Educause Security Discussion mailing list archives

Re: Security Measures for InfoSec Program - was Recommendations On Cabinet Level InfoSec position


From: Jim Moore <jhmfa () RIT EDU>
Date: Wed, 16 Jul 2003 15:21:08 -0400

I have enjoyed it as well.  I find academia usually has the model of the
ISO reporting to the CIO or VP of IT.  That is not how things are set up
here.  We are set up more like a high value data, checks and balances
system.  This structure, from my experience, is more common in banks,
government, and some corporations.  I have a great CIO, who is
interested in security.  So I have no complaints.

But I do have a fear.  History shows that common measures for an IT
department are things like customer satisfaction.  Customer Sat is often
driven by ease of use.  Security and ease of use come from "transparent"
expert based security.  The steady rise in the hostility of the Internet
environment, combined with the steady (exponential) rise in reported
vulnerabilities, demands either fewer systems, or a broader security
base.  Logically you can produce fewer systems through standardization,
which is very difficult in an academic environment with diverse
research, and interests.  Broadening the base means more user level
security, which oftentimes is a lightning rod for poor customer
satisfaction.

I have been preparing my institution that as we get better at security
(and better at detection) security will appear to get worse, from a
number of incidents standpoint.  I mentioned this to a friend on our
Criminal Justice faculty who teaches computer crime, and he said "Sure,
it happens with police too, more police, more reported crime.  You just
don't have the right measures."

So here is my question, what drives a CIO? What are the measures used to
determine that they are doing well in security?

Jim

Rodney Petersen wrote:
I have enjoyed reading the lively, although diverse, responses to the
original question.  Jim, I think what you were looking for was the
letter from ACE President David Ward to all college and university
presidents this past February
(http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm).

The specific recommendation states:

Establish responsibility for campus-wide Cybersecurity at the cabinet
level. At a large university, this responsibility might be assigned to
the Chief Information Officer. At a small college, this person may have
responsibility for many areas, including the institutional computing
environment.

Additionally, the National Strategy to Secure Cyberspace
(www.securecyberspace.gov) states that "colleges and universities are
encouraged to secure their cyber systems by establishing . . . model
guidelines empowering Chief Information Officers (CIOs) to address
cybersecurity" (A/R 3-5).

Please let me know if you have any further questions.

Rodney Petersen
Project Director, Security Task Force
EDUCAUSE

-----------------------------------------------------------------------


At the Educause security professionals workshop, I believe that someone
mentioned that a college/university presidents group had a task force
which made the recommendation that a cabinet level position for
Information Security be created at colleges/universities.

Does anyone have a reference?

Does anyone have the text of the report/recommendation letter?

Jim
--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax:       (585)475-7950

PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/memdir/cg/.

