EDUCAUSE | Security Task Force Announcements

Security is Number One IT Issue According to 2008 Current Issues Survey Report

vvogel — Thu, 29 May 2008 18:02:05 -0500

EDUCAUSE has published the results of the 2008 Current Issues Survey, and this year Security edged out Funding IT as the top strategic challenge.

The latest EDUCAUSE Quarterly article, "Current Issues Survey Report, 2008", states:

It is no wonder that IT security has again emerged as the top strategic issue for colleges and universities given the increasing amount of critical data and new services that are available electronically and need to be protected. The persistence of security incidents and reported data breaches, and a growing number of compliance requirements including security-related state and federal regulations and contractual obligations, make this a central and acute concern of all IT organizations, no matter their institutions' sizes and missions. College and university personnel have a daunting task to ensure the security of information resources while operating within a culture of openness and decentralization. In addition, the changing nature of the threats continues to challenge IT organizations.

The article goes on to suggest security issues that institutions need to address. Security-related resources are available as part of the 2008 Current Issues Resources.

Security Task Force Submits Comments on Proposed FERPA Rules

vvogel — Thu, 29 May 2008 17:38:33 -0500

The EDUCAUSE/Internet2 Security Task Force recently commented on the "Recommendations for Safeguarding Education Records". The Family Educational Rights and Privacy Act (FERPA) has never contained regulations related to the security of student education records, although it is implied as a necessary safeguard to help keep student education records private. The department chose to include in this Notice some recommendations that included references to guidance issued by the National Institute of Standards in Technology (NIST) and the Office of Management and Budget (OMB). While the Security Task Force shared the department's concerns about cybersecurity, it was concerned that focus on government approaches may be misinformed and encouraged the department to consider resources developed by the task force (e.g., see Effective IT Security Practice Guide). The task force further cautioned the department that "the inclusion of recommended safeguards causes considerable confusion about the department's intentions and future plans."

See Rodney Petersen's blog for additional details. To review the full comments of ACE and the Security Task Force, see:

Help Promote the 2009 Computer Security Awareness Student Poster & Video Contest

vvogel — Thu, 01 May 2008 17:29:42 -0500

The EDUCAUSE/Internet2 Computer and Network Security Task Force, in cooperation with the ResearchChannel, is conducting its third annual contest in search of computer security awareness posters and short videos developed by college students for college students. The contest, which is co-sponsored by the National Cyber Security Alliance (NCSA) and CyberWATCH, offers cash prizes ($1,000, $800 and $400) to the winners in each of the four categories. It also provides an opportunity for students to gain experience by developing creative and effective short videos or posters. The deadline for submission of entries is April 30, 2009.

Winning entries will be exhibited on the ResearchChannel web site, heavily promoted during National Cyber Security Awareness month in October, and may be used in your own campus security awareness campaigns. Previous year’s winners gained national recognition in online publications such as Network World, Information Week, Campus Technology, and ZDNet Education.

You can help promote this contest by posting the flyer that is available from the contest website. On this site you will also find materials such as message templates and suggestions for how to publicize the contest to both students and faculty. We encourage you to announce the contest on your campus at this time and then again in the fall (we will remind you). A spring announcement would give students an opportunity to work on entries over the summer and for faculty to include it in plans for the fall semester if they so choose.

For more details and the complete contest rules, visit http://www.educause.edu/SecurityVideoContest2009, where you will also find links to previous winners’ videos. Additional inquiries can be directed to the Security Task Force staff at 202-872-4200 or e-mail, security-video@educause.edu.

Baker College Takes First Place in the 2008 National Collegiate Cyber Defense Competition (NCCDC)

vvogel — Thu, 24 Apr 2008 10:55:05 -0500

Congratulations to Baker College (Flint, Michigan) on winning the third annual National Collegiate Cyber Defense Competition! After competing for the last three years, the Baker College team finally made it past the regional level to beat the 2007 winners from Texas A&M University.

The competition is a three day event hosted by the University of Texas at San Antonio's Center for Infrastructure Assurance and Security, a cybersecurity research and education center. Students have the opportunity to test their knowledge of network infrastructure management and protection in an operational environment. The competition also provides students with a chance to interact and discuss the security and operational challenges they will face upon entering the job market.

FireEye Joins Internet2 to Participate in High-Performance Network Security and Malware Analysis Initiatives

vvogel — Wed, 26 Mar 2008 09:28:23 -0500

FireEye, Inc., a leader in global anti-botnet protection, announced that it has joined Internet2 as a corporate member. FireEye plans to collaborate with the Internet2 community on advanced network security projects involving high-performance network security and next- generation malware analysis In addition, FireEye and Internet2 will host a joint webinar titled "Botnet Incident Response" on April 2, 2008. FireEye's chief security content officer Dr. Fengmin Gong will also present "Scaling Security Analysis vs. Next-Gen Botnet Malware Using VM-Based Analysis" at the Spring Internet2 Member Meeting on April 21-23 in Arlington, Va. Harold Stonebraker, a security investigator at FireEye, will present "Incident Response and Network Forensics: Avoiding Common IR Errors".

While emerging network technologies will be used by legitimate organizations to drive innovation, they may also be exploited by criminals and their botnets to conduct illicit activities. As such, FireEye continues to advance its anti-botnet security technologies for the next-generation Internet. As a corporate member of Internet2, FireEye will collaborate with higher education institutions and researchers to investigate how anti-botnet protections can be incorporated into the design of next-generation Internet technologies.

Read the full press release or learn more about Internet2's security initiative.

Security Task Force Provides Briefing to CSIS Commission on Cyber Security for the 44th Presidency

vvogel — Wed, 26 Mar 2008 10:01:41 -0500

The EDUCAUSE/Internet Security Task Force provided a briefing to the CSIS Commission on Cyber Security for the 44th Presidency on March 12, 2008, during the event "Improving Cybersecurity: Recommendations from Private Sector Experts". A 1-page summary of the briefing is available, as well as the complete transcript.

New Risk Assessment Resources Available

vvogel — Fri, 14 Mar 2008 11:57:10 -0500

The Security Task Force Risk Assessment Working Group wishes to inform higher education information security practioners of a few recent resource updates which are now available from the Risk Management section of the IT Security Guide.

The Information Security Risk Assessment Consultants list provides a listing of vendors known to have conducted some form of IS risk assessment for at least one higher education institution. The only way a vendor can get onto this list is to be placed there by an EDUCAUSE member institution that has engaged the consultant. Each entry on this list provides a link to the institution which has provided the vendor reference. The list can be a starting place for schools that are seeking a consultant; referencing institutions may be willing to provide additional information about the vendor and the consulting engagement when asked.

The list of Risk Assessment Tools provides links to various tools which can aid with a risk assessment. The tools are a mix of some sold or licensed by vendors, some provided by colleague institutions, and some from associations or standards groups.

The existing PDF version of the Information Security Governance (ISG) Self Assessment Tool for Higher Education has been enhanced by the addition of a Microsoft Excel version which (1) separates each section onto individual worksheets for increased flexibility of analysis and entry and (2) provides for automatic summarization on the separate scoring worksheet.

We hope you find this information useful. If you are able to provide additional information or references for the Risk Assessment Consultants list or the Risk Assessment Tools list, please send an e-mail to the Security Task Force.

National Campus Safety and Security Project Launched

vvogel — Thu, 21 Feb 2008 16:41:19 -0600

EDUCAUSE has joined with NACUBO and several other higher education associations to launch a national campus safety and security project. The project team will conduct an 18-month study that will examine threats of every nature facing colleges and universities and develop guidelines for campus emergency management plans for prevention, preparedness, response, and recovery. Mark Luker, vice president of EDUCAUSE, underscores the importance of addressing campus threats through a multi-organizational effort: "EDUCAUSE, for example, has investigated cyber security and assisted institutions in solving related problems. Expanding on our past efforts in the most meaningful way to colleges and universities requires more of an enterprise approach. We’re looking forward to this opportunity to integrate the concerns and work of EDUCAUSE with those of our partners in the higher education community who represent other components of campus life."

E07 Video & Podcast: "Bruce Schneier on Information Security: Ten Trends"

vvogel — Thu, 29 Nov 2007 16:51:51 -0600

Watch the video or listen to the podcast of Bruce Schneier's recent keynote speech, "Bruce Schneier on Information Security: Ten Trends", which was delivered at the EDUCAUSE 2007 Annual Conference in Seattle, Washington on October 26, 2007.

You can also hear a 14 minute interview with Bruce Schneier. Listen in as he shares some insightful words about privacy along with interesting commentary about ethics, cybersecurity, and blogging.

A Security Checklist for ERP Implementations

vvogel — Mon, 26 Nov 2007 11:36:46 -0600

A study of ERP security issues produced a checklist that shows institutions what to look for while letting vendors know what campuses consider important. Learn more about this in the recent EDUCAUSE Quarterly article, "A Security Checklist for ERP Implementations" by former Security Task Force co-chair Joy R. Hughes and co-author Robert Beer.