Educause Security Discussion mailing list archives
Re: Campus Security Governance Structures?
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Wed, 9 Apr 2008 12:02:32 -0700
Hi Martin,

I think only a few large institutions have a dedicated security governance structure. I've heard of two programs that have them, and they are impressive, but it seems to be an option for a large school, as opposed to a requirement for all schools.

> mean that most institutions don't have some form of governance when it comes to information security?

As a medium sized institution, our governance comes from our Chancellor. There are several external committees (including an IT committee) that have an advisory role and have chimed in on various security issues, but our Chancellor makes the decisions.

> If that's the case, how are decisions made that affect the institution's security posture? How are assets ranked and vulnerabilities prioritized? How is risk assessment performed? Who decides what investments are made into what technologies and controls?

These questions are pretty different, and I don't think they are governance issues. Risk assessment, for example, is sometimes an entire department in an institution, and has many components that should include the ISO. Yet, *how* risk is performed is determined by these functional units -- governance only dictates that risk assessments are performed.

> It seems to me that if you get governance right, many other things fall into place because you get institutional recognition of risk and endorsement of mitigation strategies.

If governance in the institution emanates by committee, then that sounds right. I'm curious if many institutions operate in this fashion.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Martin Manjak
Sent: Wednesday, April 09, 2008 11:27 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Campus Security Governance Structures?

Looks like I have to answer my own query.

The lack of response to this question is intriguing. Does it mean that most institutions don't have some form of governance when it comes to information security?

If that's the case, how are decisions made that affect the institution's security posture? How are assets ranked and vulnerabilities prioritized? How is risk assessment performed? Who decides what investments are made into what technologies and controls?

It seems to me that if you get governance right, many other things fall into place because you get institutional recognition of risk and endorsement of mitigation strategies.

M-

Martin Manjak wrote:
> I'm curious to know what kinds of governance structures and processes people might have in place at their various institutions when it comes to information security. How are institutional priorities determined, who decides, and how do those get promulgated to the campus?

M---
Martin Manjak
Information Security Officer
University at Albany
CISSP, GIAC GSEC-G, GCIH, GCWN