EDUCAUSE Center for Applied Research Security Survey
Rodney Petersen
Government Relations Officer
Security Task Force Coordinator
EDUCAUSE
Research Methodology
Literature review of material published from 2003 – 2005, with the intent of identifying issues of concern to the higher education community, and creating additional hypotheses to test
Consultation with security experts, including members of the EDUCAUSE/Internet2 Computer and Network Security Task Force, and IT leaders at 17 higher education institutions
A quantitative web-based survey first used in 2003 was modified to reflect changes in technologies and practices. 492 higher education institutions responded to the survey
A longitudinal analysis compared the survey findings with those from ECAR’s 2003 study. 204 institutions responded to both surveys, and that population was used to perform the comparison
ECAR IT Security Study
The Headlines You Won’t Read in the Chronicle of Higher Ed or New York Times: The respondents feel more secure today than two years ago despite being in a perceived riskier environment.
Respondents feel that the academic community has become more sensitive to security and privacy in the last two years.
ECAR IT Security Study, 2006
IT Security Incidents
Ten percent of the respondents in our survey indicated that they had an IT security incident in the last twelve months which had been reported to the press (down from 19 percent in 2003).
A majority of institutions (74.2 percent) report that the number of incidents is about the same or less in the past twelve months as compared with the year before.
The primary perceived risks are viruses (72.6 percent), theft of personal financial information (64.8 percent), and spoofing and spyware (55.3 percent).
ECAR IT Security Study, 2006
Blueprint for Handling Data
Step 1: Create a security risk-aware culture that includes an information security risk management program
Step 2: Define institutional data types
Step 3: Clarify responsibilities and accountability for safeguarding confidential/sensitive data
Step 4: Reduce access to confidential/sensitive data not absolutely essential to institutional processes
Step 5: Establish and implement stricter controls for safeguarding confidential/sensitive data
Step 6: Provide awareness and training
Step 7: Verify compliance routinely with your policies and procedures
Step 1: Risk Aware Culture
1.1 Institution-wide security risk management program
1.2 Roles and responsibilities defined for overall information security at the central and distributed level
1.3 Executive leadership support in the form of policies and governance actions
Risks Incurred
ECAR IT Security Study, 2006
Damage Percent
Business application, including e-mail, unavailable 33.7%
Network unavailable 29.4%
Information confidentiality compromised 26.0%
Damage to software 21.5%
Damage to data 12.5%
Negative publicity in the press 10.0%
Identity theft 8.4%
Damage to hardware 7.4%
Financial losses 6.4%
Risk Assessment
Risk assessment scope | Frequency | Percent
No risk assessments done | 208 | 42.6%
For some institutional data and asset types | 226 | 46.3%
For all institutional data and asset types | 42 | 8.6%
Don't know | 12 | 2.5%
Total | 488 | 100.0%
ECAR IT Security Study, 2006
Responsibility for IT Security
Position | Percent responsible in 2005 | Percent responsible in 2003 | Percent new adopters | Rate of change 2003-2005
IT security officer (or equivalent) | 34.9% | 22.4% | 12.5% | 55.8%
CIO (or equivalent) | 14.3% | 6.7% | 7.6% | 113.4%
Director of administrative computing | 2.7% | 3.2% | -0.5% | -15.6%
Director of academic computing | 1.2% | 1.8% | -0.6% | -33.3%
Other academic management | 0.6% | 1.2% | -0.6% | -50.0%
Other administrative management | 0.6% | 3.2% | -2.6% | -81.3%
Other IT management | 23.9% | 30.9% | -7.0% | -22.7%
Director of networking | 21.8% | 30.6% | -8.8% | -28.8%
ECAR IT Security Study, 2006
IT Security Staffing
Less than one percent indicated an expected staff decrease, while 50.2 percent expected no change, 24.4 percent expected to add one staff member, and 7.7 percent two or more.
A sea change has occurred in two years with respect to the operational staffing structure for central IT security. One quarter of the 204 institutions in the 2003 and 2005 studies have moved to centralize security in the IT organization, and the rate of change was 59.7 percent.
ECAR IT Security Study, 2006
Centralization
Staffing structure | 2005 Percent | 2003 Percent | Percent Change | Rate of change
One central IT security unit/function | 61.8% | 38.7% | 23.1% | 59.7%
Spread across multiple central IT units/functions | 32.7% | 58.2% | -25.5% | -43.8%
Other | 5.5% | 3.1% | 2.4% | 77.4%
ECAR IT Security Study, 2006
IT Security Certification
Certificate | Percent held in 2005 | Percent held in 2003 | Percent new holders | Rate of change 2003-2005
Certified Information Systems Security Professional (CISSP) | 20.8% | 12.4% | 8.4% | 67.7%
Global Information Assurance Certification (GIAC) | 6.8% | 2.6% | 4.2% | 161.5%
Certified Information Systems Auditor (CISA) | 3.2% | 1.5% | 1.7% | 113.3%
ECAR IT Security Study, 2006
Change in Barriers
Barrier | 2005 | 2003 | Institutional Change | Rate of Change
Lack of awareness | 35.8% | 50.5% | -14.7% | -29.1%
Culture of decentralization | 29.9% | 37.3% | -7.4% | -19.8%
Lack of enforcement of policies | 13.2% | 20.1% | -6.9% | -34.3%
Absence of policies | 22.1% | 27.0% | -4.9% | -18.1%
Lack of senior management support | 13.2% | 17.2% | -4.0% | -23.3%
Lack of resources | 68.1% | 71.6% | -3.5% | -4.9%
Technology issues | 7.4% | 8.8% | -1.4% | -15.9%
Privacy of the individual | 4.4% | 4.4% | 0.0% | 0.0%
ECAR IT Security Study, 2006
Step 2: Define Data Types
2.1 Compliance with applicable federal and state laws and regulations, as well as contractual obligations, related to privacy and security of data held by the institution (also consider applicable international laws)
2.2 Data classification schema developed with input from legal counsel and data stewards
2.3 Data classification schema assigned to institutional data to the extent possible or necessary
Policies in Place
Protection of organizational assets (73%)
Data classification, retention, and destruction (51%)
Identity Management (50%)
ECAR IT Security Study, 2006
Step 3: Clarify Responsibilities
3.1 Data stewardship roles and responsibilities
3.2 Legally binding third party agreements that assign responsibility for secure data handling
ECAR IT Security Study, 2006
Policies in Place
Individual employee responsibilities for information security practices (73%)
Sharing, storing, and transmitting data (51%)
ECAR IT Security Study, 2006
Step 4: Reduce Access to Data
4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information
4.2 Application outputs (e.g., queries, hard copy reports, etc.) should provide only the minimum necessary confidential/sensitive information
4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices
4.4 Eliminate unnecessary confidential/sensitive data on servers, desktops, and mobile devices
4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication
Step 5: Controls
5.1 Inventory and review/remediate security of devices
5.2 Configuration standards for applications, servers, desktops, and mobile devices
5.3 Network level protections
5.4 Encryption strategies for data in transit and at rest
5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage
5.6 Identity management and resource provisioning processes
5.7 Secure disposal of equipment and data
5.8 Consider background checks on individuals handling confidential/sensitive data
IT Security Approaches
Approach | Percent used in 2005 | Percent used in 2003 | Percent new adopters | Rate of change 2003-2005
Network firewalls (perimeter) | 77.0% | 68.1% | 8.9% | 13.1%
Centralized data backup system | 76.6% | 68.1% | 8.5% | 12.5%
Virtual private network (VPN) for remote access | 75.4% | 45.6% | 29.8% | 65.4%
Enterprise directory | 71.9% | 46.3% | 25.6% | 55.3%
Network firewalls (interior) | 65.0% | 51.0% | 14.0% | 27.5%
Intrusion detection | 62.3% | 46.1% | 16.2% | 35.1%
Active filtering | 59.3% | 29.7% | 29.6% | 99.7%
Intrusion prevention | 44.3% | 33.5% | 10.8% | 32.2%
Security standards for application or system development | 32.4% | 27.5% | 4.9% | 17.8%
Electronic signature | 6.4% | 5.9% | 0.5% | 8.5%
Shibboleth | 4.9% | 1.5% | 3.4% | 226.7%
ECAR IT Security Study, 2006
IT Security Technologies
Network perimeter firewalls, centralized data backup systems, virtual private networks, an enterprise directory, and network interior firewalls are the technologies most in use.
Active filtering increased in use by 99.7 percent, VPN for remote access by 65.4 percent, and enterprise directories by 55.3 percent.
There is significantly less difference among Carnegie Class institutions in the use of IT security technologies in 2005 when compared to 2003.
ECAR IT Security Study, 2006
IT Security Technologies
The most significant change in wireless security between 2003 and 2005 is the implementation of firewalls (24.8 percent new adopters), followed by IP VPN (14.8 percent new adopters).
Conventional passwords/PINs predominate (94.4 percent). We found that 26.9 percent of the institutions used Kerberos.
The most often used IT security strategies were limiting protocols that are allowed through the network firewall or router (87.1 percent), restricting or limiting access to servers and applications (79.6 percent), and timing out access to applications after an idle period (77.0 percent).
ECAR IT Security Study, 2006
Strategies to Reduce IT Security Vulnerabilities
Approach | Percent used in 2005 | Percent used in 2003 | Percent new adopters | Rate of change 2003-2005
Limiting the types of protocols allowed through the firewall/router | 88.7% | 73.0% | 15.7% | 21.5%
Restricting and eliminating access to servers and applications | 80.9% | 70.1% | 10.8% | 15.4%
Timing-out access to specific applications after an idle period | 76.0% | 65.0% | 11.0% | 16.9%
Instituting a recovery or back-up plan in the case of disasters caused by natural events or by human acts | 44.3% | 46.3% | -2.0% | -4.3%
Limiting the URLs allowed through the firewall | 29.1% | 26.9% | 2.2% | 8.2%
Installing a software inventory system to watch for malicious software or program changes | 17.7% | 11.4% | 6.3% | 55.3%
Using security devices (cards, biometric scanners, etc.) for authentication | 15.8% | 12.3% | 3.5% | 28.5%
ECAR IT Security Study, 2006
Wireless Security
Approach | Percent used in 2005 | Percent used in 2003 | Percent new adopters | Rate of change 2003-2005
Firewall | 71.4% | 46.6% | 24.8% | 53.2%
Remote authentication dial-in user service (RADIUS) | 54.4% | 41.6% | 12.8% | 30.8%
Internet Protocol Virtual Private Network (IP VPN) | 47.8% | 33.0% | 14.8% | 44.8%
128-bit Wired Equivalent Privacy (WEP) | 34.5% | 33.4% | 1.1% | 3.3%
Wireless vendor supplied proprietary solution | 25.7% | 18.5% | 7.2% | 38.9%
Kerberos | 21.2% | 12.2% | 9.0% | 73.8%
Extensible Authentication Protocol (EAP) | 19.7% | 14.8% | 4.9% | 33.1%
40-bit Wired Equivalent Privacy (WEP) | 19.6% | 24.4% | -4.8% | -19.7%
Advanced Encryption Standard (AES) | 14.2% | 6.3% | 7.9% | 125.4%
ECAR IT Security Study, 2006
Authentication
Authentication Already implemented
Conventional password/PIN 94.4%
Strong password 59.8%
Kerberos 26.9%
Secure ID-style one-time password 8.9%
Other multi-factor authentication methods 8.1%
PKI certificate (software) without PIN 6.8%
PKI certificate (software) with PIN 5.1%
Biometric identification 2.8%
PKI hardware token with PIN 1.7%
PKI hardware token without PIN 0.9%
ECAR IT Security Study, 2006
Password Changes
Password change requirement | Frequency | Percent | Cumulative Percent
Single use | 2 | 0.4% | 0.4%
Every 30 days | 18 | 3.8% | 4.2%
Every 60 days | 53 | 11.2% | 15.4%
60-180 days | 198 | 41.8% | 57.2%
More than 180 days | 28 | 5.9% | 63.1%
It varies | 90 | 19.0% | 82.1%
No requirement | 78 | 16.5% | 98.5%
Don't know | 7 | 1.5% | 100.0%
Total | 474 | 100.0% |
ECAR IT Security Study, 2006
Policies in Place
Secure disposal of data, media, or printed material that contains sensitive information (71.0%)
ECAR IT Security Study, 2006
Step 6: Awareness and Training
6.1 Make confidential/sensitive data handlers aware of privacy and security requirements
6.2 Require acknowledgment by data users of their responsibility for safeguarding such data
6.3 Enhance general privacy and security awareness programs to specifically address safeguarding confidential or sensitive data
Awareness Programs
ECAR IT Security Study, 2006
Awareness program | Students | Faculty | Staff
Program 2003 | 39.2% | 38.2% | 42.2%
Program 2005 | 62.3% | 68.8% | 69.1%
Percent change | 23.1% | 30.6% | 26.9%
Awareness Programs
Program type | Students | Faculty | Staff
Mandatory | 17.4% | 14.5% | 20.4%
Voluntary | 37.9% | 47.7% | 44.4%
No program | 44.7% | 37.7% | 35.2%
ECAR IT Security Study, 2006
Step 7: Verify Compliance
7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption
7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance
7.3 Routinely audit access privileges
7.4 Procurement procedures and contract language to ensure proper data handling is maintained
7.5 System development methodologies that prevent new data handling problems from being introduced into the environment
7.6 Utilize the audit function within the institution to verify compliance
7.7 Incident response policies and procedures
7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed
IT Security Audits
Twenty-five percent of responding institutions do not perform formal IT security audits.
The majority (50.6 percent) performs formal IT security audits on an irregular basis.
ECAR IT Security Study, 2006
Policies in Place
Managing privacy issues, including breaches of personal information (72%)
Incident reporting and response (69%)
Disaster recovery contingency planning (68%)
Investigation and correction of the causes of security failures (68%)
Notification of security events to individuals, law enforcement, etc. (67%)
ECAR IT Security Study, 2006
IT Security Plan
11.2 percent - a comprehensive IT security plan is in place
66.6 percent - a partial plan is in place
20.4 percent - no IT security plan is in place
ECAR IT Security Study, 2006
Characteristics of Successful IT Security Programs
Institutions with IT security plans in place characterize their IT security programs as more successful and feel more secure today.
The respondents who believe their institution provides necessary resources give higher ratings for IT security program success and their current sense of IT security.
ECAR IT Security Study, 2006
For more information
Rodney PetersenEmail: [email protected]: 202.331.5368EDUCAUSE/Internet2 Security Task Forcewww.educause.edu/securityEDUCAUSE Center for Applied Researchwww.educause.edu/ECARBlueprint for Handling Sensitive Datawiki.internet2.edu/confluence/display/secguide