© 2003, EDUCAUSE/Internet2 Computer and Network Security Task Force Computer Access, Privacy and Security: Legal Obligations and Liabilities Rodney J. Petersen Policy Analyst, EDUCAUSE EDUCAUSE/Internet2 Security Task Force Coordinator


Page 1: Computer Access, Privacy and Security: Legal Obligations and Liabilities

Rodney J. Petersen
Policy Analyst, EDUCAUSE
EDUCAUSE/Internet2 Security Task Force Coordinator

Page 2: Introduction: 3 C’s of Security

- Change – academic culture is shifting, technology is evolving, and new threats and vulnerabilities are emerging
- Complex – technical solutions are increasingly sophisticated, but the focus should be on information security
- Critical! – asset protection is important, but critical infrastructures are at risk!

Page 3: Policy of the United States

“In the past few years, threats in cyberspace have risen dramatically. The policy of the United States is to protect against the debilitating disruption of the operation of information systems for critical infrastructures and, thereby, help to protect the people, economy, and national security of the United States. We must act to reduce our vulnerabilities to these threats before they can be exploited to damage the cyber systems supporting our Nation’s critical infrastructures and ensure that such disruptions of cyberspace are infrequent, of minimal duration, manageable, and cause the least damage possible.”

Letter from President George W. Bush to The American People, The National Strategy to Secure Cyberspace (February 2003)

Page 4: Coordinated Higher Ed Effort

- EDUCAUSE – Use of IT in Higher Education
- Internet2 – Advanced Networking & Next Generation
- Higher Education Information Technology Alliance, http://www.heitalliance.org:
  - American Association of Community Colleges
  - American Association of State Colleges and Universities
  - American Council on Education
  - Association of American Universities
  - Association of Research Libraries
  - EDUCAUSE
  - Internet2
  - National Association of College and University Business Officers
  - National Association of Independent Colleges and Universities
  - National Association of State Universities and Land-Grant Colleges
  - University Continuing Education Association

Page 5: EDUCAUSE/Internet2 Computer and Network Security Task Force

- Co-chairs: Jack Suess, UMBC, & Gordon Wishon, University of Notre Dame
- Resource on Computer and Network Security for the Higher Education Community: www.educause.edu/security
- Initiatives:
  - Outreach and Awareness
  - Effective Practices and Solutions
  - Professional Development for Security Professionals
  - Risk Assessment Methods and Tools
  - Legal Issues and Institutional Policies
  - Federal/State Public Policy
  - Vendor Engagement

Page 6: Message to Presidents (Feb 2003)

- Set the tone: ensure that all campus stakeholders know that you take Cybersecurity seriously. Insist on community-wide awareness and accountability.
- Establish responsibility for campus-wide Cybersecurity at the cabinet level. At a large university, this responsibility might be assigned to the Chief Information Officer. At a small college, this person may have responsibility for many areas, including the institutional computing environment.
- Ask for a periodic Cybersecurity risk assessment that identifies the most important risks to your institution. Manage these risks in the context of institutional planning and budgeting.
- Request updates to your Cybersecurity plans on a regular basis in response to the rapid evolution of the technologies, vulnerabilities, threats, and risks.

David Ward, President, American Council on Education

Page 7: Awareness and Accountability

- Only one-third of our institutions have a formal awareness program for students, faculty, or staff – ECAR Study (2003)
- “The key to sec-U-R-IT-y? You are it!” – University of Arizona
- The National Strategy recommends that institutions of higher education identify and adopt model user awareness programs and materials

Page 8: New Awareness Campaign

www.microsoft.com/education/?ID=SecurityPosters

Page 9: Responsibility and Authority

- Directors of networking are most often in charge of day-to-day management of IT security (31%), followed by chief IT security officers (22%), and CIOs (7%). Only 20% of the institutions surveyed have a full-time chief IT security officer – ECAR Study (2003)
- Only 14% of the institutions surveyed indicate that they “regularly report” IT security incidents to senior management – ECAR Study (2003)
- The National Strategy recommends that institutions of higher education identify and adopt model guidelines empowering Chief Information Officers (CIOs) to address cybersecurity

Page 10: Risk Management

- Only 30% of the institutions surveyed have undertaken a risk assessment to determine their IT assets’ value and the risk to those assets – ECAR Study (2003)
- Risk Assessment (identify assets, classify assets, inventory policies and practices, vulnerabilities, etc.) and Responses to Risk (assumption, control, mitigation, or avoidance)
- The National Strategy recommends that institutions of higher education identify and adopt one or more sets of best practices for IT security
- Risk = Threats x Vulnerabilities x Impact
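The risk assessment steps on this slide (identify and classify assets, then pick a response) and the formula Risk = Threats x Vulnerabilities x Impact can be run over an asset inventory rather than applied one asset at a time. The Python below is an added example and is not material from the deck or from the EDUCAUSE/Internet2 Task Force. It generalizes the formula slightly by rating impact per category (the legal, financial, reputational, operational and strategic types the deck lists) and taking the worst one, then ranks the register and maps each score to one of the four responses the slide names. The 1-5 scales, the score cutoffs for each response, the classification labels and the sample assets are all assumptions chosen for illustration.

```python
"""Added example (not from the slide deck): a minimal risk register that applies
Risk = Threats x Vulnerabilities x Impact across an asset inventory, ranks the
assets, and maps each score to one of the deck's four responses
(assumption, control, mitigation, avoidance).

Scales, thresholds, classification labels and sample assets are assumptions.
"""
from dataclasses import dataclass, field

# Assumed 1..5 ordinal scale for every factor (the deck prescribes no scale).
SCALE_MIN, SCALE_MAX = 1, 5

# Impact categories taken from the deck's "Types of Risk" slide.
IMPACT_TYPES = ("legal", "financial", "reputational", "operational", "strategic")

# Assumed cutoffs on the 1..125 product; highest matching cutoff wins.
RESPONSE_THRESHOLDS = (
    (100, "avoidance"),   # stop, redesign or decommission the activity
    (40, "mitigation"),   # reduce likelihood and/or impact
    (10, "control"),      # routine controls, monitor and review
    (0, "assumption"),    # accept the risk and document the decision
)


@dataclass
class Asset:
    name: str
    classification: str           # assumed labels: "public", "internal", "restricted"
    threat: int                   # likelihood that a threat acts on the asset
    vulnerability: int            # exposure given current policies and practices
    impact: dict = field(default_factory=dict)  # category -> rating, keys from IMPACT_TYPES


def _check_scale(value, label: str) -> int:
    """Reject ratings outside the assumed scale so a typo cannot hide a risk."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be an integer in {SCALE_MIN}..{SCALE_MAX}, got {value!r}")
    return value


def risk_score(asset: Asset) -> int:
    """Risk = Threats x Vulnerabilities x Impact, with Impact taken as the
    worst (maximum) rating across the categories supplied for the asset."""
    threat = _check_scale(asset.threat, f"{asset.name}: threat")
    vuln = _check_scale(asset.vulnerability, f"{asset.name}: vulnerability")
    unknown = set(asset.impact) - set(IMPACT_TYPES)
    if unknown:
        raise ValueError(f"{asset.name}: unknown impact categories {sorted(unknown)}")
    if not asset.impact:
        raise ValueError(f"{asset.name}: at least one impact rating is required")
    impact = max(_check_scale(v, f"{asset.name}: impact[{k}]") for k, v in asset.impact.items())
    return threat * vuln * impact


def is_valid_asset(asset: Asset) -> bool:
    """True when every rating is on the scale and the impact keys are known."""
    try:
        risk_score(asset)
    except ValueError:
        return False
    return True


def response_for(score: int) -> str:
    """Map a score to the deck's four responses using the assumed cutoffs."""
    for cutoff, response in RESPONSE_THRESHOLDS:
        if score >= cutoff:
            return response
    return "assumption"


def rank_register(assets) -> list:
    """Return (name, score, response) tuples, highest risk first, ties by name."""
    rows = []
    for asset in assets:
        score = risk_score(asset)
        rows.append((asset.name, score, response_for(score)))
    return sorted(rows, key=lambda row: (-row[1], row[0]))


# Constructed sample inventory (illustrative only, not real institutional data).
SAMPLE_ASSETS = [
    Asset("student records DB", "restricted", threat=4, vulnerability=4,
          impact={"legal": 5, "reputational": 5, "financial": 4}),
    Asset("legacy FTP server holding SSNs", "restricted", threat=5, vulnerability=5,
          impact={"legal": 5, "reputational": 4}),
    Asset("public web site", "public", threat=5, vulnerability=2,
          impact={"reputational": 3, "operational": 2}),
    Asset("residence hall network", "internal", threat=4, vulnerability=4,
          impact={"operational": 3, "legal": 2}),
    Asset("lab scheduling app", "internal", threat=2, vulnerability=2,
          impact={"operational": 1}),
]

if __name__ == "__main__":
    for name, score, response in rank_register(SAMPLE_ASSETS):
        print(f"{score:4d}  {response:<11} {name}")
```

The ranking is only as good as the ratings behind it, which is why the example refuses out-of-range values instead of silently clamping them; in practice the scale definitions and the cutoffs are the part of the assessment that needs sign-off from the people responsible for the system, as the deck's later slide on security policies puts it.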

Page 11: Types of Risk (Impact)

- Legal Risks
- Financial Risks
- Reputational Risks
- Operational Risks
- Strategic Risks

Page 12: Cybersecurity Plans

- Only 13% of the institutions surveyed have comprehensive IT security plans in place. 10% said no plan was in place. 42% had a partial plan in place. 36% are currently developing a plan – ECAR Study (2003)
- Convergence with Emergency Preparedness Planning Activities
- Relationship to Business Continuity
- Cyber Security as part of Strategic Plans

Page 13: Security Policies

- “A security policy is a concise statement, by those responsible for a system (such as senior management), of information values, protection responsibilities and organizational commitment.” [U.S. General Accounting Office]
- 54% of the institutions surveyed have formal institutional IT security policies – ECAR Study (2003)
- 37% had policies in the implementation stage – ECAR Study (2003)

Page 14: What Formal Policies Cover

- 99% – acceptable use
- 89% – system access control
- 85% – authority to shut off Internet access
- 83% – data security
- 82% – network security
- 82% – enforcement of institutional policies
- 80% – desktop security
- 71% – physical security of assets
- 61% – residence halls
- 51% – remote devices
- 39% – application development

ECAR Study (2003)

Page 15: Security Policies & Procedures

- Rationale/Purpose
- Scope
- Policy Statement
- Roles & Responsibilities
- Procedures
- Related Policies

Page 16: Rationale or Purpose

Examples include:
- Confidentiality, Integrity, & Availability
- Attainment of Institutional Mission
- Compliance with Laws or Regulations
  - GLB Act
  - HIPAA
  - State Laws or Regulations
- Principles

Page 17: Guiding Principles

- Civility and Community
- Academic and Intellectual Freedom
- Privacy and Confidentiality
- Equity, Diversity, and Access
- Fairness and Process
- Ethics, Integrity, and Responsibility

Page 18: Scope

Examples include:
- Data or information?
- Computers and networks?
- “Information Resources – information in any form and recorded on any media, and all computer and communications equipment and software.” [Georgetown University Information Security Policy]

Page 19: Policy Statement

Examples include:
- Risk management
- Critical asset identification
- Physical security
- System and network management
- Authentication & authorization
- Access control
- Vulnerability management
- Awareness & training

Page 20: Roles and Responsibilities

Examples include:
- Governing Board
- Executive Management
- Chief Information Officer
- Chief Security Officer
- Unit Directors
- End-Users

Page 21: Procedures

Examples include:
- Breach notification
- Logging and monitoring
- Identification of departmental contacts
- Blocking network access
- Incident response

Page 22: Incident Response

The National Strategy recommends:
- an on-call point-of-contact to Internet service providers and law enforcement officials in the event that the school’s IT systems are discovered to be launching cyber attacks;
- one or more Information Sharing and Analysis Centers to deal with cyber attacks and vulnerabilities;

Page 23: Related Policies

Examples include:
- Acceptable Use
- Elimination of Social Security numbers as primary identifiers
- Collection and Disclosure of Personal Information
- Privacy Policy
- Identity Management

Page 24: For more information

EDUCAUSE/Internet2 Computer and Network Security Task Force
http://www.educause.edu/security
Email: [email protected]