CHALLENGES


- Documenting/publishing policies and processes (doing it)

- Communication between departments

- Comprehensive business recovery planning

- Decentralization, diversity of applications

- Ethics, laws, policy compliance

- Range of devices and one security infrastructure

- Deployment of new technologies

- Advertising of security information

- Emerging viruses, vulnerabilities

- Diverse proprietary systems to be integrated

- Recognize (and convince everyone) that all systems require COMPETENT system administration and recognize that the system administrator may not be the primary user

- Allowing users to manage and secure access to individual content independent of mode of storage and transport

- Disconnect between ownership and security responsibility and accountability

- Funding and resources

- Expanding user population and increasing difficulty in determining who they are and what rights they have

- Striking a balance between security and accessibility to network services

- Providing strong user authentication, multifactor

- Response time to isolate specific security incidents

- Support for environment and users outside Blacksburg – extended campus

- Not becoming a bigger target than we already are

- Territorial nature of IT groups

- State mandates/inflexibility

- Coordination with external agencies for security "best practices"

- Lack of data integrity for decision support

- Decoupling authorization and authentication

- Changing end user culture, get them to take security seriously

- Better controlling physical access to machines and computing resources

- Private systems on VT infrastructure

- Meeting unfunded security mandates for research

- Exit interview procedures/lack of good comprehensive system provisioning

- Cost assessment methodology (including intangible costs)

- Educate users

- Balance between security and usability

- Scope (overwhelming) of security

- ID management

- Compromised student computers (desktop and laptop)

- Access to VT resources for non-VT affiliates

- Lack of standards use at VT

- Ability of IT to influence/control non-IT departments

- Ensuring privacy of instructional systems

- Secure data storage

- How to obtain support from executive administration and BOV

- Cataloguing data according to its sensitivity

- Non-VT access to computer resources

- End-to-end transmission of data in a secure manner

- Using social engineering to gain access to someone else's resources

- Security certification for IT professionals

- Economics of staying current (HW, SW, patches, resources)

- How to secure and "heal" systems for those who can't or won't do it themselves

- Balancing academic needs for open access with IT needs for higher security

- Organizational philosophy (determining, expressing, enforcing)

- Proactive security admin (patch management) in a 24x7 environment

- Documenting policies for release and transmission of data elements

- Practice of using shared accounts

- Self-testing, self-audit and tools to help people do this

- Taking a holistic view of security when responsibilities are split

- Learning from security incidents and sharing remedies (prevention, discovery, response)

- Coupling the responsibility for security with the authority to make it happen


POTENTIAL SOLUTIONS


- Coordinate a holistic approach; develop a formal IT review process for ensuring systems the University deploys are secure

- Standards for hiring practices for IT professionals across the university

- University centralization/coordination of data management

- Secure channel for sharing security information

- VPN, SSL, etc. data transmission technologies

- Firewalls for admin systems at network layers

- Sharing, developing tools for security analysis, detection, protection

- Adherence to policy, law – a group of IT persons to internally audit IT systems

- PKI

- Proactive scanning of computers each time they connect (Checknet[1])

- Decouple cost recovery/inhibitions from implementing security enhancements. IT could subsidize

- Integration competency center to assist in Enterprise Application integration

- Provide IT orientation seminars for new system administrators (an overview of VT's systems, services and security policies)




[1] Checknet is a virtual network that is isolated from the main VT network. Machines connecting to the network will be automatically placed in the Checknet, scanned for the Top 20 Internet Threats, and if they pass the scan, dynamically connected to the main VT network. If a machine fails the test, it remains in the Checknet until the vulnerabilities found on it are addressed.
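The admission flow the footnote describes (quarantine on connect, scan, admit only on a clean result, hold until remediated) is the pattern behind later network access control products. The following is an added example, not VT's Checknet code: a small Python model of that gateway logic. The `ChecknetGateway` class, the check names in `REQUIRED_CHECKS` (stand-ins for the Top 20 list) and the per-host scan results are all constructed for illustration. One deliberate design point it shows beyond the footnote: a check the scanner did not report on counts as a failure, so an unknown or unscannable host stays in the quarantine network rather than being admitted by default.

```python
"""Model of a quarantine-then-admit network gateway (added example, not VT's code)."""
from copy import deepcopy
from dataclasses import dataclass, field
from enum import Enum


class Network(Enum):
    CHECKNET = "checknet"   # isolated scanning network
    MAIN = "main"           # production campus network


# Constructed placeholder names standing in for the "Top 20 Internet Threats"
# scan; a real deployment would map each to an actual scanner plugin.
REQUIRED_CHECKS = (
    "os_patch_level_current",
    "no_known_worm_signature",
    "no_default_admin_password",
    "host_firewall_enabled",
)


@dataclass
class Host:
    mac: str
    network: Network = Network.CHECKNET
    findings: list = field(default_factory=list)      # checks failed on last scan
    scan_history: list = field(default_factory=list)  # one tuple of failures per scan


class ChecknetGateway:
    """Places every connecting host in Checknet, scans it, and admits it only
    when every required check passes."""

    def __init__(self, scanner, required_checks):
        self.scanner = scanner              # callable(mac) -> {check_name: passed}
        self.required = tuple(required_checks)
        self.hosts = {}

    def connect(self, mac):
        # Every connection starts in Checknet, even for hosts admitted earlier,
        # because the footnote says scanning happens each time a machine connects.
        host = self.hosts.setdefault(mac, Host(mac))
        host.network = Network.CHECKNET
        return self.rescan(mac)

    def rescan(self, mac):
        """Re-run the scan for a host already known to the gateway (e.g. after
        the owner applied patches) and move it to MAIN if it is now clean."""
        host = self.hosts[mac]
        results = self.scanner(mac)
        # Fail closed: a check the scanner did not report is treated as failed.
        failed = [check for check in self.required if not results.get(check, False)]
        host.findings = failed
        host.scan_history.append(tuple(failed))
        host.network = Network.MAIN if not failed else Network.CHECKNET
        return host.network


def constructed_scan_results():
    """Constructed sample data: one clean host, one with a missing patch."""
    return {
        "00:11:22:33:44:55": {check: True for check in REQUIRED_CHECKS},
        "66:77:88:99:aa:bb": {**{check: True for check in REQUIRED_CHECKS},
                              "os_patch_level_current": False},
    }


def demo():
    """Walk two hosts (plus one unknown host) through the gateway and return
    the network each ends up on at every step."""
    results = deepcopy(constructed_scan_results())
    gateway = ChecknetGateway(lambda mac: results.get(mac, {}), REQUIRED_CHECKS)
    clean, vulnerable, unknown = ("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                                  "ff:ff:ff:ff:ff:ff")
    out = {}
    out["clean"] = gateway.connect(clean).value
    out["vulnerable"] = gateway.connect(vulnerable).value
    out["vulnerable_findings"] = list(gateway.hosts[vulnerable].findings)
    # Owner patches the machine; the scanner now reports the check as passing.
    results[vulnerable]["os_patch_level_current"] = True
    out["vulnerable_after_fix"] = gateway.rescan(vulnerable).value
    out["vulnerable_scans"] = len(gateway.hosts[vulnerable].scan_history)
    # A host the scanner knows nothing about is held, not admitted by default.
    out["unknown"] = gateway.connect(unknown).value
    return out


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step}: {value}")
```

Running the block prints the path of each host: the clean machine goes straight to the main network, the unpatched one is held with `os_patch_level_current` recorded as its finding and is admitted on the rescan after the fix, and the unknown machine stays in Checknet because no check result exists for it.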