Educause Security Discussion mailing list archives
Re: reporting structure
From: Valerie Vogel <vvogel () EDUCAUSE EDU>
Date: Wed, 23 Oct 2013 22:54:37 +0000
Good afternoon, Here is a link to the 2009 ECAR Research Bulletin, The Career of the IT Security Officer in Higher Education, which covers reporting lines: http://www.educause.edu/library/resources/career-it-security-officer-higher -education Download the PDF here: https://net.educause.edu/ir/library/pdf/ECP0901.pdf And here is some more recent information from the Core Data Service (CDS): 20% of institutions told us the CIO is the ³highest-ranking person with primary responsibility for IT security². Of those who have someone other than the CIO in this role, only 35% are 100% dedicated to the CISO role. (see attached image) Of those 175 who are full-time CISOs (of one title or another), 69% report to the CIO and 19% report to a first-line director in Central IT. Only 6% report to someone at the C-level, who is not the CIO, and 1% report to the President. Board of Trustees/Regents: 0% President/Chancellor: 1% Provost/Chief Academic officer: 1% Chief Administrative Officer: 3% Chief Financial Officer: 2% Director of Internal Audit: 0% CIO: 69% First-line director in central IT: 19% Second-line manager in central IT: 3% None of these: 14% If you have any additional questions, please let me know. Thank you, Valerie Valerie Vogel Program Manager EDUCAUSE Uncommon Thinking for the Common Good direct: 202.331.5374 | main: 202.872.4200 | educause.edu On 10/23/13 2:34 PM, "George Farah" <george.farah () QUEENSU CA> wrote:
There is an EDUCAUSE publication that show various reports, CIOs, Chancellors, Legal counsel, VP ops and Finance and Provost directly are among the options. It all depends on your culture centralised vs. de-centralised environments and maturity of your IT and business organization. Hope that helps. George Farah, GIAC/GSEC Gold, CRISC, CISA University Information Systems Security Manager Queen's University, Kingston, Ontario, Canada k7l 3n6 ----------------------------------------------------------- CONFIDENTIALITY CAUTION: This communication and any attachments is for the use of the individual or entity to which it is addressed and may contain information that is privileged, proprietary, confidential and exempt from disclosure. If you are not the intended recipient you are notified that any dissemination, distribution, or copying of the communication is strictly prohibited. If you received this communication in error, please notify the sender and destroy this email immediately. AVERTISSEMENT RELATIF À LA CONFIDENTIALITÉ: Cet envoi (et toute pièce jointe) ne s'adresse qu'à la personne ou à l'entité à laquelle il est destiné. Il peut contenir des renseignements privilégiés, confidentiels et ne devant pas être divulgués. Si vous n'êtes pas le destinataire prévu, nous vous avisons que toute dissémination, distribution ou copie de cet envoi est strictement interdite. Si vous receviez cet envoi par erreur, veuillez en aviser l'expéditeur et détruire ce courriel immédiatement. -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russ Leathe Sent: October-23-13 4:21 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] reporting structure Who does Information Security report to? Does the CSO or ISO report to the CIO or somebody else? Thanks and Happy Cyber Security Month! Russ Gordon College russ () gordon edu
Current thread:
- reporting structure Russ Leathe (Oct 23)
- Re: reporting structure Knights, John (Oct 23)
- Re: reporting structure Chris Vakhordjian (Oct 23)
- Re: reporting structure Valdis Kletnieks (Oct 24)
- Re: reporting structure Chris Vakhordjian (Oct 23)
- Re: reporting structure Jenny Blaine (Oct 23)
- Re: reporting structure George Farah (Oct 23)
- Re: reporting structure Valerie Vogel (Oct 23)
- <Possible follow-ups>
- Re: Reporting Structure John Forker (Oct 24)
- Re: Reporting Structure Watkins, Lewis (Oct 24)
- Re: reporting structure Knights, John (Oct 23)