Date post: 12-Jan-2016
Page 1: EDUCAUSE Center for Applied Research Security Survey Rodney Petersen Government Relations Officer Security Task Force Coordinator EDUCAUSE.

EDUCAUSE Center for Applied Research Security Survey

Rodney Petersen

Government Relations Officer

Security Task Force Coordinator

EDUCAUSE

Page 2

Research Methodology

Literature review of material published from 2003 to 2005, with the intent of identifying issues of concern to the higher education community and creating additional hypotheses to test

Consultation with security experts, including members of the EDUCAUSE/Internet2 Computer and Network Security Task Force, and IT leaders at 17 higher education institutions

A quantitative web-based survey first used in 2003 was modified to reflect changes in technologies and practices; 492 higher education institutions responded to the survey

A longitudinal analysis compared the survey findings with those from ECAR's 2003 study; 204 institutions responded to both surveys, and that population was used to perform the comparison

Page 3

ECAR IT Security Study

The Headlines You Won't Read in the Chronicle of Higher Ed or New York Times: The respondents feel more secure today than two years ago despite being in a perceived riskier environment.

Respondents feel that the academic community has become more sensitive to security and privacy in the last two years.

ECAR IT Security Study, 2006

Page 4

IT Security Incidents

Ten percent of the respondents in our survey indicated that they had an IT security incident in the last twelve months which had been reported to the press (down from 19 percent in 2003).

A majority of institutions (74.2 percent) report that the number of incidents in the past twelve months is about the same as or less than in the year before.

The primary perceived risks are viruses (72.6 percent), theft of personal financial information (64.8 percent), and spoofing and spyware (55.3 percent).

ECAR IT Security Study, 2006

Page 5

Blueprint for Handling Data

Step 1: Create a security risk-aware culture that includes an information security risk management program
Step 2: Define institutional data types
Step 3: Clarify responsibilities and accountability for safeguarding confidential/sensitive data
Step 4: Reduce access to confidential/sensitive data not absolutely essential to institutional processes
Step 5: Establish and implement stricter controls for safeguarding confidential/sensitive data
Step 6: Provide awareness and training
Step 7: Verify compliance routinely with your policies and procedures

Page 6

Step 1: Risk Aware Culture

1.1 Institution-wide security risk management program

1.2 Roles and responsibilities defined for overall information security at the central and distributed level

1.3 Executive leadership support in the form of policies and governance actions

Page 7

Risks Incurred

ECAR IT Security Study, 2006

Damage | Percent
Business application, including e-mail, unavailable | 33.7%
Network unavailable | 29.4%
Information confidentiality compromised | 26.0%
Damage to software | 21.5%
Damage to data | 12.5%
Negative publicity in the press | 10.0%
Identity theft | 8.4%
Damage to hardware | 7.4%
Financial losses | 6.4%

Page 8

Risk Assessment

Risk assessments performed | Frequency | Percent
No risk assessments done | 208 | 42.6%
For some institutional data and asset types | 226 | 46.3%
For all institutional data and asset types | 42 | 8.6%
Don't know | 12 | 2.5%
Total | 488 | 100.0%

ECAR IT Security Study, 2006

Page 9

Responsibility for IT Security

Position | Percent responsible in 2005 | Percent responsible in 2003 | Percent new adopters | Rate of change 2003-2005
IT security officer (or equivalent) | 34.9% | 22.4% | 12.5% | 55.8%
CIO (or equivalent) | 14.3% | 6.7% | 7.6% | 113.4%
Director of administrative computing | 2.7% | 3.2% | -0.5% | -15.6%
Director of academic computing | 1.2% | 1.8% | -0.6% | -33.3%
Other academic management | 0.6% | 1.2% | -0.6% | -50.0%
Other administrative management | 0.6% | 3.2% | -2.6% | -81.3%
Other IT management | 23.9% | 30.9% | -7.0% | -22.7%
Director of networking | 21.8% | 30.6% | -8.8% | -28.8%

ECAR IT Security Study, 2006

Page 10

IT Security Staffing

Less than one percent of respondents expected a staff decrease, while 50.2 percent expected no change, 24.4 percent expected to add one staff member, and 7.7 percent expected to add two or more.

A sea change has occurred in two years with respect to the operational staffing structure for central IT security. One quarter of the 204 institutions that responded to both the 2003 and 2005 studies have moved to centralize security in the IT organization; the rate of change was 59.7 percent.

ECAR IT Security Study, 2006

Page 11

Centralization

Staffing structure | 2005 percent | 2003 percent | Percent change | Rate of change
One central IT security unit/function | 61.8% | 38.7% | 23.1% | 59.7%
Spread across multiple central IT units/functions | 32.7% | 58.2% | -25.5% | -43.8%
Other | 5.5% | 3.1% | 2.4% | 77.4%

ECAR IT Security Study, 2006

Page 12

IT Security Certification

Certificate | Percent held in 2005 | Percent held in 2003 | Percent new holders | Rate of change 2003-2005
Certified Information Systems Security Professional (CISSP) | 20.8% | 12.4% | 8.4% | 67.7%
Global Information Assurance Certification (GIAC) | 6.8% | 2.6% | 4.2% | 161.5%
Certified Information Systems Auditor (CISA) | 3.2% | 1.5% | 1.7% | 113.3%

ECAR IT Security Study, 2006

Page 13

Change in Barriers

Barrier | 2005 | 2003 | Institutional change | Rate of change
Lack of awareness | 35.8% | 50.5% | -14.7% | -29.1%
Culture of decentralization | 29.9% | 37.3% | -7.4% | -19.8%
Lack of enforcement of policies | 13.2% | 20.1% | -6.9% | -34.3%
Absence of policies | 22.1% | 27.0% | -4.9% | -18.1%
Lack of senior management support | 13.2% | 17.2% | -4.0% | -23.3%
Lack of resources | 68.1% | 71.6% | -3.5% | -4.9%
Technology issues | 7.4% | 8.8% | -1.4% | -15.9%
Privacy of the individual | 4.4% | 4.4% | 0.0% | 0.0%

ECAR IT Security Study, 2006

Page 14

Step 2: Define Data Types

2.1 Compliance with applicable federal and state laws and regulations, as well as contractual obligations, related to privacy and security of data held by the institution (also consider applicable international laws)

2.2 Data classification schema developed with input from legal counsel and data stewards

2.3 Data classification schema assigned to institutional data to the extent possible or necessary

Page 15

Policies in Place

Protection of organizational assets (73%)

Data classification, retention, and destruction (51%)

Identity Management (50%)

ECAR IT Security Study, 2006

Page 16

Step 3: Clarify Responsibilities

3.1 Data stewardship roles and responsibilities

3.2 Legally binding third party agreements that assign responsibility for secure data handling

ECAR IT Security Study, 2006

Page 17

Policies in Place

Individual employee responsibilities for information security practices (73%)

Sharing, storing, and transmitting data (51%)

ECAR IT Security Study, 2006

Page 18

Step 4: Reduce Access to Data

4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information

4.2 Application outputs (e.g., queries, hard copy reports, etc.) should provide only the minimum necessary confidential/sensitive information

4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices

4.4 Eliminate unnecessary confidential/sensitive data on servers, desktops, and mobile devices

4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication
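Steps 4.3 through 4.5 call for inventorying confidential data before eliminating it, and SSNs are the usual first target. The scanner below is an added example written for this page, not part of the ECAR study or the EDUCAUSE blueprint. It walks a directory tree, counts values shaped like NNN-NN-NNNN or nine bare digits, discards numbers the Social Security Administration never issues (area 000, 666 or 900 and above; group 00; serial 0000) to cut false positives from phone and order numbers, and records whether each hit sits in a world-readable file, which is the access question step 4.3 asks. The sample tree, file names and contents are constructed for the demonstration.

```python
"""Inventory SSN-like values on a file tree: added example, not ECAR or EDUCAUSE code.

Assumptions (not from the page): files are text, and an SSN appears either as
NNN-NN-NNNN or as nine consecutive digits bounded by non-digits.
"""
import os
import re
import stat
import tempfile
from typing import NamedTuple

# Area, group and serial with an optional hyphen; \2 forces both separators to
# match, so 123-456789 is not accepted. The lookarounds keep a 9-digit window
# inside a longer digit run (e.g. a 10-digit phone number) from matching.
SSN_RE = re.compile(r"(?<!\d)(\d{3})(-?)(\d{2})\2(\d{4})(?!\d)")


class Finding(NamedTuple):
    path: str
    count: int
    world_readable: bool


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the Social Security Administration never issues."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def count_ssns(text: str) -> int:
    return sum(1 for m in SSN_RE.finditer(text)
               if plausible_ssn(m.group(1), m.group(3), m.group(4)))


def scan_tree(root: str, max_bytes: int = 10_000_000) -> list:
    """One Finding per regular file that holds at least one plausible SSN."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                if not stat.S_ISREG(st.st_mode) or st.st_size > max_bytes:
                    continue
                with open(path, encoding="utf-8", errors="replace") as fh:
                    n = count_ssns(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the inventory
            if n:
                findings.append(Finding(path, n, bool(st.st_mode & stat.S_IROTH)))
    return sorted(findings)


def inventory(root: str) -> list:
    """Findings as (relative path, count, world-readable) tuples, sorted by path."""
    return [(os.path.relpath(f.path, root).replace(os.sep, "/"), f.count, f.world_readable)
            for f in scan_tree(root)]


def build_sample_tree() -> str:
    """Write a constructed sample tree (not real data) and return its root."""
    root = tempfile.mkdtemp(prefix="ssn-inventory-")
    samples = {
        "hr/roster.csv": "name,ssn\nalice,123-45-6789\nbob,987-65-4321\n",  # 1 hit: area 987 is never issued
        "finance/export.txt": "219099999 paid; ref 123456789\n",            # 2 hits
        "notes.txt": "ticket 000-12-3456, phone 202-331-5368, id 2023315368\n",  # 0 hits
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "hr", "roster.csv"), 0o600)       # owner only
    os.chmod(os.path.join(root, "finance", "export.txt"), 0o644)  # world-readable
    return root


if __name__ == "__main__":
    for rel, count, public in inventory(build_sample_tree()):
        flag = "WORLD-READABLE" if public else "restricted"
        print(f"{count:4d}  {flag:15s}  {rel}")
```

Run against a real file server the hit list is the inventory for step 4.3; the world-readable flag is the first access question to answer, and files whose owner cannot justify the data are the candidates for step 4.4. The issuance filter is deliberately conservative: it removes obvious non-SSNs but a nine-digit student ID can still match, so treat hits as leads to review, not proof.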

Page 19

Step 5: Controls

5.1 Inventory and review/remediate security of devices

5.2 Configuration standards for applications, servers, desktops, and mobile devices

5.3 Network level protections

5.4 Encryption strategies for data in transit and at rest

5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage

5.6 Identity management and resource provisioning processes

5.7 Secure disposal of equipment and data

5.8 Consider background checks on individuals handling confidential/sensitive data

Page 20

IT Security Approaches

Approach | Percent used in 2005 | Percent used in 2003 | Percent new adopters | Rate of change 2003-2005
Network firewalls (perimeter) | 77.0% | 68.1% | 8.9% | 13.1%
Centralized data backup system | 76.6% | 68.1% | 8.5% | 12.5%
Virtual private network (VPN) for remote access | 75.4% | 45.6% | 29.8% | 65.4%
Enterprise directory | 71.9% | 46.3% | 25.6% | 55.3%
Network firewalls (interior) | 65.0% | 51.0% | 14.0% | 27.5%
Intrusion detection | 62.3% | 46.1% | 16.2% | 35.1%
Active filtering | 59.3% | 29.7% | 29.6% | 99.7%
Intrusion prevention | 44.3% | 33.5% | 10.8% | 32.2%
Security standards for application or system development | 32.4% | 27.5% | 4.9% | 17.8%
Electronic signature | 6.4% | 5.9% | 0.5% | 8.5%
Shibboleth | 4.9% | 1.5% | 3.4% | 226.7%

ECAR IT Security Study, 2006

Page 21

IT Security Technologies

Network perimeter firewalls, centralized data backup systems, virtual private networks, an enterprise directory, and network interior firewalls are the technologies most in use.

Active filtering increased in use by 99.7 percent, VPN for remote access by 65.4 percent, and enterprise directories by 55.3 percent.

There is significantly less difference among Carnegie Class institutions in the use of IT security technologies in 2005 when compared to 2003.

ECAR IT Security Study, 2006

Page 22

IT Security Technologies

The most significant change in wireless security between 2003 and 2005 is the implementation of firewalls (24.8 percent new adopters), followed by IP VPN (14.8 percent new adopters).

Conventional passwords/PINs predominate (94.4 percent). We found that 26.9 percent of the institutions used Kerberos.

The most often used IT security strategies were limiting the protocols allowed through the network firewall or router (87.1 percent), restricting or limiting access to servers and applications (79.6 percent), and timing out access to applications after an idle period (77.0 percent).

ECAR IT Security Study, 2006

Page 23

Strategies to Reduce IT Security Vulnerabilities

Approach | Percent used in 2005 | Percent used in 2003 | Percent new adopters | Rate of change 2003-2005
Limiting the types of protocols allowed through the firewall/router | 88.7% | 73.0% | 15.7% | 21.5%
Restricting and eliminating access to servers and applications | 80.9% | 70.1% | 10.8% | 15.4%
Timing-out access to specific applications after an idle period | 76.0% | 65.0% | 11.0% | 16.9%
Instituting a recovery or back-up plan in the case of disasters caused by natural events or by human acts | 44.3% | 46.3% | -2.0% | -4.3%
Limiting the URLs allowed through the firewall | 29.1% | 26.9% | 2.2% | 8.2%
Installing a software inventory system to watch for malicious software or program changes | 17.7% | 11.4% | 6.3% | 55.3%
Using security devices (cards, biometric scanners, etc.) for authentication | 15.8% | 12.3% | 3.5% | 28.5%

ECAR IT Security Study, 2006

Page 24

Wireless Security

Approach | Percent used in 2005 | Percent used in 2003 | Percent new adopters | Rate of change 2003-2005
Firewall | 71.4% | 46.6% | 24.8% | 53.2%
Remote Authentication Dial-In User Service (RADIUS) | 54.4% | 41.6% | 12.8% | 30.8%
Internet Protocol Virtual Private Network (IP VPN) | 47.8% | 33.0% | 14.8% | 44.8%
128-bit Wired Equivalent Privacy (WEP) | 34.5% | 33.4% | 1.1% | 3.3%
Wireless vendor supplied proprietary solution | 25.7% | 18.5% | 7.2% | 38.9%
Kerberos | 21.2% | 12.2% | 9.0% | 73.8%
Extensible Authentication Protocol (EAP) | 19.7% | 14.8% | 4.9% | 33.1%
40-bit Wired Equivalent Privacy (WEP) | 19.6% | 24.4% | -4.8% | -19.7%
Advanced Encryption Standard (AES) | 14.2% | 6.3% | 7.9% | 125.4%

ECAR IT Security Study, 2006

Page 25

Authentication

Authentication method | Already implemented
Conventional password/PIN | 94.4%
Strong password | 59.8%
Kerberos | 26.9%
SecurID-style one-time password | 8.9%
Other multi-factor authentication methods | 8.1%
PKI certificate (software) without PIN | 6.8%
PKI certificate (software) with PIN | 5.1%
Biometric identification | 2.8%
PKI hardware token with PIN | 1.7%
PKI hardware token without PIN | 0.9%

ECAR IT Security Study, 2006

Page 26

Password Changes

Required password change | Frequency | Percent | Cumulative percent
Single use | 2 | 0.4% | 0.4%
Every 30 days | 18 | 3.8% | 4.2%
Every 60 days | 53 | 11.2% | 15.4%
60-180 days | 198 | 41.8% | 57.2%
More than 180 days | 28 | 5.9% | 63.1%
It varies | 90 | 19.0% | 82.1%
No requirement | 78 | 16.5% | 98.5%
Don't know | 7 | 1.5% | 100.0%
Total | 474 | 100.0% |

ECAR IT Security Study, 2006

Page 27

Policies in Place

Secure disposal of data, media, or printed material that contains sensitive information (71.0%)

ECAR IT Security Study, 2006

Page 28

Step 6: Awareness and Training

6.1 Make confidential/sensitive data handlers aware of privacy and security requirements

6.2 Require acknowledgment by data users of their responsibility for safeguarding such data

6.3 Enhance general privacy and security awareness programs to specifically address safeguarding confidential or sensitive data

Page 29

Awareness Programs

Awareness program in place | Students | Faculty | Staff
2003 | 39.2% | 38.2% | 42.2%
2005 | 62.3% | 68.8% | 69.1%
Percent change | 23.1% | 30.6% | 26.9%

ECAR IT Security Study, 2006

Page 30

Awareness Programs

Program type | Students | Faculty | Staff
Mandatory | 17.4% | 14.5% | 20.4%
Voluntary | 37.9% | 47.7% | 44.4%
No program | 44.7% | 37.7% | 35.2%

ECAR IT Security Study, 2006

Page 31

Step 7: Verify Compliance

7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption

7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance

7.3 Routinely audit access privileges

7.4 Procurement procedures and contract language to ensure proper data handling is maintained

7.5 System development methodologies that prevent new data handling problems from being introduced into the environment

7.6 Utilize the audit function within the institution to verify compliance

7.7 Incident response policies and procedures

7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed
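Step 7.3, routinely auditing access privileges, is the step most often done by eye. The following is an added example, not from the blueprint or the ECAR study: it reads passwd(5) and group(5) formatted data and compares the effective membership of privileged groups against an approved roster. It resolves primary group IDs from the passwd data because a user whose primary group is a privileged group never appears in that group's member list in /etc/group and is missed by a review that only reads /etc/group. The accounts, the group names (including sisadmin) and the approved roster are constructed for the demonstration.

```python
"""Audit privileged group membership against an approved roster.

Added example, not part of the EDUCAUSE blueprint. Reads passwd(5) and
group(5) formatted text; the accounts, groups and roster below are constructed.
"""

# Constructed sample data (not from any real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:10:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
dave:x:1004:1004:Dave:/home/dave:/usr/sbin/nologin
"""

GROUP = """\
root:x:0:
wheel:x:10:alice,carol
sisadmin:x:20:dave
alice:x:1001:
carol:x:1003:
dave:x:1004:
"""

# Approved roster from the last access review (hypothetical group names).
APPROVED = {"wheel": {"alice"}, "sisadmin": {"carol"}}


def parse_passwd(text: str) -> dict:
    """user -> primary GID."""
    primary = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            primary[fields[0]] = int(fields[3])
    return primary


def parse_group(text: str) -> dict:
    """group -> (GID, explicitly listed members)."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def effective_members(group: str, groups: dict, primary: dict):
    """Explicit members plus users whose primary GID is this group."""
    gid, explicit = groups[group]
    via_primary = {user for user, g in primary.items() if g == gid}
    return explicit | via_primary, via_primary


def audit(passwd_text: str, group_text: str, approved: dict) -> dict:
    """For each privileged group: who holds it without approval, who is approved
    but absent (stale roster or lost access), and which unapproved holders come
    only from a primary GID and so are invisible in /etc/group."""
    primary = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    report = {}
    for grp, ok in approved.items():
        if grp not in groups:
            report[grp] = {"unapproved": set(), "missing": set(ok), "via_primary_gid": set()}
            continue
        members, via_primary = effective_members(grp, groups, primary)
        report[grp] = {
            "unapproved": members - ok,
            "missing": ok - members,
            "via_primary_gid": via_primary - ok,
        }
    return report


if __name__ == "__main__":
    for grp, r in audit(PASSWD, GROUP, APPROVED).items():
        print(f"{grp}: unapproved={sorted(r['unapproved'])} "
              f"(via primary GID only: {sorted(r['via_primary_gid'])}) "
              f"missing={sorted(r['missing'])}")
```

In the constructed data bob holds wheel only through his primary GID and carol holds it explicitly, so both are reported as unapproved, while sisadmin shows dave as unapproved and carol as approved but absent. On a real host the same comparison should be run against every privileged group, and the "missing" column is as important as "unapproved": it is how a roster that no longer matches reality gets corrected before the next review.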

Page 32

IT Security Audits

Twenty-five percent of responding institutions do not perform formal IT security audits.

The majority (50.6 percent) perform formal IT security audits on an irregular basis.

ECAR IT Security Study, 2006

Page 33

Policies in Place

Managing privacy issues, including breaches of personal information (72%)

Incident reporting and response (69%)

Disaster recovery contingency planning (68%)

Investigation and correction of the causes of security failures (68%)

Notification of security events to individuals, law enforcement, etc. (67%)

ECAR IT Security Study, 2006

Page 34

IT Security Plan

11.2 percent: a comprehensive IT security plan is in place

66.6 percent: a partial plan is in place

20.4 percent: no IT security plan is in place

ECAR IT Security Study, 2006

Page 35

Characteristics of Successful IT Security Programs

Institutions with IT security plans in place characterize their IT security programs as more successful and feel more secure today.

The respondents who believe their institution provides necessary resources give higher ratings for IT security program success and their current sense of IT security.

ECAR IT Security Study, 2006

Page 36

For more information

Rodney Petersen
Email: [email protected]
Phone: 202.331.5368

EDUCAUSE/Internet2 Security Task Force: www.educause.edu/security
EDUCAUSE Center for Applied Research: www.educause.edu/ECAR
Blueprint for Handling Sensitive Data: wiki.internet2.edu/confluence/display/secguide

