Re: Centralized security administration

["Hunt,Keith A" <keith () UAKRON EDU>]

Hi Connie,

Thanks very much for your reply.

You say that everyone knows your policies apply across the community,
and you "require" that they go through the risk assessment. Do you have
a *formal* directive from Somewhere High Up that allows you to hold
folks accountable?

When your survey tool generates these requests for support, how are the
requests handled?

--
Keith
 

> -----Original Message-----
> From: Sadler, Connie [mailto:Connie_Sadler () BROWN EDU] 
> Sent: Thursday, August 17, 2006 2:20 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Centralized security administration
>
>  
> Hi, Keith.
>
> Our policies here at Brown are reviewed by representatives throughout
> the University (it takes 6 weeks or so), and everyone knows they apply
> to the entire community. In fact, once we draft a policy, we pull
> subject matter experts from IT personnel in different functional areas
> to work the draft into something that is ready for community 
> review - to
> make sure we aren't looking at policies through a "centralized" lens.
>
> We meet with representatives from the various departments 
> once a month.
> We also have mailing lists for system administrators and departmental
> computing coordinators (DCCs - who provide desktop support for their
> respective departments - or at least make sure that someone is looking
> after the workstations).
>
> We do a lot of things that reinforce to these folks that we expect
> certain things from them. We require that they participate in an
> every-other-year risk assessment that they provide to us (via survey),
> and we expect them to provide contact information regarding who is
> responsible for patching, anti-virus, firewall protection, 
> etc., etc. -
> and this initiates a lot of requests for support from our central
> organization. Internal Audit and IT Security both make sure that the
> individuals whom we hold accountable *know* that we are holding them
> accountable. That makes the difference! We establish a lot of
> partnerships in order to make things work. We still have a lot of work
> to do, but so far, so good. We have support from our executive
> administrators here, and that comes through our CIO, who 
> helps to ensure
> we have the support we need.
>
> Our IDS system gives us information about events all over campus. If a
> machine is compromised in a particular department, we shut it 
> off until
> it is rebuilt - and we require the contact (DCC or SysAdmin) to answer
> questions about the incident. They have to tell us who uses 
> the machine,
> how it was (or could have been) compromised, what information 
> was on the
> machine, and what they can do to prevent a recurrence.
>
> I hope this helps, and if you have any other questions, let 
> me know. We
> have no problem with decentralized IT personnel, as long as they work
> with us. In fact, I don't think we could possibly provide the level of
> service necessary in some of these areas from a central 
> organization. We
> let all of the IT personnel know that we are all on equal 
> footing, that
> we are collectively responsible for the security of the systems and
> networks our users depend on. The bottom line is that if departments
> want to manage their own IT, that's fine, but they assume 
> responsibility
> and accountability for securing that IT as well - with help 
> and guidance
> from us, of course!
>
> Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
> IT Security Officer
> Brown University Box 1885, Providence, RI 02912
> Connie_Sadler () Brown edu
> Office: 401-863-7266
>
>
> -----Original Message-----
> From: Hunt,Keith A [mailto:keith () UAKRON EDU] 
> Sent: Thursday, August 17, 2006 11:20 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Centralized security administration
>
> I was having a conversation with our CIO recently about the 
> difficulties
> faced by a central IT department asked to assume 
> responsibility for the
> security posture of servers owned and managed by non-IT departments.
>
> He asked me how other universities address this issue. So here I am
> asking you kind folks.
>
> Have you been able to establish effective policies and procedures that
> provide for central IT personnel to oversee the security aspects of
> non-IT devices (especially servers and network equipment)?  Have you
> developed some other approach that works better? How do you reconcile
> the need for decentralized systems/network admin functions 
> with the need
> for an enterprise approach to security?
>
> TIA
>
> --
> Keith Hunt  330.972.7968  keith () uakron edu Internet & Server 
> Systems The
> University of Akron