Home page logo

educause logo Educause Security Discussion mailing list archives

Re: success stories
From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Thu, 20 Nov 2008 08:58:33 -0500

On the policy front, we've used several methods to achieve support from senior management.  When we put a policy in place to 
address HIPAA security requirements, we worked up-front with the Office of General Counsel to ensure the policy accurately 
reflected regulatory requirements and then it was simply a matter of saying, hey this is required by law.  The policy was 
accepted by the University without a hitch.  It helped that it was our General Counsel that said that to the President's 
Council (was approves all policies).  We also spent a lot of time building relationships with HR and Student Health since they 
were the primary stakeholders.

We're currently having a lot of success with our Information Security Policy proposal.  Our technique there has really just been 
understanding business requirements, being flexible and selling it in a manner that makes sense for whichever audience we're 
presenting to.  Letting people talk through their concerns and taking a real interest in addressing those concerns is also very valuable.  
We've really had little resistance to this point and we're moving along much faster than I would have originally anticipated.  I 
guess this fits into relationship building with key players.  There are just a lot of key players when dealing with something that impacts 
the entire university.

In general, comparisons with peer institutions and industry standards also goes a long way for us in anything we do.  Its 
pretty much expected that we evaluate what other universities are doing.  On occasion, an audit issue or an incident will 
also help drive something forward.  In my experience though you have to capitalize on those pretty quickly otherwise 
priorities will shift and they'll be forgotten about.

Kathy Bergsma wrote:
I'm interested in hearing about your success stories engaging senior
management support for security initiatives.  What methods worked at
your institution?  I've suggested some methods below.  Let me know which
ones have worked for you and identify others ideas not listed.

Fear, uncertainty and doubt
Metaphors and analogies
Comparison with peer institutions
Financial benefits such as ROI (return on investment)
Leverage an incident
Working behind the scenes
Ask forgiveness rather than permission
Little by little baby steps
Relationship building with key players?  Who are the key players
Other ideas

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]