Copyright 2003 Jossey-Bass Inc.
Published by Jossey-Bass, A Wiley Company. Reprinted by permission of John Wiley &
Sons, Inc. For personal use only. Not for distribution.
Computer and Network Security
in Higher Education
Mark Luker and Rodney Petersen, Editors
A
Academic freedom, 4, 7. See also Intellectual freedom
Academic values, 3–5
Acceptable use policy, 66
Access: convenience vs. security in, 16; equal, 5; equity and diversity goals and, 8; fairness in, 9; Internet, and intellectual freedom, 4; policies for dealing with abuses of, 9; privacy and confidentiality considerations with, 8; vulnerability due to ease of, 78; wireless, VPNs for, 76–77
Administration, security education for, 91–92
Advanced Networking with Minority-Serving Institutions (AN-MSI) Security Committee, 8
Alerts, security, 97
American Association of University Professors, 13n2
American Council on Education, xix
American Library Association (ALA), 5
Application-based security, 84–86
Arnone, M., 48
Articles, for delivering security education, 97–98
Association of College and University Policy Administrators (ACUPA), policy procedure information from, 64–65
Association of Research Libraries, 13n2
Attorneys, in-house, security education for, 94
Auditors: risk analysis supported by, 42; security education for, 93
Authentication: appropriateness of, 10; central-service approach to, 82–83; enterprise directories for, 84, 86
Authentication and authorization systems, privacy practices of, 8
Autonomy, as academic value, 4

B
Barman, S., 63
Barton, T., 73, 84
Bickel, R. D., 53–54
Biometrics, 12
Border firewalls, 75
Boyer, E. L., 2
Briney, A., 78
Bruhn, M., 59
“Bugtrak Mailing List Archive,” 81
Business continuity, 25–26

C
Campus directories, 84
Campus police, security education and, 93–94, 101
Cantor, S., 86
Carnegie Mellon University, CERT Coordination Center, 95
Carroll, L., 45
Cassat, P. C., 46
Cassidy, D., 33
Cavanaugh, L., 64
Center for Academic Integrity, 13n2
Center for Internet Security (CIS): CISECURITY toolkit, 80; security benchmarks, 40–42
CERIAS (Center for Education and Research in Information Assurance and Security), Purdue University, 103
“CERT Advisory,” 79
CERT Coordination Center, security education offered by, 95
Certification, of security professionals, 27–28
Certified information systems security professionals (CISSPs), 27
Checklists, as element of policy, 63
Chief information officers (CIOs), 22, 86–87
Chief security officers (CSOs), 22–23
CISECURITY toolkit, 80
Civil liability, 49
Civility, as principle for security in higher education, 6
Clarke, R., xix
Columbia University, 13n2
Community: as academic value, 3–4; as principle for security in higher education, 6
Computer Science and Telecommunications Board, xvi
Computers: firewalls in, 81; as target of hackers, 31, 77. See also Host-based security
Computing Technology Industry Association (CompTIA), certification program, 27
Confidentiality, as principle for security in higher education, 7–8
Consultants, hired for security purposes, 20–21, 28, 29
Content filtering, 11
Convenience, balancing security with, 16
Cornell University, policy procedure information from, 64
Cybersecurity insurance, 56

D
Definitions, as element of policy, 62
Desman, M. B., 63
“Developing a Strategy to Manage Enterprisewide Risk in Higher Education” (Cassidy and others), 33
Distributed denial-of-service (DDOS) attacks, xi, 31
Diversity, as principle for security in higher education, 8
Dors, N., 86
Duderstadt, J. J., 2, 3
Dunn, J., 77
Duty, in negligence law, 50–51

E
E-mail: encrypted vs. unencrypted, 85; filtering content of, 11
Eaton, J., 4
Education. See Security education
EDUCAUSE/Cornell Institute for Computer Policy and Law, models for campus IT security policies, 101
EDUCAUSE/Internet2 Computer and Network Security Task Force: Framework for Action, xviii–xix; participated in development of national security strategy, xvii; principles for implementing security in higher education, 6–10, 13n2; security policies information from, 65–66; security resources from, 103
Encryption, necessity of, 84–86
Enterprise directories, 84, 86
Equity, as principle for security in higher education
Ethernet, shared, 75
Ethics, as principle for security in higher education, 9–10
Events, for delivering security education, 97

F
Facilitator university model, 53–55
Faculty, security education for, 92
Fair information practices, 5, 7–8
Fairness, as academic value, 5
Family Educational Rights and Privacy Act, 92
FBI Academy, 102
Firewalls: appropriateness of, 10; border, 75; host-based, 81; multiple, 75
Foster, A., 18
Fraser, B., 74
Frasier, M., 76
Freedom. See Academic freedom; Intellectual freedom
FTP, encrypted vs. unencrypted, 85

G
Global information assurance certification (GIAC), 27
Government, independence from, 4
Gray, T., 75
Green, R., 49
Grimes, S., 76
Guidelines, as element of policy, 63
Gwaltney, R., 81

H
Hackers: computers as target of, 31, 77; vulnerability to, xii, 31–32, 78, 79
Handbooks, security, 95–96
Handouts, for delivering security education, 98
Health care professionals, security education for, 93
Health Insurance Portability and Accountability Act (HIPAA), 93, 102
Higher education: academic values in, 3–5; mission of, 2; operational environment of, 2–3; potential security practices for, 10–12; principles for implementing security in, 6–10, 13n2; security conditions with liability potential in, 47–48; security vulnerability of computers in, xii, 31–32, 78, 79
Higher Education Information Technology Alliance, xix
Host-based firewalls, 81
Host-based security: best practices for, 78–83; defined, 78; importance of, 77–78

I
Identity management, 83
Indiana University, response to security breaches improved at, 68–70
Information protection programs (IPPs), steps for establishing, 15–16
Information security. See Security
Institutional policies: elements of, 61–64; process of developing and maintaining, 64–65. See also Security policies
Institutional risk analysis. See Risk analysis
Insurance, cybersecurity, 56
Integrity, as principle for security in higher education, 9–10
Intellectual freedom, 4, 7, 16. See also Academic freedom
International Information Systems Security Certification Consortium, 27
Internet access, intellectual freedom and, 4
Internet Audit Project, security vulnerabilities revealed by, 31–32
“Internet Security Systems,” 80
Internet2 Middleware initiative, 83–84, 86
Intrusion detection systems (IDSs), 11–12, 76
“IT Security Cookbook,” 66
IT security. See Security
IT staff. See Security staff

J
Jacobson, H., 49
Joint Information Systems Committee, 63
Jopeck, E., 33

K
Kenneally, E., 51
Kerberos, 82–83
King, C. M., 63
Klingenstein, K., 83
Kohl, J., 82
Krebs, B., 56

L
Lake, P. F., 53–54
Leadership: security, 21–23; and security architecture, 86–87. See also Security staff
Legal liability. See Liability
Liability, 45–57; civil, 49; and cybersecurity insurance, 56; and facilitator university model, 53–55; and negligence law, 50–53; security conditions with potential for, 47–48; and team approach to risk management, 56–57
Libraries, privacy measures of, 5
Logging, 8, 11, 82

M
Mandia, K., 66
Marchany, R., 31
McIntyre, D. J., 52
McRobbie, M., 19
Meetings, for presenting security education, 95
Microsoft products, virus protection when using, 78–79
Middleware: defined, 83; security considerations with, 83–84
Mission, higher education, 2
Mission Continuity Planning (Qayoumi), 33
Murrell v. Mount St. Clare College, 52

N
National Association of College and Business Officers (NACUBO), risk assessment information, 33
National Infrastructure Protection Center (NIPC), risk assessment model, 33
National Institute for Standards and Technology Security Resource Center, 103
National Institute of Science and Technology (NIST), risk assessment information, 33
National Science Foundation, 6, 13n2, 86
National Strategy to Secure Cyberspace, xii, xvi–xviii, 16
Negligence law, 50–53; breach in, 50, 52–53; duty in, 50–51; and facilitator university model, 53–55; and foreseeable harm, 51–52; general principles of, 50
Network scanning utilities, 80
Network security: best practices for, 75–77; defined, 74
Neumann, C., 82
Nichols, R. K., 63
NIMDA worm virus, 79
“Nmap—Network Mapping Software,” 80

O
Oblinger, D., 1
Olsen, F., 19
Online quizzes, for security education, 96
Openness, balancing security with, 16
“OpenSAML,” 86
Operational environment, higher education, 2–3
Operational security, 25
Outsourcing security, 20–21, 28, 29

P
Packet filtering, 10
Parents, security education for, 92
Partnerships, security obtained through, 20–21
Passwords: central authentication service for, 82–83; encrypted vs. unencrypted, 84–86; enterprise directory for managing, 84, 86
Patches, 32, 81–82
Payne, S., 89
Peltier, T. R., 63–64
Personnel. See Security staff
Pescatore, J., 90
Petersen, R., 59
Physical security, 24–25
Planning. See Security plan; Security policies
Policies. See Security policies
Policy statement, as element of policy, 61–62
Postel, J., 80
Princeton University, 48–49
Principles, for implementing security in higher education, 6–10, 13n2
Privacy: as academic value, 5; as principle for security in higher education, 7–8
Procedures, as element of policy, 62
Prosise, C., 66
Purpose statement, as element of policy, 61

Q
Qayoumi, M. H., 33

R
Rationale statement, as element of policy, 61
Read, B., 18, 48
Recor, J., 15
References, as element of policy, 63
Research and Educational Networking Information Sharing and Analysis Center (REN-ISAC), xii
Researchers, security education for, 92–93
Responsibility, as principle for security in higher education, 9–10
Risk analysis, 31–42; benefits of, 32; case study of, at Virginia Tech, 33–42; CIS security benchmarks for, 40–42; models for, 33; need for, 31–32, 42; as step in designing host-based security plan, 79
Risk assessment. See Risk analysis
Risk management: and insurance, 55–56; team approach to, 56–57
Roesch, M., 76
Roles and responsibilities, as element of policy, 62
Ryan, D. J., 63
Ryan, J.J.C.H., 63

S
“Safe SQL Slammer Worm Attack Mitigation,” 75
Salaries, of certified security professionals, 28
Salomon, K. D., 46
“San Diego Super Computer Security Advisory,” 85
Scanning, 11
Scope, as element of policy, 62
Security: balancing convenience and openness with, 16; functions of, 23–26; goals of program for, 60; obtaining support for, 18–20; principles for implementing, in higher education, 6–10, 13n2; range of practices for, 10–12
Security+ certification, 27
Security administrators, responsibilities of, 26
Security analysts, responsibilities of, 26
Security architecture, 73–87; application-based security element of, 84–86; CIO’s role with, 86–87; context for, 73; host-based security element of, 77–83; middleware and directory services element of, 83–84; network security element of, 74–77; technical resource on, 74. See also Security infrastructure
Security breaches: due process for dealing with, 9; examples of preventable, 17–18; by insiders, 90; institutional responses to, 52–53; monitoring, 20; response to, improved by security policies, 68–70
Security convergence, 24–25
Security education, 89–104; delivery methods for, 95–98; need for, 89, 90; obstacles to, 90–91; recommended approach to, 99–103; target audiences for, 91–95; tips for communicating, 98–99
Security engineers, responsibilities of, 26
Security incidents. See Security breaches
Security infrastructure: institutional characteristics influencing, 17; steps for establishing, 18–23. See also Security architecture
Security plan: developing, 18; obtaining support for, 18–20; potential security practices in, 10–12
Security policies, 59–70; acceptable use policy as component of, 66; and elements of institutional policies, 61–64; and goals of information security program, 60; information security policy statement vs., 59–60; issues to be addressed by, 65–68; necessity of establishing, 9; process for developing and maintaining, 64–65; response to security breach improved with, 68–70; security education program based on, 100–101; sources of information on, 65–66, 101
Security professionals. See Security staff
Security Self-Assessment Guide for Information Technology Systems (Swanson), 33
Security staff: certification of, 27–28; common job titles and responsibilities for, 22–23, 26; number of, and size of organization, 23, 24, 25; outside consultants as, 20–21, 28, 29; salaries of, 28; security education for, 94–95
Security Targeting and Analysis of Risks (STAR) process for risk assessment, 33–42
Security teams, 23
Semjanov, P., 82
Shibboleth, 86
Siri, L., 31
Sniffers, 11
“SQL Slammer” attack, xiii, 75
Staff, security education for, 92, 94–95. See also Security staff
Standards, as element of policy, 63–64
Stanton v. University of Maine, 51–52
Students: computer equipment of, 3; security education for, 92
Suess, J., 73
Support, obtaining, for information security, 18–20
Swanson, M., 33
System Administration, Audit, Network, Security (SANS) Institute: certification program, 27; security education offered by, 95; security policies information from, 66
System logging service, 82

T
Telnet, encrypted vs. unencrypted, 85
Thibeau, B. E., 46
Training, incorporating security education in, 98. See also Security education
TriWest Healthcare Alliance, 52, 53
Tudor, J. K., 64

U
“University of Colorado Encrypted Authentication Security Standards,” 85
University of Delaware, security incident at, 17–18
University of Maine, Stanton v., 51–52
University of Maryland: computer security vulnerability at, 78, 79; security alert tracking at, 81; security education by Dept. of Public Safety at, 101
University of Minnesota, information on policy procedures from, 64
University of Virginia, FBI Academy operated by, 102
U.S. Department of Education, 64
U.S. Department of Homeland Security, 97, 103

V
Values, in higher education, 3–5
Videos, for delivering security education, 98
Vinik, F., 53
Virginia Alliance for Secure Computing and Networking, 103
Virginia Tech, risk assessment at, 33–42
Virtual private networks (VPNs), 11, 76–77
Viruses: alerts about, 97; protection against, 78–79
Vulnerability, of computers in higher education, xii, 31–32, 78, 79

W
Walker, K. M., 64
Web ads, for delivering security education, 96
Web content filtering, 11
Web sites, for delivering security education, 96
WebISO, 86
Whatis, 11
Wireless networks, 76–77
“Wireless Security and VPN,” 77
Wood, C. C., 64
Worms. See Viruses

Y
Yale University, 48–49
Yasin, R., 83

Z