May 2015 | 19 | CIOReview

The cornerstone for effective information security within the higher education community is a deep commitment to information sharing and collaboration within the community. Operationally, many of us simply could not imagine achieving what success we have without the trust community of the REN-ISAC. Open communications and collaboration between institutions have proven essential for incident response, while world-class tools such as the Bro intrusion detection system are essentially products of this larger ecosystem.

Information sharing

As an example, it is worth looking more closely at the REN-ISAC (RI). Within the RI a uniquely collaborative culture has developed, one founded on the willingness to share experiences, techniques, and data on malicious actors and traffic in near real time. The REN-ISAC is a closed trust community. Individuals must be vetted both as trustworthy in the eyes of the community and as dedicated security professionals. Strict policies govern information sharing, and deferred trusts can be created so that the networking and systems staff who handle infrastructure can utilize intelligence collected by the community.

Curiously, the larger, better-resourced universities do not dominate dialog within the RI. Sure, like any professional community, the REN-ISAC has thought leaders who tend to be heavier contributors, but expertise is recognized and eagerly embraced on its merits, not its personality. This not only benefits the entire membership but also has a normalizing influence on the community of practice.

More challenging for our practitioners is information sharing related to actual data breaches. Typically, legal and policy constraints prevent operational staff from acknowledging or discussing details in breach scenarios. However, even in these circumstances it is possible to draw on the expertise of the community. Brandeis University benefited directly from this: by implementing some of the recommendations of the RI community, we were protected from a direct deposit redirection attack in 2014.

Community Response to Compliance and Risk for Cloud Services

As our sourcing portfolio changes to increasingly include cloud infrastructure and SaaS services, universities have struggled with the challenge of managing the risk these services bring. Few operational security staff or legal counsels have extensive experience addressing data security and privacy in cloud service agreements. By coming together as a community through consortial partnerships such as the Internet2 Netplus program, we have given ourselves a louder voice with cloud providers than even the largest single institution can muster (Internet2 member institutions represent over 6 million students). Despite our differences as institutions--from large to small, public and private, whether focused on the liberal arts, sciences, or the professional schools--we have found it possible to leverage our combined expertise and are steadily developing master agreements for services that address data security and privacy (as well as risk more generally), including the unique requirements of student records. In essence, the higher education community is slowly coalescing around a common standard of practice for contract language for cloud services. I don't want to undersell the difficulty of this or the work remaining; the public institutions in particular live under a patchwork of state procurement codes, which make taking advantage of consortial agreements challenging. We have a long way to go, but when enough of us point to common control instruments (such as the Cloud Security Alliance), vendors do take notice.

The importance of information sharing was highlighted in the December Cybersecurity Legislative Proposal from the White House. The higher education experience has shown that operational collaboration and information sharing can act proactively to better position universities and the corporate sector to prevent cyberattacks. The higher education ecosystem is built around the premise of increasing the flow of information. The information security culture and practice of higher education reflects this attitude, and because of it has thrived in one of the most challenging environments to secure.