Educause Security Discussion mailing list archives

Re: Integrating security in IT processes


From: "Manjak, Martin" <mmanjak () ALBANY EDU>
Date: Thu, 15 Nov 2012 17:09:02 +0000

In addition to some of the insertion points that Brian has identified in his environment (Legal and Procurement), we 
have been working with our Controller's office to integrate security in our formal internal controls program. We do 
this by including info sec questions on the self-assessment questionnaire that each office and department is required 
to perform on a three-year cycle. We then follow up with targeted, in-person reviews of an office's policies and 
practices, and make recommendations if we feel they need to make improvements. The personnel for these reviews includes 
myself, someone from our General Counsel's office, and the two staff members responsible for internal controls 
compliance.

Marty Manjak
ISO
University at Albany


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brian J 
Smith-Sweeney
Sent: Thursday, November 15, 2012 11:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Integrating security in IT processes

In terms of getting security involved in IT projects, folks that I've talked to have had success inserting security 
into some or all of the following points along the project pipeline:

1) Project Management Office/Group/Process: security as milestones, part of the project intake process, etc.
2) Legal: Security review as a requirement before OLC will sign off on a contract
3) Procurement: Security review as a requirement before Purchasing/Finance/etc. gives out the money
4) Insurance/Risk Management: Security review as an input into the overall risk management and insurance conversation

<Snip>

Cheers,
Brian

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Smith-Sweeney
Assistant Director
ITS Technology Security Services, New York University http://www.nyu.edu/its/security 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


On Tue, Nov 13, 2012 at 11:56 AM, Andy Scott <Andy_Scott () bcit ca> wrote:
Hi,



I am looking at improving the integration of information security in 
IT processes (project development, maintenance, etc.). I am interested 
in what others have successfully done to improve the integration of security.



Thanks.

_________________

Andy Scott, CISSP

Information Security Officer, IT Services

British Columbia Institute of Technology

3700 Willingdon Ave, Burnaby, BC, V5G 3H2



Tel: 604-432-8683  Mobile: 778-928-2444

Email: andy_scott () bcit ca  Web: bcit.ca/its/security



