Cybersecurity Policy and Security Planning

Recent blog entries tagged with Cybersecurity Policy and Security Planning.

EDUCAUSE Live! Podcast: What Price Insularity? Reflections About Computer Security Failings.

Created by Gerry Bayne (EDUCAUSE) on January 07, 2008

In this EDUCAUSE Live! podcast, join host Steve Worona for the topic "What Price Insularity? Reflections About Computer Security Failings". Steve's guest is Fred Schneider, Professor of Computer Science at Cornell University.

Presentation slides for this audio can be found here.

Tune In Nov. 14: Free Web Seminar on IT Security Essential Body of Knowledge for Workforce Development

Created by Valerie M. Vogel (EDUCAUSE) on November 08, 2007

The Department of Homeland Security's National Cyber Security Division worked with subject matter experts from government, the private sector, and academia to develop an umbrella framework that establishes a national baseline representing the essential knowledge and skills IT security practitioners must have to perform their jobs. The IT Security EBK builds directly on established work and is not intended to represent a standard, directive, or policy by DHS. Instead, it further clarifies key IT security terms and concepts for well-defined competencies, identifies notional security roles, and defines primary functional perspectives to help advance the IT security training and certification landscape as we strive to ensure that we have the most qualified and appropriately trained IT security workforce possible.

Tune In Nov. 14: Free Web Seminar on IT Security Essential Body of Knowledge for Workforce Development

Created by Colleen Luckett (EDUCAUSE) on November 07, 2007

New Resource Page on PCI DSS (Payment Card Industry Data Security Standard)

Created by Valerie M. Vogel (EDUCAUSE) on June 15, 2007

Explore the new PCI DSS Resource Page. View Community Resources (under the "Other" tab) or contribute your own resources.

EDUCAUSE Enterprise 2006. Summary: Enterprise-wide Security

Created by Lida L. Larsen (EDUCAUSE) on June 07, 2006
Summary:
Enterprise-wide Security
Mark Bruhn and Jack Suess
Enterprise 2006
May 24, 2006
Chicago, Illinois

Abstract:
During 2005, more than 50 universities notified thousands of individuals that their campuses had data-security breaches, which might affect them personally. Many states have passed data privacy laws. This session will focus on the current challenges in data security, compliance, and disaster recovery: how new standards related to security and compliance are impacting university planning, and some of the critical activities on which we must collectively work together.

Security is #1 on the Top 10 Issues survey. Bruhn and Suess asked if this was true for the participants. Two thirds of the participants in this session agreed that it was their top issue. All participants agreed that it was in the top five issues.

They then asked “Who has security as a goal on their performance evaluations?”
A few do. One participant indicated that under the new university strategic plans at his institution this will become one of his personal goals and that it will trickle down to others in the organization.

A key to good enterprise-wide security is to determine how to make security a part of everyone’s everyday work. In addition, some have state IT security policies to which they must be responsive. Part of the evaluation criteria may be to determine whether the organization or institution has an aligned policy.

Suess said it was important “to have a good IT audit.” He noted that their performance evaluations have a Staff Development component in which every person has a security development component. Unless you build security into your performance evaluations, staff will do the other things that you are evaluating.

Question: How do you measure security itself (re audit) when there is so very much that “can/should” be done? Suess said they have tried to look at specific incidents (compromised machines), using a very specific design to do this, and to work towards a full audit report. He said it was helpful to translate these into “insurance/risk” language for a Board of Regents.

Question: Is security in the strategic plan? For the most part, security is in strategic plans, but this is new and some institutions have not figured out how to include it yet. It may be harder to quantify/qualify security in a strategic plan than it is for other goals in areas like research and teaching/learning.

Question: Who has a perimeter-based firewall or an appliance? Response: Fewer have an appliance. Most use filtering and other mechanisms.
A participant from DeVry indicated that corporate policy came from the top with the decision to get an appliance and the people to administer it. Every bit of the traffic in and out goes through the appliance.

In a recent survey they found that 90+% have a firewall “somewhere.” Most have VPNs and have added intrusion detection and prevention. The worry is education and use. Everyone is buying technology, but not all may have use policies and educational awareness in place to support it.

Question: How many detect and automatically react? A quick show of hands indicated that not that many do. One participant had a situation where a system in the Radio/TV department was really bad and so was blocked. This turned into a political issue because this was the machine receiving Public Radio feeds.

UCISA Information Security Toolkit

Created by Stuart Yeates (University of Oxford) on March 15, 2006

UCISA were at the 2006 JISC Conference, touting their Information Security Toolkit:

The UCISA Information Security Toolkit is intended to support UK Higher and Further Education Institutions in producing Information Security policies to address (and to demonstrate that they are addressing) threats to the confidentiality, integrity and availability of information systems for which they are responsible, and to help meet audit requirements. The sections draw heavily on British Standard BS 7799, not least by adopting its structure for control objectives and controls.

Unfortunately it's very much embedded in the UK legislative framework, so only the technical bits will be of much use to those outside the UK. Strangely enough, I spent three days in Blackpool last week at their big annual event and didn't catch up with the toolkit at all; presumably they were all too busy running the event to promote their own documents.