Educause Security Discussion mailing list archives
Re: success stories
From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Thu, 20 Nov 2008 08:58:33 -0500
On the policy front, we've used several methods to achieve support from senior management. When we put a policy in place to address HIPAA security requirements, we worked up-front with the Office of General Counsel to ensure the policy accurately reflected regulatory requirements and then it was simply a matter of saying, hey, this is required by law. The policy was accepted by the University without a hitch. It helped that it was our General Counsel that said that to the President's Council (which approves all policies). We also spent a lot of time building relationships with HR and Student Health since they were the primary stakeholders.

We're currently having a lot of success with our Information Security Policy proposal. Our technique there has really just been understanding business requirements, being flexible and selling it in a manner that makes sense for whichever audience we're presenting to. Letting people talk through their concerns and taking a real interest in addressing those concerns is also very valuable. We've really had little resistance to this point and we're moving along much faster than I would have originally anticipated. I guess this fits into relationship building with key players. There are just a lot of key players when dealing with something that impacts the entire university.

In general, comparisons with peer institutions and industry standards also go a long way for us in anything we do. It's pretty much expected that we evaluate what other universities are doing.

On occasion, an audit issue or an incident will also help drive something forward. In my experience, though, you have to capitalize on those pretty quickly, otherwise priorities will shift and they'll be forgotten about.

Kathy Bergsma wrote:
I'm interested in hearing about your success stories engaging senior management support for security initiatives. What methods worked at your institution? I've suggested some methods below. Let me know which ones have worked for you and identify other ideas not listed.

- Fear, uncertainty and doubt
- Metaphors and analogies
- Comparison with peer institutions
- Financial benefits such as ROI (return on investment)
- Leverage an incident
- Metrics
- Working behind the scenes
- Ask forgiveness rather than permission
- Little by little baby steps
- Relationship building with key players? Who are the key players
- Other ideas