Connecting the Academic Experience to the Operational Security Needs of Higher Education

Peter M. Siegel
Vice Provost for Information and Educational Technology & CIO, UC-Davis
Co-Chair, EDUCAUSE/Internet2 Security Task Force

Rodney J. Petersen
Government Relations Officer and Security Task Force Coordinator
EDUCAUSE



Higher Ed & Cybersecurity

Through its core mission of teaching and learning, it is the main source of our future leaders, innovators, and technical workforce.

Through research, it is the basic source of much of our new knowledge and subsequent technologies.

As complex institutions, colleges and universities operate some of the world’s largest collections of computers and high-speed networks.

CAEIAE Criteria #3

Cybersecurity & Higher Ed

Act I (ECAR Security Survey – 2003)
  Cybersecurity not a priority
  Few dedicated IT security staff
  InfoSec programs in infancy or disarray

Act II (ECAR Security Survey – 2006)
  Vast improvements (2003-2005)
  Emergence of InfoSec profession
  Establishment of robust InfoSec programs

Act III (2007 and beyond)
  Enterprise risk management includes InfoSec
  Focus on Information protection, not just Technology
  Architectural approach to IT security

*EDUCAUSE Center for Applied Research (ECAR)

Intro to Security Task Force

Established in July 2000
Staff Support from EDUCAUSE & Internet2
Leadership from the CIO, CISO, and IT Community
Coordination with Higher Education Associations
  American Council on Education
  Association of American Universities
  National Association of State Universities & Land-Grant Colleges
  American Association of State Colleges and Universities
  National Association of Independent Colleges and Universities
  American Association of Community Colleges

Computer & Network Security: A Resource for Higher Ed http://www.educause.edu/security

Framework for Action

Make IT security a higher and more visible priority in higher education
Do a better job with existing security tools, including revision of institutional policies
Design, develop, and deploy improved security for future research and education networks
Raise the level of security collaboration among higher education, industry, and government
Integrate higher education work on security into the broader national effort to strengthen critical infrastructure

Strategic Goals

The Security Task Force (STF) is implementing a coordinated strategy for computer and network security for higher education. The following strategic goals have been identified:
  Education and Awareness
  Standards, Policies, and Procedures
  Security Architecture and Tools
  Organization and Information Sharing

Education and Awareness

Goal

To increase the awareness of the associated risks of computer and network use and the corresponding responsibilities of higher education executives and end-users of technology (faculty, staff, and students), and to further the professional development of information technology staff.

Programs
  STF Awareness & Training Working Group
  Annual Security Professionals Conference
  SAN-EDU Technical Training for IT Staff

Education & Awareness (cont’d)

Accomplishments
  Leadership Strategies Book on Security (2003)
  ACE Letter to Presidents (2003)
  National Cyber Security Awareness Month (annually in October)
  Cybersecurity Awareness Resource CD (now online)
  Cybersecurity on Campus Executive Awareness Video (2005)
  Computer Security Student Video Contest (2006 and 2007)
  Outreach to Higher Ed Associations and Beyond (2003-present)

Partnerships
  Federal Trade Commission (FTC)
  National Cyber Security Alliance (www.StaySafeOnline.info)
  National Centers of Academic Excellence in IA Education
  SANS

Standards, Policies, & Procedures

Goal

To develop information technology standards, policies, and procedures that are appropriate, enforceable, and effective within the higher education community.

Programs
  STF Policy and Legal Issues Working Group
  STF Risk Assessment Working Group
  EDUCAUSE Washington Office - Public Policy and Government Relations
  EDUCAUSE/Cornell Institute for Computer Policy and Law

Standards, Policies, & Procedures (cont’d)

Accomplishments
  Principles to Guide Efforts to Improve Computer and Network Security in Higher Education (2003)
  Publication of White Paper on “IT Security for Higher Education: A Legal Perspective” (2003)
  Information Security Governance Assessment Tool (2004)
  Risk Assessment Framework (2005)
  Model Security Policies Project (2006)

Partnerships
  Association of College and University Auditors (ACUA)
  National Association of College & University Attorneys (NACUA)
  National Association of College & University Business Officers (NACUBO)
  National Institute for Standards in Technology (NIST)

Security Architecture and Tools

Goal

To design, develop, and deploy infrastructures, systems, and services that incorporate security as a priority; and to employ technology to monitor resources and minimize adverse consequences of security incidents.

Programs
  STF Effective Security Practices Working Group
  Internet2 Security Working Groups
  EDUCAUSE and Internet2 PKI, Middleware, and ID Management Initiatives

Security Architecture & Tools (cont’d)

Accomplishments
  Effective Security Practices Guide (2004 and 2006)
  Effective Security Practices & Solutions (ongoing)
  Whitepaper on Automating Network Policy Enforcement (2004)
  Center for Internet Security Benchmarks (2004 - present)

Partnerships
  The Center for Internet Security
  DHS National Cyber Security Division
  NSF Middleware Initiative

Organization and Information Sharing

Goal

To create the capacity for a college or university to effectively deploy a comprehensive security architecture (people, process, and technology), and to leverage the collective wisdom and expertise of the higher education community.

Programs
  Security Task Force Executive Committee & Leadership Team
  EDUCAUSE Security Discussion Group
  Annual Security Professionals Conference
  Research & Education Networking Information Sharing & Analysis Center (REN-ISAC)

Organization & Info Sharing (cont’d)

Accomplishments
  Security Discussion Group ~ 2,000 subscribers
  REN-ISAC Trusted Communications ~ 200 organizations
  Annual Security Professionals Conference > 400 at Security ’07
  Security Task Force working groups > 100 active volunteers

Partnerships
  International Association of Campus Law Enforcement Administrators (IACLEA)
  ISAC Council
  U.S. Department of Homeland Security U.S. – Computer Emergency Readiness Team (US-CERT)
  Federal Bureau of Investigation – InfraGard Program
  U.S. Secret Service – Electronic Crimes Task Force

Linkages between IA and IT

Higher Ed & Cybersecurity
  IT Operations
  IA Teaching and Learning
  IA Research and Discovery

Creating Linkages between IA educational and research communities with campus IT
  Partnerships for Teaching and Research
  Setting Campus Direction
  Employment

Testimony of IA Graduate

“One of the biggest gaps in IA education can be bridging between the theoretical and practical aspects of security. Practitioners can help reduce the gap by bringing practical experience to the classroom, or acting as mentors while the aforementioned work by the student is performed. IA programs can help the students develop the business language of security. Often information security professionals are well versed in the technologies of security, but are not able to adequately relate the risk equation or impact to business.”

Matthew Dalton (Norwich University, Class of ‘05)
Manager, Security and Privacy
University of Rochester

Sample Partnerships

The George Washington University and University of Rochester have used some IA students as summer interns for special projects
The University of Oklahoma has hired IA students as student employees which helped them secure jobs after graduation
California State University, San Bernardino, has employed IA students in the Information Security Office
The University of Massachusetts, Amherst, has developed a speaker series that brings together students, faculty, and IT operations staff.

Sample Partnerships (cont’d)

Carnegie Mellon University Software Engineering Institute Staff have guest lectured in courses
Indiana University Chief IT Policy Officer has guest lectured on security policies in courses
University at Buffalo Information Security Officer sits on Center’s Advisory Board
Director and Associate Director of the Center at the University at Buffalo sit on ISO’s Information Security Advisory Group

Testimony of Higher Ed ISO

“I work at a large public research University. There is an enormous pool of expertise and great intelligence in the faculty and student population. I try to take advantage of the opportunities I have to tap into that pool to help protect the University programs, infrastructure and data as well as reduce risk to its mission of instruction, research and community service. I'd be crazy not to try very hard to capitalize on the CEISARE and its assets.”

Chuck Dunn
Information Security Officer
University at Buffalo

Sample Partnerships (cont’d)

Cal Poly Pomona has involved students in conducting institutional risk assessments

The University of Texas at San Antonio Center conducted a System-wide IT Security Operational Review for the University of Texas System

Virginia Tech operates a security lab where students can test new software and identify vulnerabilities.

Virginia Tech is working with SANS with faculty and student input to develop a certification for secure coding

Employment Opportunities

Applications Development
Computer Labs
Database Administration
Help Desk
Instructional Design
Network Operations Center
ResNet Technology Classrooms
User Support
Web Design

Security Employment

Chief Information Security Officer
Security Incident Handler
  Handling Abuse Incidents
Security Engineer
Security Analyst
Security Architect
Security Awareness Coordinator
IT Disaster Recovery Manager
Business Continuity Planner
ID Management and Directory Services

Academic Opportunities

Class Projects
  Participation in Student Video Contest
  Conducting Risk Assessments

Independent Studies
  Asset Identification and Classification

Internships
  Information Security Office

Research Studies
  Security Metrics/Effectiveness of Current Efforts

[Insert Your Idea Here]

How We Can Help You

Suggest group projects, class assignments, or topics for study

Provide guest lectures in courses or presentations as part of speaker series

Provide mentoring or career advice for aspiring information security professionals

Serve as faculty for courses and members of advisory committees or review boards

Your Next Steps

Reach out to your campus CIO or CISO and meet to brainstorm possibilities
Structure class projects and assignments to incorporate real life applications
Consider contributing your time and expertise to the EDUCAUSE/Internet2 Security Task Force
Share with your peers creative approaches taken at your institution

Testimony of IA Graduate

“One of the nice things about my program was its tight integration with my employer. At the end of the program, I had developed an enterprise risk assessment of the institution with recommendations for improvement. I would say that depending on the program, there should be a tight integration with either the campus community or the student's employer/community through strong project work, internships, and operational integration.”

Matthew Dalton (Norwich University, Class of ‘05)
Manager, Security and Privacy
University of Rochester

For more information

EDUCAUSE/Internet2 Security Task Force
www.educause.edu/security

Joy [email protected]

703.993.8728

Peter [email protected]

530.752.4998

Rodney [email protected]

202.331-5368