Skip to end of metadata
Go to start of metadata

Table of Contents


The Organization of Information Security can be thought of as having two major directions:

  1. that which is directed toward the internal organization, management, and control of information security within the institution. and
  2. that which is directed toward maintaining an acceptable level of information security when the institution's information and information processing facilities are accessed, processed, communicated to, or managed by external parties.

The general topic of internal organization can be further divided into several sub-topics:

  • One of the key sub-topics is management commitment to information security which includes not only general direction (i.e., implementing a security strategy), allocation of resources, acknowledgment of responsibilities, and other typical management functions but institutional governance and oversight of the security function over time.
  • Since successful information security programs require good cooperation, information security co-ordination is another important aspect of internal organization.
  • Specific and detailed allocation of information security responsibilities needs to be clearly spelled out as many assets are under the control of widely distributed units throughout the institution.
  • Internal organization is also responsible for the authorization process for information processing facilities. This is particularly important in many institutions of higher education as information technology resources are widely distributed.
  • Requirements for confidentiality agreements or non-disclosure agreements reflecting the organization's needs for the protection of information should be identified and regularly reviewed.
  • The information security organization is responsible for appropriate contact with authorities and contact with special interest groups.
  • Periodic independent review of information security is also a responsibility of the information security organization.

Similarly, the general topic of external parties can be further divided into several sub-topics:

  • A primary responsibility is the identification of risks related to external parties.
  • A similar responsibility is addressing security when dealing with "customers" (e.g., students, applicants, alumni, parents).
  • Addressing security in third party agreements to ensure reasonable coverage of all relevant institutional security requirements.

Top of page


27002: Information Security Management
Chapter 6: Organization of Information Security
38500: Corporate Governance of Information Security, 2008
800-100: Information Security Handbook: A Guide for Managers
800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems

In addition to the standards listed here, please check out this cross-referenced matrix (developed by Symantec), which outlines IT Controls for security and privacy concerns related to regulatory compliance in the workplace, including ISO 17799, COBIT 4.0, Sarbanes Oxley, HIPAA, PCI DSS, GLBA, NERC standards CIP, and PIPEDA (Canada).

Top of page

Getting Started

Starting a Dialog on Information Security Governance

A useful tool for both helping to start a dialog on the governance of information security and for assessing an institution's progress is the Information Security Governance Assessment Tool.  This instrument, available both as a PDF and MS Excel™ file, is intended to help institutions of higher education determine the degree to which they have implemented an ISG Framework at the strategic level within their institution.  It is not intended to provide a complete and detailed list of information security policies or practices one must follow.  Rather, the tool is intended to help a president or institutional leadership identify general areas of concern as they relate to the ISG Framework.  If one is unable to answer a particular question affirmatively, then that question indicates an area the institution needs to examine to determine what risks may be associated with that area and how the institution will address those risks. Moreover, institutions that periodically repeat the process with this tool find that they are able to track improvement over time.  NOTE:  This tool has been refreshed and renamed the Information Security Program Assessment Tool in 2012.

Another useful tool for getting started is called Top Information Security Concerns for Campus Executives & Data Stewards. This brief document poses a series of fundamental questions designed to stimulate thinking and solution development -- and it provides useful references to specific toolkits and other sections of the Guide that will help the reader develop approaches to information security.  

Top of page

Internal Organization (ISO 6.1)

Objective:  That the institution establish a mechanism to manage information security across the entire enterprise and that institutional leadership commit their support and provide overall direction.

Implementing a Security Strategy

An effective information security strategy for a higher education institution must take into account the different groups, including academic (research included), administrative (or business), clinical, and residential environments. Even when focusing on critical processes and legal mandates, it is necessary to extend protective measures beyond the underlying IT systems and associated administrative staff. For example, many faculty members have access to student records, and this access must be considered when assessing the security risks associated with these data. A failure to provide faculty with securely configured workstations increases the risk of sensitive data being exposed via their computers. This risk can also be reduced by implementing a middleware solution to properly control which records each faculty member can access and to minimize the amount of sensitive data stored on their computers. Also, to be effective, security practices cannot rely completely on technological solutions. Continuing the example, policies are required to clearly define faculty members' responsibilities relating to student data and the security of their workstations. Also, awareness programs aimed specifically at faculty members and their responsibilities to safeguard student information might be developed, possibly in conjunction with the institution's student information steward (e.g., at many institutions this is the Registrar).

To complicate matters, the operational needs of college and university networks often directly conflict with security practices such as perimeter firewalls, port authentication, centralized configuration management, and strong authentication. Higher education networks must be designed to accommodate visitors, new students arriving with computers, researchers sharing large quantities of data with members of other academic institutions, remote access to a variety of network services for individuals who are traveling or telecommuting, and mobile users moving between classrooms, libraries, and indoor and outdoor study spots on campus. Although firewalls are becoming widely used to protect critical systems on university networks, their use at the perimeter is less common because it is difficult to reconcile their restrictiveness with the need for an open networking environment that supports research, learning, and high-speed networking. Although centralized management is feasible for certain hosts on a university network, this approach is not suitable for most student computers and many faculty, research, and clinical systems.

This is not to say that higher education institutions cannot be secured; many colleges and universities are successfully balancing the need for security and an open, collaborative networking environment. Throughout this Information Security Guide readers will find general advice, as well as specific institutional examples, of successful approaches to managing information security within higher education.

Here's a reference to one approach to strategic planning, "The Shifting Landscape Strategic Security Model" (presented at the 2010 Security Professionals Conference, which might prove to be a useful aid. 

Top of page

Information Security Governance

Effective institutional governance of the information security function is critical to a successful program. It can be both the "proof of the pudding..." with regard to management commitment and provide necessary guidance when deciding where to allocate scarce resources. This well researched section draws from experts in the field and provides useful background and advice which can be adapted to a wide variety of campus cultures. The topical outline shown here reflects the broad array of subjects covered in this very deep Information Security Governance article:

  • What is Information Security Governance and What it is Not
  • Why Information Security Governance is Needed
  • How to Govern Information Security
    • Organizational Structure
    • Roles and Responsibilities
    • Strategic Planning
    • Policy
    • Compliance
    • Risk Management
    • Measuring and Reporting Performance
  • What Governance Models are used by EDUCAUSE Members
  • Success Stories
  • Other EDUCAUSE Resources
  • Appendix A: Effective/Ineffective Governance Compared
  • Appendix B: Roles and Responsibilities from the NIST Security Handbook
  • References
Summary of the Governance article

In addition, a presentation summarizing this article was made at the 2010 Security Professionals Conference.  The slides and handouts from that session can be found here.

Implementing Information Security Governance Using ISO27000 at Georgia State University

This case study describes a decision and process used by Georgia State University to go beyond compliance with ISO 27002 (essentially the controls portion of the ISO standard) and become certified under 27001 (ISO/IEC 27001:2005 Information technology -- Security techniques -- Specification for an Information Security Management System) which required complete commitment from top management "...towards developing a comprehensive, cost effective, risk management based information security program, that is consistent, measurable, auditable, and which integrates objectives within the business and academic strategic goals, in addition to IT."

Examples of Information Security Governance

Here are a some examples of information security governance. 

The Information Security Council Charter from the University at Albany - SUNY

The Indiana University's Information Security and Privacy Risk Council charter

A presentation by the University of Alaska during the 2011 Security Professionals Conference on Initiating Security Initiatives Through System-Wide IT Governance

Top of page

Independent Review of Information Security

It is important to have the organization's approach to the information security function reviewed periodically or when significant changes to security implementation occur. Such a review should include both assessing opportunities for improvement and the need for changes to the institution's approach to security, including policies.  These reviews should be carried out by agencies independent of the area under review. Typical units selected to provide these reviews include the internal audit organization, an independent manager from some other area of the institution. or a third-party organization specializing in such reviews.  A list of some third-party organizations that have been used by other institutions is provided here (please note that inclusion on this list does not constitute an endorsement by EDUCAUSE - these third-party organizations have been added to the referenced list exclusively by EDUCAUSE members).

Top of page

Managing the Information Security Program

Here are several useful references that provide insight into the process of managing information security within the higher education community.  There are no magic bullets provided but each reference does develop some ideas that may prove useful.

Gaining the confidence of others

The Career of the IT Security Officer in Higher Education is an ECAR Research study of information security across a variety of institutions.  Not only does it provide the reader with useful comparisons and statistics regarding the practice of information security in higher education but it also provides useful advice for the information security officer regarding positive interaction with others (i.e., leaders, peers, colleagues, staff, faculty, and students).

A Guide to Security Metrics is a presentation made at the 2010 Security Professionals Conference.  It provides a definition of security metrics, explains their value, discusses the difficulties in generating them, suggests a methodology for building a security metrics program, and reviews factors that affect its ongoing success. Numerous examples of security metrics will also be covered.

Scale the Solution to the Problem is an EDUCAUSE Quarterly article describing an approach to both gaining the confidence of others within the institution and effectively leveraging other appropriate institutional resources in the pursuit of improved information security.

Effective Management of Information Security and Privacy is an EDUCAUSE Quarterly article proposing (as it summarizes in its subtitle) security and privacy are not IT issues -- they demand a comprehensive, strategic, team approach to find effective solutions.

Information Security and Internal Audit: Working Together is a presentation made at the 2011 Security Professionals Conference.

Information Security and the Institutional Review Board: A Roadmap for Securing Research Data at Your Institution is a presentation made at the Security Professionals Conference, 2011

Getting along with less

Surviving the Onslaught: Running a Security Program by Yourself is a presentation made at the 2010 Security Professionals Conference which examines ways in which a security program can be successfully mounted with very limited resources.

Top of page

Requests for Information

Guidelines for Responding to Compulsory Legal Requests for Information (which also includes a comprehensive list of references) is an excellent summary of things to consider when faced with a request for information. 

Top of page

Confidentiality Agreements

Confidentiality agreements are important as a means to inform employees and 3rd-parties of their responsibility to protect, use, and disclose institutional and personal information in an authorized manner.  Here is an example of an IT Confidentiality Statement form used by the University of Iowa.

Top of page

Information Security Program Assessment Tool

This self-assessment tool was created to evaluate the maturity of higher education information security programs using as a framework the International Organization for Standardization (ISO) 27002 "Information technology Security techniques code of practice for information security management." This tool was intended for use by an institution as a whole, although a unit within an institution may also use it to help determine the maturity of its individual information security program. Unless otherwise noted, it should be completed by chief information officer, chief information security officer or equivalent, or a designee.

Top of page

External Parties (ISO 6.2)

Objective:  That the institution maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

Third Party Agreements - Security Considerations

The Data Protection Contractual Language toolkit was developed by a working group of the Higher Education Information Security Council (formerly called the Security Task Force) to provide sample proposal and contract language for common themes related to data protection as well as practical guidance as to when and how to consider the themes when drafting or reviewing a request for information (RFI), request for proposal (RFP) or contract.  This very useful reference does provide the caveat that the data security themes and sample contractual clauses are provided for informational purposes only and are not to be construed as legal advice.  

Building Security into the RFP Process is a presentation from the 2010 Security Professionals Conference. By including a security review as part of the RFP process, Indiana University has been able to identify and mitigate potential risks in products before they are purchased and implemented. IU requires vendors meeting certain criteria to complete a security questionnaire as well as a review process. Frequently, as a result of this process, vendors have agreed to make changes or enhancements that improve the security posture of their product.

Do They Measure up? Assessing the Security Posture of Third-Party Service Providers is a presentation from the 2011 Security Professionals Conference.  A Panel of experts discuss the reasons for assessing third party providers and provide guidance on how to go about it (with reference to a specific institution's approach. 

External Parties - Security Considerations (Cloud Computing)

Stewards for Higher Education: Looking at Clouds & the Top-Ten Issues is an issue of EDUCAUSE Review predominately focused on the topic of Cloud Computing.  It includes the following articles and columns on the subject:

  • Cloud Computing and the Power to Choose
  • Looking at Clouds from All Sides Now
  • Stewards for Higher Education: Looking at Clouds & the Top-Ten IT Issues -- Homepage [From the President]
  • Cloud with a Long Tail:  The VCL in Support of Pedagogy -- E-Content [All Things digital]
  • The Multiple Personalities of Cloud computing -- PodcasrIT [Audio and Video Interviews]
  • Collaborative Efforts:  Teaching and Learning in Virtual Worlds -- New Horizons [The Technologies Ahead]
  • Clearing the Air on Cloud Computing -- Policy Matters [Campus Environment & Political Content]

Security Considerations for Cloud computing is an article developed by a working group of the Higher Education Information Security Council (formerly the Security Task Force) that outlines things to think about when considering the application of cloud computing at institutions of higher education.

Hot Topic Discussion: Mobility, Telecommuting, and the Cloud is a presentation and discussion from the 2010 Security Professionals Conference.  The materials available are both the presentation slides as well as a recording of the session.  It provides some insight into the two separate but related issues of (1) supporting an array of hand-held and mobile computing devices and (2) managing services provided via the cloud.

Cloud Computing: Clear Skies or Rain? is a presentation from the 2010 Security Professionals Conference.  Two universities that have moved e-mail services to "the cloud" provide a primer on this new buzz phrase, then share their forecasts for security professionals.

Structuring the IT Organization for Cloud Services is an ECAR research bulletin which examines what our institutions must consider as they move to support the addition of cloud services to the campus.  The study focuses mostly on IT support services (and does not spend much time considering information security service's issues) but is nevertheless a useful primer on what sorts of considerations ought to be examined as institutions move in the direction of services not provided directly from the campus itself. 

7 Things You Should Know About Cloud Computing is an EDUCAUSE article found in the "EDUCAUSE 7 Things You Should Know About" series.  It provides a useful overview of the security issues to be considered when moving toward providing cloud computing services. 

Top of page


Campus Case Studies On This Page
Implementing Information Security Governance Using ISO27000 at Georgia State University

EDUCAUSE Resources

Initiatives, Collaborations, & Other Resources

Top of page


1. ISO/IEC 27002 (previously known as ISO/IEC 17799:2005); Information technology -- Security techniques -- Code of practice for information security management; 2007.

Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.

organization organization Delete
organize organize Delete
information information Delete
security security Delete
management management Delete
governance governance Delete
internal internal Delete
coordination coordination Delete
responsibilities responsibilities Delete
external external Delete
commitment commitment Delete
educause educause Delete
heisc heisc Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.