Incident Handling and Response and Research Bulletins

This ECAR research bulletin discusses the trend to use a variety of risk assessment frameworks and standards to create an information security program that is sufficiently comprehensive for colleges and universities. These standards include the Control Objectives for Information and related Technology (CobiT) IT control framework, the Information Technology Infrastructure Library (ITIL) service management framework, and the set of information control objectives now commonly referred to as ISO 27001. In specific, the process of implementing this framework at Georgia State University (GSU) is discussed. In addition, the bulletin provides a rationale for an information security governance framework that enables executives to see the degree to which their information security programs are effective in assessing and mitigating risks, protecting confidential data, aligning goals with institutional academic and business objectives, and continuously improving over time.

This ECAR research bulletin suggests a framework to provide resiliency in higher education by placing such considerations up front in the evaluation, selection, and design of information technology (IT) services and building them into the business practices of the institution. Resiliency is the product of technology, people, and processes that minimize the impact of an event and make transparent that which would otherwise adversely disrupt the normal operation of services for students, faculty, or staff.

In August 2006, EDUCAUSE brought together a group of thought leaders from higher education and the private sector to explore and share effective strategies and behaviors on the important topic of business continuity in higher education. One of these leaders is Catherine Lewis, the information technology administrator who led New Orleans–based Xavier University through the August 2005 disaster of Hurricane Katrina and helped restore academic continuity for the institution. Lewis shares her perspective and insights in the form of this research bulletin.

This bulletin discusses some of the lessons learned by the Emory College, Faculty of Arts and Sciences, in developing its information technology security strategy, as well as what other schools grappling with security should consider when implementing a local security strategy. Research in this bulletin is drawn from the experiences of the Emory College, along with interviews of IT lead personnel from five of Emory's graduate and undergraduate schools: the School of Law, the School of Nursing, the School of Medicine, the School of Public Health, and the School of Business.

Successful implementation of an effective information, data, and system "security blanket" for higher education institutions requires recognition of and action upon the cultural, political, and regulatory fronts. Data stewards; policy makers; central and departmental IT staff; and students, faculties, and staff members all have a role to play. This bulletin is based on the research of current IT security literature and on interviews with representatives from multiple campuses. It offers a broad survey of the current nontechnical issues facing higher education as it attempts to secure information assets and systems.

This research bulletin summarizes how Emory University used the results of a security survey of higher education institutions to make important, peer-informed decisions on how to secure and protect its computing environment. It includes an analysis of the statistical information they gathered and details about the security initiatives they implemented after compiling and reviewing survey results.

At many higher education institutions, casual staffing arrangements are no longer adequate to handle the myriad technical, procedural, and cultural issues surrounding information technology security. For ECAR's 2003 study, "Information Technology Security: Governance, Strategy, and Practice in Higher Education," researchers conducted intensive telephone interviews with more than 30 IT and functional executives, managers, and security officers at more than 20 selected EDUCAUSE institutions. This research bulletin explores, in depth, the issue of IT staffing as reflected by several chief information officers and IT security officers who participated in the ECAR study.

This bulletin examines how higher education is coping with managing information technology security from the policy perspective. It focuses particular attention on policy processes and programs that address the tensions between preserving confidentiality, ensuring data integrity, and maintaining an academic environment in which information is easily available to authorized users.