Educause Security Discussion mailing list archives

Re: Security Measures for InfoSec Program - was Recommendations On Cabinet Level InfoSec position


From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Wed, 16 Jul 2003 15:14:26 -0500

Yes, this is tough.  

When I do reports, even to the Trustees, I have to caveat statistics
that show an increase in intrusion attempts with the fact that we are
certainly experiencing more probes (for example) but that because we are
becoming known as the place where things are reported, more technicians
are reporting probes as well.  So, I can't report the actual delta.

Same thing when reporting vulnerability scan results: can't really use
those to show a decrease in risks found and equate that to an increase
in security attention.  Too many other factors involved.  Heaven forbid
I should sample from the scan database right after a release of a
popular operating system.

So, we have been saying exactly the same thing: we are going to get more
reports of incidents, not necessarily because they are increasing, which
may or may not be the case, but because more are being reported to us.

Right now, in our formal Cost and Quality of Service program (which I
think everyone can get to at

http://www.indiana.edu/~uits/business/report_on_cost_and_quality_of_services.html)

we count Consulting Engagements (by the IT Security Office), Total Scans
Performed (by technicians), Unique Systems Scanned, all as measures of a
hopefully-increasing attention to security on the part of departments.
We'll go with these for a while, and then we'll have to find something a
bit more useful.

M.

-- 
Mark S. Bruhn, CISSP

Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information
Sharing and Analysis Center (ren-isac () iu edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu




-----Original Message-----
From: Jim Moore [mailto:jhmfa () RIT EDU] 
Sent: Wednesday, July 16, 2003 2:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Measures for InfoSec Program - was
Recommendations On Cabinet Level InfoSec position


I have enjoyed it as well.  I find academia usually has the model of the
ISO reporting to the CIO or VP of IT.  That is not how things are set up
here.  We are set up more like a high value data, checks and balances
system.  This structure, from my experience, is more common in banks,
government, and some corporations.  I have a great CIO, who is
interested in security.  So I have no complaints.

But I do have a fear.  History shows that common measures for an IT
department are things like customer satisfaction.  Customer Sat is often
driven by ease of use.  Security and ease of use come from "transparent"
expert based security.  The steady rise in the hostility of the Internet
environment, combined with the steady (exponential) rise in reported
vulnerabilities, demands either fewer systems, or a broader security
base.  Logically you can produce fewer systems through standardization,
which is very difficult in an academic environment with diverse
research, and interests.  Broadening the base means more user level
security, which oftentimes is a lightning rod for poor customer
satisfaction.

I have been preparing my institution that as we get better at security
(and better at detection) security will appear to get worse, from a
number of incidents standpoint.  I mentioned this to a friend on our
Criminal Justice faculty who teaches computer crime, and he said "Sure,
it happens with police too, more police, more reported crime.  You just
don't have the right measures."

So here is my question, what drives a CIO? What are the measures used to
determine that they are doing well in security?

Jim

Rodney Petersen wrote:
I have enjoyed reading the lively, although diverse, responses to the
original question.  Jim, I think what you were looking for was the
letter from ACE President David Ward to all college and university
presidents this past February
(http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm).

The specific recommendation states:

Establish responsibility for campus-wide Cybersecurity at the cabinet
level. At a large university, this responsibility might be assigned to
the Chief Information Officer. At a small college, this person may have
responsibility for many areas, including the institutional computing
environment.

Additionally, the National Strategy to Secure Cyberspace
(www.securecyberspace.gov) states that "colleges and universities are
encouraged to secure their cyber systems by establishing . . . model
guidelines empowering Chief Information Officers (CIOs) to address
cybersecurity" (A/R 3-5).

Please let me know if you have any further questions.

Rodney Petersen
Project Director, Security Task Force
EDUCAUSE


-----------------------------------------------------------------------


At the Educause security professionals workshop, I believe that someone
mentioned that a college/university presidents group had a task force
which made the recommendation that a cabinet level position for
Information Security be created at colleges/universities.

Does anyone have a reference?

Does anyone have the text of the report/recommendation letter?

Jim
--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax:       (585)475-7950

PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at
http://www.educause.edu/memdir/cg/.




