Educause Security Discussion mailing list archives

Re: Campus Security Governance Structures?


From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Wed, 9 Apr 2008 13:34:47 -0700

Jim,

Interesting points that you raise, and I look forward to responding when I am not on my Blackberry so that I can give 
your response the attention that it deserves.

 
Sarah E Stevens
Stevens Technologies, Inc.
(704) 625-8842 x500
--------------------------
Sent from my BlackBerry Wireless Handheld

----- Original Message -----
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Wed Apr 09 13:13:51 2008
Subject: Re: [SECURITY] Campus Security Governance Structures?

Sarah,

I don't get how your response deals with the "Governance" question - it seems you've mixed apples and oranges - COBIT 
is the only control and Governance based standard you listed - NIST isn't a standard, it is an institute with a 
collection of guidelines and standards that includes a lot of implementation and assessment guidelines, but NIST 
shouldn't be confused with an International Standard for Governance.  ISO 17799 may be about constructing security, but 
it isn't about governance.

It isn't that there is a lack of good security guidance in these various items, I do refer to each of them, but they 
may be slightly less appropriate or applicable when applied outside of their designed audience.  Of the three, the only 
source that even claims to be a governance organization is the IT Governance Institute - so framing the others as 
governance standards and guidance is a tad misleading.  It's like trying to use ITIL to manage security when it is 
designed to address service delivery.

In the same breath, COBIT is not a security standard, it is a lifecycle control and governance device with some 
applicability to security, but has much more to do with achieving controls to ensure business objective achievement.  

I too agree that a "bigger picture" for decision making and governance is essential to effective campus/university IT.  
We need to stop thinking of IT ONLY as a service function ALIGNED with business.  Rather we need to recognize that 
while certain aspects of technology may be commodity services, information technology must be INTEGRATED into business 
decision (governance) processes - that implementing IT, whether that be security, operational decisions, or whatever, 
is an essential/integral part of the business process, not a reservoir of resources to be tacked alongside the business 
- a bucket to be reached into to solve the occasional problem.  The appropriate place for IT is flowing through the 
veins of the branch, not merely wrapping the outside.  ITGI (COBIT and other stuff) is the only one of the above 
resources that truly addresses this by role and responsibility definitions and governance assertion in a systematic 
fashion.  It has more to do with attesting to objective result than implementing security.  

The point here is not a blanket endorsement of COBIT - it is merely that governance is not just tactical or 
technological - it is business objective, process, responsibility, authority, decision making, risk/opportunity 
analysis, etc.  Using tools designed to address the tactics and technologies of security to infer governance may not be 
effective and may in fact continue to leave IT supporting the branch, not feeding it.
Related to Martin's original request - If I thought we had anything mature enough to be called commendable practice in 
the governance arena I'd offer it, but frankly our small successes are far removed from a mature governance solution, 
so he's better off looking at something like COBIT or other governance sources.  You haven't achieved IT governance 
until it is a trusted part of each major business council or decision making/planning organization as a partner, until 
IT decisions can clearly be assigned to responsible and authorized individuals possessing both the political authority 
and the resources to fund both the decision and the consequences of decision failures.

Best regards,

Jim

"Build strong muscles and bones, don't rely on splints and casts."

-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu        303-735-5682
-------------------Boulder------------------------

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarah 
Stevens
Sent: Wednesday, April 09, 2008 1:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Campus Security Governance Structures?

I completely understand your question, Martin.  For the past few years, I have participated in these boards, 
encouraging educational institutions to adopt a centralized approach to information security.  Unfortunately, a lot of 
focus has remained on details such as "laptop encryption" or single regulation compliance, instead of big picture reviews.

I perform risk assessments in academia, government, and corporations, and COBIT is not my first choice.  Of COBIT, ISO 
17799, and NIST, NIST is my favorite because of the versatility of the guidelines.  NIST 800 Series offers a framework 
that includes guidance for all the gory details, including data classification, risk management, and even which 
encryption technologies to use.

My disclaimer:  I own a corporation that performs risk assessment for various industries.  However, I perform volunteer 
speeches and routinely provide free services to academia in order to achieve my own mission of furthering information 
security as part of a core curriculum of knowledge spread and enabled through an individual's academic experience.

Regards,

Sarah E Stevens
Stevens Technologies, Inc.
(704) 625-8842 x500
--------------------------
Sent from my BlackBerry Wireless Handheld
