EDUCAUSE Center for Applied Research Security Survey Rodney Petersen Government Relations Officer Security Task Force Coordinator EDUCAUSE.


Research Methodology
- Literature review of material published from 2003 to 2005, with the intent of identifying issues of concern to the higher education community and creating additional hypotheses to test
- Consultation with security experts, including members of the EDUCAUSE/Internet2 Computer and Network Security Task Force, and IT leaders at 17 higher education institutions
- A quantitative web-based survey first used in 2003 was modified to reflect changes in technologies and practices; 492 higher education institutions responded to the survey
- A longitudinal analysis compared the survey findings with those from ECAR's 2003 study; 204 institutions responded to both surveys, and that population was used to perform the comparison

ECAR IT Security Study
The Headlines You Won't Read in the Chronicle of Higher Ed or New York Times:
- The respondents feel more secure today than two years ago despite being in a perceived riskier environment.
- Respondents feel that the academic community has become more sensitive to security and privacy in the last two years.
ECAR IT Security Study, 2006

IT Security Incidents
- Ten percent of the respondents in our survey indicated that they had an IT security incident in the last twelve months which had been reported to the press (down from 19 percent in 2003).
- A majority of institutions (74.2 percent) report that the number of incidents in the past twelve months is about the same as or less than the year before.
- The primary perceived risks are viruses (72.6 percent), theft of personal financial information (64.8 percent), and spoofing and spyware (55.3 percent).
ECAR IT Security Study, 2006

Blueprint for Handling Data
Step 1: Create a security risk-aware culture that includes an information security risk management program
Step 2: Define institutional data types
Step 3: Clarify responsibilities and accountability for safeguarding confidential/sensitive data
Step 4: Reduce access to confidential/sensitive data not absolutely essential to institutional processes
Step 5: Establish and implement stricter controls for safeguarding confidential/sensitive data
Step 6: Provide awareness and training
Step 7: Verify compliance routinely with your policies and procedures

Step 1: Risk-Aware Culture
1.1 Institution-wide security risk management program
1.2 Roles and responsibilities defined for overall information security at the central and distributed level
1.3 Executive leadership support in the form of policies and governance actions

Risks Incurred
Damage | Percent
Business application, including , unavailable | 33.7%
Network unavailable | 29.4%
Information confidentiality compromised | 26.0%
Damage to software | 21.5%
Damage to data | 12.5%
Negative publicity in the press | 10.0%
Identity theft | 8.4%
Damage to hardware | 7.4%
Financial losses | 6.4%
ECAR IT Security Study, 2006

Risk Assessment
Risk assessments performed | Frequency | Percent
No risk assessments done | | %
For some institutional data and asset types | | %
For all institutional data and asset types | 42 | 8.6%
Don't know | 12 | 2.5%
Total | | %
ECAR IT Security Study, 2006

Responsibility for IT Security
Position | Percent responsible in 2005 | Percent responsible in 2003 | Percent new adopters | Rate of change
IT security officer (or equivalent) | 34.9% | 22.4% | 12.5% | 55.8%
CIO (or equivalent) | 14.3% | 6.7% | 7.6% | 113.4%
Director of administrative computing | 2.7% | 3.2% | -0.5% | -15.6%
Director of academic computing | 1.2% | 1.8% | -0.6% | -33.3%
Other academic management | 0.6% | 1.2% | -0.6% | -50.0%
Other administrative management | 0.6% | 3.2% | -2.6% | -81.3%
Other IT management | 23.9% | 30.9% | -7.0% | -22.7%
Director of networking | 21.8% | 30.6% | -8.8% | -28.8%
ECAR IT Security Study, 2006

IT Security Staffing
- Less than one percent indicated an expected staff decrease, while 50.2 percent expected no change, 24.4 percent expected to add one staff member, and 7.7 percent expected to add two or more.
- A sea change has occurred in two years with respect to the operational staffing structure for central IT security: one quarter of the 204 institutions in both the 2003 and 2005 studies have moved to centralize security in the IT organization, and the rate of change was 59.7 percent.
ECAR IT Security Study, 2006

Centralization
Staffing structure | 2005 Percent | 2003 Percent | Percent change | Rate of change
One central IT security unit/function | 61.8% | 38.7% | 23.1% | 59.7%
Spread across multiple central IT units/functions | 32.7% | 58.2% | -25.5% | -43.8%
Other | 5.5% | 3.1% | 2.4% | 77.4%
ECAR IT Security Study, 2006

IT Security Certification
Certificate | Percent held in 2005 | Percent held in 2003 | Percent new holders | Rate of change
Certified Information Systems Security Professional (CISSP) | 20.8% | 12.4% | 8.4% | 67.7%
Global Information Assurance Certification (GIAC) | 6.8% | 2.6% | 4.2% | 161.5%
Certified Information Systems Auditor (CISA) | 3.2% | 1.5% | 1.7% | 113.3%
ECAR IT Security Study, 2006

Change in Barriers
Barrier | 2005 Percent | 2003 Percent | Percent change | Rate of change
Lack of awareness | 35.8% | 50.5% | -14.7% | -29.1%
Culture of decentralization | 29.9% | 37.3% | -7.4% | -19.8%
Lack of enforcement of policies | 13.2% | 20.1% | -6.9% | -34.3%
Absence of policies | 22.1% | 27.0% | -4.9% | -18.1%
Lack of senior management support | 13.2% | 17.2% | -4.0% | -23.3%
Lack of resources | 68.1% | 71.6% | -3.5% | -4.9%
Technology issues | 7.4% | 8.8% | -1.4% | -15.9%
Privacy of the individual | 4.4% | 0.0% | |
ECAR IT Security Study, 2006

Step 2: Define Data Types
2.1 Compliance with applicable federal and state laws and regulations, as well as contractual obligations, related to privacy and security of data held by the institution (also consider applicable international laws)
2.2 Data classification schema developed with input from legal counsel and data stewards
2.3 Data classification schema assigned to institutional data to the extent possible or necessary

Policies in Place
- Protection of organizational assets (73%)
- Data classification, retention, and destruction (51%)
- Identity management (50%)
ECAR IT Security Study, 2006

Step 3: Clarify Responsibilities
3.1 Data stewardship roles and responsibilities
3.2 Legally binding third-party agreements that assign responsibility for secure data handling
ECAR IT Security Study, 2006

Policies in Place
- Individual employee responsibilities for information security practices (73%)
- Sharing, storing, and transmitting data (51%)
ECAR IT Security Study, 2006

Step 4: Reduce Access to Data
4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information
4.2 Application outputs (e.g., queries, hard-copy reports, etc.) should provide only the minimum necessary confidential/sensitive information
4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices
4.4 Eliminate unnecessary confidential/sensitive data on servers, desktops, and mobile devices
4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication

Step 5: Controls
5.1 Inventory and review/remediate security of devices
5.2 Configuration standards for applications, servers, desktops, and mobile devices
5.3 Network-level protections
5.4 Encryption strategies for data in transit and at rest
5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage
5.6 Identity management and resource provisioning processes
5.7 Secure disposal of equipment and data
5.8 Consider background checks on individuals handling confidential/sensitive data

IT Security Approaches
Approach | Percent used in 2005 | Percent used in 2003 | Percent new adopters | Rate of change
Network firewalls (perimeter) | 77.0% | 68.1% | 8.9% | 13.1%
Centralized data backup system | 76.6% | 68.1% | 8.5% | 12.5%
Virtual private network (VPN) for remote access | 75.4% | 45.6% | 29.8% | 65.4%
Enterprise directory | 71.9% | 46.3% | 25.6% | 55.3%
Network firewalls (interior) | 65.0% | 51.0% | 14.0% | 27.5%
Intrusion detection | 62.3% | 46.1% | 16.2% | 35.1%
Active filtering | 59.3% | 29.7% | 29.6% | 99.7%
Intrusion prevention | 44.3% | 33.5% | 10.8% | 32.2%
Security standards for application or system development | 32.4% | 27.5% | 4.9% | 17.8%
Electronic signature | 6.4% | 5.9% | 0.5% | 8.5%
Shibboleth | 4.9% | 1.5% | 3.4% | 226.7%
ECAR IT Security Study, 2006

IT Security Technologies
- Network perimeter firewalls, centralized data backup systems, virtual private networks, an enterprise directory, and network interior firewalls are the technologies most in use.
- Active filtering increased in use by 99.7 percent, VPN for remote access by 65.4 percent, and enterprise directories by 55.3 percent.
- There is significantly less difference among Carnegie Class institutions in the use of IT security technologies in 2005 when compared to 2003.
ECAR IT Security Study, 2006

IT Security Technologies
- The most significant change in wireless security between 2003 and 2005 is the implementation of firewalls (24.8 percent new adopters), followed by IP VPN (14.8 percent new adopters).
- Conventional passwords/PINs predominate (94.4 percent). We found that 26.9 percent of the institutions used Kerberos.
- The most often used IT security strategies were limiting protocols that are allowed through the network firewall or router (87.1 percent), restricting or limiting access to servers and applications (79.6 percent), and timing out access to applications after an idle period (77.0 percent).
ECAR IT Security Study, 2006

Strategies to Reduce IT Security Vulnerabilities
Approach | Percent used in 2005 | Percent used in 2003 | Percent new adopters | Rate of change
Limiting the types of protocols allowed through the firewall/router | 88.7% | 73.0% | 15.7% | 21.5%
Restricting and eliminating access to servers and applications | 80.9% | 70.1% | 10.8% | 15.4%
Timing out access to specific applications after an idle period | 76.0% | 65.0% | 11.0% | 16.9%
Instituting a recovery or backup plan in the case of disasters caused by natural events or by human acts | 44.3% | 46.3% | -2.0% | -4.3%
Limiting the URLs allowed through the firewall | 29.1% | 26.9% | 2.2% | 8.2%
Installing a software inventory system to watch for malicious software or program changes | 17.7% | 11.4% | 6.3% | 55.3%
Using security devices (cards, biometric scanners, etc.) for authentication | 15.8% | 12.3% | 3.5% | 28.5%
ECAR IT Security Study, 2006

Wireless Security
Approach | Percent used in 2005 | Percent used in 2003 | Percent new adopters | Rate of change
Firewall | 71.4% | 46.6% | 24.8% | 53.2%
Remote Authentication Dial-In User Service (RADIUS) | 54.4% | 41.6% | 12.8% | 30.8%
Internet Protocol Virtual Private Network (IP VPN) | 47.8% | 33.0% | 14.8% | 44.8%
128-bit Wired Equivalent Privacy (WEP) | 34.5% | 33.4% | 1.1% | 3.3%
Wireless vendor-supplied proprietary solution | 25.7% | 18.5% | 7.2% | 38.9%
Kerberos | 21.2% | 12.2% | 9.0% | 73.8%
Extensible Authentication Protocol (EAP) | 19.7% | 14.8% | 4.9% | 33.1%
40-bit Wired Equivalent Privacy (WEP) | 19.6% | 24.4% | -4.8% | -19.7%
Advanced Encryption Standard (AES) | 14.2% | 6.3% | 7.9% | 125.4%
ECAR IT Security Study, 2006

Authentication
Method | Already implemented
Conventional password/PIN | 94.4%
Strong password | 59.8%
Kerberos | 26.9%
SecurID-style one-time password | 8.9%
Other multi-factor authentication methods | 8.1%
PKI certificate (software) without PIN | 6.8%
PKI certificate (software) with PIN | 5.1%
Biometric identification | 2.8%
PKI hardware token with PIN | 1.7%
PKI hardware token without PIN | 0.9%
ECAR IT Security Study, 2006

Password Changes
Required change interval | Frequency | Percent | Cumulative percent
Single use | 2 | 0.4% |
Every 30 days | 18 | 3.8% | 4.2%
Every 60 days | 53 | 11.2% | 15.4%
days | | % | 57.2%
More than 180 days | 28 | 5.9% | 63.1%
It varies | 90 | 19.0% | 82.1%
No requirement | 78 | 16.5% | 98.5%
Don't know | 7 | 1.5% | 100.0%
Total | | % |
ECAR IT Security Study, 2006

Policies in Place
- Secure disposal of data, media, or printed material that contains sensitive information (71.0%)
ECAR IT Security Study, 2006

Step 6: Awareness and Training
6.1 Make confidential/sensitive data handlers aware of privacy and security requirements
6.2 Require acknowledgment by data users of their responsibility for safeguarding such data
6.3 Enhance general privacy and security awareness programs to specifically address safeguarding confidential or sensitive data

Awareness Programs
 | Students | Faculty | Staff
Program in 2003 | | 38.2% | 42.2%
Program in 2005 | | 68.8% | 69.1%
Percent change | 23.1% | 30.6% | 26.9%
ECAR IT Security Study, 2006

Awareness Programs
 | Students | Faculty | Staff
Mandatory | 17.4% | 14.5% | 20.4%
Voluntary | 37.9% | 47.7% | 44.4%
No program | 44.7% | 37.7% | 35.2%
ECAR IT Security Study, 2006

Step 7: Verify Compliance
7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption
7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance
7.3 Routinely audit access privileges
7.4 Procurement procedures and contract language to ensure proper data handling is maintained
7.5 System development methodologies that prevent new data handling problems from being introduced into the environment
7.6 Utilize the audit function within the institution to verify compliance
7.7 Incident response policies and procedures
7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed
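The inventory and scanning items in Step 4 (4.3 and 4.4, finding and eliminating stored confidential data such as SSNs) and Step 7 (7.2, routinely scanning servers and desktops that hold such data) are in practice carried out with a tool that walks file systems looking for SSN-like patterns. The scanner below is an added example written for this page; it is not a tool from the ECAR study or the EDUCAUSE/Internet2 Blueprint, and the function names, directory layout and file contents are constructed for illustration. It matches the three-two-four digit shape with a consistent separator, applies the Social Security Administration's structural rules (area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid; 987-65-4320 through 4329 are reserved for advertising) to cut false positives, skips binary files, and reports only masked hits so the report does not itself become another copy of the sensitive data.

```python
"""Added example: a small scanner for SSN-like data, in the spirit of
Blueprint Steps 4.3/4.4 (inventory and eliminate sensitive data) and
7.2 (routinely scan). Not a tool from the ECAR study or EDUCAUSE; all
file names and contents below are constructed for illustration."""
import os
import re
import tempfile

# Three digits, an optional separator ("-" or space), two digits, the SAME
# separator again, four digits. The lookarounds reject a digit or hyphen on
# either side so phone numbers (555-123-4567) and longer IDs are not matched.
_SSN_RE = re.compile(r"(?<![\w-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\w-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the Social Security Administration:
    area 000, 666 and 900-999 are never issued, group 00 and serial 0000
    are invalid, and 987-65-4320..4329 are reserved for advertising."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    if area == "987" and group == "65" and 4320 <= int(serial) <= 4329:
        return False
    return True


def scan_text(text: str) -> list:
    """Return masked hits (only the last four digits kept) for one text."""
    hits = []
    for m in _SSN_RE.finditer(text):
        area, _sep, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append(f"***-**-{serial}")
    return hits


def scan_tree(root: str, max_bytes: int = 4 * 1024 * 1024) -> dict:
    """Walk `root` and return {relative path: hit count} for files with hits.
    Files that look binary (NUL byte in the first KiB) are skipped, and at
    most `max_bytes` of each file is examined."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if b"\0" in data[:1024]:
                continue
            hits = scan_text(data.decode("utf-8", errors="ignore"))
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = len(hits)
    return report


def build_sample_tree() -> str:
    """Constructed sample data (not real records); returns the temp root."""
    root = tempfile.mkdtemp(prefix="ssn-scan-")
    samples = {
        "hr/roster.txt": "Jane Doe 123-45-6789\nJohn Roe 234 56 7890\n",
        "notes.txt": "Call 555-123-4567; ticket 1234567890; no SSN here.\n",
        "old/export.csv": "id,ssn\n1,345678901\n2,000-12-3456\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    # Prints a per-file hit count; the sample tree yields 2 hits in
    # hr/roster.txt and 1 in old/export.csv (000-12-3456 is rejected).
    for rel, count in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{count:4d}  {rel}")
```

Run it against a real share by replacing `build_sample_tree()` with the mount point. A hit count per file is enough to drive Step 4.4 (delete or relocate the file) and to re-run under Step 7.2; the masked values are there only so a data steward can confirm a hit against the source record.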

IT Security Audits
- Twenty-five percent of responding institutions do not perform formal IT security audits.
- The majority (50.6 percent) perform formal IT security audits on an irregular basis.
ECAR IT Security Study, 2006

Policies in Place
- Managing privacy issues, including breaches of personal information (72%)
- Incident reporting and response (69%)
- Disaster recovery contingency planning (68%)
- Investigation and correction of the causes of security failures (68%)
- Notification of security events to individuals, law enforcement, etc. (67%)
ECAR IT Security Study, 2006

IT Security Plan
- 11.2 percent: a comprehensive IT security plan is in place
- 66.6 percent: a partial plan is in place
- percent: no IT security plan is in place
ECAR IT Security Study, 2006

Characteristics of Successful IT Security Programs
- Institutions with IT security plans in place characterize their IT security programs as more successful and feel more secure today.
- The respondents who believe their institution provides the necessary resources give higher ratings for IT security program success and for their current sense of IT security.
ECAR IT Security Study, 2006

For more information
Rodney Petersen
Phone:
EDUCAUSE/Internet2 Security Task Force
EDUCAUSE Center for Applied Research
Blueprint for Handling Sensitive Data: wiki.internet2.edu/confluence/display/secguide