On October 26 and 27, 2015, Indiana University and the U.S. Government’s (USG) Department of Homeland Security (DHS) sponsored an annual National Seminar and Tabletop Exercise (NTTX) for Institutions of Higher Education (IHE). Specifically timed to occur during National Cyber Security Awareness Month in October, the event was designed and made possible through extensive collaboration with other Federal agencies, including the Federal Bureau of Investigation (FBI) and Federal Emergency Management Agency (FEMA), as well as key participants from higher education.
250 participants from nearly 80 institutions attended, including senior leaders, communication managers, information security experts, and emergency management professionals. Workshops and presentations delivered by experts from the Federal government and higher education covered topics such as campus resilience, business continuity planning, social media risks, and a cyber-threat intelligence briefing. Bob Turner, Chief Information Security Officer at the University of Wisconsin, noted the need to "increase our capability in this area," ensuring an ongoing cycle of learning and sharing with the Federal agencies.
On the second day, the tabletop exercise began with a security breach scenario and included the theft of sensitive personal information and intellectual property, focusing on coordination and communication during a series of incidents impacting student and donor data. The exercise allowed plenty of time for the participants to discuss the steps to investigate the break-ins, protect the data, communicate with victims and the community, and restore normal operations. Many institutions sent a team of individuals, who worked together during the exercise, and the discussions around the room were lively.
Using an integrated approach to emergency management planning, as espoused in the exercise, institutional systems and services can be systemically managed to prevent, protect, mitigate, respond to, and recover from any threat or hazard. This integration ensures that the planning accounts for relationships and dependencies among the core capabilities both within and across mission areas.
While nearly all participating institutions have some sort of emergency management plan in place, the workshop and exercise helped in many ways:
- Campus planners were able to pinpoint areas of improvement and identify gaps in current emergency management.
- Participants developed confidence in their institution’s ability to manage a cybersecurity emergency.
- The need for national guidance on how IHEs should plan for, respond to, and recover from such incidents was identified.
- Officials from higher education institutions noted the importance of clear, concise, and timely messaging to both the internal and external IHE community.
- Ensuring a continuity of operations was deemed essential as it relates to the teaching and learning missions of IHEs.
- Participants also agreed that additional considerations for unique populations, such as the international student community, must be further developed.
- Many participants found great value in hearing from their peers, both during the exercise and in the workshops.
- Coordination with the Federal Government was also a noted outcome of the exercise.
"Collaboration between higher education and cyber-security personnel in DHS, FBI, and other government agencies took a giant step forward with this event. We need to build on this foundation to ensure that all colleges and universities can take advantage of this initiative."
- Marty Ringle, Chief Information Officer, Reed College
Additional findings will be outlined in the NTTX IHE Summary Report, scheduled for publication in December 2015.
Kim Milford, JD, serves as the executive director for the Research and Education Networking Information Sharing and Analysis Center, REN-ISAC. In this role, she participates in the National Council of ISACs on behalf of the research and education networking community. Prior to this role, Milford was chief privacy officer at Indiana University, information security officer at the University of Rochester, and information security manager at the University of Wisconsin, leading initiatives such as disaster recovery planning, identity management, incident response, and user awareness. Milford graduated from Saint Louis University with a BS in Accounting and earned her JD at John Marshall Law School.
© 2015 Kim Milford. This EDUCAUSE Review article is licensed under the Creative Commons BY-NC-SA 4.0 International license.