Re: Info Sec at Small Colleges

["Hagan, Sean" <sean.hagan () YC EDU>]

It's obviously up to the organizational culture and priorities of the institution, but my boss (our CIO) was able to 
successfully advocate for institutional support - initially a fairly small amount - just to do some internal resource 
shifting, and more recently enough to add a dedicated FTE.  Primarily this support was based on the increasingly 
complex and in-depth audits we were being subjected to by the state as well as a general awareness that attacks and 
potential exposure were increasing in both volume and sophistication, and that it was important to formally task 
someone with a responsibility to address those concerns.  Related to audits and compliance, we expect those prior 
audits were fairly benign by comparison to what we'll be subjected to this spring/summer with the FSA/GLBA audit 
finally happening.

In terms of numbers - we have 26 Information Technology FTE supporting 1,400 total employees and 7,282 FTSE at six 
campuses.  Two of the IT staff (myself included) are dedicated to InfoSec.  InfoSec here also supports compliance and 
privacy matters that in some other organizations might be handled by HR or a dedicated Risk Management or 
Audit/Compliance group, as well as certain technical items that might be handled by another IT functional area at other 
organizations.

I've presented on this topic at our state IT conference and will be co-presenting at Educause SPC next month on the 
same.  I'd be happy to chat offline and share some materials that might give a better idea of budgeting and strategic 
direction - at least how we've chosen to spend our limited resources.

Good luck!

Sean

~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sean Hagan
Chief Information Security Officer
Yavapai College
(928) 717-7651 - direct
https://www.yc.edu<https://www.yc.edu/>



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Davis, 
Chris
Sent: Friday, March 9, 2018 12:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Info Sec at Small Colleges

I apologize if this is a double email for anyone.  I sent this question the small college group, but then thought, it 
might get more traction/attention here.

Before my question, a brief background on my school.  We are a small Catholic liberal arts university with an 
enrollment of approximately 1,300 students.

We attended a webinar today on GDPR which led to a larger discussion regarding information security.  My question to 
the group is, how do the smaller colleges justify the expenditures required for a decent info sec program to your 
administration given the size of our institutions.  Also, would anyone be willing to hop on a call to discuss info sec 
programs at small colleges and what you are doing to stay compliant with the various regulatory requirements - PCI, 
HIPAA, GLBA, Red Flag, FERPA, and potentially, GDPR.

Many thanks in advance!

Chris


Christopher Davis, Ph.D.
Chief Information Officer
Lourdes University
6832 Convent Blvd. | REH 003P | Sylvania, OH 43560
cdavis () lourdes edu<mailto:cdavis () lourdes edu>

CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) 
and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not 
the intended recipient of this message or their agent, or if this message has been addressed to you in error, please 
immediately alert the sender by reply email and then delete this message and any attachments. If you are not the 
intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its 
attachments is strictly prohibited.