
November 15, 2012 | Greg Schmalhofer

Educause security group,


Can anyone recommend a particular vulnerability scanner software, product, appliance, or service that you are using at your campus? This is a need at our campus and I am trying to review the different options available for a small campus. Thanks for any help, insight, or feedback you can provide.



Greg Schmalhofer


Millersville University

Information Security Coordinator

Millersville, PA

November 14, 2012 | Christopher Jones

We have experienced a number of targeted phishing attacks recently.  Because the most recent phish led its victims to provide their network credentials via a realistic looking OWA logon page, we took the following steps to deal with some resultant compromised accounts:


- immediately reset the passwords for the affected accounts,
- restarted the IIS service to stop any active webmail sessions,
- alerted the user community.



It got me to wondering how other institutions deal with similar situations where user accounts have been compromised.  If anyone...

November 13, 2012 | Nick Recchia
We have a couple of questions regarding PCI SAQ D version 2.0, requirement 8.5.

Requirement 8.5:
"Are proper user identification and authentication management controls in place for non-consumer users and administrators on all system components, as follows...." [1]
1) We had proposed to use Active Directory (AD) to manage requirement 8.5. Does anyone have experience to indicate that AD will not work for this implementation?

2) Is anyone managing local user accounts, instead of AD user accounts, within their PCI implementation?  

Thanks for your input.


[1] There are 16 sub-requirements (8.5.1 - 8.5.16) that I did not paste into this e-mail, but they may be found on

November 13, 2012 | Eric Weakland

I am the manager of the AU Staff who work in rooms 417 and 418.  I wanted to bring this to your attention directly.  Please let me know if you have questions or need more information.

Thank you,

Eric Weakland, CISSP, CISM, CRISC
Director, Information Security
Office of Information Technology
American University
eric at

AU IT will never ask for your password via e-mail.
Don't share your password with anyone!
----- Forwarded by Eric Weakland/eric/AmericanU on 11/13/2012 12:05 PM -----

From:        Homer Manila/homer/AmericanU
To:        Funda Topcuoglu/ftopcuog/AmericanU@AmericanU
Cc:        Eric Weakland/eric/AmericanU@AmericanU, Cathy Hubbs/hubbs/AmericanU@AmericanU, Isabelle Graham/graham/AmericanU
November 13, 2012 | Andrew Scott



I am looking at improving the integration of information security in IT processes (project development, maintenance, etc.). I am interested in what others have successfully done to improve the integration of security.




Andy Scott, CISSP

Information Security Officer, IT Services

British Columbia Institute of Technology

3700 Willingdon Ave, Burnaby, BC, V5G 3H2


Tel: 604-432-8683  Mobile: 778-928-2444

Email:  Web:


November 13, 2012 | Valerie M. Vogel
Last Call for Security Proposals

Today is the last day to submit a proposal for the 2013 Security Professionals Conference! The online submission form is available here:


Thank you,



Valerie Vogel Program Manager

Uncommon Thinking for the Common Good
direct: 202.331.5374 | main: 202.872.4200 |


Sent: Tuesday, October...

November 9, 2012 | Bryan McLaughlin
We are currently Postini users and are looking to move to a new product to battle incoming spam and viruses, encrypt sensitive data leaving the university, and provide outbound spam filtering. We have narrowed our search to Proofpoint, Barracuda, McAfee, and Axway. I am looking for input from other universities who are using one of these products to get real-world feedback.

Thanks,

Bryan McLaughlin
Information Security Officer
Creighton University
November 9, 2012 | Donald J. Schattle, II

Hello All,


Looking to see if anyone has any security/compliance feedback on a company called Vivature which is a division of OrchestrateHR (  






Donald J. Schattle II, CISM

Information Security Officer

GLB-Act Coordinator

Providence College



November 8, 2012 | Bruce Entwistle

Our current IPS is reaching EOS, so we would take this opportunity to look at alternatives to our existing Tipping Point unit.  I was looking to see what everyone else is using and how well it is working for them.


Thank you

Bruce Entwistle

University of Redlands


November 5, 2012 | William Kyle
We currently have two positions available here at Johns Hopkins University: one is entry level, requisition # 48873, and the other senior level, requisition # 54345.

Entry level:
Senior level:

Links are provided on the job description pages above to the Hopkins information on benefits, pay (these are "Administrative/Technical Professional Role" positions), policies, etc. Even though these are University positions we also have the responsibility for the Johns Hopkins Medical...
November 5, 2012 | Yvonne Poul

Dear all,


I would like to invite you to submit a paper to the 2013 Asian Conference on Availability, Reliability and Security (AsiaARES 2013) which will take place in Yogyakarta (Indonesia) 25th-29th March 2013 (


AsiaARES will be held as a Special Track Conference within ICT-EurAsia 2013 (, which is supported by ASEA-Uninet (ASEAN-European University Network), EPU (Eurasian Pacific University Network), IFIP (International Federation for Information Processing).


AsiaARES is a new conference that builds on the success of seven subsequent annual ARES conferences and specifically aims at a...

November 2, 2012 | Yvonne Poul

Dear all,


I would like to invite you to submit a paper to the Information Communication Technology-Eurasia Conference (ICT-EurAsia 2013) which will take place in Yogyakarta (Indonesia) 25th-29th March 2013.




The conference is supported by ASEA-Uninet (ASEAN-European University Network), EPU (Eurasian Pacific University Network), IFIP (International Federation for Information Processing).


ICT-Eurasia 2013 provides an international forum for researchers and practitioners to present their latest research findings and innovations. The conference is...

October 29, 2012 | Andrea Di Fabio
Please contact me for a free CompTIA Certified Digital Information Architect (CDIA+) voucher. See email below for further information. Please request a voucher, by emailing me offline, ONLY if you fall under the following target candidate description:

"The target participant is a records management and/or digital information solutions provider with 24 months of experience in business and workflow analysis, integration of content imaging systems with business applications, project management, and knowledge and design of secure scanning technology infrastructure and capture solutions."

Feel free to pass this along to qualified candidates. Vouchers are transferable; they are provided free of charge but cannot be sold or used for personal gain.

------------------

CompTIA is looking for digital information management professionals to participate in a beta exam of our revised CDIA+ (Certified Digital Information Architect) certification. Those who pass the exam will become CDIA+...
October 25, 2012 | Valerie M. Vogel
The U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) recently published a Data Breach Response Checklist that institutions of higher education may use to develop a comprehensive data breach response plan. The checklist is meant to be used as a general example illustrating some current industry best practices in data breach response and mitigation applicable to the education community.
Thank you,
Valerie Vogel Program Manager

Uncommon Thinking for the Common Good
direct: 202.331.5374 | main: 202.872.4200 | twitter: @HEISCouncil |...
October 23, 2012 | Quinn Shamblin

Hello All,


A few questions related to application vulnerability scanning and management:


- Do you have a program to ensure that applications are tested for vulnerabilities?
  - Is it embedded in the application QA or release process, or is scanning done once the app is in prod (or both)?
  - Who runs the tests? (Developers? QA? InfoSec personnel? Other?)
- What tool do you use for static code testing?
- What tool do you use for dynamic code testing?


October 17, 2012 | James Pardonek
We currently have several computers in our Health Sciences Information Commons area that require an ID and password for authentication.  We have discovered that this is a pain point for our helpdesk as we have doctors and clinical faculty that come over from our neighboring hospital to use the computers.  Although they all have credentials, the hospital does not require them to use them and many of them don't remember what they are or that their password expired several months (years) ago.
We are looking for a way to allow them to use a method similar to our guest wireless where we ask for a name and email address in order to connect.  We would like the workstation to boot up and present them with this type of screen prior to getting a desktop.
Is there anyone that is already doing this or even a commercial product that we can look at?
October 16, 2012 | Mary Baltes Dunker
Virginia Tech Information Technology is seeking a qualified individual for the Manager of Quality Assurance and Verification in Secure Enterprise Technology Initiatives.

Manager, Quality Assurance and Verification

The successful candidate will direct efforts to design and implement testing procedures for multiple enterprise software development projects involving middleware, authentication, directories, and PKI, in order to ensure successful and secure implementations. A strong understanding of testing methodologies including black and white box testing, unit testing, bounds testing, and experience in testing and troubleshooting enterprise applications is required. The candidate must have experience programming in languages such as Perl, SAS, SQL, in configuring and using digital certificates for multiple browsers, S/MIME, and SSL, and must be familiar with Web-based products, LDAP, and multiple operating systems (UNIX, Linux, Macintosh, Windows). Bachelor's degree in IT-related...
October 16, 2012 | Listserv Anonymous User

Colleagues, the University of Colorado Colorado Springs is looking for an IT Security Analyst.  UCCS is one of the fastest growing universities in the country with 9,850 students enrolled this fall and 15,000 to 17,000 expected by 2020.


Short description: To assist the IT Security Principal in the development, monitoring, and enforcement of security policy and baseline standards to ensure that the University of Colorado Colorado Springs maintains confidentiality, integrity, and availability of university systems.


Examples of Work Performed 
- Leverage various resources (NIDS, HIDS, netflow, SCCM, etc) to identify and remediate potential security issues 
- Assist in risk assessments, security incidents and investigations 
- Assist in...

October 14, 2012 | Chris Kidd
We have several departments that have entered into contracts with Health and Human Services and other federal agencies. The contracts require compliance with Part 352.239-70-73 ( The Contracting Officers from the federal government are now asking for the documentation associated with compliance. I'm hoping others have had the opportunity to respond to similar language. If so, could I bounce a few questions off of you privately? Or - even better - let me know if you are willing to share any documentation or checklists!

Regards,

Chris Kidd
Chief Information Security and Privacy Officer
University of Utah and University of Utah Health Sciences
650 Komas Suite 102
Salt Lake City, UT 84108
office 801.587.9241 cell 801.747.9028
October 11, 2012 | Listserv Anonymous User

Colleagues on the EDUCAUSE Security List,


This is a second announcement.  My apologies for reposting, but we’re looking for as many responses as we can get to the survey.  We’ll re-post this one or two more times before we close the survey.  I am hoping that you might take a few minutes to complete a survey about your experience in cyber security.  Below is the link to the survey and the official recruiting email:


You are being asked to participate in a survey research project entitled “Cyber Security Task Analysis” which is being conducted...

January 9, 2012 | Randy Marchany
VA Tech will be offering another in its series of SANS onsite classes at a substantial discount for EDU, State/Local Govt staff. Here are the details:

WHAT: SANS SEC 503 - Intrusion Detection in Depth, Instructor: Mike Poor
WHEN: 3/5-10/2012
WHERE: VA Tech, Blacksburg, VA 24060
COST: $999/person (class only) $1499 (class + GIAC (GCIA) cert exam) for EDU (higher-ed, K-12, community college), State/local govt, State/local LEO

If you have any questions, let me know.

Randy Marchany
VA Tech IT Security Office
Blacksburg, VA

January 3, 2012 | Listserv Anonymous User
We're about to review our liability coverage for cyber events and before we got started I wanted to see how involved any of you had been in this process at your institutions, and what you found. Please share your experience and findings.

Thank you,

--
David Scott
Freed-Hardeman University
731.989.6434
December 16, 2011 | Ronald King

We are evaluating options for AAA/TACACS+.  We have done some research and found open source options, but, they seem to be homegrown which doesn’t quite give us the “warm and fuzzy” feeling.  We have looked at RADIUS, but, so far, it seems there is limited accounting for network gear.  I wanted to ask other EDUs what they suggest for a TACACS+ solution.  Please email offline.


Thank you and Happy Holidays.


Ronald King

Security Engineer

Norfolk State University

Marie V. McDemmond Center for Applied Research

Suite 401

555 Park Ave.

Norfolk, Virginia  23504


December 14, 2011 | Martin Manjak
We're planning on enrolling in the InCommon certificate program next FY and staff here were wondering what vetting and management processes other schools who have been using the service may have put in place. Specifically, how do you vet requests for certs? What, if any, workflow management tools do you use to track the status of a request? Who has the authority to submit the CSR at your institution? Who is responsible for managing/renewing the certificate once issued? If you prefer, you can respond off list by replying to I'll summarize any responses I receive directly for the list.

--
Martin Manjak CISSP, GIAC GSEC-G
Information Security Officer
University at Albany
MSC 209
518/437-3813

The University at Albany will never ask you to reveal your password. Please ignore all such requests.
December 6, 2011 | Valerie M. Vogel
Today's IAM Online is about to begin (at 3 pm EST). Please join us if you are available and interested in hearing more about multifactor authentication in higher ed:

Thank you,
Valerie
_______________
Valerie M. Vogel
Program Manager, EDUCAUSE
office: (202) 331-5374
e-mail:
November 22, 2011 | Janice Moyer

I am looking to understand what applications/methods are being used by your organization to share Personally Identifiable Information (PII) with third parties? Secure email,  document management, secure ftp, etc?


Thank you,


Janice Moyer, CISSP, Sec+, CISM

Network Security Engineer

Information Technology Services

Metropolitan Community College

Desk 402-457-2925

Cell 402-429-0979


Do what it is that you do just a little bit better everyday in every way!


March 11, 2014 | Richard H. Lesniak

We would appreciate assistance in spreading the word on our search for an Information Security Officer at The State University of New York at Buffalo.  Details on the search can be viewed at:

Rick Lesniak
UBIT Policy and Communication
SUNY University at Buffalo

March 10, 2014 | Doug Pearson
March 10, 2014

To: IT Security Staff and Network and System Administrators
(A CIO version of this Alert is available at [6])

REN-ISAC ALERT: NTP-Based Distributed Denial of Service Attacks - Prevent your institution from being an unwitting partner in these attacks

The REN-ISAC [1] wants to raise awareness and drive change concerning common network time protocol (NTP) and network configurations that fall short of best practices and which, if left uncorrected, open the door for your institution to be exploited as an unwitting partner in delivering crippling distributed denial of service (DDoS) attacks against third parties. In a companion note to CIOs, the REN-ISAC recommends the following:

=== ACTIONS ===

1. Distribute a copy of this message to your network administrators, information security staff, system administrators, and other relevant personnel.

2. Identify hosts on your network with ntpd installed and running. Disable "monlist" capabilities on those NTP servers. Or, for...
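As an added illustration of what the alert is describing (this is not part of the REN-ISAC alert and not REN-ISAC tooling), the following Python builds the same NTP mode 7 MON_GETLIST_1 probe that abusers send, decodes a "monlist" reply, and works out the byte amplification, which is the number that makes an open ntpd attractive as a reflector. The packet layouts follow ntpd's ntp_request.h (struct resp_pkt and the 72-byte info_monitor_1 entries); the sample response is constructed inline, not captured from a real server, and the probe_host() helper, port and timeout are this example's own choices. Run probe_host() only against servers you are authorised to test.

```python
import socket
import struct

# NTP mode 7 (private) request: REQ_MON_GETLIST_1 against IMPL_XNTPD.
#   byte 0: R=0 M=0 VN=2 mode=7 -> 0x17      byte 1: auth=0, sequence 0
#   byte 2: implementation 3 (IMPL_XNTPD)   byte 3: request code 42 (MON_GETLIST_1)
#   bytes 4-7: err/nitems and mbz/itemsize, all zero
MONLIST_PROBE = b"\x17\x00\x03\x2a" + b"\x00" * 4

MON_ITEM_SIZE = 72   # sizeof(struct info_monitor_1) in ntpd's ntp_request.h
NTP_PORT = 123       # assumption: server listens on the standard NTP port


def parse_monlist_response(data: bytes) -> dict:
    """Decode one mode 7 response datagram (struct resp_pkt followed by
    info_monitor_1 items). Raises ValueError if it is not a mode 7 response."""
    if len(data) < 8:
        raise ValueError("short NTP packet")
    rm_vn_mode, _auth_seq, impl, reqcode, err_nitems, mbz_size = struct.unpack(
        "!BBBBHH", data[:8])
    if (rm_vn_mode & 0x07) != 7 or not (rm_vn_mode & 0x80):
        raise ValueError("not an NTP mode 7 response")
    result = {
        "more": bool(rm_vn_mode & 0x40),   # M bit: further datagrams follow
        "impl": impl,
        "reqcode": reqcode,
        "err": err_nitems >> 12,           # nonzero: refused or unsupported request
        "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_size & 0x0FFF,
        "entries": [],
    }
    if result["err"] != 0 or result["itemsize"] != MON_ITEM_SIZE:
        return result                      # error reply or unknown layout: no list
    body = data[8:]
    for i in range(result["nitems"]):
        item = body[i * MON_ITEM_SIZE:(i + 1) * MON_ITEM_SIZE]
        if len(item) < MON_ITEM_SIZE:
            break                          # truncated datagram; keep what parsed
        # info_monitor_1: avg_int, last_int, restr, count, addr, daddr, flags (u32),
        # port (u16), mode (u8), version (u8), v6_flag, unused1 (u32), then 2x in6_addr
        (_avg, _last, _restr, count, addr, daddr, _flags,
         port, mode, version, _v6, _unused) = struct.unpack("!IIIIIIIHBBII", item[:40])
        result["entries"].append({
            "addr": socket.inet_ntoa(struct.pack("!I", addr)),
            "daddr": socket.inet_ntoa(struct.pack("!I", daddr)),
            "count": count, "port": port, "mode": mode, "version": version,
        })
    return result


def amplification_factor(responses: list) -> float:
    """Bytes returned per byte sent: the figure an attacker selects reflectors by."""
    return sum(len(r) for r in responses) / len(MONLIST_PROBE)


def probe_host(host: str, timeout: float = 2.0) -> list:
    """Send the probe to a host you are authorised to test and collect every
    response datagram until the server stops. A server restricted with
    'noquery' simply never answers; one with 'disable monitor' returns no list."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(MONLIST_PROBE, (host, NTP_PORT))
    datagrams = []
    try:
        while True:
            data, _ = sock.recvfrom(1024)
            datagrams.append(data)
            if not parse_monlist_response(data)["more"]:
                break
    except (socket.timeout, ValueError):
        pass
    finally:
        sock.close()
    return datagrams


# --- constructed sample response (assumed layout; not captured from a real server) ---
def _monitor_item(addr: str, daddr: str, count: int) -> bytes:
    a = int.from_bytes(socket.inet_aton(addr), "big")
    d = int.from_bytes(socket.inet_aton(daddr), "big")
    return struct.pack("!IIIIIIIHBBII", 0, 0, 0, count, a, d, 0, 123, 3, 4, 0, 0) + b"\x00" * 32


SAMPLE_RESPONSE = (
    b"\x97\x00\x03\x2a"                      # R=1 M=0 VN=2 mode=7; seq 0; impl 3; code 42
    + struct.pack("!HH", 2, MON_ITEM_SIZE)   # err=0 nitems=2; mbz=0 itemsize=72
    + _monitor_item("192.0.2.10", "198.51.100.1", 4096)
    + _monitor_item("203.0.113.7", "198.51.100.1", 17)
)

if __name__ == "__main__":
    reply = parse_monlist_response(SAMPLE_RESPONSE)
    for e in reply["entries"]:
        print(f"{e['addr']:16} count={e['count']:6} mode={e['mode']} v{e['version']}")
    print("amplification x%.1f" % amplification_factor([SAMPLE_RESPONSE]))
```

A host that answers the probe with err=0 and a non-empty list is the one to fix. ntpd 4.2.7p26 and later no longer implement monlist; on older builds, `disable monitor` in ntp.conf removes the list and a `restrict default kod nomodify notrap nopeer noquery` line refuses mode 6/7 queries from arbitrary sources. A real reply to a server with a full monitor table is spread over many datagrams of six entries each, so the two-entry sample above understates the amplification a live host produces.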
February 27, 2014 | Tracy Mitrano
Not a word from the NACAU list, folks, just thought I would report … and usually responses, when they come, come quickly ….

Cheers, Tracy

January 9, 2014 | Larry Carson

We are currently undertaking a major initiative to enhance our existing information security standards which will enable us to further align them with ISO 27005 and integrate additional security requirements which we feel reflect the current and foreseeable security risk landscape for the University and the higher education sector in general.


To facilitate a risk-based approach and ensure reasonable controls are required in the UBC standards, we have created a data classification scheme which comprises confidential, sensitive and public categories. Our legally protected personal information currently all falls under the confidential category, along with the PCI regulated data.  This category has the highest level of control requirements, which corresponds well to the Internet2 & HEISC Information Security Guide. 


One of the key challenges we are facing is ensuring that 'reasonable...

January 6, 2014 | Valerie M. Vogel
We are currently selecting program committee members for the 2015 Security Professionals Conference. If you would like to be a part of continuing the tradition of the Security Professionals Conference organized by EDUCAUSE, Internet2, and the REN-ISAC, then I would encourage you to volunteer for the Program Committee. Please visit the EDUCAUSE Volunteer Opportunities website and click on the Volunteer Now button. Be sure to select “Security Professionals Conference Program Committee” and include a note about why you are interested in participating.

We will establish a program committee comprised of security and privacy professionals (of all ranks and titles) from a diverse range of institutions. The 2015 program committee will hold its first meeting during Security 2014 in St. Louis, MO, on Thursday, May 8. Thereafter, the program committee will meet via monthly conference calls starting in June.

Please volunteer or submit your nominations to Valerie Vogel (
December 20, 2013 | Nick Recchia

I am interested to learn of other schools who have implemented SANS VLE with Canvas LMS.
Feel free to contact me offline.

Thanks in advance,

Nicholas Recchia, Ed.D.
Security Administrator
ITS - Security Services
December 20, 2013 | Brian Helman
I've noticed an uptick in the scanning of our network for http services over the last week.  These scans have been extremely basic -- sequentially looking for http only.  They are different in that, once they find a web server, they don't do anything other than move on to the next IP (unlike the usual php/cgi scans).

Anyone else noticing similar behavior?  The sheer number of them is making me wonder if there's a new tool out that is harvesting this information for later attempts at exploitation.

BTW, if your holiday has already past, I hope it was a good one.  If it's yet to come, I hope it is without stress.  And everyone have a happy new year!
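As an added, constructed illustration of one way to pick the pattern Brian describes out of flow or firewall logs (this is not his code or any product's), the Python below flags a source that walks destination addresses in sequence touching only port 80. The log format, the sample lines and the thresholds are assumptions made for this example; the sample includes a crawler that hits several unrelated web servers and a host that talks to one server on 80 and 443, neither of which should be flagged.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample lines in an assumed "src=... dst=..." firewall style (not a real device).
SAMPLE_LOG = """\
2013-12-18T03:14:01Z ACCEPT src=198.51.100.23:51912 dst=192.0.2.1:80 proto=tcp bytes=60
2013-12-18T03:14:01Z ACCEPT src=198.51.100.23:51913 dst=192.0.2.2:80 proto=tcp bytes=60
2013-12-18T03:14:02Z ACCEPT src=198.51.100.23:51914 dst=192.0.2.3:80 proto=tcp bytes=60
2013-12-18T03:14:02Z ACCEPT src=198.51.100.23:51915 dst=192.0.2.4:80 proto=tcp bytes=60
2013-12-18T03:14:03Z ACCEPT src=198.51.100.23:51916 dst=192.0.2.5:80 proto=tcp bytes=60
2013-12-18T03:14:03Z ACCEPT src=198.51.100.23:51917 dst=192.0.2.6:80 proto=tcp bytes=60
2013-12-18T03:14:05Z ACCEPT src=203.0.113.9:40001 dst=192.0.2.40:80 proto=tcp bytes=4120
2013-12-18T03:14:06Z ACCEPT src=203.0.113.9:40002 dst=192.0.2.40:80 proto=tcp bytes=3980
2013-12-18T03:14:06Z ACCEPT src=203.0.113.9:40003 dst=192.0.2.40:443 proto=tcp bytes=5100
2013-12-18T03:14:07Z ACCEPT src=203.0.113.50:33001 dst=192.0.2.200:80 proto=tcp bytes=9000
2013-12-18T03:14:07Z ACCEPT src=203.0.113.50:33002 dst=192.0.2.10:80 proto=tcp bytes=7100
2013-12-18T03:14:08Z ACCEPT src=203.0.113.50:33003 dst=192.0.2.77:80 proto=tcp bytes=8800
2013-12-18T03:14:08Z ACCEPT src=203.0.113.50:33004 dst=192.0.2.130:80 proto=tcp bytes=6400
2013-12-18T03:14:09Z ACCEPT src=203.0.113.50:33005 dst=192.0.2.5:80 proto=tcp bytes=7700
2013-12-18T03:14:09Z ACCEPT src=192.0.2.77:55100 dst=192.0.2.1:22 proto=tcp bytes=2200
this line is garbage and must be skipped
"""

LINE_RE = re.compile(r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_flows(text: str):
    """Yield (src, dst, dport) for each line that matches; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def longest_sequential_run(addrs) -> int:
    """Length of the longest run of consecutive IPv4 addresses among the given ones."""
    ints = sorted({int(ip_address(a)) for a in addrs})
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_http_sweeps(text: str, min_hosts: int = 5, min_run: int = 4) -> list:
    """Flag sources that reach many distinct destinations, only ever on port 80,
    and walk at least min_run of them in address order. Thresholds are assumptions;
    tune them to your address space and normal crawler traffic."""
    dsts = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, dport in parse_flows(text):
        dsts[src].add(dst)
        ports[src].add(dport)
    findings = []
    for src, targets in dsts.items():
        run = longest_sequential_run(targets)
        if ports[src] == {80} and len(targets) >= min_hosts and run >= min_run:
            findings.append({"src": src, "hosts": len(targets), "longest_run": run})
    return sorted(findings, key=lambda f: -f["hosts"])


if __name__ == "__main__":
    for f in find_http_sweeps(SAMPLE_LOG):
        print(f"{f['src']}: {f['hosts']} hosts, longest sequential run {f['longest_run']}")
```

The port restriction is what separates this from the usual php/cgi scanners, which follow the first hit with further requests on the same host; a sweep that merely catalogues listeners never comes back. Keep the flagged sources: if a second wave of exploitation attempts follows, correlating it against the earlier inventory sweep tells you what the harvester was for.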


December 17, 2013 | Kim Cary
PSoft is web based. HTTPS access is allowed from anywhere.



Kim Cary
Chief Information Security Officer
Pepperdine University

Please process all unexpected email requests according to the skills at - if suspicious, delete; if it seems real or you can't decide, contact the purported sender via published phone number, web or email address.

December 17, 2013 | Listserv Anonymous User

Has anyone out there become 3.0 compliant?  Would you mind sharing how you got there?





November 12, 2013 | Doug Pearson
Dear EDUCAUSE security@,

By now you're likely aware of the Adobe password database breach and how it potentially affects institutional security and the security of many individual users. We're providing the following Alert and User Alert Template for your institutional use. Feel free to modify and use. Feedback is welcome. Thanks to the REN-ISAC staff, Technical Advisory Group and members of the HEISC Security Leads for helping to develop the Alert.

Regards,

Doug Pearson
Technical Director, REN-ISAC
24x7 Watch Desk +1(317)278-6630

-----

November 12, 2013

To: IT Executives and Security Staff

REN-ISAC ALERT: Threat to institutional computer accounts by the Adobe breach

BACKGROUND: In October 2013, Adobe suffered a data breach. Their database of 38 million usernames and passwords was stolen and subsequently posted online [1]. The passwords were encrypted, but the...
November 12, 2013 | Jason Rinne

Anyone using a software restriction policy found a way to allow GoTo Meeting?


Jason Rinne

Systems Administrator

500 E. College Street – Marshall, MO. 65340

P 660.831.4088

This document may contain confidential information and is intended solely for the use of the addressee. If you received it in error, please contact the sender at once and destroy the document. The document may contain information subject to restrictions of the Family Educational Rights and Privacy and the Gramm-Leach-Bliley Acts. Such information may not be disclosed or used in any fashion outside the scope of the service for which you are receiving the information.

November 6, 2013 | Omen Wild
Any thoughts on the FireEye devices? We have a chance to test one, but it would require some network ... rework ... to test optimally. Assuming they're awesome, does anyone have a business case they used to pitch it to management? I could use a head start.

Thanks
--
Omen Wild
Security Administrator
(530) 752-1700
November 5, 2013 | Dan Han
Good afternoon,

If your institution is using Google Apps, Office 365, or any other cloud based collaboration tools, how are the sharing options configured for these tools? Particularly, does your institution allow documents and files to be shared with the public without authentication? (e.g. Making a file publicly available or allow access to anyone with a link) 

If so, and feel free to ignore this part of the question, have you seen any sensitive information posted publicly, and how are you handling these potential incidents? Thank you.  

Dan Han
Virginia Commonwealth University


October 31, 2013 | Valerie M. Vogel
Greetings,

The EDUCAUSE Security Professionals Conference will be held in St. Louis, MO, and online, May 6-8, 2014. The closing keynote speaker will be Charlie Miller (Security Engineer, Twitter).

On behalf of the program committee, I invite you to submit a proposal to present on an information security, privacy, or IAM topic that would be of interest to this audience of higher education CISOs, CIOs, CPOs, and other security practitioners. You have two more weeks (until November 14) to submit your proposal. Providing a content-rich session as an individual or a team is a wonderful way to learn from each other as we share experiences, ideas, and information. Submit a proposal to share future directions, best practices, stories on successful collaborations, or solutions to community-wide issues of interest for this audience.

Please let me know if you have any questions or would like to discuss this opportunity with me.

Thank you,
Valerie

Valerie Vogel
Program Manager...
