Learn about EDUCAUSE, a membership association advancing IT in higher education, and the EDUCAUSE/Internet2 Security Task Force's efforts to strengthen cybersecurity.
An Introduction to EDUCAUSE and the EDUCAUSE/Internet2 Security Task Force. Steve Worona, Director of Policy and Networking Programs, EDUCAUSE. CISSE, Washington, D.C., June 5, 2003
“I am your worst nightmare!” Dr. Corey Schou, Idaho State
Today’s Highlights from Mary Ann and Dan • “Write good code, not cool code” • “Do research to solve the right problem” • “Seize all reasonable opportunities to partner” CISSE – Washington, D.C.
About EDUCAUSE • Membership association to advance information technology in higher education • 1800 member institutions • Colleges, universities, corporate partners • Publications, paper and electronic • Annual national conference (~7,000) • 6 Annual Regional conferences • Public policy initiatives
EDUCAUSE: History and Legacy • 1998: Merger of CAUSE and Educom • Educom b. 1964 with Kellogg Foundation grants to encourage use of computing in higher education • CAUSE b. 1971 from earlier group (1962) formed to exchange hardware/software expertise on campus • [Step]Children • BITNET • NTTF • Internet2 • CNI
EDUCAUSE Activities: Net@EDU • Emerged from NTTF & FARNET • Mission: “To advance the evolution of a global networking environment that best supports the transformation of Higher Education through information technology.” • ~100 member campuses • Annual meeting • Working groups • PKI • Broadband • Wireless • ICS (VoIP)
EDUCAUSE Activities: .EDU • DoC Cooperative Agreement Nov. 2001 • Transition from VeriSign/NSI • Registrar, Registry • Outsourced to VeriSign thru August, 2003 • Limitations • Old names grandfathered • New names limited to accredited inst’s • Regional accreditation vs DofEducation list • One name/institution • Policy issues • Systems; licensing; international; …
EDUCAUSE Activities: PKI • PKI Working Group (Net@EDU) • NSF Middleware Initiative (NMI) • Internet2/EDUCAUSE/SURA • Common middleware for campus infrastructure and GRIDS • Shibboleth, eduperson, … • Higher-Ed Root • Formerly CREN, now Internet2 • Pre-loaded into browsers • HEBCA (Higher-Ed Bridge CA) • Cloned from FBCA • Pilots, old and new • HEPKI Council
Other EDUCAUSE Activities • EDUCAUSE/Cornell Institute for Computer Policy and Law • Annual seminar in Ithaca July 8-11 • ANMSI • NLII • ECAR • JCP2P (Higher Education+RIAA/MPAA) • EDUCAUSE Live! • EDUCAUSE/Internet2 Security TF
The Security TF and the National Strategy • Creation of EDUCAUSE/Internet2 Computer and Network Security Task Force – July 2000. See www.educause.edu/security • Framework for Action - April 2002. See security.internet2.edu/ActionStatement.pdf • National Strategy to Secure Cyberspace • Nat’l Strategy Questions - April 20, 2002. See www.gcn.com/cybersecurity • Higher Education Contribution to National Strategy to Secure Cyberspace (July 2002). See www.educause.edu/security/national-strategy • NSF-Funded Workshops – Summer/Fall 2002 • DRAFT Released - September 18, 2002. See www.securecyberspace.gov • Release of Nat’l Strategy – February 14, 2003
Framework for Action: April, 2002 • Make IT security a higher and more visible priority in higher education • Do a better job with existing security tools, including revision of institutional policies • Design, develop and deploy improved security for future research and education networks • Raise the level of security collaboration among higher education, industry and government • Integrate higher education work on security into the broader national effort to strengthen critical infrastructure
National Strategy Priorities • A National Cyberspace Security Response System • A National Cyberspace Security Threat and Vulnerability Reduction Program • A National Cyberspace Security Awareness and Training Program • Securing Governments’ Cyberspace • National Security and International Cyberspace Security Cooperation
Strategic Objectives of Nat’l Strategy • Prevent cyber attacks against America’s critical infrastructures • Reduce national vulnerability to cyber attacks; and • Minimize damage and recovery time from cyber attacks that do occur
Higher Ed and National Strategy National Strategy encourages colleges and universities to secure their cyber systems by establishing some or all of the following as appropriate: • one or more Information Sharing and Analysis Centers to deal with cyber attacks and vulnerabilities; • an on-call point-of-contact to Internet service providers and law enforcement officials in the event that the school’s IT systems are discovered to be launching cyber attacks; • model guidelines empowering Chief Information Officers (CIOs) to address cybersecurity; • one or more sets of best practices for IT security; and, • model user awareness programs and materials.
NSF-Funded Workshops 2002 • Higher Ed Values and Principles • August – Columbia University • Security Architecture and Policy • August – Chicago • Security in the Research Environment • October – Washington • Higher Education IT Security Summit • November – Washington
Higher Ed IT Environments • Technology Environment • Distributed computing and wide range of hardware and software from outdated to state-of-the-art • Increasing demands for distributed computing, distance learning and mobile/wireless capabilities which create unique security challenges • Leadership Environment • Reactive rather than proactive • Lack of clearly defined goals (what do we need to protect and why) • Academic Culture • Persistent belief that security & academic freedom are antithetical • Tolerance, experimentation, and anonymity highly valued
Action Agenda • Organization and Information Sharing • Education and Awareness • Policies, Procedures, and Standards • Security Architecture and Tools • Incident Response and Reporting • Cybersecurity Research & Development
Organization & Info Sharing Goal: • To create the capacity for a college or university to effectively deploy a comprehensive security architecture (education, policy, and technology); and to leverage the collective wisdom and expertise of the higher education community. Programs: • EDUCAUSE/Internet2 Computer and Network Security Task Force • Security Resource for Higher Education Web Site • Security Discussion Group • Higher Education Information Technology Alliance • Research & Educational Networking Information Sharing and Analysis Center (REN-ISAC) Initiatives: • Empowering CIO’s and Establishing Authority/Responsibility at the Cabinet Level • Identifying 24x7 Campus Contacts for Emergencies and Law Enforcement Requests • EDUCAUSE Security Newsletter
Incident Response and Reporting Goal: Improve the ability of higher education institutions to respond to computer incidents and develop appropriate reporting mechanisms for sharing information and measuring progress. Programs: • Computer Emergency Response Team/Coordination Center (CERT/CC) • Forum of Incident Response Teams (FIRST) • Research and Educational Networking ISAC (REN-ISAC) Initiatives: • Provide Education and Assistance in the Creation of Incident Response Teams • Develop Common Incident Categories Across Higher Education (working with Industry and Government) • Establish Incident Reporting Standards, Systems, and Mechanisms
ACE Letter to Presidents • Set the tone: ensure that all campus stakeholders know that you take Cybersecurity seriously. Insist on community-wide awareness and accountability. • Establish responsibility for campus-wide Cybersecurity at the cabinet level. At a large university, this responsibility might be assigned to the Chief Information Officer. At a small college, this person may have responsibility for many areas, including the institutional computing environment. • Ask for a periodic Cybersecurity risk assessment that identifies the most important risks to your institution. Manage these risks in the context of institutional planning and budgeting. • Request updates to your Cybersecurity plans on a regular basis in response to the rapid evolution of the technologies, vulnerabilities, threats, and risks.
Security Professionals Workshop April 22-23, 2003 Temecula, California
Key Players in Higher-Ed IT Security: Important roles for all • Researchers • Faculty • System-admins • Network-admins • Software companies • Hardware companies • Students • Campus auditors • CIO’s • Presidents/Provosts • Funding agencies • Legislators • Campus attorneys • K-12 teachers • Parents • …
Opportunities to Collaborate • Present at EDUCAUSE conferences • Put material in EDUCAUSE library • Publish in EDUCAUSE journals • Joint conferences, meetings, workshops • Feedback loop with REN-ISAC • Job opportunities for graduates • Studies/surveys via ECAR • Vendor communication • Cross-link Web pages • Your idea here…
For more information and collaboration • www.educause.edu/security • Rodney Petersen, EDUCAUSE • Michael Roberts, Internet2 • Dan Updegrove, UT-Austin • Gordon Wishon, Notre Dame