Educause Security Discussion mailing list archives
Re: Campus Security Governance Structures?
From: Stephen John Smoogen <smooge () UNM EDU>
Date: Wed, 9 Apr 2008 12:52:57 -0600
Martin Manjak wrote:
Looks like I have to answer my own query. The lack of response to this question is intriguing. Does it mean that most institutions don't have some form of governance when it comes to information security?
It could mean that... or that a lot of people on the list are not part of that governance or don't feel they can talk 'officially' about their university's system, etc. I think that in general, the decisions are made by the business owners for their reasons. The security people can consult and give advice, but if the business unit says that passwords have to be 6 letters long and all undercase because it's going to cost 20 million to upgrade the mainframe... then they have made the decision and why it's done. The security people can only then find the Tums and try to figure out how to deal with the consequences of the decision.
If that's the case, how are decisions made that affect the institution's security posture? How are assets ranked and vulnerabilities prioritized? How is risk assessment performed? Who decides what investments are made into what technologies and controls? It seems to me that if you get governance right, many other things fall into place because you get institutional recognition of risk and endorsement of mitigation strategies.
M-
Martin Manjak wrote:
I'm curious to know what kinds of governance structures and processes people might have in place at their various institutions when it comes to information security. How are institutional priorities determined, who decides, and how do those get promulgated to the campus?
M-
--
Stephen Smoogen -- ITS/Linux Administrator
MSC02 1520 1 University of New Mexico
Albuquerque, NM 87131-0001
Phone: (505) 277-8219
Email: smooge () unm edu
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"