Educause Security Discussion mailing list archives

Re: Security Measures for InfoSec Program - was Recommendations On Cabinet Level InfoSec position


From: Theresa M Rowe <rowe () OAKLAND EDU>
Date: Wed, 16 Jul 2003 15:35:18 -0400

Very interesting question -

So here is my question, what drives a CIO? What are the measures used to
determine that they are doing well in security?


Like the analogy to police, I like to look at preventive
measures or statistics as well as the weaknesses that still
exist.  For me, I look at how well the weaknesses are
identified, how well the risks exposed by that weakness are
presented, and what reasonable steps have been proposed,
accepted, implemented.  These are more measures of progress
than thinking there's some end nirvana of security that must
be achieved.

My knowledge base indicates that new security weaknesses are
identified all the time - new viruses or worms, new operating
system holes, new awareness about possible crimes.

Can my security staff maintain a credible list of these
weaknesses?  Can we put a dollar or time or some sort of
value on the item exposed by the risk?  Can we show some sort
of progress on mitigation steps each year?  Can we show
ongoing diligence that would provide a sense of security to
those who trust we are doing all we can?

Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services
