Re: Centralized security administration

["Sadler, Connie" <Connie_Sadler () BROWN EDU>]

Nothing formal, but I have the support I need, because everyone knows
that assessing risk and knowing where we have exposures and taking
action to remediate them is just good common sense. As far as getting
people to respond, I just call them until they do. They know I will keep
at it. If someone is non-responsive, I'll find a way to get to them. I
do it in a positive way, but it's hard for anyone not to respond. I'll
also escalate my request if I need to. It's part of my job, and to tell
you the truth, I assume the authority. I'd feel personally negligent if
I didn't require people to follow up.

As far as support, for small requests, we take them through our Help
Desk. For larger requests (please manage our server for us, because we
don't have the technical expertise to do it properly), we have a
high-level advisory group to help with priorities and funding issues.

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC Director, IT Security, 
Brown University Box 1885, Providence, RI 02912 
Connie_Sadler () Brown edu
Office: 401-863-7266
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA 91E3 8EFB

-----Original Message-----
From: Hunt,Keith A [mailto:keith () UAKRON EDU] 
Sent: Friday, August 18, 2006 1:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Centralized security administration

Hi Connie,

Thanks very much for your reply.

You say that everyone knows your policies apply across the community,
and you "require" that they go through the risk assessment. Do you have
a *formal* directive from Somewhere High Up that allows you to hold
folks accountable?

When your survey tool generates these requests for support, how are the
requests handled?

--
Keith
 

> -----Original Message-----
> From: Sadler, Connie [mailto:Connie_Sadler () BROWN EDU]
> Sent: Thursday, August 17, 2006 2:20 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Centralized security administration
>
>  
> Hi, Keith.
>
> Our policies here at Brown are reviewed by representatives throughout 
> the University (it takes 6 weeks or so), and everyone knows they apply

> to the entire community. In fact, once we draft a policy, we pull 
> subject matter experts from IT personnel in different functional areas

> to work the draft into something that is ready for community review - 
> to make sure we aren't looking at policies through a "centralized" 
> lens.
>
> We meet with representatives from the various departments once a 
> month.
> We also have mailing lists for system administrators and departmental 
> computing coordinators (DCCs - who provide desktop support for their 
> respective departments - or at least make sure that someone is looking

> after the workstations).
>
> We do a lot of things that reinforce to these folks that we expect 
> certain things from them. We require that they participate in an 
> every-other-year risk assessment that they provide to us (via survey),

> and we expect them to provide contact information regarding who is 
> responsible for patching, anti-virus, firewall protection, etc., etc. 
> - and this initiates a lot of requests for support from our central 
> organization. Internal Audit and IT Security both make sure that the 
> individuals whom we hold accountable *know* that we are holding them 
> accountable. That makes the difference! We establish a lot of 
> partnerships in order to make things work. We still have a lot of work

> to do, but so far, so good. We have support from our executive 
> administrators here, and that comes through our CIO, who helps to 
> ensure we have the support we need.
>
> Our IDS system gives us information about events all over campus. If a

> machine is compromised in a particular department, we shut it off 
> until it is rebuilt - and we require the contact (DCC or SysAdmin) to 
> answer questions about the incident. They have to tell us who uses the

> machine, how it was (or could have been) compromised, what information

> was on the machine, and what they can do to prevent a recurrence.
>
> I hope this helps, and if you have any other questions, let me know. 
> We have no problem with decentralized IT personnel, as long as they 
> work with us. In fact, I don't think we could possibly provide the 
> level of service necessary in some of these areas from a central 
> organization. We let all of the IT personnel know that we are all on 
> equal footing, that we are collectively responsible for the security 
> of the systems and networks our users depend on. The bottom line is 
> that if departments want to manage their own IT, that's fine, but they

> assume responsibility and accountability for securing that IT as well 
> - with help and guidance from us, of course!
>
> Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC IT Security Officer Brown

> University Box 1885, Providence, RI 02912 Connie_Sadler () Brown edu
> Office: 401-863-7266
>
>
> -----Original Message-----
> From: Hunt,Keith A [mailto:keith () UAKRON EDU] 
> Sent: Thursday, August 17, 2006 11:20 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Centralized security administration
>
> I was having a conversation with our CIO recently about the 
> difficulties
> faced by a central IT department asked to assume 
> responsibility for the
> security posture of servers owned and managed by non-IT departments.
>
> He asked me how other universities address this issue. So here I am
> asking you kind folks.
>
> Have you been able to establish effective policies and procedures that
> provide for central IT personnel to oversee the security aspects of
> non-IT devices (especially servers and network equipment)?  Have you
> developed some other approach that works better? How do you reconcile
> the need for decentralized systems/network admin functions 
> with the need
> for an enterprise approach to security?
>
> TIA
>
> --
> Keith Hunt  330.972.7968  keith () uakron edu Internet & Server 
> Systems The
> University of Akron