Advancing Security Programs through Partnerships
Cathy Hubbs, IT Security Coordinator, George Mason University
Shirley Payne, Director for Security Coordination & Policy, University of Virginia
Copyright Cathy Hubbs and Shirley Payne 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
IT Security Office Landscape
20 percent of the U.S. institutions surveyed have a full-time chief IT security officer
At 22 percent of the institutions, IT security is the responsibility of a single individual
95 percent of the IT security officers report to a senior administrator in the IT office, including 50 percent who report to the CIO
Coordinator Model
Responsibilities of Security Officers
Policy Development Compliance
Awareness Education & Technical Training
Risk Assessment & Business Continuity
Strategic Planning
Incident Detection & Response
Technical Communications (Alerts)
Security Champion
These Responsibilities Require Many Roles To Be Filled
Policy Writer
Champion
Teacher
Strategic Planner
Watch Dog
Technical Expert
Communications Expert
Lawyer
Enforcer
Sage
Etc., etc., etc.
[Figure: the security officer's roles: Policy Writer, Teacher, Champion, Watch Dog, Strategic Planner, Technical Expert, Communications Expert, Lawyer, Enforcer, Sage, Etc.!]
Faculty, Staff, & Student Leaders
Chief of Human Resources
Dean of Students
Dorm Resident Advisors
Student Honor Committee
Central IT- Computer Group
Network Engineers
System Engineers
Desktop Support Technicians
Support Center (help desk)
Instructional Designers
Systems Administrators
Contribute to development of guidelines and policies
Assist in defining security awareness and education priorities
Act as security champions in their departments
Disseminate security alerts within their departments
Security Officers
Communities of Practices
Multiple Perspectives
Reuse (no need to reinvent)
EDUCAUSE
VA SCAN
Researchers & Educators
Partners in grant opportunities
Participate in awareness events
Share news of research frontiers in security
Advisory Committees
Established committees and ad hoc focus groups
Review new guidelines, standards, policies
Assist in defining awareness & education priorities
Barbara Deily, U.Va. Audit Director
Fraud Investigation:
• Investigations coordinated
• Expertise shared
• Audit reporting channels leveraged
Policy Implementation:
• Policy acceptance improved
• Audit enforcement “Big Stick” available
Software Development and New Technology:
• Internal controls built in
• Assurance added
Much Easier To Move Forward Together On Security Vision
Legal Office
Interpret regulations: HIPAA, Gramm-Leach-Bliley Act (GLBA), FERPA
Advise on new policies
Counsel on incident handling
Notify of new or pending legislation
Police Department
Knowledge sharing
Assist during investigations of security breaches and responsible use issues like cyberstalking
IT security awareness initiatives combined with general security & safety
Public Relations Experts
Design professional literature
Communicate alerts, events and other information
Produce creative marketing tools that deliver the security message in unique and innovative ways, e.g. the U.Va. video
[Figure: juggler of roles: Policy Writer, Teacher, Champion, Watch Dog, Strategic Planner, Technical Expert, Communications Expert, Lawyer, Enforcer, Sage, Etc.!]
Remember This Unhappy Juggler of Roles?
Partnerships Make All The Difference!
Provide greater flexibility
Ease access to others' competencies
Share labor
Share knowledge capital
[Figure: Enhanced Security Program, with partner labels: Legal Office, Auditors/Police, Researchers & Educators, Public Relations, Central IT, Other Security Officers, System Administrators, HR/Dean of Students, Advisory Committees, Etc.!]
You Get Your Sanity Back!
Executives
Choose Partners Carefully
Should have common goals
There should be recognized benefits on both sides
Should be based upon mutual trust
Manage the Partnership
Set realistic expectations
Communicate well
Resolve issues quickly
Periodically review partnership health
Recognize their contributions