All for One and One for All: EDUCAUSE, Internet2, and REN-ISAC's Swashbuckling Adventures at SPC

High-seas adventures are usually full of peril and uncertainty, feature courageous heroes brandishing weapons to protect vital interests, and lead to happy endings all around. Such is the adventure that was the Security Professionals Conference in April. Information security threats abound, our brave heroes are higher education information security and privacy professionals who engage in a daily battle for data protection, and happy endings are achieved daily when threats are thwarted, vulnerabilities reduced, and end users adopt effective information security practices to protect institutional interests.

EDUCAUSE, Internet2, and the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) provide "hero support" to higher education information security and privacy practitioners (you!). At this year's Security Professionals Conference, staff from each organization took to the stage together (we!) to share a little bit about each organization and to highlight our collaborations over the past couple of years.

Who Are We and Why Are We Here?

It's not really an existential question. Each swashbuckling member of your hero support team plays a different role:

• EDUCAUSE is a nonprofit association that helps higher education elevate the impact of IT. Our members form a community of IT leaders and professionals working together to tackle challenges and leverage opportunities that are constantly evolving within higher education. The Cybersecurity Program, one of several EDUCAUSE focus areas, supports higher education institutions as they improve information security governance, compliance, data protection, and privacy programs. Information security and privacy professionals who donate their time to the Cybersecurity Program are part of the Higher Education Information Security Council (HEISC), a collaborative community that addresses information security and privacy issues in higher education to improve the common good. The EDUCAUSE Cybersecurity Program and HEISC focus on people, policies, and practices to improve information security and privacy in higher education. You most likely interact with the Cybersecurity Program through participation on working groups and subscription to the Security and Privacy discussion lists.
• Internet2 is a nonprofit, member-driven advanced technology community founded by the nation's leading higher education institutions. Internet2 serves US universities, government agencies, regional and state education networks, corporations working with our community, and national research and education network partners. Internet2 delivers a diverse portfolio of technology solutions that leverage, integrate, and amplify the strengths of its members and helps support their educational, research, and community-service missions. Internet2's core infrastructure components include the nation's largest and fastest research and education network that was built to deliver advanced, customized services that are accessed and secured by the community-developed trust and identity framework. This includes engaging with cloud providers to develop strategic relationships with services the community determines as critical to their success. Information security is integrated with all Internet2 activities including the trust fabric from the InCommon Federation.
• The Research and Educational Networking Information Sharing and Analysis Center (REN-ISAC) is a member organization focused on improving security for higher education. By facilitating discussions about threats and mitigations in the higher education cybersecurity community, the REN-ISAC supports you with actionable and timely information for immediate response.The REN-ISAC's threat intelligence system, SES, provides automated feeds of threat-indicator data into campus security tools like firewalls, IDS/IPS, sinkholes, SIEMs, and blacklists. Ongoing coordination between the REN-ISAC and the National Council of ISACs ensures a more global approach to information sharing and ready access to the work of other sectors.

Collaborative Successes!

Cooperation is the name of the game for your swashbuckling hero support team. It should probably go without saying (but we will say it anyway) that the study and practice of information security and privacy is such a broad field that no single organization could ever hope to provide you with all the support you need to advance institutional information security maturity. Organizations must cooperate and collaborate in order to help you be successful. At the same time, we are mindful that we should avoid overlap that might put a volunteer strain on our mutual members. You may not always see the conscientious collaborations going on behind the scenes, but you see the results of "watchful overlap" in a number of different ways:

• Participation in each other's working groups and activities
• The creation of joint working groups to address special initiatives
• Joint presentations at other events to promote the higher education information security and privacy professions

Our current collaborative success is the evolution of the Higher Education Cloud Vendor Assessment Tool (HECVAT) and the creation of the Cloud Broker Index. The HECVAT was created by the HEISC Shared Assessments Working Group as a way to reduce institutional and service-provider burden in responding to and reviewing third-party information security assessments. This working group was made up of members from EDUCAUSE, Internet2, and the REN-ISAC and was supported by professional staff from each organization. EDUCAUSE facilitated the working group and hosts most HECVAT resources; Internet2 incorporated the HECVAT into parts of its cloud services and application program (NET+) to increase its reach, and the REN-ISAC hosts and supports the Cloud Broker Index (an up-to-date index of vendors who are willing to share their completed HECVAT). Over 50 higher education institutions are current HECVAT users.

Who Is Steering the Ship?

It should be clear: The heroes always steer the ship. In this case, EDUCAUSE, Internet2, and REN-ISAC members steer the ship. You steer the ship! The professional staff from each organization comes together monthly to share activities with one another and make sure we are not missing opportunities to collaborate in ways that benefit our mutual members and the higher education information security and privacy professions.

We want to set sail with you. We spent a lot of time during the Security Professionals Conference "hallway track" learning how we can support you better, and we have a number of ideas to explore in the near term. If you have any additional suggestions for collaborative projects or other feedback, please let us know! We're always interested in hearing from the community. You can contact each organization individually or send email to [email protected].

---

Joanna Lyn Grama is the Director of Cybersecurity and IT GRC Programs at EDUCAUSE.