Version 1.0: July 2010
Find answers to frequently asked security questions and get an overview of the guide using the new infographic.
- Introduction to the Guide
- Organization of the Guide
- How to Find Information in the Guide
- Providing Feedback and Suggestions
- Description of Case Studies
- Frequently Asked Questions
The Information Security Guide: Effective Practices and Solutions for Higher Education (referred to as "the Guide") is, as its subtitle suggests, a compendium of information providing guidance on effective approaches to the application of information security at institutions of higher education. It is a key publication of the Higher Education Information Security Council (formerly the Security Task Force). Its content is actively maintained by a large group of volunteers who are information security practitioners at a variety of colleges and universities.
The content itself is a rich combination of materials written for the Guide, articles written for other publications, presentations from information security conferences, case studies, examples of processes, procedures, and forms used by various institutions, toolkits, hot topics, and references to a wide variety of other materials from EDUCAUSE and other sources.
Organization of the Guide
As can be seen by examining the navigation pane on the left side of any page of the Guide, its fundamental organization is based upon the ISO/IEC 27002:2005 standard, Information technology - Security techniques - Code of practice for information security management. ISO 27002 is one of several standards within the ISO 27xxx series. It is specifically concerned with the security of information assets (i.e., the actual information) and not just IT/systems security. As such, it focuses its attention on information security controls within a framework of enterprise security topics.
It must be made clear, however, that this does not mean the Guide is an implementation toolkit or set of instructions on how to implement this ISO standard. Rather, it only means that the Guide is organized into topics which parallel the major clauses of ISO 27002.
In addition, on every topic page there is:
- a table of contents which links to key parts of the page
- an overview which describes the general intent of the ISO topic
- a cross-reference to other common standards (currently ISO 27002 and any other relevant ISO standards, as well as appropriate NIST, COBIT, and PCI DSS sections)
- the information security categories appropriate to that ISO clause (and within those categories you will find explanations, links to articles, links to presentations, or links to institutional examples of aspects of the particular information security category)
- a comprehensive list of linked references to other materials relevant to the topic.
The navigation pane on the left side of every page includes direct links to important resources:
- Home includes announcements of special events of note and provides links to featured resources and publications.
- Overview to the Guide is the page you are reading now.
- The next twelve links, beginning with Risk Management (ISO 4) and ending with Compliance (ISO 15), connect to the specific ISO topics pages.
- Toolkits contains a list of links to specifically developed or collected resources (most are also available from their relevant ISO topic pages - this list collects them all in a single place).
- Hot Topics are resources related to topics that are currently receiving increased attention.
- Contribute a Case Study links to a page which provides instructions and submission forms for contributing new case studies to the Guide. It also contains a set of links to all case studies in the Guide (those case studies are also linked from the relevant ISO topic pages; this list collects them all in a single place).
- Glossary is an extensive list of term and phrase definitions relevant to information security.
In addition, at the top of every page you will find a "bread crumbs" indication of where you are and how the current page relates to the Guide's organizational hierarchy.
How to Find Information in the Guide
There are basically two ways to find specific information in the Guide: (1) link to the appropriate (ISO) topic directly using the navigation pane on the left side of the page, or (2) use the search function provided on the top right of every page.
Navigation Pane linking is often the quickest way to find the topic you may be seeking. If you know you want to find information about Risk Management, Security Policy, or Incident Management, for example, then using the navigation pane to link to Risk Management (ISO 4), Security Policy (ISO 5), or Information Security Incident Management (ISO 13), respectively, will get you to the relevant information quite easily and rapidly. Or if you just want to read or browse through various topics in the Guide to gain additional understanding or to familiarize yourself with its contents, the navigation pane approach is definitely the way to go.
On the other hand, if you don't know that Data Classification is considered a part of Asset Management (ISO 7), or that Awareness and Training are considered part of Human Resources Security (ISO 8), or that the Cryptographic Controls category is considered a part of Information Systems Acquisition, Development, and Maintenance (ISO 12) then the navigation pane approach may feel considerably less useful. In any situation where you are not sure where information may be located according to the ISO taxonomy, using the search function will very likely help you find the materials you seek more easily.
Using the Search Function is fairly straightforward; a bit of instruction will make its use even more effective.
Although it may not be obvious, the Guide is provided as a major section of a generalized wiki that is managed by Internet2 and used for a wide variety of EDUCAUSE and Internet2 topics. As you enter a search term in the search box at the top right of the page, it looks across the entire wiki and starts to show possible search results that have the search term as a part of a document title. If you see a document you are interested in, you can select it and you will be transferred directly to that document. Hovering your mouse over any of the terms will provide a bit more information to aid in selection: the wiki "space" in which the document resides (in our case, "Information Security Guide").
On the other hand, if you simply press return (or click the Search button), the result stack returned will be a list of all documents which include that term anywhere in all the documents across all the topics (spaces) in the wiki and not just from the Guide. For example, searching on the term "awareness" will return 206 results from the entire wiki (at the time of this writing), many not really relevant to your search. Searching the term "management" will return a result stack of 657 from the entire wiki (at the time of this writing).
The result-stack page(s) will also include a shaded box on the right where you can filter your search to refine the results. Usually, searching will be more effective if you start by using the more advanced search available through the filter box.
The most effective approach to searching the Guide is to leave the search box (at the top of the page) empty and press the Search Button. This will take you to a search page with the shaded box on the right where you can filter your search to obtain a more refined result. To restrict your search to just the Guide, choose the box labeled "Where" (which initially shows the default "All Spaces"), click the down-facing triangle on the right to see the various topics spaces on the pull-down menu, and select "Information Security..." There are other filters available but we suggest leaving them all at their default values initially.
Now, you can type your search term into the search box that is specific to the search page (toward the top left of the page, next to the Internet2 logo). For example, searching on "awareness" within the "where" of "Information Security..." (at the time of this writing) returns a much more manageable result stack of 68; searching for "management" with the same "Where" filter will return a result-stack of 134 (at the time of this writing).
All searches will automatically include other words with the same root. For example, the "awareness" search will also include the word "aware" as a part of the search and the "management" search will include the words "manage", "manager", and "managers" as a part of its search.
Providing Feedback and Suggestions
The Guide is a living document, constantly being updated and improved. Through the work of various information security professionals volunteering in working groups of the Higher Education Information Security Council, materials are continuously added or updated. But those volunteers cannot fully represent all the security practitioners on all the EDUCAUSE and Internet2 member campuses. That is why we ask that you share your expertise by providing feedback - we depend upon users of this material to help keep it updated.
There are several ways you can provide feedback.
One of the simplest and most direct is to comment directly on a page. If you see something that needs correcting (from a simple typo to a serious flaw in a recommended procedure) or you have a suggestion for improvement, for some additional material, or simply want to provide kudos, simply click on the "Add Comment" link on the bottom of any page and enter your comments. You can provide contact information as a part of your comment if you wish or just remain anonymous. If contact information is included we may contact you for clarification.
Another way to provide feedback, particularly if you wish to send us lengthy comments or some attached material, is to send e-mail. This can be accomplished by clicking on the "Contact Us" link near the bottom of each page or by sending e-mail to email@example.com.
Case Studies are very welcome too.
Description of Case Studies
Case studies are descriptions of real-world, practical, proven solutions to information security challenges implemented by one or more institutions. The intent of these case studies is to provide ideas for approaches which may be adopted or adapted to other schools' particular situations.
By filling in a relatively simple form, a case study is written up and submitted to the Higher Education Information Security Council (HEISC). Once it is received, it is typically reviewed by one or more of the HEISC working groups. This vetting process gives the institution submitting the case study an opportunity to answer questions or add content that enhances its value.
Instructions for submitting a case study, as well as a complete list of case studies currently available throughout the Guide, are available on the Case Study Submissions page.
Submitting a case study not only documents a successful institutional approach to information security and provides useful guidance to other institutions; it also gives the author(s) the opportunity to publish.
Frequently Asked Questions
Why is the organization of the Guide based upon the ISO/IEC 27002:2005 standard rather than some other standard?
This is the second major edition of the Guide. The first version was organized around major security topics chosen by the originators of the Guide but was not otherwise related to any specific taxonomy. Over time the navigation pane continued to grow as additional important topics were added. In order to streamline (and direct further development of) the Guide, the decision was made to reorganize it by using an established and generally accepted standard. After considerable research and discussion, ISO/IEC 27002:2005 was chosen as the organizing standard because it is the only recognized international standard and is widely accepted within institutions of higher education.
Why does the numbering of the ISO topics start with 4 and not 1?
Because the Guide follows the numbering system of ISO 27002. That document has several chapter headings that are numbered before it actually provides standards information. After an unnumbered Foreword, it has an Introduction (numbered 0), a Scope chapter (numbered 1), a Terms and Definitions chapter (numbered 2), and a Structure of This Standard (numbered 3). The Risk Assessment topic is number 4 in the standard.
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.