Educause Security Discussion mailing list archives
Re: Integrating security in IT processes
From: Brian J Smith-Sweeney <bsmithsweeney () NYU EDU>
Date: Thu, 15 Nov 2012 11:50:53 -0500
In terms of getting security involved in IT projects, folks that I've talked to have had success inserting security into some or all of the following points along the project pipeline:

1) Project Management Office/Group/Process: security as milestones, part of the project intake process, etc.
2) Legal: Security review as a requirement before OLC will sign off on a contract
3) Procurement: Security review as a requirement before Purchasing/Finance/etc. gives out the money
4) Insurance/Risk Management: Security review as an input into the overall risk management and insurance conversation

You could also translate "requirement" into "advised" in each of the above, depending on the level of authority or responsibility the security group has.

We have contacts in each of the above areas, but we've really focused our efforts on formalizing security's integration into the IT project management process. That begins at project intake with a brief series of questions in our project tracking system. Whenever anyone enters a project, they're required to provide information about the classification of the systems and data involved in the project[1]. That information guides the level of involvement for the security group; low criticality systems might just get a quick once-over, but the presence of a high criticality system and/or Restricted data means that project gets a security analyst assigned to it. The security consulting process itself then has a number of steps that align with the various phases of our IT project management process.

I've done some internal presenting on this process and hope to some day provide our documentation to the broader higher-ed community, but we're not quite there yet :). I am, however, happy to chat offline if you have questions on the above.
[1] https://www.nyu.edu/its/policies/sec_ref.html

Cheers,
Brian

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Smith-Sweeney
Assistant Director
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Tue, Nov 13, 2012 at 11:56 AM, Andy Scott <Andy_Scott () bcit ca> wrote:
Hi,

I am looking at improving the integration of information security in IT processes (project development, maintenance, etc.). I am interested in what others have successfully done to improve the integration of security.

Thanks.

_________________
Andy Scott, CISSP
Information Security Officer, IT Services
British Columbia Institute of Technology
3700 Willingdon Ave, Burnaby, BC, V5G 3H2
Tel: 604-432-8683
Mobile: 778-928-2444
Email: andy_scott () bcit ca
Web: bcit.ca/its/security
Current thread:
- Integrating security in IT processes Andy Scott (Nov 13)
- Re: Integrating security in IT processes McCrary, Barbara (Nov 13)
- Re: Integrating security in IT processes randy (Nov 13)
- Re: Integrating security in IT processes Bob Bayn (Nov 14)
- Re: Integrating security in IT processes randy (Nov 13)
- Re: Integrating security in IT processes Brian J Smith-Sweeney (Nov 15)
- Re: Integrating security in IT processes Manjak, Martin (Nov 15)
- Re: Integrating security in IT processes McCrary, Barbara (Nov 13)