Educause Security Discussion mailing list archives

Re: Campus Security Governance Structures?


From: "Chisholm, Teri" <teri_chisholm () HARVARD EDU>
Date: Wed, 9 Apr 2008 15:05:25 -0400

Please remove my name from the listserv.  



Teri Chisholm
Harvard University
Office of the University CIO
Office: 617-384-6619
Cell: 781-258-8500
 
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shane Bishop
Sent: Wednesday, April 09, 2008 2:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Campus Security Governance Structures?



[Martin Manjak] Looks like I have to answer my own query.

The lack of response to this question is intriguing. Does it mean that most institutions don't have some form of governance when it comes to information security?

[Shane Bishop] For institutions of higher education the preferred framework seems to be COBIT. The Gartner report "Hype Cycle for Higher Education, 2007" depicts COBIT just showing up on the radar screen for many institutions. Only the test of time will determine if COBIT will be the preferred framework among higher education, or just another fad. Personally, I like COBIT but would like to see something even a little more contoured for higher education. Perhaps a CobEd version 1.0. Prudent information security officers like well-organized and clear-cut objectives pertaining, and including verbiage, related to their industry. The word business in higher education will often return looks of confusion. Having to improvise a framework into something that isn't uniformly agreed upon by your peers in the industry leads to less acceptance and greater chance of failure. Alternatively, COBIT is much better than no framework, and this indicates the maturity level for acceptance of a framework in higher education is still in its juvenile stages IMHO.

http://www.gartner.com/DisplayDocument?doc_cd=148910

[Martin Manjak] If that's the case, how are decisions made that affect the institution's security posture? How are assets ranked and vulnerabilities prioritized? How is risk assessment performed? Who decides what investments are made into what technologies and controls?

[Shane Bishop] An assessment needs to be done to map IT assets to business services and which individuals are accountable for these processes. Once that is done you would normally do a business impact analysis to prioritize the severity of security risks to those assets.

[Martin Manjak] It seems to me that if you get governance right, many other things fall into place because you get institutional recognition of risk and endorsement of mitigation strategies.

[Shane Bishop] Very true, trying to change the culture to see the benefits of enterprise level IT security governance seems to be the bigger obstacle. Having the CISO in a different division than the CIO seems to complement this undertaking. Until government regulation is passed that requires institutions of higher education to have external auditors assess security there will not be conformity to a standard.


 
Shane Bishop
Associate Director of Network Infrastructure
John A. Logan College
CISM, CISSP
http://shanebishop.info
(618) 985-3741 Ext. 8544
