Educause Security Discussion mailing list archives
Re: Making the case for security policies and personnel
From: Jim Moore <jhmfa () CIS RIT EDU>
Date: Mon, 10 Feb 2003 12:18:29 -0500
Jim,

Thanks for the articles. One that I use heavily, especially since I am at a technically oriented university, is "How to Spend a Dollar on Security", which helps me to

1) DeMyth the "technology created the problem, we will fix it with technology" error
2) Set people's expectations on their *involvement*, learning process, funds that they will spend on establishing and executing new processes.
3) Give management (who should be used to the costs of organizational change), a rationale for why the firewall costs $X, but the strategy to make it operational is $4X.

Good article, I wish that he had cited more sources.

McBride, Patrick, How to Spend a Dollar on Security (November 9, 2000), Retrieved Aug 16, 2002 from Computerworld website http://www.computerworld.com/printthis/2000/0,4814,53651,00.html

Jim Wilcox wrote:
ROSI was the popular basis for a case in 2002. No matter what you do, security is like insurance; you don't get anything new, you just get to keep what you have. Hard to make that case. Case studies are good. The penalties on executives that are included in Gramm-Leach-Bliley and HIPAA are good if that applies.

Good luck,

James Wilcox, CISSP
Director of Business Development
Cylant, Inc.
PO Box 19777
Portland, OR 97280-9777
503 799-8438
james () cylant com
www.cylant.com
CylantSecure, LinuxWorld "Best Security Solution"

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dorette Kerian
Sent: Friday, February 07, 2003 4:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Making the case for security policies and personnel

And my apologies to everyone on the list for sending this message to the entire list. AND YET, if anyone else has suggestions in approaches to making the security case with administration, I'd sure like to hear more.

With regrets, and appreciation,
Dorette
dorette.kerian () mail und nodak edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Office: 585-475-5406
Fax: 585-475-7950
PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0B86 0DC9 963C D0C0
Current thread:
- Making the case for security policies and personnel Dorette Kerian (Feb 07)
- <Possible follow-ups>
- Re: Making the case for security policies and personnel Dorette Kerian (Feb 07)
- Re: Making the case for security policies and personnel Jim Wilcox (Feb 07)
- Re: Making the case for security policies and personnel Tracy Mitrano (Feb 07)
- Re: Making the case for security policies and personnel Jim Moore (Feb 10)
- Re: Making the case for security policies and personnel Bruhn, Mark S. (Feb 13)
- Re: Making the case for security policies and personnel Ced Bennett (Feb 14)
- Re: Making the case for security policies and personnel Bruhn, Mark S. (Feb 14)
- Re: Making the case for security policies and personnel James Conley (Feb 14)
- Re: Making the case for security policies and personnel Ced Bennett (Feb 18)
- Re: Making the case for security policies and personnel Scott Bradner (Feb 19)