Educause Security Discussion mailing list archives
Re: Centralized security administration
From: "Sadler, Connie" <Connie_Sadler () BROWN EDU>
Date: Fri, 18 Aug 2006 14:07:55 -0400
Nothing formal, but I have the support I need, because everyone knows that assessing risk and knowing where we have exposures and taking action to remediate them is just good common sense.

As far as getting people to respond, I just call them until they do. They know I will keep at it. If someone is non-responsive, I'll find a way to get to them. I do it in a positive way, but it's hard for anyone not to respond. I'll also escalate my request if I need to. It's part of my job, and to tell you the truth, I assume the authority. I'd feel personally negligent if I didn't require people to follow up.

As far as support, for small requests, we take them through our Help Desk. For larger requests (please manage our server for us, because we don't have the technical expertise to do it properly), we have a high-level advisory group to help with priorities and funding issues.

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
Director, IT Security, Brown University
Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
Office: 401-863-7266
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA 91E3 8EFB

-----Original Message-----
From: Hunt,Keith A [mailto:keith () UAKRON EDU]
Sent: Friday, August 18, 2006 1:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Centralized security administration

Hi Connie,

Thanks very much for your reply. You say that everyone knows your policies apply across the community, and you "require" that they go through the risk assessment. Do you have a *formal* directive from Somewhere High Up that allows you to hold folks accountable?

When your survey tool generates these requests for support, how are the requests handled?

-- Keith

-----Original Message-----
From: Sadler, Connie [mailto:Connie_Sadler () BROWN EDU]
Sent: Thursday, August 17, 2006 2:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Centralized security administration

Hi, Keith.

Our policies here at Brown are reviewed by representatives throughout the University (it takes 6 weeks or so), and everyone knows they apply to the entire community. In fact, once we draft a policy, we pull subject matter experts from IT personnel in different functional areas to work the draft into something that is ready for community review - to make sure we aren't looking at policies through a "centralized" lens.

We meet with representatives from the various departments once a month. We also have mailing lists for system administrators and departmental computing coordinators (DCCs - who provide desktop support for their respective departments - or at least make sure that someone is looking after the workstations). We do a lot of things that reinforce to these folks that we expect certain things from them. We require that they participate in an every-other-year risk assessment that they provide to us (via survey), and we expect them to provide contact information regarding who is responsible for patching, anti-virus, firewall protection, etc., etc. - and this initiates a lot of requests for support from our central organization.

Internal Audit and IT Security both make sure that the individuals whom we hold accountable *know* that we are holding them accountable. That makes the difference! We establish a lot of partnerships in order to make things work. We still have a lot of work to do, but so far, so good. We have support from our executive administrators here, and that comes through our CIO, who helps to ensure we have the support we need.

Our IDS system gives us information about events all over campus. If a machine is compromised in a particular department, we shut it off until it is rebuilt - and we require the contact (DCC or SysAdmin) to answer questions about the incident. They have to tell us who uses the machine, how it was (or could have been) compromised, what information was on the machine, and what they can do to prevent a recurrence.

I hope this helps, and if you have any other questions, let me know. We have no problem with decentralized IT personnel, as long as they work with us. In fact, I don't think we could possibly provide the level of service necessary in some of these areas from a central organization. We let all of the IT personnel know that we are all on equal footing, that we are collectively responsible for the security of the systems and networks our users depend on. The bottom line is that if departments want to manage their own IT, that's fine, but they assume responsibility and accountability for securing that IT as well - with help and guidance from us, of course!

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer
Brown University
Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
Office: 401-863-7266

-----Original Message-----
From: Hunt,Keith A [mailto:keith () UAKRON EDU]
Sent: Thursday, August 17, 2006 11:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Centralized security administration

I was having a conversation with our CIO recently about the difficulties faced by a central IT department asked to assume responsibility for the security posture of servers owned and managed by non-IT departments. He asked me how other universities address this issue. So here I am asking you kind folks.

Have you been able to establish effective policies and procedures that provide for central IT personnel to oversee the security aspects of non-IT devices (especially servers and network equipment)? Have you developed some other approach that works better? How do you reconcile the need for decentralized systems/network admin functions with the need for an enterprise approach to security?

TIA

-- Keith Hunt
330.972.7968
keith () uakron edu
Internet & Server Systems
The University of Akron
Current thread:
- Centralized security administration Hunt,Keith A (Aug 17)
- <Possible follow-ups>
- Re: Centralized security administration Bob Kehr (Aug 17)
- Re: Centralized security administration Sadler, Connie (Aug 17)
- Re: Centralized security administration Tom Davis (Aug 18)
- Re: Centralized security administration Hunt,Keith A (Aug 18)
- Re: Centralized security administration Hunt,Keith A (Aug 18)
- Re: Centralized security administration Valdis Kletnieks (Aug 18)
- Re: Centralized security administration Sadler, Connie (Aug 18)
- Re: Centralized security administration Hunt,Keith A (Aug 18)
- Re: Centralized security administration Robert Ono (Aug 18)
- Re: Centralized security administration Valdis Kletnieks (Aug 18)
- Re: Centralized security administration Cal Frye (Aug 18)
- Re: Centralized security administration Harold Winshel (Aug 18)
- Re: Centralized security administration Geoff Nathan (Aug 19)