Introduction

Wish you didn't have to reinvent the wheel every time you start a new project, policy, or function? Looking for a guide that will provide you with a variety of information and resources relevant to higher education information security programs? You're in the right place!

The Information Security Guide is mapped to several popular standards, including ISO/IEC 27002:2013, NIST, HIPAA, COBIT, PCI DSS, and the federal Cybersecurity Framework. There are currently 17 chapters on information security, privacy, identity and access management, governance, risk, and compliance.

What makes the HEISC Information Security Guide so unique is that the resources and content included in the chapters are provided by higher education information security and privacy professionals. You'll find hot topics, toolkits, case studies, best practices, and recommendations for "getting started" that will help you jumpstart key information security and privacy initiatives or programs at your institution!

Campus leaders are grappling with how to effectively manage and understand challenges and issues associated with information security and privacy. They also have an interest in knowing how other campuses are handling information security and privacy risks and challenges. It's absolutely critical to gain executive support in order to achieve information security and privacy goals and objectives. By using the Guide in the development, implementation, and ongoing maintenance of information security and privacy programs, information security, privacy, and IT professionals can provide assurances that their campuses are using effective practices that are relevant to higher education and adopted by their peers. For additional guidance, see Top Information Security Concerns for Campus Executives & Data Stewards.

The Home page is your starting point to explore the wealth of content contained in the Guide. To your left, you'll find links to toolkits, hot topics, and Guide chapters on high-level topics of interest. You'll also see quick links to assist you with navigating the Guide, contributing content, or making comments to help us continue to improve this resource.

In addition, every topic page (chapter) includes:

  • A Table of Contents which links to key parts of the page.
  • A Getting Started section that provides recommendations on how to apply the guidance included in each chapter.
  • An Overview which describes the general intent of each chapter's topic.
  • Subtopics with objectives, descriptions and/or implementation suggestions, as well as links to articles, presentations, and institutional case studies or examples.
  • A comprehensive list of Resources referencing other materials relevant to the topic.
  • Mappings to other popular information security standards.

The navigation pane on the left side of every page includes direct links to important resources:

  • Home – News and links to key publications and resources.
  • Welcome to the HEISC Information Security Guide! – The page you are reading now, which provides an overview of the Guide.
  • Toolkits – A list of links to resources specifically developed or collected by HEISC volunteers (most are also available from their relevant ISO topic pages; this list collects them all in one place).
  • Hot Topics – A list of resources related to topics that are currently receiving increased attention (most are developed by HEISC volunteers).
  • Contribute a Case Study – Provides instructions and submission forms for contributing new case studies to the Guide, as well as a complete list of the case studies included in the Guide (those case studies are also linked from their relevant ISO topic pages; this list collects them all in one place).
  • The next 17 links connect to topical pages, beginning with Risk Management and including the new chapters on Privacy and Career and Workforce Development.
  • Glossary – Provides links to information security terminology and definitions maintained by other organizations.

In addition, at the top of every page you will find a "breadcrumb" indication of where you are and how the current page relates to the Guide's organizational hierarchy.

How to Find Information in the Guide

There are two ways to find specific information in the Guide: using the navigation pane on the left side of the page, or using the search function.

Navigation Pane

Using the navigation pane to access a specific topic (chapter) is often the quickest way to find what you are seeking. If you know you want to find information about Risk Management, Security Policy, or Incident Management, for example, then using the navigation pane to link to Risk Management, Information Security Policies, or Information Security Incident Management, respectively, will get you to the relevant information quite easily and rapidly. Or if you just want to read or browse through various topics in the Guide to gain additional understanding or to familiarize yourself with its contents, the navigation pane approach is definitely the way to go.

On the other hand, if you are not aware that ISO considers Data Classification a part of Asset Management, or that Security Awareness and Training are considered part of Human Resources Security, the navigation pane approach may feel considerably less useful. However, the search function will very likely help you find the resources you need more easily if you are not sure where information may be located according to the ISO taxonomy.

Using the Search Function

The search function is fairly straightforward; a couple of tips will make its use even more effective. The Guide is provided as a major section of a generalized wiki that is managed by Internet2 and used for a wide variety of EDUCAUSE and Internet2 topics. Consequently, you can either search for topics within the entire wiki (i.e., the Information Security Guide and all other EDUCAUSE and Internet2 sections) or within just the Guide.

Searching the Entire Wiki

As you enter a search term in the search box at the top right of the page, it looks across the entire wiki and starts to show possible search results that have the search term as a part of a document title. If you see a document you are interested in, you can select it and you will be transferred directly to that document. Hovering your mouse over any of the terms will provide a bit more information to aid in selection, e.g., the wiki "space" in which the document resides (in our case, "2014 Information Security Guide"). NOTE: Although the Guide URLs include 2014, content is reviewed on a regular basis and most pages have been updated between 2016 and 2017.

On the other hand, if you simply press return (or click the Search button), the result stack returned will be a list of all documents which include that term anywhere, across all the topics (spaces) in the wiki and not just the Guide. For example, searching on the term "awareness" will return over 800 results from the entire wiki (as of June 2017), many not really relevant to your search. Searching the term "management" will return over 3,000 results from the entire wiki (June 2017).

The result-stack page(s) will also include a column on the left where you can filter your search to refine the results. Usually, searching will be more effective if you start by using the more advanced search available in the filter box.

Searching within the 2014 Information Security Guide

Leave the search box (at the top of the page) empty and press the Search button. This will take you to a search page with the column on the left where you can filter your search to obtain a more refined result. To restrict your search to just the Guide, choose "All Spaces" on the pull-down menu under Spaces, and select "2014 Information Security..." There are other filters available, but we suggest leaving them all at their default values initially.

Now, you can type your search term into the search box that is at the top of the page. For example, searching on "awareness" within the "Where" of "2014 Information Security..." (June 2017) returns a much more manageable result stack of just over 100; searching for "management" with the same "Where" filter will return a result stack of just over 140 (June 2017).

Important Searching Note


Providing Feedback and Suggestions

The Information Security Guide is a living document, constantly being updated and improved. Resources are continuously added or updated through the work of various information security and privacy professionals volunteering in working groups of the Higher Education Information Security Council (HEISC). Our volunteers cannot fully cover all relevant topics for all information security and privacy professionals on all of the EDUCAUSE and Internet2 member campuses. That is why we ask that you share your expertise by providing feedback; we depend upon the feedback of our readers to keep the Guide updated, relevant, and timely.

Case studies are descriptions of real-world, practical, proven solutions to information security challenges implemented by one or more institutions. The intent of these case studies is to provide ideas for approaches which may be adopted or adapted to another institution's particular situation.

By filling in a relatively simple form, a case study is written up and submitted to the Higher Education Information Security Council (HEISC). Once received, it is typically reviewed by one or more of the HEISC working groups. This vetting process gives the institution submitting the case study an opportunity to answer questions or add content that enhances its value.

Instructions for submitting a case study, as well as a complete list of the case studies currently available throughout the Guide, are available on the Case Study Submissions page.

Submitting a case study not only documents a successful institutional approach to information security and provides useful guidance to other institutions; it also gives the author(s) the opportunity to publish.

Frequently Asked Questions

Question: Why is the organization of the Guide based upon the ISO/IEC 27002:2013 standard rather than some other standard?
Answer: This is the third major edition of the Guide. The first version was organized around major security topics chosen by the originators of the Guide, but was not otherwise related to any specific taxonomy. Over time the navigation pane continued to grow as additional important topics were added. In order to streamline (and direct further development of the Guide) the decision was made to reorganize it by using an established and generally accepted standard. After considerable research and discussion, the ISO/IEC 27002 was chosen as the organizing standard because it is the only recognized international standard and is widely accepted within institutions of higher education. In May 2014, we published a revised version of the Guide, which incorporates new updates to the ISO/IEC 27002 standard that were published in late 2013.

Question: Why does the numbering of the ISO topics start with 5 and not 1?
Answer: Because the Guide follows the numbering system of ISO/IEC 27002. That document has several chapter headings that are numbered before it actually provides standards information. After an unnumbered Foreword, it has an Introduction (numbered 0), a Scope chapter (numbered 1), a Normative References chapter (numbered 2), a Terms and Definitions chapter (numbered 3), and a Structure chapter (numbered 4). We have included the Risk Management topic, which is addressed in a separate ISO standard, ISO/IEC 27005:2008. Chapters 5-18 of the Guide include all major topics included in the ISO/IEC 27002:2013 standard.

Question: Is the Guide a 'How To' manual to implement ISO 27002:2013?
Answer: No. The Guide is aligned with ISO 27002:2013 and includes key topics and subtopics found in this standard. However, the content is derived from EDUCAUSE and HEISC resources, case studies from various institutions, conference proceedings, and external information. If your institution has an ISO 27002:2013 compliance initiative, you will find this guidance directly in the standard itself.

Question: While reviewing Guide content, I thought of a resource that would complement or fit perfectly underneath a Guide Chapter. Can I provide suggestions to incorporate additional resources within the Guide to the Editorial Board?
Answer: Certainly! The Guide is a living document and we're always pleased to have input from the higher education community to improve this resource and make it even more valuable to information security professionals and IT leaders! At the bottom of each Chapter page, there is a 'Contact Us' link you can click to e-mail us your suggestions.

Questions or comments? Contact us.