Documents Contributed by ECAR, Security Management, and Security Policies

This April 2008 survey is a critical component of the EDUCAUSE Center on Applied Research (ECAR) study of information security officers in higher education. It seeks to understand the important characteristics and career paths of those engaged in day-to-day IT security management in colleges and universities.

Citation for this work: EDUCAUSE Center for Applied Research. "IT Security Officer Survey" (Survey Instrument). Boulder, CO: ECAR, 2008, available from http://www.educause.edu/ecar.

This bulletin discusses some of the lessons learned by the Emory College, Faculty of Arts and Sciences, in developing its information technology security strategy, as well as what other schools grappling with security should consider when implementing a local security strategy. Research in this bulletin is drawn from the experiences of the Emory College, along with interviews of IT lead personnel from five of Emory's graduate and undergraduate schools: the School of Law, the School of Nursing, the School of Medicine, the School of Public Health, and the School of Business.

When ECAR studied IT security in 2003, we discovered that despite efforts to develop a secure IT infrastructure in higher education, uneven management awareness and a culture that equated good IT security with the curtailment of academic freedom constrained IT security options and choices. The results of this 2006 study of IT security in higher education demonstrate that there has been a sea change in less than three years. This study not only assesses the current condition of IT security practice, but documents changes in practice over time among a constant set of respondents. Among 492 total survey respondents, fully 204 institutions responded to both the 2003 and the 2005 surveys. Extraordinary changes in both hard and soft security measures were reported. Nearly one-third of responding institutions now have a chief information security officer, and more than 60 percent of the 2005 respondents have a centralized IT security function. The study is supported with qualitative interviews from 18 higher education institutions and organizations and with three case studies.

This roadmap synthesizes the important issues and recommended actions drawn from the ECAR study, Safeguarding the Tower: IT Security in Higher Education 2006. When ECAR studied IT security in 2003, we discovered that despite efforts to develop a secure IT infrastructure in higher education, uneven management awareness and a culture that equated good IT security with the curtailment of academic freedom constrained IT security options and choices. The results of this 2006 study of IT security in higher education demonstrate that there has been a sea change in less than three years. This study not only assesses the current condition of IT security practice, but documents changes in practice over time among a constant set of respondents. Among 492 total survey respondents, fully 204 institutions responded to both the 2003 and the 2005 surveys.

This document presents the key findings of the ECAR study, Safeguarding the Tower: IT Security in Higher Education 2006. When ECAR studied IT security in 2003, we discovered that despite efforts to develop a secure IT infrastructure in higher education, uneven management awareness and a culture that equated good IT security with the curtailment of academic freedom constrained IT security options and choices. The results of this 2006 study of IT security in higher education demonstrate that there has been a sea change in less than three years. This study not only assesses the current condition of IT security practice, but documents changes in practice over time among a constant set of respondents. Among 492 total survey respondents, fully 204 institutions responded to both the 2003 and the 2005 surveys. Extraordinary changes in both hard and soft security measures were reported. Nearly one-third of responding institutions now have a chief information security officer, and more than 60 percent of the 2005 respondents have a centralized IT security function.

Successful implementation of an effective information, data, and system "security blanket" for higher education institutions requires recognition of and action upon the cultural, political, and regulatory fronts. Data stewards; policy makers; central and departmental IT staff; and students, faculties, and staff members all have a role to play. This bulletin is based on the research of current IT security literature and on interviews with representatives from multiple campuses. It offers a broad survey of the current nontechnical issues facing higher education as it attempts to secure information assets and systems.

This research bulletin summarizes how Emory University used the results of a security survey of higher education institutions to make important, peer-informed decisions on how to secure and protect its computing environment. It includes an analysis of the statistical information they gathered and details about the security initiatives they implemented after compiling and reviewing survey results.

Information security is a process of business risk management that must be performed on an ongoing basis. It is critical to take an approach to information security that examines the risks and security objectives within the environment in which the organization operates. Any comprehensive approach to information security must include a feedback mechanism that measures the performance of the process so that risks are managed appropriately and determines whether the organization's security objectives are being met. Burton Group (www.burtongroup.com) provides technically in-depth research and advisory services for colleges and universities, government agencies, and commercial enterprises. Burton Group's practical and unbiased research and advice helps technologists make smart IT infrastructure decisions in increasingly complex environments. Burton Group covers directories, identity management, application platforms, architecture, and network and telecom infrastructure topics. Like ECAR, Burton Group is an unbiased advocate for the user and more than 80 percent of Burton Group's clients are user organizations rather than suppliers.

In the spring of 2003, the EDUCAUSE Center for Applied Research (ECAR) launched a major study of IT security in higher education. Nearly 500 colleges and universities responded to the ECAR quantitative survey, and several institutions were profiled in depth. The survey also incorporated IT security surveys from a variety of external sources, making possible interesting comparisons of security practices in academe and out. This study and session also incorporate substantial qualitative information and insights gleaned from detailed case studies of MIT, Indiana University, and the University of Washington.

This presentation was also given at the 2003 ECAR Symposium.

This bulletin examines how higher education is coping with managing information technology security from the policy perspective. It focuses particular attention on policy processes and programs that address the tensions between preserving confidentiality, ensuring data integrity, and maintaining an academic environment in which information is easily available to authorized users.