Educause Security Discussion mailing list archives

Re: Campus Security Governance Structures?


From: Shane Bishop <shanebishop () JALC EDU>
Date: Wed, 9 Apr 2008 13:57:08 -0500



[Martin Manjak] Looks like I have to answer my own query.

The lack of response to this question is intriguing. Does it mean that
most institutions don't have some form of governance when it comes to
information security?

[Shane Bishop] For institutions of higher education the preferred framework
seems to be COBIT. The Gartner report "Hype Cycle for Higher Education,
2007" depicts COBIT just showing up on the radar screen for many
institutions. Only the test of time will determine if COBIT will be the
preferred framework among higher education, or just another fad. Personally,
I like COBIT but would like to see something even a little more contoured
for higher education. Perhaps a CobEd version 1.0. Prudent information
security officers like well-organized and clear-cut objectives pertaining,
and including verbiage, related to their industry. The word "business" in
higher education will often return looks of confusion. Having to improvise a
framework into something that isn't uniformly agreed upon by your peers in
the industry leads to less acceptance and a greater chance of failure.
Alternatively, COBIT is much better than no framework, and this indicates
the maturity level for acceptance of a framework in higher education is
still in its juvenile stages IMHO.

http://www.gartner.com/DisplayDocument?doc_cd=148910

[Martin Manjak] If that's the case, how are decisions made that affect the
institution's security posture? How are assets ranked and vulnerabilities
prioritized? How is risk assessment performed? Who decides what investments
are made into what technologies and controls?

[Shane Bishop] An assessment needs to be done to map IT assets to business
services and which individuals are accountable for these processes. Once
that is done you would normally do a business impact analysis to prioritize
the severity of security risks to those assets.

[Martin Manjak] It seems to me that if you get governance right, many other
things fall into place because you get institutional recognition of risk and
endorsement of mitigation strategies.

[Shane Bishop] Very true; trying to change the culture to see the benefits
of enterprise-level IT security governance seems to be the bigger obstacle.
Having the CISO in a different division than the CIO seems to complement
this undertaking. Until government regulation is passed that requires
institutions of higher education to have external auditors assess security,
there will not be conformity to a standard.



Shane Bishop
Associate Director of Network Infrastructure
John A. Logan College
CISM, CISSP
http://shanebishop.info
(618) 985-3741 Ext. 8544
