Higher Education Information Security Council (HEISC) Cybersecurity Awareness Initiatives Larry Conrad, Co-Chair and CIO at UNC-Chapel Hill Michele Norin, Co-Chair and CIO at University of Arizona HEISC Mission: works to improve information security and privacy programs across the higher education sector through its community members and focused partnerships with government, industry, and other academic organizations. HEISC actively develops and promotes awareness and understanding, effective practices and policies, and solutions for the protection of critical IT assets and infrastructures.

IT USER AWARENESS Audiences: Students, Faculty, Staff, and Guests Higher Ed NCSAM Events Free Materials: NCSAM Resource Kit & Cybersecurity Awareness Resource Library Colleges and universities across the country are busy delivering awareness program throughout the month of October to promote National Cyber Security Awareness Month. Awareness programs are targeted to users of campus IT systems and networks. Students are transient and turnover at least every 4 years. They also make recreational uses of our networks, especially students who live in our residence halls. Most students are “digital natives”. Staff often have access to sensitive data and tend to be less sophisticated users (i.e., “digital immigrants”). Faculty are challenging to reach and require creative efforts to “educate”. We welcome your suggestions for how to reach our faculty. We often forget about the many guests who use our computers and networks – conference attendees, summer camp residents, visiting faculty, etc. We shouldn’t ignore educational opportunities to reach ALL users of our resources. Every year we build more and more momentum in the celebration of National Cyber Security Awareness Month. HEISC has created a “Resource kit” and has a “Cybersecurity Awareness Resource Library” to help you in your NCSAM efforts. One of the HEISC initiatives is to regulary hold a Poster and Video Contest for students. The idea is to incent, through cash prizes, the creation of awareness content FOR students designed BY students. The videos and posters are informative, creative, and often humorous. We encourage you to utilize these free resources which are supported in part by financial support from DHS and the National Cyber Security Alliance. The SANS Institute has also developed a series of awareness training materials known as Security the Human. Several institutions of higher education took advantage of the initial discount offer to license access to these resources and plan to use the materials as part of their NCSAM efforts. Here is a brief video clip from that program. “Roll the tape.” <show video> An additional subscription period will follow later this year.

EXECUTIVE AWARENESS Audiences: Boards and C-Level Administrators Key Messages: IT as a Key Strategic Asset Cyber & Enterprise Risk Management Prioritization and Funding Initiatives: HEISC Project Team Developing Strategies and Tactics Outreach to Professional Associations (e.g., AGB, NACUBO, URMIA, etc.) Support CIO and ISO in Making Their Case In addition to the education of all-users, CIO’s and CISO’s must educate senior campus administrators about the importance of cybersecurity for their institution. The audience for executive awareness includes boards, chancellors or presidents, and vice presidents for administration, research, student affairs, and university relations. These C-level executives influence strategic directions and control resources for the institution. Some of the key messages for senior executives include: -IT as a strategic asset for the institution; it’s no longer an option but a necessity to have reliable IT systems and networks for your institution; it is a strategic advantage; IT as a strategic asset requires senior leadership support and engagement -Information security is fundamentally a matter of risk management; as a component of an enterprise risk management strategy, institutions must consider how they will protect cyber assets in the same way that they develop risk management approach to protect human assets and physical assets -Of course, for CIO’s and CISO’s, the expression of executive support is often communicated through financial funding and the prioritization of IT infrastructure and projects; while sustaining funding support is difficult during the current fiscal crisis, cybersecurity remains a critical investment in support of the institutional mission and to avoid the negative consequences of a security breach HEISC is continuing to devise strategies and tactics for advancing executive awareness, including outreach to the professional associations for C-Level executives and developing resources that will help CIO’s and CISO’s make their case to their peers or superiors

DATA PRIVACY MONTH IN 2012 Data Privacy Day, January 28 www.dataprivacyday.org Data Privacy Issues Privacy Professionals Fair Information Practices Identity Management and Attribute Sharing Mobile Devices and Tracking Capabilities Shared Services, including Cloud Computing State Longitudinal Data Systems Just like “ivory and ebony”, privacy and security and security work together in perfect harmony. It is undeniable that there are tensions between the two as security professionals seek more accountability and greater levels of control while privacy advocates prefer anonymity or more individual control over their information. Nonetheless, the two disciplines are increasingly complementary and we are seeing a slow but gradual movement towards the creation of Chief Privacy and Security Officer positions at colleges and universities. Not surprisingly, during October many of the campus awareness campaigns address privacy topics – e.g., protection of your personal information, avoiding phishing scams, safeguarding regulated information. Starting in January of 2012, HEISC is extending its awareness programs to support the observance of Data Privacy Day. This is an ideal opportunity to provide another period of focus on cybersecurity awareness and privacy protection at the start of a new semester. Look for more information coming from EDUCAUSE in November/December to prepare for this next round of awareness activities. Examples of data privacy issues of importance to our community include: -how do we support and embrace the role of privacy professionals in higher education? -how do we promote fair information practices in our organizations? -what are the implications of identity management – designed to protect privacy – but challenged by the need to share attributes among institutions or with service providers -what are the implications of the growing use of mobile devices that gives us increasing capabilities to monitor and track users -as institutions consider options for outsourcing or engaging in shared services, including cloud computing, what are the privacy and security implications of such arrangements? Are we better off or worse off than keeping the data in house? -as the federal government continues to promote accountability and pour funding into state longitudinal data systems to monitor student progress from pre-school through the workforce, how do we address the privacy concerns of individuals? As you can see, there are number of privacy issues for individuals and institutions that we hope to shine a spotlight on during January.

WHAT CAN YOU DO? Host: NCSAM Event on Your Campus Join/Share: Security Discussion Group Volunteer: HEISC Working Group Attend: Security 2012 in Indianapolis Contribute: Higher Ed InfoSec Guide Follow: @HEISCouncil For more information, see www.educause.edu/security Call to Action: -join in the fun and be a part of NSCAM; share what you are doing with our HEISC staff from EDUCAUSE -share what you are doing on the Security Discussion Group listser -HEISC is a volunteer organization; we need your support and encourage you to volunteer -Attend the security conference and submit a presentation proposal -Check out the Higher Ed InfoSec Guide and contribute an effective practice or solution from your institution -Follow us on Twitter -Check out our website