Security Implementation

In late 2005, the Security Review Policy was adopted by the University, which states "Where appropriate, information security personnel will conduct risk assessments of technologies/processes that are being evaluated and/or used at Georgia State University. The purpose of these assessments is to quantify the impact and probability of potential threats and vulnerabilities.

GSU's CIO sponsored the ISO 27001 certification initiative at Georgia State University in mid 2007 and the Information Security Department and Office of Disbursements were the first GSU departments to be included. We were successful in obtaining the certification in March 2008, which is a very prestigious achievement given that our university is one of the first (if not the first) in the nation to be awarded this
international designation.

The multifaceted aspects of security programs become clearer with the creation and collection of appropriate metrics.

In 2005, the University of Notre Dame suffered a serious incident that brought information security into the campus spotlight. In response, we partnered with a Big Four consulting firm to conduct a comprehensive IT risk assessment. Two years later, we're halfway through a four-year risk management program.

Windows desktops are widely deployed and can be subject to multiple attack vectors. Windows XP and Vista have vulnerabilities that need to be mitigated effectively by security teams or by end users. This session will cover the top security vulnerabilities in Windows desktops and how to secure them quickly and effectively, along with the tools to use.

In 2006, the University of Texas System launched a system-wide initiative to bolster information security. The process involves following an implementation roadmap and answering four fundamental questions: What's happening? What's important? What's effective? What's next? The purpose of this session is to share the roadmap and answers the questions.

Baylor University has spent two years working on a large-scale deployment of whole disk encryption. The session will present the process from selecting the encryption technology to the culminating deployment process. The result is mediation of data loss that can result from the loss or theft of a technology asset.

One of the first decisions facing campuses that have decided to deploy a PKI is whether to build their PKI in house, with the necessary personnel and infrastructure it entails, or to buy their PKI from a vendor, which can have a seemingly high sticker price. What are the driving factors behind this decision? How do you accurately assess all costs, both short- and long-term? How do you measure the benefits/ROI of a given choice? What signing options should you consider? Come to this session to participate in a discussion with panelists who have made decisions in each of these directions.

Deploying PKI can be complex and tricky, but more and more campuses are solving the technical and logistical problems and reporting positive outcomes. This session will feature representatives from three campuses where PKI has been successfully rolled out. They'll tell you how they did it.