Educause Security Discussion
mailing list archives
Re: Integrating security in IT processes
From: Brian J Smith-Sweeney <bsmithsweeney () NYU EDU>
Date: Thu, 15 Nov 2012 11:50:53 -0500
In terms of getting security involved in IT projects, folks that I've
talked to have had success inserting security into some or all of the
following points along the project pipeline:
1) Project Management Office/Group/Process: security as milestones,
part of the project intake process, etc.
2) Legal: Security review as a requirement before OLC will sign off on
3) Procurement: Security review as a requirement before
Purchasing/Finance/etc. gives out the money
4) Insurance/Risk Management: Security review as an input into the
overall risk management and insurance conversation
You could also translate "requirement" into "advised" in each of the
above, depending on the level of authority or responsibility the
security group has.
We have contacts in each of the above areas but we've really focused
our efforts on formalizing security's integration into the IT project
management process. That begins at project intake with a brief series
of questions in our project tracking system. Whenever anyone enters a
project they're required to provide information about the
classification of the systems and data involved in the project.
That information guides the level of involvement for the security
group; low criticality systems might just get a quick once-over, but
the presence of a high criticality system and/or Restricted data means
that project gets a security analyst assigned to it. The security
consulting process itself then has a number of steps that align with
the various phases of our IT project management process.
I've done some internal presenting on this process and hope to some
day provide our documentation to the broader higher-ed community, but
we're not quite there yet :). I am however happy to chat offline if
you have questions on the above.
ITS Technology Security Services, New York University
On Tue, Nov 13, 2012 at 11:56 AM, Andy Scott <Andy_Scott () bcit ca> wrote:
I am looking at improving the integration of information security in IT
processes (project development, maintenance, etc.). I am interested in what
others have successfully done to improve the integration of security.
Andy Scott, CISSP
Information Security Officer, IT Services
British Columbia Institute of Technology
3700 Willingdon Ave, Burnaby, BC, V5G 3H2
Tel: 604-432-8683 Mobile: 778-928-2444
Email: andy_scott () bcit ca Web: bcit.ca/its/security