Educause Security Discussion mailing list archives

Re: IT Security Strategic Plan


From: Melissa Guenther <mguenther () COX NET>
Date: Tue, 17 Aug 2004 06:54:03 -0700

Table of Contents

  a.. Section 1. Purpose 
  b.. Section 2. Authorities and Sources 
  c.. Section 3. Challenges to Strategic Planning 
The university is a very large and complex place. Developing and implementing a successful strategic plan to properly 
protect its vast information systems resources and associated data involves an enormous set of challenges. They include:

  a.. Significant resource, personnel, and related budget issues 
  b.. Governance issues 
  c.. Challenges of a dynamic and often problematic regulatory environment 
  d.. The sheer volume of computer systems involved and the separate services that they are designed to provide 
  e.. The volume of data involved 
  f.. Numerous, different operating system types and customized configurations 
  g.. Vulnerabilities with emerging computer and network technologies that cannot be easily resolved 
  h.. A constant, rapidly expanding spectrum of threats to computing systems and networks 
  i.. The size and diversity of the campus workforce and student population 
  j.. Communication issues 
This strategic plan takes into account the realities of what is involved. It assumes that if the university intends to 
reduce the incidence of intrusions, misuse of its computing resources, and inappropriate access to data, resources will 
have to be allocated. The reality is that there are many departments and units within the university that currently do 
not have budgeted resources specifically for security. This problem is compounded by the fact that, even with financial 
resources, finding the necessary expertise to support security efforts is difficult. Elements of this plan are defined 
in response to these realities.

This plan includes several immediate, affordable steps as well as important long-term strategies to help grow a stronger 
awareness of and emphasis on security and privacy protection. In addition, the plan is designed around a risk 
management approach that includes documenting the cost of prevention versus the cost of potential incidents.

  a.. Section 4. Applicability and Scope 
  b.. Section 5. Security and Assurance Components 
    1.. Organizational Controls and Resources 
    2.. Information Systems Security Policy and Associated Guidelines 
    3.. Security Awareness Training and Education 
    4.. Threat Assessment and Risk Management 
    5.. Security Incident Response and Reporting 
    6.. Anti-Virus Measures 
    7.. Physical Security Policy 
    8.. Business Continuity and Disaster Recovery 
    9.. Data and Systems Access Controls 
    10.. Network and System Review Services 
    11.. Chain of Trust Agreements for Information Exchange 
    12.. Service Level Agreements for Business Partners  
    13.. Fair Information Disclosure Practices 
    14.. Audit Services 
  c.. Section 6. Plan Review and Revisions

The only material I can share is in regards to Security and Privacy Awareness Training and Education Program, as I 
helped in the design.  The rest is not mine to provide. 

  a.. A university-wide Security and Privacy Awareness Training and Education Program must be developed and implemented 
based on current resources that are available. This kind of education and training is the most cost-effective security 
measure that an organization can adopt.

  The program must be flexible in content, message, and design to accommodate multiple targeted audiences: university 
administration officials, deans, chairs, department heads, system and network administrators, faculty, and students. 
The content and information that is delivered must support the strategic message that everyone is responsible for doing 
their part to protect the university's information systems and data, and that this is also the best recourse individuals 
have to protect themselves. Sensitive information, the university's reputation, availability of computing services, legal 
liabilities, intellectual property, and individuals' right to privacy are at stake.

  The program's content and structure will be the responsibility of the Information Security Officer, who will be 
responsible for driving this effort. Modest resources and expertise contributed by a coalition of university departments 
and groups can support content suggestions and program implementation. Initially the program should rely on as many 
existing communication tools, information sharing venues, publications, university websites, and campus publications 
as make sense to leverage. For the long term, the program should strive to become more institutionalized and 
permanently funded, as well as owned by every campus constituent.

   
  ----- Original Message ----- 
  From: Tim Lane 
  To: SECURITY () LISTSERV EDUCAUSE EDU 
  Sent: Sunday, August 15, 2004 9:26 PM
  Subject: [SECURITY] IT Security Strategic Plan


  Hello All,

  I am about to develop an IT strategic plan.  I wondered if anyone who has previously developed one or is in 
possession of one could help with any or all of the below:

  1) table of contents or types of areas covered
  2) template
  3) approach taken to develop.

  Thanks very much,

  Tim Lane



  Tim Lane
  Information Security Program Manager

  Information Technology and Telecommunication Services
  Southern Cross University
  PO Box 157 Lismore NSW 2480

  Ph:  61 2 6620 3290 
  Fax: 61 2 6620 3033 
  Email: tlane () scu edu au 
  http://www.scu.edu.au
  ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found 
at http://www.educause.edu/cg/. 