Educause Security Discussion mailing list archives

Re: Reporting Structure


From: Rodney Petersen <rpetersen () EDUCAUSE EDU>
Date: Mon, 26 Apr 2004 08:00:41 -0600

There was a similar discussion under the subject heading "CISO?" in
January.  Below is some information that I posted at the time that is
relevant to your questions.  In short, most of your questions were part
of the ECAR survey
(http://www.educause.edu/asp/doclib/abstract.asp?ID=ERS0305) conducted
in April 2003 and issued in October 2003.

Rodney Petersen
Security Task Force Coordinator, EDUCAUSE

-The EDUCAUSE Center for Applied Research security report revealed the
following:  22.4% of institutions of higher education have a chief IT
security officer or equivalent; 90% of CSOs work at doctoral extensive
or intensive institutions; 95 percent of the IT security officers report
to a senior administrator in the IT office, including 50 percent who
report to the CIO; respondents were asked when their institution created
the IT security officer position and there is a clear, steady pattern of
growth beginning in 1994; Director of Networking had day-to-day
responsibility for security at over 30% of the institutions

-The EDUCAUSE Center for Applied Research is considering a follow-up
study to its recent Security Report or including longitudinal questions
in an upcoming data networking study

-There is a collection of IT Security Officer job descriptions at
http://www.educause.edu/asp/doclib/detail_docs.asp?Detail_ID=6

-In a recent article, "Planning for Improved Security", by Mark Bruhn &
myself published in EDUCAUSE Review (November/December 2003)
(http://www.educause.edu/pub/er/erm03/erm036_articles.asp?id=10), we
describe the importance of strategy and planning to the development of
an information security program.  We also provide examples from three
institutions where in two of those cases the "planning" process resulted
in the establishment of the position of an IT security officer

-The recent book, Computer and Network Security in Higher Education
(http://www.educause.edu/asp/doclib/abstract.asp?ID=PUB7008), contains a
chapter written by Jeff Recor on "Organizing for Improved Security".
The chapter describes creating a security plan of action, obtaining
support for the plan, establishing security leadership (which describes
the private sector's movement towards positions of Chief Security
Officer), and an array of security job titles assigned to specific
functions.

Rodney Petersen
Security Task Force Coordinator, EDUCAUSE 

-----Original Message-----
From: King, Dennis C. [mailto:dck22 () ALFRED EDU] 
Sent: Friday, April 23, 2004 3:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Reporting Structure

I searched the archives and couldn't find any threads on this topic.

I have been requested to survey the list members regarding the reporting
structure on their campus as it pertains to the Information Security
Officer or equivalent.  I would be interested in the following
information (which if provided to me off-list, I will summarize for the
list):
1. Position Title
2. Number of Direct Reports (if any)
3. Who you report to
4. Size of your school
5. Length of time position has existed.
6. Anything else you feel may be relevant

Thanks,

Dennis

Dennis C King
Information Security Officer
Alfred University
McMahon 247 , Alfred, NY 14802
email: dck22 () alfred edu - phone: 607.871.2379



**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
