Security Education and Awareness Workshop January 15-16, 2004 Baltimore, MD.

Security Education and Awareness Workshop

January 15-16, 2004Baltimore, MD

Purpose

To bring together representatives from schools and institutions of higher education (K-20) to create partnerships, strategies, and implementation plans to increase cyber security awareness among our constituencies.

Workshop Outcomes Conduct an Inventory of Related

Work Programs and Products Identify Key Stakeholders and

Interdependencies Provide Recommendations for

Integrating Related Work Programs Provide Recommendations for New

Initiatives

Schools & Higher Education Working Group Action Items

Action Plan and Milestones Outline of Programs

March 1st

6 months (August) 12 months (January 2005) Beyond

Agenda Information Assurance Tools and

the Learning Continuum Welcome and Introductions Inventory and Demonstration of

Security Awareness Initiatives Security Awareness Strategy and

Implementation Plan

EDUCAUSE/Internet2 Computer and Network Security Task Force

Rodney J. PetersenPolicy Analyst, EDUCAUSE

EDUCAUSE/Internet2 Security Task Force Coordinator

Strategic GoalsThe Security Task Force received a grant from National Science Foundation to identify and implement a coordinated strategy for computer and network security for higher education. The following strategic goals have been identified:

Education and Awareness Standards, Policies, and Procedures Security Architecture and Tools Organization, Information Sharing, and

Incident Response

Education and Awareness

To increase the awareness of the associated risks of computer and network use and the corresponding responsibilities of higher education executives and end-users of technology (faculty, staff, and students), and to further the professional development of information technology staff.

Awareness Programs Only one-third of our institutions

have a formal awareness program for students, faculty, or staff – ECAR Study (2003)

The National Strategy recommends that institutions of higher education identify and adopt model user awareness programs and materials

Accomplishments – Web Site A Resource on Computer and Network

Security for the Higher Education Community at http://www.educause.edu/security

Collection of "Education and Awareness Programs and Resources" at http://www.educause.edu/security/resources/awareness.asp

Accomplishments - Publications Leadership Book: Computer and

Network Security in Higher Education Effective Security Practices Guide

http://www.educause.edu/security/guide Articles in EDUCAUSE Review,

EDUCAUSE Quarterly, & University Business Magazine

White Paper on “IT Security in Higher Education: A Legal Perspective”

Accomplishments - Outreach Conference Presentations

EDUCAUSE National, Regionals, and Other Events

Internet2 Member Meetings Higher Education IT Alliance Higher Education Associations

Annual EDUCAUSE/Internet2 Security Professionals Workshop

Letter to Presidents from the American Council on Education

Message to Presidents (Feb 2003) Set the tone: ensure that all campus stakeholders know that

you take Cybersecurity seriously. Insist on community-wide awareness and accountability.

Establish responsibility for campus-wide Cybersecurity at the cabinet level. At a large university, this responsibility might be assigned to the Chief Information Officer. At a small college, this person may have responsibility for many areas, including the institutional computing environment.

Ask for a periodic Cybersecurity risk assessment that identifies the most important risks to your institution. Manage these risks in the context of institutional planning and budgeting.

Request updates to your Cybersecurity plans on a regular basis in response to the rapid evolution of the technologies, vulnerabilities, threats, and risks.

David WardPresident, American Council on Education

New Awareness Campaign

www.microsoft.com/education/?ID=SecurityPosters

Recommendations Campus-wide security awareness

campaigns Develop how to and best practices

security guides Make training for sys admin in securing

machines and devices a requirement Share training and educational materials

across our campuses Develop security training and education

courses for staff students and facultyNSF Workshop Results – Fall 2002

For more information:

EDUCAUSE/Internet2Computer and Network Security Task

Force

http://www.educause.edu/security

Email: [email protected]

Recommendations Key Deliverables with Timelines Metrics Lead Organizations Responsible Resource Requirements and

Recommended/Committed Resource

Moving from Strategy to Action

Why? National Strategy! What? Nat’l Strategy – Strategic

Level What? Tactical How? Operational When? Timeframes and Metrics Who? Audience and Assignment

Elements of Implementation Plan

Provide Recommendations for Integrating Related Work Programs

Provide Recommendations for New Initiatives

Identify Key Stakeholders and Interdependencies

Organizing Implementation Plan Brainstorm Evaluate Ideas Sort and Combine Similar Ideas Prioritize Ideas

March 1st

6 months (August) 12 months (January 2005) Beyond

Resource Requirements Lead Organization(s) Responsible

Evaluation

1. What were the most significant outcomes of the workshop for you?

2. What aspects were least helpful?3. Rate the quality and organization of

the workshop (10 =excellent) Why did you mark it where you did?

4. My advice on next steps