Educause Security Discussion mailing list archives
Re: Reporting Structure
From: "Watkins, Lewis" <LWATKINS () UTSYSTEM EDU>
Date: Thu, 24 Oct 2013 14:33:49 +0000
Within the University of Texas System, policy is that Institutional CISOs report to the President of the Institution or to an Executive Officer who reports directly to the President. In most cases, this ends up being the EVP for Business affairs or the Provost. Policy also states that the Institutional CISO is not to report directly to the CIO. This went into effect a few years ago to address certain conflicts of interest that can arise when the CISO reports directly to the CIO, somewhat analogous to the Audit Director reporting directly to the Chief Financial Officer.

UT System Institutional CISOs also have dotted line reporting relationships to the Institutional Compliance Officer, the UT System CISO, and in some cases the Institutional CIO. In all cases, the CISO has permission to go to the President if there is a need to report something.

That said, there is no one correct answer as to where the CISO, or the CIO for that matter, should report. It very much depends on the culture of the organization, maturity of IT and Information Security functions, and any local issues posing barriers to creating a security mindful culture within the institution.

Lewis

____________________________________________________________________________
**** CONFIDENTIALITY STATEMENT ****
The information in this message may be confidential. If you received the message in error, please notify me and delete the message. Further dissemination is prohibited. Thank you.
____________________________________________________________________________
Lewis Watkins, Chief Information Security Officer
The University of Texas System, 201 W. 7th Street, ASH 318, Austin, Texas 78701
Ph: (512) 499-4540
____________________________________________________________________________

On Thu, Oct 24, 2013 at 12:00 AM, SECURITY automatic digest system <LISTSERV () listserv educause edu> wrote:

There are 6 messages totalling 997 lines in this issue.
Topics of the day:

1. reporting structure (6)

----------------------------------------------------------------------

Date: Wed, 23 Oct 2013 20:20:40 +0000
From: Russ Leathe <Russ.Leathe () GORDON EDU>
Subject: reporting structure

Who does Information Security report to? Does the CSO or ISO report to the CIO or somebody else?

Thanks and Happy Cyber Security Month!

Russ
Gordon College
russ () gordon edu
Current thread:
- reporting structure Russ Leathe (Oct 23)
- Re: reporting structure Knights, John (Oct 23)
- Re: reporting structure Chris Vakhordjian (Oct 23)
- Re: reporting structure Valdis Kletnieks (Oct 24)
- Re: reporting structure Chris Vakhordjian (Oct 23)
- Re: reporting structure Jenny Blaine (Oct 23)
- Re: reporting structure George Farah (Oct 23)
- Re: reporting structure Valerie Vogel (Oct 23)
- <Possible follow-ups>
- Re: Reporting Structure John Forker (Oct 24)
- Re: Reporting Structure Watkins, Lewis (Oct 24)
- Re: reporting structure Knights, John (Oct 23)