Accessibility, Integrity, & Confidentiality: Security Challenges for E-Business

Rodney J. Petersen
University of Maryland & Educause/Internet2 Security Task Force


E-Risks

Threats vs. Vulnerabilities
Legal Liabilities
Risk Management

Risk Management

Identifying the Risks
Calculating the Costs
Mitigating the Risks
Outsourcing the Risks
Managing the Risks

Availability: Computers, systems, and networks must be available on a timely basis to meet mission requirements or to avoid substantial losses.

Integrity: Computers, systems, and networks that contain information must be protected from unauthorized, unanticipated, or unintentional modification.

Confidentiality: Computers, systems, and networks that contain information require protection from unauthorized use or disclosure.

Asset/System Identification

Human Resources/Payroll Systems
Student Information
Patient Records
Financial Systems
Course Information
Intellectual Property/Research Data
Facilities Management Systems
Alumni and Donor Records

Risk Assessment by System

                  High    Medium    Low
Availability
Integrity
Confidentiality

Improving Higher Education IT Security for 2002 (Gartner)

Business continuity: to recover after an incident or avoid the consequences of an outage.

Improved responsiveness to security incidents, which promotes an environment of continual risk management.

Improved user authentication across multiple systems, including a single sign-on that uses robust directory services.

Security Improvement (Cont'd)

Improved security for remote users, including the use of VPN clients and antiviral software.

Improved directory services to ensure the institution has current information about the location and contact information for every user.

Strengthened policies to achieve a better balance between user freedom and systems integrity.

Top 10 Info-Security Policies (PentaSafe Security Technologies, Inc.)

1. Background Checks
2. Maintaining a Low Profile
3. ID Badges
4. Update and Test Contingency Plans
5. Store Critical Data Off-Site
6. Install Latest Patches
7. Use Intrusion Detection Systems
8. Minimum Levels of Monitoring and Logging
9. Assign Explicit Responsibilities for Security
10. Periodic Risk Assessments of Critical Systems

Establishing a Security Policy

Plans
Strategies
Decisions
IT Architecture: Standards
Policies, Procedures, and Practices
Guidelines

Policy Development Resource

Association of College and University Policy Administrators (ACUPA)

ACUPA 2003, Spring Meeting in April, hosted by the University of Minnesota, Minneapolis, MN

For more information, see: http://www.umd.edu/acupa

Framework for Action

Make IT security a higher and more visible priority in higher education.

Do a better job with existing security tools, including revision of institutional policies.

Design, develop, and deploy improved security for future research and education networks.

Raise the level of security collaboration among higher education, industry, and government.

Integrate higher education work on security into the broader national effort to strengthen critical infrastructure.

Educause/Internet2 Computer & Network Security Task Force

Co-Chairs:
Dan Updegrove, University of Texas, Austin
Gordon Wishon, University of Notre Dame

Former Task Force Committees:
Education and Awareness
Policy and Legal Issues
Detection, Prevention, and Response
Emerging Technologies

See http://www.educause.edu/security
See http://security.internet2.edu

Invitational Workshops

Vision and Principles
IT Security/Policy Professionals
User Community
Higher Ed IT Security Summit

National Strategy to Secure Cyberspace

Development of a National Strategy
Report to the President, to be delivered this summer
President's Special Advisor for Cyber Security
Critical Infrastructure Assurance Office
Questions: www.gcn.com/cybersecurity

National Strategy Questions

Level 1: The Home User and Small Business
Level 2: Major Enterprises
Level 3: Sectors of the National Information Infrastructure
    The Federal Government
    The Private Sector
    State and Local Government
    Higher Education
Level 4: National Level Institutions and Policies
Level 5: Global

National Strategy & Higher Ed

Preventing attacks from Universities: How can academic freedom of inquiry be maintained while at the same time preventing the large scale computing power of universities from being hijacked for denial of service attacks and other malicious activity directed at other sites?

National Strategy & Higher Ed

Preventing attacks within Universities: What functions on a university system require high levels of IT security (e.g., medical records, research trials, patents) and how is that best achieved within the context of an academic setting?

National Strategy & Higher Ed

Organization: How can universities best organize to address the IT security questions they face in common? Should best practices or standards be agreed on a national level? Should there be a mechanism for information sharing on threats and vulnerabilities among university CIOs and systems administrators?

Publications About Security

Higher Education Contribution to National Strategy to Secure Cyberspace
EDUCAUSE Center for Applied Research Report
Commissioned Works for Invitational Workshops
Jossey-Bass Security Monograph

Monograph topics:
IT Security and Academic Values
Creating and Implementing an IT Security Plan
Conducting a Business Impact Analysis
Education and Awareness
Legal Issues, Risk Assessment, and Insurance
Security Policies, Procedures, and Guidelines
Incident Prevention, Detection, and Response

Letter to the President

Is the letter to the president the right place to start? What would it say? What is the message?

CIO: What is your response if the president offers $1 million to address security? How will you spend it?

CFO: What is your response if the president requests to allocate $1 million to IT security? How will you fund it?

For more information:

Visit http://www.educause.edu/security

or contact Rodney Petersen

Email: [email protected]
Phone: 301.405.7349