ISMS Case Study

Higher Education

Business Motivators
The client was a state college system with 37 campuses scattered statewide.

  • The President's Critical Infrastructure Protection Board (CIPB) released its National Strategy to Secure Cyberspace. This plan specifically identified institutions of higher education as part of the cyberspace security problem.
    • Under the national microscope, it became clear that the client had no coherent information security program.
  • EDUCAUSE, the higher education lobby, responded to the CIPB report with an information security action plan that was heartily endorsed throughout academia.
    • Committed to supporting the EDUCAUSE response, the client had neither means nor strategy to participate in the EDUCAUSE initiative.
  • An industry-specific information protection regulation, FERPA, as well as a state data protection act became regulatory requirements.
    • With possibly serious liability concerns, the client found their diligence indefensible.
  • Academic freedom and privacy issues between librarians, students, and government agencies were becoming increasingly hostile.
    • The client had no mechanism to address improper usage of state information assets, yet was liable for the results of improper usage.

The Challenge

  • Each campus was autonomous, with its own CIO in charge of information technology.
    • CIOs varied wildly in competence, sophistication, and enthusiasm.
  • Every move was put under the "academic freedom" microscope.
    • There was continual risk of lawsuits, accusations, and censure.
  • Security activities assigned to employees were scrutinized and challenged.
    • A strong union required appeasement.

The Solution
An Information Security Management System (ISMS) was designed and implemented to serve as the basis for the Information Security Program. The resultant ISMS included:

  • A management framework that was sensitive to the cultural and political environment unique to higher education.
  • A risk assessment methodology that was both defensible and compatible with state audit requirements.
  • Information security standards that clearly defined enforceable and auditable requirements.
  • Strategic plans that showed alignment with EDUCAUSE goals and a going-forward roadmap.
  • Incident management capabilities aligned with state guidelines.

The Result
The deployment of the ISMS resulted in the information security program obtaining the following benefits:

  • A minimum baseline of information security throughout the system.
  • Clear guidance to information technology employees and users.
  • Empowerment through structure.
  • Defensibility through demonstrated diligence.
  • Regulatory compliance.
  • Auditability.


Note: HotSkills, Inc. launched Orange Parachute in 2007. This case study may predate the Orange Parachute name and launch, but the work was completed by the same consultancy.

