Connecting the Academic Experience to the Operational Security Needs of Higher Education
Peter M. Siegel, Vice Provost for Information and Educational Technology & CIO, UC-Davis; Co-Chair, EDUCAUSE/Internet2 Security Task Force
Rodney J. Petersen, Government Relations Officer and Security Task Force Coordinator, EDUCAUSE

Higher Ed & Cybersecurity
• Through its core mission of teaching and learning, it is the main source of our future leaders, innovators, and technical workforce.
• Through research, it is the basic source of much of our new knowledge and subsequent technologies.
• As complex institutions, colleges and universities operate some of the world’s largest collections of computers and high-speed networks.

Cybersecurity & Higher Ed
• Act I (ECAR Security Survey – 2003)
  • Cybersecurity not a priority
  • Few dedicated IT security staff
  • InfoSec programs in infancy or disarray
• Act II (ECAR Security Survey – 2006)
  • Vast improvements (2003-2005)
  • Emergence of InfoSec profession
  • Establishment of robust InfoSec programs
• Act III (2007 and beyond)
  • Enterprise risk management includes InfoSec
  • Focus on Information protection, not just Technology
  • Architectural approach to IT security
*EDUCAUSE Center for Applied Research (ECAR)

Intro to Security Task Force
• Established in July 2000
• Staff Support from EDUCAUSE & Internet2
• Leadership from the CIO, CISO, and IT Community
• Coordination with Higher Education Associations
  • American Council on Education
  • Association of American Universities
  • National Association of State Universities & Land-Grant Colleges
  • American Association of State Colleges and Universities
  • National Association of Independent Colleges and Universities
  • American Association of Community Colleges
• Computer & Network Security: A Resource for Higher Ed http://www.educause.edu/security

Framework for Action
• Make IT security a higher and more visible priority in higher education
• Do a better job with existing security tools, including revision of institutional policies
• Design, develop, and deploy improved security for future research and education networks
• Raise the level of security collaboration among higher education, industry, and government
• Integrate higher education work on security into the broader national effort to strengthen critical infrastructure

Strategic Goals
The Security Task Force (STF) is implementing a coordinated strategy for computer and network security for higher education. The following strategic goals have been identified:
• Education and Awareness
• Standards, Policies, and Procedures
• Security Architecture and Tools
• Organization and Information Sharing

Education and Awareness
Goal
To increase the awareness of the associated risks of computer and network use and the corresponding responsibilities of higher education executives and end-users of technology (faculty, staff, and students), and to further the professional development of information technology staff.
Programs
• STF Awareness & Training Working Group
• Annual Security Professionals Conference
• SAN-EDU Technical Training for IT Staff

Education & Awareness (cont’d)
• Accomplishments
  • Leadership Strategies Book on Security (2003)
  • ACE Letter to Presidents (2003)
  • National Cyber Security Awareness Month (annually in October)
  • Cybersecurity Awareness Resource CD (now online)
  • Cybersecurity on Campus Executive Awareness Video (2005)
  • Computer Security Student Video Contest (2006 and 2007)
  • Outreach to Higher Ed Associations and Beyond (2003-present)
• Partnerships
  • Federal Trade Commission (FTC)
  • National Cyber Security Alliance (www.StaySafeOnline.info)
  • National Centers of Academic Excellence in IA Education
  • SANS

Standards, Policies, & Procedures
Goal
To develop information technology standards, policies, and procedures that are appropriate, enforceable, and effective within the higher education community.
Programs
• STF Policy and Legal Issues Working Group
• STF Risk Assessment Working Group
• EDUCAUSE Washington Office - Public Policy and Government Relations
• EDUCAUSE/Cornell Institute for Computer Policy and Law

Standards, Policies, & Procedures (cont’d)
• Accomplishments
  • Principles to Guide Efforts to Improve Computer and Network Security in Higher Education (2003)
  • Publication of White Paper on “IT Security for Higher Education: A Legal Perspective” (2003)
  • Information Security Governance Assessment Tool (2004)
  • Risk Assessment Framework (2005)
  • Model Security Policies Project (2006)
• Partnerships
  • Association of College and University Auditors (ACUA)
  • National Association of College & University Attorneys (NACUA)
  • National Association of College & University Business Officers (NACUBO)
  • National Institute for Standards in Technology (NIST)

Security Architecture and Tools
Goal
To design, develop, and deploy infrastructures, systems, and services that incorporate security as a priority; and to employ technology to monitor resources and minimize adverse consequences of security incidents.
Programs
• STF Effective Security Practices Working Group
• Internet2 Security Working Groups
• EDUCAUSE and Internet2 PKI, Middleware, and ID Management Initiatives

Security Architecture & Tools (cont’d)
• Accomplishments
  • Effective Security Practices Guide (2004 and 2006)
  • Effective Security Practices & Solutions (ongoing)
  • Whitepaper on Automating Network Policy Enforcement (2004)
  • Center for Internet Security Benchmarks (2004 - present)
• Partnerships
  • The Center for Internet Security
  • DHS National Cyber Security Division
  • NSF Middleware Initiative

Organization and Information Sharing
Goal
To create the capacity for a college or university to effectively deploy a comprehensive security architecture (people, process, and technology), and to leverage the collective wisdom and expertise of the higher education community.
Programs
• Security Task Force Executive Committee & Leadership Team
• EDUCAUSE Security Discussion Group
• Annual Security Professionals Conference
• Research & Education Networking Information Sharing & Analysis Center (REN-ISAC)

Organization & Info Sharing (cont’d)
• Accomplishments
  • Security Discussion Group ~ 2,000 subscribers
  • REN-ISAC Trusted Communications ~ 200 organizations
  • Annual Security Professionals Conference > 400 at Security ’07
  • Security Task Force working groups > 100 active volunteers
• Partnerships
  • International Association of Campus Law Enforcement Administrators (IACLEA)
  • ISAC Council
  • U.S. Department of Homeland Security – U.S. Computer Emergency Readiness Team (US-CERT)
  • Federal Bureau of Investigation – InfraGard Program
  • U.S. Secret Service – Electronic Crimes Task Force

Linkages between IA and IT
• Higher Ed & Cybersecurity
• IT Operations
• IA Teaching and Learning
• IA Research and Discovery
• Creating Linkages between IA educational and research communities with campus IT
• Partnerships for Teaching and Research
• Setting Campus Direction
• Employment

Testimony of IA Graduate
“One of the biggest gaps in IA education can be bridging between the theoretical and practical aspects of security. Practitioners can help reduce the gap by bringing practical experience to the classroom, or acting as mentors while the aforementioned work by the student is performed. IA programs can help the students develop the business language of security. Often information security professionals are well versed in the technologies of security, but are not able to adequately relate the risk equation or impact to business.”
Matthew Dalton (Norwich University, Class of ‘05), Manager, Security and Privacy, University of Rochester

Sample Partnerships
• The George Washington University and University of Rochester have used some IA students as summer interns for special projects
• The University of Oklahoma has hired IA students as student employees which helped them secure jobs after graduation
• California State University, San Bernardino, has employed IA students in the Information Security Office
• The University of Massachusetts, Amherst, has developed a speaker series that brings together students, faculty, and IT operations staff.

Sample Partnerships (cont’d)
• Carnegie Mellon University Software Engineering Institute Staff have guest lectured in courses
• Indiana University Chief IT Policy Officer has guest lectured on security policies in courses
• University at Buffalo Information Security Officer sits on Center’s Advisory Board
• Director and Associate Director of the Center at the University at Buffalo sit on ISO’s Information Security Advisory Group

Testimony of Higher Ed ISO
“I work at a large public research University. There is an enormous pool of expertise and great intelligence in the faculty and student population. I try to take advantage of the opportunities I have to tap into that pool to help protect the University programs, infrastructure and data as well as reduce risk to its mission of instruction, research and community service. I'd be crazy not to try very hard to capitalize on the CEISARE and its assets.”
Chuck Dunn, Information Security Officer, University at Buffalo

Sample Partnerships (cont’d)
• Cal Poly Pomona has involved students in conducting institutional risk assessments
• The University of Texas at San Antonio Center conducted a System-wide IT Security Operational Review for the University of Texas System
• Virginia Tech operates a security lab where students can test new software and identify vulnerabilities.
• Virginia Tech is working with SANS with faculty and student input to develop a certification for secure coding

Employment Opportunities
• Applications Development
• Computer Labs
• Database Administration
• Help Desk
• Instructional Design
• Network Operations Center
• ResNet
• Technology Classrooms
• User Support
• Web Design

Security Employment
• Chief Information Security Officer
• Security Incident Handler
• Handling Abuse Incidents
• Security Engineer
• Security Analyst
• Security Architect
• Security Awareness Coordinator
• IT Disaster Recovery Manager
• Business Continuity Planner
• ID Management and Directory Services

Academic Opportunities
• Class Projects
• Participation in Student Video Contest
• Conducting Risk Assessments
• Independent Studies
• Asset Identification and Classification
• Internships
• Information Security Office
• Research Studies
• Security Metrics/Effectiveness of Current Efforts
• [Insert Your Idea Here]

How We Can Help You
• Suggest group projects, class assignments, or topics for study
• Provide guest lectures in courses or presentations as part of speaker series
• Provide mentoring or career advice for aspiring information security professionals
• Serve as faculty for courses and members of advisory committees or review boards

Your Next Steps
• Reach out to your campus CIO or CISO and meet to brainstorm possibilities
• Structure class projects and assignments to incorporate real life applications
• Consider contributing your time and expertise to the EDUCAUSE/Internet2 Security Task Force
• Share with your peers creative approaches taken at your institution

Testimony of IA Graduate
“One of the nice things about my program was its tight integration with my employer. At the end of the program, I had developed an enterprise risk assessment of the institution with recommendations for improvement. I would say that depending on the program, there should be a tight integration with either the campus community or the student's employer/community through strong project work, internships, and operational integration.”
Matthew Dalton (Norwich University, Class of ‘05), Manager, Security and Privacy, University of Rochester

For more information
EDUCAUSE/Internet2 Security Task Force: www.educause.edu/security
• Joy Hughes, jhughes@gmu.edu, 703.993.8728
• Peter Siegel, pmsiegel@ucdavis.edu, 530.752.4998
• Rodney Petersen, rpetersen@educause.edu, 202.331-5368