Educause Security Discussion mailing list archives
Re: Campus Security Governance Structures?
From: Jim Dillon <Jim.Dillon () COLORADO EDU>
Date: Thu, 10 Apr 2008 11:16:14 -0600
Doug,

Fair enough, but you generally have to dig through items not specifically targeted at achieving governance to get the applicable tidbits from some of these sources. It is my understanding that the 27000 series addresses governance more specifically. If you picked a particular NIST resource, one or the other might be more applicable - that wasn't the point of my post. As to the "definition of governance" it seems that a source that considers themselves to be speaking directly to the topic of governance (as opposed to one speaking to the topic of security) might be worth considering.

My primary concern is that we don't mix technical control constructs into the idea of governance. They are implementation details in response to governance, to direction, to objectives, to managerial decisions, not governance themselves. Too often I find governance arguments focus on the "strength of passwords" and "authentication methodologies", not on the objectives and risk avoidance priorities of true governance. Often the IT organization is pushing for technically superior solutions, when in the course of things business process changes are perhaps more viable.

As I said, I do use these other documents and find value in their assessment methodologies and recommendations. It simply seems that it is better to start with sources that address the subject directly than to pull from more indirect sources when starting out. I have no problem recommending each of the referenced sources as having applicable information to the question. The problem is one of targeting and subject matter objective. Implementing good technical security is possible even if governance is poor - achieving the right process and optimal use of resources is pretty darn hard without appropriate governance though.
Thus even though NIST is one of the primary sources for many of my security questions and practice definitions, I have to remember that it is targeted specifically at governmental systems and objectives, and thus isn't necessarily the optimal mix for my current organization. Having served in Defense Electronics, Semiconductor Manufacturing, Merchandising, and Higher Ed roles I can safely say that the priorities and thus the governance decisions are quite different for each.

As I passed on to Marty, I think the "Board Briefing on IT Governance" from ITGI (ISACA Bookstore - free PDF available) is a really good place to start when thinking about governance structures. I don't subscribe to all the implications in it, or COBIT, or any one source; the point is generally that controls need to match the objectives and needs of a particular organization within its environment. That usually means that not all controls (including management roles, processes, decision forums, policies) can be identical for everyone. Too many auditors (my previous field) miss this reality entirely and measure only against the most easily identified "best practice" document with no attention to objectives and environmental constraints.

Anyway, this briefing has some good information regarding particular roles and responsibilities in IT Governance (and yes, IT Security Governance is just a sub-part of that) that is a good starting platform for thinking through the governance challenges that face any organization. I particularly like the appendices - not for the purpose of implementing an exact mirror, but for the purpose of thinking broadly about the potential decision points and responsibilities and identifying where they are placed in my own organization.
Best regards,

Jim Dillon
"Bones not Casts"

-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu
303-735-5682
-------------------Boulder------------------------

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Doug Markiewicz
Sent: Thursday, April 10, 2008 6:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Campus Security Governance Structures?
> COBIT is the only control and Governance based standard you listed
It depends on your goals and definition of governance. All three sources Sarah referenced can be leveraged as part of an IT governance strategy. None of these will achieve effective governance in and of themselves.
> NIST shouldn't be confused with an International Standard for Governance.
Agree on the international part given that they're written by the US government. :-) However, as many of these documents are developed in support of federal regulations, I don't think I'd rule them out as a standard of governance. The Information Security Handbook (SP800-100) even has a chapter devoted to governance.
> ISO 17799 may be about constructing security, but it isn't about governance.
Again it depends on your goals and your definition of governance. For information security governance alone, ISO 27000 series standards are a perfectly viable tool. For IT governance in general, they would certainly fall short.

WRT Martin's request for information, I'd have to second (or third?) Kevin's original point that it's difficult to sum up in an email. I wouldn't even know where to begin. Internal policies, regulations, and the above referenced standards/frameworks are all things we leverage to help facilitate. It's largely a collaborative effort though between such groups as the Computing Services division, General Counsel, Office of the President, Internal Audit, an executive level steering committee that exists, the board of directors, etc. To quote one of my bosses, "It's a journey not a destination." We're somewhere on that journey. Not sure I can tell you where though. :-)