Security Program Development

Table of Contents

Getting Started

Information security or IT staff responsible for developing and maintaining an effective information security program can take advantage of information and resources in the HEISC Information Security Guide that can assist with key information security initiatives. Following are some additional recommendations:

  1. Adopt a standardized (best practices) approach to developing your information security program. A wealth of guidance is provided in the below standards and frameworks:

    1. NIST Cybersecurity Framework

    2. NIST Special Publication 800-53 Revision 4

    3. ISO/IEC 27001:2013

    4. ISO/IEC 27002:2013

    5. COBIT 5

    6. 20 Critical Security Controls
  2. Incorporate compliance requirements that may apply to your institution:

    1. FERPA (Family Educational Rights and Privacy Act)

    2. GLBA (Gramm-Leach-Bliley Act) Safeguards Rule

    3. HIPAA (Health Insurance Portability and Accountability Act)

    4. PCI-DSS (Payment Card Industry Data Security Standard)

    5. Additional resources include the Higher Education Compliance Alliance's Compliance Matrix and an article describing New Mexico State University's IT Compliance Framework for Higher Education.

  3. Review the following HEISC resources for additional recommendations:

    1. Toolkit for New CISOs

    2. Mentoring Toolkit

    3. Mobile Internet Device Security Guidelines

    4. Developing Your Campus Information Security Website

    5. Top Information Security Concerns for Campus Executives & Data Stewards

    6. Top Information Security Concerns for HR Leaders & Process Participants

    7. Top Information Security Concerns for Researchers

    8. Many more resource are available under Hot Topics and Toolkits!

  4. Identify the roles and responsibilities of staff with direct responsibility for information security. Use the standards and frameworks below as references. 

    1. National Cybersecurity Workforce Framework
    2. National Initiative for Cybersecurity Careers and Initiatives (NICCS) Workforce Planning
  5. Use the Information Security Program Assessment Tool to help you determine the maturity level of your institution’s information security program. Identify opportunities for improvements and potential collaborations with key stakeholders.
  6. Review the results of prior risk assessments and IT controls audits to help identify and prioritize areas that need the most attention.

  7. Develop an information security plan that addresses:

    1. Gaps in coverage (information security controls, policies, and/or program initiatives that need to be developed)

    2. Compliance requirements

    3. How your information security program’s initiatives align with IT and Institutional goals and objectives

  8. Engage with other higher education information security professionals at the annual EDUCAUSE Security Professionals Conference

  9. Join the EDUCAUSE Security Discussion List

  10. Consider whether your institution may benefit from becoming a member of Research and Education Networking - Information Sharing and Analysis Center (REN-ISAC)


Top of page


Security Program Development can be thought of as having an emphasis on establishing information security related roles and responsibilities throughout an institution of higher education. Two major areas are addressed in this section:

  1.  Developing an effective Information Security Organization
  2.  Mobile Computing and Teleworking standards (and the "BYOD challenge")

Establishing an effective internal Information Security Organization can be further sub-divided into multiple topics of interest:

Mobile Computing and Teleworking relates to the risks of working with mobile devices in unprotected environments.

Top of page

Internal Organization

Objective: Institutions of higher education need to establish a mechanism to manage information security across the entire enterprise and gain the support of institutional leadership to assist in providing overall direction.

Implementing a Security Strategy

Key Question: Do we have a regularly updated information security strategy that supports the mission and strategic objectives of our institution? 

An effective information security strategy for a higher education institution must take into account the overall strategic objectives of the institutions and varied campus groups, including academic (research included), administrative (or business), clinical, and residential environments. Even when focusing on critical processes and legal mandates, it is necessary to extend protective measures beyond the underlying IT systems and associated administrative staff. For example, many faculty members have access to student records, and this access must be considered when assessing the security risks associated with these data. A failure to provide faculty with securely configured workstations increases the risk of sensitive data being exposed via their computers. This risk can also be reduced by implementing a middleware solution to properly control which records each faculty member can access and to minimize the amount of sensitive data stored on their computers. Also, to be effective, security practices cannot rely completely on technological solutions. Continuing the example, policies are required to clearly define faculty members' responsibilities relating to student data and the security of their workstations. Also, awareness programs aimed specifically at faculty members and their responsibilities to safeguard student information might be developed, possibly in conjunction with the institution's student information steward (e.g., at many institutions this is the Registrar).

To complicate matters, the operational needs of college and university networks often directly conflict with security practices such as perimeter firewalls, port authentication, centralized configuration management, and strong authentication. Higher education networks must therefore be designed to balance security and privacy requirements while accommodating a wide variety of end users and their needs – e.g., visitors, new students arriving with computers, researchers sharing large quantities of data with members of other academic institutions, remote access to a variety of network services for individuals who are traveling or telecommuting, and mobile users moving between classrooms, libraries, and indoor and outdoor study spots on campus. Although firewalls are becoming widely used to protect critical systems on university networks, their use at the perimeter is less common because it is difficult to reconcile their restrictiveness with the need for an open networking environment that supports research, learning, and high-speed networking. Although centralized management is feasible for certain hosts on a university network, this approach is not suitable for most student computers and many faculty, research, and clinical systems. In the end, security and privacy practices need to be integrated into operational practices in a way that makes the most sense for each campus.

This is not to say that higher education institutions cannot be secured; many colleges and universities are successfully balancing the need for security and an open, collaborative networking environment. Throughout this Information Security Guide readers will find general advice, as well as specific institutional examples, of successful approaches to managing information security within higher education.

Here's a reference to one approach to strategic planning, "The Shifting Landscape Strategic Security Model" (presented at the 2010 Security Professionals Conference, which might prove to be a useful aid).

Top of page

Information Security Governance

Key Question: Have we established governance structures and groups that foster awareness and shared ownership of information security issues and objectives?

Effective institutional governance of the information security function is critical to a successful program. It can be both the "proof of the pudding..." with regard to management commitment and provide necessary guidance when deciding where to allocate scarce resources. This well researched section draws from experts in the field and provides useful background and advice which can be adapted to a wide variety of campus cultures. The topical outline shown below reflects the broad array of subjects covered in this very deep Information Security Governance article. Additional resources are available on the EDUCAUSE IT Governance, Risk, and Compliance website or in the U.S. Department of Education's Privacy Technical Assistance Center (PTAC) Toolkit.

 Building ISO 27001 Certified Information Security Programs (University of Tampa, 2017)

This case study describes a decision and process used by the University of Tampa to go beyond compliance with ISO 27002 (essentially the controls portion of the ISO standard) and become certified under 27001 (ISO/IEC 27001:2013 Information technology -- Security techniques -- Specification for an Information Security Management System) which required complete commitment from top management.

Some additional resources and examples of higher education information security governance:

  1. Information Security Council Charter (University at Albany - SUNY)
  2. Information Security Advisory Council Charge (Appalachian State University)
  3. Initiating Security Initiatives Through System-Wide IT Governance (University of Alaska, 2011 presentation)

Top of page

Managing the Information Security Program

Here are several useful references that provide insight into the process of managing information security within the higher education community. There are no magic bullets provided but each reference does develop some ideas that may prove useful.

Gaining the Confidence of Others

While information security offices generally have the authority to help establish policies and standards, transitioning these policies and standards into actual practice often involves extensive communication, relationship management, and development of influence. The resources below can also help provide some outside perspective.

Getting Along with Less

Another common issue faced by campus information security offices is limited resources (in terms of funding, personnel, or both).

Top of page

Information Security Program Self-Assessment Tool

The Information Security Program Self-Assessment Tool allows colleges and universities to evaluate the maturity of their campus security programs. This tool is intended for use by an institution as a whole, although a unit within an institution may also use it to help determine the maturity of its individual information security program. Unless otherwise noted, it should be completed by chief information officer, chief information security officer or equivalent, or a designee.

Top of page

Information Security Roles and Responsibilities 

Key Question: Have we established well-defined roles and responsibilities at all levels of our institution to help support and address our information security strategy and objectives?

Information security is the responsibility of everyone at the institution. It is important to establish roles and responsibilities for campus staff, faculty, and students so that everyone knows what is expected of them when handling information. Leadership is also very important, and many institutions have at least one person who is primarily responsible for organizing the information security program. Typically this is a Chief Information Security Officer (CISO), Information Security Officer (ISO), Director of Information Security, although the title may vary depending on the campus. No matter what title is selected, there should be someone at the institution who can provide a high level of decision-making support to campus leadership when considering information security issues and solutions. Read more in the EDUCAUSE Review article, Evolution and Ascent of the CISO

It is also important to establish data ownership and data handling roles (e.g., data owners, stewards, custodians, and users). Many institutions formally identify and document these roles within their information security policies and data management frameworks.

Top of page

Segregation of Duties

Key Question: Have we reviewed areas where procedures and tasks for critical data and systems can be segmented between multiple individuals and/or roles to lower the risk of insider threats?

Segregation of duties is the concept of having more than one person required to complete a task. This is a best practice, especially in cases where sensitive data is being handled. Segregation of duties is a control put in place by many institutions to mitigate the risk of an insider threat or accidental employee mistakes. Sometimes this isn't practical or possible, but the institution should be aware of the risks of a single person having too much access.

Ideally, critical processes or activities should be split up between multiple people. For example the initiation of a process, its execution, and authorization should be separated when possible.

When this is not possible, monitoring and auditing critical processes is very important.

Top of page

Contact with Authorities

Key Question: Have we identified and established a relationship and contacts with relevant agencies including law enforcement partners who may be called upon during emergencies?

Relationships with law enforcement are important to an institution, and should be established prior to an emergency. Having a protocol for engagement established before there is an emergency will help in handling an incident appropriately.

A protocol for engagement with law enforcement can be a part of the security incident response plan or a broader crisis management procedure for the campus. The plan should be clear about which situations require working with law enforcement, such as when laws are broken. The plan should also clearly state who contacts authorities and under what circumstances (e.g., when law enforcement should be contacted by the information security office or campus safety).

Law Enforcement Resources and Contacts

Note: It is also important to establish relationships with key campus partners prior to an emergency - e.g., internal audit, human resources, and legal counsel.

Top of page

Contact with Special Interest Groups

Key Question: Have we engaged with groups within our community of practice to share and receive ideas and information?

There are many groups that support Information Security that an institution can collaborate and participate in. The information security threat landscape is ever changing and security professionals can benefit from collaborating together. Being connected to special interest groups allows for knowledge transfer and best practice development. Warnings about potential threats can also help security operations prepare and respond appropriately. Some organizations include:

Top of page

Information Security in Project Management

Key Question: Do we have a formal IT project management discipline and does it include integration with relevant information security roles for risk assessment?

Information Security should be a part of the project management lifecycle in any institution.  From project concept to completion, information security should be consulted so that information assets are properly protected. Often information security is an afterthought or not included in the project process. This approach can dramatically increase project costs and expose the institution to unnecessary risk. 

Practical Project Management For Security Implementation in Enterprise Systems

Top of page

Mobile Computing and Teleworking

Objective: To cover the appropriate safeguards that an institution can implement to prevent the unauthorized access to institutional information resources while using mobile computing and teleworking facilities.

Teleworking (i.e., telecommuting), e-commerce, use of intranets, online education, and the increase use of portable computing devices (e.g., laptops, tablets, smartphones) are driving the need for access to information resources from any place at any time. Today's mobile workforce or users are no longer just staff faculty, and students trying to check e-mail from home but part and full-time telecommuters, business partners, full-time students. and patients who rely on access to institutional networks to accomplish day-to-day business functions, attend classes, and follow-up on medical treatments. Information security controls specifically targeting mobile computing and remote access to information resources are becoming an increasingly critical component of any institution information security program ensuring the protection of the integrity of the institutional networks while allowing remote access to it.

Challenges of Mobile Computing:

To enable remote access to institutional information resources, institutions of higher education are implementing Virtual Private Networks (VPN) technology to provide a secure connection to the institutional network. VPNs send data securely through a shared network. VPNs can be established between remote users and a network or between two or more networks thus using the Internet as the medium for transmitting information securely over and between networks via a process called tunneling.

The EDUCAUSE Mobile Internet Device Security Guidelines page contains helpful advice to develop mobile Internet device security policy, standards, guidelines and procedures. It is organized into easy to follow steps to define objectives, develop a plan, and answer some of the questions being asked by users and security professionals alike.

Top of page


Campus Case Studies On This Page
Building ISO 27001 Certified Information Security Programs (University of Tampa, 2017)

EDUCAUSE Resources

Initiatives, Collaborations, & Other Resources

Top of page






2014 Cybersecurity Framework

HIPAA Security

27002:2013 Information Security Management
Chapter 6: Organization of Information Security
ISO 27001:2013
ISO/IEC 27003:2010
ISO/IEC 27004:2009
ISO 27014:2013

800-100: Information Security Handbook: A Guide for Managers
800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems


Req 3
Req 4
Req 6
Req 8


45 CFR 164.308(a)(2)
45 CFR 164.308(b)(1)
45 CFR 164.314(a)(1)

Top of page

Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).