Educause Security Discussion mailing list archives
Security metrics for small and community colleges
From: Mark Morrissey <mark.morrissey15 () PCC EDU>
Date: Mon, 21 May 2007 09:12:42 -0700
Let me preface this by saying that it is my assumption that small colleges and community colleges have fewer staff and other resources for developing, analyzing and reporting security metrics (perhaps IT metrics of any kind). If I am wrong in that assumption, please accept my apologies.

I am relatively new to my institution and am bringing the information security program up from scratch. As I start this program, it is clear that we will need to baseline our security posture so as to be able to measure and report both the effect of infrastructure changes on the security posture, and report out to various stakeholders the state of information security in a manner that is meaningful to them.

At the recent EDUCAUSE Sec '07, there was a great presentation on security metrics by Matt Tolbert (UPitt) and a great session on reporting by Kathy Bergsma (UFlorida) and Joshua Beeman (UPenn). It is clear from these presentations, talks with other institutions, and discussions within my own institution that a small group of (potentially derived) metrics, tailored to each stakeholder group, is needed.

Being new to infosec in the small and community college arena, I am asking for assistance. How are similar small and community colleges organizing their metrics gathering and reporting for information security? What are your principal stakeholder groups and what infrastructure have you rolled out to support reporting to these groups? Also, how are you using your metrics to show compliance with applicable federal, state, local, and institutional rules and regulations?

That looks like a good start :-)

Thank you in advance for your help. Please, if you send me email directly, let me know if I can share your information in a summary on this topic. I always like to summarize my findings back to where I asked for help.
--mark
-----------------------
Mark Morrissey
Information Security Manager
Portland Community College, Portland, Oregon
mark.morrissey15 () pcc edu
Desk: 503-977-4896
Mobile: 503-969-5631