Educause Security Discussion mailing list archives
Re: Centralized security administration
From: Robert Ono <raono () UCDAVIS EDU>
Date: Fri, 18 Aug 2006 12:11:46 -0700
Keith,

The development of the UC Davis Cyber-safety policy was initiated by a security workgroup and took about four months to reach campus adoption. The UC Davis security standards built upon the UC Berkeley and UC San Diego minimum security standards (see campus links under http://www.ucop.edu/irc/itsec/uc/). The UC Davis Cyber-safety policy was broadly discussed within the academic, technical and administrative communities before campus adoption.

The policy goes beyond establishing security standards by requiring schools, colleges and administrative organizations to annually review and report on their compliance with the campus security standards and describe improvement plans, where appropriate. The policy was originally approved in May 2005 and was revised in July 2006. As part of the July revision, an online survey was developed for the 2006 report. Please feel free to use the approach and material as a guide, where appropriate.

Physical security, as mentioned by Valdis, can be a challenge to implement. However, one of the main drivers for moving the physical security standard to the "level two" category was the risk level associated with physical security exposures. Campus experience revealed that the greatest security benefits would be afforded by promoting patch deployment, installation of anti-virus updates, strong authentication, security measures for restricted data, disabling of non-secure protocols and use of firewall services - all "level one" security practices. Over time, the placement of a security practice within a particular security category may change.

Bob

Hunt,Keith A wrote:
Hello Bob,

Some really good stuff there. Any idea how much effort to develop the policies, guidelines, surveys, etc and keep it all up to date? And would you mind if I used some of it as a guide for something similar here?

A question about the Level 1 and Level 2 practices: why did physical security get bumped down to Level 2? I would consider that very basic, and also one of the easier problems to fix.

-- Keith

-----Original Message-----
From: Bob Kehr [mailto:rskehr () ucdavis edu]
Sent: Thursday, August 17, 2006 12:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Centralized security administration

General SysAdmin at our university is very decentralized. The current approach is "policy" in conjunction with reporting, scanning, and IDS.

http://security.ucdavis.edu/cybersafety.cfm
http://manuals.ucdavis.edu/ppm/310/310-21.htm - note IV.B
http://security.ucdavis.edu/vuln_resources.cfm
http://www.ucop.edu/irc/itlc/sautter/ucd_2005_winner.html

-Bob Kehr
--
Robert A. Ono, CISSP
Information Technology Security Coordinator
Office of the Vice Provost
Information and Educational Technology
University of California, Davis
(530) 757-5795