Educause Security Discussion mailing list archives

Re: Centralized security administration


From: "Sadler, Connie" <Connie_Sadler () BROWN EDU>
Date: Thu, 17 Aug 2006 14:19:57 -0400

 
Hi, Keith.

Our policies here at Brown are reviewed by representatives throughout
the University (it takes 6 weeks or so), and everyone knows they apply
to the entire community. In fact, once we draft a policy, we pull
subject matter experts from IT personnel in different functional areas
to work the draft into something that is ready for community review - to
make sure we aren't looking at policies through a "centralized" lens.

We meet with representatives from the various departments once a month.
We also have mailing lists for system administrators and departmental
computing coordinators (DCCs - who provide desktop support for their
respective departments - or at least make sure that someone is looking
after the workstations).

We do a lot of things that reinforce to these folks that we expect
certain things from them. We require that they participate in an
every-other-year risk assessment that they provide to us (via survey),
and we expect them to provide contact information regarding who is
responsible for patching, anti-virus, firewall protection, etc., etc. -
and this initiates a lot of requests for support from our central
organization. Internal Audit and IT Security both make sure that the
individuals whom we hold accountable *know* that we are holding them
accountable. That makes the difference! We establish a lot of
partnerships in order to make things work. We still have a lot of work
to do, but so far, so good. We have support from our executive
administrators here, and that comes through our CIO, who helps to ensure
we have the support we need.

Our IDS system gives us information about events all over campus. If a
machine is compromised in a particular department, we shut it off until
it is rebuilt - and we require the contact (DCC or SysAdmin) to answer
questions about the incident. They have to tell us who uses the machine,
how it was (or could have been) compromised, what information was on the
machine, and what they can do to prevent a recurrence.

I hope this helps, and if you have any other questions, let me know. We
have no problem with decentralized IT personnel, as long as they work
with us. In fact, I don't think we could possibly provide the level of
service necessary in some of these areas from a central organization. We
let all of the IT personnel know that we are all on equal footing, that
we are collectively responsible for the security of the systems and
networks our users depend on. The bottom line is that if departments
want to manage their own IT, that's fine, but they assume responsibility
and accountability for securing that IT as well - with help and guidance
from us, of course!

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer
Brown University Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
Office: 401-863-7266


-----Original Message-----
From: Hunt,Keith A [mailto:keith () UAKRON EDU] 
Sent: Thursday, August 17, 2006 11:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Centralized security administration

I was having a conversation with our CIO recently about the difficulties
faced by a central IT department asked to assume responsibility for the
security posture of servers owned and managed by non-IT departments.

He asked me how other universities address this issue. So here I am
asking you kind folks.

Have you been able to establish effective policies and procedures that
provide for central IT personnel to oversee the security aspects of
non-IT devices (especially servers and network equipment)?  Have you
developed some other approach that works better? How do you reconcile
the need for decentralized systems/network admin functions with the need
for an enterprise approach to security?

TIA

--
Keith Hunt  330.972.7968  keith () uakron edu
Internet & Server Systems
The University of Akron