Educause Security Discussion mailing list archives
Re: Security Measures for InfoSec Progam - was Recommendations On Cabinet Level InfoSec position
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Wed, 16 Jul 2003 15:30:28 -0500
I neglected to say, and if you follow the URL and look at the reports you will notice, that we DO NOT measure user satisfaction for Security Administration, though most other services have that figure listed.

M.

--
Mark S. Bruhn, CISSP
Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information Sharing and Analysis Center (ren-isac () iu edu)
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326
Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

-----Original Message-----
From: Bruhn, Mark S.
Sent: Wednesday, July 16, 2003 3:14 PM
To: 'The EDUCAUSE Security Discussion Group Listserv'
Subject: RE: [SECURITY] Security Measures for InfoSec Progam - was Recommendations On Cabinet Level InfoSec position

Yes, this is tough. When I do reports, even to the Trustees, I have to caveat statistics that show an increase in intrusion attempts with the fact that we are certainly experiencing more probes (for example), but that because we are becoming known as the place where things are reported, more technicians are reporting probes as well. So, I can't report the actual delta.

Same thing when reporting vulnerability scan results: can't really use those to show a decrease in risks found and equate that to an increase in security attention. Too many other factors involved. Heaven forbid I should sample from the scan database right after a release of a popular operating system.

So, we have been saying exactly the same thing: we are going to get more reports of incidents, not necessarily because they are increasing, which may or may not be the case, but because more are being reported to us.
Right now, in our formal Cost and Quality of Service program (which I think everyone can get to at http://www.indiana.edu/~uits/business/report_on_cost_and_quality_of_services.html) we count Consulting Engagements (by the IT Security Office), Total Scans Performed (by technicians), and Unique Systems Scanned, all as measures of a hopefully-increasing attention to security on the part of departments. We'll go with these for a while, and then we'll have to find something a bit more useful.

M.

-----Original Message-----
From: Jim Moore [mailto:jhmfa () RIT EDU]
Sent: Wednesday, July 16, 2003 2:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Measures for InfoSec Progam - was Recommendations On Cabinet Level InfoSec position

I have enjoyed it as well. I find academia usually has the model of the ISO reporting to the CIO or VP of IT. That is not how things are set up here. We are set up more like a high value data, checks and balances system. This structure, from my experience, is more common in banks, government, and some corporations. I have a great CIO, who is interested in security. So I have no complaints. But I do have a fear.

History shows that common measures for an IT department are things like customer satisfaction. Customer Sat is often driven by ease of use. Security and ease of use come from "transparent" expert-based security. The steady rise in the hostility of the Internet environment, combined with the steady (exponential) rise in reported vulnerabilities, demands either fewer systems or a broader security base.

Logically you can produce fewer systems through standardization, which is very difficult in an academic environment with diverse research and interests. Broadening the base means more user-level security, which often is a lightning rod for poor customer satisfaction. I have been preparing my institution that as we get better at security (and better at detection), security will appear to get worse, from a number-of-incidents standpoint. I mentioned this to a friend on our Criminal Justice faculty who teaches computer crime, and he said "Sure, it happens with police too, more police, more reported crime. You just don't have the right measures."

So here is my question, what drives a CIO? What are the measures used to determine that they are doing well in security?

Jim

Rodney Petersen wrote:
I have enjoyed reading the lively, although diverse, responses to the original question. Jim, I think what you were looking for was the letter from ACE President David Ward to all college and university presidents this past February (http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm). The specific recommendation states:

Establish responsibility for campus-wide Cybersecurity at the cabinet level. At a large university, this responsibility might be assigned to the Chief Information Officer. At a small college, this person may have responsibility for many areas, including the institutional computing environment.

Additionally, the National Strategy to Secure Cyberspace (www.securecyberspace.gov) states that "colleges and universities are encouraged to secure their cyber systems by establishing . . . model guidelines empowering Chief Information Officers (CIOs) to address cybersecurity" (A/R 3-5).

Please let me know if you have any further questions.

Rodney Petersen
Project Director, Security Task Force
EDUCAUSE
-----------------------------------------------------------------------

At the Educause security professionals workshop, I believe that someone mentioned that a college/university presidents group had a task force which made the recommendation that a cabinet level position for Information Security be created at colleges/universities. Does anyone have a reference? Does anyone have the text of the report/recommendation letter?

Jim

--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax: (585)475-7950
PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0
**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
Current thread:
- Re: Security Measures for InfoSec Progam - was Recommendations On Cabinet Level InfoSec position Jim Moore (Jul 16)
- <Possible follow-ups>
- Re: Security Measures for InfoSec Progam - was Recommendations On Cabinet Level InfoSec position Theresa M Rowe (Jul 16)
- Re: Security Measures for InfoSec Progam - was Recommendations On Cabinet Level InfoSec position Bruhn, Mark S. (Jul 16)
- Re: Security Measures for InfoSec Progam - was Recommendations On Cabinet Level InfoSec position Bruhn, Mark S. (Jul 16)