
A Study on the Information Security Management in National University

Advisor: 游進年

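Abstract


Awareness of information security arises from the mutual validation of knowledge and practice. Universities are organizations characterized by autonomy and scholarship; their most valuable assets are knowledge and research and development talent, and their organizational form and culture differ from those of other government agencies or enterprises. The objectives, content and management mechanisms of information security management in universities therefore carry different requirements and considerations, and merit in-depth study.

This study examines the current state of information security management in national universities, the strategies that favor it, and the views of relevant personnel on information security management and how those views differ. The study uses survey research, collecting data for analysis and discussion. The questionnaire was compiled with reference to CNS 17800, the information security management operating guidelines published by the Ministry of Economic Affairs, and was completed online; the subjects were the staff of the information departments of 26 national universities.

Based on the literature review and the analysis of the questionnaires, the following conclusions are drawn:

1. Current information security management practice leans toward the technical side. The questionnaire analysis found that the main cause is users' lack of awareness of information security management, followed by the lack of an information security management system.
2. Information department staff are mainly permanent staff and software developers, which differs from other government agencies.
3. Measures involving management scored low on feasibility, indicating that management has little willingness to take a substantive part in implementing information security management.
4. Regarding the factors behind differences in staff views: analysis by job function found that, because of differences in expertise and practical experience, network administrators, host administrators and software developers differ markedly in their views on security measures; analysis by education level found that the "doctorate" group regards the availability of information as most important, unlike the other groups, which regard confidentiality as most important, and that the groups differ on the necessity of security measures; analysis by management level found that "section chiefs" and "directors" have not reached consensus.

Based on these conclusions, this study makes the following recommendations:

1. The Ministry of Education should promote information security management through relevant meetings and plan training to raise the information security awareness of school personnel.
2. National universities should form an "Information Security Management Committee" and use the personnel system to raise staff attention to information security, developing the management side of information security.
3. Future researchers should adopt qualitative research methods to further explore the institutional, educational and technical issues of universities.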

Parallel Abstract


Information security cognition requires mutual confirmation between factual knowledge and practical field experience. Colleges and universities are aggregations of independent academic bodies. Their most precious assets are their researchers and the intellectual property that results directly from their research. The aim of information security in colleges and universities therefore differs from that of other civil services or private organizations, and the overall goals and management procedures need to be reconsidered.

The purpose of this research is to study the current information security strategies and practices in national universities, and to explore the viewpoints of the personnel involved in ensuring university information security. The research method is a questionnaire survey. The survey questions are adapted from the CNS 17800 information security management guideline of the Ministry of Economic Affairs. The questionnaire was distributed to and collected from computing center personnel of 26 national universities through web pages.

From the literature and the analysis of the collected questionnaires, the conclusions are as follows:

1. Current information security practice stresses the technical aspect because the managers lack an understanding of information security and procedural guidelines for its management.
2. The staff in the computer centers of the national universities come from within the organization. Their main responsibility is to develop software, and they usually have no contact with information security management, which differs from staff in government agencies.
3. Based on the analysis, the scores related to higher-level management are quite low. This indicates that higher-level decision makers have little interest in participating in information security promotion.
4. Personnel with different backgrounds have different cognition of information security. First, network administrators, system administrators and software developers differ in their viewpoints on information security. Second, those with a Ph.D. degree thought that information accessibility is the most important issue, while others listed information secrecy as the most important factor. The two groups also differ in their viewpoints on the necessity of information security. Third, the study also found that computer center directors and division heads differ on many issues.

According to the above findings, our study offers the following suggestions:

1. To the Ministry of Education (MOE), we suggest that it promote information security at MOE meetings. We hope the MOE will plan programs for “Information Security management” and provide on-the-job training to personnel.
2. To the universities, we suggest that they establish an “Information Security Subcommittee” to enforce and control the various regulations, and urge university administrators to take oversight seriously and implement related strategies accompanied by a personnel reward system.
3. For future work, we suggest conducting qualitative studies that examine in depth the institutional, educational, and technological aspects of information security.


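Cited by


黃建岡 (2014). The Impact of Certification Strategy on Gross Domestic Product and on Corporate Risk and Quality Costs, with a Discussion of the Nature of Certification Work [Doctoral dissertation, Chaoyang University of Technology]. Airiti Library. https://www.airitilibrary.com/Article/Detail?DocID=U0078-2611201410190722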
