Main Nav

Participate in this Group

Search This Group

March 19, 2013 | Paul Howell

Good afternoon,

 There’s still time to register for the 2013 Security Professionals Conference!

 I hope that you will join us for the 11th annual gathering of security and privacy professionals. This year’s program includes many technical sessions, as well as new tracks on privacy and career development. We’ve also launched several new activities focusing on professional development, mentoring, and community building.

 If you can’t be there in person, please consider participating in the online conference, which will include 9 webcasts and 5 exclusive online sessions.

For more information about registering, visit:

March 13, 2013 | Tim Doty
On 03/13/2013 09:42 AM, Ken Connelly wrote: > Already received one query about this... mailserv is old and will barf > on html-only messages. The subscribe message needs to be plain-text or > at least multipart/mixed. It also chokes on signed messages. I'm kinda slow today... Tim Doty
March 13, 2013 | David Gillett
I recall (fondly) a recommendation that HTML emails should be answered in PostScript. David Gillett CISSP CCNP
March 13, 2013 | Christopher Jones

For those of you using Orbis’ Co-Curricular Record system, I would be interested in knowing what method of authentication you are employing.  Orbis recommends LDAPS authentication via Active Directory (for those who are Microsoft shops).  This would mean allowing Orbis access to our AD servers via port 686.  If anyone is using this application and is allowing AD authentication, I would be interested in hearing your comments/concerns.  Thanks in advance for your responses.


Christopher Jones

IT Security Analyst

University of the Fraser Valley


March 12, 2013 | Carlos S. Lobato

Hello Colleagues,


At your University, what department or function is responsible for the overall administration of the PCI DSS program i.e. administrator of policy(PCI requirement 12), etc.?


I would really appreciate your responses.




Carlos S. Lobato, CISA, CIA

IT Compliance Officer


New Mexico State University

Information and Communication Technologies

MSC 3AT PO Box 30001

Las Cruces, NM  88003


Phone (575) 646-5902

Fax (575) 646-5278

March 11, 2013 | Edward Zawacki
I'm curious as to whether anyone has taken advantage of their campus' Microsoft licensing agreement to switch from say McAffee or Symantec's endpoint solution to Microsoft's? If so, how are you feeling about the Microsoft solution? Or, if you thought about it and decided not to do it, I'm also interested in the rationale/any documentation you might have on that decision. (Obviously, the cost savings would be nice, but I'm not too impressed by what I see from MS. Just wondering if I'm missing something) Thanks -- Ed Zawacki Chief Information Security and Privacy Officer Academic Computing and Communications Center University of Illinois at Chicago (312) 996-0658 General Security Line: (312) 432-0074
March 7, 2013 | Barron Hulver
I did the same thing when I moved us from open to closed. That is, I logged everything. I then used a combination of frequency analysis on the log files and researching the appropriate firewall rules to determine how to set the appropriate rules. It was a long process with a few ports denied incorrectly, but overall it went well. Barron Barron Hulver Director of Networking, Operations, and Systems Center for Information Technology Oberlin College 148 West College Street Oberlin, OH 44074 440-775-8702
March 7, 2013 | Kim Heimbrock

We are in the process of putting a banner on our ‘myNKU’ portal (which all fac, staff, students must use), as well as the password change page:


Usage of Northern Kentucky University systems, networks, and services is governed by official NKU Information Technology and NKU Security Policies.  By accessing these resources you agree to use all information technology resources responsibly, and comply with NKU policies and guidelines, found at " v:shapes="_x0000_s1026">Here is a sample of the banner:


March 6, 2013 | A. J. Wright

Is anyone using a Vulnerability (Information) Management tool that has been worth the money?

If so, which?





A. J. Wright 
Chief Information Security Officer


University of Tennessee – System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN  37996-1717
Phone:  865-974-0637



March 5, 2013 | Kris Monroe

I see there was a similar request on the list just over a year ago, but thought I’d ask again.

Anyone on the list use CampusGuard to help them with PCI-DSS compliance?

We’re thinking of using a 3rd party PCI DSS compliance consultant to evaluate us and give recommendations.

Please feel free to contact me off list if you so desire.

Open to other consultant companies as well.






Kris Monroe, CISSP, CISA, CISM

Information Security Officer


Ithaca College

953 Danby Rd. | Ithaca, NY 14850 | ithaca....

March 5, 2013 | Alex Everett

This may be slightly tangent, but-
One consideration you should have is what happens to single high bandwidth "streams" exceeding 1Gbps (or so).
Do they not get inspected, dropped, only the first so many bytes are inspected, or only a subset of inspections take place?
Today, we do not have a solution like I believe you are describing.
We use load/stream balancing to attain a theoretical max of 40Gbps, such that each device only receive a portion of our total traffic.


Alex Everett
University of North Carolina - Chapel Hill

March 4, 2013 | Josh Flaherty



We are working on our mobile device policy and are wondering how many require registration of mobile devices?  Also we are considering a limit on the number of devices allowed on the network per user and are wondering if others also enforce a similar policy.


Thank You.


Josh Flaherty

Information Technology Security Officer

Indiana State University



***The Office of Information Technology staff will never ask for your password or other confidential information via email.***


February 28, 2013 | Matt Morton



I have had very good experiences with SecureWorks.  Feel free to call or email offline if you want more information.


Matt Morton, CISSP, MHEA

Chief Information Security Officer

University of Nebraska at Omaha

6001 Dodge St., Omaha NE  68182

mmorton at

402.554.2425 (o)

402.214.5943 (m)


February 27, 2013 | Zachery S. Mitcham



I posted the survey in the EDUCAUSE Group Forum of Linkedin.




Zachery S. Mitcham, MSA | Information Technology Security Officer| Information Technology Systems (ITS)|

910 962 3047|mitchamz@uncw.edu |UNC Wilmington | 

601 South College Road | Wilmington, NC  28403-5616

"Security is Everyone's Business"

  AskTAC for self...

February 25, 2013 | Mark Reboli

Does anyone have a mobile phone disclaimer for a university app that they would be kind enough to share?


Mark Reboli

Network/Telcom Manager

Misericordia University

(570) 674-6753


February 21, 2013 | Phil Erlenbeck
I can tell you that after deploying Proofpoint the number of tickets I received for Phishing messages dropped from about 30 a month to 2 or 3 a month. I've been happy with support and we had a tech walk us through every step of the deployment. Some of our users were confused about the digest messages and thought that everything in the Audit section was being blocked, so do your best to communicate how it works as best you can. --Phil
February 21, 2013 | David A. Curry
As those of you at schools using Banner know, Ellucian has still not certified Banner to run on Java 7; Java 6 (including the browser plug-in) must be installed on end users' desktops. Java 6, of course, has reached the end of its public update period, which means any future updates after the end of this month will come through Ellucian rather than Oracle (or so they tell us).

Aside from the increased difficulty of trying to keep a down-rev version of Java installed on systems used by Banner users, especially since our users have admin rights and are therefore free to update Java when they want and will do so if another application asks them to, we are of course concerned that maintaining a down-rev version of the Java plug-in will expose these systems to increased risk of compromise because of security vulnerabilities. This is particularly worrying because, of course, the people who use Banner are also the people who work with lots of personally...
February 20, 2013 | Kevin Halgren
See here: I was amused to see my own words quoted as "according to one member." I don't mind, I don't feel that my words warranted attribution. However it's a good reminder to us all that this is a public forum and anyone can see what we've posted by going to this link: Kevin
February 20, 2013 | Matthew Milliron
To answer the community’s questions regarding who was notified by EDUCAUSE about the server breach, below is further information. Who was notified? Individuals with active EDUCAUSE website profiles and administrative and technical contacts for .edu domain accounts were notified via e-mail on Tuesday, February 19. Because e-mail delivery isn’t always guaranteed, EDUCAUSE also posted messages in social media, on its website, in several constituent and discussion groups, and on the .edu website. Members and individuals who do not have an EDUCAUSE website profile or are not a .edu domain holder were not notified because they do not need to take any action. This includes individuals who subscribe exclusively to our constituent and discussion groups. Prior to June 8, 2012, subscribers to EDUCAUSE groups were not required to have a profile; therefore, many individuals who only use this service are not affected. For more information, please visit our web page:...
February 20, 2013 | Karl Bernard
We (IT Security) have been asked to work on a project to do a POC setup of an AWS Virtual Private Cloud (VPC) that will in turn be IPsec tunneled back to our infrastructure using a Cisco ISA. We're slowly working our way through that part, but my biggest question is that when I was looking at the AWS management console, I couldn't find any activity logs for who's logged into the management console and what changes have been made. Does anyone know if this is available, or where I can find it if I've overlooked it? Ideally, we would like to see those logs come back to our 'real' network via syslog through the VPN tunnel, or via some kind of secure log streaming from AWS itself.

Related to this - has anyone setup a HIPAA-compliant VPC with AWS or with any other cloud infrastructure vendors?

Thanks for your input,

Karl Bernard
Senior Information Security Analyst
UTHealth, Academic Health Center at...
March 15, 2012 | Dean J. Williams
Is anyone allowing vendors to remote control your employees' computers with products such as LogMeIn?  

A company from whom we lease printers has been getting departmental staff to let them control their computers with LogMeIn, for the purposes of installing printer drivers and configuring campus printers.  Giving strangers access to institutional computers that are likely to contain sensitive information makes me a little nervous. 

Whether it's a printer vendor or an employee who wants to do it, though, the demand for remote control or remote desktop doesn't seem to be diminishing.  Has anyone found a secure and practical balance between the advantages of remote control, and the risks that come with it?   Any specific product experience, good or bad? 

(We use SimpleHelp for IT staff to share clients' screens, but I see that as quite different from letting a vendor do so...
March 8, 2012 | Walter Petruska
USF is investigating new solutions to the functions of DNS, DHCP and IP address management.

We would like something which is highly available, integrates well or can supplement/replace a windows-based DHCP service, has multi-level administration, logging and can provide DNSSEC/IPv6 functionality.

I've been looking at Bluecat Networks, but been repeatedly put off by their pre-sales approach and refusal to discuss pricing for planning.

Any comments/ suggestions regarding your own use of Bluecat Networks, or identification of alternative solutions is appreciated.

Walter Petruska CISSP, CISA, CGEIT
Information Security Officer

University of San Francisco
Lone Mountain North - 2nd Floor
2130 Fulton Street
San Francisco, CA 94117...
January 19, 2012 | Robert Bayn
When a user reports a phish message with a "click here" link that goes to a google doc, it's easy to submit an abuse notice using the link at the bottom of the doc form.  If a webserver is compromised, the phisher may install a SourceForge phpformgenerator.  I've found in several instances that you can go to the first level directory in the link to the form and see the phpformgenerator management screen.  And it often lets anyone who sees the page delete any of the forms created by the formgenerator.  That at least temporarily disables the mischief while I contact the site owner to check for the compromise.

Bob Bayn          (435)797-2396            IT Security Team
January 11, 2012 | Dennis Self
We are looking for an efficient, secure means to distribute new account information to our constituents.  Today we snail-mail letters with a temporary password to a setup system where the user can set their usable password.  If you have a solution that has worked well for you and is strong in security and identity verification, would you reply to me directly, please?

Dennis Self
Director, IT Security & Compliance
Technology Services
Samford University
(205) 726-2692
December 30, 2011 | Julie Myers

We have a four level data classification structure at the University of Rochester:  Legally Restricted, Confidential, Internal Use Only, Public. 


I know many university’s have a data classification policy and within that policy examples are highlighted for the reader.  I was wondering if anyone has taken their data classification process down to the next level and created a data map / schema to assist the end users and to try remove the shades of gray when trying to classify department specific information ?  We continually are question on “what is confidential” and are trying to more clearly define this for our end users. 


I hope you all have a wonderful New Year !


Thank you,


December 12, 2011 | James L. Mayne

TCU has always provided user’s with static ip addresses using dhcp reservations. However with the flood of new mobile devices it is straining our ability to efficiently assign these types of ip addresses. In discussing a movement to dynamic addresses the issue of incident response and troubleshooting comes up.


Would others using dynamic addresses share their tactics and any estimate of added effort involved when tracking down issues identified by ip addresses, whether they be from external complaints, IDS logs, firewall logs etc.





Jim Mayne
Information Security Services


December 11, 2011 | Listserv Anonymous User
Message from

Back in 2009 Daniel Sarazen University of Massachusetts asked the group about requiring SAS70's or third-party assessments of both large and small contracts/companies. Unfortunately, only one person responded to the question about "should an entity require SAS70 or equivalent for large contracts as well as small ones in the $300 range". Once again the question has come up across the security groups here at UNM-HSC. I am curious what other academic health centers positions are in regard to requiring "third-party analysis of controls" when outsourcing ePHI or PII. Given the risk of breach costs (reputational, notification, potential fines, etc.) IMHO the risks are too high to not require an independent assessment no matter the size of the contract. There are beneficial smaller services that our researchers and physicians find by companies that cannot afford SAS70 audits. So, for those smaller contracts with smaller companies does anyone...
December 1, 2011 | Michael Cole
Is anyone on the list using the CopySence appliance from Audible Magic to deter file sharing of copyright protected material instead of limiting or blocking p2p traffic altogether?  If so we be interested in hearing your experience with the product, good or bad.
Michael A. Cole '2010
Manager of Network Operations
Clark University
950 Main street
Worcester,  MA  01610
November 29, 2011 | Matthew Y. Giannetto

We’re experiencing a very frustrating issue with Microsoft BitLocker on our Dell Latitude E-Series laptops.  The problem is that occasionally and for no discernable reason, the TPM module for the laptop gets disabled in the BIOS.  This causes the system to prompt for a BitLocker Recovery Key at boot, rendering the system useless until the user contacts the help desk.  


I’m hoping to compare notes with other institutions that are using TPM with hard drive encryption so we can try to isolate a cause for our problem.  For anyone using hard drive encryption (BitLocker or otherwise) with TPM, would you mind giving me a little info about your deployment and experiences?

·         What laptop make and model do you use?  Approximately how many are in your environment?

November 23, 2011 | Paul Kelly


World Congress on Internet Security (WorldCIS-2012)
Technically Co-Sponsored by IEEE UK/RI Computer Chapter and IEEE K/W Section
June 10-12, 2012

The World Congress on Internet Security (WorldCIS-2012)
is Technically Co-Sponsored by IEEE UK/RI Computer Chapter
and IEEE K/W Section. The WorldCIS-2012 is an international
forum dedicated to the advancement of the theory and practical
implementation of security on the Internet and Computer Networks.
The inability to properly secure the Internet, computer networks,
protecting the Internet...

November 22, 2011 | Listserv Anonymous User
Message from

Hi everyone,

I'd like to encourage you to have a look at PenTest Magazine - the only publication devoted to penetration testing.

Each week around 20 pages to be downloaded for free, and lot of free stuff on a website.

Articles, interviews, tutorials and a lot more.

Visit us at:

See for yourself that PenTest is worth subscribing to.

Best regards, -- Maciej Kozuszek PenTest Magazine Managing Editor Software Media Sp z o.o.
November 18, 2011 | Dave Nevin
We're currently reevaluating how we perform Malware forensics here and wanted to see what others were doing. Are you doing it in-house or outsourcing? 

If in-house, do you have dedicated staff for this, or is this tasked distributed? How do you keep people current—do you have a preferred vendor for training?

If you outsource, do you use a major vendor such as one of the big consulting firms, or do you prefer a local specialist? How has this worked for you? 

Or have you implemented a blended solution, where certain cases are handled in-house and others referred to a vendor? 

Thanks all, and happy Friday,


Dave Nevin, IT Manager
Technology Support Services/Information Services
Oregon State University
Corvallis, OR

February 18, 2014 | Thomas Carter

I would like to tighten our password policy for better security, and I’m trying to avoid some pushback, I’ve been asked to review our password policies with respect to our peers for additional ammunition against the pushback.


I’ve created a quick survey of student and faculty/staff password policies:


I would appreciate any feedback any of you provide. I will summarize the results on this list.


Thanks in advance,

Thomas Carter

Network and Operations Manager

Austin College



February 13, 2014 | Carlos S. Lobato



NIST has just released its first Framework for Improving Critical Infrastructure Cybersecurity v1.


The Framework takes a risk-based approach to managing cybersecurity risk, and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles.


The Framework Implementation Tiers section will give you a quick ruler to determine at a high level where you are and as you will see, it requires formality when it comes to policies, procedures and risk assessments.


In addition, all federal data privacy regulations (FERPA, HIPAA, GLBA, RFR, FISMA) including PCI now reference NIST...

February 11, 2014 | James Pardonek

I’m looking for some feedback on how other universities may have amended their data classification policies to include university generated audio and video content in the context of what types of content would cause a video to be classified as confidential or protected, or maybe just sensitive.  We are in the process of replacing our video repository and the question was brought to me.  Since Information Security owns most of the policy creation here, I’m struggling with how to word the thing.




James Pardonek, CISSP, CEH

Information Security Officer
Loyola University Chicago 
1032 W. Sheridan Road | Chicago, IL  60660

: (773) 508-6086


February 4, 2014 | Nick Lewis
Hi everyone, We have internally been discussing compliance recently. I'm working through the Higher Education Compliance Alliance resources to see what is already out there. The IT security and compliance program we are setting up is going to be proposed as an enterprise wide initiative, but only around IT security. I am trying to understand if anyone has their information security programs reporting into a formal Compliance Office/Officer? Or even a formal Compliance Office/Officer at their university? Thanks, Nick -- Nick Lewis Information Security Officer - Director, IT Security and Compliance ITS IT Security and Compliance Email: - Phone: 314-977-1786
January 19, 2014 | Listserv Anonymous User
Message from


I am grappling with security policy concerns with having honeypots on a campus network (DMZ). This is for research and a security class.  Do you allow these on your campus networks or require them on external provider/ISPs? If on campus, how did you deal with the policy issues?

December 9, 2013 | Listserv Anonymous User
Message from

<> Hello all, Some of you may know me from my previous life at Penn State. We started CampusGuard 5 years ago when we saw a need for a QSA/Information Security firm that understood higher ed. We are expanding our staff and are looking for some highly qualified security professionals interested in working with a team that focuses on higher education's security and compliance needs. Please pass this along to anyone that you think might be interested. Please respond to this email address. Craig A. Henninger CISSP, QSA Security Advisor CampusGuard (mobile) 814.571.1516
December 4, 2013 | Josh Drummond



We have opened a recruitment for an IT Application Security Engineer at University of California, Irvine.  This will replace a recently vacant position. 


A summary of the roles and responsibilities is noted below.  For full details, go to the HR recruitment page:


I'll be leading the recruitment activities and would be happy to answer any questions sent directly off-list.





November 11, 2013 | James Gramke
SECURITY Digest - 8 Nov 2013 to 10 Nov 2013 (#2013-197)

Hi All,


Does anybody log the URL’s which are visited from on campus?     If so, was the decision to do so met with resistance, or are there very tight policies around who can use the data?      Perhaps you do it for some groups (administration) and not for others (students, faculty?)   


I would like to do this, for example, to quickly see which users clicked on a link in a phishing email , or what site caused a dozen pcs to download the same malware, or even to block a particular site.


This appears to be a very controversial proposal here, and so I’m wondering if anybody has tried to go down this path.


Group Leaders

University of Florida
University of Maryland, Baltimore

Related to this Group...


View dates and locations

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.


EDUCAUSE Institute
Leadership/Management Programs
Explore More

Career Center

Leadership and Management Programs

EDUCAUSE Institute
Project Management



Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.


EDUCAUSE organizes its efforts around three IT Focus Areas



Join These Programs If Your Focus Is


Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.



2014 Strategic Priorities

  • Building the Profession
  • IT as a Game Changer
  • Foundations

Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.