Educause Security Discussion mailing list archives

Re: Making the case for security policies and personnel


From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Thu, 13 Feb 2003 15:11:58 -0500

I just came across this, and recognized it was most likely addressed to
me!  Sorry for the delay.  

I have several presentations that we've done for the IU Board of
Trustees, but those were done in closed session and so I can't share
them.  I do think there is good information in a presentation that our
CIO did at EDUCAUSE 2001.  See that at
http://www.indiana.edu/~ovpit/presentations/.

The key, as I've said before, and this might be obvious, is to keep
things high level.  Discuss institutional risks and not individual
security vulnerabilities.  The Dean of SPEA doesn't care about inetd or
NetBIOS vulnerabilities.  The Dean of SPEA cares that student grades
might very well be exposed.  The Dean of SPEA cares that his email could
very well be read by others.  The Dean of SPEA cares that he might have
to answer pointed questions from the media about why a system was
mismanaged -- reporters are getting much more wise and are asking
questions like "well, if the vulnerability exploited was such-and-such,
there was a patch issued last August.  Why wasn't that applied?"  

Anecdotally:  it happened here just like that.  In the media "event"
related to one of our two publicized incidents in 2001, the Dean said
"our technicians have informed me that the patch you cite wasn't
applicable to our server."  I was at the table under the lights with
him, and all I could do was sit there, knowing he was wrong, and waiting
for someone to call him on it.  I just hoped they didn't ask me if I
agreed.  They didn't at the time, but a reporter called me immediately
after and asked me about it, and I said that he needed to call the Dean
because I wasn't intimately familiar with their technology suite.  So
glad I took those classes in handling the media.

By the way, when we report to the Trustees in closed session, the
Director of Internal Audit is also there, and so our relationship with
him and his office is key.  They do look to him periodically for comment
and input on what we are saying, and he has always absolutely concurred.
He has said numerous times "yes, that is definitely consistent with what
we saw in our last round of audits."  I also get copied on every audit
report, and we're asked to comment on many of them where IT security and
policy issues are at issue.  It is very frequent that our Security
Office is mentioned in these as a source for information or security
tools.   (They and we still disagree on password aging, as I've said
here before...but agree on most everything else :)

M.

-- 
Mark S. Bruhn, CISSP
Chief IT Security and Policy Officer
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

-----Original Message-----
From: Dorette Kerian [mailto:dorette_kerian () MAIL UND NODAK EDU] 
Sent: Friday, February 07, 2003 6:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Making the case for security policies and personnel


Mark,
I heard you speak at Net@edu about making the case for security
policies and personnel on your campus.  It was helpful information.  You
talked about the importance of speaking in CEO or cabinet talk rather
than technical talk.  You also mentioned that you may have a slide show
you used on your campus.
I'm having difficulty getting traction with the administration on this
issue so I'm looking for other approaches.  I'd sure appreciate any
examples, models you would be willing to share.
Thanks, Mark.
Best wishes,
Dorette

Dorette Kerian, Director, ITSS
Information Technology Systems and Services
University of North Dakota and Higher Education Computer Network
dorette_kerian () mail und nodak edu
701.777-3880, fax 701.777-3978

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at
http://www.educause.edu/memdir/cg/.
