Information security issues? We have data on that.

TOP 5 STRATEGIC INFOSEC ISSUES FOR 2015

1. Developing an effective information security strategy that responds to institutional organization and culture and that elevates information security concerns to institutional leadership.
2. Ensuring that members of the institutional community (students, faculty, and staff) receive information security education and training.
3. Developing security policies for mobile, cloud, and digital resources (includes issues of data handling/protection, access control, and end-user awareness).
4. Using risk-management methodologies to identify and address information security priorities.
5. Developing, testing, and refining incident response capabilities to respond to information systems/data breaches.

DEVELOPING AN EFFECTIVE INFORMATION SECURITY STRATEGY

Organizational capacity to provide information security (1 = low, 5 = high), shown by institution type (AA, BA, MA PUB., MA PRIV., DR PUB., DR PRIV.): all U.S. institutions score 2.9; scores by institution type range from 2.5 to 3.1.

Organizational capacity to deliver information security is measured in five areas: organization, policy, data security and management processes, access control processes, and information system security processes. Organizations with lower scores have less mature, ad hoc programs; organizations with higher scores have optimized programs that regularly measure performance and manage risk.

To whom does the person with primary infosec responsibility report?
- CIO: 60%
- Director of central IT: 14%
- Other: 11%
- CFO: 8%
- President: 7%

ENSURING THAT MEMBERS OF THE INSTITUTIONAL COMMUNITY RECEIVE INFORMATION SECURITY EDUCATION AND TRAINING

From 2005 to 2013, unintentional human error (e.g., posting sensitive information on a website or other data mishandling) and insider threats (e.g., intentional breach of information by someone with legitimate access) accounted for 33% of data breaches in higher education, as reported in the Privacy Rights Clearinghouse.

Is institutional infosec training mandatory?
- For faculty: 71%
- For students: 29%

Faculty have more consistent levels of training overall; student training is focused on the AUP (acceptable use policy).

Training topics covered (percentage of institutions):

  Topic                                        Faculty   Students
  AUP                                          31%       23%
  Security policy                              24%       11%
  Compliance                                   33%       8%
  Self defense (phishing and identity theft)   22%       11%

DEVELOPING SECURITY POLICIES FOR MOBILE, CLOUD, AND DIGITAL RESOURCES

IT policies in place (percentage of institutions): AUP 96%; web access, ID management, and information security policies are in place at fewer institutions (between 27% and 74%).

90% of institutions give responsibility for IT policy administration to central IT; [percentage missing] develop policy in central IT.

Leadership approval of information security policy (maturity level):
- Optimized: 23%
- Managed: 24%
- Defined: 26%
- Repeatable: 11%
- Absent/ad hoc: 16%

USING RISK-MANAGEMENT METHODOLOGIES TO IDENTIFY AND ADDRESS INFORMATION SECURITY PRIORITIES

Risk frameworks institutions use (percentage of institutions):
- None: 45%
- ITIL: 26%
- NIST: 22%
- ISO: 19%
- COBIT: 9%
- OCTAVE: 7%
- MoR: 3%
- Other: 1%

Most IT security risk assessments are driven by internal or external audits (43% and 54% of institutions).

Most institutions give their risk management lead a moderate to broad scope of authority (chart: percentage of institutions by scope of authority, from limited to broad).

DEVELOPING, TESTING, AND REFINING INCIDENT RESPONSE CAPABILITIES TO RESPOND TO INFORMATION SYSTEMS/DATA BREACHES

Percentage of institutions that have deployed ITIL processes in central IT for incident management*:
- Deployed broadly: 39%
- Deployed sparsely: 19%
- In planning: 9%
- Experimenting/considering: 8%
- Considered, not pursued: 4%
- No discussion: 21%

Organizational unit responsible for incident management:
- Central IT: 80%
- Shared: 18%
- System: 1%
- Not applicable: 1%

* According to ITIL, an incident is an unplanned interruption to an IT service or a reduction in the quality of an IT service.

Wondering what's next? We have actionable resources on that, too.
The Higher Education Information Security Council (HEISC) Information Security Guide is the only resource developed by higher education information security practitioners for higher education information security practitioners. The guide features toolkits, case studies, effective practices, and recommendations to help jump-start campus information security initiatives. (Don't reinvent the wheel every time you start a new infosec project, policy, or program function on campus.) Get it at www.educause.edu/security/guide

The data in this infographic were derived from the following sources:
- Modules 1 and 7 of the EDUCAUSE Core Data Service Survey (2014), www.educause.edu/cds
- Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in Higher Education (ECAR, 2014)
- "Just in Time" Research: Data Breaches in Higher Education (ECAR, 2014), www.educause.edu/ecar
© Copyright 2024