Educause Security Discussion mailing list archives
Re: Centralized vs. Decentralized IT
From: Jim Dillon <Jim.Dillon () COLORADO EDU>
Date: Fri, 8 Aug 2008 18:22:00 -0600
Daniel,

At a very basic level, it seems intuitive that when faced with the question, "Do you really want to have to provision and support servers, routers, networks, compliance controls for FERPA/PCI/HIPAA/etc., change management procedures, patching, monitoring, securing, storage, backup, recovery/continuity planning, etc., or wouldn't you rather focus on your application?" It seems so simple and intuitive that the answer should be an immediate and emphatic "NO!" that I'm often taken aback that it isn't. Obviously there are many potential reasons for this - inside the box thinking, entropy, trust/service experiences, empire building. Maybe the most obvious is simply a matter of $ and leverage, a lot ends up coming down to that. In the end it is in many ways a question of economics and scarce resources. They taught me that stuff in school but it doesn't seem to translate well into action in this environment.

Good luck in your propositions, the pendulum swings from left to right as we over-correct and see greener grass, the trick is to make that swing less pronounced each time. It still seems that the architecture and core services are a pretty good bet for some level of centralization, but there are a number of scale factors and organizational maturity issues that inform a good selection on the decentralized end, and I'm not sure any of us can provide a really good non-situational solution for you.

Best wishes,

Jim

-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu
303-735-5682
-------------------Boulder------------------------

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, Daniel
Sent: Friday, August 08, 2008 12:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Centralized vs. Decentralized IT

Thank you all for your responses. I think this is a useful conversation.
I'm starting to think that it may be best to have a Central IT collaborate with the departmental IT staff to create an environment where central is responsible for the network (including firewalls/IDS/anti-virus/wireless, the servers and the operating systems) while the departments are responsible for any applications specialized to their areas, including security administration. If the Central IT staff was responsible for the servers, they could also create a uniform back-up process and be responsible for all back-ups (including applications). Currently 17 departments are responsible for their own backups, with inconsistent results. This would also simplify the DR/BC plans and thereby mitigate a few risks there as well.

So far the departments I've reviewed have been of the campus services variety (Parking, transit, physical plant), not really people who can claim academic freedom with a straight face. Maybe they are better candidates than research departments. But I would think even within the research departments this would free up resources so they could focus on their research, and they would still be responsible for their own applications/databases, etc., with all the freedoms to fail that come with it (although this still leaves me with a potential SOD issue).

I've only worked in the University setting since January, and may be very naïve, but I do think a hybrid with Central IT responsible for computer operations and the departments responsible for the applications they run on it, has potential. I come from a finance background, and I've just not seen IT environments like this before.

Thanks Again

Daniel Sarazen, Information Technology Auditor
University Internal Audit
University of Massachusetts President's Office
508-856-2443
781-724-3377 Cell
508-856-8824 Fax
Dsarazen () umassp edu
University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu <http://www.massachusetts.edu/>