resources for presidents and senior executives: information security (239824257)


Upload: educause

Post on 02-Jun-2018


Page 1: Resources for Presidents and Senior Executives: Information Security (239824257)

8/11/2019 Resources for Presidents and Senior Executives: Information Security (239824257)

http://slidepdf.com/reader/full/resources-for-presidents-and-senior-executives-information-security-239824257 1/4

educause.edu | 1

CIOs view information security and related issues (data privacy, regulatory compliance) as the most important IT risks in higher education (figure 1). Yet only 3% of central IT budgets and staff in higher education are devoted to information security and related identity management activities, compared to 5% in sectors other than higher education. Higher education spends 60% less per institutional employee on information security than is typical among all U.S. industries. Institutional attention to information security may be increasing. Although only about one in three (32%) colleges and universities had a full-time information security lead in 2013, this represented an increase from 27% in 2012. Smaller institutions view themselves as less effective at addressing information security and are less likely to have a full-time information security lead than larger institutions.

Is safeguarding information security a priority for your institution?

Data breaches and other information security incidents may be one of the biggest risks facing colleges and universities. Information security encompasses the technologies, policies and procedures, and education and awareness activities that maintain the balance between an institution's need to use data and IT resources to achieve its mission (openness) and the need to secure those data and resources from external and internal threats (risk control).

Figure 1. CIO rankings of IT risks in higher education

SEPTEMBER 2014

Key Questions for Information Security: Institutional Implications for Safeguarding Data

[Figure 1 risk categories: unique risks posed by cloud computing; disaster planning and recovery systems; physical security of IT resources; identity/access management; data privacy/confidentiality; information security; compliance with laws and regulations; insufficient strategic funding of IT; personnel negligence or malfeasance; information systems acquisition/development/maintenance; asset management]


Information security relies on numerous practices to protect the network, servers, end-user devices, and data. The following core technical practices are in place in over 95% of colleges and universities:

• Malware identification and cleanup

• Network segmentation

• Server and desktop configuration management

• The scanning of the network for vulnerabilities

• Confidential data search and discovery

• Intrusion detection system operation

• Network access control

IT departments are actively implementing additional technical protections in response to changing and increasing threats (figure 2).

Which information security practices do you have in place?

Figure 2. Projected increases in the deployment of information security protections

[Figure 2 series: in place in 2013; 2015 (projection); 2016–2017 (projection). Protections shown: biometric authorization; enterprise identity access management (IAM) solutions; database encryption; federated ID management; content-aware DLP; strong authentication for critical applications; e-mail encryption; e-signatures; enterprise GRC systems]


Figure 3. Level of adoption of security practices for various applications, devices, and systems

Figure 4. Faculty perceptions of personal and institutional security practices

Essentially all colleges and universities have implemented a core acceptable use policy (AUP, 99%) and engage in compliance-related practices (99%). Policies to protect critical systems are also widespread. Although personally owned devices are often used to transmit, process, and store institutional data, few institutional security policies extend to them (figure 3).

Almost all institutions (96%) provide education and training to increase faculty, staff, and student awareness of good information security practices. However, fewer than half of faculty (48%) believe their institutions are facilitating a better understanding of information privacy and security. This gap may be due to lack of awareness or might imply the need to improve offerings.

Only about half of faculty report they have access to resources to keep their data secure; the same proportion are confident in their institution's ability to safeguard their personal information. However, the majority of faculty report that they themselves are taking sufficient measures to safeguard data (figure 4). Turning to another dimension, most institutions have instituted privacy and security policies that have not interfered with faculty productivity.

Which information security policies has your institution implemented?

How effective are your institution's information security awareness and end-user protection activities?

[Figure 3 legend: personal devices; institutional devices; critical institutional systems. Practices shown: disabling of network ports connecting devices violating AUP/disrupting the network; written agreements for faculty/staff use of personal cloud services to house student or institutional records; encryption of institutionally owned mobile devices with confidential information; patching/updating of all personally owned computers; patching/updating of all institutionally owned computers; security assessments for licencing commercial software; proactive scanning of critical systems; patching/updating of critical systems; security assessments for hosted services; deploying domain name system security extensions; encryption of all institutionally owned mobile devices; proactive scanning of all personally owned computers; proactive scanning of all institutionally owned public-facing web applications; proactive scanning of all institutionally owned computers; mobile device management for personally owned devices]

[Figure 4 axis: percentage of respondents (0 to 100). Responses: agree; strongly agree. Statements: "I have access to all the resources I need to keep my research and scholarly data secure"; "I take sufficient measures to keep data about my students secure"; "I take sufficient measures to keep my research and scholarly data secure"; "I have confidence in my institution's ability to safeguard my personal information"; "My institution facilitates a better understanding of information privacy and security"]


About This Brief

This report is one of a series of executive briefs designed to help institutional leaders optimize the impact of IT in higher education. It was supported by a grant from the Lumina Foundation. To read the other briefs and access related resources, go to Resources for Presidents and Senior Executives.

EDUCAUSE is a nonprofit membership association created to support those who lead, manage, and use information technology to benefit higher education. A comprehensive range of resources and activities are available to all EDUCAUSE members. For more information about EDUCAUSE, including membership, please contact us at info@educause.edu or visit educause.edu.

© EDUCAUSE. This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 4.0 License.

Maturity indices measure the capability to deliver IT services and applications in a given area. They examine multiple dimensions of progress (not just technical requirements) for IT effectiveness, such as culture, process, expertise, investment, and governance. Maturity indices enable institutions to determine where they are and where they aspire to be. EDUCAUSE has identified five dimensions of maturity for information security (figure 5).

Threats to the security of institutional research and scholarly data are mutable and on the rise. The key to good information security is a strong partnership between IT, institutional risk management, and the institutional community to ensure that the institution is providing the necessary technologies, policies, and processes and that faculty, staff, and students are using them effectively and consistently.

The primary goal of good security is to safeguard data and identities. This means protecting the data that the institution uses to meet its mission as well as protecting the identity information of the campus community. Foster an environment that strikes a realistic balance between controlling risk (with investments and policies that protect data) and facilitating the openness necessary to the academic enterprise. Ensure your institution has a qualified and empowered leadership role to understand how to apply contemporary solutions at your institution.

How would you rate your institution on the maturity of these major elements of information security?

Implications

What is the single most important next step for your institution in information security?

Figure 5. Information security maturity index

[Figure 5 dimensions: information security policies and guidelines; data management and security policies; access control processes; information security system process; information security organization]
