White Paper
IT Security in Higher Education
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Introduction: The Growing Need for Improved IT Security on Campuses
IT security is a hot topic these days, especially at colleges and universities. An April 2008 Symantec Global Internet
Security Threat Report noted that the education sector experienced more IT security breaches than any other industry.[1] What's
more, the number of higher education breaches and institutions affected continues to rise, as schools are under
greater pressure to collect more and more student data. Between 2006 and 2008, the number of incidents reported
by schools grew by 101 percent, and during that same period, the number of institutions affected rose by 173
percent.[2] As recently as February 2009, the University of Florida reported an exposure of 97,200 student records, all
of which contained names and Social Security Numbers.
Statistics like these in the education sector, together with the increasing number of breaches in other industries, have
garnered a great deal of publicity and have given cause for alarm. There has been tremendous growth in the
field of IT security training, as organizations of all sizes struggle to find professionals to help them address the
challenge. There are myriad books on IT security on the market, and the list grows monthly; and many colleges,
universities, and technical schools now offer a degree or certification in IT security.
A December 2008 Gartner Group survey found that "the role of the chief information security officer (CISO) is no
longer rare, but many institutions have yet to formalize the role and the title. Policies and support for educating the
community are also still evolving. Work still needs to be done, if security is to be viewed not as an IT problem, but
as an institutional problem that needs addressing."[3]
The Gartner survey's key findings include the following:
•	 "The need for a security officer is now recognized and supported by more than 60 percent of institutions.
•	 "The risk of losing important data is still a more important business driver for security compared to financial
risks.
•	 "Calculating the cost of security breaches and attacks is rare. More than 75 percent of institutions have not even
calculated the cost of mobile PC thefts, which should be less difficult to calculate."[4]
Campus Technology
The technology environment in higher education is complicated by many factors. First, there are often ambiguous
campus perimeters. Many schools have a transient student population, and, even when this is not the case, computer
equipment is often moved during the school year between campus and home. This situation is further complicated
by the fact that a distributed computing environment is common at large schools, making it hard for a central IT
group to keep track of what’s out there. Furthermore, many schools offer distance learning options, meaning that
some student computers may never actually be on campus.
Second, there is a tremendous amount of sensitive electronic data on most campuses. Determining the location of
that data, who controls it, and how best to protect it is a daunting task, even at a small school. At large universities,
there may be a central IT group – or even a central IT security group – but the daily management of many systems
and/or handling of data is usually the responsibility of the individual colleges or departments.
[1] Symantec Global Internet Security Threat Report, April 2008.
[2] Educational Security Incidents (ESI) Year in Review – 2008, released February 2009.
[3] Gartner 2008 Higher Education Security Survey: Governance, Policy and Cost. Michael Zastrocky, Jan-Martin Lowendahl, and Marti Harris. 22 December 2008.
[4] Ibid.
Third is the issue of shadow systems. The university's core systems, containing Enterprise Resource Planning (ERP)
data, credit card information, medical records, or other important student data, may be well protected; but there are frequently
local copies of sensitive data that are not under that same protective umbrella. Even small schools have multiple
departments, and some of these – Housing or Campus Dining, for example – need systems containing important
student information in order to function. When these shadow systems are reachable from the Internet, or
from anywhere on the campus network, the problem is compounded. This
proliferation of systems in a highly distributed information environment makes it very difficult for colleges and
universities to keep track of everyone who has copies of sensitive data such as students' Social Security Numbers.
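A practical first step against the tracking problem described above is to sweep departmental file shares for records that look like Social Security Numbers before an attacker does. The script below is an added example, not code from this white paper or from Rapid7: the share layout, file names and records are constructed for the demonstration, and the plausibility filter uses the Social Security Administration's published structure (area 001–899 excluding 666, group 01–99, serial 0001–9999) to discard phone numbers and placeholder values that a bare nine-digit pattern would flag.

```python
"""Sweep a directory tree for files that look like shadow copies of SSN data.

Added illustration for the shadow-systems discussion; not code from the
white paper or from Rapid7. The file layout and records are constructed.
"""
import os
import re
import shutil
import tempfile
from typing import Dict

# Candidate: three digits, optional separator, two digits, the SAME separator, four
# digits. The digit lookarounds stop matches inside longer digit runs.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues; this removes most false positives."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def count_ssns(text: str) -> int:
    """Number of plausible SSNs in a block of text."""
    return sum(
        1 for m in SSN_CANDIDATE.finditer(text)
        if is_plausible_ssn(m.group(1), m.group(3), m.group(4))
    )


def scan_tree(root: str, max_bytes: int = 5_000_000) -> Dict[str, int]:
    """Return {relative path: SSN count} for every file holding at least one hit.

    Files are decoded with errors ignored so binaries pass through harmlessly;
    files above max_bytes are skipped so the sweep stays cheap on large shares.
    """
    hits: Dict[str, int] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    n = count_ssns(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if n:
                hits[os.path.relpath(path, root)] = n
    return hits


def demo() -> Dict[str, int]:
    """Build a constructed departmental share, sweep it, and clean up."""
    root = tempfile.mkdtemp(prefix="shadow_share_")
    os.makedirs(os.path.join(root, "housing"))
    os.makedirs(os.path.join(root, "dining"))
    samples = {
        # Constructed: an old housing roster exported with SSNs as the key.
        "housing/roster_2008.csv": "last,first,ssn\nDoe,Jane,123-45-6789\nRoe,Rick,219 09 9999\n",
        # Constructed: a phone number, an unissued area (666) and a placeholder must NOT count.
        "dining/contacts.txt": "Call 617-247-1717 or 666-12-3456; placeholder 000-00-0000\n",
        # Constructed: a meal-plan export keyed by an unseparated SSN.
        "dining/mealplan.txt": "id=512345678 plan=gold\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, n in sorted(demo().items()):
        print(f"{n:3d}  {path}")
```

Run against a mounted departmental share, the hit list is the starting inventory of shadow copies; each file then needs an owner, a retention decision, and either deletion or migration under the central protections. The pattern deliberately requires the same separator in both positions, so free text such as "617-247-1717" is not reported.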
Academic freedom is a fourth concern. Open networks – indeed, the Internet itself – have their roots in academe.
Networks have long been viewed as teaching tools, and the notion of imposing any restrictions on them has been
strongly resisted. IT security measures that would exist as a matter of course in a business environment have, until
recently, been frowned upon in academic settings in the name of academic freedom.
Finally, there is always the issue of funding. Because of financial constraints – now more than ever – schools are often
forced to depend on a limited staff of professional IT support personnel. In fact, some campus IT departments are
staffed primarily by computer science majors or other students with an interest in technology.
Government Compliance Issues
Unfortunately, this challenging campus IT environment exists at a time when increasingly stringent
government regulations continue to raise the bar for data protection and to impose harsh penalties on those who fail
to protect sensitive data. At colleges and universities, IT managers must comply with many such regulations.
•	 Banking. Universities and colleges lend and collect large amounts of money, as they grant loans and disburse
funds. This means that they fall under the Gramm-Leach-Bliley Act (GLBA) and must protect the privacy of
their student customers.
•	 Health care. Almost all institutions of higher education with students living on campus have a health center
and therefore must protect patient data under the Health Insurance Portability and Accountability Act
(HIPAA).
•	 Retail sales. Parents and students use credit cards to pay for everything from books to tuition, meaning that
colleges and universities – like all other retailers – must comply with the Payment Card Industry (PCI) Data
Security Standard (DSS).
•	 Student records. The Family Educational Rights and Privacy Act (FERPA) controls who can access student
education records, including grades. If grades are being distributed or stored electronically, they must be secured.
In addition to these federal requirements, colleges and universities in most states must comply with state privacy
laws such as California SB 1386, a piece of landmark legislation that took effect in July 2003. Laws like this
require any agency, person, or business that owns or licenses computerized "personal information" to disclose
any breach of security to those whose unencrypted data is believed to have been disclosed.
In his article, "Back to School: Compliance in Higher Education," Ken Bocek notes, "While most institutions are
compliant with GLB, PCI, HIPAA, FERPA, and other regulations, the number of institutions involved in data breaches
does not seem to be on the decline. It's this point that makes higher education a lesson for all organizations."[5]
[5] "Back to School: Compliance in Higher Education," SC Magazine. Ken Bocek. September 19, 2007.
Addressing IT Security on Campus
Thanks to their growing awareness of the importance of IT security, schools are addressing the issue in a variety of
ways. The most obvious solution – creation of a full-time central IT security group on campus – has been put in place
at many schools, especially large universities. Even smaller schools have recognized the need for someone whose
full-time job is IT security, and higher education employment Websites frequently advertise IT security positions
at community colleges and comprehensive universities. The recognition that security is not something a network
engineer can do as a side job is viewed by education professionals as a positive trend as they accept the challenge
of safeguarding sensitive data, complying with government regulations, and generally protecting the systems and
information within the campus computing environment.
A central IT security group is typically managed by an IT security officer, a high-level position with broad authority
and recognition throughout the school. Because of budget pressures, many schools’ IT groups have not grown larger
in the past few years, but schools have reprioritized resources to address their security concerns. For example, a
school may designate what was formerly a network engineering position as a full-time security position, and retrain
that individual accordingly.
There has also been a trend toward greater cooperation among departments regarding security. Various campus
offices – Human Resources, Controller, Registrar, Financial Aid – frequently collaborate to develop innovative ways to
share resources and protect their user communities.
Another important trend has been increased educational opportunities for the extended university community –
students, faculty, and administration – about the importance of IT security. Blogs, YouTube, and the ubiquitous laptop
and cell phone are all effective means of communication, along with campus newsletters, email, and face-to-face
discussions. By communicating through these various media, campus IT security professionals have helped their
communities to understand that IT security is a shared responsibility and that every campus computer user faces risks
if there is a security lapse.
Many campuses have adopted the practice of conducting departmental or area IT security reviews to help their
constituents recognize their vulnerabilities; identify potential problems with hardware, applications, and/or
databases; and offer alternatives. Some schools have even developed and distributed an IT disaster recovery plan.
It has also become common for schools to conduct compliance-related reviews to teach people how to handle
FERPA, PCI, HIPAA, and/or GLB data, and to underscore the benefit of adopting industry practices such as ISO 27001,
COBIT, and NIST guidance. Furthermore, every college or university today acknowledges the need to maintain a reliable Web
presence, and most of their websites now include at least one page dedicated to IT security.
The bottom line is that IT security operations and practices have become increasingly formalized, and schools have a
far greater awareness of compliance requirements. Colleges now understand that PCI DSS applies wherever cardholder
data is handled on campus, not only in the central business office.
IT Security Resources in Higher Education
As IT security has gained exposure on college and university campuses, a growing number of resources have become
available to address the issue. The Virginia Alliance for Secure Computing and Networking (VA SCAN) was established
to strengthen IT security programs throughout the Commonwealth of Virginia. As their website points out, "This
Alliance brings together Virginia higher education security practitioners who developed and maintain security
programs widely emulated by other institutions, and researchers responsible for creating cybersecurity instruction
and research programs nationally recognized for excellence."[6]
[6] Website – Virginia Alliance for Secure Computing and Networking (VA SCAN), www.vascan.org
The University of Wisconsin’s flagship campus in Madison now routinely conducts risk assessment of its IT systems with
all departmental CIOs in the University system. In Texas, the state legislature has enacted new laws that impact all
public universities and their approach to IT security.
Perhaps the best known American higher education technology resource is EDUCAUSE, which was founded in the late
1990s "to advance higher education by promoting the intelligent use of information technology."[7] Open to all public
and private colleges and universities, EDUCAUSE fosters information sharing by providing schools with opportunities
to participate in policy-sharing forums or to post presentations and other materials that they have developed.
EDUCAUSE also sponsors an annual security event for those in security officer or security analyst roles so they can
come together and focus on communication, collaboration, and information sharing.
The Role of Rapid7 Nexpose
Rapid7 Nexpose is a vulnerability assessment product that has become a boon to IT security professionals at nearly
100 institutions of higher learning, including Carnegie Mellon University, Florida State University, George Washington
University, Norwich University, University of Mary Washington, Virginia Tech University and Weill Medical College.
In fact, one IT security officer has described Rapid7 Nexpose as a “force multiplier” that saves valuable time and
resources.
Nexpose provides broad platform coverage from one integrated product that assesses the security risk for a wide
array of systems, software and devices in your IT environment, including:
•	 Network and Operating System Vulnerability Assessment – The first step in securing your IT environment is to
ensure that all systems and network devices have been properly audited and exposures eliminated. Rapid7
Nexpose enables organizations to audit their networks, track discovered vulnerabilities through resolution,
and ensure policy compliance.
•	 Web Application Vulnerability Assessment – Because they exist as a conduit between external users and a
company’s internal databases, Web applications can be one of the biggest security risks. Rapid7 Nexpose
scans the Web application server and all Web applications for serious threats to your environment, such as
SQL injection and cross-site scripting.
•	 Database Vulnerability Assessment – Rapid7 Nexpose provides comprehensive database scanning for Oracle,
Microsoft SQL Server, Sybase, PostgreSQL, MySQL, IBM DB2 and IBM DB/400 to identify vulnerabilities that
affect databases such as default accounts; default permissions on database objects like tables, views, and
stored procedures; buffer overflows; and denial of service.
•	 Compliance Scanning – The growing number of government and industry-specific regulations designed
to protect corporate information require organizations to put policies in place to regularly audit the
environment and produce reports that validate compliance. Rapid7 Nexpose generates SOX, HIPAA, PCI,
FISMA and GLBA reports that document and demonstrate compliance to auditors.
[7] Website – EDUCAUSE, www.educause.edu
About Rapid7
Rapid7 is a leading provider of IT security risk management software. Its integrated vulnerability management and
penetration testing products, Nexpose and Metasploit, and mobile risk management solution, Mobilisafe, enable
defenders to gain contextual visibility and manage the risk associated with the IT environment, users and threats
relevant to their organization. Rapid7’s simple and innovative solutions are used by more than 2,000 enterprises and
government agencies in more than 65 countries, while the Company’s free products are downloaded more than one
million times per year and enhanced by more than 175,000 members of its open source security community. Rapid7
has been recognized as one of the fastest growing security companies by Inc. Magazine and as a “Top Place to Work”
by the Boston Globe. Its products are top rated by Gartner®, Forrester® and SC Magazine. The Company is backed by
Bain Capital and Technology Crossover Ventures. For more information about Rapid7, please visit http://www.rapid7.com.
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVES
 
Essay On It Security
Essay On It SecurityEssay On It Security
Essay On It Security
 
Key findings from information security survey at higher education institution...
Key findings from information security survey at higher education institution...Key findings from information security survey at higher education institution...
Key findings from information security survey at higher education institution...
 
GAMABrief: When Education Meets Big Data
GAMABrief: When Education Meets Big DataGAMABrief: When Education Meets Big Data
GAMABrief: When Education Meets Big Data
 
CAPTURE THE TALENT: SECONDARY SCHOOL EDUCATION WITH CYBER SECURITY COMPETITIONS
CAPTURE THE TALENT: SECONDARY SCHOOL EDUCATION WITH CYBER SECURITY COMPETITIONSCAPTURE THE TALENT: SECONDARY SCHOOL EDUCATION WITH CYBER SECURITY COMPETITIONS
CAPTURE THE TALENT: SECONDARY SCHOOL EDUCATION WITH CYBER SECURITY COMPETITIONS
 
CAPTURE THE TALENT: SECONDARY SCHOOL EDUCATION WITH CYBER SECURITY COMPETITIONS
CAPTURE THE TALENT: SECONDARY SCHOOL EDUCATION WITH CYBER SECURITY COMPETITIONSCAPTURE THE TALENT: SECONDARY SCHOOL EDUCATION WITH CYBER SECURITY COMPETITIONS
CAPTURE THE TALENT: SECONDARY SCHOOL EDUCATION WITH CYBER SECURITY COMPETITIONS
 
Student Data and Its Discontents: How FUD undermined an education reform agenda
Student Data and Its Discontents: How FUD undermined an education reform agendaStudent Data and Its Discontents: How FUD undermined an education reform agenda
Student Data and Its Discontents: How FUD undermined an education reform agenda
 
Keep Student information protected while improving services
Keep Student information protected while improving servicesKeep Student information protected while improving services
Keep Student information protected while improving services
 
WiCyS Career Fair Handbook
WiCyS Career Fair HandbookWiCyS Career Fair Handbook
WiCyS Career Fair Handbook
 

Plus de Rapid7

[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...Rapid7
 
OpenSSL Heartbleed Vulnerability Explained & Tips for Protection
OpenSSL Heartbleed Vulnerability Explained & Tips for ProtectionOpenSSL Heartbleed Vulnerability Explained & Tips for Protection
OpenSSL Heartbleed Vulnerability Explained & Tips for ProtectionRapid7
 
How to Manage Your Security Control's Effectiveness
How to Manage Your Security Control's EffectivenessHow to Manage Your Security Control's Effectiveness
How to Manage Your Security Control's EffectivenessRapid7
 
Penetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD MethodologyPenetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD MethodologyRapid7
 
Life's a Breach: Yahoo Gets Burned by SQL Injection
Life's a Breach: Yahoo Gets Burned by SQL InjectionLife's a Breach: Yahoo Gets Burned by SQL Injection
Life's a Breach: Yahoo Gets Burned by SQL InjectionRapid7
 
Rapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMRapid7
 
How to Sell Security to Your CIO
How to Sell Security to Your CIOHow to Sell Security to Your CIO
How to Sell Security to Your CIORapid7
 

Plus de Rapid7 (8)

[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
 
OpenSSL Heartbleed Vulnerability Explained & Tips for Protection
OpenSSL Heartbleed Vulnerability Explained & Tips for ProtectionOpenSSL Heartbleed Vulnerability Explained & Tips for Protection
OpenSSL Heartbleed Vulnerability Explained & Tips for Protection
 
How to Manage Your Security Control's Effectiveness
How to Manage Your Security Control's EffectivenessHow to Manage Your Security Control's Effectiveness
How to Manage Your Security Control's Effectiveness
 
Penetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD MethodologyPenetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD Methodology
 
Life's a Breach: Yahoo Gets Burned by SQL Injection
Life's a Breach: Yahoo Gets Burned by SQL InjectionLife's a Breach: Yahoo Gets Burned by SQL Injection
Life's a Breach: Yahoo Gets Burned by SQL Injection
 
Rapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance Guide
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
 
How to Sell Security to Your CIO
How to Sell Security to Your CIOHow to Sell Security to Your CIO
How to Sell Security to Your CIO
 

Dernier

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 

Dernier (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 

IT Security in Higher Education

White Paper: IT Security in Higher Education

Rapid7 Corporate Headquarters, 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095, 617.247.1717, www.rapid7.com

Introduction: The Growing Need for Improved IT Security on Campuses

IT security is a hot topic these days, especially at colleges and universities. An April 2008 Symantec Global Internet report noted that the education sector experienced more IT security breaches than any other industry.[1] What’s more, the number of higher education breaches and institutions affected continues to rise, as schools are under greater pressure to collect more and more student data. Between 2006 and 2008, the number of incidents reported by schools grew by 101 percent, and during that same period, the number of institutions affected rose by 173 percent.[2] As recently as February 2009, the University of Florida reported an exposure of 97,200 student records, all of which contained names and Social Security Numbers.

Statistics like these in the education sector – as well as the increasing number of breaches in other industries – have garnered a great deal of publicity and have generated cause for alarm. There has been tremendous growth in the field of IT security training, as organizations of all sizes struggle to find professionals to help them address the challenge. There are myriad books on IT security on the market, and the list grows monthly; and many colleges, universities, and technical schools now offer a degree or certification in IT security.

A December 2008 Gartner Group Survey found that “the role of the chief information security officer (CISO) is no longer rare, but many institutions have yet to formalize the role and the title. Policies and support for educating the community are also still evolving. Work still needs to be done, if security is to be viewed not as an IT problem, but as an institutional problem that needs addressing.”[3] The Gartner survey’s key findings include the following:

• “The need for a security officer is now recognized and supported by more than 60 percent of institutions.
• “The risk of losing important data is still a more important business driver for security compared to financial risks.
• “Calculating the cost of security breaches and attacks is rare. More than 75 percent of institutions have not even calculated the cost of mobile PC thefts, which should be less difficult to calculate.”[4]

Campus Technology

The technology environment in higher education is complicated by many factors. First, there are often ambiguous campus perimeters. Many schools have a transient student population, and, even when this is not the case, computer equipment is often moved during the school year between campus and home. This situation is further complicated by the fact that a distributed computing environment is common at large schools, making it hard for a central IT group to keep track of what’s out there. Furthermore, many schools offer distance learning options, meaning that some student computers may never actually be on campus.

Second, there is a tremendous amount of sensitive electronic data on most campuses. Determining the location of that data, who controls it, and how best to protect it is a daunting task, even at a small school. At large universities, there may be a central IT group – or even a central IT security group – but the daily management of many systems and/or handling of data is usually the responsibility of the individual colleges or departments.

Third is the issue of shadow systems. The university’s core systems, containing Enterprise Resource Planning (ERP), CC information, medical records, or other important student data, may be well protected; but there are frequently local copies of sensitive data that are not under that same protective umbrella. Even small schools have multiple departments, and some of these – Housing or Campus Dining, for example – need systems containing important student information in order to function. When these various shadow systems are connected to the Internet, or where the shadow systems are accessible from across the campus networks, the problem is compounded. This proliferation of systems in a highly distributed information environment makes it very difficult for colleges and universities to keep track of everyone who has copies of sensitive data such as students’ Social Security Numbers.

Academic freedom is a fourth concern. Open networks – indeed, the Internet itself – have their roots in academe. Networks have long been viewed as teaching tools, and the notion of imposing any restrictions on them has been forbidden. IT security measures that would exist as a matter of course in a business environment have, until recently, been frowned upon in academic settings in the name of academic freedom.

Finally, there is always the issue of funding. Because of financial constraints – now more than ever – schools are often forced to depend on a limited staff of professional IT support personnel. In fact, some campus IT departments are staffed primarily by computer science majors or other students with an interest in technology.

[1] Security Threat Report, Symantec Global Internet, April 2008.
[2] Educational Security Incidents (ESI) Year in Review – 2008, released February 2009.
[3] Gartner 2008 Higher Education Security Survey: Governance, Policy and Cost. Michael Zastrocky, Jan-Martin Lowendahl, and Marti Harris. 22 December 2008.
[4] Ibid.
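The shadow-systems problem described above (knowing who holds copies of students’ Social Security Numbers once departmental exports leave the core systems) is usually approached by scanning the departmental files for the data itself. The following is an added example, not code from the white paper or from Rapid7: a small Python discovery pass over constructed sample files (the paths and their contents are invented for this illustration) that flags plausibly formatted SSNs, applies the Social Security Administration’s never-issued ranges to cut false positives, and reports masked values so that the inventory does not itself become another unprotected copy of the data.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample files standing in for departmental "shadow systems" (a Housing roster
# export, a Campus Dining notes file, a Registrar file). Every value below is made up for
# this example; none of it comes from the white paper.
SAMPLE_FILES: Dict[str, str] = {
    "housing/roster_2009.csv": (
        "id,name,ssn,room\n"
        "1,Alice Example,123-45-6789,Smith Hall 204\n"
        "2,Bob Example,234-56-7890,Smith Hall 206\n"
    ),
    "dining/mealplan_notes.txt": (
        "Order #000-12-3456 shipped.\n"
        "Contact 666-11-2222 looks like an SSN but uses a reserved area number.\n"
        "Balance 1234-5678 OK.\n"
    ),
    "registrar/grades.txt": "No SSNs here: grades A, B+, and 900-12-3456 is an invalid area.\n",
}

# The dashed 3-2-4 shape, not embedded in a longer run of digits.
SSN_SHAPE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject shapes the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


class Finding(NamedTuple):
    path: str
    line_no: int
    masked: str  # last four digits only; the report must not become another copy of the SSN


def mask(ssn: str) -> str:
    return "***-**-" + ssn[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per plausible SSN in the text, with the value masked."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_SHAPE.finditer(line):
            if plausible_ssn(*m.groups()):
                findings.append(Finding(path, line_no, mask(m.group(0))))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan every file; paths with no findings map to an empty list so coverage stays visible."""
    return {path: scan_text(path, text) for path, text in files.items()}


def inventory(results: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Per-path count of plausible SSNs: the 'who holds copies' view the paper says is hard to get."""
    return {path: len(hits) for path, hits in results.items() if hits}


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for path, count in inventory(results).items():
        print(f"{path}: {count} plausible SSN(s)")
        for f in results[path]:
            print(f"  line {f.line_no}: {f.masked}")
```

On the constructed input only the Housing roster is reported (two masked hits); the Dining and Registrar files contain strings of the right shape that fall in reserved ranges and are dropped. In a real deployment the same pass would walk the departmental file shares and database exports, and the masked inventory, not the raw matches, is what gets handed to the data owners.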
Government Compliance Issues

Unfortunately, this challenging campus IT environment exists at the same time when increasingly stringent government regulations continue to raise the bar for data protection and to impose harsh penalties for those who fail to protect sensitive data. At colleges and universities, IT managers must comply with many such regulations.

• Banking. Universities and colleges lend and collect large amounts of money, as they grant loans and disburse funds. This means that they fall under the Gramm-Leach-Bliley Act (GLBA) and must protect the privacy of their student customers.
• Health care. Almost all institutions of higher education with students living on campus have a health center and therefore must protect patient data under the Health Insurance Portability and Accountability Act (HIPAA).
• Retail sales. Parents and students use credit cards to pay for everything from books to tuition, meaning that colleges and universities – like all other retailers – must comply with the Payment Card Industry (PCI) Data Security Standard (DSS).
• Student grades. The Family Educational Rights and Privacy Act (FERPA) controls who can access student grades. If grades are being distributed or stored electronically, they must be secured.

In addition to these federal requirements, colleges and universities in most states must comply with state privacy laws such as California SB 1386, a piece of landmark legislation that became operative in July of 2003. Laws like this require that any agency, person, or business that owns or licenses computerized “personal information” must disclose any breach of security to those whose unencrypted data is believed to have been disclosed.

In his article, “Back to School: Compliance in Higher Education,” Ken Bocek notes, “While most institutions are compliant with GLB, PCI, HIPAA, FERPA, and other regulations, the number of institutions involved in data breaches does not seem to be on the decline. It’s this point that makes higher education a lesson for all organizations.”[5]

Addressing IT Security on Campus

Thanks to their growing awareness of the importance of IT security, schools are addressing the issue in a variety of ways. The most obvious solution – creation of a full-time central IT security group on campus – has been put in place at many schools, especially large universities. Even smaller schools have recognized the need for someone whose full-time job is IT security, and higher education employment Websites frequently advertise IT security positions at community colleges and comprehensive universities. The recognition that security is not something a network engineer can do as a side job is viewed by education professionals as a positive trend as they accept the challenge of safeguarding sensitive data, complying with government regulations, and generally protecting the systems and information within the campus computing environment.

A central IT security group is typically managed by an IT security officer, a high-level position with broad authority and recognition throughout the school. Because of budget pressures, many schools’ IT groups have not grown larger in the past few years, but schools have reprioritized resources to address their security concerns. For example, a school may designate what was formerly a network engineering position as a full-time security position, and retrain that individual accordingly. There has also been a trend toward greater cooperation among departments regarding security. Various campus offices – Human Resources, Controller, Registrar, Financial Aid – frequently collaborate to develop innovative ways to share resources and protect their user communities.

Another important trend has been increased educational opportunities for the extended university community – students, faculty, and administration – about the importance of IT security. Blogs, YouTube, and the ubiquitous laptop and cell phone are all effective means of communication, along with campus newsletters, email, and face-to-face discussions. By communicating through these various media, campus IT security professionals have helped their communities to understand that IT security is a shared responsibility and that every campus computer user faces risks if there is a security lapse.

Many campuses have adopted the practice of conducting departmental or area IT security reviews to help their constituents recognize their vulnerabilities; identify potential problems with hardware, applications, and/or databases; and offer alternatives. Some schools have even developed and distributed an IT disaster recovery plan. It has also become common for schools to conduct compliance-related reviews to teach people how to handle FERPA, PCI, HIPAA, and/or GLB data, and to underscore the benefit of adopting industry practices such as ISO 27001, COBIT, and NIST. Furthermore, every college or university today acknowledges the need to maintain a reliable Web presence, and most of their websites now include at least one page dedicated to IT security.

The bottom line is that IT security operations and practices have become increasingly formalized, and schools have a far greater awareness of compliance requirements. Colleges now understand that PCI applies everywhere.

IT Security Resources in Higher Education

As IT security has gained exposure on college and university campuses, a growing number of resources have become available to address the issue. The Virginia Alliance for Secure Computing and Networking (VA SCAN) was established to strengthen IT security programs throughout the Commonwealth of Virginia. As their Website points out, “This Alliance brings together Virginia higher education security practitioners who developed and maintain security programs widely emulated by other institutions, and researchers responsible for creating cybersecurity instruction and research programs nationally recognized for excellence.”[6]

The University of Wisconsin’s flagship campus in Madison now routinely conducts risk assessment of its IT systems with all departmental CIOs in the University system. In Texas, the state legislature has enacted new laws that impact all public universities and their approach to IT security.

Perhaps the best known American higher education technology resource is EDUCAUSE, which was founded in the late 1990s “to advance higher education by promoting the intelligent use of information technology.”[7] Open to all public and private colleges and universities, EDUCAUSE fosters information sharing by providing schools with opportunities to participate in policy-sharing forums or to post presentations and other materials that they have developed. EDUCAUSE also sponsors an annual security event for those in security officer or security analyst roles so they can come together and focus on communication, collaboration, and information sharing.

The Role of Rapid7 Nexpose

Rapid7 Nexpose is a vulnerability assessment product that has become a boon to IT security professionals at nearly 100 institutions of higher learning, including Carnegie Mellon University, Florida State University, George Washington University, Norwich University, University of Mary Washington, Virginia Tech University and Weill Medical College. In fact, one IT security officer has described Rapid7 Nexpose as a “force multiplier” that saves valuable time and resources. Nexpose provides broad platform coverage from one integrated product that assesses the security risk for a wide array of systems, software and devices in your IT environment, including:

• Network and Operating System Vulnerability Assessment – The first step in securing your IT environment is to ensure that all systems and network devices have been properly audited and exposures eliminated. Rapid7 Nexpose enables organizations to audit their networks, track discovered vulnerabilities through resolution, and ensure policy compliance.
• Web Application Vulnerability Assessment – Because they exist as a conduit between external users and a company’s internal databases, Web applications can be one of the biggest security risks. Rapid7 Nexpose scans the Web application server and all Web applications for serious threats to your environment, such as SQL injection and cross-site scripting.
• Database Vulnerability Assessment – Rapid7 Nexpose provides comprehensive database scanning for Oracle, Microsoft SQL Server, Sybase, PostgreSQL, MySQL, IBM DB2 and IBM DB/400 to identify vulnerabilities that affect databases, such as default accounts; default permissions on database objects like tables, views, and stored procedures; buffer overflows; and denial of service.
• Compliance Scanning – The growing number of government and industry-specific regulations designed to protect corporate information require organizations to put policies in place to regularly audit the environment and produce reports that validate compliance. Rapid7 Nexpose generates SOX, HIPAA, PCI, FISMA and GLBA reports that document and demonstrate compliance to auditors.

About Rapid7

Rapid7 is a leading provider of IT security risk management software. Its integrated vulnerability management and penetration testing products, Nexpose and Metasploit, and mobile risk management solution, Mobilisafe, enable defenders to gain contextual visibility and manage the risk associated with the IT environment, users and threats relevant to their organization. Rapid7’s simple and innovative solutions are used by more than 2,000 enterprises and government agencies in more than 65 countries, while the Company’s free products are downloaded more than one million times per year and enhanced by more than 175,000 members of its open source security community. Rapid7 has been recognized as one of the fastest growing security companies by Inc. Magazine and as a “Top Place to Work” by the Boston Globe. Its products are top rated by Gartner®, Forrester® and SC Magazine. The Company is backed by Bain Capital and Technology Crossover Ventures. For more information about Rapid7, please visit http://www.rapid7.com.

[5] “Back to School: Compliance in Higher Education,” SC Magazine. Ken Bocek. September 19, 2007.
[6] Website – Virginia Alliance for Secure Computing and Networking (VA SCAN), www.vascan.org
[7] Website – EDUCAUSE, www.educause.edu