Educause Security Discussion mailing list archives
Re: Making the case for security policies and personnel
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Thu, 13 Feb 2003 15:11:58 -0500
I just came across this, and recognized it was most likely addressed to me! Sorry for the delay.

I have several presentations that we've done for the IU Board of Trustees, but those were done in closed session and so I can't share them. I do think there is good information in a presentation that our CIO did at EDUCAUSE 2001. See that at http://www.indiana.edu/~ovpit/presentations/.

The key, as I've said before, and this might be obvious, is to keep things high level. Discuss institutional risks and not individual security vulnerabilities. The Dean of SPEA doesn't care about inetd or NETBios vulnerabilities. The Dean of SPEA cares that student grades might very well be exposed. The Dean of SPEA cares that his email could very well be read by others. The Dean of SPEA cares that he might have to answer pointed questions from the media about why a system was mismanaged -- reporters are getting much more wise and are asking questions like "well, if the vulnerability exploited was such-and-such, there was a patch issued last August. Why wasn't that applied?"

Anecdotally: it happened here just like that. In the media "event" related to one of our two publicized incidents in 2001, the Dean said "our technicians have informed me that the patch you cite wasn't applicable to our server." I was at the table under the lights with him, and all I could do was sit there, knowing he was wrong, and waiting for someone to call him on it. I just hoped they didn't ask me if I agreed. They didn't at the time, but a reporter called me immediately after and asked me about it, and I said that he needed to call the Dean because I wasn't intimately familiar with their technology suite. So glad I took those classes in handling the media.

By the way, when we report to the Trustees in closed session, the Director of Internal Audit is also there, and so our relationship with him and his office is key. They do look to him periodically for comment and input on what we are saying, and he has always absolutely concurred. He has said numerous times "yes, that is definitely consistent with what we saw in our last round of audits." I also get copied on every audit report, and we're asked to comment on many of them where IT security and policy issues are at issue. It is very frequent that our Security Office is mentioned in these as a source for information or security tools. (They and we still disagree on password aging, as I've said here before...but agree on most everything else :)

M.

--
Mark S. Bruhn, CISSP
Chief IT Security and Policy Officer
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326
Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

-----Original Message-----
From: Dorette Kerian [mailto:dorette_kerian () MAIL UND NODAK EDU]
Sent: Friday, February 07, 2003 6:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Making the case for security policies and personnel

Mark,

I heard you speak at Net@edu about making the case for security policies and personnel on your campus. It was helpful information. You talked about the importance of speaking in CEO or cabinet talk rather than technical talk. You also mentioned that you may have a slide show you used on your campus. I'm having difficulty getting traction with the administration on this issue so I'm looking for other approaches. I'd sure appreciate any examples, models you would be willing to share.

Thanks, Mark.

Best wishes,
Dorette

Dorette Kerian, Director, ITSS
Information Technology Systems and Services
University of North Dakota and Higher Education Computer Network
dorette_kerian () mail und nodak edu
701.777-3880, fax 701.777-3978

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.