The Virginia Alliance for Secure Computing and Networking (VA SCAN) is a voluntary consortium of security practitioners from the Commonwealth of Virginia's higher education institutions. VA SCAN exists for the purpose of strengthening information technology (IT) security programs within the commonwealth.
The founding institutions (George Mason University, University of Virginia, Virginia Tech, and James Madison University) received a 2003 Governor’s Technology Award, just a few months after the launch of the alliance. In 2005, EDUCAUSE, a national consortium of higher education institutions that promotes the intelligent use of IT, recognized the alliance for its value as a resource-sharing and collaboration hub.
Since VA SCAN was established, it has grown to include representatives from other institutions such as the College of William and Mary, Radford University, the University at Mary Washington, Virginia Commonwealth University, and the Virginia Institute of Marine Science.
Twelve years later, many higher education security practitioners still rely on VA SCAN as a go-to resource for general security discussions, periodic information-sharing meetings and workshops, and an annual conference open to all.
VA SCAN Annual Conference
Each fall, the VA SCAN conference is hosted at a local college or university campus. An annual theme is selected, along with a keynote speaker. Additional professional development and training options are usually offered in conjunction with the two-day event.
The VA SCAN conference typically includes attendees from Virginia institutions of higher education and colleagues from other Virginia State agencies. This year, several people attended from out-of-state higher education institutions and organizations.
The 2015 Conference — themed "They Will Get In. What Are We Doing About It?" [http://www.virginia.edu/vascan2015/] — was hosted by the University of Virginia in Charlottesville. Despite heavy rain and some flooding, 245 people from as far away as Arizona, Oklahoma, and Pennsylvania took advantage of two full days of conference activities. Commonwealth colleagues from the Virginia Departments of Alcoholic Beverage Control, Corrections, Labor and Industry, Transportation, Social Services, Historic Resources, and the Auditor of Public Accounts attended and benefited from the sessions and networking opportunities. Conference sessions included "this worked vs. this did NOT work" presentations, "how will this work at my institution?" discussions with 22 leading security vendors, and "what's grinding your gears?" side conversations during the breaks with colleagues.
In addition, VA SCAN organizers continue to partner with the SANS Institute to provide an advanced security course on the second day of the conference. Participants of the Incident Response Management MGT535 (one-day version) course, led by SANS instructor and Virginia Tech Information Security Officer Randy Marchany, included 70 face-to-face participants and several remote attendees.
The VA SCAN conference provides a chance for regional attendees to access discounted professional development opportunities while also fulfilling a rarely used but significant in-person networking opportunity on an annual basis. Some attendees maintain their membership and security certifications with professional development organizations, such as ISACA, by submitting hours for credit under the Continuing Professional Education (CPE) category of "Non-ISACA professional education activities and meetings." Still others get as many as six CPEs for simply attending the one-day SANS training. Local or regional events like VA SCAN allow higher education security practitioners to maintain certifications that are essential to their profession.
Recognizing Leaders in the Security Community
This year also marked the first award ceremony at the VA SCAN conference when the first annual "Shirley C. Payne IT Security Advancement Award" was given in recognition of outstanding service and dedication to the VA SCAN community. The award was presented to three of VA SCAN's founding members: Darlene Quackenbush (planning and information security officer, James Madison University), Wayne Donald (IT security officer, Virginia Tech, retired 2010), and Shirley Payne (assistant vice president for Information Security, Policy, and Records, University of Virginia, retired 2014). These three community leaders created the alliance in 2002 and launched it across the Commonwealth of Virginia in March 2003. They worked tirelessly to develop it, and for 12 years now, we have all received the benefits.
Thanks to their leadership, Quackenbush, Donald, and Payne brought together information security practitioners and researchers to build a guide for new higher education information security programs in the Commonwealth of Virginia with the following principles:
- We will teach and guide clients to develop and maintain strong security programs; we will not develop and maintain programs for them.
- We will base alliance offerings on state and federal standards, and those offerings will support the objectives of federal and state information sharing.
- Our offerings will reflect the business need to balance security risks and other organizational priorities.
- Our offerings will promote the notion that security is not just a technical issue. It is a concern that should be transfused into everything an organization does.
- Research will be used to keep offerings on the cutting edge.
- Cooperation will transcend competition.
All in all this is an excellent example of a community trying to build an up-and-coming generation of well-networked and well-educated information security professionals.
Jenny Patterson is the policy, awareness, and training coordinator in the Information Security Office at her alma mater, Longwood University. She transitioned from a technology coordinator role in Student Affairs to Information Security in March 2010. Three years later she was GSEC certified through GIAC, and in October 2013 she joined the HEISC Awareness and Training Working Group.
© 2015 Jenny Patterson. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.