Educause Security Discussion mailing list archives

Re: Security 5 Year Strategic Plan


From: Joshua Beeman <jbeeman () ISC UPENN EDU>
Date: Fri, 28 Sep 2012 12:46:52 +0000

Hi,

I was thinking about this request and why people may have been reluctant
to reply.  

A possibility is that people may feel that sharing a five year plan
amongst such a large group could be
a) difficult/unsatisfying - given the rate at which threats and technology
are evolving, it's a long time to be making predictions, and
b) risky - it may be perceived as potentially airing institutional
problems/deficiencies to the public unnecessarily.

Nonetheless, I am always interested in what my peers are doing/thinking
about.  I wondered if there might be more traction in a quasi-anonymous,
mostly unscientific survey of what people thought were priorities for the
next five years. I took a stab at creating such a survey here:
https://docs.google.com/spreadsheet/viewform?formkey=dHRPTlNiQkpia2x6dENzZUYwbU1YVEE6MQ

You will notice in my preamble I unabashedly admit it is neither
comprehensive, nor scientific, so please keep your expectations low!

FYI - For those that are inherently suspicious of links and google forms,
a text version is below.  Feel free to send your responses to me.  I plan
to summarize and share any results back to this list.

Josh


*********************
SURVEY [text version]
*********************

Information Security Priorities in the Next 5 Years

Rapidly evolving threats, limited resources and competing priorities, can
make 5 year Information Security planning difficult.

Those that have developed plans may be reluctant to share them because
they recognize this difficulty.

This is an informal, very unscientific survey meant to help determine if
there is some consensus amongst EDU Information Security practitioners
about topics/categories that should be prioritized in the next 5 years.

What is the size of your EDU?  (Total count of Faculty, Staff and
Students) [Optional]

    
Identify up to 10 of the following items that you believe should/will be
prioritized in the next 5 years in your organization.  This listing is not
comprehensive, items may overlap or have multiple interpretations.

If you believe items are missing, please indicate this in the "Other"
field.

*(You can select less than 10, but please do not select more).

* IPv6
* Network security appliance acquisition and installation (IDS, IPS,
NGFW, malware detection, etc.)
* Logging
* SIEM
* InCommon Bronze/Silver certification
* Multi-factor authentication
* IDM improvements/strengthening
* Policy
* Compliance (PCI, HIPAA, FISMA, FERPA, etc.)
* Mobile device security (technology)
* Mobile device security (policy)
* Whole disk encryption
* Network segregation
* Re-org/staffing
* Metrics and reporting
* Visualization
* Vulnerability and risk assessment
* Asset management
* Virtual Desktop
* Data Loss Prevention (host or network)
* Application Security
* Cloud security
* Other:


From:  Daniel Bennett <daniel.bennett () PCT EDU>
Reply-To:  The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>
Date:  Friday, August 10, 2012 11:35 PM
To:  "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject:  [SECURITY] Security 5 Year Strategic Plan


Hello All,
 
I am currently working on developing our department's 5 year strategic
security plan and was wondering if anyone is willing to share what they
feel their focus will be over the next 5 years in regards to their
 information security infrastructure.  I have some ideas but want to see
what a broader community is working towards as well.
 
Thanks,
 
Daniel Bennett
IT Security Analyst
Adjunct Faculty
Vice-Chair North Central PA Members Alliance
 
Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701
 
P:570.329.4989
E:dbennett () pct edu
 
ITS and Penn College will never solicit you for your username or password
in an e-mail.
 
 

