Re: Security Program Development / Staffing survey - Not social engineering.

[James Moore <jhmfa () RIT EDU>]

Good point, although I can think of better information, like some of
what has been floating along the list regarding vulnerability scanners
in use, IDSs in use, etc.  It is a safe assumption that the bad guys are
on the list, and listening.  That is why people more often voice this
kind of question through forums of FIRST, I4, or ESF.  But participation
in those venues, often implies a maturing, rather than starting program.

But most people on Educause Security list know me.  I was on the progam
committee for this year's Educause Security Professionals Workshop.

In years of tight budgeting, it is difficult to grow an information
security program.  I tried 2 years ago with benchmarking.  I followed
with an information security posture assessment (also documented for
Educause, and in their archives).  I am trying again with benchmarking.


I imagine that there are other people who have been trying to start
information security programs ever since GLBA, and have found themselves
wanting/needing to expand, but without resources.  Then they want to be
proactive, but can't over commit, or risk the credibility of the
program.  I am gathering this information for myself.  I can see its
broader use, as well.

Jim
> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv 
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Samuel Liles
> Sent: Monday, August 30, 2004 1:14 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Security Program Development / 
> Staffing survey - Brief
>
> I don't want to be trite, but wouldn't that exact information 
> make a great finger print of an institution? I think it would 
> be one of the greatest social engineering hacks of all times. 
> So Eve says to Alice "I logged onto a mail server and 
> everybody sent me their technology capabilities and 
> institutional protection capabilities... No really!".
>
> Welcome back to school.
>
> --------------------------
> Sam Liles
> Purdue University Calumet
> Assistant Professor CISIT
> Gyte 278
> 2200 169th Street
> Hammond, IN 46323-2094
> liless () calumet purdue edu
> sliles () purdue edu (West Lafayette)
> (219)989-3195 Voice
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv 
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James Moore
> Sent: Monday, August 30, 2004 11:59 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Security Program Development / Staffing 
> survey - Brief
>
> I am trying to do benchmarking to describe "normal" growth 
> for our information security program.
>
>  Mail To: jhmfa () rit edu       Indicate if you want to be included in a
> summary for Educause.
>
> 1).  How large is your institution?
>
>
> 2)   Do you have factors which make your information security 
> especially
> complex
>      a)  medical school?
>
>      B)  gov't contracts, sensitive information?
>
>      c)  technology school?
>
>      d) other?
>
> 3)   Is your information security program institute wide?
>
>      If not,  describe?
>
> 4)   How long ago did you start your information security program?
>
> 5)   How many people have information security as full-time position?
>
> 6)   How many people are in information security part-time 
> positions (at
> least half-time)?
>
> 7)   How many people do?
>      a)   Information Security Policy/Standards Development
>
>      b)   Information Security Awareness
>
>      c)   Incident Handling / Investigations
>
>      d)   Are all abuse reports treated as incidents?  If 
> not, how many
> do abuse report handling?
>
>      e)   Network Monitoring / Scanning / IDS /ISP
>
>      f)   Risk Assessment / Security Reviews of systems in development
>
>
> 8)  How did your program develop in the first few years?  
> (e.g. We started with 1, a year later we added another, 2 
> years later we added 2 more ...)
>
>
>
> 9) Lessons learned or war stories (e.g. We deployed too much 
> new technology early on, without raising awareness ...)
>
>
>
> Jim
> - - -
> Jim Moore, CISSP, IAM
> Information Security Officer
> Rochester Institute of Technology
> 13 Lomb Memorial Drive
> Rochester, NY 14623-5603
> Office: 585-475-5406
> Lab: 585-475-4122
> Fax: 585-475-7950
>
> "In the middle of difficulty lies opportunity." Albert Einstein
>
> "The release of new internet threats have not created a new 
> problem. It has merely made more urgent the necessity of 
> solving an existing one."
> Parallels quote by Albert Einstein on atomic energy
>
> **********
> Participation and subscription information for this EDUCAUSE 
> Discussion Group discussion list can be found at 
> http://www.educause.edu/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE 
> Discussion Group discussion list can be found at 
> http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.