Introduction
Recent research (Allison et al., 2008; Camp et al., 2007) addresses the need to implement identification and access management (I/AM) solutions within higher education. However, none specifically addresses implementation issues such as awareness and training. A framework that focuses on the implementation of an I/AM solution within higher education for some level of assurance will not only contribute to the field of information systems and technology but will also assist higher education institutions in ensuring some level of I/AM.
Identification and access management and security have been among the top ten information technology (IT) issues concerning institutions of higher education for the last few years (Ingerman et al., 2010). In the United States, institutions of higher education are both empowered by and dependent on electronic information for academic and administrative communications and services (Hawkins, 2007). Most of this information is considered sensitive and, as such, protected by state and federal regulations (which include the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the Protection of Pupil Rights Amendment (PPRA), and the Gramm-Leach-Bliley Act (GLBA)) (SanNicolas-Rocca & Olfman, 2009). Unauthorized access into institution computers or network systems and/or unauthorized disclosure of data of any sort can lead to lawsuits, loss of students, bad public relations, termination of employees responsible for unauthorized access, loss of donations, and costs associated with risk assessment and management (SanNicolas-Rocca & Olfman, 2009).
This paper describes the creation and refinement of an IT security training framework at West Coast State University (WCSU) to implement a two-factor authentication system. WCSU was interested in implementing USB eTokens using PKI (public key infrastructure) for two-factor authentication to support federal and state requirements for the protection of PII (personally identifiable information), retention, and preservation of business-critical information, and to ensure I/AM requirements. The IT security training strategy framework was revised and updated by using canonical action research (CAR) with the goal of adapting it for other institutions of higher education, or any other type of organization, for the implementation of an IT security training initiative.
The structure of the paper is as follows. First, we review the literature on identification and access management. We then present the problem situation and describe our canonical action research method. We explain the process of designing the training framework and the implementation of each of the training sessions to the end users. Follow-up sessions were provided and subsequent training sessions were refined accordingly. We describe results and modifications to the framework, and discuss limitations, implications and future research directions.