About the Guide

Welcome to the HEISC Information Security Guide!

Wish you didn't have to reinvent the wheel every time you start a new project, policy, or function? Looking for a guide that will provide you with a variety of information and resources relevant to higher education information security programs? You're in the right place!

The Information Security Guide is mapped to several popular standards, including ISO/IEC 27002:2013, NIST, HIPAA, COBIT, PCI DSS, and the federal Cybersecurity Framework. There are currently 17 chapters on information security, privacy, identity and access management, governance, risk, and compliance.

What makes the guide so unique is that resources and content included in the chapters are provided by higher education information security and privacy professionals. You'll find hot topics, toolkits, case studies, best practices, and recommendations for 'getting started' that will help you jumpstart key information security and privacy initiatives or programs at your institution!

Executive Overview of the Guide

Campus leaders are grappling with how to effectively manage and understand challenges and issues associated with information security and privacy. They also have an interest in knowing how other campuses are handling information security and privacy risks and challenges. It's absolutely critical to gain executive support in order to achieve information security and privacy goals and objectives. By using this guide in the development, implementation, and ongoing maintenance of information security and privacy programs, campus information security, privacy, and IT professionals can provide assurances that their campuses are using effective practices that are relevant to higher education and adopted by their peers.

Organization of the Guide

The Home page is your starting point to explore the wealth of content contained in the guide. To your left, you'll find links to toolkits, hot topics, and guide chapters on high-level topics of interest.

Every topic page (chapter) includes:

  • A Table of Contents which links to key parts of the page
  • A Getting Started section that provides recommendations on how to apply the guidance included in each chapter
  • An Overview which describes the general intent of each chapter's topic
  • Subtopics with objectives, descriptions and/or implementation suggestions, as well as links to articles, presentations, and institutional case studies or examples
  • A comprehensive list of Resources referencing other materials relevant to the topic
  • Mappings to popular information security standards 

The navigation pane on the left side of every page includes direct links to important resources:

  • Home – News and links to key publications and resources
  • About the Guide – The page you are reading now, which provides an overview of the guide
  • Toolkits – A list of resources specifically developed or collected by HEISC volunteers (most are also available from their relevant topic pages; this list collects them all in one place)
  • Hot Topics – A list of resources related to topics currently receiving increased attention (most are developed by HEISC volunteers)
  • Contribute a Case Study – Provides a submission form and instructions for contributing new case studies, as well as a complete list of case studies included in the guide (case studies are also linked from their relevant topic pages; this list collects them all in one place)
  • 17 links connect to topical pages, including new chapters on Privacy and Career and Workforce Development
  • Glossary – Provides links to information security terminology and definitions maintained by other organizations

Providing Feedback and Suggestions

The Information Security Guide is a living document, constantly being updated and improved. Resources are continuously added or updated through the work of various information security and privacy professionals volunteering in working groups of the Higher Education Information Security Council (HEISC). Our volunteers cannot fully cover all relevant topics for all information security and privacy professionals on all of the EDUCAUSE and Internet2 member campuses. That is why we ask that you share your expertise by providing feedback; we depend upon the feedback of our readers to keep the guide updated, relevant, and timely.

You can provide feedback by clicking on the "Contact Us" link near the bottom of each page or by sending e-mail to [email protected].

Description of Case Studies

Case studies are descriptions of real-world, practical, proven solutions to information security challenges implemented by one or more institutions. The intent of these case studies is to provide ideas for approaches which may be adopted or adapted to another institution's particular situation.

A case study is written up by filling in a relatively simple form and is then submitted to the Higher Education Information Security Council (HEISC). Once received, it is typically reviewed by one or more of the HEISC working groups. This vetting process gives the institution submitting the case study an opportunity to answer questions or add content that enhances its value.

Instructions for submitting a case study, as well as a complete list of case studies currently available throughout the guide, are available on the Case Study Submissions page.

Submitting a case study not only documents a successful institutional approach to information security and provides useful guidance to other institutions, it also gives the author(s) the opportunity to publish.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).