Identity, Privacy, and Security: Higher Education Policy and Practice
Rodney Petersen Government Relations Officer Director of Cybersecurity Initiative EDUCAUSE
Digital Infrastructure as a Strategic National Asset
"From now on, our digital infrastructure -- the networks and computers we depend on every day -- will be treated as they should be: as a strategic national asset . . . it's now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation."
President Barack Obama, May 29, 2009
Cyberspace Policy Review
Subtitle: Assuring a Trusted and Resilient Information and Communications Infrastructure
- 60-day comprehensive review (took 90 days for the President to review and announce)
- Six months later, the major recommendation has not been addressed: appoint a cybersecurity policy official responsible for coordinating the Nation's cybersecurity policies and activities
- A national security and economic security concern
Policy Recommendations
- Prepare for the President's approval an updated national strategy to secure the information and communications infrastructure.
- Prepare a cybersecurity incident response plan.
- Designate cybersecurity as one of the President's key management priorities and establish performance metrics.
- Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
- Initiate a national public awareness and education campaign to promote cybersecurity.
Policy Recommendations (cont’d)
- Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.
- Develop a framework for research and development strategies that focus on game-changing technologies; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.
- Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.
Congressional Action
- Health Information Technology Act (HITECH Act)
- FTC enforcement of the Red Flags Rule delayed until June 1, 2010
- HEOA regulation: distance education verification
- Positioning of cybersecurity in the federal government
- Strengthening of FISMA
- Role of NIST in standards development
- National security breach notification law
- Critical infrastructure protection and cyber assets
National Broadband Plan
- What types of computer-based attacks against government or commercial computer systems or networks are occurring, and what are other federal agencies, commercial, and other entities doing to prevent, detect, and respond to cyber attacks?
- How are other federal agencies of the United States and other governments collaborating with the communications segment to prevent, detect, and respond to cyber attacks?
- What market incentives exist for commercial communications providers, large and small, to invest in secure infrastructure? (i.e., how do we avoid externalities?)
- Do end users have sufficient independent information to make good decisions between communications providers that may differ in the extent to which they implement cybersecurity measures?
- How widely are cybersecurity best practices implemented by communications providers, and what are these best practices?
- What specific wireless network features and handset features and capabilities are necessary to combat such attacks?
NCSAM Highlights
- Kick-off event in Washington, D.C.
- Mid-October event in Sacramento, CA
- The White House proclamation declaring October as NCSAM
- Obama 3-minute video address
- Department of Homeland Security: Napolitano address at kick-off event (1,000 new hires); Napolitano web address
- Congressional resolutions
Organizational Alignment
Cybersecurity Privacy Identity and Access Management
Privacy
Policy: Comprehensive Privacy Framework
Practice: Fair Information Practices
Issues: protection of personally identifiable information; identity theft; data retention and disposal
Roles: Chief Privacy Officer; International Association of Privacy Professionals
Identity & Access Management
EDUCAUSE Identity & Access Management Working Group Goals:
- Awareness and advocacy — to help CIOs and IT leaders understand the strategic importance of IAM for their enterprise
- Outreach and coordination — to work with other constituencies, including government and industry, to help enable the adoption of interoperable IAM
- Partnerships and collaboration — to facilitate the utilization of centralized authentication and authorization services by business process owners, including student services, human resources, alumni and development, facilities management, and other groups
- Implementation and training — to provide resources and tools, including IT staff training, to equip developers and implementers
Federated Identity Management & the InCommon Federation
Academia’s Role in Securing Cyberspace
Through its core mission of teaching and learning, it is the main source of our future leaders, innovators, and technical workforce. Through research, it is the basic source of much of our new knowledge and subsequent technologies. As complex institutions, colleges and universities operate some of the world's largest collections of computers and high-speed networks.
Higher Education Information Security Council
Hosts: EDUCAUSE and Internet2
History: serving higher education since 2000
Mission: to improve information security and privacy across the higher education sector by actively developing and promoting effective practices and solutions for the protection of critical IT assets and infrastructures.
InfoSec Council Activities
- Security Discussion Group
- Working Groups: People (awareness and training); Process (compliance, policies, risk, governance); Technology (effective practices and solutions)
- Professional Development: Annual Security Professionals Conference; SANS-EDU Partner Series
- Collaborations and Partnerships: Research and Education Networking Information Sharing and Analysis Center (REN-ISAC); Center for Internet Security . . . and more
InfoSec Council Strategic Plan
Theme: Safeguarding Our IT Assets, Protecting Our Community's Privacy
Goals:
1. Obtain Executive Commitment and Action
2. Manage Data to Enhance Privacy and Security Protections
3. Develop and Promote Effective Practices and Solutions
4. Explore New Tools and Technologies
5. Establish and Promote Information-Sharing Mechanisms
InfoSec Council Special Projects
- Confidential Data Handling Blueprint
- Guidelines for Data and Media Sanitization
- Toolkit for Electronic Records Management, Data Retention, and e-Discovery
- Information Security Governance
- Risk Management Framework
- Security Awareness Poster/Video Contest
- National Cybersecurity Awareness Month
- Security Metrics
Information Security Guide
- Risk Management
- Compliance
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Controls
- Information Systems Acquisition, Development, and Maintenance
- Incident Management
- Business Continuity Management
Confidential Data Handling Blueprint
Step 1: Create a security risk-aware culture that includes an information security risk management program
Step 2: Define institutional data types
Step 3: Clarify responsibilities and accountability for safeguarding confidential data
Step 4: Reduce access to confidential data not absolutely essential to institutional processes
Step 5: Establish and implement stricter controls for safeguarding confidential data
Step 6: Provide awareness and training
Step 7: Verify compliance routinely with your policies and procedures
Call to Action
Attend: Security Professionals Conference, April 12-14, 2010, Atlanta, Georgia, net.educause.edu/conference/security
Contribute: submit an Effective Practice and Solution, www.educause.edu/security/guide
Join: Discussion Group, www.educause.edu/groups/security; REN-ISAC, www.ren-isac.net
Volunteer: send an email to [email protected]
For More Information
Visit: Higher Education Information Security Council, http://www.educause.edu/security
Contact:
- David Swartz, American University, HEISC Co-Chair, [email protected]
- Brian Voss, LSU, HEISC Co-Chair, [email protected]
- Rodney Petersen, EDUCAUSE, HEISC Staff, [email protected]