Documents Contributed by ECAR and Security Risk Assessment and Analysis

Information Security Governance: Standardizing the Practice of Information Security

Added by the EDUCAUSE Librarian
Title: Information Security Governance: Standardizing the Practice of Information Security (ID: ERB0817)
Author(s): Tammy L. Clark (Georgia State University) and Toby D. Sitko (EDUCAUSE)
Origin: Documents Contributed by ECAR, Research Bulletins (08/19/2008)
Type: Articles, Papers, and Reports
Abstract:

This ECAR research bulletin discusses the trend to use a variety of risk assessment frameworks and standards to create an information security program that is sufficiently comprehensive for colleges and universities. These standards include the Control Objectives for Information and related Technology (CobiT) IT control framework, the Information Technology Infrastructure Library (ITIL) service management framework, and the set of information control objectives now commonly referred to as ISO 27001. Specifically, it discusses the process of implementing this framework at Georgia State University (GSU). In addition, the bulletin provides a rationale for an information security governance framework that enables executives to see the degree to which their information security programs are effective in assessing and mitigating risks, protecting confidential data, aligning goals with institutional academic and business objectives, and continuously improving over time.

View this resource:
This publication is currently password protected. All faculty, staff, and students from institutions that have subscribed to ECAR at the ECAR Participating, Comprehensive Content, Corporate, and Research Bulletins Package levels are authorized to access this publication by using their EDUCAUSE personal profile.

IT Security Officer Survey

Added by the EDUCAUSE Librarian
Title: IT Security Officer Survey (ID: ESI08B)
Author(s): Marilu Goodyear (University of Kansas)
Origin: Documents Contributed by ECAR, Survey Instruments (04/09/2008)
Type: Surveys
Abstract:

This April 2008 survey is a critical component of the EDUCAUSE Center for Applied Research (ECAR) study of information security officers in higher education. It seeks to understand the important characteristics and career paths of those engaged in day-to-day IT security management in colleges and universities.

Citation for this work: EDUCAUSE Center for Applied Research. "IT Security Officer Survey" (Survey Instrument). Boulder, CO: ECAR, 2008, available from http://www.educause.edu/ecar.


Managing IT Risk in Higher Education: A Methodology

Added by the EDUCAUSE Librarian
Title: Managing IT Risk in Higher Education: A Methodology (ID: ERB0806)
Author(s): Ian D. Waters (University of Technology, Sydney)
Origin: Documents Contributed by ECAR, Research Bulletins (03/18/2008)
Type: Articles, Papers, and Reports
Abstract:

This research bulletin presents a methodology, used successfully at the University of Technology, Sydney (UTS) in Australia, for managing and assessing risks related to information technology systems and resources. It describes the institutional commitment, background, organizational structure, methodology, implementation, and outcomes of an institutionally inclusive risk assessment that yielded valuable results that can be applied in other colleges and universities.

Citation for this work: Waters, Ian. “Managing IT Risk in Higher Education: A Methodology” (Research Bulletin, Issue 6). Boulder, CO: EDUCAUSE Center for Applied Research, 2008, available from http://www.educause.edu/ecar.

View this resource:
This publication is currently password protected. All faculty, staff, and students from institutions that have subscribed to ECAR at the ECAR Participating, Comprehensive Content, Corporate, and Research Bulletins Package levels are authorized to access this publication by using their EDUCAUSE personal profile.

Local IT Security for Colleges, Schools, and Departments: A Higher Education Perspective

Added by the EDUCAUSE Librarian
Title: Local IT Security for Colleges, Schools, and Departments: A Higher Education Perspective (ID: ERB0624)
Author(s): Derek Spransy (Emory University)
Origin: Documents Contributed by ECAR, Research Bulletins (12/05/2006)
Type: Articles, Papers, and Reports
Abstract:

This bulletin discusses some of the lessons learned by the Emory College, Faculty of Arts and Sciences, in developing its information technology security strategy, as well as what other schools grappling with security should consider when implementing a local security strategy. Research in this bulletin is drawn from the experiences of the Emory College, along with interviews of IT lead personnel from five of Emory's graduate and undergraduate schools: the School of Law, the School of Nursing, the School of Medicine, the School of Public Health, and the School of Business.


Most Improved: How Four Institutions Developed Successful IT Security Programs

Added by the EDUCAUSE Librarian
Title: Most Improved: How Four Institutions Developed Successful IT Security Programs (ID: ECS0606)
Author(s): Judith A. Pirani (EDUCAUSE) and Donald Z. Spicer (University System of Maryland)
Origin: Documents Contributed by ECAR, Case Studies (11/03/2006)
Type: Articles, Papers, and Reports
Abstract:

Researchers conducted this in-depth case study to complement the ECAR study, Safeguarding the Tower: IT Security in Higher Education 2006. The case study examines how four higher education institutions improved their information technology security programs since 2003—what they did, why they did it, how they did it, and which practices might be most effective for other institutions that wish to have similar results.


Safeguarding the Tower: IT Security in Higher Education 2006

Added by the EDUCAUSE Librarian
Title: Safeguarding the Tower: IT Security in Higher Education 2006 (ID: ECR0605)
Author(s): Robert B. Kvavik (EDUCAUSE) and John Voloudakis (Huron Consulting Group)
Origin: Documents Contributed by ECAR, Presentations (10/11/2006)
Type: Presentations/Speeches
Abstract:

Presentation at EDUCAUSE 2006, October 9-12, 2006, Dallas, Texas. This presentation summarizes the findings of the EDUCAUSE Center for Applied Research 2006 study of information technology security in higher education.


Safeguarding the Tower: IT Security in Higher Education 2006

Added by the EDUCAUSE Librarian
Title: Safeguarding the Tower: IT Security in Higher Education 2006 (ID: ERS0606)
Author(s): Robert B. Kvavik (EDUCAUSE) and John Voloudakis (Huron Consulting Group)
Origin: Documents Contributed by ECAR, Research Studies (10/12/2006)
Type: Articles, Papers, and Reports
Abstract:

When ECAR studied IT security in 2003, we discovered that despite efforts to develop a secure IT infrastructure in higher education, uneven management awareness and a culture that equated good IT security with the curtailment of academic freedom constrained IT security options and choices. The results of this 2006 study of IT security in higher education demonstrate that there has been a sea change in less than three years. This study not only assesses the current condition of IT security practice, but documents changes in practice over time among a constant set of respondents. Among 492 total survey respondents, fully 204 institutions responded to both the 2003 and the 2005 surveys. Extraordinary changes in both hard and soft security measures were reported. Nearly one-third of responding institutions now have a chief information security officer, and more than 60 percent of the 2005 respondents have a centralized IT security function. The study is supported with qualitative interviews from 18 higher education institutions and organizations and with three case studies.


Safeguarding the Tower: IT Security in Higher Education 2006 Roadmap

Added by the EDUCAUSE Librarian
Title: Safeguarding the Tower: IT Security in Higher Education 2006 Roadmap (ID: ECM0606)
Author(s): Robert B. Kvavik (EDUCAUSE)
Origin: Documents Contributed by ECAR, Roadmaps (10/12/2006)
Type: Articles, Papers, and Reports
Abstract:

This roadmap synthesizes the important issues and recommended actions drawn from the ECAR study, Safeguarding the Tower: IT Security in Higher Education 2006. When ECAR studied IT security in 2003, we discovered that despite efforts to develop a secure IT infrastructure in higher education, uneven management awareness and a culture that equated good IT security with the curtailment of academic freedom constrained IT security options and choices. The results of this 2006 study of IT security in higher education demonstrate that there has been a sea change in less than three years. This study not only assesses the current condition of IT security practice, but documents changes in practice over time among a constant set of respondents. Among 492 total survey respondents, fully 204 institutions responded to both the 2003 and the 2005 surveys.


Safeguarding the Tower: IT Security in Higher Education 2006 – Key Findings

Added by the EDUCAUSE Librarian
Title: Safeguarding the Tower: IT Security in Higher Education 2006 – Key Findings (ID: EKF0606)
Author(s): Judith B. Caruso (University of Wisconsin-Madison)
Origin: Documents Contributed by ECAR, Key Findings (10/12/2006)
Type: Articles, Papers, and Reports
Abstract:

This document presents the key findings of the ECAR study, Safeguarding the Tower: IT Security in Higher Education 2006. When ECAR studied IT security in 2003, we discovered that despite efforts to develop a secure IT infrastructure in higher education, uneven management awareness and a culture that equated good IT security with the curtailment of academic freedom constrained IT security options and choices. The results of this 2006 study of IT security in higher education demonstrate that there has been a sea change in less than three years. This study not only assesses the current condition of IT security practice, but documents changes in practice over time among a constant set of respondents. Among 492 total survey respondents, fully 204 institutions responded to both the 2003 and the 2005 surveys. Extraordinary changes in both hard and soft security measures were reported. Nearly one-third of responding institutions now have a chief information security officer, and more than 60 percent of the 2005 respondents have a centralized IT security function.


Making Business Sense of Information Security

Added by the EDUCAUSE Librarian
Title: Making Business Sense of Information Security (ID: ERS0601)
Author(s): Daniel Blum (Burton Group)
Origin: Documents Contributed by ECAR, Research Studies (03/21/2006)
Type: Articles, Papers, and Reports
Abstract:

A well-managed security program starts at the top and must provide strong governance, business risk management, auditing, and control processes. This Burton Group study proposes a security technology vision whose key components are flexible and fine-grained zoning, more trustworthy systems, Internet identity, better-protected service-oriented architectures, advanced content control, trust frameworks, and an organization-wide control system for information protection. Burton Group (www.burtongroup.com) provides technically in-depth research and advisory services for colleges and universities, government agencies, and commercial enterprises. Burton Group's practical and unbiased research and advice helps technologists make smart IT infrastructure decisions in increasingly complex environments. Burton Group covers directories, identity management, application platforms, architecture, and network and telecom infrastructure topics. Like ECAR, Burton Group is an unbiased advocate for the user and more than 80% of Burton Group's clients are user organizations rather than suppliers.

View this resource:
This publication is currently password protected. All faculty, staff, and students from institutions that have subscribed to ECAR at the ECAR Participating, Comprehensive Content, Corporate, and Research Studies Package levels are authorized to access this publication by using their EDUCAUSE personal profile.