Educause Security Discussion mailing list archives
Re: Campus Security Governance Structures?
From: "Chisholm, Teri" <teri_chisholm () HARVARD EDU>
Date: Wed, 9 Apr 2008 15:05:25 -0400
Please remove my name from the listserv.

Teri Chisholm
Harvard University
Office of the University CIO
Office: 617-384-6619
Cell: 781-258-8500

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shane Bishop
Sent: Wednesday, April 09, 2008 2:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Campus Security Governance Structures?

[Martin Manjak] Looks like I have to answer my own query. The lack of response to this question is intriguing. Does it mean that most institutions don't have some form of governance when it comes to information security?

[Shane Bishop] For institutions of higher education the preferred framework seems to be COBIT. The Gartner report "Hype Cycle for Higher Education, 2007" depicts COBIT just showing up on the radar screen for many institutions. Only the test of time will determine if COBIT will be the preferred framework among higher education, or just another fad. Personally, I like COBIT but would like to see something even a little more contoured for higher education. Perhaps a CobEd version 1.0. Prudent information security officers like well organized and clear cut objectives pertaining, and including verbiage, related to their industry. The word business in higher education will often return looks of confusion. Having to improvise a framework into something that isn't uniformly agreed upon by your peers in the industry leads to less acceptance and greater chance of failure. Alternatively, COBIT is much better than no framework, and this indicates the maturity level for acceptance of a framework in higher education is still in its juvenile stages IMHO.

http://www.gartner.com/DisplayDocument?doc_cd=148910

[Martin Manjak] If that's the case, how are decisions made that affect the institution's security posture? How are assets ranked and vulnerabilities prioritized? How is risk assessment performed? Who decides what investments are made into what technologies and controls?

[Shane Bishop] An assessment needs to be done to map IT assets to business services and which individuals are accountable for these processes. Once that is done you would normally do a business impact analysis to prioritize the severity of security risks to those assets.

[Martin Manjak] It seems to me that if you get governance right, many other things fall into place because you get institutional recognition of risk and endorsement of mitigation strategies.

[Shane Bishop] Very true, trying to change the culture to see the benefits of enterprise level IT security governance seems to be the bigger obstacle. Having the CISO in a different division than the CIO seems to complement this undertaking. Until government regulation is passed that requires institutions of higher education to have external auditors assess security there will not be conformity to a standard.

Shane Bishop
Associate Director of Network Infrastructure
John A. Logan College
CISM, CISSP
http://shanebishop.info
(618) 985-3741 Ext. 8544