Current Issue
May/June 2013
EDUCAUSE Review
Annual Conference
October 15–18, 2013
Register now!
Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.
EDUCAUSE Institute
Leadership/Management Programs
Explore More
Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.
Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.
This EDUCAUSE discussion group is sponsored by the EDUCAUSE/Internet2 Higher Education Information Security Council (formerly the Security Task Force). The purpose of the discussion group is to provide a forum to identify problems and share strategies or solutions to improve the security of college and university computers and networks. The discussion group will also inform the Information Security Council leadership of current issues and trends and will help identify and promote effective practices.
All participants must follow the Participation Guidelines.
If you have questions or concerns about this listserv, please e-mail security-council@educause.edu.
Ben,
We use Touchnet hosting services and have limited our PCI scope. We’ve had no problems. We’ve been using it for several years. If you need further info from me – contact me directly.
Thanks,
Cheryl
Cheryl O’Dell, CISSP
Emporia State University
Information Technology
Director, Information Security and Compliance
1200 Commercial, Campus Box 4018, Emporia, Kansas 66801
codell@emporia.edu 620-341-5969
Hello all,
I’ve seen other U’s that have the email directory behind the portal log-in—still allows for collaboration, but is not “public” or open to the world. I would love to see this model here—just cuts down on external crawling of our site and protects the users.
We have 2 things at KU—one a student may choose to restrict their email address from showing up in the public/online directory if they do that in the privacy settings.
Second, at KU we have email as directory info, however, our policy states that email in bulk is not released due to privacy issues.
Further, our state Open Records/Sunshine laws allows us to not provide bulk listings e.g. name + email of all students if the requesting party is asking for the listing for...
Greetings,
Perhaps like many others, we are continuously adding applications that can be accessed through our single sign on portal. Some of these applications are administrative and provide access to sensitive data. We are taking a number of steps to reduce the risks associated with the portal but we are wondering what steps other entities are taking?
Do any of you have double or separate factor authentication for critical administrative applications provided within the portal?
Below are some of the things that we have/are effecting;
· An “I have read this checkbox” containing security best practices upon first logon
...We are deliberating over whether we should or shouldn't include student email addresses in our list of directory information elements as allowed by FERPA. If you institution has chosen not to include email addresses as part of directory information, how do you control unauthorized access in a way that doesn't stymy collaboration among students and among students and industry representatives If your institution has chosen email addresses to be part of directory information, have you faced a barrage of Freedom of Access requests under your state laws (if applicable)?
----------------
John...
Yeah, it sounds scary, but don’t most systems protect the password file so that hackers don’t have easy attack access? Or are we to assume that attackers have easy access to our password files? If that’s the case, then we probably all need to convert to two or three factor authentication, including tokens or biometrics.
Kevin
We use SCEP with SCCM and it works well. The price is great and its really easy to manage using SCCM. With SCCM you have good built in reports and it allows you to create custom reports as well if you like to look at reports.
Matt
Does anyone use the DNS service OpenDNS, either the free version or the purchased product called Umbrella, for their campus DNS service? If so I’d appreciate it if you could provide your thoughts on service. Or info if you are using another similar product.
- How long have you used OpenDNS?
- Have you seen a reduction in phishing attempts and/or malware on your campus network?
- Have you seen any difference with performance?
- Are you using the free or purchased version?
- ...
I’m trying to gauge what other institutions are doing regarding clickable links in instant messaging programs. We currently block links that are sent through our Microsoft Lync implementation but we’d like to determine what other peer institutions are doing.
Does your university block clickable links through technical means? Do you allow clickable links but display a pop-up or warning message? Or do you deal with this issue strictly from an awareness perspective?
Thanks for any information you can share!
Becky Thurmond Fowler, CISSP
Information Security and Access Management
Division of Information Technology
University of Missouri
(573)...
Greetings:
I’m hiring an Information Security Analyst (ISA) for Salem State University in Salem Massachusetts. An ideal candidate is motivated and enthusiastic about security. The ISA is responsible for monitoring the university network for security vulnerabilities and compromised systems. The candidate accomplishes these goals by monitoring intrusion detection systems, performing vulnerability assessments and management of network firewalls.
Qualifications:
1. Three years of information security experience.
2. A bachelor degree in appropriate area of expertise or industry recognized certification such as SANS/GIAC, or CISSP.
3. Strong knowledge of security flaws such as weak configurations, SQL injection, cross site scripting, buffer overflows and social engineering.
We have just posted a newly created position here in the System Administration division of the University of Colorado. This division is similar to what some other multi-campus systems call the Office of the President. That means we’re small (<400 staff, 100 of which are IT) and have no faculty or students – purely administrative staff. We are located in our own office building in downtown Denver (1800 Grant St), just a few blocks from the capital. We have a focus on our ERP systems (PeopleSoft) and other multi-campus services (research administration, data warehouse, etc.), as well as the IT services for the division staff (AD, Exchange, SharePoint, etc).
The position is for a mid-level (or ambitious junior) information security analyst to take the lead on operational security technical work in...
Hi Folks....
Has anyone else been approached by Google Maps to allow them to "map your campus" in detail - presumably, for student navigation purposes?? Here's the "agreement" that they want us to sign off on. I have some basic concerns, but - then again - my concerns
may be completely unfounded. So - I thought I'd offer this up to this group to see what your collective wisdom would respond with....(note the
italicized entry)....
Let me know what you all think....
Thanks,
Michael
Agreement
We (the “Property Owner”, “Property Manager”, or “Property Operator”) hereby permit Google Inc. (through its employees, affiliates or agents) to enter the publicly accessible areas of the properties described above, at a time and in the manner directed by our designated...
Hey Educause…..any thoughts here?
We come on this discussion group for the free exchange of ideas – and THIS is allowed!?
Wow…..
From: Dennis Meharchand [mailto:dennis@valtx.com]
Sent: Wednesday, December 07, 2011 1:25 PM
To: SCHALIP, MICHAEL
Subject: RE: Michael - Patent Infringement Notice
Michael,
I think your response was bad form.
I am instructing my lawyers to file the first patent infringement lawsuit against CNM.
Let’s see how much of a bad publicity stunt this is.
...Hello Colleagues,
At your University, what department or function is responsible for the overall administration of the PCI DSS program i.e. administrator of policy(PCI requirement 12), etc.?
I would really appreciate your responses.
Carlos
Carlos S. Lobato, CISA, CIA
IT Compliance Officer
New Mexico State University
Information and Communication Technologies
MSC 3AT PO Box 30001
Las Cruces, NM 88003
Phone (575) 646-5902
Fax (575) 646-5278
Hello,
We are in the process of implementing whole disk encryption on our university owned laptops. Initially, we will be using bitlocker on our Windows computers and I was looking to get some feedback from others on their experiences with roll out and management issues with this technology.
Thanks,
Jim
Please let me know if there is anything additional I can assist you with to ensure the service you received today has been excellent.
James R. Pardonek Assistant Director... |
Hello All,
For those PCI DSS Compliance Gurus, how do you assure University-Wide PCI DSS compliance?
I would really appreciate any feedback I can get from experts as Audit Committees have a tendency to ask basic compliance questions and request global assurance.
I would also appreciate approches used at your University to address global compliance assurance or other general opinions, comments, etc.
Carlos
Carlos S. Lobato, CISA, CIA
IT Compliance Officer
New...
Hi All,
Quick Poll Please:
1 Is your campus using, or does it plan to use, Two-Factor authentication for its most privileged users (e.g., system administrators logging in remotely)?
2 Do you think you should?
Thanks!
:: Daniel Sarazen, CISSP, CISA :: Senior Information Technology Auditor |
Hi All,
Polling to see how other campuses are handling DMCA take down notices. Ours has risen to a level current process is not working efficiently. We are hearing some universities are:
1) Ignoring notices from copyright holders
2) Outright blocking of file sharing as "95% are used for nefarious purposes"
Interested to see how other institutions are addressing.
Thanks
Ed
Ed Hudson, CISM
Information Security Office
California State University, Chico
http://www.csuchico.edu/isec/index.shtml
Office: (530) 898-6307
ewhudson@csuchico.edu
...
Hi All,
We have some folks who’d like to see Deepfreeze installed on all lab PCs, but the IT department is balking. What do people think is the best reason to not install deepfreeze? Is there one?
Thanks,
Dan
It’s also important to note that different states have different requirements for the content of a notification letter, so you probably want to check with your counsel’s office regarding whether your letter meets those requirements.
Kerry L. Childe, CIPP/US
Senior Privacy and Regulatory Counsel
TG
P.O. Box 83100
Round Rock, Texas 78683-3100
512.219.2921
800.252.9743 x 2921
kerry.childe@tgslc.org
ACC IT, Privacy, and eCommerce Committee Vice Chair
We are thinking about changing our network architecture.
As our network has grown and the complexity of our public facing systems and connectivity needs of those systems has increased, we are wondering what value our DMZ delivers.
As an example, public facing systems in the DMZ that require access to LDAP/AD for AAA, SQL for database lookups, Exchange for mail delivery and relay, etc.
For those of you with non-trivial public facing systems, where do you draw the balance line between security and access? If our most visible public facing systems (most likely to be attacked) require internal AAA & SQL access, what are we protecting?
Given current system requirements and...
Current Issue
May/June 2013
EDUCAUSE Review
Annual Conference
October 15–18, 2013
Register now!
Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.
EDUCAUSE Institute
Leadership/Management Programs
Explore More
Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.
Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.
