Educause Security Discussion mailing list archives
Re: IT Security Strategic Plan
From: Melissa Guenther <mguenther () COX NET>
Date: Tue, 17 Aug 2004 06:54:03 -0700
Table of Contents

a.. Section 1. Purpose
b.. Section 2. Authorities and Sources
c.. Section 3. Challenges to Strategic Planning

The university is a very large and complex place. Developing and implementing a successful strategic plan to properly protect its vast information systems resources and associated data involves an enormous set of challenges. They include:

a.. Significant resource, personnel, and related budget issues
b.. Governance issues
c.. Challenges of a dynamic and often problematic regulatory environment
d.. The sheer volume of computer systems involved and the separate services that they are designed to provide
e.. The volume of data involved
f.. Numerous, different operating system types and customized configurations
g.. Vulnerabilities with emerging computer and network technologies that cannot be easily resolved
h.. A constant, rapidly expanding spectrum of threats to computing systems and networks
i.. The size and diversity of the campus workforce and student population
j.. Communication issues

This strategic plan takes into account the realities of what is involved. It assumes that if the university intends to reduce the incidence of intrusions, misuse of its computing resources, and inappropriate access to data, resources will have to be allocated. The reality is that there are many departments and units within the university that currently do not have budgeted resources specifically for security. This problem is compounded by the fact that, even with financial resources, finding the necessary expertise to support security efforts is difficult. Elements of this plan are defined in response to these realities. This plan includes several immediate affordable steps as well as important long-term strategies to help grow a stronger awareness of and emphasis on security and privacy protection. In addition, the plan is designed around a risk management approach that includes documenting the cost of prevention versus the cost of potential incidents.
a.. Section 4. Applicability and Scope
b.. Section 5. Security and Assurance Components
  1.. Organizational Controls and Resources
  2.. Information Systems Security Policy and Associated Guidelines
  3.. Security Awareness Training and Education
  4.. Threat Assessment and Risk Management
  5.. Security Incident Response and Reporting
  6.. Anti-Virus Measures
  7.. Physical Security Policy
  8.. Business Continuity and Disaster Recovery
  9.. Data and Systems Access Controls
  10.. Network and System Review Services
  11.. Chain of Trust Agreements for Information Exchange
  12.. Service Level Agreements for Business Partners
  13.. Fair Information Disclosure Practices
  14.. Audit Services
c.. Section 6. Plan Review and Revisions

The only material I can share is in regards to the Security and Privacy Awareness Training and Education Program, as I helped in the design. The rest is not mine to provide.

a.. A university-wide Security and Privacy Awareness Training and Education Program must be developed and implemented based on current resources that are available. This kind of education and training is the most cost-effective security measure that an organization can adopt. The program must be flexible in content, message, and design to accommodate multiple targeted audiences: university administration officials, deans, chairs, department heads, system and network administrators, faculty, and students. The content and information that is delivered must support the strategic message that everyone is responsible to do their part to protect the university's information systems and data - and the best recourse for individuals to protect themselves. Sensitive information, the university's reputation, availability of computing services, legal liabilities, intellectual property, and individuals' right to privacy are at stake. The program's content and structure will be the responsibility of the Information Security Officer, who will be responsible to drive this effort.
Modest resources and expertise contributed by a coalition of university departments and groups can support content suggestions and program implementation. Initially the program should rely on as many existing communication tools, information sharing venues, publications, university websites, and campus publications that make sense to leverage. For the long term, the program should strive to become more institutionalized and permanently funded, as well as owned by every campus constituent.

----- Original Message -----
From: Tim Lane
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Sunday, August 15, 2004 9:26 PM
Subject: [SECURITY] IT Security Strategic Plan

Hello All,

I am about to develop an IT strategic plan. I wondered if anyone who has previously developed one or is in possession of one could help with any or all of the below:

1) table of contents or types of areas covered
2) template
3) approach taken to develop.

Thanks very much,
Tim Lane

Tim Lane
Information Security Program Manager
Information Technology and Telecommunication Services
Southern Cross University
PO Box 157 Lismore NSW 2480
Ph: 61 2 6620 3290
Fax: 61 2 6620 3033
Email: tlane () scu edu au
http://www.scu.edu.au

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- IT Security Strategic Plan Tim Lane (Aug 15)
- <Possible follow-ups>
- IT Security Strategic Plan Tim Lane (Aug 15)
- Re: IT Security Strategic Plan Jere Retzer (Aug 16)
- Re: IT Security Strategic Plan Melissa Guenther (Aug 17)