Re: Security team and budget

["Youngquist, Jason R." <jryoungquist () CCIS EDU>]

Theresa,

Here are some ideas (not all in our budget)  -


·         Network access control (NAC)

·         Vulnerability management

·         Laptop encryption

·         Security Information and event management (SIEM)/log management

·         Firewall(s)/VPN

·         Sensitive information scanning software

·         Anti-virus/anti-malware/ad blocking software

·         Anti-spam solution

·         Privilege management solution (ie. remove local admin)

·         Application whitelisting

·         2-factor authentication

·         Mobile device management

·         Data loss prevention software (DLP)

·         Secure file sharing

·         Web application firewall (WAF)

·         Web application scanning/code review software

·         E-Discovery tools

·         Database activity monitoring (DAM)

·         Forensic software - Full packet capture/network/host-based forensic software

·         Host-based intrusion detection/file integrity monitoring

·         Network bandwidth/monitoring tools – ie. netflow collector

·         Pentesting software

·         Third party security audits

·         Security awareness training for faculty/staff/students

·         Security training/conferences/courses for security staff


​​​​​
Jason Youngquist, CISSP, CISA, GWAPT, GCWN
Senior Information Security Engineer
Columbia College – Technology Services
1001 Rogers Street, Columbia, MO  65216
(573) 875-7334
jryoungquist () ccis edu<mailto:jryoungquist () ccis edu>
http://www.ccis.edu<http://www.ccis.edu/>



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Theresa 
Rowe
Sent: Tuesday, March 01, 2016 11:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security team and budget

Hi,

After a recent security audit, the auditor suggested that the security budget, inclusive of staffing, was underfunded.  
Using Gartner and other data, for a university our size, the suggested budget was around $500,000 to $700,000.  We are 
at 45-55% of that amount.

At first I thought a major difference would be what we spend on staff; there are two staff members on the team. But 
when I go to Educause Core Data, and compare our Carnegie class and a created group of identified peers, 2 is the size 
of the team.

This makes me wonder what we are not buying in our security budget.  We have AV, logging (hosted Splunk), and the usual 
stuff, or so I thought.

Would anyone be willing to share details about what is included in their security budget?

Thanks in advance -

--
Theresa Rowe
Chief Information Officer
Oakland University