Security Policies

This ECAR research bulletin discusses the trend to use a variety of risk assessment frameworks and standards to create an information security program that is sufficiently comprehensive for colleges and universities. These standards include the Control Objectives for Information and related Technology (CobiT) IT control framework, the Information Technology Infrastructure Library (ITIL) service management framework, and the set of information control objectives now commonly referred to as ISO 27001. In specific, the process of implementing this framework at Georgia State University (GSU) is discussed. In addition, the bulletin provides a rationale for an information security governance framework that enables executives to see the degree to which their information security programs are effective in assessing and mitigating risks, protecting confidential data, aligning goals with institutional academic and business objectives, and continuously improving over time.

The multifaceted aspects of security programs become clearer with the creation and collection of appropriate metrics.

This April 2008 survey is a critical component of the EDUCAUSE Center on Applied Research (ECAR) study of information security officers in higher education. It seeks to understand the important characteristics and career paths of those engaged in day-to-day IT security management in colleges and universities.

Citation for this work: EDUCAUSE Center for Applied Research. "IT Security Officer Survey" (Survey Instrument). Boulder, CO: ECAR, 2008, available from http://www.educause.edu/ecar.

This research bulletin presents a methodology, used successfully at the University of Technology, Sydney (UTS) in Australia, for managing and assessing risks related to information technology systems and resources. It describes the institutional commitment, background, organizational structure, methodology, implementation, and outcomes of an institutionally inclusive risk assessment that yielded valuable results that can be applied in other colleges and universities.

Citation for this work : Waters, Ian. “Managing IT Risk in Higher Education: A Methodology” (Research Bulletin, Issue 6). Boulder, CO: EDUCAUSE Center for Applied Research, 2008, available from http://www.educause.edu/ecar.

Recognizing that an incident response policy is only as good as the procedures that support it, Dartmouth College developed its approach to incident response from the bottom up. This session will highlight the advantages of establishing procedures first and policy second when it comes to incident response planning.

The E-Government Act of 2002 (Public Law 107-347), recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA), tasked NIST with responsibilities for standards and guidelines, including the development of:
- Standards to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;
- Guidelines recommending the types of information and information systems to be included in each category; and
- Minimum information security requirements (i.e., management, operational, and technical controls), for information and information systems in each such category.

Unsure how all the parts of an identity management system fit together and would like to know more? This non-technical, preworkshop seminar offers a functional model of the campus infrastructure and provide attendees a chance to view it through the technology, policy, and business process lenses. Topics covered include technology model, lifecycle of identity, and policy frameworks and governance.