Computer Access, Privacy and Security: Legal Obligations and Liabilities
Rodney J. Petersen, Policy Analyst, EDUCAUSE; EDUCAUSE/Internet2 Security Task Force Coordinator
© 2003, EDUCAUSE/Internet2 Computer and Network Security Task Force
Introduction: 3 C’s of Security
Change – academic culture is shifting, technology is evolving, and new threats and vulnerabilities are emerging
Complex – technical solutions are increasingly sophisticated, but the focus should be on information security
Critical! – asset protection is important, but critical infrastructures are at risk!
Policy of the United States
“In the past few years, threats in cyberspace have risen dramatically. The policy of the United States is to protect against the debilitating disruption of the operation of information systems for critical infrastructures and, thereby, help to protect the people, economy, and national security of the United States. We must act to reduce our vulnerabilities to these threats before they can be exploited to damage the cyber systems supporting our Nation’s critical infrastructures and ensure that such disruptions of cyberspace are infrequent, of minimal duration, manageable, and cause the least damage possible.”
Letter from President George W. Bush to The American People, The National Strategy to Secure Cyberspace (February 2003)
Coordinated Higher Ed Effort
EDUCAUSE – Use of IT in Higher Education
Internet2 – Advanced Networking & Next Generation
Higher Education Information Technology Alliance (http://www.heitalliance.org):
American Association of Community Colleges
American Association of State Colleges and Universities
American Council on Education
Association of American Universities
Association of Research Libraries
EDUCAUSE
Internet2
National Association of College and University Business Officers
National Association of Independent Colleges and Universities
National Association of State Universities and Land-Grant Colleges
University Continuing Education Association
EDUCAUSE/Internet2 Computer and Network Security Task Force
Co-chairs: Jack Suess, UMBC, & Gordon Wishon, University of Notre Dame
Resource on Computer and Network Security for the Higher Education Community: www.educause.edu/security
Initiatives:
Outreach and Awareness
Effective Practices and Solutions
Professional Development for Security Professionals
Risk Assessment Methods and Tools
Legal Issues and Institutional Policies
Federal/State Public Policy
Vendor Engagement
Message to Presidents (Feb 2003)
Set the tone: ensure that all campus stakeholders know that you take Cybersecurity seriously. Insist on community-wide awareness and accountability.
Establish responsibility for campus-wide Cybersecurity at the cabinet level. At a large university, this responsibility might be assigned to the Chief Information Officer. At a small college, this person may have responsibility for many areas, including the institutional computing environment.
Ask for a periodic Cybersecurity risk assessment that identifies the most important risks to your institution. Manage these risks in the context of institutional planning and budgeting.
Request updates to your Cybersecurity plans on a regular basis in response to the rapid evolution of the technologies, vulnerabilities, threats, and risks.
David Ward, President, American Council on Education
Awareness and Accountability
Only one-third of our institutions have a formal awareness program for students, faculty, or staff – ECAR Study (2003)
“The key to sec-U-R-IT-y? You are it!” – University of Arizona
The National Strategy recommends that institutions of higher education identify and adopt model user awareness programs and materials.
New Awareness Campaign
www.microsoft.com/education/?ID=SecurityPosters
Responsibility and Authority
Directors of networking are most often in charge of day-to-day management of IT security (31%), followed by chief IT security officers (22%) and CIOs (7%). Only 20% of the institutions surveyed have a full-time chief IT security officer – ECAR Study (2003)
Only 14% of the institutions surveyed indicate that they “regularly report” IT security incidents to senior management – ECAR Study (2003)
The National Strategy recommends that institutions of higher education identify and adopt model guidelines empowering Chief Information Officers (CIOs) to address cybersecurity.
Risk Management
Only 30% of the institutions surveyed have undertaken a risk assessment to determine their IT assets’ value and the risk to those assets – ECAR Study (2003)
Risk Assessment (identify assets, classify assets, inventory policies and practices, vulnerabilities, etc.) and Responses to Risk (assumption, control, mitigation, or avoidance)
The National Strategy recommends that institutions of higher education identify and adopt one or more sets of best practices for IT security.
Risk = Threats x Vulnerabilities x Impact
Types of Risk (Impact)
Legal Risks
Financial Risks
Reputational Risks
Operational Risks
Strategic Risks
Cybersecurity Plans
Only 13% of the institutions surveyed have comprehensive IT security plans in place. 10% said no plan was in place. 42% had a partial plan in place. 36% are currently developing a plan – ECAR Study (2003)
Convergence with Emergency Preparedness Planning Activities
Relationship to Business Continuity
Cyber Security as part of Strategic Plans
Security Policies
“A security policy is a concise statement, by those responsible for a system (such as senior management), of information values, protection responsibilities and organizational commitment.” [U.S. General Accounting Office]
54% of the institutions surveyed have formal institutional IT security policies – ECAR Study (2003)
37% had policies in the implementation stage – ECAR Study (2003)
What Formal Policies Cover
99% - acceptable use
89% - system access control
85% - authority to shut off Internet access
83% - data security
82% - network security
82% - enforcement of institutional policies
80% - desktop security
71% - physical security of assets
61% - residence halls
51% - remote devices
39% - application development
ECAR Study (2003)
Security Policies & Procedures
Rationale/Purpose
Scope
Policy Statement
Roles & Responsibilities
Procedures
Related Policies
Rationale or Purpose
Examples include:
Confidentiality, Integrity, & Availability
Attainment of Institutional Mission
Compliance with Laws or Regulations (GLB Act, HIPAA, State Laws or Regulations)
Principles
Guiding Principles
Civility and Community
Academic and Intellectual Freedom
Privacy and Confidentiality
Equity, Diversity, and Access
Fairness and Process
Ethics, Integrity, and Responsibility
Scope
Examples include:
Data or information?
Computers and networks?
“Information Resources – information in any form and recorded on any media, and all computer and communications equipment and software.” [Georgetown University Information Security Policy]
Policy Statement
Examples include:
Risk management
Critical asset identification
Physical security
System and network management
Authentication & authorization
Access control
Vulnerability management
Awareness & training
Roles and Responsibilities
Examples include:
Governing Board
Executive Management
Chief Information Officer
Chief Security Officer
Unit Directors
End-Users
Procedures
Examples include:
Breach notification
Logging and monitoring
Identification of departmental contacts
Blocking network access
Incident response
Incident Response
The National Strategy recommends:
an on-call point-of-contact to Internet service providers and law enforcement officials in the event that the school’s IT systems are discovered to be launching cyber attacks;
one or more Information Sharing and Analysis Centers to deal with cyber attacks and vulnerabilities;
Related Policies
Examples include:
Acceptable Use
Elimination of Social Security numbers as primary identifiers
Collection and Disclosure of Personal Information
Privacy Policy
Identity Management
For more information:
EDUCAUSE/Internet2 Computer and Network Security Task Force
http://www.educause.edu/security
Email: rpetersen@educause.edu