Information security issues?
We have data on that.

TOP 5 strategic infosec issues for 2015

1. Developing an effective information security strategy that responds to institutional organization and culture and that elevates information security concerns to institutional leadership.
2. Ensuring that members of the institutional community (students, faculty, and staff) receive information security education and training.
3. Developing security policies for mobile, cloud, and digital resources (includes issues of data handling/protection, access control, and end-user awareness).
4. Using risk-management methodologies to identify and address information security priorities.
5. Developing, testing, and refining incident response capabilities to respond to information systems/data breaches.

DEVELOPING AN EFFECTIVE INFORMATION SECURITY STRATEGY

Organizational capacity to provide information security (scale: 1 = low, 5 = high)

Organizational capacity to deliver information security is measured in five areas: organization, policy, data security and management processes, access control processes, and information system security processes. Organizations with lower scores have less mature, ad hoc programs; organizations with higher scores have optimized programs that regularly measure performance and manage risk.

[Chart: capacity scores for all U.S. institutions (2.9) and by Carnegie class (DR PRIV., DR PUB., MA PRIV., MA PUB., BA, AA); scores by class range from 2.5 to 3.1.]

To whom does the person with primary infosec responsibility report?
- CIO: 60%
- Director of central IT: 14%
- CFO: 8%
- President: 7%
- Other: 11%
ENSURING THAT MEMBERS OF THE INSTITUTIONAL COMMUNITY RECEIVE INFORMATION SECURITY EDUCATION AND TRAINING

From 2005 to 2013, unintentional human error (e.g., posting sensitive information on a website or other data mishandling) and insider threats (e.g., intentional breach of information by someone with legitimate access) accounted for 33% of data breaches in higher education, as reported in the Privacy Rights Clearinghouse.

Is institutional infosec training mandatory?
- For faculty: 71%
- For students: 29%

Faculty have more consistent levels of training overall; student training is focused on AUP.

Training topics covered (percentage of institutions):

  Topic                                        Faculty   Students
  AUP                                          31%       23%
  Security policy                              24%       11%
  Compliance                                   33%       8%
  Self defense (phishing and identity theft)   22%       11%
DEVELOPING SECURITY POLICIES FOR MOBILE, CLOUD, AND DIGITAL RESOURCES

[Chart: IT policies in place, by type (AUP, web access, ID management, information security), as a percentage of institutions; the highest value shown is 96%.]

90% of institutions give responsibility for IT policy administration to central IT. [A separate figure is given for institutions that develop policy in central IT.]

Leadership approval of information security policy:
- Optimized: 23%
- Managed: 24%
- Defined: 26%
- Repeatable: 11%
- Absent/ad hoc: 16%
USING RISK-MANAGEMENT METHODOLOGIES TO IDENTIFY AND ADDRESS INFORMATION SECURITY PRIORITIES

Institutions use the following risk frameworks (percentage of institutions):
- None: 45%
- ITIL: 26%
- NIST: 22%
- ISO: 19%
- COBIT: 9%
- OCTAVE, MoR, and Other: 7%, 3%, and 1%, respectively

Most IT security risk assessments are driven by internal or external audits (figures shown: 43% and 54%).

[Chart: Most institutions give their risk management lead a moderate to broad scope of authority; percentage of institutions by scope of authority, from limited to broad.]
DEVELOPING, TESTING, AND REFINING INCIDENT RESPONSE CAPABILITIES TO RESPOND TO INFORMATION SYSTEMS/DATA BREACHES

Percentage of institutions that have deployed ITIL processes in central IT for incident management*:
- Deployed broadly: 39%
- Deployed sparsely: 19%
- In planning: 9%
- Experimenting/considering: 8%
- Considered, not pursued: 4%
- No discussion: 21%

Organizational unit responsible for incident management:
- Central IT: 80%
- Shared: 18%
- System: 1%
- Not applicable: 1%

* According to ITIL, an incident is an unplanned interruption to an IT service or a reduction in the quality of an IT service.
Wondering what’s next?
We have actionable resources on that, too.
The Higher Education Information Security Council Information Security Guide is the only resource developed by higher education information security
practitioners for higher education information security practitioners. The guide features toolkits, case studies, effective practices, and
recommendations to help jump-start campus information security initiatives. (Don’t reinvent the wheel every time you start a new infosec
project, policy, or program function on campus.) Get it at www.educause.edu/security/guide
The data in this infographic were derived from the following sources:
- Modules 1 and 7 of the EDUCAUSE Core Data Service Survey (2014), www.educause.edu/cds
- Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in Higher Education (ECAR, 2014)
- "Just in Time" Research: Data Breaches in Higher Education (ECAR, 2014), www.educause.edu/ecar