Incident Handling and Response and Documents Contributed by ECAR

This ECAR research bulletin discusses the trend to use a variety of risk assessment frameworks and standards to create an information security program that is sufficiently comprehensive for colleges and universities. These standards include the Control Objectives for Information and related Technology (CobiT) IT control framework, the Information Technology Infrastructure Library (ITIL) service management framework, and the set of information control objectives now commonly referred to as ISO 27001. In specific, the process of implementing this framework at Georgia State University (GSU) is discussed. In addition, the bulletin provides a rationale for an information security governance framework that enables executives to see the degree to which their information security programs are effective in assessing and mitigating risks, protecting confidential data, aligning goals with institutional academic and business objectives, and continuously improving over time.

This ECAR research bulletin suggests a framework to provide resiliency in higher education by placing such considerations up front in the evaluation, selection, and design of information technology (IT) services and building them into the business practices of the institution. Resiliency is the product of technology, people, and processes that minimize the impact of an event and make transparent that which would otherwise adversely disrupt the normal operation of services for students, faculty, or staff.

This July 2007 survey is part of a study of identity management and information technology (IT) security in higher education sponsored by CAUDIT in Australasia, by EUNIS in Europe, and by the EDUCAUSE Center for Applied Research (ECAR) in North America. Data from this study will form the basis of a report designed to help institutions position themselves in these evolving areas. Identity management refers to the business processes and infrastructure required to support the use of digital identities. Identity management is not the same as, but is related to, IT security, another top concern of IT leaders in higher education. The survey focuses on the key functions of establishing identity, user authentication, and authorization, as well as supporting infrastructures such as enterprise directory, reduced/single sign-on, and federated identity.

In August 2006, EDUCAUSE brought together a group of thought leaders from higher education and the private sector to explore and share effective strategies and behaviors on the important topic of business continuity in higher education. One of these leaders is Catherine Lewis, the information technology administrator who led New Orleans–based Xavier University through the August 2005 disaster of Hurricane Katrina and helped restore academic continuity for the institution. Lewis shares her perspective and insights in the form of this research bulletin.

This study looks at IT unit readiness to foster and support the functioning of colleges and universities that are challenged by disruption. Responding to a well-documented increase of interest in business continuity and disaster recovery issues among higher education CIOs, ECAR designed the study to inform executives about how institutions approach continuity issues and to identify practices that are associated with good BC outcomes. The study methodology included a literature review; consultation with a select group of CIOs and BC experts for the purpose of identifying and validating research questions; a quantitative survey of IT administrators (mostly CIOs) at 340 higher education institutions; post-survey interviews with 15 executives and IT staff members involved in BC; a quantitative survey of institutional business officers (mostly CBOs/CFOs) at 247 member institutions of the National Association of College and University Business Officers (NACUBO); and four case studies looking at BC planning and operations Florida State University, New York University, Pace University, UC–Davis, and UCLA.

This document presents the key findings of the 2007 ECAR study, Shelter from the Storm: IT and Business Continuity in Higher Education. The study looks at IT unit readiness to foster and support the functioning of colleges and universities that are challenged by disruption. Responding to a well-documented increase of interest in business continuity and disaster recovery issues among higher education chief information officers (CIOs), ECAR designed the study to inform executives about how institutions approach continuity issues and to identify practices that are associated with good business continuity outcomes.

This roadmap synthesizes the important issues and recommended actions drawn from the 2007 ECAR study, Shelter from the Storm: IT and Business Continuity in Higher Education. The study looks at IT unit readiness to foster and support the functioning of colleges and universities that are challenged by disruption. Responding to a well-documented increase of interest in business continuity and disaster recovery issues among higher education chief information officers (CIOs), ECAR designed the study to inform executives about how institutions approach continuity issues and to identify practices that are associated with good business continuity outcomes.

This bulletin discusses some of the lessons learned by the Emory College, Faculty of Arts and Sciences, in developing its information technology security strategy, as well as what other schools grappling with security should consider when implementing a local security strategy. Research in this bulletin is drawn from the experiences of the Emory College, along with interviews of IT lead personnel from five of Emory's graduate and undergraduate schools: the School of Law, the School of Nursing, the School of Medicine, the School of Public Health, and the School of Business.

This case study examines ways in which the Virginia Alliance for Secure Computing and Networking (VA SCAN) provides a blueprint for higher education institutions interested in collaboratively providing openly accessible IT security resources. VA SCAN is a partnership among five Virginia state higher education institutions and three IT security research programs that provide a repository of IT security tools, training, and consultative services to Virginia higher education institutions. All of the resources are available for free or on a cost-recovery basis. The case study was undertaken as part of ECAR's 2006 study of information technology security practices in higher education, which included a literature review, quantitative and qualitative date from 492 higher education institutions in the U.S. and Canada, input from IT security leaders and specialists, and three case studies.

This case study examines Baylor University's risk assessment program for information technology security, which was established in the face of the escalating demands that security places on information technology organizations. The case study was undertaken as part of ECAR's 2006 study of information technology security practices in higher education, which included a literature review, quantitative and qualitative date from 492 higher education institutions in the U.S. and Canada, input from IT security leaders and specialists, and three case studies.