
IT Security and Privacy in Educational Environments

IT Security and Privacy in Educational Environments. Terry Roebuck University of Saskatchewan. IT Security Issues in an Educational Environment. Understanding Security and Technology Differing Drivers and Resource Conflicts Administrative Requirement / Academic Need


Presentation Transcript


  1. IT Security and Privacy in Educational Environments Terry Roebuck University of Saskatchewan

  2. IT Security Issues in an Educational Environment
     • Understanding Security and Technology
     • Differing Drivers and Resource Conflicts
     • Administrative Requirement / Academic Need
     • Achieving Balance in Privacy and Security
     • Strategies for Success
     • Common Goals and Community

  3. The Technology of Security
     • Security and privacy are not media dependent
     • Protection techniques are media dependent
     • Security and privacy rely on trust:
       • Trust in policy (to provide rules and guidance)
       • Trust in process (to ensure compliance)
       • Trust in technology (to deliver anticipated results)
       • Trust in people (to act responsibly)

  4. The CIA Model of Security

  5. C - Confidentiality: “Keep secrets”

  6. C - Confidentiality
     I - Integrity: “Keep data intact”

  7. C - Confidentiality
     I - Integrity
     A - Accessibility: “Allow availability on demand”

  8. Security: somewhere around the intersection in The CIA Model
     C - Confidentiality
     I - Integrity
     A - Accessibility

  9. Complexities within the CIA Model
     C - Confidentiality: granularity & data mining
     I - Integrity
     A - Accessibility: Timeliness & Scope
     • Network
     • Hardware
     • Software
     • Procedures
     • People

  10. Drivers Opposing Balance in Privacy and Security
      • IT security & privacy: addition or integration?
      • Separating security from technology
      • Technology (h/w, s/w, network) life cycles
      • Knowledge and the transience of community
      • Changing requirements and standards
      • Scalability in problems and solutions
      • The internal perception of responsibility
      • The public perception of blame

  11. Administrative Requirements and Academic Needs
      • Administration: Security, Stability & Consistency
        • Commercial (production) s/w may not be well designed for security within an open environment (assume an ‘Intranet’)
      • Academia: Flexibility, Capacity & Capability
        • Academic applications may be more robust but expect user management & control (ex: wireless devices, web browsing)
      • ‘Permit unless Denied’ or ‘Deny unless Permitted’?

  12. So How Much is Too Much? IT Security versus Productivity in Educational Environments

  13. The need for Balance

  14. Too Little Security
      - Net ‘Background Noise’ Affects Operations
      - Technology becomes unstable
      - Increased Risk of Critical Information Loss
      - High Risk of System Compromise Through Attack

  15. Too Much Security
      - Device & network capability curtailed
      - Divergence of user & support resources
      - Diminished information accessibility
      - Increased risk of compromise through workarounds

  16. How to Strike a Balance
      - Understand our Community
      - Understand our unique Risks
      - Provide Education and Training
      - Embrace ‘Security Best Practices’
      - Target Defense Resources to Risk
      - Use a Structured Methodology
      - Be BOTH Reactive and Proactive
      - Use Metrics, Records & Statistics

  17. How to Strike a Balance
      - Understand our Community
      - Understand our unique Risks
      - Provide Education and Training
      - Embrace ‘Security Best Practices’
      - Target Defense Resources to Risk
      - Use a Structured Methodology
      - Be BOTH Reactive and Proactive
      - Use Metrics, Records & Statistics

  18. Will All of This Work? No Guarantees!
      - No Site is ‘fully secured’
      - No Attack Detected is not ‘secured’
      - Maintaining 100% Effort
      - Conflicting Resource Demands

  19. Common Goals and Community
      • Community members share a duty to security
      • Compromise will be required
      • There are no ‘sides’ - just advocates
      • Students advocate for open communication
      • Administration advocates for stable platforms
      • Faculty advocates for flexible functionality

  20. IT security is a community problem ... Any solution will require community involvement and commitment
      Terry.Roebuck@usask.ca

  21. Academic - Administrative Paradigm
      • Limited Resources Force Tough Choices
      • Communication Barriers
      • Critical Senior Management Involvement
      • Metrics and Reporting
        - “Fixing the Problems I See”
        - The perceived value of measurement and structure

  22. Tolerance For Risk
      • Academic & Administrative see different risks
      • Risk cannot be eliminated in either view
      • Risk can be mitigated and managed if known
      • Level of risk tolerance is a management issue
      • Risk education and awareness lacking

  23. How to Strike a Balance: Understanding Security
      - Security is NOT full defense
      - All Systems have ‘holes’
      - Tied to Defense & Attack Effort
      - Security: Risk Management
      - Security: Due Diligence
      - Security: A Management Function
      - Security: Based on Policy

  24. How to Strike a Balance: Understanding Risk
      - Determine Site Risk Tolerance
      - Know What Could Be a Target
      - Know Where Target is Located
      - Know Who Seeks The Target
      - Know Why They Seek The Target
      - Know When Target is Vulnerable

  25. How to Strike a Balance: General ‘Security Best Practices’
      - Assign Security as a Responsibility
      - Awareness Training for Users
      - Security Training for IT Staff
      - Maintain Virus Detection Systems
      - Patch Systems and Applications
      - Limit Access & Capability by Need
      - Log & Investigate Incidents

  26. How to Strike a Balance: Target Defense to Attack & Risk
      - Focus Defense On Target Weakness
      - Vary Security by Risk of Loss
      - Make Security Application Oriented
      - Provide Flexibility for Change
      - Base Security in Unit Policy

  27. How to Strike a Balance: Use Structured Methodology
      - Information Inventory
      - Risk Assessment
      - Mitigation Analysis & Planning
      - Periodic Review
      - Set Management Oversight

  28. How to Strike a Balance: Metrics, Records and Statistics
      - Log Critical Events
      - Maintain Site Records
      - Investigate Anomalies
      - Set & Maintain Site Standards
      - Follow Security Trends
