Educause Security Discussion mailing list archives

Re: Making the case for security policies and personnel


From: Jim Moore <jhmfa () CIS RIT EDU>
Date: Mon, 10 Feb 2003 12:18:29 -0500

Jim,

Thanks for the articles.

One that I use heavily, especially since I am at a technically oriented
university, is "How to Spend a Dollar on Security", which helps me to

1) DeMyth the "technology created the problem, we will fix it with
technology" error

2) Set people's expectations on their *involvement*, learning process,
funds that they will spend on establishing and executing new processes.

3) Give management (who should be used to the costs of organizational
change) a rationale for why the firewall costs $X, but the strategy to
make it operational is $4X.

Good article; I wish that he had cited more sources.

McBride, Patrick, How to Spend a Dollar on Security (November 9, 2000),
Retrieved Aug 16, 2002 from Computerworld website
http://www.computerworld.com/printthis/2000/0,4814,53651,00.html

Jim Wilcox wrote:
ROSI was the popular basis for a case in 2002. No matter what you do,
security is like insurance; you don't get anything new, you just get to
keep what you have. Hard to make that case. Case studies are good. The
penalties on executives that are included in Gramm-Leach-Bliley and
HIPAA are good if that applies.

Good luck,

James Wilcox, CISSP
Director of Business Development
Cylant, Inc.
PO Box 19777
Portland, OR 97280-9777
503 799-8438
james () cylant com
www.cylant.com
CylantSecure, LinuxWorld "Best Security Solution"


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dorette Kerian
Sent: Friday, February 07, 2003 4:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Making the case for security policies and
personnel


And my apologies to everyone on the list for sending this message to the
entire list. AND YET, if anyone else has suggestions in approaches to
making the security case with administration, I'd sure like to hear
more. With regrets, and appreciation, Dorette
dorette.kerian () mail und nodak edu

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at
http://www.educause.edu/memdir/cg/.


--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603

Office: 585-475-5406
Fax:    585-475-7950

PGP (jimmoore () mail rit edu): 9C33 0328  CD59 B602 82B8  8521 0B86 0DC9
963C D0C0
