Presentation is loading. Please wait.

Presentation is loading. Please wait.

EDUCAUSE Center for Applied Research Security Survey Rodney Petersen Government Relations Officer Security Task Force Coordinator EDUCAUSE.

Published byElla Weaver Modified over 9 years ago

Similar presentations

Presentation on theme: "EDUCAUSE Center for Applied Research Security Survey Rodney Petersen Government Relations Officer Security Task Force Coordinator EDUCAUSE."— Presentation transcript:

1 EDUCAUSE Center for Applied Research Security Survey Rodney Petersen Government Relations Officer Security Task Force Coordinator EDUCAUSE

2 Research Methodology Literature review of material published from 2003 – 2005, with the intent of identifying issues of concern to the higher education community, and creating additional hypotheses to test Consultation with security experts, including members of the EDUCAUSE/Internet2 Computer and Network Security Task Force, and IT leaders at 17 higher education institutions A quantitative web-based survey first used in 2003 was modified to reflect changes in technologies and practices. 492 higher education institutions responded to the survey A longitudinal analysis compared the survey findings with those from ECAR’s 2003 study. 204 institutions responded to both surveys, and that population was used to perform the comparison

3 ECAR IT Security Study The Headlines You Won’t Read in the Chronicle of Higher Ed or New York Times:  The respondents feel more secure today than two years ago despite being in a perceived riskier environment.  Respondents feel that the academic community has become more sensitive to security and privacy in the last two years. ECAR IT Security Study, 2006

4 IT Security Incidents Ten percent of the respondents in our survey indicated that they had an IT security incident in the last twelve months, which had been reported to the press (down from 19 percent in 2003). A majority of institutions (74.2 percent) report that the number of incidents is about the same or less in the past twelve months as compared with the year before. The primary perceived risks are viruses (72.6 percent), theft of personal financial information (64.8 percent), and spoofing and spyware (55.3 percent). ECAR IT Security Study, 2006

5 Blueprint for Handling Data Step 1: Create a security risk-aware culture that includes an information security risk management program Step 2: Define institutional data types Step 3: Clarify responsibilities and accountability for safeguarding confidential/sensitive data Step 4: Reduce access to confidential/sensitive data not absolutely essential to institutional processes Step 5: Establish and implement stricter controls for safeguarding confidential/sensitive data Step 6: Provide awareness and training Step 7: Verify compliance routinely with your policies and procedures

6 Step 1: Risk Aware Culture 1.1 Institution-wide security risk management program 1.2 Roles and responsibilities defined for overall information security at the central and distributed level 1.3 Executive leadership support in the form of policies and governance actions

7 Risks Incurred ECAR IT Security Study, 2006 DamagePercent Business application, including e-mail, unavailable33.7% Network unavailable29.4% Information confidentiality compromised26.0% Damage to software21.5% Damage to data12.5% Negative publicity in the press10.0% Identity theft8.4% Damage to hardware7.4% Financial losses6.4%

8 Risk Assessment FrequencyPercent No risk assessments done20842.6% For some institutional data and asset types 22646.3% For all institutional data and asset types 428.6% Don't know122.5% Total488100.0% ECAR IT Security Study, 2006

9 Responsibility for IT Security PositionPercent responsible in 2005 Percent responsible in 2003 Percent new adopters Rate of change 2003-2005 IT security officer (or equivalent) 34.9%22.4%12.5%55.8% CIO (or equivalent)14.3%6.7%7.6%113.4% Director of administrative computing 2.7%3.2%-0.5%-15.6% Director of academic computing 1.2%1.8%-0.6%-33.3% Other academic management 0.6%1.2%-0.6%-50.0% Other administrative management 0.6%3.2%-2.6%-81.3% Other IT management23.9%30.9%-7.0%-22.7% Director of networking21.8%30.6%-8.8%-28.8% ECAR IT Security Study, 2006

10 IT Security Staffing Less than one percent indicated an expected staff decrease, while 50.2 percent expected no change and 24.4 percent expected to add one staff member, and 7.7 percent two or more. A sea change has occurred in two years with respect to the operational staffing structure for central IT security. One quarter of the 204 institutions in the 2003 and 2005 studies have moved to centralize security in the IT organization and the rate of change was 59.7 percent. ECAR IT Security Study, 2006

11 Centralization Staffing structure2005 Percent 2003 Percent Percent Change Rate of change One central IT security unit/function 61.8%38.7%23.1%59.7% Spread across multiple central IT units/functions 32.7%58.2%-25.5%-43.8% Other5.5%3.1%2.4%77.4% ECAR IT Security Study, 2006

12 IT Security Certification CertificatePercent held in 2005 Percent held in 2003 Percent new holders Rate of change 2003-2005 Certified Information Systems Security Professional (CISSP) 20.8%12.4%8.4%67.7% Global Information Assurance Certification (GIAC) 6.8%2.6%4.2%161.5% Certified Information Systems Auditor (CISA) 3.2%1.5%1.7%113.3% ECAR IT Security Study, 2006

13 Change in Barriers Barrier20052003Institutional Change Rate of Change Lack of awareness35.8% 50.5%-14.7%-29.1% Culture of decentralization29.9% 37.3%-7.4%-19.8% Lack of enforcement of policies13.2% 20.1%-6.9%-34.3% Absence of policies22.1% 27.0%-4.9%-18.1% Lack of senior management support13.2% 17.2%-4.0%-23.3% Lack of resources68.1%71.6%-3.5%-4.9% Technology issues7.4% 8.8%-1.4%-15.9% Privacy of the individual4.4% 0.0% ECAR IT Security Study, 2006

14 Step 2: Define Data Types 2.1 Compliance with applicable federal and state laws and regulations - as well as contractual obligations - related to privacy and security of data held by the institution (also consider applicable international laws) 2.2 Data classification schema developed with input from legal counsel and data stewards 2.3 Data classification schema assigned to institutional data to the extent possible or necessary

15 Policies in Place Protection of organizational assets (73%) Data classification, retention, and destruction (51%) Identity Management (50%) ECAR IT Security Study, 2006

16 Step 3: Clarify Responsibilities 3.1 Data stewardship roles and responsibilities 3.2 Legally binding third party agreements that assign responsibility for secure data handling ECAR IT Security Study, 2006

17 Policies in Place Individual employee responsibilities for information security practices (73%) Sharing, storing, and transmitting data (51%) ECAR IT Security Study, 2006

18 Step 4: Reduce Access to Data 4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information 4.2 Application outputs (e.g., queries, hard copy reports, etc.) should provide only the minimum necessary confidential/sensitive information 4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices 4.4 Eliminate unnecessary confidential/sensitive data on servers, desktops, and mobile devices 4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication

19 Step 5: Controls 5.1 Inventory and review/remediate security of devices 5.2 Configuration standards for applications, servers, desktops, and mobile devices 5.3 Network level protections 5.4 Encryption strategies for data in transit and at rest 5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage 5.6 Identity management and resource provisioning processes 5.7 Secure disposal of equipment and data 5.8 Consider background checks on individuals handling confidential/sensitive data

20 IT Security Approaches ApproachPercent used in 2005 Percent used in 2003 Percent new adopters Rate of change 2003- 2005 Network firewalls (perimeter)77.0%68.1%8.9%13.1% Centralized data backup system76.6%68.1%8.5%12.5% Virtual private network (VPN) for remote access 75.4%45.6%29.8%65.4% Enterprise directory71.9%46.3%25.6%55.3% Network firewalls (interior)65.0%51.0%14.0%27.5% Intrusion detection62.3%46.1%16.2%35.1% Active filtering59.3%29.7%29.6%99.7% Intrusion prevention44.3%33.5%10.8%32.2% Security standards for application or system development 32.4%27.5%4.9%17.8% Electronic signature6.4%5.9%0.5%8.5% Shibboleth4.9%1.5%3.4%226.7% ECAR IT Security Study, 2006

21 IT Security Technologies Network perimeter firewalls, centralized data back up systems, virtual private networks, an enterprise directory, and network interior firewalls are the technologies most in use. Active filtering increased in use by 99.7 percent, VPN for remote access by 65.4 percent, and enterprise directories by 55.3 percent. There is significantly less difference among Carnegie Class institutions in the use of IT security technologies in 2005 when compared to 2003. ECAR IT Security Study, 2006

22 IT Security Technologies The most significant change in wireless security between 2003 and 2005 is the implementation of firewalls (24.8 percent new adopters) followed by IP VPN (14.8 percent new adopters). Conventional passwords/PIN predominate (94.4 percent). We found that 26.9 percent of the institutions used Kerberos. The most often used IT security strategies were limiting protocols that are allowed through the network firewall or router (87.1 percent), restricting or limiting access to servers and applications (79.6 percent), and timing out access to applications after an idle period (77.0 percent) ECAR IT Security Study, 2006

23 Strategies to Reduce IT Security Vulnerabilities ApproachPercent used in 2005 Percent used in 2003 Percent new adopters Rate of change 2003- 2005 Limiting the types of protocols allowed through the firewall/router 88.7%73.0%15.7%21.5% Restricting and eliminating access to servers and applications 80.9%70.1%10.8%15.4% Timing-out access to specific applications after an idle period 76.0%65.0%11.0%16.9% Instituting a recovery or back-up plan in the case of disasters caused by natural events or by human acts 44.3%46.3%-2.0%-4.3% Limiting the URLs allowed through the firewall29.1%26.9%2.2%8.2% Installing a software inventory system to watch for malicious software or program changes 17.7%11.4%6.3%55.3% Using security devices (cards, biometric scanners, etc.) for authentication 15.8%12.3%3.5%28.5% ECAR IT Security Study, 2006

24 Wireless Security Approach Percent used in 2005 Percent used in 2003 Percent new adopters Rate of change 2003- 2005 Firewall71.4%46.6%24.8%53.2% Remote authentication dial-in user service (RADIUS) 54.4%41.6%12.8%30.8% Internet Protocol Virtual Private Network (IP VPN) 47.8%33.0%14.8%44.8% 128-bit Wired Equivalency Privacy (WEP)34.5%33.4%1.1%3.3% Wireless vendor supplied proprietary solution25.7%18.5%7.2%38.9% Kerberos21.2%12.2%9.0%73.8% Extensible Authentication Protocol (EAP)19.7%14.8%4.9%33.1% 40-bit Wired Equivalency Privacy (WEP)19.6%24.4%-4.8%-19.7% Advanced encryption standard (AES)14.2%6.3%7.9%125.4% ECAR IT Security Study, 2006

25 Authentication Already implemented Conventional password/PIN94.4% Strong password59.8% Kerberos26.9% Secure ID-style one-time password8.9% Other multi-factor authentication methods8.1% PKI certificate (software) without PIN6.8% PKI certificate (software) with PIN5.1% Biometric identification2.8% PKI hardware token with PIN1.7% PKI hardware token without PIN0.9% ECAR IT Security Study, 2006

26 Password Changes FrequencyPercentCumulative Percent Single use20.4% Every 30 days183.8%4.2% Every 60 days5311.2%15.4% 60-180 days19841.8%57.2% More than 180 days285.9%63.1% It varies9019.0%82.1% No requirement7816.5%98.5% Don't know71.5%100.0% Total474100.0% ECAR IT Security Study, 2006

27 Policies in Place Secure disposal of data, media, or printed material that contains sensitive information 71.0 % ECAR IT Security Study, 2006

28 Step 6: Awareness and Training 6.1 Make confidential/sensitive data handlers aware of privacy and security requirements 6.2 Require acknowledgment by data users of their responsibility for safeguarding such data 6.3 Enhance general privacy and security awareness programs to specifically address safeguarding confidential or sensitive data

29 Awareness Programs ECAR IT Security Study, 2006 StudentsFacultyStaff Program 200339.2%38.2%42.2% Program 200562.3%68.8%69.1% Percent change23.1%30.6%26.9%

30 Awareness Programs StudentsFacultyStaff Mandatory17.4%14.5%20.4% Voluntary37.9%47.7%44.4% No program44.7%37.7%35.2% ECAR IT Security Study, 2006

31 Step 7: Verify Compliance 7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption 7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance 7.3 Routinely audit access privileges 7.4 Procurement procedures and contract language to ensure proper data handling is maintained 7.5 System development methodologies that prevent new data handling problems from being introduced into the environment 7.6 Utilize audit function within the institution to verify compliance 7.7 Incident response policies and procedures 7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed

32 IT Security Audits Twenty-five percent of responding institutions do not perform formal IT security audits. The majority (50.6 percent) performs formal IT security audits on an irregular basis. ECAR IT Security Study, 2006

33 Policies in Place Managing privacy issues, including breaches of personal information (72%) Incident reporting and response (69%) Disaster recovery contingency planning (68%) Investigation and correction of the causes of security failures (68%) Notification of security events to: individuals, the law, etc. (67%) ECAR IT Security Study, 2006

34 IT Security Plan 11.2 percent - a comprehensive IT security plan is in place 66.6 percent - a partial plan is in place. 20.4 percent - no IT security plan is in place ECAR IT Security Study, 2006

35 Characteristics of Successful IT Security Programs Institutions with IT security plans in place characterize their IT security programs as more successful and feel more secure today. The respondents who believe their institution provides necessary resources give higher ratings for IT security program success and their current sense of IT security. ECAR IT Security Study, 2006

36 For more information Rodney Petersen Email: rpetersen@educause.edu Phone: 202.331.5368 EDUCAUSE/Internet2 Security Task Force www.educause.edu/security EDUCAUSE Center for Applied Research www.educause.edu/ECAR Blueprint for Handling Sensitive Data wiki.internet2.edu/confluence/display/secguide

Download ppt "EDUCAUSE Center for Applied Research Security Survey Rodney Petersen Government Relations Officer Security Task Force Coordinator EDUCAUSE."

Similar presentations

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
Security, Privacy, and the Protection of Personally Identifiable Information Rodney J. Petersen Policy Analyst, EDUCAUSE EDUCAUSE/Internet2 Security.

Security, Privacy, and the Protection of Personally Identifiable Information Rodney J. Petersen Policy Analyst, EDUCAUSE EDUCAUSE/Internet2 Security.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,

CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.

Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Information Systems Security Officer

Information Systems Security Officer
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Session 3 – Information Security Policies

Session 3 – Information Security Policies

Similar presentations

Ads by Google