Educause Security Discussion mailing list archives
Re: success stories
From: Brian T Nichols <bnichols () LSU EDU>
Date: Thu, 20 Nov 2008 21:13:20 -0600
Kathy,

At Louisiana State University (LSU), the Vice Chancellor for IT and CIO sits on the Executive Cabinet and periodically briefs the Chancellor and senior management on IT security and policy matters on campus, and in the higher education community.

In addition, we had an external security review conducted by a group of experts in IT security and policy from other higher education institutions in 2005, and again earlier this year. The review team provided a report with a number of recommendations that helped raise the awareness of the importance of IT security at the institution.

You might also consider forming an IT Security & Policy Advisory Committee with representatives from all over campus (we have done so at LSU and have had success in moving forward with a number of security initiatives; please see www.lsu.edu/itpolicy for additional details).

Hope this helps,
-Brian

Brian T. Nichols, CISSP, CISM, CISA, CIA
Chief IT Security & Policy Officer
Louisiana State University

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv on behalf of Suresh Balakrishnan
Sent: Thu 11/20/2008 3:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] success stories

The USM is required to have guidelines that are compatible with State IT security policies and, as a result, the USM IT security officers developed a comprehensive set of guidelines that address risk management, security policy, access controls, network security, nonpublic information, encryption, and other areas. These guidelines were vetted with the State legislative auditors and are periodically updated to align with revisions to the State IT Security Policy. All USM institutions are required to report on the status of implementation of these guidelines annually and some of the institutional security officers have taken advantage of this reporting process to engage senior management.

Suresh

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Suresh Balakrishnan
Asst. Vice Chancellor and Deputy CIO
University System of Maryland
Voice: (301) 445-2783     Room 1B
Cell: (301) 922-0531      3300 Metzerott Road
Fax: (301) 445-1918       Adelphi, MD 20783
E-mail: suresh () usmd edu
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

----- Original Message -----
From: "Lazor, Joseph" <JLazor () ADMIN FSU EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Thursday, November 20, 2008 8:41 AM
Subject: Re: [SECURITY] success stories

Development, adoption, deployment, and compliance monitoring of an IT Security Governance Industry Standard such as ISO 17799.

Concurrent with this -- Enterprise ITSEC Strategy (ITSEC is a risk management issue not a technical one!), enabling programs, federated compliance monitoring tools, and performance metrics.

Suggested approach includes:

1. Articulate and approve an overall security strategy.
2. Develop a security technical architecture to support the strategy.
3. Establish needed policies to support the strategy and architecture.
4. Acquire additional tools to support the architecture.
5. Establish an organizational structure to deploy the tools and monitor policy adherence.
6. Establish a management reporting mechanism to inform unit and executive management about unit adherence to the strategy and policies as well as to compromised systems.
7. Prioritize activities into implementation phases.
8. Communicate the overall security program to the campus community.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kathy Bergsma
Sent: Wednesday, November 19, 2008 2:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] success stories

I'm interested in hearing about your success stories engaging senior management support for security initiatives. What methods worked at your institution? I've suggested some methods below. Let me know which ones have worked for you and identify other ideas not listed.

Fear, uncertainty and doubt
Metaphors and analogies
Comparison with peer institutions
Financial benefits such as ROI (return on investment)
Leverage an incident
Metrics
Working behind the scenes
Ask forgiveness rather than permission
Little by little baby steps
Relationship building with key players? Who are the key players
Other ideas

--
Kathy Bergsma
UF Information Security Manager
352-392-2061