Educause Security Discussion mailing list archives

Re: Campus Security Governance Structures?


From: Stephen John Smoogen <smooge () UNM EDU>
Date: Wed, 9 Apr 2008 12:52:57 -0600

Martin Manjak wrote:
Looks like I have to answer my own query.

The lack of response to this question is intriguing. Does it mean that
most institutions don't have some form of governance when it comes to
information security?


It could mean that... or that a lot of people on the list are not part of
that governance or don't feel they can talk 'officially' about their
university's system, etc.

I think that in general, the decisions are made by the business owners
for their reasons. The security people can consult and give advice, but
if the business unit says that passwords have to be 6 letters long and
all undercase because it's going to cost 20 million to upgrade the
mainframe... then they have made the decision and why it's done. The
security people can only then find the Tums and try to figure out how to
deal with the consequences of the decision.

If that's the case, how are decisions made that affect the institution's
security posture? How are assets ranked and vulnerabilities prioritized?
How is risk assessment performed? Who decides what investments are made
into what technologies and controls?

It seems to me that if you get governance right, many other things fall
into place because you get institutional recognition of risk and
endorsement of mitigation strategies.
M-


Martin Manjak wrote:
I'm curious to know what kinds of governance structures and processes
people might have in place at their various institutions when it comes
to information security. How are institutional priorities determined,
who decides, and how do those get promulgated to the campus?
M-




--
Stephen Smoogen -- ITS/Linux Administrator
  MSC02 1520 1 University of New Mexico Albuquerque, NM  87131-0001
  Phone: (505) 277-8219  Email: smooge () unm edu
 How far that little candle throws his beams! So shines a good deed
 in a naughty world. = Shakespeare. "The Merchant of Venice"
