Higher Education & Information Security
Information Security and Cybersecurity in Higher Education
Rescooped by Higher Ed InfoSec Council from Higher Education & Privacy

What Privacy Professionals Should Know About the NIST Cybersecurity Framework

In February of this year, President Obama issued an Executive Order on Improving Critical Infrastructure Cybersecurity. The Executive Order directed the National Institute of Standards and Technology (NIST) to develop a Cybersecurity Framework to assist owners and operators of critical infrastructure in addressing cybersecurity risks. On October 29, NIST published a preliminary version of the Framework (the “Preliminary Framework”), which is open for public comment through December 13. NIST intends to issue a final version in February 2014. The creation of the framework has, of course, been a major development in the information security community – according to NIST Director Patrick Gallagher, approximately three thousand individuals have been involved to date in the development of the Preliminary Framework. But privacy professionals should be paying attention to the framework as well.

Scooped by Higher Ed InfoSec Council

Information security still immature, RSA conference told

"In five years’ time the security industry will have matured into a data-driven profession."

...

As a profession matures, its practitioners have a growing ability to identify what things matter so they do not waste time and energy on those that do not.

...

Unlike mature professions such as medical or accounting, security professionals have not yet developed a standard set of tried-and-tested metrics that enable practitioners to make data-driven decisions.

Scooped by Higher Ed InfoSec Council

Enterprise defenses lag despite rising cybersecurity awareness

While the upper echelon is paying more attention, they are still not spending enough to defend against cyberattackers, who are increasingly more sophisticated, according to the survey of senior executives in more than 1,900 companies and government organizations.

Half of the respondents planned to increase their cybersecurity budget by 5 percent or more over the next 12 months, yet 65 percent cited insufficient funds as their number one challenge to operating at a security level expected by their companies. For businesses with revenues of $10 million or less, the number dissatisfied with funding rose to 71 percent.

A larger percentage of budgets need to be directed at security innovation and emerging technologies within the enterprise, such as the use of mobile devices and social media, the survey found. Over the next 12 months, 14 percent of security budgets are being allocated to new technologies, yet respondents said they were unsure whether they were ready to handle the risks posed by corporate use of social media.

Scooped by Higher Ed InfoSec Council

The emerging turf battle between information and physical security pros

As security threats increasingly cross role boundaries, information and physical security pros struggle to get along, so what are the best practices for uniting both teams under a common goal?
Scooped by Higher Ed InfoSec Council

Web app security best practices and the people who love them

Creating more secure software is more important than simply buying more security software, says WhiteHat Security's Jeremiah Grossman
Scooped by Higher Ed InfoSec Council

Social Engineers demonstrate the damage that could be caused by information

They say knowledge is power, and the final report from DEF CON 21's Social Engineer Capture the Flag (SECTF) contest shows that in the wrong hands, the amount of information organizations leave exposed online can empower attackers across the globe.

...

A new report from Social-Engineer Inc. outlines the entire contest, as well as key observations from this year's calls. A contestant pool of 10 men and 10 women used Open Source Intelligence (OSI) to research their target company and collect as much information as possible (flags). Points are awarded based on the flags collected. This information is then used during the contest when the targets are called directly, in order for the contestants to collect additional flags depending on the information they're collecting.

Scooped by Higher Ed InfoSec Council

Cybersecurity and the Electric Grid | EDUCAUSE.edu

EDUCAUSE Guest Blogger Darren Highfill, Founder & Managing Partner of UtiliSec, shares his thoughts on cybersecurity and critical infrastructure.

"The point at which these processors and communications hit reality is called cyber-physical systems. These are electronics that don't just control a computer game or a Facebook page - they control a stoplight, or an air-conditioning unit, or a power plant. It's been called the "Internet of Things," and of these things, the electric grid is the biggest and most complicated machine we have ever built."

For more National Cyber Security Awareness Month (NCSAM) 2013 guest blogs, visit: http://www.educause.edu/blogs/vvogel/.

Scooped by Higher Ed InfoSec Council

Spooky Cybersecurity Facts [Infographic]

Think Halloween is scary? What about your computer?

Cybersecurity does not only apply to individuals, but to organizations as well. Protecting your donor and volunteer information is incredibly important in addition to day-to-day business information.

For nonprofits, there are many solutions for segmenting, storing, and accessing information securely, to help protect your constituents. Check out some of these stats from Zenoss on SlideShare:

* 80% of CIOs rely on some infrastructure through a private cloud.

* 54% of organizations have some trust in the cloud when it comes to securing their data.

* 43% have a great deal of trust when it comes to cloud security.

* 72% of organizations using the cloud are using it for financial data.

* For 99% of the organizations surveyed, security played a big role in cloud implementation and services provided.

Scooped by Higher Ed InfoSec Council

EDUCAUSE Guest Blog: How to Protect Yourself from Cybercriminals

EDUCAUSE Guest Blogger Martin Holste (@mcholste) shares his thoughts on protecting yourself from cybercriminals.

Stay tuned for more guest blogs in honor of National Cyber Security Awareness Month (NCSAM) 2013.

Scooped by Higher Ed InfoSec Council

Essential Considerations When Making Changes to Security

When it comes to security policies and practices, there are rules (both written and unwritten) that need to be adhered to. An organization simply cannot implement changes to security on the fly as it could lead to disaster. Yet, there are times when changes are necessary, or mandated due to an incident response plan. In that instance, what should business leaders be focusing on?

Scooped by Higher Ed InfoSec Council

EDUCAUSE Guest Blog by Ron Pike: Cybersecurity Education

EDUCAUSE Guest Blogger Ron Pike (Assistant Professor, Computer Information Systems, Cal Poly Pomona) shares his thoughts on cybersecurity education.

Stay tuned for more guest blogs in honor of National Cyber Security Awareness Month (NCSAM) 2013.

Rescooped by Higher Ed InfoSec Council from Higher Education & Privacy

IAPP : Roundup: October Shaping Up To Be the Month of Innumerable Breaches

Headline after headline, the news is similar if not the same: PII lost, stolen or compromised through human error. And amidst October’s onslaught of breach reports from across the globe, the world’s premier search engine is acknowledging just how devastating a breach of its data could be.

“If Google were to have a significant data breach today, of any kind, it would be terrible for the company,” Google Executive Chairman Eric Schmidt has said.

However, as The Wall Street Journal reports, he has also indicated Google CEO Larry Page “is ‘so wired’ to the risks that it is ‘inconceivable’ that a major data loss would occur.”

Rescooped by Higher Ed InfoSec Council from Higher Education & Privacy

IAPP : He Protects the Data ... By Destroying It

You might call Ken Clupp a privacy professional by proxy. While he doesn’t draft privacy policies or model contracts, he’s certainly on the defensive line when it comes to protecting data. How does he protect it? He makes sure the important stuff is shredded into such tiny pieces it couldn’t ever be put back together again.

Clupp works for the Royal Canadian Mounted Police (RCMP) as its lead physical and technical security equipment evaluation engineer. Shorthand? He runs a shredder-testing program, amongst many other things. He’s tasked with ensuring that sensitive information stays safe, based on standards developed by the federal government.

“Canada is one of the few jurisdictions in the world that has a formal classifications and standards program for protecting sensitive information that’s not classified,” Clupp said. “It’s unique.”

Scooped by Higher Ed InfoSec Council

Shortage Of Women Hurting IT Security Industry, Study Finds -- Dark Reading

Today's information security teams increasingly need to improve their communications with other groups, align their activities more closely with business objectives, and excel at a variety of diverse tasks, industry experts say. And a new study suggests that these skills and attributes are most common among the industry's smallest minority of professionals: women.

Women represent about 11 percent of the current IT security workforce, according to "Agents of Change: Women in the Information Security Profession" (PDF), a new report written by Frost & Sullivan and published by the (ISC)2 security professionals' association. Yet women's strongest skill sets are the very skill sets that are in short supply across the industry, the report suggests.

Scooped by Higher Ed InfoSec Council

Me and My Job: Jesse Bowling, Senior InfoSec Engineer, American University

The time and energy to optimize a service or process is often seen as an unaffordable luxury, says Jesse Bowling, senior information security engineer, American University.
Scooped by Higher Ed InfoSec Council

Big data blues: The dangers of data mining

Companies are taking matters into their own hands with internal controls, open privacy policies, ethical codes and greater candor over how they're collecting and parsing personal data.
Scooped by Higher Ed InfoSec Council

NCSAM 2013 Highlights | EDUCAUSE.edu

As the 10th anniversary of National Cyber Security Awareness Month (NCSAM) wraps up, we would like to thank the higher education community for another successful celebration. Colleges and universities continue to offer fun, creative activities and events for students, faculty, staff, and their local communities. Here are just a few highlights...

Scooped by Higher Ed InfoSec Council

PGP – Reliable Privacy, Security and Authentication For Everyone

If you have been following the latest in news, you’ve probably heard a lot of stories talking about privacy, information leakage, espionage and such. Given that most of our communications nowadays take place online, or at the very least, via an electronic device, we should all be aware of how to protect our valuable information. This is not only applicable to large organizations, but for everyone that uses a computer on a regular basis. We all have information we want to keep private and protected and we all need to communicate online. With PGP, you can add a very strong yet easy to use layer of security to your online communications.

Scooped by Higher Ed InfoSec Council

5 Steps to Creating Effective Data Definitions

Consensus-driven data definition development is the key to data governance success.

The emergence of business intelligence and data warehousing initiatives has placed increased importance on effective data governance practices among many business and IT leaders.

More often than not, organizations turn to IT groups to provide leadership in this area to ensure the quality, consistency, security and standardization of information across disparate business units. The key to an effective data governance program hinges on the development of strong, reusable data definitions.

Developing these definitions can be a tricky process, especially in organizations that have never tackled data governance on an enterprisewide basis before. Successful definition efforts require a consensus-driven approach that considers the requirements of business units beyond the immediate user or customer to guarantee the long-term viability of definitions. These five steps can help an organization build an effective data governance program.

Scooped by Higher Ed InfoSec Council

LinkedIn 'Intro'duces Insecurity by Bishop Fox

LinkedIn released a new product today called Intro.  They call it “doing the impossible”, but some might call it “hijacking email”.  Why do we say this?  Consider the following:

Intro reconfigures your iOS device (e.g. iPhone, iPad) so that all of your emails go through LinkedIn’s servers. You read that right. Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to…whatever they feel like.

“But that sounds like a man-in-the-middle attack!” I hear you cry. Yes. Yes it does. Because it is. That’s exactly what it is. And this is a bad thing. If your employees are checking their company email, it’s an especially bad thing.

Why is this so bad?  Here’s a list of 10 reasons to start...

Higher Ed InfoSec Council's comment, October 25, 2013 5:43 PM
Related articles of interest include one from Forbes (http://www.forbes.com/sites/jameslyne/2013/10/25/linkedin-intro-hack-here-for-juicy-data/) and one from TechCrunch (http://techcrunch.com/2013/10/24/do-not-want/).
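A practical check that follows from the Bishop Fox description above, added here as an example and not code from that post, from LinkedIn or from Scoop.it: iOS mail accounts are commonly pushed to a device as a configuration profile (a .mobileconfig property list), and a profile whose IMAP and SMTP host names point at anything other than the institution's own mail servers is precisely the relay-in-the-middle topology the post describes. The script parses a constructed sample profile (the hosts `mail-proxy.example.net` and `university.example`, the allow-list, and the account names are all invented for the example; it does not reproduce the real Intro profile) using the key names Apple's managed-mail payload (`com.apple.mail.managed`) uses, and flags every account whose incoming or outgoing server is outside the allow-list, noting whether the host is even in the account's own domain and whether the hop to it is TLS-protected.

```python
import plistlib
from typing import Dict, List

# Constructed sample .mobileconfig content (hypothetical hosts; NOT LinkedIn's real
# profile). The first mail payload routes both IMAP and SMTP through a third-party
# relay; the second is what a profile issued by the institution itself looks like.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "net.example.mail-proxy.profile",
    "PayloadDisplayName": "Mail helper (constructed sample)",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.mail.managed",
            "PayloadVersion": 1,
            "PayloadIdentifier": "net.example.mail-proxy.account",
            "EmailAccountType": "EmailTypeIMAP",
            "EmailAddress": "alice@university.example",
            "IncomingMailServerHostName": "imap.mail-proxy.example.net",
            "IncomingMailServerPortNumber": 993,
            "IncomingMailServerUseSSL": True,
            "IncomingMailServerUsername": "alice@university.example",
            "OutgoingMailServerHostName": "smtp.mail-proxy.example.net",
            "OutgoingMailServerPortNumber": 587,
            "OutgoingMailServerUseSSL": True,
        },
        {
            "PayloadType": "com.apple.mail.managed",
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.university.mail",
            "EmailAccountType": "EmailTypeIMAP",
            "EmailAddress": "alice@university.example",
            "IncomingMailServerHostName": "imap.university.example",
            "IncomingMailServerPortNumber": 993,
            "IncomingMailServerUseSSL": True,
            "IncomingMailServerUsername": "alice",
            "OutgoingMailServerHostName": "smtp.university.example",
            "OutgoingMailServerPortNumber": 465,
            "OutgoingMailServerUseSSL": True,
        },
    ],
}

# Mail servers the institution actually operates (assumed for the example).
ALLOWED_MAIL_HOSTS = {"imap.university.example", "smtp.university.example"}


def mail_payloads(profile: dict) -> List[dict]:
    """Collect managed-mail payloads, descending into nested PayloadContent defensively."""
    found = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.mail.managed":
            found.append(payload)
        elif isinstance(payload.get("PayloadContent"), list):
            found.extend(mail_payloads(payload))
    return found


def audit_profile(profile: dict, allowed_hosts=ALLOWED_MAIL_HOSTS) -> List[Dict[str, object]]:
    """Report every mail account whose IMAP or SMTP host is not an institutional server."""
    findings = []
    for p in mail_payloads(profile):
        address = str(p.get("EmailAddress", ""))
        domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
        for direction, host_key, tls_key in (
            ("incoming", "IncomingMailServerHostName", "IncomingMailServerUseSSL"),
            ("outgoing", "OutgoingMailServerHostName", "OutgoingMailServerUseSSL"),
        ):
            host = str(p.get(host_key, "")).lower()
            if host in allowed_hosts:
                continue
            on_domain = bool(domain) and (host == domain or host.endswith("." + domain))
            # Credentials and message bodies for this account leave the institution's
            # infrastructure: the relay sees them even when the hop to it uses TLS.
            findings.append({
                "payload": p.get("PayloadIdentifier", "?"),
                "account": address,
                "direction": direction,
                "host": host,
                "tls": bool(p.get(tls_key, False)),
                "reason": "host outside the institution's allow-list"
                          + ("" if on_domain else " and outside the account's own domain"),
            })
    return findings


def audit_profile_bytes(data: bytes, allowed_hosts=ALLOWED_MAIL_HOSTS) -> List[Dict[str, object]]:
    """Entry point for a real file: the bytes of a .mobileconfig (XML or binary plist)."""
    return audit_profile(plistlib.loads(data), allowed_hosts)


def audit_sample() -> List[Dict[str, object]]:
    # Round-trip through plistlib so the same parser path runs as for a file on disk.
    return audit_profile_bytes(plistlib.dumps(SAMPLE_PROFILE))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['payload']}: {f['direction']} mail for {f['account']} -> {f['host']} "
              f"(TLS={f['tls']}): {f['reason']}")
```

On the sample, only the two hosts of the proxy payload are reported; the institution's own servers pass. The TLS flag is deliberately reported rather than used to suppress a finding: an encrypted connection to the relay says nothing about what the relay does with the cleartext once it has it, which is the point the post makes. For an MDM-managed fleet the same check can be run over the profiles the MDM exports, and signed profiles should additionally be checked for a signer the institution recognises.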
Scooped by Higher Ed InfoSec Council

4 ways metrics can improve security awareness programs

Useful and legitimate metrics have long evaded the information security community as a whole. Without proper metrics, you cannot truly prove the value of a security program. This makes it difficult to justify increasing the budget and even maintaining the budget that you have.

Security awareness is especially vulnerable to criticism of its value. We take for granted all of the times we do not click on a phishing email or exercise good judgment. It is also hard to know all of the incidents that were prevented, because there was no vulnerability to be exploited.

Even with the best awareness program in place, as with all security countermeasures, there will be failures, and it will be easy to point to the cost of the failures. So it is essentially impossible to prove all of the losses your security awareness program prevented and the money that you saved, while the failures make themselves apparent. For that reason, it is important to determine how to measure improvements in security awareness and the savings generated by those improvements.

Scooped by Higher Ed InfoSec Council

Thinking outside the IT audit (check)box

More enterprises fight to move their programs from compliance management to security risk management.

"McCreight agrees on the importance of winning the hearts and minds of the business as a way to move from a compliance-driven to an IT risk management-driven program. He adds that taking small steps of integrating security into business operations can go a long way as well. 'Is the network security team aware of new projects as they arise? Is security brought in during the design phases of new IT initiatives? They need to be an integral part of the process,' he says."

Juan Carlos Medina Barreto's curator insight, October 22, 2013 10:25 PM

Laws, regulations, internal policies, or even the wish to keep a certification such as ISO 27001 require organizations to invest resources in compliance management. We must stay alert, however, because this process frequently turns into a task carried out at one specific moment, usually just before an audit, and one that does not necessarily leave the organization in a better position against information security risks.

For that reason it is important to keep in mind that compliance management and information security management are not necessarily synonyms, and that technology risk management must be built in as part of a continuous process that lets the organization take a firmer stance against threats, which, unlike audits, do not arrive on a scheduled date.

So far so good, but what about the "G" in GRC? Corporate governance of technology should foster the alignment of technology with business strategy, and this need not be an aspect handled separately. An approach that treats "technology misalignment" and "non-compliance" as risks to be managed could be a way to bring the GRC concept into one integrated and efficient process, whose advantages come not only from reduced risk but also from better use of resources and the achievement of the organization's goals.

Scooped by Higher Ed InfoSec Council

Building Effective and Meaningful Cybersecurity Policies

EDUCAUSE Guest Blogger Dr. Barbara Endicott-Popovsky (Director, Center for Information Assurance and Cybersecurity, University of Washington) shares her thoughts on teacher-librarians building effective and meaningful cybersecurity policies.

Stay tuned for more guest blogs in honor of National Cyber Security Awareness Month (NCSAM) 2013.

Scooped by Higher Ed InfoSec Council

What Drives People to Maintain Information Security

Titus's Antonio Maio discusses how to motivate people--particularly employees in an organization--to care about information security.
Scooped by Higher Ed InfoSec Council

Electronic Identity: The Foundation for the Connected Age

Individuals in the higher education community, by their very nature, connect to each other and share information and resources. Faculty members connect to and share research with other faculty. Students desire to access institutional computing resources in order to share information with their faculty and other students. Librarians share resource materials with other librarians. This interaction with others and sharing of information presents higher education institutions with a number of responsibilities. Who is authorized to contribute information to be shared? Who is authorized to access such information and for how long? How do the individuals or institutions involved in the sharing transaction know that those who are authorized to engage in the sharing transaction are actually the ones doing so? Further, what methods are available to individuals and institutions to perform these authorizations and authentications in a manner that maximizes the privacy of the individuals involved in the sharing transaction?

In addition to the responsibilities enumerated above, higher education institutions find themselves in an environment in which the definition of who is considered a member of an institution's community is becoming broader (e.g., related entities, alumni). Further, the information and resources expected to be provided by the institution are continuously expanded (e.g., cloud storage, financial aid services). Finally, institutions are often pressured by campus users, vendors, or other entities who want the institution to use—or facilitate the use of—external authentication systems established by the users individually (e.g., OpenID, login with Google or Facebook) when accessing institutional resources.
