Educause Security Discussion mailing list archives

Re: Size of IT Security Department

From: Angel L Cruz <cruz () AUSTIN UTEXAS EDU>
Date: Thu, 28 Aug 2003 11:49:27 -0500

Alex:

Let me give you a 2 part answer concerning institutional security
staffing -

We have 4 full time (myself included) and 1 part time. We will add 2
full time staffers very shortly (we'll have gone from 2.5 to 6.5 in just
over a year). I suspect we will continue to grow, but at a pace
appropriate to our budget, risk profile, IT environment, etc.

Our environment includes 6500 residents among our 52,000 students;
45,000 university-owned machines inside our border on any given day;
21,000 faculty/staff; 40,000 + personally owned computers that regularly
access our network from outside and inside to perform university
business (student, faculty, staff, and researcher desktop and laptop
machines).


How do you determine what the proper size is for your operation?

Consider 2 operational scenarios - emergency and day-to-day:

Emergency: We engage a Response Team comprised of our entire ISO staff
along with significant portions of central Networking, Systems, and User
Services staff - all working to guide and support technical support
staff from our over 200 departments. Clearly, without that model, we
could not efficiently or effectively contain such events as seen the
last 4 1/2 weeks - my ISO staff was devoted completely to triage and
remediation support.

Day to day operations: We consider our key incident management functions
first (detection, triage, response, forensics, reporting), then factor
in what services our office can provide/hopes to provide to the campus.

Some issues to consider include:

Do you or will you:

- Support central or department security architecting and management?
- Manage IDS, IDP, Firewall, VPN resources, or share duties?
- Perform centralized or support distributed security scanning?
- Perform institutional or departmental security audits?
- Manage/support centralized or department IT disaster planning?
- Develop security or IT policy and standards?
- Create and deliver security awareness courses?
- Deliver security courses to technical staff?
- Test and evaluate security technologies?
- Participate in institutional IT projects?
- Consider additional security staff in major technology implementations
or upgrades?

Hope this helps your presentation.


Mr. Angel L. Cruz, BS
Director & University ISO
ITS - Information Security Office
The University of Texas at Austin
1 University Station, #G0900
Austin, Texas 78712-0557
(512) 475-9462
cruz () austin utexas edu
 
++++++++++++++++++++++++++++++++++++++++++++
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
system manager. If you are not the named addressee you should not
distribute or copy this e-mail. Please notify the sender immediately if
you have received this e-mail by mistake and delete this e-mail from
your system. If you are not the intended recipient you are notified that
disclosing, copying, distributing or taking any action in reliance on
the contents of this information is prohibited.
++++++++++++++++++++++++++++++++++++++++++++



-----Original Message-----
From: Alex Campoe [mailto:campoe () USF EDU] 
Sent: Thursday, August 28, 2003 10:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Size of IT Security Department

Hello folks

I am watching the discussions on Residence Halls and a question came to
mind. How many people are usually working in your security department?

We have about 3,000 students in our Residence Halls, 16,000 active
machines during the day, and 6,600 faculty/staff on campus. Being
proactive in terms of training, burning CDs, etc, is almost out of the
question since we have a total of 40 hours full time and 40 hours part
time invested on security. Surprisingly enough, we managed to do a
pretty good job containing everything that hit us during the past weeks,
  at the expense of some VERY long work days.

I am about do a presentation to high level University officers on the
state of campus security and would like to make some comparissons.

Thanks

Alex


--
----------------
J. Alex Campoe
Associate Director, Systems Group and Data Security Administrator
Academic Computing, University of South Florida
Phone: (813) 974-1796

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

Current thread:

Size of IT Security Department Alex Campoe (Aug 28)
- <Possible follow-ups>
- Re: Size of IT Security Department Tammy Clark (Aug 28)
- Re: Size of IT Security Department Carol Myers (Aug 28)
- Re: Size of IT Security Department Dewitt Latimer (Aug 28)
- Re: Size of IT Security Department Allen Chang (Aug 28)
- Re: Size of IT Security Department Angel L Cruz (Aug 28)
- Re: Size of IT Security Department Nick Tate (Aug 28)