Educause Security Discussion mailing list archives

Re: SECURITY Digest - 5 Jun 2008 to 6 Jun 2008 (#2008-106)


From: "Erwin L. Carrow" <erwin.carrow () USG EDU>
Date: Mon, 9 Jun 2008 08:09:49 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It is the opinion of many at our organization that each of these support
systems is of benefit and value when part of a comprehensive
solution.  We are currently working on a similar type of integration of
the various frameworks on an informal level.  Since we must assess 37
different universities, colleges, or agencies it becomes very evident
that one size does not fit all.  Yet we have seen that if we take a look
at each individual organization's _business requirements and rules for
IT and the associated business practices_, a clear framework is
evident and sound for mitigating risk.  This framework requires a
starting point to allow / afford the flexibility needed to accomplish
the mission of the organization.  I am convinced that COBIT is that
place to start because it imposes a top down decision making criterion.
Often the other components mentioned (ISO, NIST, ITIL, etc.) are
controls used to address the "mitigation of risk" to be imposed upon
technology in order to do business or accomplish the organizational
mission.  The mistake often made is to create a list from the ISO, NIST,
ITIL, etc. to mitigate risk (though very beneficial) and then impose
this upon the mission or business requirements and thereby often cripple
its capability or functional intent.  The educational system in general
(someone is going to shoot me down for the obvious, but it must be
stated) has significant - key issues that are consistently not addressed.

*1st*:  Leadership (top-down) must have a clear understanding of their
business requirements and the associated rules, e.g., _goals and
objectives need practical tactical and operational controls that must be
procedurally defined_ (which may or may not include technology).  In
contrast, a common misconception and application is to throw dollars and
technology at a problem so it can miraculously be resolved or at least
have the impression that something is being done to accomplish the mission.
*2nd*:  Technological expertise at whatever level (bottom-up - yes even
the help desk or front-line technicians) _must embrace and assimilate
the organization's mission mindset and business - education vocabulary_,
so they are not perceived as a separate support entity whose sole
purpose is to impart some all-encompassing panacea or super-human
approach to a problem that has not been clearly defined.
*3rd*:  _The educational system has created, supports, and maintains two
opposing functional and operational groups / factions in support of the
mission._  Though not admittedly recognized as such, _faculty and
administration_ do not always play nicely together.  Often the
application of technology gets strategically positioned between the two
factions to mitigate solutions where it should not be involved at all.
Or IT's involvement is too premature in the decision life cycle process
to consider its use or application.  Very often, the CIO or similar
representative is called upon to perform some sort of reconciliation
utilizing IT even though political inconsistency is clearly identifiable
on the side-lines of both camps.  Therefore, the CIO is forced to respond
and negotiate without a clearly agreed-upon consensus from both parties
as to what the problem really is or an approach for providing a
solution.  SIDEBAR:  Anything identified in nature as having two heads
is often called a freak or unnatural.  _As educators we must learn to
negotiate our unnatural identity better._
*4th*:  Tension will always exist in how controls are implemented to
safeguard and support the mission.  We must _facilitate and empower a
business - education environment and culture that is flexible enough to
embrace the required change_ that is constant with information
technology's use and application.

Practically speaking, if you go to the ISACA site they have already
begun to incorporate some of these strategies into the COBIT framework
to facilitate associated mappings with these other standards, e.g., see
http://www.isaca.org  and the section marked COBIT mapping.  I look
forward to the results of your endeavors!

- --Chris

Erwin (Chris) Louis Carrow,
CISSP, INFOSEC, CSSP, CCNP, OCM
IT Auditor II
Board of Regents, University System of Georgia
270 Washington Street S.W., Ste. 7087
Atlanta, GA 30334
(404)657-9890 Office, (678)644-3526 Cell, Email: erwin.carrow () usg edu

SECURITY automatic digest system wrote:
| The Security Task Force is considering the organization of our efforts
| (e.g., effective practices guide, conference program tracks, working
| groups, etc.) around some categories that easily map to existing
| information security standards or related frameworks (ISO 27002/17799,
| NIST, COBIT, ITIL, ISC2 Common Body of Knowledge, etc.)  We would like
| to hear from any institutions who have built their information security
| program around such a standard or framework.  We are especially
| interested to learn if you have already gone to the effort to create a
| matrix of the different standards or frameworks - perhaps coming up with
| your own generalized categories.
|
| For an example of similar mappings, see:
|
|     Appendix G of NIST Special Publication 800-53, Security Control
| Mappings:  Relationship of Security Controls to Other Standards and
| Control Sets:
| http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
|
|     Virginia Alliance for Secure Computing And Networking (VA SCAN):
| http://www.vascan.org/resources/index.html
|
| Therefore, I would like to request that you reply to the list (if you
| have something to share that everyone would benefit from learning more
| about) or contact me directly if you have built a standards-based
| information security program and are willing to share your story,
| including any relevant documentation or links.
|
| Thanks,
|
| -Rodney
|
| --------------------------------------------------
| Rodney J. Petersen, J.D.
| Government Relations Officer & Security Task Force Coordinator
|
| EDUCAUSE
| 1150 18th Street, N.W., Suite 1010
| Washington, D.C. 20036
| (202) 331-5368 / (202) 872-4200
| (202) 872-4318 (FAX)
| EDUCAUSE/Internet2 Security Task Force
| www.educause.edu/security
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFITR2N+lAww4pSzJURAhtlAJ0aom5qUqRv2c0qJP1sQanC7Mz8+wCdEBEq
5E3swZHXk1gpR5y0um6bvlE=
=nzYv
-----END PGP SIGNATURE-----
