Educause Security Discussion mailing list archives

Re: Campus Security Governance Structures?


From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Wed, 9 Apr 2008 12:14:16 -0700

I completely understand your question, Martin.  For the past few years, I have participated in these boards, 
encouraging educational institutions to adopt a centralized approach to information security.  Unfortunately, a lot of 
focus has remained on details such as "laptop encryption" or single-regulation compliance, instead of big-picture reviews.

I perform risk assessments in academia, government, and corporations, and COBIT is not my first choice.  Of COBIT, ISO 
17799, and NIST, NIST is my favorite because of the versatility of the guidelines.  NIST 800 Series offers a framework 
that includes guidance for all the gory details, including data classification, risk management, and even which 
encryption technologies to use.

My disclaimer:  I own a corporation that performs risk assessment for various industries.  However, I perform volunteer 
speeches and routinely provide free services to academia in order to achieve my own mission of furthering information 
security as part of a core curriculum of knowledge spread and enabled through an individual's academic experience.

Regards,

Sarah E Stevens
Stevens Technologies, Inc.
(704) 625-8842 x500
--------------------------
Sent from my BlackBerry Wireless Handheld

----- Original Message -----
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Wed Apr 09 11:57:08 2008
Subject: Re: [SECURITY] Campus Security Governance Structures?
[Martin Manjak] Looks like I have to answer my own query.

The lack of response to this question is intriguing. Does it mean that 
most institutions don't have some form of governance when it comes to 
information security?

[Shane Bishop] For institutions of higher education the preferred framework
seems to be COBIT. The Gartner report "Hype Cycle for Higher Education,
2007" depicts COBIT just showing up on the radar screen for many
institutions. Only the test of time will determine if COBIT will be the
preferred framework among higher education, or just another fad. Personally,
I like COBIT but would like to see something even a little more contoured
for higher education. Perhaps a CobEd version 1.0. Prudent information
security officers like well-organized, clear-cut objectives that pertain to,
and use the verbiage of, their industry. The word "business" in
higher education will often return looks of confusion. Having to improvise a
framework into something that isn't uniformly agreed upon by your peers in
the industry leads to less acceptance and greater chance of failure.
Alternatively, COBIT is much better than no framework, and this indicates
the maturity level for acceptance of a framework in higher education is
still in its juvenile stages IMHO. 

http://www.gartner.com/DisplayDocument?doc_cd=148910

[Martin Manjak] If that's the case, how are decisions made that affect the
institution's security posture? How are assets ranked and vulnerabilities
prioritized?
How is risk assessment performed? Who decides what investments are made 
into what technologies and controls?

[Shane Bishop] An assessment needs to be done to map IT assets to business
services and which individuals are accountable for these processes. Once
that is done you would normally do a business impact analysis to prioritize
the severity of security risks to those assets.

[Martin Manjak] It seems to me that if you get governance right, many other
things fall into place because you get institutional recognition of risk and
endorsement of mitigation strategies.

[Shane Bishop] Very true; trying to change the culture to see the benefits
of enterprise level IT security governance seems to be the bigger obstacle.
Having the CISO in a different division than the CIO seems to complement
this undertaking. Until government regulation is passed that requires
institutions of higher education to have external auditors assess security
there will not be conformity to a standard. 
Shane Bishop
Associate Director of Network Infrastructure
John A. Logan College
CISM, CISSP
http://shanebishop.info
(618) 985-3741 Ext. 8544