Incident Handling and Response and Security Planning

The annual Campus Computing Survey focuses on IT security and crisis management, finding gaps in preparation but fewer attacks on networks.

The focus on information security at Embry-Riddle Aeronautical University, as in many institutions, has evolved gradually over a number of years. Beginning with what can best be described as ad hoc initiatives driven by afterthought oversight, the university's focus on information security is maturing into a formalized, integrated business component and directive.

During the fall 2003 and spring 2004 semesters, Illinois State University (like most other higher educational institutions) experienced several major network and email based virus outbreaks that disrupted network availability for faculty, staff, and students alike. In response, the networking group was instructed by the Associate VP for Technology in October 2003 to develop a plan to address the shortcomings of the current network environment. The goal was to prevent these outbreaks from recurring and provide the most effective approach to deal with future threats. Researched, developed, and approved over the course of the 2004 calendar year, the ISUnet Security Enhancement Plan is the result.

The EDUCAUSE/Internet2 Security Task Force Model Policy Subgroup will survey its model security policy wiki, an inventory of policy samples, organized around 10 industry standard topics. This session will drill down on decision points in four custom models: security management, data classification, incident response, and security planning.

Information security is a process of business risk management that must be performed on an ongoing basis. It is critical to take an approach to information security that examines the risks and security objectives within the environment in which the organization operates. Any comprehensive approach to information security must include a feedback mechanism that measures the performance of the process so that risks are managed appropriately and determines whether the organization's security objectives are being met. Burton Group (www.burtongroup.com) provides technically in-depth research and advisory services for colleges and universities, government agencies, and commercial enterprises. Burton Group's practical and unbiased research and advice helps technologists make smart IT infrastructure decisions in increasingly complex environments. Burton Group covers directories, identity management, application platforms, architecture, and network and telecom infrastructure topics. Like ECAR, Burton Group is an unbiased advocate for the user and more than 80 percent of Burton Group's clients are user organizations rather than suppliers.