Educause Security Discussion mailing list archives

Re: Recommendations On Cabinet Level InfoSec position


From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Tue, 15 Jul 2003 08:35:52 -0500

In that case, anything you report to the CIO is subservient.  :-)

1)  A very good CIO is what is required to make this work.  A CIO that
doesn't have broad experiences and can't use good judgement about
setting priorities, assigning resources, and resolving conflicts isn't a
good CIO.  
2)  A good Security Officer gets involved in physical security of IT
resources as well (we do, heavily, and are expected to do so by our good
CIO :) and interacts often with physical facilities staff as well as
police.

M.


-- 
Mark S. Bruhn, CISSP

Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information
Sharing and Analysis Center (ren-isac () iu edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu




-----Original Message-----
From: Jim Wilcox [mailto:jim () WILCOXS NET] 
Sent: Monday, July 14, 2003 5:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Recommendations On Cabinet Level InfoSec
position


Just my two cents.

First, how do you ensure information security if you can't ensure
security in the other (e.g., physical) domains? That being the case, it
makes no sense to create a CISO.

Second, if your CISO (presuming that one makes that mistake) reports to
the CIO, you are making security subservient. I liken it to routers and
firewalls. Routers are all about providing access to information (this
is a simplistic comparison for the sake of making a point); firewalls
are all about controlling information. Which is more important? Neither.
But, when the CISO reports to the CIO, security will often (if not
always) be an afterthought.

In the end, we all have to do what our organizations will allow us to
do, but in terms of organizational architecture, it is pretty easy to
draw the cause and effect drawing on this one.

Once security is integrated into how we do everything, the CSO role may
become unnecessary. We are far from that.

Cheers,

James R. Wilcox, CISSP
10433 SW 53rd Ave
Portland, OR 97219-5837
503 245-6934
jim () wilcoxs net

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bruhn, Mark S.
Sent: Monday, July 14, 2003 2:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Recommendations On Cabinet Level InfoSec
position


Frankly, I'm not completely sure I understand this.  Most campuses have
a security department or police department, or hire that out to a guard
services company.  Are you suggesting that whomever leads this unit also
be responsible for IT security, and that this person report to the
President or CEO?

A lot of campuses haven't even been successful in getting the person
responsible for security to report to the CIO yet.  In any case, the
person responsible for all of IT on campus or within the university or
college should report to the President, and is the person to whom the IT
security officer should report.  That's the only realistic situation,
inasmuch as what Dan says is true: there is a need for continuous
interactions between the CIO and the security officer, as they are the
partnership that will (and must) know what the issues are and how to
translate those into institutional risks (there I go again), and will
ultimately cause an improvement of IT security on the campus.  They have
the focus as part of their responsibilities.  A president is mired in
far too broad a responsibility set to participate in such a partnership.

M.

--
Mark S. Bruhn, CISSP

Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information
Sharing and Analysis Center (ren-isac () iu edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu




-----Original Message-----
From: Jim Wilcox [mailto:jim () WILCOXS NET]
Sent: Saturday, July 12, 2003 7:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Recommendations On Cabinet Level InfoSec
position


The CSO should definitely *not* report to the CIO, but to the
CEO/President.

For one thing, as Howard Schmidt emphasized while he was at Microsoft
(not touting MS as a paragon of security, but Howard left that gig to
work for the President of the US via Richard Clarke and is the former
President of the ISSA Int'l.), there is no such thing as a CISO.
Therefore, subjugating a CSO to a CIO not only diminishes the position,
but also ignores the 80% of the job that does not relate to information
technology.

James R. Wilcox, CISSP
10433 SW 53rd Ave
Portland, OR 97219-5837
503 245-6934
jim () wilcoxs net

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of art
Sent: Thursday, July 10, 2003 5:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Recommendations On Cabinet Level InfoSec
position


Here at the U of New Mexico we are close to advertising for an
information security officer, functionally the most senior one on
campus, and this individual will report initially to the highest ranking
IT official on campus (currently an Associate VP), but eventually to the
CIO when that position is created.

Art St. George

--On Wednesday, July 09, 2003 5:25 PM -0500 Dan Updegrove
<updegrove () MAIL UTEXAS EDU> wrote:

Jim,

It's hard for me to imagine that a President's group would have
advocated another direct report, especially in a domain that most of
them would consider to be (as William F. Buckley said of ocean
sailing) "90% boredom and 10% terror."

IMHO, the appropriate reporting line for ISO is to the CIO -- and the
CIO should be at the cabinet level. I simply cannot imagine that an
ISO would receive from a president the supervision and support needed
to be effective. In practice, such a "cabinet level" ISO would report
to a "deputy to the president," who is also too busy and non-technical
to provide support.

Regards,
Dan Updegrove


At 05:15 PM 7/9/2003, Jim Moore wrote:
At the Educause security professionals workshop, I believe that
someone mentioned that a college/university presidents group had a
task force which made the recommendation that a cabinet level
position for Information Security be created at
colleges/universities.

Does anyone have a reference?

Does anyone have the text of the report/recommendation letter?

Jim
--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax:       (585)475-7950

PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C
D0C0

**********
Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/memdir/cg/.


VP  for Information Technology          Phone (512) 232-9610
The University of Texas at Austin       Fax (512) 232-9607
FAC 248 (Mail code: G9800)              d.updegrove () its utexas edu
P.O. Box 7407
http://wnt.utexas.edu/~danu/ Austin, TX 78713-7407
