Educause Security Discussion mailing list archives

Re: Reporting Structure
From: "Watkins, Lewis" <LWATKINS () UTSYSTEM EDU>
Date: Thu, 24 Oct 2013 14:33:49 +0000

Within the University of Texas System, policy is that Institutional CISOs report to the President of the Institution or 
to an Executive Officer who reports directly to the President.  In most cases, this ends up being the EVP for Business 
affairs or the Provost.  Policy also states that the Institutional CISO is not to report directly to the CIO.  This 
went into effect a few years ago to address certain conflicts of interest that can arise when the CISO reports directly 
to the CIO, somewhat analogous to the Audit Director reporting directly to the Chief Financial Officer.

UT System Institutional CISOs also have dotted line reporting relationships to the Institutional Compliance Officer, 
the UT System CISO, and in some cases the Institutional CIO.   In all cases, the CISO has permission to go to the 
President if there is a need to report something.

That said, there is no one correct answer as to where the CISO, or the CIO for that matter, should report.   It very 
much depends on the culture of the organization, maturity of IT and Information Security functions, and any local 
issues posing barriers to creating a security-mindful culture within the institution.

                             **** CONFIDENTIALITY STATEMENT ****
The information in this message may be confidential. If you received the message in error,
please notify me and delete the message.  Further dissemination is prohibited. Thank you.
Lewis Watkins, Chief Information Security Officer
The University of Texas System, 201 W. 7th Street, ASH 318, Austin, Texas 78701
Ph:  (512) 499-4540

On Thu, Oct 24, 2013 at 12:00 AM, SECURITY automatic digest system <LISTSERV () listserv educause edu> wrote:
There are 6 messages totalling 997 lines in this issue.

Topics of the day:

  1. reporting structure (6)


Date:    Wed, 23 Oct 2013 20:20:40 +0000
From:    Russ Leathe <Russ.Leathe () GORDON EDU>
Subject: reporting structure

Who does Information Security report to? Does the CSO or ISO report to the CIO or somebody else?

Thanks and Happy Cyber Security Month!

Gordon College
russ () gordon edu
