White Paper: IT Security in Higher Education

Introduction: The Growing Need for Improved IT Security on Campuses

IT security is a hot topic these days, especially at colleges and universities. The April 2008 Symantec Global Internet Security Threat Report noted that the education sector experienced more IT security breaches than any other industry.[1] What's more, the number of higher education breaches and of institutions affected continues to rise, as schools are under greater pressure to collect more and more student data. Between 2006 and 2008, the number of incidents reported by schools grew by 101 percent, and during that same period the number of institutions affected rose by 173 percent.[2] As recently as February 2009, the University of Florida reported an exposure of 97,200 student records, all of which contained names and Social Security Numbers.

Statistics like these in the education sector, along with the increasing number of breaches in other industries, have garnered a great deal of publicity and have given cause for alarm. There has been tremendous growth in the field of IT security training, as organizations of all sizes struggle to find professionals to help them address the challenge. There are myriad books on IT security on the market, and the list grows monthly; many colleges, universities, and technical schools now offer a degree or certification in IT security.

A December 2008 Gartner Group survey found that the role of the chief information security officer (CISO) is no longer rare, but that many institutions have yet to formalize the role and the title. Policies and support for educating the community are also still evolving. Work still needs to be done if security is to be viewed not as an IT problem but as an institutional problem that needs addressing.[3] The Gartner survey's key findings include the following:

- The need for a security officer is now recognized and supported by more than 60 percent of institutions.
- The risk of losing important data is still a more important business driver for security than financial risk.
- Calculating the cost of security breaches and attacks is rare. More than 75 percent of institutions have not even calculated the cost of mobile PC thefts, which should be less difficult to calculate.[4]

Campus Technology

The technology environment in higher education is complicated by many factors.

First, campus perimeters are often ambiguous. Many schools have a transient student population, and even where this is not the case, computer equipment is often moved between campus and home during the school year. The situation is further complicated by the distributed computing environment common at large schools, which makes it hard for a central IT group to keep track of what is out there. Furthermore, many schools offer distance learning options, meaning that some student computers may never actually be on campus.

Second, there is a tremendous amount of sensitive electronic data on most campuses. Determining where that data is located, who controls it, and how best to protect it is a daunting task, even at a small school. At large universities there may be a central IT group, or even a central IT security group, but the daily management of many systems and the handling of data is usually the responsibility of the individual colleges or departments.

[1] Symantec Global Internet Security Threat Report, April 2008.
[2] Educational Security Incidents (ESI) Year in Review 2008, released February 2009.
[3] Gartner 2008 Higher Education Security Survey: Governance, Policy and Cost. Michael Zastrocky, Jan-Martin Lowendahl, and Marti Harris. 22 December 2008.
[4] Ibid.

Third is the issue of shadow systems. The university's core systems, containing Enterprise Resource Planning (ERP) data, credit card information, medical records, or other important student data, may be well protected; but there are frequently local copies of sensitive data that are not under that same protective umbrella. Even small schools have multiple departments, and some of these (Housing or Campus Dining, for example) need systems containing important student information in order to function. When these shadow systems are connected to the Internet, or are reachable from across the campus network, the problem is compounded. This proliferation of systems in a highly distributed information environment makes it very difficult for colleges and universities to keep track of everyone who holds copies of sensitive data such as students' Social Security Numbers.

Academic freedom is a fourth concern. Open networks, and indeed the Internet itself, have their roots in academe. Networks have long been viewed as teaching tools, and the notion of imposing any restrictions on them has been strongly resisted. IT security measures that would exist as a matter of course in a business environment have, until recently, been frowned upon in academic settings in the name of academic freedom.

Finally, there is always the issue of funding. Because of financial constraints, now more than ever, schools are often forced to depend on a limited staff of professional IT support personnel. In fact, some campus IT departments are staffed primarily by computer science majors or other students with an interest in technology.

Government Compliance Issues

Unfortunately, this challenging campus IT environment exists at the same time that increasingly stringent government regulations continue to raise the bar for data protection and to impose harsh penalties on those who fail to protect sensitive data. At colleges and universities, IT managers must comply with many such regulations.

Banking. Universities and colleges lend and collect large amounts of money as they grant loans and disburse funds. This means that they fall under the Gramm-Leach-Bliley Act (GLBA) and must protect the privacy of their student customers.

Health care. Almost all institutions of higher education with students living on campus have a health center and therefore must protect patient data under the Health Insurance Portability and Accountability Act (HIPAA).

Retail sales. Parents and students use credit cards to pay for everything from books to tuition, meaning that colleges and universities, like all other merchants, must comply with the Payment Card Industry (PCI) Data Security Standard (DSS). Strictly speaking, PCI DSS is a card-brand industry standard enforced through contracts with acquiring banks rather than a law, but non-compliance carries fines and the potential loss of the ability to accept cards.

Student grades. The Family Educational Rights and Privacy Act (FERPA) controls who can access student education records, including grades. If grades are being distributed or stored electronically, they must be secured.

In addition to these federal requirements, colleges and universities in most states must comply with state privacy laws such as California SB 1386, a piece of landmark legislation that became operative in July 2003. Laws like this require that any agency, person, or business that owns or licenses computerized personal information disclose any breach of security to those whose unencrypted data is believed to have been disclosed. Because the disclosure requirement is triggered by the exposure of unencrypted data, encrypting stored personal data both reduces exposure and affects an institution's notification obligations after an incident.

In his article "Back to School: Compliance in Higher Education," Ken Bocek notes, "While most institutions are in compliance with GLB, PCI, HIPAA, FERPA, and other regulations, the number of institutions involved in data breaches does not seem to be on the decline. It's this point that makes higher education a lesson for all organizations."[5]

[5] "Back to School: Compliance in Higher Education," SC Magazine. Ken Bocek. September 19, 2007.

Addressing IT Security on Campus

Thanks to their growing awareness of the importance of IT security, schools are addressing the issue in a variety of ways. The most obvious solution, creation of a full-time central IT security group on campus, has been put in place at many schools, especially large universities. Even smaller schools have recognized the need for someone whose full-time job is IT security, and higher education employment websites frequently advertise IT security positions at community colleges and comprehensive universities. The recognition that security is not something a network engineer can do as a side job is viewed by education professionals as a positive trend as they accept the challenge of safeguarding sensitive data, complying with government regulations, and generally protecting the systems and information within the campus computing environment.

A central IT security group is typically managed by an IT security officer, a high-level position with broad authority and recognition throughout the school. Because of budget pressures, many schools' IT groups have not grown larger in the past few years, but schools have reprioritized resources to address their security concerns. For example, a school may designate what was formerly a network engineering position as a full-time security position and retrain that individual accordingly.

There has also been a trend toward greater cooperation among departments regarding security. Various campus offices (Human Resources, Controller, Registrar, Financial Aid) frequently collaborate to develop innovative ways to share resources and protect their user communities.

Another important trend has been increased educational opportunities for the extended university community (students, faculty, and administration) about the importance of IT security. Blogs, YouTube, and the ubiquitous laptop and cell phone are all effective means of communication, along with campus newsletters, email, and face-to-face discussions. By communicating through these various media, campus IT security professionals have helped their communities to understand that IT security is a shared responsibility and that every campus computer user faces risks if there is a security lapse.

Many campuses have adopted the practice of conducting departmental or area IT security reviews to help their constituents recognize their vulnerabilities; identify potential problems with hardware, applications, and/or databases; and offer alternatives. Some schools have even developed and distributed an IT disaster recovery plan. It has also become common for schools to conduct compliance-related reviews to teach people how to handle FERPA, PCI, HIPAA, and/or GLBA data, and to underscore the benefit of adopting industry frameworks such as ISO 27001, COBIT, and the NIST standards. Furthermore, every college or university today acknowledges the need to maintain a reliable Web presence, and most of their websites now include at least one page dedicated to IT security.

The bottom line is that IT security operations and practices have become increasingly formalized, and schools have a far greater awareness of compliance requirements. Colleges now understand that PCI DSS applies wherever cardholder data is handled on campus, not only in the bursar's office.

IT Security Resources in Higher Education

As IT security has gained exposure on college and university campuses, a growing number of resources have become available to address the issue. The Virginia Alliance for Secure Computing and Networking (VA SCAN) was established to strengthen IT security programs throughout the Commonwealth of Virginia. As its website points out, "This Alliance brings together Virginia higher education security practitioners who developed and maintain security programs widely emulated by other institutions, and researchers responsible for creating cybersecurity instruction and research programs nationally recognized for excellence."[6]

[6] Website of the Virginia Alliance for Secure Computing and Networking (VA SCAN), www.vascan.org

The University of Wisconsin's flagship campus in Madison now routinely conducts risk assessments of its IT systems with all departmental CIOs in the University system. In Texas, the state legislature has enacted new laws that affect all public universities and their approach to IT security.

Perhaps the best known American higher education technology resource is EDUCAUSE, which was founded in the late 1990s "to advance higher education by promoting the intelligent use of information technology."[7] Open to all public and private colleges and universities, EDUCAUSE fosters information sharing by providing schools with opportunities to participate in policy-sharing forums or to post presentations and other materials that they have developed. EDUCAUSE also sponsors an annual security event for those in security officer or security analyst roles so they can come together and focus on communication, collaboration, and information sharing.

The Role of Rapid7 Nexpose

Rapid7 Nexpose is a vulnerability assessment product that has become a boon to IT security professionals at nearly 100 institutions of higher learning, including Carnegie Mellon University, Florida State University, George Washington University, Norwich University, University of Mary Washington, Virginia Tech University and Weill Medical College. In fact, one IT security officer has described Rapid7 Nexpose as a "force multiplier" that saves valuable time and resources. Nexpose provides broad platform coverage from one integrated product that assesses the security risk of a wide array of systems, software and devices in your IT environment, including:

Network and Operating System Vulnerability Assessment. The first step in securing your IT environment is to ensure that all systems and network devices have been properly audited and exposures eliminated. Rapid7 Nexpose enables organizations to audit their networks, track discovered vulnerabilities through to resolution, and verify policy compliance.

Web Application Vulnerability Assessment. Because they act as a conduit between external users and an organization's internal databases, Web applications can be one of the biggest security risks. Rapid7 Nexpose scans the Web application server and all Web applications for serious threats to your environment, such as SQL injection and cross-site scripting.

Database Vulnerability Assessment. Rapid7 Nexpose provides comprehensive database scanning for Oracle, Microsoft SQL Server, Sybase, PostgreSQL, MySQL, IBM DB2 and IBM DB/400 to identify vulnerabilities that affect databases, such as default accounts; default permissions on database objects like tables, views, and stored procedures; buffer overflows; and denial of service.

Compliance Scanning. The growing number of government and industry-specific regulations designed to protect corporate information requires organizations to put policies in place to audit the environment regularly and produce reports that validate compliance. Rapid7 Nexpose generates SOX, HIPAA, PCI, FISMA and GLBA reports that document and demonstrate compliance to auditors. A scanner report is evidence for the controls it can observe; it does not by itself establish compliance with a regulation whose requirements extend to process and policy.

[7] Website of EDUCAUSE, www.educause.edu

About Rapid7

Rapid7 is a leading provider of IT security risk management software. Its integrated vulnerability management and penetration testing products, Nexpose and Metasploit, and its mobile risk management solution, Mobilisafe, enable defenders to gain contextual visibility and manage the risk associated with the IT environment, users and threats relevant to their organization. Rapid7's simple and innovative solutions are used by more than 2,000 enterprises and government agencies in more than 65 countries, while the Company's free products are downloaded more than one million times per year and enhanced by more than 175,000 members of its open source security community. Rapid7 has been recognized as one of the fastest growing security companies by Inc. Magazine and as a Top Place to Work by the Boston Globe. Its products are top rated by Gartner, Forrester and SC Magazine. The Company is backed by Bain Capital and Technology Crossover Ventures. For more information about Rapid7, please visit http://www.rapid7.com.