Re: Campus Security Governance Structures?

["Basgen, Brian" <bbasgen () PIMA EDU>]

Hi Martin,

 I think only a few large institutions have a dedicated security
governance structure. I've heard of two programs that have them, and
they are impressive, but it seems to be an option for a large school, as
opposed to a requirement for all schools.

> mean that most institutions don't have some form of 
> governance when it comes to information security?

 As a medium sized institution, our governance comes from our
Chancellor. There are several external committees (including an IT
committee) that have an advisory role and have chimed in on various
security issues, but our Chancellor makes the decisions. 

> If that's the case, how are decisions made that affect the 
> institution's security posture? How are assets ranked and 
> vulnerabilities prioritized? 
> How is risk assessment performed? Who decides what 
> investments are made into what technologies and controls?

 These questions are pretty different, and I don't think they are
governance issues. Risk assessment, for example, is sometimes an entire
department in an institution, and has many components that should
include the ISO. Yet, *how* risk is performed is determined by these
functional units -- governance only dictates that risk assessments are
performed. 

> It seems to me that if you get governance right, many other 
> things fall into place because you get institutional 
> recognition of risk and endorsement of mitigation strategies.

 If governance in the institution emanates by committee, then that
sounds right. I'm curious if many institutions operate in this fashion.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
 
 
 

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv 
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Martin Manjak
> Sent: Wednesday, April 09, 2008 11:27 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Campus Security Governance Structures?
>
> Looks like I have to answer my own query.
>
> The lack of response to this question is intriguing. Does it 
> mean that most institutions don't have some form of 
> governance when it comes to information security?
>
> If that's the case, how are decisions made that affect the 
> institution's security posture? How are assets ranked and 
> vulnerabilities prioritized? 
> How is risk assessment performed? Who decides what 
> investments are made into what technologies and controls?
>
> It seems to me that if you get governance right, many other 
> things fall into place because you get institutional 
> recognition of risk and endorsement of mitigation strategies.
> M-
>
>
> Martin Manjak wrote:
> > I'm curious to know what kinds of governance structures and 
> processes 
> > people might have in place at their various institutions 
> when it comes 
> > to information security. How are institutional priorities 
> determined, 
> > who decides, and how do those get promulgated to the campus?
> > M-
>
> --
> Martin Manjak
> Information Security Officer
> University at Albany
> CISSP, GIAC GSEC-G, GCIH, GCWN