Security Policies

Recent blog entries tagged with Security Policies.

EDUCAUSE Summit: The Role of IT in Campus Security and Emergency Management

Created by Carie Lee Page (EDUCAUSE) on August 15, 2008

Colleges and universities are subject to all-hazards, ranging from natural disasters to man-made events.  Recent shootings at Virginia Tech and Northern Illinois University, coupled with the devastation of floods and hurricanes and the threat of domestic and international terrorism have created a new sense of urgency on our campuses as we continue to explore new practices and policies for security and emergency management, from preparedness through recovery. 

In February, EDUCAUSE joined NACUBO and several other higher education associations to launch a new initiative aimed at helping institutions of higher education to develop comprehensive, all-hazards emergency management plans. This month, EDUCAUSE will bring together campus and IT leaders to continue the dialogue.

Building a Security Program to Include Metrics

Created by Valerie M. Vogel (EDUCAUSE) on August 13, 2008

In "Security Metrics: A Solution in Search of a Problem", a recent EDUCAUSE Quarterly article, Joel Rosenblatt (Manager of Computer and Network Security, Columbia University) describes how the creation and collection of appropriate metrics can enhance an institution's security program. Learn about some potential metrics in the following areas: policy and compliance, network and machine monitoring, outreach and education, legal compliance, authorization and authentication, asset protection, and privacy.

Podcast: The FTC as an Educational Partner in Improving Data Security and Privacy

Created by Gerry Bayne (EDUCAUSE) on May 19, 2008

This 38-minute podcast features a keynote address by Mary Beth Richards, Deputy Director of the Bureau of Consumer Protection for the Federal Trade Commission. Her speech, "The FTC as an Educational Partner in Improving Data Security and Privacy," was recorded at the EDUCAUSE 2008 Policy Conference in Arlington, Virginia.

Security Professionals Conference to Focus on Security and Privacy Compliance, Planning, and Trends in Higher Ed

Created by Colleen Luckett (EDUCAUSE) on February 08, 2008

Rebecca Whitener, vice president, enterprise risk management and chief risk officer, EDS, and Greg Garcia, assistant secretary for cyber security and communications, United States Department of Homeland Security, will present keynote sessions at the 2008 Security Professionals Conference, May 4–6 in Arlington, Virginia.

The conference program will cover these topic areas, with a focus on higher education:

Call for Proposals Now Open for 2008 Security Professionals Conference

Created by Colleen Luckett (EDUCAUSE) on October 04, 2007

The Security Professionals Conference 2008—featuring keynote speakers Rebecca Whitener of Electronic Data Systems and Greg Garcia of the United States Department of Homeland Security—will address technical solutions and management issues, including security training and awareness, as well as security policies and procedures. Presentation proposals are due before November 16, 2007. For additional information on cybersecurity in higher education, see the EDUCAUSE & Internet2 Security Task Force Web page.

EDUCAUSE Security Conference: Herding cats and campuses: addressing distributed security and compliance issues

Created by Lida L. Larsen (EDUCAUSE) on April 17, 2007
Summary
Herding cats and campuses: addressing distributed security and compliance issues
Kathleen Kimball, Senior Director, ITS Security Operations and Services, PennState
David Lindstrom, Chief Privacy Officer, PennState
 
2007 EDUCAUSE Security Professionals Conference
Thursday, April 12, 2007
Denver, CO
 
Notes:
Kimball and Lindstrom began their presentation with a quick overview of their statewide environment which serves 83,721 students plus more than 60K staff and faculty at 24 campuses, a medical school, agriculture extensions, and their World Campus online learning program. They have one backbone network statewide and push terabits of data.
 
Their distributed governance and other issues make the security problem more difficult. Many users aren’t doing the “traditional” things like teaching and many are “home users” and that’s the level of their skills as well. In addition, culturally there is a tradition of independence among the campuses and the emphasis on process by committee and consensus makes for a slow process.
 
They see their major security threats coming from constant hostile probes in a situation where security is often dependent on non-technical users.
 
What’s happening in the security arena?
Watching trends, they note:
  • growing sophistication of network attacks (bots, bots, and more bots)
  • increasing complexity of detecting and removing residual malicious software
  • growing number of vendor security updates to be handled
  • increasingly mobile population of Internet-capable devices connecting to unmanaged networks and then returning to PennState nets.
At the same time they see:
  • decreasing amount of time for global spread of worms and other malware
  • less ability to stop intruders at the network border
  • less time available to keep up with vendor security updates
  • decreasing window of time to detect and deter network-based attacks.
Legal and regulatory landscape
Lindstrom suggested that when in doubt, laws are passed, or policy is written, in an attempt to control what is increasingly becoming uncontrollable. He pointed out the 9 or so policies that PennState has produced relating to security and privacy. 
 
Lindstrom and Kimball represent the two sides of the house, administrative and academic, and find that they work together well in their respective institutional duties to reasonably secure sensitive data in their care.
 
At PennState, the network is distributed and so is the responsibility for data security. Each Dean or Administrative Officer is responsible for the data security policies and security implementations in their respective units. These local policies have the force of overall university policy and are intended to be guidelines for systems administrators.
 
In order for any unit to connect to the university network, it must have a network administrative, technical, and security contact. These folks are key in incident notifications. There are financial officers in each unit, and they help with compliance issues. Currently the biggest problem is that only a network address is generally known for university systems when an incident response begins.
 
Lindstrom noted that units handling administrative data have additional requirements that are outlined in their “Trusted Network Specifications,” and access to the net is not given unless they sign in ink that they’ll be responsible. Units with an exception to hold SSNs have even more requirements. In spite of these policies and security precautions, there is a perceived gap between policy and performance for a number of reasons. Those reasons are primarily the plethora of compliance issues such as FERPA, HIPAA, Gramm-Leach-Bliley, Pennsylvania’s Breach of Personal Information Notification Act, PCI-DSS (credit card industry standards), and undoubtedly more coming.
 
PennState feels that they must do better.
  • Improving the state of privacy and network security practices is essential, and it is a distributed problem that needs a distributed solution.
  • Raising the bar with regard to security practices and policies, the ability to comply with existing policies and laws, and their agility in responding to new laws that come along.
And all of this across the 24+ fiefdoms that comprise PennState.
 
From this the PennState Information Privacy and Security (IPAS) project was born.
It developed from a joint effort between ITS and the Corporate Controller, who sold university leadership on the gap between policy and practice. It is sponsored jointly by the Provost and CFO, and responsibility for oversight rests with the CIO and University Controller. Similarly, Kimball and Lindstrom represent the two sides of the house in their roles. It is a big enough central project that it was split three ways between budgets and budget executives. Audit, finance, the corporate controller, and firewall audit (a small piece of the overall effort) were something they could all get their arms around.
 
IPAS
This is a multi-year, multi-phase, university-wide project with some overlap in the timing of the phases.
Phase 1 – evaluate and remediate if necessary PCI-DSS systems and networks
Phase 2 – take lessons learned and apply to systems and networks handling sensitive university information
 
Three project team members were drafted from existing staff for two year assignments to the project: Project Manager, Senior Network Analyst, and Project Technical Coordinator. Copies of the brochure for IPAS were distributed to the session attendees and it was noted that it includes these three staff members, their responsibilities, and their contact information. Leadership from distributed units provided the staff resources.
 
Lindstrom and Kimball listed the specifics of the two phases.

EDUCAUSE2006 Podcast: Implementing an IT Security Plan

Created by Carie Lee Page (EDUCAUSE) on March 31, 2007

In this 39-minute recording from the 2006 EDUCAUSE Annual Conference, we'll hear from Gary DeClute and Stefan Wahe in a session entitled Implementing an Information Technology Security Program. They will share how the University of Wisconsin-Madison is implementing a comprehensive information technology security program suitable for both large enterprise systems and diverse departmental systems.

EDUCAUSE Enterprise 2006. Summary: Enterprise-wide Security

Created by Lida L. Larsen (EDUCAUSE) on June 07, 2006
Summary:
Enterprise-wide Security
Mark Bruhn and Jack Suess
Enterprise 2006
May 24, 2006
Chicago, Illinois
 
Abstract:
During 2005, more than 50 universities notified thousands of individuals that their campuses had data-security breaches, which might affect them personally. Many states have passed data privacy laws. This session will focus on the current challenges in data security, compliance, and disaster recovery: how new standards related to security and compliance are impacting university planning, and some of the critical activities on which we must collectively work together.
 
Security is #1 on the Top 10 Issues survey.  Bruhn and Suess asked if this was true for the participants.  Two thirds of the participants in this session agreed that it was their top issue.  All participants agreed that it was in the top five issues.
 
They then asked “Who has security as a goal on their performance evaluations?”
A few do. One participant indicated that under the new university strategic plans at his institution this will become one of his personal goals and that it will trickle down to others in the organization.
 
A key to good enterprise-wide security is to determine how to make security a part of everyone’s everyday work. In addition, some have state IT security policies to which they must be responsive. Part of the evaluation criteria may be to determine whether the organization or institution has an aligned policy.
 
Suess said it was important “to have a good IT audit.” He noted their performance evaluations have a Staff Development component in which every person has a security development component. Unless you are building it into your performance evaluations, staff will do the other things that you are evaluating.
 
Question: How do you measure security itself (re audit) when there is so very much that “can/should” be done? Suess said they have tried to look at specific incidents (compromised machines) through very specific design and to work toward a full audit report. He said it was helpful to translate these into “insurance/risk” language for a Board of Regents.
 
Question:  Is security in the strategic plan?  For the most part, security is in strategic plans but this is new and some institutions have not figured out how to include it yet.   It may be harder to quantify/qualify security in a strategic plan than it may be for other goals in areas like research and teaching/learning.
 
Question:  Who has a perimeter based firewall or an appliance?  Response: Fewer have an appliance.  Most use filtering and other mechanisms.
A participant from DeVry indicated that corporate policy came from the top with the decision to get an appliance and the people to administer it.  Every bit of the traffic in and out goes through the appliance.
 
In a recent survey they found that 90+% have a firewall “somewhere.”  Most have VPNs and have added intrusion detection and prevention.  The worry is the education and use.  Everyone is buying technology but not all may have use policies and educational awareness in place to support it.
 
Question:  How many detect and automatically react?  A quick show of hands indicated that not that many do.  One participant had a situation where a system in the Radio/TV department was really bad and so was blocked.  This turned into a political issue because this was the machine receiving Public Radio feeds.

EDUCAUSE Security Professionals Conference 2006. Summary: Defining the Security Domain

Created by Lida L. Larsen (EDUCAUSE) on April 25, 2006

Defining the Security Domain
Marilu Goodyear, ECAR Fellow and Professor, University of Kansas
John H. Louis, Assistant Vice Provost for Information Systems, University of Kansas
 
This session took a detailed look at how an institution might define their various domains (network, users, and data) for writing and implementing security policy.
 
To prepare for writing and implementing security policy one needs to know for whom the policy will apply, how it will apply, and when.  This defines the scope statement for your security policy.  It is a statement of the network, people, data, and administrative structure of the institution. 
 
This can be a daunting task in the academic community.   This session provided a grid of decision points to help identify the gates that need to be kept to ensure that freely available university data is available to all and that restricted or confidential data is protected and made available to only those who are authorized to have access. 
 
Public networks are available to anyone for a price. University networks are considered private and therefore must manage the network and the privacy of both users and data. Because of additional federal requirements it is important to understand all relevant boundaries. When academic institutions run their own networks, whether centralized or decentralized, they are responsible for the security of the data and the privacy of the user. If the network is outsourced, there must be clear contract language that delineates responsibility for these issues. Academic institutions also must be aware of public and other networks where members of the community may have individual accounts.
 
However, the security domain for academic institutions is limited to networks managed by the institution be they centrally managed or run by a department.  A good network policy should define the network boundary which in turn affects the definition of the security domain.  Along with creating a good network policy, the institution must also consider the “who, what, how” of providing awareness training across the boundaries.

EDUCAUSE Security Professionals Conference 2006. Summary: System-wide Strategies for Achieving IT Security at Univ. of California

Created by Lida L. Larsen (EDUCAUSE) on April 25, 2006
System-wide Strategies for Achieving IT Security at the University of California
Jacqueline Craig, Director of Policy, University of California Office of the President
David H. Walker, Director of Advanced Technology, University of California Office of the President
 
How do you effectively achieve appropriate stewardship of both personal and restricted information that is used across an institution’s academic, administrative, and other operations? This session took a close look at the University of California system’s efforts.
 
UC has experienced a number of serious security breaches across the 18 campuses, centers and labs.  In 2003, California passed legislation requiring notification if there is a reasonable belief that unauthorized access of information has occurred and there is reason to believe that privacy of individuals has been compromised.  UC responded by instituting a university-wide security workgroup to come up with solutions.  The workgroup was comprised of faculty, deans, vice-chancellors, general counsel, security officers, CIOs and directors.
 
The working group agreed upon a number of recommendations:
  • Leadership actions to achieve accountability
  • University-wide communication and security education & training
  • Stronger IT security policies
  • Risk assessment guidelines and mitigation with focus on both academic and administrative strategies.