resources for presidents and senior executives: information security (239824257)
TRANSCRIPT
8/11/2019 Resources for Presidents and Senior Executives: Information Security (239824257)
http://slidepdf.com/reader/full/resources-for-presidents-and-senior-executives-information-security-239824257 1/4
educause.edu | 1
CIOs view information security and related issues (data privacy, regulatory compliance) as the most important IT risks in higher education (figure 1). Yet only 3% of central IT budgets and staff in higher education are devoted to information security and related identity management activities, compared to 5% in sectors other than higher education. Higher education spends 60% less per institutional employee on information security than is typical among all U.S. industries. Institutional attention to information security may be increasing. Although only about one in three (32%) colleges and universities had a full-time information security lead in 2013, this represented an increase from 27% in 2012. Smaller institutions view themselves as less effective at addressing information security and are less likely to have a full-time information security lead than larger institutions.
Is safeguarding information security a priority for your institution?
Data breaches and other information security incidents may be one of the biggest risks facing colleges and universities. Information security encompasses the technologies, policies and procedures, and education and awareness activities that maintain the balance between an institution's need to use data and IT resources to achieve its mission (openness) and the need to secure those data and resources from external and internal threats (risk control).
Figure 1. CIO rankings of IT risks in higher education
SEPTEMBER 2014
Key Questions for Information Security: Institutional Implications for Safeguarding Data
[Figure 1 chart. Risks ranked: unique risks posed by cloud computing; disaster planning and recovery systems; physical security of IT resources; identity/access management; data privacy/confidentiality; information security; compliance with laws and regulations; insufficient strategic funding of IT; personnel negligence or malfeasance; information systems acquisition, development, and maintenance; asset management.]
Information security relies on numerous practices to protect the network, servers, end-user devices, and data. The following core technical practices are in place in over 95% of colleges and universities:
• Malware identification and cleanup
• Network segmentation
• Server and desktop configuration management
• The scanning of the network for vulnerabilities
• Confidential data search and discovery
• Intrusion detection system operation
• Network access control
IT departments are actively implementing additional technical protections in response to changing and increasing threats (figure 2).
Which information security practices do you have in place?
Figure 2. Projected increases in the deployment of information security protections
[Figure 2 chart. Series: in place in 2013; 2015 (projection); 2016–2017 (projection). Protections shown: biometric authorization; enterprise identity access management (IAM) solutions; database encryption; federated ID management; content-aware DLP; strong authentication for critical applications; e-mail encryption; e-signatures; enterprise GRC systems.]
Figure 3. Level of adoption of security practices for various applications, devices, and systems
Figure 4. Faculty perceptions of personal and institutional security practices
Essentially all colleges and universities have implemented a core acceptable use policy (AUP, 99%) and engage in compliance-related practices (99%). Policies to protect critical systems are also widespread. Although personally owned devices are often used to transmit, process, and store institutional data, few institutional security policies extend to them (figure 3).
Almost all institutions (96%) provide education and training to increase faculty, staff, and student awareness of good information security practices. However, fewer than half of faculty (48%) believe their institutions are facilitating a better understanding of information privacy and security. This gap may be due to lack of awareness or might imply the need to improve offerings.
Only about half of faculty report they have access to resources to keep their data secure; the same proportion are confident in their institution's ability to safeguard their personal information. However, the majority of faculty report that they themselves are taking sufficient measures to safeguard data (figure 4). Turning to another dimension, most institutions have instituted privacy and security policies that have not interfered with faculty productivity.
Which information security policies has your institution implemented?
How effective are your institution's information security awareness and end-user protection activities?
[Figure 3 chart. Axis: percentage of respondents. Groups: personal devices; institutional devices; critical institutional systems. Practices shown: disabling of network ports connecting devices violating AUP/disrupting the network; written agreements for faculty/staff use of personal cloud services to house student or institutional records; encryption of institutionally owned mobile devices with confidential information; patching/updating of all personally owned computers; patching/updating of all institutionally owned computers; security assessments for licensing commercial software; proactive scanning of critical systems; patching/updating of critical systems; security assessments for hosted services; deploying domain name system security extensions; encryption of all institutionally owned mobile devices; proactive scanning of all personally owned computers; proactive scanning of all institutionally owned public-facing web applications; proactive scanning of all institutionally owned computers; mobile device management for personally owned devices.]
[Figure 4 chart. Scale: 0 to 100. Series: agree; strongly agree. Statements shown: "I have access to all the resources I need to keep my research and scholarly data secure"; "I take sufficient measures to keep data about my students secure"; "I take sufficient measures to keep my research and scholarly data secure"; "I have confidence in my institution's ability to safeguard my personal information"; "My institution facilitates a better understanding of information privacy and security".]
About This Brief
This report is one of a series of executive briefs designed to help institutional leaders optimize the impact of IT in higher education. It was supported by a grant from the Lumina Foundation. To read the other briefs and access related resources, go to Resources for Presidents and Senior Executives.
EDUCAUSE is a nonprofit membership association created to support those who lead, manage, and use information technology to benefit higher education. A comprehensive range of resources and activities are available to all EDUCAUSE members. For more information about EDUCAUSE, including membership, please contact us at info@educause.edu or visit educause.edu.
© EDUCAUSE. This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 4.0 License.
Maturity indices measure the capability to deliver IT services and applications in a given area. They examine multiple dimensions of progress (not just technical requirements) for IT effectiveness, such as culture, process, expertise, investment, and governance. Maturity indices enable institutions to determine where they are and where they aspire to be. EDUCAUSE has identified five dimensions of maturity for information security (figure 5).
Threats to the security of institutional research and scholarly data are mutable and on the rise. The key to good information security is a strong partnership between IT, institutional risk management, and the institutional community to ensure that the institution is providing the necessary technologies, policies, and processes and that faculty, staff, and students are using them effectively and consistently.
The primary goal of good security is to safeguard data and identities. This means protecting the data that the institution uses to meet its mission as well as protecting the identity information of the campus community. Foster an environment that strikes a realistic balance between controlling risk (with investments and policies that protect data) and facilitating the openness necessary to the academic enterprise. Ensure your institution has a qualified and empowered leadership role to understand how to apply contemporary solutions at your institution.
How would you rate your institution on the maturity of these major elements of information security?
Implications
What is the single most important next step for your institution in information security?
Figure 5. Information security maturity index
[Figure 5 chart. Dimensions: information security policies and guidelines; data management and security policies; access control processes; information security system process; information security organization.]