Educause Security Discussion mailing list archives
Re: SECURITY Digest - 5 Jun 2008 to 6 Jun 2008 (#2008-106)
From: "Erwin L. Carrow" <erwin.carrow () USG EDU>
Date: Mon, 9 Jun 2008 08:09:49 -0400
It is the opinion of many at our organization that each of these support systems is of benefit and value when a part of a comprehensive solution. We are currently working on a similar type of integration of the various frameworks on an informal level. Since we must assess 37 different universities, colleges, or agencies, it becomes very evident that one size does not fit all. Yet we have seen that if we take a look at each individual organization's _business requirements and rules for IT and the associated business practices, a clear framework is evident_ and sound for mitigating risk. This framework requires a starting point to allow / afford the flexibility needed to accomplish the mission of the organization. I am convinced that COBIT is that place to start because it imposes a top-down decision-making criterion. Often the other components mentioned (ISO, NIST, ITIL, etc.) are controls used to address the "mitigation of risk" to be imposed upon technology in order to do business or accomplish the organizational mission. The mistake often made is to create a list from the ISO, NIST, ITIL, etc. to mitigate risk (though very beneficial) and then impose this upon the mission or business requirements and thereby often cripple its capability or functional intent.

The educational system in general (someone is going to shoot me down for the obvious, but it must be stated) has significant, key issues that are consistently not addressed.

*1st*: Leadership (top-down) must have a clear understanding of their business requirements and the associated rules, e.g., _goals and objectives need practical tactical and operational controls that must be procedurally defined_ (which may or may not include technology). In contrast, a common misconception and application is to throw dollars and technology at a problem so it can miraculously be resolved, or at least give the impression that something is being done to accomplish the mission.

*2nd*: Technological expertise at whatever level (bottom-up, yes, even the help desk or front-line technicians) _must embrace and assimilate the organization's mission mindset and business / education vocabulary_, so they are not perceived as a separate support entity whose sole purpose is to impart some all-encompassing panacea or super-human approach to a problem that has not been clearly defined.

*3rd*: _The educational system has created, supports, and maintains two opposing functional and operational groups / factions in support of the mission._ Though not admittedly recognized as such, _faculty and administration_ do not always play nicely together. Often the application of technology gets strategically positioned between the two factions to mitigate solutions where it should not be involved at all. Or IT's involvement is too premature in the decision life cycle process to consider its use or application. Very often, the CIO or similar representative is called upon to perform some sort of reconciliation utilizing IT even though political inconsistency is clearly identifiable on the sidelines of both camps. Therefore, the CIO is forced to respond and negotiate without a clearly agreed-upon consensus from both parties as to what the problem really is or an approach for providing a solution.

SIDEBAR: Anything identified in nature as having two heads is often called a freak or unnatural. _As educators we must learn to negotiate our unnatural identity better._

*4th*: Tension will always exist in how controls are implemented to safeguard and support the mission. We must _facilitate and empower a business / education environment and culture that is flexible enough to embrace the required change_ that is constant with information technology's use and application.

Practically speaking, if you go to the ISACA site they have already begun to incorporate some of these strategies into the COBIT framework to facilitate associated mappings with these other standards, e.g., see http://www.isaca.org and the section marked COBIT mapping.

I look forward to the results of your endeavors!

--Chris

Erwin (Chris) Louis Carrow, CISSP, INFOSEC, CSSP, CCNP, OCM
IT Auditor II
Board of Regents, University System of Georgia
270 Washington Street S.W., Ste. 7087
Atlanta, GA 30334
(404)657-9890 Office, (678)644-3526 Cell, Email: erwin.carrow () usg edu

SECURITY automatic digest system wrote:
| The Security Task Force is considering the organization of our efforts
| (e.g., effective practices guide, conference program tracks, working
| groups, etc.) around some categories that easily map to existing
| information security standards or related frameworks (ISO 27002/17799,
| NIST, COBIT, ITIL, ISC2 Common Body of Knowledge, etc.) We would like
| to hear from any institutions who have built their information security
| program around such a standard or framework. We are especially
| interested to learn if you have already gone to the effort to create a
| matrix of the different standards or frameworks - perhaps coming up with
| your own generalized categories.
|
| For an example of similar mappings, see:
|
| Appendix G of NIST Special Publication 800-53, Security Control
| Mappings: Relationship of Security Controls to Other Standards and
| Control Sets:
| http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
|
| Virginia Alliance for Secure Computing And Networking (VA SCAN):
| http://www.vascan.org/resources/index.html
|
| Therefore, I would like to request that you reply to the list (if you
| have something to share that everyone would benefit from learning more
| about) or contact me directly if you have built a standards-based
| information security program and are willing to share your story,
| including any relevant documentation or links.
|
| Thanks,
|
| -Rodney
|
| --------------------------------------------------
| Rodney J. Petersen, J.D.
| Government Relations Officer & Security Task Force Coordinator
|
| EDUCAUSE
| 1150 18th Street, N.W., Suite 1010
| Washington, D.C. 20036
| (202) 331-5368 / (202) 872-4200
| (202) 872-4318 (FAX)
| EDUCAUSE/Internet2 Security Task Force
| www.educause.edu/security