Educause Security Discussion mailing list archives
Re: Centralized vs. Decentralized IT
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Mon, 11 Aug 2008 11:46:54 -0700
Hi Daniel,

FWIW, I've found it helpful to think of some institutions as a loose federation of independent businesses. This has helped me understand why some institutions operate in what seem to be problematic ways. In other words, I think the problem in pushing centralization in some environments can be stated as the attempt to push any kind of centralized business process into autonomous business units. In this sense, logic should be subjectively structured based on the meat and potatoes of how the businesses interoperate.

Hope this helps. :)

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, Daniel
Sent: Friday, August 08, 2008 11:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Centralized vs. Decentralized IT

Thank you all for your responses. I think this is a useful conversation.

I'm starting to think that it may be best to have a Central IT collaborate with the departmental IT staff to create an environment where central is responsible for the network (including firewalls/IDS/anti-virus/wireless, the servers and the operating systems) while the departments are responsible for any applications specialized to their areas, including security administration.

If the Central IT staff was responsible for the servers, they could also create a uniform back-up process and be responsible for all back-ups (including applications). Currently 17 departments are responsible for their own backups, with inconsistent results. This would also simplify the DR/BC plans and thereby mitigate a few risks there as well.

So far the departments I've reviewed have been of the campus services variety (Parking, transit, physical plant), not really people who can claim academic freedom with a straight face. Maybe they are better candidates than research departments.
But I would think even within the research departments this would free up resources so they could focus on their research, and they would still be responsible for their own applications/databases, etc., with all the freedoms to fail that come with it (although this still leaves me with a potential SOD issue).

I've only worked in the University setting since January, and may be very naïve, but I do think a hybrid with Central IT responsible for computer operations and the departments responsible for the applications they run on it, has potential. I come from a finance background, and I've just not seen IT environments like this before.

Thanks Again

:: Daniel Sarazen, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office
:: 508-856-2443
:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu
University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu <http://www.massachusetts.edu/>

________________________________

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Dillon
Sent: Friday, August 08, 2008 2:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Centralized vs. Decentralized IT

Daniel,

I hate to join the chorus of "it depends" folks out there, but it really does, on a lot of cultural issues and delivery spaces. There are two primary audiences out there from my perspective, an administrative one and an educational one, and I think we sometimes don't balance the two properly in HEd. One needs the leeway to experiment and fail with some regularity, the other has regulation and customer expectations that bind it, with little room for failure due to obligation and regulation. Managing those two vastly different user communities within one organization and one service model can be problematic as the service goals are different.
I'll agree with an earlier comment, when the objectives and goals of the IT service are regular, consistent, well understood and procedural, and when they are in support of regulatory or high scrutiny evaluation (lots of reputation threat) then there are some good reasons for a more centrally managed support to achieve better control outcomes and oversight. When the requirements are rapidly changing, reactive, opportunistic, etc. (think academic side, not necessarily academic administration) then the ability to let something go, work with a prototype, and keep the discussion close to the many scattered and unique goal setters leans towards local management.

One thing central IT can provide in the academic environment is a good forum for collaboration and communication. I think our approach at the CU Boulder campus is one area where we are pretty good in that aspect. The "support community" events tend to bridge a lot of gaps and aid in communication.

The chief difficulty I note is that it is very difficult to provide adequate analysis, strategic vision, direction, management, evaluation in a highly distributed environment. The skill sets that succeed in this area are rare, complex, and poorly applied in weakly defined functions. Thus all the "total cost of ownership" and life-cycle roles necessary to alleviate risk are poorly met in a distributed model, just due to the reality of total-cost factors. A really successful program will help ensure that the entire life-cycle consideration of any effort is understood going in. What tends to happen is people build things then have trouble maintaining the resultant life-cycle support costs. As a result there's a lot of stinky stuff that doesn't work well and that often becomes a burden to the central IT function due to criticality and a lack of appropriate support.

This boils down to a broadly used term, "Governance", but I think it is too broad to really address the difficulties and complexities.
My take is more central for administrative stuff, less, with supportive building blocks and infrastructure (hosting, virtualization, storage, networking) coming from the central org, and some procedural and process reality guidance that insists on a good life-cycle cost analysis for anything developed outside central that appears to have enterprise criticality or sensitivity. Easy said, tough to do.

Jim Dillon
(Until recently IT Audit Mgr. for CU System)

-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu
303-735-5682
-------------------Boulder------------------------

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, Daniel
Sent: Thursday, August 07, 2008 1:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Centralized vs. Decentralized IT

Hi All,

Do you have any leanings between Centralized IT networks (Main IT group responsible for IT services); vs. decentralized IT networks (Each department is responsible for their own apps, servers and security (Intrusion detection/prevention) with their own IT staff)? Has anyone looked at their campus and formed an opinion on the IT governance configuration?

Any feedback you can provide is appreciated.

Thanks,

:: Daniel Sarazen, CISA, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office
:: 508-856-2443
:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu
University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu <http://www.massachusetts.edu/>