Educause Security Discussion
mailing list archives
Re: success stories
From: Suresh Balakrishnan <suresh () USMD EDU>
Date: Thu, 20 Nov 2008 16:50:54 -0500
The USM is required to have guidelines that are compatible with State IT security policies and, as a result, the USM IT
security officers developed a comprehensive set of guidelines that address risk management, security policy, access
controls, network security, nonpublic information, encryption, and other areas. These guidelines were vetted with the
State legislative auditors and are periodically updated to align with revisions to the State IT Security Policy. All
USM institutions are required to report on the status of implementation of these guidelines annually and some of the
institutional security officers have taken advantage of this reporting process to engage senior management.
Asst. Vice Chancellor and Deputy CIO
University System of Maryland Voice: (301) 445-2783
Room 1B Cell:: (301) 922-0531
3300 Metzerott Road Fax: (301) 445-1918
Adelphi, MD 20783 E-mail: suresh () usmd edu
----- Original Message -----
From: "Lazor, Joseph" <JLazor () ADMIN FSU EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Thursday, November 20, 2008 8:41 AM
Subject: Re: [SECURITY] success stories
Development, adoption, deployment, and compliance monitoring of an IT
Security Governance Industry Standard such as ISO 17799. Concurrent
with this -- Enterprise ITSEC Strategy (ITSEC is a risk management
issue not a technical one!), enabling programs, federated compliance
monitoring tools, and performance metrics.
Suggested approach includes:
1. Articulate and approve an overall security strategy.
2. Develop a security technical architecture to support the
3. Establish needed policies to support the strategy and
4. Acquire additional tools to support the architecture.
5. Establish an organizational structure to deploy the tools and
monitor policy adherence.
6. Establish a management reporting mechanism to inform unit and
executive management about unit
adherence to the strategy and policies as well as to compromised
7. Prioritize activities into implementation phases.
8. Communicate the overall security program to the campus
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kathy Bergsma
Sent: Wednesday, November 19, 2008 2:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] success stories
I'm interested in hearing about your success stories engaging senior
management support for security initiatives. What methods worked at
institution? I've suggested some methods below. Let me know which ones
worked for you and identify others ideas not listed.
Fear, uncertainty and doubt
Metaphors and analogies
Comparison with peer institutions
Financial benefits such as ROI (return on investment)
Leverage an incident
Working behind the scenes
Ask forgiveness rather than permission
Little by little baby steps
Relationship building with key players? Who are the key players
UF Information Security Manager
- Re: success stories, (continued)