The Top 3 Strategic Information Security Issues

Joanna Lyn Grama is IT GRC and Cybersecurity Program Director, EDUCAUSE. Valerie Vogel is Program Manager, EDUCAUSE.

Visit the EDUCAUSE top 10 IT issues web page for additional resources, including a video summary, interactive graphics, recommended readings, and more. 

The EDUCAUSE Top 10 IT Issues list presents a yearly look at the issues facing higher education institutions. This year, the EDUCAUSE IT Issues Panel invited the Higher Education Information Security Council (HEISC) to identify the top strategic issues facing campus information security departments. By responding to a brief survey, members of the higher education information security community—including Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), IT directors and managers, and IT staff members—identified and selected their top three issues:

1. Developing an effective information security strategy that responds to institutional organization and culture and that elevates information security concerns to institutional leadership
2. Ensuring that members of the institutional community (students, faculty, and staff) receive information security education and training
3. Developing security policies for mobile, cloud, and digital resources (including issues of data handling/protection, access control, and end-user awareness)

Underpinning these strategic issues is the notion of addressing institutional risks and employing enterprise risk management practices. "All of the issues identified on an institution's list should be there based on an institutional risk assessment," said Melissa Woo, the CIO and Vice Provost for Information Services at the University of Oregon and a HEISC co-chair. Mature information security programs in higher education have a strong history of using well-established risk management concepts, which help an institution identify the unique information security risks that it faces. Woo added: "Not every institution will address the identified risks in the same way—you have to respond to them in a way that makes sense for the institution's organization and culture."

Developing an effective information security strategy was the top issue identified by the information security community. Developing such a strategy is the first step in establishing information security as an institutional strategic partner rather than an operational concern. An information security strategic plan is a high-level set of priorities for achieving information security goals and objectives. It is more than a recitation of the types of technologies to implement in order to help keep institutional data and resources secure; in addition, it is a forward-looking document that relates information security goals and objectives to the overall institutional mission. An information security strategic plan must be flexible in response to emerging information security issues and changing regulatory environments. It also should contain short-term and long-term objectives, performance targets, and metrics. The information security strategic plan is the vehicle that helps elevate important information security concerns to leadership.

Ensuring that members of the institutional community receive information security education and training was the second issue identified by the information security community. Members of the institutional community use information technology systems and the data in those systems daily. Making sure that students, faculty, and staff have adequate training on how to use and protect the data entrusted to and generated by the institution is of critical importance. From 2005 to 2013, unintentional human error (e.g., posting sensitive information on a website or otherwise mishandling data) and insider threats (e.g., an intentional breach of information by someone with legitimate access) accounted for 33 percent of data breaches in higher education, as compiled from a data set drawn from data breach information reported by the Privacy Rights Clearinghouse.¹ "Our community has noted the importance of a strategy to promote and expand information security awareness and education. Information security is everyone's responsibility," said Peter Murray, the CIO and Vice President for Information Technology at the University of Maryland, Baltimore. "We know that risks are reduced when information security becomes an integral part of an institution's culture."

Finally, the information security community identified developing security policies for mobile, cloud, and digital resources as the third information security strategic issue for 2015. This issue is also represented on the 2015 EDUCAUSE Top 10 IT Issues list (#8), highlighting that the information security community and the larger IT community both recognize the importance of security policies that protect institutional data no matter where it is stored or how it is accessed. The proliferation of cloud services and mobile devices is forcing institutions to move beyond frameworks that rely on specific technologies and to instead focus on data governance and data management issues that are technology-agnostic. The move to the cloud and users' mobile access to cloud resources also force institutions to rethink already established institutional policies. "Incident response policies are also impacted by the move to mobile access and cloud services," said Elias Eldayrie, the Vice President and CIO at the University of Florida and a HEISC Co-Chair. "We have to quickly learn about incidents that affect third-party service providers, and we need to be able to rely on vendors to implement or recommend fixes so that we can protect institutional data."

EDUCAUSE has a number of resources that colleges and universities can consult for their information security activities, including resources on developing strategies, promoting training and awareness, and developing policies and procedures. The HEISC Information Security Guide: Effective Practices and Solutions for Higher Education is the only resource developed by higher education information security practitioners for higher education information security practitioners. The guide features toolkits, case studies, best practices, and recommendations to help jump-start campus information security initiatives. Another resource is the annual EDUCAUSE Security Professionals Conference, which will be held in Minneapolis in May 2015. The conference showcases information security thought leadership and offers numerous professional development activities for information security professionals at all career levels. We hope these resources will be useful in helping campus information security departments successfully address the top three strategic information security issues.

1. See Figure 6, Types of Data Breaches in Higher Education, 2005–2013, in Joanna L. Grama, "Just in Time Research: Data Breaches in Higher Education," EDUCAUSE Center for Analysis and Research (ECAR) research report, May 20, 2014.