EDUCAUSE | Cybersecurity Policy

FERPA Notice of Proposed Rulemaking Addresses Changes in IT

Rodney — Mon, 31 Mar 2008 12:52:09 -0500

The U.S. Department of Education has issued a Notice of Proposed Rulemaking with proposed regulations pertaining to the Family Education Rights and Privacy (FERPA). Among other things, "the proposed regulations respond to changes in information technology and address other issues identified through the Department's experience administering FERPA," according to the Notice. Additionally, the regulations are needed to implement amendments to FERPA contained in the USA Patriot Act and the Campus Sex Crimes Prevention Act, to implement two U.S. Supreme Court decisions interpreting FERPA, and to make other necessary changes.

Among the IT-related changes are:

Clarification of what can be included as directory information, addressing Social Security Number (SSN), other student ID numbers, and email addresses
Requiring the use of reasonable methods to identify and authenticate the identity of students, parents, school officials, and any other parties to whom personally identifiable information is disclosed
Recommendations to assist institutions in safeguarding educational records

The deadline for comments is May 8, 2008.

The EDUCAUSE Washington Office is reviewing the proposed changes and welcome your comments or questions. We will provide a more detailed analysis of the proposed rules and any further updates at a later date.

Security Task Force Provides Briefing to CSIS Commission on Cyber Security for the 44th Presidency

vvogel — Wed, 26 Mar 2008 10:01:41 -0500

The EDUCAUSE/Internet Security Task Force provided a briefing to the CSIS Commission on Cyber Security for the 44th Presidency on March 12, 2008, during the event "Improving Cybersecurity: Recommendations from Private Sector Experts". A 1-page summary of the briefing is available, as well as the complete transcript.

Soliciting Higher Education Input to the Commission on Cyber Security for the 44th Presidency

Rodney — Thu, 06 Mar 2008 15:31:21 -0600

The Center for Strategic and International Studies (CSIS) has established a Commission on Cyber Security for the 44th Presidency – the administration that will take office in January 2009. The goal of the nonpartisan Commission is to develop recommendations for a comprehensive strategy to improve cyber security in federal systems and in critical infrastructure.

The EDUCAUSE/Internet2 Security Task Force has been invited to provide input to the Commission and welcomes your comments in the following areas:

What role has the Federal government played to improve cybersecurity these past few years that has been useful for the higher education sector?
Are there ways in which the Federal government has hindered progress? If so, please describe.
Are there new initiatives you would like to see from the Federal government help to improve cybersecurity?

Please comment by Wednesday, March 12th, 2008, by using the "Post new comment" section below or sending your comments to Security-Task-Force@educause.edu

EDUCAUSE Live! Podcast: What Price Insularity? Reflections About Computer Security Failings.

gbayne — Mon, 07 Jan 2008 12:27:05 -0600

In this EDUCAUSE Live! podcast, join host, Steve Worona, for the topic "What Price Insularity? Reflections About Computer Security Failings". Steve's guest is Fred Schneider, Professor of Computer Science at Cornell University.

Presentation slides for this audio can be found here.

Why is it risky for technologists to ignore the nontechnical context where their systems will be deployed? Furthermore, what is the risk when policymakers ignore the limits and potential of technology? How can we structure dialogue between technologists and policymakers to address security failings—to revisit identity theft, electronic voting machines, digital rights management, and network neutrality? Fred Schneider, editor of the National Research Council study Trust in Cyberspace and longtime researcher on what makes computer systems secure, considers these and other questions.

Tune in Jan. 4 for a Free Web Seminar on the Role Insularity Plays in Computer Security Failings

pkurkowski — Tue, 18 Dec 2007 18:06:55 -0600

Why is it risky for technologists to ignore the nontechnical context where their systems will be deployed? Furthermore, what is the risk when policymakers ignore the limits and potential of technology? How can we structure dialogue between technologists and policymakers to address what could be termed as "security failings"—to revisit identity theft, electronic voting machines, digital rights management, and network neutrality?

In this free January 4 EDUCAUSE LIVE! seminar, What Price Insularity? Reflections About Computer Security Failings, presenter Fred Schneider, professor of computer science, Cornell University, will consider these and other questions.

Those unable to attend may wish to visit the archives after the event or browse related EDUCAUSE resources on Security Management, Identity Theft, and Cybersecurity Policy.

Tune In Nov. 14: Free Web Seminar on IT Security Essential Body of Knowledge for Workforce Development

vvogel — Thu, 08 Nov 2007 16:15:57 -0600

The Department of Homeland Security's National Cyber Security Division worked with subject matter experts from government, the private sector, and academia to develop an umbrella framework that establishes a national baseline representing the essential knowledge and skills IT security practitioners must have to perform their jobs. The IT Security EBK builds directly on established work and is not intended to represent a standard, directive, or policy by DHS. Instead, it further clarifies key IT security terms and concepts for well-defined competencies, identifies notional security roles, and defines primary functional perspectives to help advance the IT security training and certification landscape as we strive to ensure that we have the most qualified and appropriately trained IT security workforce possible.

This free November 14 EDUCAUSE Live! Web seminar, IT Security Essential Body of Knowledge: A Competency and Functional Framework for IT Security Workforce Development, features presenter Brenda Oldfield, Director of Education, Training, and Workforce Development, Office of Cyber Security and Communications, U.S. Department of Homeland Security.

Those unable to attend may wish to visit the archives after the event or browse related EDUCAUSE resources:

Tune In Nov. 14: Free Web Seminar on IT Security Essential Body of Knowledge for Workforce Development

cluckett — Wed, 07 Nov 2007 17:18:53 -0600

This free November 14 EDUCAUSE Live! Web seminar, IT Security Essential Body of Knowledge: A Competency and Functional Framework for IT Security Workforce Development, features presenter Brenda Oldfield, director of education, training, and workforce development, office of cyber security and communications, U.S. Department of Homeland Security,

Those unable to attend may wish to visit the archives after the event or browse related EDUCAUSE resources:

Attend the State of the Net Conference in January 2008

Rodney — Tue, 06 Nov 2007 15:58:31 -0600

The Congressional Internet Caucus Advisory Committee's State of the Net Conference will be held on January 30, 2008, in Washington, D.C. The conference offers attendees unparalleled opportunities to network and dialogue on key technology and information policy issues. Attendees include a mix of academics, consumer groups, industry, and government. In 2007, over 50 percent of the attendees were policy staff from Congressional offices and governmental agencies. There is a significant registration discount for non-profit and academic organizations. For more information or to register, go to http://netcaucus.org/conference/2008/

Congress Expresses “Apprehension” About DHS Framework for Cybersecurity

Rodney — Thu, 01 Nov 2007 17:01:42 -0500

In a hearing before the U.S. House of Representatives Homeland Security Committee Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, subcommittee chair Rep. James R. Langevin (Dem.-RI) said, “I have great apprehension about the current framework DHS is creating with the sector specific plans (SSP’s) as they relate to cybersecurity.” He continued, “The Federal government and the American people want to ensure there is a high level of cybersecurity protections on our critical infrastructure.

Dr. Lawrence A. Gordon, a professor from the University of Maryland, testified regarding ways of encouraging investments (i.e., incentives) that are directed at improving cybersecurity in profit-oriented organizations. “The most powerful incentive for an organization in the private sector to invest in cybersecurity activities is the motivation to increase the organization’s value to its owners,” he said. “A fundamental problem in coming up with estimates of the benefits derived from cybersecurity investments is that the most important potential losses are due to unobservable lost customers resulting from cyber breaches and the potential liabilities associated with cyber breaches.” Sally Katzen, a visiting professor of law at George Mason University (GMU) and senior consultant to the GMU Critical Infrastructure Protection (CIP) Program, observed in her testimony that the key to addressing cybersecurity both within and across sectors is the integration of various existing standards into Enterprise Risk Management (ERM) principles and techniques. She remarked, “ERM shines a light on cyber-CIP risks and all other enterprise risks at very high levels of accountability, including the boardroom.”

The hearing, “Enhancing and Implementing the Cybersecurity Elements of the Sector Specific Plans”, was designed to highlight the cyber elements of the plans submitted by the critical infrastructure sectors as required by the National Infrastructure Protection Plan. Although higher education cyber systems are not considered “critical infrastructure” according to the Federal government’s current framework, the U.S. Department of Education has submitted an SSP on behalf of “educational facilities” that references the need to maintain the security of college and university cyber systems. A report issued by the Government Accountability Office concluded that the sector specific plans varied in how comprehensively they addressed the cyber security aspects of their sectors.

E07 Podcast: An Interview with Bruce Schneier

mpasiewicz — Thu, 01 Nov 2007 15:02:49 -0500

The attached recording provides coverage of a 14 minute interview with BT Counterpane's Bruce Schneier. Listen in as he shares some insightful words about privacy along with interesting commentary about ethics, cybersecurity and blogging. Don't forget the video (or audio) of his session in Seattle too.