
Identity, Privacy, and Security: Higher Education Policy and Practice

Identity, Privacy, and Security: Higher Education Policy and Practice. Rodney Petersen Government Relations Officer Director of Cybersecurity Initiative EDUCAUSE. Digital Infrastructure as a Strategic National Asset.


Presentation Transcript


  1. Identity, Privacy, and Security: Higher Education Policy and Practice • Rodney Petersen • Government Relations Officer • Director of Cybersecurity Initiative • EDUCAUSE

  2. Digital Infrastructure as a Strategic National Asset • "From now on, our digital infrastructure -- the networks and computers we depend on every day -- will be treated as they should be: as a strategic national asset . . . it's now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation." • President Barack Obama, May 29, 2009

  3. Cyberspace Policy Review • Subtitle: Assuring a Trusted and Resilient Information and Communications Infrastructure • 60 Day Comprehensive Review • (Took 90 Days for President to Review and Announce) • 6 Months Later, Major Recommendation Not Addressed: • Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities; • National Security and Economic Security Concern

  4. Policy Recommendations • Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure. • Prepare a cybersecurity incident response plan • Designate cybersecurity as one of the President’s key management priorities and establish performance metrics. • Designate a privacy and civil liberties official to the NSC cybersecurity directorate. • Initiate a national public awareness and education campaign to promote cybersecurity.

  5. Policy Recommendations (cont’d) • Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity. • Develop a framework for research and development strategies that focus on game-changing technologies; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions. • Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.

  6. Congressional Action • Health Information Technology Act (HI TECH Act) • FTC Enforcement of Red Flags Rule • Delayed until June 1, 2010 • HEOA Regulation: Distance Education Verification • Positioning of Cybersecurity in Federal Government • Strengthening of FISMA • Role of NIST in Standards Development • National Security Breach Notification Law • Critical Infrastructure Protection and Cyber Assets

  7. National Broadband Plan • What type of computer-based attacks against government or commercial computer systems or networks are occurring and what are other federal agencies, commercial, and other entities doing to prevent, detect and respond to cyber attacks? • How are other federal agencies of the United States and other governments collaborating with the communications segment to prevent, detect, and respond to cyber attacks? • What market incentives exist for commercial communications providers, large and small, to invest in secure infrastructure? (i.e., how do we avoid externalities?) • Do end-users have sufficient independent information to make good decisions between communications providers that may differ in the extent to which they implement cyber security measures? • How widely are cyber security best practices implemented by communications providers and what are these best practices? • What are the specific wireless network features and handset features and capabilities necessary to combat such attacks?

  8. NCSAM Highlights • Kick-off Event in Washington, D.C. • Mid-October Event in Sacramento, CA • The White House • Proclamation declaring October as NCSAM • Obama 3 Minute Video Address • Department of Homeland Security • Napolitano address at kick-off event: 1,000 new hires • Napolitano web address • Congressional Resolutions

  9. Organizational Alignment

  10. Privacy • Policy: Comprehensive Privacy Framework • Practice: Fair Information Practices • Issues: • Protection of Personally Identifiable Information • Identity Theft • Data Retention and Disposal • Roles: Chief Privacy Officer • International Association of Privacy Professionals

  11. Identity & Access Management • EDUCAUSE Identity & Access Management Working Group • Goals: • Awareness and advocacy—to help CIOs and IT leaders understand the strategic importance of IAM for their enterprise • Outreach and coordination—to work with other constituencies, including government and industry, to help enable the adoption of interoperable IAM • Partnerships and collaboration—to facilitate the utilization of centralized authentication and authorization services by business process owners, including student services, human resources, alumni and development, facilities management, and other groups • Implementation and training—to provide resources and tools, including IT staff training, to equip developers and implementers • Federated Identity Management & the InCommon Federation

  12. Academia’s Role in Securing Cyberspace • Through its core mission of teaching and learning, it is the main source of our future leaders, innovators, and technical workforce. • Through research, it is the basic source of much of our new knowledge and subsequent technologies. • As complex institutions, colleges and universities operate some of the world’s largest collections of computers and high-speed networks.

  13. Higher Education Information Security Council • Hosts: EDUCAUSE and Internet2 • History: Serving higher education since 2000 • Mission: to improve information security and privacy across the higher education sector by actively developing and promoting effective practices and solutions for the protection of critical IT assets and infrastructures.

  14. InfoSec Council Activities • Security Discussion Group • Working Groups • People: awareness and training • Process: compliance, policies, risk, governance • Technology: effective practices and solutions • Professional Development • Annual Security Professionals Conference • SANS-EDU Partner Series • Collaborations and Partnerships • Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) • Center for Internet Security • . . . and more

  15. InfoSec Council Strategic Plan Theme: Safeguarding Our IT Assets, Protecting Our Community’s Privacy Goals: • Obtain Executive Commitment and Action • Manage Data to Enhance Privacy and Security Protections • Develop and Promote Effective Practices and Solutions • Explore New Tools and Technologies • Establish and Promote Information-Sharing Mechanisms

  16. InfoSec Council Special Projects • Confidential Data Handling Blueprint • Guidelines for Data and Media Sanitization • Toolkit for Electronic Records Management, Data Retention, and e-Discovery • Information Security Governance • Risk Management Framework • Security Awareness Poster/Video Contest • National Cybersecurity Awareness Month • Security Metrics

  17. Information Security Guide • Risk Management • Compliance • Security Policy • Organization of Information Security • Asset Management • Human Resources Security • Physical and Environmental Security • Communications and Operations Management • Access Controls • Information Systems Acquisition, Development, and Maintenance • Incident Management • Business Continuity Management

  18. Confidential Data Handling Blueprint • Step 1: Create a security risk-aware culture that includes an information security risk management program • Step 2: Define institutional data types • Step 3: Clarify responsibilities and accountability for safeguarding confidential data • Step 4: Reduce access to confidential data not absolutely essential to institutional processes • Step 5: Establish and implement stricter controls for safeguarding confidential data • Step 6: Provide awareness and training • Step 7: Verify compliance routinely with your policies and procedures

  19. Call to Action • Attend • Security Professionals Conference, April 12-14, 2010, Atlanta, Georgia: net.educause.edu/conference/security • Contribute • Submit an Effective Practice and Solution: www.educause.edu/security/guide • Join • Discussion Group: www.educause.edu/groups/security • REN-ISAC: www.ren-isac.net • Volunteer • Send an email to security-volunteer@educause.edu

  20. For More Information • Visit: • Higher Education Information Security Council: http://www.educause.edu/security • Contact: • David Swartz, American University, HEISC Co-Chair: dswartz@american.edu • Brian Voss, LSU, HEISC Co-Chair: bvoss@lsu.edu • Rodney Petersen, EDUCAUSE, HEISC Staff: rpetersen@educause.edu

  21. THANK YOU
