Educause Security Discussion mailing list archives

Re: Campus Security Governance Structures?
From: Jim Dillon <Jim.Dillon () COLORADO EDU>
Date: Thu, 10 Apr 2008 11:16:14 -0600

Doug,

Fair enough, but you generally have to dig through items not specifically targeted at achieving governance to get the 
applicable tidbits from some of these sources.  It is my understanding that the 27000 series addresses governance more 
specifically.  If you picked a particular NIST resource, one or the other might be more applicable - that wasn't the 
point of my post.  As to the "definition of governance" it seems that a source that considers themselves to be speaking 
directly to the topic of governance (as opposed to one speaking to the topic of security) might be worth considering.

My primary concern is that we don't mix technical control constructs into the idea of governance.  They are 
implementation details in response to governance, to direction, to objectives, to managerial decisions, not governance 
themselves.  Too often I find governance arguments focus on the "strength of passwords" and "authentication 
methodologies", not on the objectives and risk avoidance priorities of true governance.  Often the IT organization is 
pushing for technically superior solutions, when in the course of things business process changes are perhaps more 
viable.

As I said, I do use these other documents and find value in their assessment methodologies and recommendations.  It 
simply seems that it is better to start with sources that address the subject directly than to pull from more indirect 
sources when starting out.  I have no problem recommending each of the referenced sources as having applicable 
information to the question.  The problem is one of targeting and subject matter objective.  Implementing good 
technical security is possible even if governance is poor - achieving the right process and optimal use of resources is 
pretty darn hard without appropriate governance though.  Thus even though NIST is one of the primary sources for many 
of my security questions and practice definitions, I have to remember that it is targeted specifically at governmental 
systems and objectives, and thus isn't necessarily the optimal mix for my current organization.  Having served in 
Defense Electronics, Semiconductor Manufacturing, Merchandising, and Higher Ed roles I can safely say that the 
priorities and thus the governance decisions are quite different for each. 

As I passed on to Marty, I think the "Board Briefing on IT Governance" from ITGI (ISACA Bookstore - free PDF available) 
is a really good place to start when thinking about governance structures.  I don't subscribe to all the implications 
in it, or COBIT, or any one source, the point is generally that controls need to match the objectives and needs of a 
particular organization within its environment.  That usually means that not all controls (including management roles, 
processes, decision forums, policies) can be identical for everyone.  Too many auditors (my previous field) miss this 
reality entirely and measure only against the most easily identified "best practice" document with no attention to 
objectives and environmental constraints.  Anyway, this briefing has some good information regarding particular roles 
and responsibilities in IT Governance (and yes IT Security Governance is just a sub-part of that) that is a good 
starting platform for thinking through the governance challenges that face any organization.  I particularly like the 
appendices - not for the purpose of implementing an exact mirror, but for the purpose of thinking broadly about the 
potential decision points and responsibilities and identifying where they are placed in my own organization.

Best regards,

Jim Dillon

"Bones not Casts"

-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu        303-735-5682
-------------------Boulder------------------------

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Doug Markiewicz
Sent: Thursday, April 10, 2008 6:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Campus Security Governance Structures?

COBIT is the only control and Governance based standard you listed

It depends on your goals and definition of governance.  All three sources Sarah referenced can be leveraged as part of 
an IT governance strategy.  None of these will achieve effective governance in and of themselves.

NIST shouldn't be confused with an International Standard for Governance.

Agree on the international part given that they're written by the US government. :-) However, as many of these 
documents are developed in support of federal regulations, I don't think I'd rule them out as a standard of governance. 
The Information Security Handbook (SP800-100) even has a chapter devoted to governance.

ISO 17799 may be about constructing security, but it isn't about governance.

Again it depends on your goals and your definition of governance.  For information security governance alone, ISO 27000 
series standards are a perfectly viable tool.  For IT governance in general, they would certainly fall short.

WRT Martin's request for information, I'd have to second (or third?) Kevin's original point that it's difficult to 
sum up in an email.  I wouldn't even know where to begin.  Internal policies, regulations, the above referenced 
standards/frameworks are all things we leverage to help facilitate.  It's largely a collaborative effort though between 
such groups as the Computing Services division, General Counsel, Office of the President, Internal Audit, an executive 
level steering committee that exists, the board of directors, etc.

To quote one of my bosses, "It's a journey not a destination."  We're somewhere on that journey.  Not sure I can tell 
you where though.  :-)
