Download presentation materials
Presentation Transcript

  • 1. EDUCAUSE Center for Applied Research Security Survey Rodney Petersen Government Relations Officer Security Task Force Coordinator EDUCAUSE
  • 2. Research Methodology
    • Literature review of material published from 2003 – 2005, with the intent of identifying issues of concern to the higher education community, and creating additional hypotheses to test
    • Consultation with security experts, including members of the EDUCAUSE/Internet2 Computer and Network Security Task Force, and IT leaders at 17 higher education institutions
    • A quantitative web-based survey first used in 2003 was modified to reflect changes in technologies and practices. 492 higher education institutions responded to the survey
    • A longitudinal analysis compared the survey findings with those from ECAR’s 2003 study. 204 institutions responded to both surveys, and that population was used to perform the comparison
  • 3. ECAR IT Security Study
    • The Headlines You Won’t Read in the Chronicle of Higher Ed or New York Times:
      • The respondents feel more secure today than two years ago despite being in a perceived riskier environment.
      • Respondents feel that the academic community has become more sensitive to security and privacy in the last two years.
    • ECAR IT Security Study, 2006
  • 4. IT Security Incidents
    • Ten percent of the respondents in our survey indicated that they had an IT security incident in the last twelve months that was reported to the press (down from 19 percent in 2003).
    • A majority of institutions (74.2 percent) report that the number of incidents is about the same or less in the past twelve months as compared with the year before.
    • The primary perceived risks are viruses (72.6 percent), theft of personal financial information (64.8 percent), and spoofing and spyware (55.3 percent).
    • ECAR IT Security Study, 2006
  • 5. Blueprint for Handling Data
    • Step 1: Create a security risk-aware culture that includes an information security risk management program
    • Step 2: Define institutional data types
    • Step 3: Clarify responsibilities and accountability for safeguarding confidential/sensitive data
    • Step 4: Reduce access to confidential/sensitive data not absolutely essential to institutional processes
    • Step 5: Establish and implement stricter controls for safeguarding confidential/sensitive data
    • Step 6: Provide awareness and training
    • Step 7: Verify compliance routinely with your policies and procedures
  • 6. Step 1: Risk Aware Culture
    • 1.1 Institution-wide security risk management program
    • 1.2 Roles and responsibilities defined for overall information security at the central and distributed level
    • 1.3 Executive leadership support in the form of policies and governance actions
  • 7. Risks Incurred
    • ECAR IT Security Study, 2006
    Damage | Percent
    Business application, including e-mail, unavailable | 33.7%
    Network unavailable | 29.4%
    Information confidentiality compromised | 26.0%
    Damage to software | 21.5%
    Damage to data | 12.5%
    Negative publicity in the press | 10.0%
    Identity theft | 8.4%
    Damage to hardware | 7.4%
    Financial losses | 6.4%
  • 8. Risk Assessment
    Risk assessments performed | Frequency | Percent
    No risk assessments done | 208 | 42.6%
    For some institutional data and asset types | 226 | 46.3%
    For all institutional data and asset types | 42 | 8.6%
    Don't know | 12 | 2.5%
    Total | 488 | 100.0%
    • ECAR IT Security Study, 2006
  • 9. Responsibility for IT Security
    Position | Percent responsible in 2005 | Percent responsible in 2003 | Percent new adopters | Rate of change 2003-2005
    IT security officer (or equivalent) | 34.9% | 22.4% | 12.5% | 55.8%
    CIO (or equivalent) | 14.3% | 6.7% | 7.6% | 113.4%
    Director of administrative computing | 2.7% | 3.2% | -0.5% | -15.6%
    Director of academic computing | 1.2% | 1.8% | -0.6% | -33.3%
    Other academic management | 0.6% | 1.2% | -0.6% | -50.0%
    Other administrative management | 0.6% | 3.2% | -2.6% | -81.3%
    Other IT management | 23.9% | 30.9% | -7.0% | -22.7%
    Director of networking | 21.8% | 30.6% | -8.8% | -28.8%
    • ECAR IT Security Study, 2006
  • 10. IT Security Staffing
    • Less than one percent indicated an expected staff decrease, while 50.2 percent expected no change, 24.4 percent expected to add one staff member, and 7.7 percent expected to add two or more.
    • A sea change has occurred in two years with respect to the operational staffing structure for central IT security. One quarter of the 204 institutions in the 2003 and 2005 studies have moved to centralize security in the IT organization and the rate of change was 59.7 percent.
    • ECAR IT Security Study, 2006
  • 11. Centralization
    Staffing structure | 2005 Percent | 2003 Percent | Percent Change | Rate of change
    One central IT security unit/function | 61.8% | 38.7% | 23.1% | 59.7%
    Spread across multiple central IT units/functions | 32.7% | 58.2% | -25.5% | -43.8%
    Other | 5.5% | 3.1% | 2.4% | 77.4%
    • ECAR IT Security Study, 2006
  • 12. IT Security Certification
    Certificate | Percent held in 2005 | Percent held in 2003 | Percent new holders | Rate of change 2003-2005
    Certified Information Systems Security Professional (CISSP) | 20.8% | 12.4% | 8.4% | 67.7%
    Global Information Assurance Certification (GIAC) | 6.8% | 2.6% | 4.2% | 161.5%
    Certified Information Systems Auditor (CISA) | 3.2% | 1.5% | 1.7% | 113.3%
    • ECAR IT Security Study, 2006
  • 13. Change in Barriers
    Barrier | 2005 | 2003 | Institutional Change | Rate of Change
    Lack of awareness | 35.8% | 50.5% | -14.7% | -29.1%
    Culture of decentralization | 29.9% | 37.3% | -7.4% | -19.8%
    Lack of enforcement of policies | 13.2% | 20.1% | -6.9% | -34.3%
    Absence of policies | 22.1% | 27.0% | -4.9% | -18.1%
    Lack of senior management support | 13.2% | 17.2% | -4.0% | -23.3%
    Lack of resources | 68.1% | 71.6% | -3.5% | -4.9%
    Technology issues | 7.4% | 8.8% | -1.4% | -15.9%
    Privacy of the individual | 4.4% | 4.4% | 0.0% | 0.0%
    • ECAR IT Security Study, 2006
  • 14. Step 2: Define Data Types
    • 2.1 Compliance with applicable federal and state laws and regulations - as well as contractual obligations - related to privacy and security of data held by the institution (also consider applicable international laws)
    • 2.2 Data classification schema developed with input from legal counsel and data stewards
    • 2.3 Data classification schema assigned to institutional data to the extent possible or necessary
  • 15. Policies in Place
    • Protection of organizational assets (73%)
    • Data classification, retention, and destruction (51%)
    • Identity Management (50%)
    • ECAR IT Security Study, 2006
  • 16. Step 3: Clarify Responsibilities
    • 3.1 Data stewardship roles and responsibilities
    • 3.2 Legally binding third party agreements that assign responsibility for secure data handling
    • ECAR IT Security Study, 2006
  • 17. Policies in Place
    • Individual employee responsibilities for information security practices (73%)
    • Sharing, storing, and transmitting data (51%)
    • ECAR IT Security Study, 2006
  • 18. Step 4: Reduce Access to Data
    • 4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information
    • 4.2 Application outputs (e.g., queries, hard copy reports, etc.) should provide only the minimum necessary confidential/sensitive information
    • 4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices
    • 4.4 Eliminate unnecessary confidential/sensitive data on servers, desktops, and mobile devices
    • 4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication
  • 19. Step 5: Controls
    • 5.1 Inventory and review/remediate security of devices
    • 5.2 Configuration standards for applications, servers, desktops, and mobile devices
    • 5.3 Network level protections
    • 5.4 Encryption strategies for data in transit and at rest
    • 5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage
    • 5.6 Identity management and resource provisioning processes
    • 5.7 Secure disposal of equipment and data
    • 5.8 Consider background checks on individuals handling confidential/sensitive data
  • 20. IT Security Approaches
    Approach | Percent used in 2005 | Percent used in 2003 | Percent new adopters | Rate of change 2003-2005
    Network firewalls (perimeter) | 77.0% | 68.1% | 8.9% | 13.1%
    Centralized data backup system | 76.6% | 68.1% | 8.5% | 12.5%
    Virtual private network (VPN) for remote access | 75.4% | 45.6% | 29.8% | 65.4%
    Enterprise directory | 71.9% | 46.3% | 25.6% | 55.3%
    Network firewalls (interior) | 65.0% | 51.0% | 14.0% | 27.5%
    Intrusion detection | 62.3% | 46.1% | 16.2% | 35.1%
    Active filtering | 59.3% | 29.7% | 29.6% | 99.7%
    Intrusion prevention | 44.3% | 33.5% | 10.8% | 32.2%
    Security standards for application or system development | 32.4% | 27.5% | 4.9% | 17.8%
    Electronic signature | 6.4% | 5.9% | 0.5% | 8.5%
    Shibboleth | 4.9% | 1.5% | 3.4% | 226.7%
    • ECAR IT Security Study, 2006
  • 21. IT Security Technologies
    • Network perimeter firewalls, centralized data backup systems, virtual private networks, an enterprise directory, and network interior firewalls are the technologies most in use.
    • Active filtering increased in use by 99.7 percent, VPN for remote access by 65.4 percent, and enterprise directories by 55.3 percent.
    • There is significantly less difference among Carnegie Class institutions in the use of IT security technologies in 2005 when compared to 2003.
    • ECAR IT Security Study, 2006
  • 22. IT Security Technologies
    • The most significant change in wireless security between 2003 and 2005 is the implementation of firewalls (24.8 percent new adopters) followed by IP VPN (14.8 percent new adopters).
    • Conventional passwords/PIN predominate (94.4 percent). We found that 26.9 percent of the institutions used Kerberos.
    • The most often used IT security strategies were limiting protocols that are allowed through the network firewall or router (87.1 percent), restricting or limiting access to servers and applications (79.6 percent), and timing out access to applications after an idle period (77.0 percent).
    • ECAR IT Security Study, 2006
  • 23. Strategies to Reduce IT Security Vulnerabilities
    Approach | Percent used in 2005 | Percent used in 2003 | Percent new adopters | Rate of change 2003-2005
    Limiting the types of protocols allowed through the firewall/router | 88.7% | 73.0% | 15.7% | 21.5%
    Restricting and eliminating access to servers and applications | 80.9% | 70.1% | 10.8% | 15.4%
    Timing-out access to specific applications after an idle period | 76.0% | 65.0% | 11.0% | 16.9%
    Instituting a recovery or back-up plan in the case of disasters caused by natural events or by human acts | 44.3% | 46.3% | -2.0% | -4.3%
    Limiting the URLs allowed through the firewall | 29.1% | 26.9% | 2.2% | 8.2%
    Installing a software inventory system to watch for malicious software or program changes | 17.7% | 11.4% | 6.3% | 55.3%
    Using security devices (cards, biometric scanners, etc.) for authentication | 15.8% | 12.3% | 3.5% | 28.5%
    • ECAR IT Security Study, 2006
  • 24. Wireless Security
    Approach | Percent used in 2005 | Percent used in 2003 | Percent new adopters | Rate of change 2003-2005
    Firewall | 71.4% | 46.6% | 24.8% | 53.2%
    Remote authentication dial-in user service (RADIUS) | 54.4% | 41.6% | 12.8% | 30.8%
    Internet Protocol Virtual Private Network (IP VPN) | 47.8% | 33.0% | 14.8% | 44.8%
    128-bit Wired Equivalent Privacy (WEP) | 34.5% | 33.4% | 1.1% | 3.3%
    Wireless vendor supplied proprietary solution | 25.7% | 18.5% | 7.2% | 38.9%
    Kerberos | 21.2% | 12.2% | 9.0% | 73.8%
    Extensible Authentication Protocol (EAP) | 19.7% | 14.8% | 4.9% | 33.1%
    40-bit Wired Equivalent Privacy (WEP) | 19.6% | 24.4% | -4.8% | -19.7%
    Advanced Encryption Standard (AES) | 14.2% | 6.3% | 7.9% | 125.4%
    • ECAR IT Security Study, 2006
  • 25. Authentication
    Authentication method | Already implemented
    Conventional password/PIN | 94.4%
    Strong password | 59.8%
    Kerberos | 26.9%
    Secure ID-style one-time password | 8.9%
    Other multi-factor authentication methods | 8.1%
    PKI certificate (software) without PIN | 6.8%
    PKI certificate (software) with PIN | 5.1%
    Biometric identification | 2.8%
    PKI hardware token with PIN | 1.7%
    PKI hardware token without PIN | 0.9%
    • ECAR IT Security Study, 2006
  • 26. Password Changes
    Password change requirement | Frequency | Percent | Cumulative Percent
    Single use | 2 | 0.4% | 0.4%
    Every 30 days | 18 | 3.8% | 4.2%
    Every 60 days | 53 | 11.2% | 15.4%
    60-180 days | 198 | 41.8% | 57.2%
    More than 180 days | 28 | 5.9% | 63.1%
    It varies | 90 | 19.0% | 82.1%
    No requirement | 78 | 16.5% | 98.5%
    Don't know | 7 | 1.5% | 100.0%
    Total | 474 | 100.0% |
    • ECAR IT Security Study, 2006
  • 27. Policies in Place
    • Secure disposal of data, media, or printed material that contains sensitive information (71.0%)
    • ECAR IT Security Study, 2006
  • 28. Step 6: Awareness and Training
    • 6.1 Make confidential/sensitive data handlers aware of privacy and security requirements
    • 6.2 Require acknowledgment by data users of their responsibility for safeguarding such data
    • 6.3 Enhance general privacy and security awareness programs to specifically address safeguarding confidential or sensitive data
  • 29. Awareness Programs
    • ECAR IT Security Study, 2006
    Audience | Program 2003 | Program 2005 | Percent change
    Staff | 42.2% | 69.1% | 26.9%
    Faculty | 38.2% | 68.8% | 30.6%
    Students | 39.2% | 62.3% | 23.1%
  • 30. Awareness Programs
    Program type | Staff | Faculty | Students
    Mandatory | 20.4% | 14.5% | 17.4%
    Voluntary | 44.4% | 47.7% | 37.9%
    No program | 35.2% | 37.7% | 44.7%
    • ECAR IT Security Study, 2006
  • 31. Step 7: Verify Compliance
    • 7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption
    • 7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance
    • 7.3 Routinely audit access privileges
    • 7.4 Procurement procedures and contract language to ensure proper data handling is maintained
    • 7.5 System development methodologies that prevent new data handling problems from being introduced into the environment
    • 7.6 Utilize audit function within the institution to verify compliance
    • 7.7 Incident response policies and procedures
    • 7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed
  • 32. IT Security Audits
    • Twenty-five percent of responding institutions do not perform formal IT security audits.
    • The majority (50.6 percent) performs formal IT security audits on an irregular basis.
    • ECAR IT Security Study, 2006
  • 33. Policies in Place
    • Managing privacy issues, including breaches of personal information (72%)
    • Incident reporting and response (69%)
    • Disaster recovery contingency planning (68%)
    • Investigation and correction of the causes of security failures (68%)
    • Notification of security events to: individuals, the law, etc. (67%)
    • ECAR IT Security Study, 2006
  • 34. IT Security Plan
    • 11.2 percent: a comprehensive IT security plan is in place
    • 66.6 percent: a partial plan is in place
    • 20.4 percent: no IT security plan is in place
    • ECAR IT Security Study, 2006
  • 35. Characteristics of Successful IT Security Programs
    • Institutions with IT security plans in place characterize their IT security programs as more successful and feel more secure today.
    • The respondents who believe their institution provides necessary resources give higher ratings for IT security program success and their current sense of IT security.
    • ECAR IT Security Study, 2006
  • 36. For more information
    • Rodney Petersen Email: [email_address] Phone: 202.331.5368
    • EDUCAUSE/Internet2 Security Task Force www.educause.edu/security
    • EDUCAUSE Center for Applied Research www.educause.edu/ECAR
    • Blueprint for Handling Sensitive Data wiki.internet2.edu/confluence/display/secguide