end-user-awareness-programs-vs-technology-solutions How effective is end-user security awareness education? Would it be better to allocate our scarce resources to improving our technology? Two members of the same information security team at the University of Pennsylvania will square off on opposite sides: "They'll never learn and they shouldn't have to!" versus "We're only as strong as our weakest user!" In a point-counterpoint format, we will consider various types of end-user awareness tools (blogs, videos, etc.) and the sorts of problems they aim to solve. We'll debate whether we are effectively reaching our end users and if technological alternatives are within our reach that can accomplish similar ends. 
<p><a href="http://www.educause.edu/events/security-professionals-conference/2013/security-smackdown-end-user-awareness-programs-vs-technology-solutions" target="_blank">read more</a></p> Sat, 29 Dec 2012 00:03:09 +0000 278931 at http://www.educause.edu A Practitioner's Approach for Developing Information Security Policy http://www.educause.edu/events/enterprise-it-leadership-conference/2013/practitioners-approach-developing-information-security-policy An institution developing its information security policy by basing it on lofty ideals and stringent standards may demand far more than its staff is capable of delivering, which risks frustrating staff to the point of resistance, outright rebellion, or clandestine noncompliance. This strategy can also create a risk of legal liability, as an institution may instantly place itself out of compliance with its own documented policy. This session will outline a strategy for phasing in policy provisions, inclusive of key executive, managerial, and technical staff members, and provide a template of policies, standards, and procedures.<p><a href="http://www.educause.edu/events/enterprise-it-leadership-conference/2013/practitioners-approach-developing-information-security-policy" target="_blank">read more</a></p> Fri, 28 Dec 2012 23:40:59 +0000 278875 at http://www.educause.edu A Practitioner's Approach for Developing Information Security Policy http://www.educause.edu/events/security-professionals-conference/2013/practitioners-approach-developing-information-security-policy An institution developing its information security policy by basing it on lofty ideals and stringent standards may demand far more than its staff is capable of delivering, which risks frustrating staff to the point of resistance, outright rebellion, or clandestine noncompliance. This strategy can also create a risk of legal liability, as an institution may instantly place itself out of compliance with its own documented policy. 
This session will outline a strategy for phasing in policy provisions, inclusive of key executive, managerial, and technical staff members, and provide a template of policies, standards, and procedures.<p><a href="http://www.educause.edu/events/security-professionals-conference/2013/practitioners-approach-developing-information-security-policy" target="_blank">read more</a></p> Fri, 28 Dec 2012 23:32:21 +0000 278854 at http://www.educause.edu Practical Project Management for Security Implementation in Enterprise Systems http://www.educause.edu/events/security-professionals-conference/2013/practical-project-management-security-implementation-enterprise-systems <p>Security implementation is, or should be, a part of every enterprise system, not an add-on after the fact. One of the best ways to ensure effective IT security is to have a seat at the table throughout the life cycle of the project. Project management strategies provide a systematic approach for including the appropriate areas while assigning responsibility and accountability for projects. Join University of Wisconsin&#8211;Milwaukee staff to learn how project management strategies are improving information security in enterprise systems and how to employ the same strategies at your institution.</p><p><a href="http://www.educause.edu/events/security-professionals-conference/2013/practical-project-management-security-implementation-enterprise-systems" target="_blank">read more</a></p> Fri, 28 Dec 2012 23:32:10 +0000 278842 at http://www.educause.edu The Enemy Is Us: Doing the Work of Information Security Better http://www.educause.edu/events/security-professionals-conference/2013/enemy-us-doing-work-information-security-better <p>Within information security departments, staff often get so bogged down in &#34;getting the job done&#34; that they can never assess how they are doing their job and whether they can do anything to improve the quality and efficiency of their work. 
If you&#39;re part of an information security group, this presentation will help you evaluate how things get done, figure out how to make policies and regulations work for you, teach you new techniques for getting a better sense of the problem, and help you set up relationships that can assist any group with achieving its goals.</p><p><a href="http://www.educause.edu/events/security-professionals-conference/2013/enemy-us-doing-work-information-security-better" target="_blank">read more</a></p> Fri, 28 Dec 2012 23:32:07 +0000 278838 at http://www.educause.edu A Pragmatic Information Security Program for Small Institutions http://www.educause.edu/events/security-professionals-conference/2013/pragmatic-information-security-program-small-institutions When no one has "information security" in their job title, how can a small institution develop (and maintain) a reasonable IT security profile? An institution's information security profile is increasingly important, and it's not just IT's problem anymore. But for smaller institutions with limited resources, effectively implementing a security program can be a real challenge. 
The goal of this session is to provide those who have ownership of information security oversight with a pathway to implement a security program with controls that are reasonable, sustainable, comprehensive, and effective&#8212;and with resources that probably aren't tagged just for security.<p><a href="http://www.educause.edu/events/security-professionals-conference/2013/pragmatic-information-security-program-small-institutions" target="_blank">read more</a></p> Fri, 28 Dec 2012 23:02:18 +0000 278826 at http://www.educause.edu IT Service Metrics 101 http://www.educause.edu/ero/article/it-service-metrics-101 <ul> <li>These guidelines to service metrics explain <strong>what to measure </strong>and<strong> how, when, and why</strong> to measure it.</li> <li><strong>Trends</strong> <strong>reveal the most</strong> about services and performance, alerting an IT department to problems as they develop or to success in their service delivery efforts.</li> <li><strong>Service subscription rates and customer surveys</strong> provide the <strong>best metrics for identifying trends</strong> because the only way to know what customers think about your organization&#39;s ability to deliver services is to ask them.</li> <li>Do <em>not</em> gather a bunch of metric data just because you can &#8212; <strong>start with high-level service goals</strong> and then <strong>identify the metrics</strong> that can help gauge <strong>how well those goals are being met</strong>.</li></ul><p><a href="http://www.educause.edu/ero/article/it-service-metrics-101" target="_blank">read more</a></p> Thu, 13 Dec 2012 18:35:26 +0000 278168 at http://www.educause.edu Bootstrapping IT Security http://www.educause.edu/nercomp-annual-conference/2013/bootstrapping-it-security This session will cover the history of the Brown Security Round Table, the benefits of this committee, and lessons learned. 
Come and talk to some of the founding members of this committee to learn how we are expanding security coverage without expanding resources. Learn how the committee provides great value and an excellent opportunity for cross-pollination, and why we believe it will help us innovate in this area into the future. Get a leg up by taking away our best practices and skip over the bumps we encountered when we got started.<p><a href="http://www.educause.edu/nercomp-annual-conference/2013/bootstrapping-it-security" target="_blank">read more</a></p> Tue, 11 Dec 2012 01:29:53 +0000 277939 at http://www.educause.edu Advice from Lance Spitzner on Information Security Careers http://www.educause.edu/blogs/lspitzner/advice-lance-spitzner-information-security-careers <p>I often get requests asking how to get started in information security. I can&#39;t blame people, it is an extremely exciting field. What I like most about it is that everything is so new; often there are no rules on how to do things. You make the rules up as you go along, almost like blazing a path in the wild jungle just as the explorers did hundreds of years ago.</p><p>Here are some suggestions on how to get started based on my experience. I feel these work regardless if you are an existing IT person or coming from a different field. Personally, my background was a History major that spent four years in the Army driving around in tanks, so if you have the passion anyone can get started in this field.</p><p><a href="http://www.educause.edu/blogs/lspitzner/advice-lance-spitzner-information-security-careers" target="_blank">read more</a></p> Mon, 29 Oct 2012 19:46:59 +0000 274671 at http://www.educause.edu Advice from Lance Spitzner on Cybersecurity Careers http://www.educause.edu/blogs/lspitzner/advice-lance-spitzner-cybersecurity-careers <p>I often get requests asking how to get started in information security. I can&#39;t blame people, it is an extremely exciting field. 
What I like most about it is that everything is so new; often there are no rules on how to do things. You make the rules up as you go along, almost like blazing a path in the wild jungle just as the explorers did hundreds of years ago.</p><p>Here are some suggestions on how to get started based on my experience. I feel these work regardless if you are an existing IT person or coming from a different field. Personally, my background was a History major that spent four years in the Army driving around in tanks, so if you have the passion anyone can get started in this field.</p><p><a href="http://www.educause.edu/blogs/lspitzner/advice-lance-spitzner-cybersecurity-careers" target="_blank">read more</a></p> Mon, 29 Oct 2012 19:45:51 +0000 274670 at http://www.educause.edu EDUCAUSE Core Data Service 2012 Almanacs http://www.educause.edu/library/resources/educause-core-data-service-2012-almanacs <p>These two-page, easy-to-scan summaries distill CDS data in a variety of categories that include IT Financing, IT Staffing, Support Services, and many other service areas.</p><ul> <li><a href="http://net.educause.edu/ir/library/pdf/CDA1201.pdf" title="All Non-Specialized U.S. Institutions">All Non-Specialized U.S. 
Institutions</a></li> <li><a href="http://net.educause.edu/ir/library/pdf/CDA1202.pdf" title="Associate's Colleges (AA)">Associate&#39;s Colleges (AA)</a></li> <li><a href="http://net.educause.edu/ir/library/pdf/CDA1203.pdf" title="Baccalaureate Colleges-General (BA GEN)">Baccalaureate Colleges (BA)</a></li> <li><a href="http://net.educause.edu/ir/library/pdf/CDA1204.pdf" title="Master's Institutions (MA I and MA II)">Master&#39;s Institutions (MA I and MA II)</a></li> <li><a href="http://net.educause.edu/ir/library/pdf/CDA1205.pdf" title="Doctoral Institutions (DR EXT and DR INT)">Doctoral Institutions (DR EXT and DR INT)</a></li></ul><p><a href="http://www.educause.edu/library/resources/educause-core-data-service-2012-almanacs" target="_blank">read more</a></p> Thu, 25 Oct 2012 19:39:40 +0000 274334 at http://www.educause.edu Security and Privacy Sessions at EDUCAUSE 2012 http://www.educause.edu/blogs/vvogel/security-and-privacy-sessions-educause-2012 <p>The <a href="http://www.educause.edu/annual-conference/2012">annual EDUCAUSE Conference</a> (November 6-9) offers a variety of <a href="http://www.educause.edu/annual-conference/agenda-and-program/search?filters=tid%3A44961">security and privacy-related sessions</a>. Whether you plan to join us in Denver or participate online, we encourage you to attend as many of these presentations as possible. Also remember to mark your calendar for the upcoming <a href="http://www.educause.edu/events/security-professionals-conference">Security Professionals Conference</a>, which will be held April 15-17, 2013 in St. Louis, Missouri, and Online. 
A <a href="http://www.educause.edu/events/security-professionals-conference/call-proposals">Call for Proposals </a>is currently out, with a November 13, 2012 deadline.</p><h4><em><strong>Tuesday, November 6, 2012</strong></em></h4><p><strong>Preconference Seminars (<em>separate registration required</em>)</strong></p><p><a href="http://www.educause.edu/blogs/vvogel/security-and-privacy-sessions-educause-2012" target="_blank">read more</a></p> Tue, 16 Oct 2012 19:47:48 +0000 273154 at http://www.educause.edu The Real Reason the Human is the Weakest Link http://www.educause.edu/blogs/lspitzner/real-reason-human-weakest-link <p>Computers and mobile devices store, process, and transfer highly valuable information. As a result, your organization most likely invests a great deal of resources to protect them. Protect the end point and you protect the information. Humans also store, process, and transfer information. Employees are in many ways another operating system -- the HumanOS. Yet if you compare how much organizations invest in securing people compared to computers and mobile devices, you would be stunned at the difference. Let&#39;s take a look. 
Organizations typically invest the following in protecting an end device, including:</p><p><a href="http://www.educause.edu/blogs/lspitzner/real-reason-human-weakest-link" target="_blank">read more</a></p> Mon, 15 Oct 2012 14:35:29 +0000 272909 at http://www.educause.edu Security Awareness and Communication in the C-Suite http://www.educause.edu/library/resources/security-awareness-and-communication-c-suite <p>Drawing on more than 30 years of global experience, Dave Cullinane will share challenges that CISOs face while in the C-suite. This session will focus on how to <strong>advance executive understanding and awareness</strong> of recent challenges such as<strong> cloud security, privacy, compliance, BYOD, enterprise risk management</strong>, and other issues currently faced by campuses.</p><p>This webinar is part of National Cyber Security Awareness Month. Find out how you can participate in activities like this one throughout the month. <a href="http://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-initiative">Learn more &#62;&#62;</a></p><p><a href="http://www.educause.edu/library/resources/security-awareness-and-communication-c-suite" target="_blank">read more</a></p> Thu, 04 Oct 2012 15:52:43 +0000 271831 at http://www.educause.edu Security Awareness on Social Media http://www.educause.edu/blogs/lspitzner/security-awareness-social-media <p>Social media is one of the fastest growing areas of online activity, and one of the fastest growing areas for malicious cyber activity. 
Even if your organization blocks access to social media sites, there are a tremendous number of risks you have to make your faculty, staff and students aware of. Here are some of the key points we recommend in any awareness program concerning social media sites.</p><p><a href="http://www.educause.edu/blogs/lspitzner/security-awareness-social-media" target="_blank">read more</a></p> Mon, 01 Oct 2012 14:23:38 +0000 271369 at http://www.educause.edu National Cyber Security Awareness Month http://www.educause.edu/ero/article/national-cyber-security-awareness-month <p>National Cyber Security Awareness Month, held each October, is the perfect time to raise awareness among students, faculty, staff, and administrators about ways they can be safer and more secure online. No one person, company, or agency is responsible for the security of the Internet; everyone must do his or her part. <em>Cybersecurity is our shared responsibility.</em></p><p><a href="http://www.educause.edu/ero/article/national-cyber-security-awareness-month" target="_blank">read more</a></p> Fri, 17 Aug 2012 21:35:40 +0000 267902 at http://www.educause.edu Prepare for National Cyber Security Awareness Month http://www.educause.edu/blogs/vvogel/prepare-national-cyber-security-awareness-month <h5><strong><em>Two Easy Ways to Increase Awareness</em></strong></h5><p>October is National Cyber Security Awareness Month (NCSAM). 
Below are two easy ways to increase information security awareness on your campus.</p><p><a href="http://www.educause.edu/blogs/vvogel/prepare-national-cyber-security-awareness-month" target="_blank">read more</a></p> Wed, 08 Aug 2012 20:00:04 +0000 267409 at http://www.educause.edu