Date posted: 31-Dec-2015
Connecting the Academic Experience to the Operational Security Needs of Higher Education
Peter M. Siegel
Vice Provost for Information and Educational Technology & CIO, UC-Davis
Co-Chair, EDUCAUSE/Internet2 Security Task Force
Rodney J. Petersen
Government Relations Officer and Security Task Force Coordinator
EDUCAUSE
Higher Ed & Cybersecurity
Through its core mission of teaching and learning, it is the main source of our future leaders, innovators, and technical workforce.
Through research, it is the basic source of much of our new knowledge and subsequent technologies.
As complex institutions, colleges and universities operate some of the world’s largest collections of computers and high-speed networks.
Cybersecurity & Higher Ed
Act I (ECAR Security Survey – 2003)
  Cybersecurity not a priority
  Few dedicated IT security staff
  InfoSec programs in infancy or disarray
Act II (ECAR Security Survey – 2006)
  Vast improvements (2003-2005)
  Emergence of InfoSec profession
  Establishment of robust InfoSec programs
Act III (2007 and beyond)
  Enterprise risk management includes InfoSec
  Focus on Information protection, not just Technology
  Architectural approach to IT security
*EDUCAUSE Center for Applied Research (ECAR)
Intro to Security Task Force
Established in July 2000
Staff Support from EDUCAUSE & Internet2
Leadership from the CIO, CISO, and IT Community
Coordination with Higher Education Associations
  American Council on Education
  Association of American Universities
  National Association of State Universities & Land-Grant Colleges
  American Association of State Colleges and Universities
  National Association of Independent Colleges and Universities
  American Association of Community Colleges
Computer & Network Security: A Resource for Higher Ed http://www.educause.edu/security
Framework for Action
Make IT security a higher and more visible priority in higher education
Do a better job with existing security tools, including revision of institutional policies
Design, develop, and deploy improved security for future research and education networks
Raise the level of security collaboration among higher education, industry, and government
Integrate higher education work on security into the broader national effort to strengthen critical infrastructure
Strategic Goals
The Security Task Force (STF) is implementing a coordinated strategy for computer and network security for higher education. The following strategic goals have been identified:
  Education and Awareness
  Standards, Policies, and Procedures
  Security Architecture and Tools
  Organization and Information Sharing
Education and Awareness
Goal
To increase the awareness of the associated risks of computer and network use and the corresponding responsibilities of higher education executives and end-users of technology (faculty, staff, and students), and to further the professional development of information technology staff.
Programs
  STF Awareness & Training Working Group
  Annual Security Professionals Conference
  SAN-EDU Technical Training for IT Staff
Education & Awareness (cont’d)
Accomplishments
  Leadership Strategies Book on Security (2003)
  ACE Letter to Presidents (2003)
  National Cyber Security Awareness Month (annually in October)
  Cybersecurity Awareness Resource CD (now online)
  Cybersecurity on Campus Executive Awareness Video (2005)
  Computer Security Student Video Contest (2006 and 2007)
  Outreach to Higher Ed Associations and Beyond (2003-present)
Partnerships
  Federal Trade Commission (FTC)
  National Cyber Security Alliance (www.StaySafeOnline.info)
  National Centers of Academic Excellence in IA Education
  SANS
Standards, Policies, & Procedures
Goal
To develop information technology standards, policies, and procedures that are appropriate, enforceable, and effective within the higher education community.
Programs
  STF Policy and Legal Issues Working Group
  STF Risk Assessment Working Group
  EDUCAUSE Washington Office - Public Policy and Government Relations
  EDUCAUSE/Cornell Institute for Computer Policy and Law
Standards, Policies, & Procedures (cont’d)
Accomplishments
  Principles to Guide Efforts to Improve Computer and Network Security in Higher Education (2003)
  Publication of White Paper on “IT Security for Higher Education: A Legal Perspective” (2003)
  Information Security Governance Assessment Tool (2004)
  Risk Assessment Framework (2005)
  Model Security Policies Project (2006)
Partnerships
  Association of College and University Auditors (ACUA)
  National Association of College & University Attorneys (NACUA)
  National Association of College & University Business Officers (NACUBO)
  National Institute for Standards in Technology (NIST)
Security Architecture and Tools
Goal
To design, develop, and deploy infrastructures, systems, and services that incorporate security as a priority; and to employ technology to monitor resources and minimize adverse consequences of security incidents.
Programs
  STF Effective Security Practices Working Group
  Internet2 Security Working Groups
  EDUCAUSE and Internet2 PKI, Middleware, and ID Management Initiatives
Security Architecture & Tools (cont’d)
Accomplishments
  Effective Security Practices Guide (2004 and 2006)
  Effective Security Practices & Solutions (ongoing)
  Whitepaper on Automating Network Policy Enforcement (2004)
  Center for Internet Security Benchmarks (2004 - present)
Partnerships
  The Center for Internet Security
  DHS National Cyber Security Division
  NSF Middleware Initiative
Organization and Information Sharing
Goal
To create the capacity for a college or university to effectively deploy a comprehensive security architecture (people, process, and technology), and to leverage the collective wisdom and expertise of the higher education community.
Programs
  Security Task Force Executive Committee & Leadership Team
  EDUCAUSE Security Discussion Group
  Annual Security Professionals Conference
  Research & Education Networking Information Sharing & Analysis Center (REN-ISAC)
Organization & Info Sharing (cont’d)
Accomplishments
  Security Discussion Group ~ 2,000 subscribers
  REN-ISAC Trusted Communications ~ 200 organizations
  Annual Security Professionals Conference > 400 at Security ’07
  Security Task Force working groups > 100 active volunteers
Partnerships
  International Association of Campus Law Enforcement Administrators (IACLEA)
  ISAC Council
  U.S. Department of Homeland Security U.S. – Computer Emergency Readiness Team (US-CERT)
  Federal Bureau of Investigation – InfraGard Program
  U.S. Secret Service – Electronic Crimes Task Force
Linkages between IA and IT
Higher Ed & Cybersecurity
  IT Operations
  IA Teaching and Learning
  IA Research and Discovery
Creating Linkages between IA educational and research communities with campus IT
  Partnerships for Teaching and Research
  Setting Campus Direction
  Employment
Testimony of IA Graduate
“One of the biggest gaps in IA education can be bridging between the theoretical and practical aspects of security. Practitioners can help reduce the gap by bringing practical experience to the classroom, or acting as mentors while the aforementioned work by the student is performed. IA programs can help the students develop the business language of security. Often information security professionals are well versed in the technologies of security, but are not able to adequately relate the risk equation or impact to business.”
Matthew Dalton (Norwich University, Class of ‘05)
Manager, Security and Privacy
University of Rochester
Sample Partnerships
The George Washington University and University of Rochester have used some IA students as summer interns for special projects
The University of Oklahoma has hired IA students as student employees which helped them secure jobs after graduation
California State University, San Bernardino, has employed IA students in the Information Security Office
The University of Massachusetts, Amherst, has developed a speaker series that brings together students, faculty, and IT operations staff.
Sample Partnerships (cont’d)
Carnegie Mellon University Software Engineering Institute Staff have guest lectured in courses
Indiana University Chief IT Policy Officer has guest lectured on security policies in courses
University at Buffalo Information Security Officer sits on Center’s Advisory Board
Director and Associate Director of the Center at the University at Buffalo sit on ISO’s Information Security Advisory Group
Testimony of Higher Ed ISO
“I work at a large public research University. There is an enormous pool of expertise and great intelligence in the faculty and student population. I try to take advantage of the opportunities I have to tap into that pool to help protect the University programs, infrastructure and data as well as reduce risk to its mission of instruction, research and community service. I'd be crazy not to try very hard to capitalize on the CEISARE and its assets.”
Chuck Dunn
Information Security Officer
University at Buffalo
Sample Partnerships (cont’d)
Cal Poly Pomona has involved students in conducting institutional risk assessments
The University of Texas at San Antonio Center conducted a System-wide IT Security Operational Review for the University of Texas System
Virginia Tech operates a security lab where students can test new software and identify vulnerabilities.
Virginia Tech is working with SANS with faculty and student input to develop a certification for secure coding
Employment Opportunities
Applications Development
Computer Labs
Database Administration
Help Desk
Instructional Design
Network Operations Center
ResNet Technology Classrooms
User Support
Web Design
Security Employment
Chief Information Security Officer
Security Incident Handler
  Handling Abuse Incidents
Security Engineer
Security Analyst
Security Architect
Security Awareness Coordinator
IT Disaster Recovery Manager
Business Continuity Planner
ID Management and Directory Services
Academic Opportunities
Class Projects
  Participation in Student Video Contest
  Conducting Risk Assessments
Independent Studies
  Asset Identification and Classification
Internships
  Information Security Office
Research Studies
  Security Metrics/Effectiveness of Current Efforts
[Insert Your Idea Here]
How We Can Help You
Suggest group projects, class assignments, or topics for study
Provide guest lectures in courses or presentations as part of speaker series
Provide mentoring or career advice for aspiring information security professionals
Serve as faculty for courses and members of advisory committees or review boards
Your Next Steps
Reach out to your campus CIO or CISO and meet to brainstorm possibilities
Structure class projects and assignments to incorporate real life applications
Consider contributing your time and expertise to the EDUCAUSE/Internet2 Security Task Force
Share with your peers creative approaches taken at your institution
Testimony of IA Graduate
“One of the nice things about my program was its tight integration with my employer. At the end of the program, I had developed an enterprise risk assessment of the institution with recommendations for improvement. I would say that depending on the program, there should be a tight integration with either the campus community or the student's employer/community through strong project work, internships, and operational integration.”
Matthew Dalton (Norwich University, Class of ‘05)
Manager, Security and Privacy
University of Rochester
For more information
EDUCAUSE/Internet2 Security Task Force
www.educause.edu/security
703.993.8728
Peter [email protected]
530.752.4998
Rodney [email protected]
202.331-5368