
Welcome to the HEISC Information Security Guide!

Wish you didn't have to reinvent the wheel every time you start a new project, policy, or function? Looking for a guide that will provide you with a variety of information and resources relevant to higher education information security programs? You're in the right place!

The Guide is mapped to several popular standards, including ISO/IEC 27002:2013, NIST, HIPAA, COBIT, PCI DSS, and the federal Cybersecurity Framework. There are currently 17 chapters on information security, privacy, identity and access management, governance, risk, and compliance.

What makes the HEISC Information Security Guide so unique is that resources and content included in the chapters are provided by higher education information security and privacy professionals. You'll find hot topics, toolkits, case studies, best practices, and recommendations for 'getting started' that will help you jumpstart key information security and privacy initiatives or programs at your institution!


Executive Overview of the Guide

Campus leaders are grappling with how to effectively manage and understand challenges and issues associated with information security. They also have an interest in knowing how other campuses are handling information security risks and challenges. It's absolutely critical to gain executive support in order to achieve information security goals and objectives. By using the Guide in the development, implementation, and ongoing maintenance of information security programs, information security and IT professionals can provide assurances that their campuses are using effective practices that are relevant to higher education and adopted by their peers. For additional guidance, see Top Information Security Concerns for Campus Executives & Data Stewards.


Organization of the Guide

The Home page is your starting point to explore the wealth of content contained in the Guide. To your left, you'll find links to Hot Topics, Toolkits, and Guide Chapters on various topics of interest. You'll also see quick links to assist you with navigating the Guide, contributing content, or making comments to help us continue to improve this resource.

In addition, on every topic page you will find:

  • A Table of Contents which links to key parts of the page.
  • A Getting Started section that provides recommendations on how to apply the guidance contained in each chapter.
  • An Overview which describes the general intent of each chapter's topic.
  • Subtopics with objectives, descriptions and/or implementation suggestions, as well as links to articles, presentations, and institutional case studies or examples.
  • A comprehensive list of Resources referencing other materials relevant to the topic.
  • Mappings to other popular standards.

The navigation pane on the left side of every page includes direct links to important resources:

  • Home – News, Links to Key Guide Resources
  • Welcome to the HEISC Information Security Guide! – the page you are reading now, which provides an overview of the Guide.
  • The Toolkits page contains a list of links to specifically developed or collected resources. Most are also available from their relevant ISO topic pages; this list collects them all in one place.
  • Hot Topics are resources related to topics that are currently receiving increased attention.
  • Contribute a Case Study links to a page which provides instructions and submission forms for contributing new case studies to the Guide. It also contains a set of links to all case studies included in the Guide. (Those case studies are also linked from the relevant ISO topic pages; this list collects them all in a single place.)
  • The next 15 links connect to topical pages, beginning with Risk Management and ending with Compliance Management.
  • The Glossary page provides links to information security terminology and definitions maintained by other organizations.

In addition, at the top of every page you will find a "breadcrumb" trail indicating where you are and how the current page relates to the Guide's organizational hierarchy.


How to Find Information in the Guide

There are two ways to find specific information in the Guide:

  1. Link to the appropriate (ISO) topic directly using the navigation pane on the left side of the page, or
  2. Use the search function provided on the top right of every page.

Navigation Pane

Navigation Pane linking is often the quickest way to find the topic you may be seeking. If you know you want to find information about Risk Management, Security Policy, or Incident Management, for example, then using the navigation pane to link to Risk Management, Information Security Policies, or Information Security Incident Management, respectively, will get you to the relevant information quite easily and rapidly. Or if you just want to read or browse through various topics in the Guide to gain additional understanding or to familiarize yourself with its contents, the navigation pane approach is definitely the way to go.

On the other hand, if you are not aware that ISO considers Data Classification a part of Asset Management, or that Security Awareness and Training are considered part of Human Resources Security, the navigation pane approach may feel considerably less useful. The search function will very likely help you find the materials you seek more easily in any situation where you are not sure where information may be located according to the ISO taxonomy.

Search Function

Using the Search Function is fairly straightforward; a couple of tips will make its use even more effective.

The Guide is provided as a major section of a generalized wiki that is managed by Internet2 and used for a wide variety of EDUCAUSE and Internet2 topics. Consequently, you can either search for topics within the entire wiki (i.e., the Guide and all other EDUCAUSE and Internet2 sections) or within just the Guide.

Searching the Entire Wiki

As you enter a search term in the search box at the top right of the page, it looks across the entire wiki and starts to show possible search results that have the search term as part of a document title. If you see a document you are interested in, you can select it and you will be taken directly to that document. Hovering your mouse over any of the suggested results will provide a bit more information to aid in selection, e.g., the wiki "space" in which the document resides (in our case, "2014 Information Security Guide").

On the other hand, if you simply press return (or click the Search button), the result stack returned will be a list of all documents which include that term anywhere in all the documents across all the topics (spaces) in the wiki and not just from the Guide. For example, searching on the term "awareness" will return over 600 results from the entire wiki (as of January 2016), many not really relevant to your search. Searching the term "management" will return over 3,000 results from the entire wiki (January 2016).

The result-stack page(s) will also include a column on the left where you can filter your search to refine the results. Usually, searching will be more effective if you start by using the more advanced search available in the filter box.

Searching Within the 2014 Information Security Guide

Leave the search box (at the top of the page) empty and press the Search Button. This will take you to a search page with the column on the left where you can filter your search to obtain a more refined result. To restrict your search to just the Guide, choose "All Spaces" on the pull-down menu under Spaces, and select "2014 Information Security..." There are other filters available but we suggest leaving them all at their default values initially.

Now, you can type your search term into the search box that is at the top of the page. For example, searching on "awareness" within the "where" of "2014 Information Security..." (January 2016) returns a much more manageable result stack of just over 100; searching for "management" with the same "Where" filter will return a result stack of 130 (January 2016).

Important Searching Note

Searches automatically match other words with the same root (the search engine applies word stemming). For example, the "awareness" search will also match the word "aware", and the "management" search will also match "manage", "manager", and "managers".


Providing Feedback and Suggestions

The Guide is a living document, constantly being updated and improved. Topic materials are continuously added or updated through the work of various information security professionals volunteering in working groups of the Higher Education Information Security Council (HEISC). Our volunteers cannot fully cover all relevant topics for all information security professionals on all of the EDUCAUSE and Internet2 member campuses. That is why we ask that you share your expertise by providing feedback; we depend upon the feedback of Guide users to keep the Guide updated, relevant, and timely.

This can be accomplished by clicking on the "Contact Us" link near the bottom of each page or by sending e-mail to security-council@educause.edu.


Description of Case Studies

Case studies are descriptions of real-world, practical, proven solutions to information security challenges implemented by one or more institutions. The intent of these case studies is to provide ideas for approaches which may be adopted or adapted to other schools' particular situations.

By filling in a relatively simple form, a case study is written up and submitted to the Higher Education Information Security Council (HEISC). Once received, it is typically reviewed by one or more of the HEISC working groups. This vetting process gives the institution submitting the case study an opportunity to answer questions or add content that enhances its value.

Instructions for submitting a case study, as well as a complete list of case studies currently available throughout the Guide, are available on the Case Study Submissions page.

Submitting a case study documents a successful institutional approach to information security, provides useful guidance to other institutions, and gives the author(s) an opportunity to publish.


Frequently Asked Questions

Question: Why is the organization of the Guide based upon the ISO/IEC 27002:2013 standard rather than some other standard?
Answer: This is the third major edition of the Guide. The first version was organized around major security topics chosen by the originators of the Guide, but was not otherwise related to any specific taxonomy. Over time the navigation pane continued to grow as additional important topics were added. In order to streamline the Guide (and direct its further development), the decision was made to reorganize it around an established and generally accepted standard. After considerable research and discussion, ISO/IEC 27002 was chosen as the organizing standard because it is an internationally recognized standard that is widely accepted within institutions of higher education. In May 2014, we published a revised version of the Guide, which incorporates the updates to ISO/IEC 27002 that were published in late 2013.

Question: Why does the numbering of the ISO topics start with 5 and not 1?
Answer: Because the Guide follows the numbering system of ISO/IEC 27002. That document has several numbered chapters before it actually begins describing controls. After an unnumbered Foreword, it has an Introduction (numbered 0), a Scope chapter (numbered 1), a Normative References chapter (numbered 2), a Terms and Definitions chapter (numbered 3), and a Structure chapter (numbered 4); the control clauses therefore begin at 5. We have also included a Risk Management topic, which is addressed in a separate standard, ISO/IEC 27005:2008. Chapters 5-18 of the Guide cover all major topics included in the ISO/IEC 27002:2013 standard.

Question: Is the Guide a 'How To' manual to implement ISO 27002:2013?
Answer: No. The Guide is aligned with ISO 27002:2013 and includes key topics and subtopics found in this standard. However, the content is derived from EDUCAUSE and HEISC resources, case studies from various institutions, conference proceedings, and external information. If your institution has an ISO 27002:2013 compliance initiative, consult the standard itself for the implementation guidance the initiative requires.

Question: While reviewing Guide content, I thought of a resource that would complement or fit perfectly underneath a Guide Chapter. Can I provide suggestions to incorporate additional resources within the Guide to the Editorial Board?
Answer: Certainly! The Guide is a living document and we're always pleased to have input from the higher education community to improve this resource and make it even more valuable to information security professionals and IT leaders! At the bottom of each Chapter page, there is a 'Contact Us' link you can click to e-mail us your suggestions.

Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).
