
HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Date post: 02-Feb-2016
Upload: yestin
HEISC Town Hall Webinar: 2012-2013 Strategic Plan Host: Larry Conrad CIO, UNC-Chapel Hill & HEISC Co-Chair
Transcript
Page 1: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Host: Larry Conrad

CIO, UNC-Chapel Hill & HEISC Co-Chair

Page 2: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Today’s Agenda

Information security changes in the past 10 years

Ongoing challenges for security practitioners

HEISC strategic plan (2012-2013): Vision; Mission; Goals & objectives

HEISC working group updates

What can you do?

Page 3: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Information Security Changes in the Past 10 Years

Threats: More serious – e.g., nation states, organized crime

Vulnerabilities: New technologies (e.g., social media, cloud, mobility) introduce new vulnerabilities

Impact: Confidentiality, Integrity, Availability (CIA) recognized as mission critical

Page 4: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

On the Plus Side

Increased awareness

Greater investments, including security staff

Staff professional development and training

Improved organization across higher ed

Better tools

More policies and standards

More strategic, proactive outlook

More “effective practices” are available

Page 5: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Ongoing Challenges for Security Practitioners

Executive awareness and support

Technology changes: Mobility, outsourcing, cloud, IPv6

Benchmarks and metrics

Organizational dynamics: Centralized, distributed, and affiliated centers

Funding for IT security

Staff resources and training

Page 6: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Ongoing Challenges (Cont’d)

Data standards, governance, and risk management

Data protection tools

Student and employee awareness

Academic continuity and disaster recovery

Legislation and compliance

Research data and process

International collaboration

Vendor relationships

Page 7: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

HEISC Vision

Guide academic institutions in their quest to safeguard data, information systems, and networks

Protect the privacy of the higher education community

Ensure that information security is an integral part of campus activities and business processes

Page 8: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

HEISC Mission

Improve information security, data protection, and privacy programs across the higher education sector

Develop and promote leadership; awareness and understanding; effective practices and policies; and solutions for the protection of critical data, IT assets, and infrastructures

Accomplish activities through working groups of volunteers and staff

Coordinate and collaborate with government, industry, and other academic organizations

Page 9: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

HEISC Goals

1. Establish the Information Security Guide as the premier resource for security professionals.

2. Improve security-related interorganizational collaboration with higher education stakeholders.

3. Inform and educate campus leaders on information security issues by leveraging enterprise risk management (ERM) processes.

4. Help institutions leverage their investments with regard to all IT products and services.

5. Increase the effectiveness of communication efforts.

Page 10: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Objectives for Goal #1: Establish the Information Security Guide as the premier resource for security professionals

Toolkits, primers, and templates

Information security maturity model

Security requirements

Security practices in research environments

CISO duties and reporting line

Identity management (IdM) practices

Page 11: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Objectives for Goal #2: Improve security-related collaboration with higher education stakeholders

EDUCAUSE, Internet2, and the REN-ISAC

Core Data Service and EDUCAUSE Data, Research, and Analytics staff

Other higher education associations, industry groups, and government

Higher education information security professionals

Page 12: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Objectives for Goal #3: Inform & educate campus leaders on information security issues by leveraging ERM processes

ERM summit

Messaging, talking points, and presentation template

Other higher ed association meetings and conferences (e.g., URMIA, NACUBO, AAU)

Page 13: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Objectives for Goal #4: Help institutions leverage their investments with regard to all IT products and services

Vendor community outreach

Resources for IT products and services

Information sharing

Page 14: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Objectives for Goal #5: Increase the effectiveness of communication efforts

Higher ed security professionals, CIOs, IT leaders

Wealth of resources in the Information Security Guide

Issues and successes in the .edu domain

HEISC volunteer opportunities

Page 15: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Q&A

HEISC Goals and Objectives

Page 16: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

HEISC Working Groups

Awareness & Training (A&T)

Governance, Risk, & Compliance (GRC)

Technologies, Operations, & Practices (TOP)

Information Security Guide Editorial Board

Security Professionals Conference Program Committee

Research and Education Networking Information Sharing and Analysis Center (REN-ISAC)

Page 17: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Awareness & Training (A&T)

Co-Chairs: Nicole Kegler & Ben Woelk

Student Poster & Video Contest

National Cyber Security Awareness Month in October

Executive Awareness Communications

Partnering with the IT Communications Group New!

Data Privacy Month in January New!

Security Awareness Metrics Outreach and Marketing

Page 18: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Governance, Risk, & Compliance (GRC)

Co-Chairs: Doug Markiewicz & David Escalante

Recent publications: Two-Factor Authentication, Data Incident Notification Toolkit,

Shared Assessments Project Team Sensitive Data Exposure Incident Checklist New!

GRC Systems FAQ New!

Information Security Maturity Model New!

Essential Security Metrics New!

Top Info Security Concerns for Researchers New!

Page 19: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Technologies, Operations, & Practices (TOP)

Co-Chairs: Jim Taylor & Marcos Vieyra

Recent publications: Mobile Internet Device Security Guidelines, Dropbox Security & Privacy Considerations, Full Disk Encryption Guide

Identify emerging technologies and their security implications New!

With the REN-ISAC, develop partnerships with vendors to improve information sharing

Facilitate state or local ISO gatherings New!

Page 20: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Information Security Guide Editorial Board

Co-Chairs: Ced Bennett & Mary Dunker

Fresh look and feel New!

Emphasizing practical application of the Security Guide via conference presentations New!

Growing the content (nearly doubled in 2011)

Extending the Guide's exposure and reach (even beyond EDU) New!

Page 21: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Security Professionals Conference 2012

Program Chair: Jodi Ito & Vice Chair: Paul Howell

May 15-17, 2012 in Indianapolis, IN

10th annual conference

Focused on information security in higher ed

Premier forum for networking with security professionals

Theme: Security Everywhere: Exploring the Expanding World of Security

www.educause.edu/SEC12

Page 22: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

REN-ISAC

Technical Director: Doug Pearson

Membership growth Growth in relationships Involvement in strategic industry groups Implementation of Security Event System Community Security Partnership with SANS Engagement in international standards work Handling of 0-day vulnerability communications Increase in number of notifications Additional staff Contact: [email protected]

Page 23: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Q&A

HEISC Working Groups

Page 24: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

What Can You Do?

Join the Security Discussion Group: www.educause.edu/groups/security

Volunteer: [email protected]

Find resources: www.educause.edu/security

Attend Security 2012: www.educause.edu/sec12

Follow us: @HEISCouncil

Contacts:

Valerie Vogel ([email protected])

Rodney Petersen ([email protected])

Page 25: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Look for These Hot Topics in 2012…

Metrics & Benchmarking

Cloud Computing & Services

Consumerization & Mobility

Enterprise Risk Management

IPv6

Privacy

Federated IdM

Addressing the decentralized university from a security perspective

Page 26: HEISC Town Hall Webinar: 2012-2013 Strategic Plan

Thank you for participating!

If you’d like to get in touch with our speakers, please send an e-mail to

[email protected]

