Colleagues,
 
Today’s New York Times has a top story regarding the increase in university cyber attacks (link below), and a number of our EDUCAUSE/CIO colleagues are quoted in the story.  This follows a number of stories in 2013 that documented intrusions at a number of leading news organizations and pointed out that hacked university systems were often used as an intermediary.
 
By RICHARD PÉREZ-PEÑA

The hacking attempts, many thought to be from China, are forcing universities to spend more to prevent and detect intrusions and to constrict their culture of openness.

 
The challenge for institutions, as noted in the NYT piece, is the clash of culture that occurs between the long-held individual rights at colleges/universities and the growing need for proactive institutional risk management.
 
In recent months, the IU IT community has developed a new Cyber Risk Mitigation Policy (IT-28) and commenced its implementation on all campuses.  It affirms responsibilities for IT services and primary and secondary means of mitigating cyber risks. It mandates reviews with each administrative/academic unit and formal sign-off by each dean and the VP for IT -- much like CFOs do for financial sub-certification of accounting transactions. 
 
It will be a long journey for us, but we believe the change in our environment necessitates renewed, proactive work for both leveraged and edge IT services.
 
The complete policy is at:
 
IU Cyber Risk Mitigation Responsibilities (IT-28)
Policy Statement (excerpts)
  1. University Information Technologies Services (UITS) is responsible for operating IT facilities that maximize physical security, provide reasoned protections for IT systems from natural disasters, and minimize cyber security risks for IU data and systems.

    UITS is also responsible for provisioning an evolving set of information technology infrastructure and services that meet the common, evolving needs of all campuses and units. This may include contracting for services via cloud and off-site services providers that offer desirable and secure common services of value to the IU community.

  2. All Units of Indiana University will deploy and use IT systems and services in ways that vigilantly mitigate cyber security risks, maximize physical security for IT systems, and minimize unacceptable risks to IT systems and data from natural disasters (collectively, "Cyber Risks").

    a.     The primary means of reducing and mitigating Cyber Risks at IU is for units to use the secure facilities, common information technology infrastructure, and services provided by UITS to the greatest extent practicable for achieving their work.

    b.     To the extent that the primary means of Cyber Risk mitigation is not practicable for achieving a unit’s work, the secondary means is for Group-level and Unit-level IT providers to formally document their role, responsibilities, and ongoing vigilance to mitigate Cyber Risks to IU.
 --Brad
----------------------------------------------------------------------
IU Vice President for IT & CIO, Dean, and Professor
Indiana University, http://ovpit.iu.edu
 
********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Colleagues,

(resend with shortened NYT URL to avoid spam flagging)
 
Today’s New York Times has a top story regarding the increase in university cyber attacks (link below), and a number of our EDUCAUSE/CIO colleagues are quoted in the story.  This follows a number of stories in 2013 that documented intrusions at a number of leading news organizations and pointed out that hacked university systems were often used as an intermediary.
 
Universities Face a Rising Barrage of Cyberattacks
By RICHARD PÉREZ-PEÑA

The hacking attempts, many thought to be from China, are forcing universities to spend more to prevent and detect intrusions and to constrict their culture of openness.

 
The challenge for institutions, as noted in the NYT piece, is the clash of culture that occurs between the long-held individual rights at colleges/universities and the growing need for proactive institutional risk management.
 
In recent months, the IU IT community has developed a new Cyber Risk Mitigation Policy (IT-28) and commenced its implementation on all campuses.  It affirms responsibilities for IT services and primary and secondary means of mitigating cyber risks. It mandates reviews with each administrative/academic unit and formal sign-off by each dean and the VP for IT -- much like CFOs do for financial sub-certification of accounting transactions. 
 
It will be a long journey for us, but we believe the change in our environment necessitates renewed, proactive work for both leveraged and edge IT services.
 
The complete policy is at:
 
IU Cyber Risk Mitigation Responsibilities (IT-28)
Policy Statement (excerpts)
  1. University Information Technologies Services (UITS) is responsible for operating IT facilities that maximize physical security, provide reasoned protections for IT systems from natural disasters, and minimize cyber security risks for IU data and systems.

    UITS is also responsible for provisioning an evolving set of information technology infrastructure and services that meet the common, evolving needs of all campuses and units. This may include contracting for services via cloud and off-site services providers that offer desirable and secure common services of value to the IU community.

  2. All Units of Indiana University will deploy and use IT systems and services in ways that vigilantly mitigate cyber security risks, maximize physical security for IT systems, and minimize unacceptable risks to IT systems and data from natural disasters (collectively, "Cyber Risks").

    a.     The primary means of reducing and mitigating Cyber Risks at IU is for units to use the secure facilities, common information technology infrastructure, and services provided by UITS to the greatest extent practicable for achieving their work.

    b.     To the extent that the primary means of Cyber Risk mitigation is not practicable for achieving a unit’s work, the secondary means is for Group-level and Unit-level IT providers to formally document their role, responsibilities, and ongoing vigilance to mitigate Cyber Risks to IU.
 --Brad
----------------------------------------------------------------------
IU Vice President for IT & CIO, Dean, and Professor
Indiana University, http://ovpit.iu.edu
 

Good morning, colleagues! This article opened an interesting discussion with my staff on how we, as a small liberal arts college, are addressing cyber attacks, especially from this perspective. We know that China is not coming after a Wiley College for research data (yet), but we still need to ensure that we are protecting ourselves.

 

From a “physical” security perspective, i.e. network, we have employed various network security monitoring and other systems to assist with the identification and prevention of “hacks.” This is in addition to monitoring the various “credible” cyber attack and virus notification websites, SPAM filtering tools, Barracuda, encryption on transmittal tools, and updated firewalls.

 

The second part of this, for us, is education/communication. We constantly strive to educate the Wiley College community about internet security, especially around responding to SPAM, protection of passwords and logins, and accessing/participating in malicious activities promoted by outside entities (for example, responding to the “I need help, please send money” e-mail scams).

 

Finally, the third part is action. As soon as we identify network-related security breaches, potential attacks, network port compromises, viruses, etc., we alert the community and address them.

 

Now, while this, for us, is VERY basic, what types of things are you doing?

 

Nathaniel E. Hewitt, III

Vice President for Information Systems and Technology

Wiley College

711 Wiley Avenue

Marshall, Texas 75670

903-923-2404 (office)

903-263-9630 (cell)

903-927-2672 (fax)

nhewitt@wileyc.edu

Visit us on the web at www.wileyc.edu

Wiley College: Home of The Great Debaters

 

 
