Educause Security Discussion mailing list archives
Re: Security Measures for InfoSec Progam - was Recommendations On Cabinet Level InfoSec position
From: Jim Moore <jhmfa () RIT EDU>
Date: Wed, 16 Jul 2003 15:21:08 -0400
I have enjoyed it as well. I find academia usually has the model of the ISO reporting to the CIO or VP of IT. That is not how things are set up here. We are set up more like a high-value data, checks-and-balances system. This structure, from my experience, is more common in banks, government, and some corporations. I have a great CIO, who is interested in security. So I have no complaints.

But I do have a fear. History shows that common measures for an IT department are things like customer satisfaction. Customer Sat is often driven by ease of use. Security and ease of use come from "transparent" expert-based security. The steady rise in the hostility of the Internet environment, combined with the steady (exponential) rise in reported vulnerabilities, demands either fewer systems, or a broader security base. Logically you can produce fewer systems through standardization, which is very difficult in an academic environment with diverse research and interests. Broadening the base means more user-level security, which oftentimes is a lightning rod for poor customer satisfaction.

I have been preparing my institution that as we get better at security (and better at detection) security will appear to get worse, from a number-of-incidents standpoint. I mentioned this to a friend on our Criminal Justice faculty who teaches computer crime, and he said "Sure, it happens with police too, more police, more reported crime. You just don't have the right measures."

So here is my question, what drives a CIO? What are the measures used to determine that they are doing well in security?

Jim

Rodney Petersen wrote:
I have enjoyed reading the lively, although diverse, responses to the original question. Jim, I think what you were looking for was the letter from ACE President David Ward to all college and university presidents this past February (http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm). The specific recommendation states:

Establish responsibility for campus-wide Cybersecurity at the cabinet level. At a large university, this responsibility might be assigned to the Chief Information Officer. At a small college, this person may have responsibility for many areas, including the institutional computing environment.

Additionally, the National Strategy to Secure Cyberspace (www.securecyberspace.gov) states that "colleges and universities are encouraged to secure their cyber systems by establishing . . . model guidelines empowering Chief Information Officers (CIOs) to address cybersecurity" (A/R 3-5).

Please let me know if you have any further questions.

Rodney Petersen
Project Director, Security Task Force
EDUCAUSE

-----------------------------------------------------------------------

At the Educause security professionals workshop, I believe that someone mentioned that a college/university presidents group had a task force which made the recommendation that a cabinet level position for Information Security be created at colleges/universities. Does anyone have a reference? Does anyone have the text of the report/recommendation letter?

Jim

--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax: (585)475-7950
PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.