Abstract
This document presents the key findings of the ECAR study, Safeguarding the Tower: IT Security in Higher Education 2006. When ECAR studied IT security in 2003, we discovered that despite efforts to develop a secure IT infrastructure in higher education, uneven management awareness and a culture that equated good IT security with the curtailment of academic freedom constrained IT security options and choices. The results of this 2006 study of IT security in higher education demonstrate that there has been a sea change in less than three years. This study not only assesses the current condition of IT security practice, but documents changes in practice over time among a constant set of respondents. Among 492 total survey respondents, fully 204 institutions responded to both the 2003 and the 2005 surveys. Extraordinary changes in both hard and soft security measures were reported. Nearly one-third of responding institutions now have a chief information security officer, and more than 60 percent of the 2005 respondents have a centralized IT security function. The study is supported with qualitative interviews from 18 higher education institutions and organizations and with three case studies.