Charting Your InfoSec Data Roadmap

min read

Need data on your institution's information security program to take it to the next level? Not sure where to get started in gathering data about your information security program? Use this handy checklist to get started and take advantage of the data available to help you better understand your information security program.

Information security checklist diagram

What You Can Do Now

  • Assess the current status of your program using the HEISC Information Security Program Assessment tool. Quickly understand how your institution is currently addressing information security with this volunteer-created 101-question assessment based on International Organization for Standardization (ISO) 27002:2013 "Information Technology Security Techniques. Code of Practice for Information Security Management."
  • Access your 2015 EDUCAUSE Core Data Service (CDS) results in order to review core metrics on IT staffing, funding, and services such as information security. Information security data is presented in the Module 7 dashboards. You may access data through the self-service CDS Reporting tool if your institution has participated in the past. See figure 1 for an example of the kind of data collected in CDS.
  • Review strategic IT risks with the IT Risk Register. Understand where information security is a risk that could impact institutional business operations with this member-created register of IT risks.
Sample of data collected in the Core Data Survey

Figure 1. Sample of data collected in the CDS

What You Can Do Later This Summer

  • Understand how current IT trends impact information security practices by reviewing the Top 10 IT Issues research and 2016 IT issues, trends, and strategic technologies infographic.
  • Participate in the EDUCAUSE Core Data Service yearly survey to gain access to comparative data from peer institutions. In addition to having access to data from your peers, participating in the CDS helps you better understand your IT organization and provides a historical trend analysis of Your organization's efforts. This year's survey opens for data collection in mid-July.
    • In addition to the required modules, be sure to complete the information security module specifically to answer questions about institutional capability to deliver information security services and information security technologies deployment.
  • Learn tips and techniques on how to talk with institutional leadership about information security concerns. Read the article "Leading an Effective Briefing with Board Executives about Information Security." Arming yourself with data about your information security program will make your conversations more effective.

Putting It All Together This Fall and Winter

  • Explore Chief Information Security Officer (CISO) roles, competencies, and career trajectories by reviewing ECAR research on the IT Workforce. The CISO report coming in late October is based on responses contributed by the higher education security community.
  • Attend the EDUCAUSE Annual Conference in October to learn more about using data to improve the IT organization. Participate in the information security benchmarking session to learn how others use data to eliminate fear, uncertainty, and doubt in their institutional information security and risk management efforts.
  • Access your 2016 CDS survey results and data on your peers through the self-service CDS Reporting tool. Data from this year's survey will be available in late 2016.
  • Measure progress on campus-wide information security and risk management strategic initiatives by reviewing your EDUCAUSE Benchmarking Service information security capability report, which includes data contributed to the information security maturity and deployment indexes' questions in CDS.

Finally, it's never too early to look ahead to 2017. Take a moment to share what you have learned through the use of data to inform your information security program activities. Submit a presentation proposal to the EDUCAUSE 2017 Security Professionals Conference. The call for proposals will open early this fall, with submissions due mid-November.

EDUCAUSE Cybersecurity Initiative Resources and Community

The Cybersecurity Initiative is led by the Higher Education Information Security Council (HEISC), whose mission is to support higher education institutions as they improve information security governance, compliance, data protection, and privacy programs. The EDUCAUSE security discussion list is a good place to join in conversation with others on ways to use data effectively in your information security program.

Joanna L. Grama is director of cybersecurity and IT GRC programs for EDUCAUSE.

© 2016 Joanna Lyn Grama. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.