Educause Security Discussion mailing list archives

Re: Campus Security Governance Structures?


From: "Custer, William L. Mr." <custerwl () MUOHIO EDU>
Date: Wed, 9 Apr 2008 15:25:57 -0400

Martin,

I agree with Kevin that a summary of Information Security Governance may be too daunting for a simple e-mail.

However, here are several comments that may help.
1. The Educause Model Policy sub-committee has a section on governance
https://wiki.internet2.edu/confluence/display/secguide/Security+Policies+and+Procedures
Go to section 2.0 Organizational Security and look at the template at the top called
Information Security Management

2. The Official (ISC2) Guide to the CISSP CBK, 2007 edition, page 8 indicates that:
There is no universal definition for security governance, but that the IT Governance Institute (ITGI) recommends 
that information security governance should be part of IT governance.

3. ISO 27000 offers guidance on IT Security governance and I understand that an institution can obtain 
certification.  I assume that certification would involve proving that standard IT Security functions are properly 
identified in your governance structure.

4. Search the Educause library for papers on governance.  I expect that you will find a number of hits.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Mclaughlin, Kevin (mclaugkl)
Sent: Wednesday, April 09, 2008 2:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Campus Security Governance Structures?

Hi Martin:
What is your email address or phone number?  I can't determine them from the
thread.  My gut tells me that people have a governance structure but the
complexity and details surrounding such would be a fairly lengthy and time
consuming item to put into a listserv email response (or at least that's
where I'm at with your question).

-Kevin


Kevin L. McLaughlin
CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)
CONFIDENTIALITY NOTICE: This e-mail message and its content is confidential,
intended solely for the addressee, and may be legally privileged. Access to
this message and its content by any individual or entity other than those
identified in this message is unauthorized. If you are not the intended
recipient, any disclosure, copying or distribution of this e-mail may be
unlawful. Any action taken or omitted due to the content of this message is
prohibited and may be unlawful.
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Martin Manjak
Sent: Wednesday, April 09, 2008 2:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Campus Security Governance Structures?

Looks like I have to answer my own query.

The lack of response to this question is intriguing. Does it mean that
most institutions don't have some form of governance when it comes to
information security?

If that's the case, how are decisions made that affect the institution's
security posture? How are assets ranked and vulnerabilities prioritized?
How is risk assessment performed? Who decides what investments are made
into what technologies and controls?

It seems to me that if you get governance right, many other things fall
into place because you get institutional recognition of risk and
endorsement of mitigation strategies.
M-


Martin Manjak wrote:
I'm curious to know what kinds of governance structures and processes
people might have in place at their various institutions when it comes
to information security. How are institutional priorities determined,
who decides, and how do those get promulgated to the campus?
M-


--
Martin Manjak
Information Security Officer
University at Albany
CISSP, GIAC GSEC-G, GCIH, GCWN