Information Security Guide
HEISC Town Hall Webinar:
2012-2013 Strategic Plan
Host: Larry Conrad, CIO, UNC-Chapel Hill & HEISC Co-Chair
Today’s Agenda
Information security changes in the past 10 years
Ongoing challenges for security practitioners
HEISC strategic plan (2012-2013)
Vision
Mission
Goals & objectives
HEISC working group updates
What can you do?
Information Security Changes in the Past 10 Years
Threats: More serious – e.g., nation states, organized crime
Vulnerabilities: New technologies (e.g., social media, cloud, mobility) introduce new vulnerabilities
Impact: Confidentiality, Integrity, Availability (CIA) recognized as mission critical
On the Plus Side
Increased awareness
Greater investments, including security staff
Staff professional development and training
Improved organization across higher ed
Better tools
More policies and standards
More strategic, proactive outlook
More “effective practices” are available
Ongoing Challenges for Security Practitioners
Executive awareness and support
Technology changes: Mobility, outsourcing, cloud, IPv6
Benchmarks and metrics
Organizational dynamics: Centralized, distributed, and affiliated centers
Funding for IT security
Staff resources and training
Ongoing Challenges (Cont’d)
Data standards, governance, and risk management
Data protection tools
Student and employee awareness
Academic continuity and disaster recovery
Legislation and compliance
Research data and process
International collaboration
Vendor relationships
HEISC Vision
Guide academic institutions in their quest to safeguard data, information systems, and networks
Protect the privacy of the higher education community
Ensure that information security is an integral part of campus activities and business processes
HEISC Mission
Improve information security, data protection, and privacy programs across the higher education sector
Develop and promote leadership; awareness and understanding; effective practices and policies; and solutions for the protection of critical data, IT assets, and infrastructures
Accomplish activities through working groups of volunteers and staff
Coordinate and collaborate with government, industry, and other academic organizations
HEISC Goals
1. Establish the Information Security Guide as the premier resource for security professionals.
2. Improve security-related interorganizational collaboration with higher education stakeholders.
3. Inform and educate campus leaders on information security issues by leveraging enterprise risk management (ERM) processes.
4. Help institutions leverage their investments with regard to all IT products and services.
5. Increase the effectiveness of communication efforts.
Objectives for Goal #1: Establish the Information Security Guide as the premier resource for security professionals
Toolkits, primers, and templates
Information security maturity model
Security requirements
Security practices in research environments
CISO duties and reporting line
Identity management (IdM) practices
Objectives for Goal #2: Improve security-related collaboration with higher education stakeholders
EDUCAUSE, Internet2, and the REN-ISAC
Core Data Service and EDUCAUSE Data, Research, and Analytics staff
Other higher education associations, industry groups, and government
Higher education information security professionals
Objectives for Goal #3: Inform & educate campus leaders on information security issues by leveraging ERM processes
ERM summit
Messaging, talking points, and presentation template
Other higher ed association meetings and conferences (e.g., URMIA, NACUBO, AAU)
Objectives for Goal #4: Help institutions leverage their investments with regard to all IT products and services
Vendor community outreach
Resources for IT products and services
Information sharing
Objectives for Goal #5: Increase the effectiveness of communication efforts
Higher ed security professionals, CIOs, IT leaders
Wealth of resources in the Information Security Guide
Issues and successes in the .edu domain
HEISC volunteer opportunities
Q&A
HEISC Goals and Objectives
HEISC Working Groups
Awareness & Training (A&T)
Governance, Risk, & Compliance (GRC)
Technologies, Operations, & Practices (TOP)
Information Security Guide Editorial Board
Security Professionals Conference Program Committee
Research and Education Networking Information Sharing and Analysis Center (REN-ISAC)
Awareness & Training (A&T)
Co-Chairs: Nicole Kegler & Ben Woelk
Student Poster & Video Contest
National Cyber Security Awareness Month in October
Executive Awareness Communications
Partnering with the IT Communications Group New!
Data Privacy Month in January New!
Security Awareness Metrics
Outreach and Marketing
Governance, Risk, & Compliance (GRC)
Co-Chairs: Doug Markiewicz & David Escalante
Recent publications: Two-Factor Authentication, Data Incident Notification Toolkit
Shared Assessments Project Team
Sensitive Data Exposure Incident Checklist New!
GRC Systems FAQ New!
Information Security Maturity Model New!
Essential Security Metrics New!
Top Info Security Concerns for Researchers New!
Technologies, Operations, & Practices (TOP)
Co-Chairs: Jim Taylor & Marcos Vieyra
Recent publications: Mobile Internet Device Security Guidelines, Dropbox Security & Privacy Considerations, Full Disk Encryption Guide
Identify emerging technologies and their security implications New!
With the REN-ISAC, develop partnerships with vendors to improve information sharing
Facilitate state or local ISO gatherings New!
Information Security Guide Editorial Board
Co-Chairs: Ced Bennett & Mary Dunker
Fresh look and feel New!
Emphasizing practical application of the Security Guide via conference presentations New!
Growing the content (nearly doubled in 2011)
Extending the Guide's exposure and reach (even beyond EDU) New!
Security Professionals Conference 2012
Program Chair: Jodi Ito & Vice Chair: Paul Howell
May 15-17, 2012 in Indianapolis, IN
10th annual conference
Focused on information security in higher ed
Premier forum for networking with security professionals
Theme: Security Everywhere: Exploring the Expanding World of Security
www.educause.edu/SEC12
REN-ISAC
Technical Director: Doug Pearson
Membership growth
Growth in relationships
Involvement in strategic industry groups
Implementation of Security Event System
Community Security
Partnership with SANS
Engagement in international standards work
Handling of 0-day vulnerability communications
Increase in number of notifications
Additional staff
Contact: [email protected]
Q&A
HEISC Working Groups
What Can You Do?
Join the Security Discussion Group:
www.educause.edu/groups/security
Volunteer: [email protected]
Find resources: www.educause.edu/security
Attend Security 2012: www.educause.edu/sec12
Follow us: @HEISCouncil
Contacts:
Valerie Vogel ([email protected])
Rodney Petersen ([email protected])
Look for These Hot Topics in 2012…
Metrics & Benchmarking
Cloud Computing & Services
Consumerization & Mobility
Enterprise Risk Management
IPv6
Privacy
Federated IdM
Addressing the decentralized university from a security perspective
Thank you for participating!
If you’d like to get in touch with our speakers, please send an e-mail to [email protected]