Educause Security Discussion mailing list archives
Re: Campus Security Governance Structures?
From: "Custer, William L. Mr." <custerwl () MUOHIO EDU>
Date: Wed, 9 Apr 2008 15:25:57 -0400
Martin,

I agree with Kevin that a summary of Information Security Governance may be too daunting for a simple e-mail. However, here are several comments that may help.

1. The Educause Model Policy sub-committee has a section on governance:
   https://wiki.internet2.edu/confluence/display/secguide/Security+Policies+and+Procedures
   Go to section 2.0, Organizational Security, and look at the template at the top called Information Security Management.

2. The Official (ISC2) Guide to the CISSP CBK, 2007 edition, page 8, indicates that there is no universal definition for security governance, but that the IT Governance Institute (ITGI) recommends that information security governance should be part of IT governance.

3. The ISO 27000 offers guidance on IT Security governance, and I understand that an institution can obtain certification. I assume that certification would involve proving that standard IT Security functions are properly identified in your governance structure.

4. Search the Educause library for papers on governance. I expect that you will find a number of hits.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mclaughlin, Kevin (mclaugkl)
Sent: Wednesday, April 09, 2008 2:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Campus Security Governance Structures?

Hi Martin:

What is your email address or phone number? I can't determine them from the thread.

My gut tells me that people have a governance structure, but the complexity and details surrounding such would be a fairly lengthy and time-consuming item to put into a listserv email response (or at least that's where I'm at with your question).

-Kevin

Kevin L. McLaughlin
CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)

CONFIDENTIALITY NOTICE: This e-mail message and its content is confidential, intended solely for the addressee, and may be legally privileged. Access to this message and its content by any individual or entity other than those identified in this message is unauthorized. If you are not the intended recipient, any disclosure, copying or distribution of this e-mail may be unlawful. Any action taken or omitted due to the content of this message is prohibited and may be unlawful.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Martin Manjak
Sent: Wednesday, April 09, 2008 2:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Campus Security Governance Structures?

Looks like I have to answer my own query. The lack of response to this question is intriguing. Does it mean that most institutions don't have some form of governance when it comes to information security? If that's the case, how are decisions made that affect the institution's security posture? How are assets ranked and vulnerabilities prioritized? How is risk assessment performed? Who decides what investments are made into what technologies and controls?

It seems to me that if you get governance right, many other things fall into place because you get institutional recognition of risk and endorsement of mitigation strategies.

M-

Martin Manjak wrote:
I'm curious to know what kinds of governance structures and processes people might have in place at their various institutions when it comes to information security. How are institutional priorities determined, who decides, and how do those get promulgated to the campus? M-
-- Martin Manjak Information Security Officer University at Albany CISSP, GIAC GSEC-G, GCIH, GCWN