Educause Security Discussion mailing list archives
Re: Centralized security administration
From: "Sadler, Connie" <Connie_Sadler () BROWN EDU>
Date: Thu, 17 Aug 2006 14:19:57 -0400
Hi, Keith.

Our policies here at Brown are reviewed by representatives throughout the University (it takes 6 weeks or so), and everyone knows they apply to the entire community. In fact, once we draft a policy, we pull subject matter experts from IT personnel in different functional areas to work the draft into something that is ready for community review - to make sure we aren't looking at policies through a "centralized" lens. We meet with representatives from the various departments once a month. We also have mailing lists for system administrators and departmental computing coordinators (DCCs - who provide desktop support for their respective departments - or at least make sure that someone is looking after the workstations).

We do a lot of things that reinforce to these folks that we expect certain things from them. We require that they participate in an every-other-year risk assessment that they provide to us (via survey), and we expect them to provide contact information regarding who is responsible for patching, anti-virus, firewall protection, etc., etc. - and this initiates a lot of requests for support from our central organization. Internal Audit and IT Security both make sure that the individuals whom we hold accountable *know* that we are holding them accountable. That makes the difference! We establish a lot of partnerships in order to make things work. We still have a lot of work to do, but so far, so good. We have support from our executive administrators here, and that comes through our CIO, who helps to ensure we have the support we need.

Our IDS system gives us information about events all over campus. If a machine is compromised in a particular department, we shut it off until it is rebuilt - and we require the contact (DCC or SysAdmin) to answer questions about the incident. They have to tell us who uses the machine, how it was (or could have been) compromised, what information was on the machine, and what they can do to prevent a recurrence.
I hope this helps, and if you have any other questions, let me know. We have no problem with decentralized IT personnel, as long as they work with us. In fact, I don't think we could possibly provide the level of service necessary in some of these areas from a central organization. We let all of the IT personnel know that we are all on equal footing, that we are collectively responsible for the security of the systems and networks our users depend on. The bottom line is that if departments want to manage their own IT, that's fine, but they assume responsibility and accountability for securing that IT as well - with help and guidance from us, of course!

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer
Brown University
Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
Office: 401-863-7266

-----Original Message-----
From: Hunt,Keith A [mailto:keith () UAKRON EDU]
Sent: Thursday, August 17, 2006 11:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Centralized security administration

I was having a conversation with our CIO recently about the difficulties faced by a central IT department asked to assume responsibility for the security posture of servers owned and managed by non-IT departments. He asked me how other universities address this issue. So here I am asking you kind folks.

Have you been able to establish effective policies and procedures that provide for central IT personnel to oversee the security aspects of non-IT devices (especially servers and network equipment)? Have you developed some other approach that works better? How do you reconcile the need for decentralized systems/network admin functions with the need for an enterprise approach to security?

TIA

--
Keith Hunt
330.972.7968
keith () uakron edu
Internet & Server Systems
The University of Akron