EDUCAUSE | Data Security

August 8: Free Web Seminar on Identity Management at University of Southern California

cluckett — Fri, 01 Aug 2008 15:54:42 -0500

The EDUCAUSE Live! Spotlight on Identity Management series is a six-month series that will feature one or two speakers from a campus that have analyzed or solved a problem in a way that many people will find instructive.

Identity and access management (IAM) at University of Southern California (USC) has been a policy-driven, grassroots effort for the past five years. During that time collaborative committees with representatives from many academic and administrative units have enabled the accelerated growth of applications relying on identity data while governing the release of that data. With the backing of the university data stewards in the offices of the registrar, provost, and personnel services, policies have been implemented regarding the release of identifying sensitive information to both internal departments and external vendors. In this free web seminar on August 8, Identity Management at USC: Collaboration, Governance, and Access, presenters Brendan Bellina, identity services architect and manager of enterprise middleware development, and Margaret Harrington, director of the Office of Organization Improvement Services, both at USC, will discuss the composition of these committees, the governance policies that have been implemented, and some of the dozens of applications that have been enabled securely through this process.

The event is free, but registration is required and virtual seating is limited. Register now.

Podcast: The FTC as an Educational Partner in Improving Data Security and Privacy

gbayne — Mon, 19 May 2008 16:40:38 -0500

This 38 minute podcast features a keynote address by Mary Beth Richards, Deputy Director of the Bureau of Consumer Protection for the Federal Trade Commission. Her speech, "The FTC as an Educational Partner in Improving Data Security and Privacy," was recorded at the EDUCAUSE 2008 Policy Conference in Arlington, Virgina.

The Federal Trade Commission deals with issues that touch the economic lives of most Americans. The current portfolio includes protecting consumers in the areas of data security and privacy, identity theft, Social Security number misuse, identity management, spam, maintaining the National Do Not Call Registry, and other IT issues of interest to colleges and universities. The FTC's Bureau of Consumer Protection, although a regulator of businesses, is also an educator: it seeks to educate consumers and provide businesses and other organizations with the information they need to comply with the rules of the road and to provide consumers with the necessary tools to engage in commerce intelligently. This session highlights information policy issues the FTC is addressing and educational resources institutions of higher education can leverage to improve student, faculty, and staff awareness of data security and privacy risks.

EDUCAUSE Live! Podcast: What Price Insularity? Reflections About Computer Security Failings.

gbayne — Mon, 07 Jan 2008 12:27:05 -0600

In this EDUCAUSE Live! podcast, join host, Steve Worona, for the topic "What Price Insularity? Reflections About Computer Security Failings". Steve's guest is Fred Schneider, Professor of Computer Science at Cornell University.

Presentation slides for this audio can be found here.

Why is it risky for technologists to ignore the nontechnical context where their systems will be deployed? Furthermore, what is the risk when policymakers ignore the limits and potential of technology? How can we structure dialogue between technologists and policymakers to address security failings—to revisit identity theft, electronic voting machines, digital rights management, and network neutrality? Fred Schneider, editor of the National Research Council study Trust in Cyberspace and longtime researcher on what makes computer systems secure, considers these and other questions.

E07 Video & Podcast: "Bruce Schneier on Information Security: Ten Trends"

vvogel — Thu, 29 Nov 2007 16:51:51 -0600

Watch the video or listen to the podcast of Bruce Schneier's recent keynote speech, "Bruce Schneier on Information Security: Ten Trends", which was delivered at the EDUCAUSE 2007 Annual Conference in Seattle, Washington on October 26, 2007.

You can also hear a 14 minute interview with Bruce Schneier. Listen in as he shares some insightful words about privacy along with interesting commentary about ethics, cybersecurity, and blogging.

E07 Podcast: Bruce Schneier on Information Security: Ten Trends

gbayne — Wed, 31 Oct 2007 15:35:49 -0500

In this 43 minute podcast, we feature a keynote speech by Bruce Schneier, author and Chief Technology Officer for BT Counterpane, Inc. This speech was delivered at the EDUCAUSE 2007 Annual Conference in Seattle, Washington on October 26th, 2007. It is entitled "Bruce Schneier on Information Security: Ten Trends".

Surveying current trends in information security, it’s clear that a myriad of forces are at work. But fundamentally, security is all about economics: both attacker and defender are trying to maximize the return on their investments. Economics can both explain why security fails so often and offer new solutions for its success. For example, often the people who could protect a system are not those who suffer the costs of failure. Changing these economic incentives will do more to improve security than will more technology.

Tune In September 5: Free Web Seminar on Payment Card Industry (PCI) Compliance in Higher Education

cluckett — Tue, 28 Aug 2007 15:46:56 -0500

Many of us are working within our institutions to achieve Payment Card Industry (PCI) compliance. We see a number of merchants on campuses with different business needs, systems, and vendor relationships in place. In many cases, achieving compliance with PCI DSS, the Data Security Standard, is proving difficult. In this free Sept. 5 EDUCAUSE Live! Web seminar, Lessons Learned on the Road to PCI Compliance, Mark Welch, project coordinator for the Credit Card Support Program at University of Notre Dame, and Walt Conway, president of Walter Conway Associates, LLC, will share experiences and valuable lessons learned in implementing PCI DSS, including merchant levels (does it matter?), limiting the scope of the PCI effort (yes, it can be done), the Payment Applications Best Practices list (is it required?), and recent findings on information security breaches.

In addition, Welch and Conway will represent NACUBO and all of higher education at the first PCI Security Standards Council meeting of participating organizations to be held in Toronto next month. Bring your questions, suggestions, and observations to share with them in advance of that meeting.

Those unable to attend may wish to visit the archives after the event or browse related EDUCAUSE resources on PCI DSS.

Podcast: Privacy and Security in Higher Education: Filling the Policy Vacuum

gbayne — Mon, 13 Aug 2007 11:57:22 -0500

In this hour and ten minute long podcast from the 2007 Seminars on Academic Computing, we hear from Fred H. Cate, Distinguished Professor at the School of Law and Director of the Center for Applied Cybersecurity Research at Indiana University, with a speech entitled, Privacy and Security in Higher Education: Filling the Policy Vacuum .

Colleges and universities possess an exceptional volume and variety of personal information. Our stewardship of such information has been inconsistent and inadequate, and we often implement new technologies and systems without considering systemic privacy and security implications. Although many publicly reported security breaches occur on campuses, we have been slow to provide training in privacy and security issues, rarely audit for compliance, and lag far behind industry and government in appointing privacy and security officers. This session will address the information policy challenges facing colleges and universities, today and in the future, and will offer practical steps for overcoming them.

New PCI DSS Resource Page Posted on EDUCAUSE Connect

cluckett — Mon, 06 Aug 2007 13:42:12 -0500

EDUCAUSE has posted the new Connect resource page, Payment Card Industry Data Security Standard (PCI DSS). Explore conference resources, member blogs, wikis, and more.

GAO Releases Report on Data Breaches and Identity Theft

Rodney — Tue, 24 Jul 2007 15:00:19 -0500

The Government Accountability Office (GAO) has released a Report on Data Breaches that concludes while "breaches of sensitive information have occurred frequently and under widely varying circumstances, . . . the extent to which data breaches have resulted in identity theft is not well known." It further concludes that "should Congress choose to enact a federal notification requirement, use of a risk-based standard could avoid undue burden on organizations and unnecessary and counterproductive notifications of breaches that present little risk."

Some further higher education references in the report:

EDUCAUSE, a nonprofit association that addresses technology issues in higher education, conducted a survey in 2005 on data security at higher education institutions in the United States and Canada. Twenty-six percent of the 490 institutions that responded said they had experienced a security incident in the past year that resulted in the compromise of confidential information." (page 16)
Representatives of the American Council on Education and two other higher education associations stated that while data breaches at colleges and universities were not uncommon, they were aware of little to no identity theft that had resulted from such breaches. (page 23)
7 higher education institutions are identified (although not by name) among the 24 large publicly reported data breaches from January 2000 - June 2005 that were examined by the GAO which included interviews with educational institutions. (page 26)
There are also costs associated with actual notifications - potentially including printing, postage, legal, investigate, and public relations expenses . . . Entities also may incur costs related to staffing call centers to field inquiries from consumers about the breach. For example, representatives of the University of California at Berkeley told us that following a 2005 breach of 98,000 records, the university spent $75,000 in staffing, telecommunications, and other call center costs. (page 34)

The report also makes frequent reference to the President's Identity Theft Task Force Report released in April.

Podcast:: Security Breaches and Identity Theft

gbayne — Tue, 26 Jun 2007 15:05:47 -0500

In this 55 minute podcast, we present a general session from the EDUCAUSE 2007 Policy Conference entitled, “Security Breaches and Identity Theft”. This is a panel discussion moderated by EDUCAUSE Government Relations Officer and Security Task Force Coordinator, Rodney Peterson. The discussion features:

Michael Atleson, Attorney, Division of Privacy and Identity Protection, Federal Trade Commission

Liz Gasster, General Counsel and Acting Executive Director of the Cyber Security Industry Alliance

As Congress strives to pass legislation that would provide a uniform federal law for security breach notifications, a number of related privacy and security policy proposals are under consideration in the Congress and executive branch agencies. This panel will address topics such as preventing misuse of Social Security numbers, requirements for a personal data privacy and security programs, and measures to prevent identity theft.