EDUCAUSE | IT Funding

EDUCAUSE 2007 Current Issues Report Spotlights Top-Ten Campus IT Challenges

cluckett — Fri, 04 May 2007 12:44:55 -0500

Which IT issues have the greatest strategic importance to higher education institutions today and which ones are likely to be important in the future? Find answers to these questions and learn about other current trends in the 2007 EDUCAUSE Current IT Issues Survey report, published in the current issue of EDUCAUSE Quarterly.

The 2007 survey gathered responses from 591 primary representatives (typcially CIOs) of EDUCAUSE member institutions, representing public and private and associate- through doctorate-granting institutions of all sizes.

Among this year's key findings:

Funding IT re-emerges as a top challenge.
Security and identity/access management split as separate issues.
Course/learning management systems move into the top ten for the first time.
Among issues expected to be more significant in the future, portals drop in rank from fifth to ninth.

The report is accompanied by a collection of helpful resources on the top issues.

EDUCAUSE Security Conference: Influencing the future of security in your organization

llarsen — Tue, 17 Apr 2007 16:23:04 -0500

Summary:

Influencing the future of security in your organization

Pamela Fusco, Former EVP and Head Global Information Security, Citigroup Inc.

2007 Security Professionals Conference

Thursday, April 12, 2007

Denver, CO

Notes:

Fusco began by talking of the importance of having a business process as an anchor for your work. She has worked at a number of different companies (Merck, Digex, WorldCom, Citigroup, etc.), each of which was different and had a specific kind of security need.

What people normally do but you shouldn’t and then what you should do

The normal first step is to identify and validate the existing security program in support of building an enterprise wide security risk management program 90% is the same but 10% is indigenous to the field. The second normal step is to enlist a phased approach to the work to be done that has tactical and strategic objects. This, however, she said was BORING…and apparently not an efficient way to move forward. Fusco also said “Don’t kill people with PowerPoints!”

Her advice was to “state the obvious and back it up with reality”

Unknowingly accepting risk levels far beyond an organization’s risk tolerance
Gaps in information security capabilities have business impacts
Underinvestment results in unacceptable risk tolerance
Security must become an enabler for business strategies – so be current, strategize, innovate, and have fun!
Launch a comprehensive information security program that meets today’s needs but prepares for the future
Business and Information Security leaders must own the process of moving information security to the next level

Value of information security (to the boss)

In one position, Fusco’s boss said “Why did I hire you? We haven’t had an incident so why do I need you?” It was her opportunity to be creative and show, graphically, what the risks were that were unknown. She created innovative visuals to get her messages across to those she needed to convince to fund information security work. She said that when you ask for money you must state the gaps in your current security to get what you need to do the work and plan towards the future. It’s not about the technology it’s about the power of influence.

Understanding compliance requirements

Fusco said we are all impacted by understanding compliance requirements today. Critical to your work of planning and implementing information security is to

Meet with your stakeholders AND listen to them
Know your audience, know your stakeholders, know their terminology and speak at their level. It’s critical to communicate appropriately. There is difference between knowledge and understanding such as the difference in the terms “delete” and “deleted”
- She described a situation in the pharmaceutical world where data retention compliance was taken to the letter of the law but without understanding what data retention actually is. Stacks and racks of laptops, desktops, servers, etc were warehoused because they had information on them and in the pharmaceutical world it has to be kept for 100 years. However, no one knew what was actually on these computers and there was no way to get to information if you actually needed it.
Ask for volunteers, both internal and external, and organize a sampling of users for a pilot group. This kind of activity fosters a sense of participation and encourages acceptance of new business process and security measures.
Test, evaluate, validate and document the experience.

Security begins at home, your employee’s home…

Fusco quoted InfoWorld that 93% of Bots and security issues are unknowingly generated via employees using consumer electronics in their homes. As more consumer communications and devices enter the corporate enterprise security professionals need to consider the risks for business security. Things to consider included IM, gmail, iphones, un-secure home networks, etc. Employees are using these devices at home and in the workplace.

If we can not say “no” to using them in the workplace, then we need to figure out how to permit it safely. Critical to this is awareness training but we can also look at low cost technology controls and practices, deploy AUP and content monitoring, disable port tunneling of unmanaged systems, and restrict downloads.

Cybercrime is a billion dollar business

Bot-herders, fraudsters and exploit writers
Super Trojan selling on the net for $600
Email address lists and login details for sites
Hacked root servers
Hosting servers for financial scams

Investing in information security

Use your power of influence.
Underinvestment in information security results in unacceptable risk tolerance.
Annual spending on information security is between 5-12% from the IT budget, though Finance always spends more (12=15%)
As a business model, figure out what percentage you spend on information security and compare it to what your competitors are spending.

Considerations

You need metrics and reporting; both hard numbers and benchmarking
You have to monitor & manage the information security program with such factors as compliance & oversight, data overload, standards & common builds.

Fusco noted that “making your own pizza can be more expensive than calling for a delivery” in other words, customization is expensive and supporting it can be a problem. Building a standard (one to many) is important. Also, it can be hard to test and evaluate “home grown” in a Sarbanes-Oxley world. She suggested that we look for solutions where we can leverage partnerships.

Introducing Security Changes in the Workplace

Change happens and most people think of change as negative so you must clearly tell them WHY you are doing what you need to do (outcomes). Change should not be pushed on people so be positive, involve them collaboratively so they are a part of the solution, celebrate successes and milestones as a community effort. Also, be upfront in setting expectations and owning up to mistakes or shortcomings.

Advice for the Future

Keep current and look forward to what may be coming by looking at where we’ve been and where we are.
Strategize where we want our organizations to be in 5 yrs and determine what will grow us to that point. Go from being reactive to being proactive and be predictive.

Re: information security practice:

Look to see what’s coming in and hitting us low now because it may be bigger later.
Look at what’s going out also because we may already have been compromised.
Understanding that no one will have 100% security, but we must show where we will be in 2 or 3 years (Be realistic – show initial stages and keep it flowing)

From Fusco’s experience

How do we know what’s happening when we have no reported incidents or disclosure?
Patches for everything – is everything patched?
Mountains of logs – how are they used?
Data information owners – who are they?
Key aspects of a holistic, sustainable, realistic and reliable compliance and security strategy include measurable controls and Point In Time (P-I-T) assessments but keep in mind that PIT assessments may provide a false sense of security

Rushing through closing comments Fusco said that security must become an enabler for business strategy and innovation and to have fun in the process and practice. She offered a few ideas for what security challenges we may see in the future including “anything” mobile being an computing information mechanism and more regulation.

Her final summary:

Security starts at the top but must be embraced by everyone in the organization

Create a culture of compliance and risk thought

People and their behavior are the key ingredients to good security

Process is important for reliability and “repeatability”

Collect and use data and facts to measure progress and success

Make information security part of the annual performance and business objectives

Leverage information security organizations for keeping current, directional advice and guidance.

Pamela Fusco’s presentation slides are posted to the conference web site at http://www.educause.edu/SEC07/Program/11616?PRODUCT_CODE=SEC07/GS03.

An Interview with Laurie Antolovic

mpasiewicz — Tue, 17 Oct 2006 19:28:46 -0500

In this 25 minute recording, Bill Hogue hosts an interview with Laurie Antolovic, CFO of Indiana University's Office of the Vice President for Research and Information Technology. Listen in as they chat about funding IT, the role of a CFO, and the vices and virtues of open source software.

Survey Report Spotlights Top Campus IT Challenges

ecoghlan — Thu, 04 May 2006 11:51:36 -0500

Which IT issues have the greatest strategic importance to higher education institutions today and which ones are likely to be important in the future? Find answers to these questions and learn about other current trends in the 2006 EDUCAUSE Current IT Issues Survey report, published in the current issue of EDUCAUSE Quarterly.

The 2006 survey gathered responses from 628 primary representatives (typcially CIOs) of EDUCAUSE member institutions, representing public and private, and associate- through doctorate-granting institutions of all sizes.

Among the report's findings:

Security/identity management has replaced IT funding as the top strategic challenge
Disaster recovery/business continuity has joined the list of top ten strategic issues.
Portals are no longer among the top ten strategic issues.

The report is accompanied by a collection of helpful resources on the top issues. And a condensed version of the report is available from the latest issue of EDUCAUSE Review.

E2005 Podcast: Funding the New Campus Connectivity

podcaster — Fri, 24 Mar 2006 17:50:00 -0600

This 53 minute recording provides coverage of the 2005 EDUCAUSE Annual Conference Session entitled Funding the New Campus Connectivity.

OpenBSD project out of cash

StuartYeates — Wed, 22 Mar 2006 02:30:36 -0600

The OpenBSD project is out of cash. They've been operating at a 20K USD loss in each of the last two years and have gone public with their issues.

While at first glance this is a case of one of the BSD family of operating systems losing out to the momentum of Linux in the POSIX market, OpenBSD is the most security-focused of all the open source operating systems and includes OpenSSH, the de-facto standard method of secure remote connection in the POSIX world.

OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that increasing numbers of people on the Internet are coming to rely on. Many users of telnet, rlogin, ftp, and other such programs might not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety of authentication methods.

One of the issues may be that Theo, the lead developer (and often seen from the outside as the only developer) is seen as prickly and paranoid, but then this is a man who the open source software world has delegated their security worries and paranoia too. This is a space where a healthy paranoia is a good thing.

If you're wondering how you can keep your open source project from floundering from lack of cash, come to our Open Source and Sustainability 2006 Conference.

E2005 Podcast: Chicken or Egg: IT Services or IT Costs

podcaster — Wed, 15 Mar 2006 18:30:32 -0600

This 40 minute recording provides coverage of the 2005 EDUCAUSE Annual Conference Session entitled Chicken or Egg: IT Services or IT Costs.

An Interview with Joakim Nejdeby, CIO of Sweden's Linkopings Universitet.

mpasiewicz — Fri, 11 Nov 2005 18:08:00 -0600

In this recording from the 2005 EDUCAUSE Annual Conference, we'll gather some thoughts from one of our international attendees, Joakim Nejdeby, CIO of Sweden's Linkopings Universitet.