ResNet Symposium: ECAR and RARG Security Survey Results

Two members of the ResNet Applied Research Group (RARG), Dave Futey and Clifton Pee, joined Rodney Peterson, EDUCAUSE Government Relations Officer and Security Task Force Coordinator, to present results related to security research conducted by those two organizations. Both of these organizations conducted work related to security last year: the EDUCAUSE Center for Applied Research (ECAR) released the results of their “Safeguarding the Tower: IT Security in Higher Education 2006” study (although the study is only available to ECAR members, the Key Findings are publicly available) and the RARG released results from their “2006 ResNet Security Practices and Policies Survey.”

The bulk of the presentation focused not on survey results but on their meaning. Rodney concentrated his presentation on relating the ECAR data to the new EDUCAUSE/Internet2 Security Task Force’s Confidential Data Handling Blueprint. (Although I did not attend SIGUCCS’ Computer Services Management Symposium, I am told that Rodney presented a very similar presentation in Savannah.) The RARG data was a selection of results from the larger body of results followed by several questions intended to stir discussion among attendees.

Items raised in the discussion included:

  • An observation (initially made by me but echoed by other attendees) that the experience of small colleges may differ significantly from that of larger institutions. In particular, we have fewer staff, and they are less likely to have the specific skills necessary to address complex legal and technical challenges related to security. We also may perceive ourselves as “not targets” due to our small sizes as we “fly under the radar” while attention is focused on larger institutions. In response, Rodney observed that some institutions are shifting and training staff instead of hiring new persons.
  • What has changed in the last year? Or have we finally caught up to 2003 (a landmark year for ResNet programs as various worms decimated our networks during fall opening)? The primary response to these questions was “there have been no recent incidents.” This perceived lack of incidents led us to question if we are being successful in our efforts, merely lucky, or just untested.
  • When asked how often we should evaluate our security plans, Rodney reminded us that the federal government is required to review their plans whenever an incident occurs and at least annually (as required by the Gramm-Leach-Bliley Act).
  • One attendee noted that her institution is formulating a security plan that encompasses not only IT but also paper forms and data recorded on paper. Rodney agreed that was necessary and advised us to place security in the context of risk and not computers or IT (“people, process, & technology” was the exact phrase he used).
  • When asked how we should define success in relation to security, one attendee replied that success has occurred when a culture embracing security has been created. Another opined that you only know when you’re unsuccessful.

Stepping back away from the content of the presentation, it was quite heartening to see this joint presentation between an EDUCAUSE staff member and members of the RARG. I believe that it’s a sign of healthy maturity that the ResNet organization is reaching out to and being reached out to by other professional organizations.