110 likes | 288 Vues
EDUCAUSE/Internet2 Computer and Network Security Task Force Update www.educause.edu/security Jack Suess February 3, 2004. ….Interesting. Gartner - > 70% have had a serious security incident ECAR - > Significant majority of institutions feel security is better now than 2 years ago
E N D
EDUCAUSE/Internet2 Computer and Network Security Task Force Updatewww.educause.edu/securityJack SuessFebruary 3, 2004
….Interesting • Gartner - > 70% have had a serious security incident • ECAR - > Significant majority of institutions feel security is better now than 2 years ago … We can’t eliminate all incidents or know what incidents we avoided through improved practices
Task Force Strategic Goals • Education and Awareness • Standards, Policies, & Procedures • Security Architecture and Tools • Organization, Information Sharing, and Incident Response Collaborating with industry, government, and other parts of academia to achieve these goals
Dancing With the Devil: Vendor Engagement • The Security Task Force established the Cyber Security Forum for Higher Education to develop linkages with the vendor community. Members include - Microsoft, IBM, Dell, HP, Datatel, Network Associates, PeopleSoft, Oracle, Cisco, Apple, Sun, SCT, VeriSign, and others. • A delegation representing the Security Task Force visited Microsoft in September to explain the needs of higher education. Microsoft has been responsive to suggestions.
Dancing With the Devil:Nat’l Cyber Security Summit • Organized by industry trade groups on behalf of DHS • Unwritten goal: Take action so Congress doesn’t legislate solution • Summit Task Forces • Information Security Governance • Awareness • Early Warning • Technical Standards/Common Criteria • Security Across S/W Development Lifecycle Result: Demonstration of understanding and commitment to improving security
Risk Assessment and Tools • Risk assessment is a critical component in developing an IT Security Plan • We have worked with the Carnegie Mellon Software Engineering Institute (SEI) to explore development of a derivative of the OCTAVE risk assessment process for Higher Education • We continue to build partnerships with the auditing community. Rob Clark, Director of Internal Audit for Ga. Tech, has joined the Security Task Force and will be leading an initiative on risk management in higher ed • CIFAC - Variables and factors that determine thresholds of risk are largely dependent upon perspective or role
Education and Awareness Initiative • Security and awareness is consistently listed as a critical need. Less than 40% of institutions have active awareness programs • Mark Bruhn of Indiana and Kelley Bogart of U. of Arizona are co-chairing our security awareness working group. • Two weeks ago we held a 1.5 day workshop to identify how to make quick progress and what to focus on for long-term needs • This working group is working closely with the National Cyber Security Summit task force on Awareness • Finally, May 16-18 we will hold the 2nd Annual Security Professionals Workshop in Washington, D.C.
Effective Practices Initiative • The goal of the initiative is to identify and publicize practical approaches to preventing, detecting, and responding to security problems. • College & university security officers and supporting staff solicit, develop, and review submitted practices. • Effective instead of best because higher education is too diverse for a one-size fits all approach that best implies. We hope to have multiple entries per topic from different institution types
Effective Security Practices Guide Focus Areas Online: www.educause.edu/security/guide Contents include • Education, Training and Awareness • Risk Analysis and Management • Security Architecture Design • Network and Host Vulnerability Assessment • Network and Host Security Implementation • Intrusion and Virus Detection • Incident Response • Encryption, Authentication & Authorization Presently we have 25 practices available
Resources and Events Resources • www.educause.edu/security • security.internet2.edu • www.ren-isac.net Events 2nd Security Professionals Workshop May 16-18, 2004 in Washington, D.C.