Contributed by the Security Task Force

The purpose of this toolkit is to provide resources for business continuity and disaster recovery planning, including guides, templates, examples and tips.  The information provided herein is intended to be of value in the development, testing, enactment and revising of business continuity efforts. This Business Continuity Planning and Disaster Recovery toolkit is an ongoing work in progress.  As new resources are developed and best practices shift, updated information will be provided here.

The purpose of this policy template is to ensure that risks to University information are identified, analyzed, and managed so that they are maintained at acceptable levels. Risks to the confidentiality, integrity, and availability of university information are considered.

• This plan was adapted from the University of Colorado System’s “IT Security Program Strategic Plan for 2007-2008.”
• The purpose of this sample plan is to establish a formal IT Security Program for your institution.
• The intended audience for this plan is your executive leadership, up to and including board members and external constituents where appropriate.

The Risk Assessment Consultants List is intended as an aid to schools seeking a place to start looking for risk assessment vendors. It provides links to referencing institutions which may be able to provide additional information regarding specific consulting engagements. Note: The only way a vendor can get onto this list is to be placed there by an EDUCAUSE member institution that has engaged the consultant.

The Security Task Force Risk Assessment Working Group has developed this list of Risk Assessment tools which can aid with a risk assessment. The tools are a mix of some sold or licensed by vendors, some provided by colleague institutions, and some from associations or standards groups. This list does not contain any comparative or value judgment information regarding the tools. It merely provides the list as a starting point for the product-seeking process.

This "Briefing to CSIS Commission on Cyber Security for the 44th Presidency" By Rodney Petersen and Jack Suess on behalf of the EDUCAUSE/Internet2 IT Security Task Force was presented to the Commission on Cyber Security for the 44th Presidency. The agenda was "Improving Cybersecurity: Recommendations from Private Sector Experts".

This guide will assist organizations and system owners in making practical sanitization decisions based on the level of confidentiality of their information. It does not, and cannot, specifically address all known types of media; however, the described sanitization decision process can be applied universally. It should also be noted that Title 40 USC advises system owners and custodians that excess equipment is "Educationally useful" and "Federal equipment is a vital national resource." Wherever possible, excess equipment and media should be made available to schools and non-profit organizations to the extent permitted by law.

These are the regulations governing the use, transfer, and storage of electronic information are changing. Federal regulations (HIPAA, GLBA, and FERPA) require that guidelines be established to ensure that protected information is securely removed from electronic data storage media, prior to its reuse, transfer, or disposal.

This is the final report for the 2007 NSF Cybersecurity Summit, held February 22 & 23rd, 2007, in Arlington, VA.

The author explains his change of views on the usefulness of security certifications.

The Security Certified Program offers certifications in Security Certified Network Specialist (SCNS), Security Certified Network Professional (SCNP), and Security Certified Network Architect (SCNA).

The RSA Certified Security Professional Program offers technology professionals the knowledge, skills, and credentials necessary to deploy and maintain reliable enterprise security systems.

This security certification provides advanced skills in using Red Hat Enterprise Linux, SELinux, and Red Hat Directory Server.

This web site provides information about the Microsoftt Certified Systems Engineer (MCSE) program for security candidates on the Microsoft Windows Server 2003 track.

CompTIA Security Certification provides knowledge of communication security, infrastructure security, cryptography, operational security, and general security concepts. It is an international, vendor-neutral certification that is taught at colleges, universities and commercial training centers around the world.