My thoughts on one of the challenges facing infosec offices in higher education. It reflects my thoughts, and not necessarily those of my employer.
The institutional challenge of creating centralized, cost-effective efficiencies in an environment with a strong tradition of localized, decentralized IT solutions and personnel is the norm in higher education.
An Information Security Office can create centralized efficiencies by:
- Modeling an effective centralized service organization that is responsive to the individual needs of specific departments. (One way to accomplish this is by regular meetings with stakeholders to ensure that the Information Security Office can enable their business, rather than create barriers with unreasonable requirements.)
- Providing centralized security services such as vulnerability scanning of web applications and servers, and security reviews of proposed solutions.
- Managing compliance initiatives such as private information remediation centrally, leveraging an extended team composed of empowered college and division representatives.
- Supporting cloud-based sharing solutions that do not require localized site support and that could be more effectively managed centrally.
- Supporting efforts to centralize authentication mechanisms.
- Administering a centralized security project budget.
- Driving centralization by drafting and gaining consensus on comprehensive technical standards, especially for servers and networks, that make it obvious that it’s more effective and desirable for these areas to be supported centrally.
- Recognizing that one size does not fit all and that the Information Security Office may need to provide appropriate service level agreements in certain areas.
- Communicating clearly to Deans and VPs that continued use of local support indicates that they are willing to accept all associated risks, especially those risks related to compliance.
In general, overcoming the existing decentralized model is about selling the value proposition of centralization to the various colleges and departments that use localized support. Can they make better use of their limited resources if they no longer carry the burden of supporting systems and networks that can be centrally managed?
Having trouble with security awareness at your university or college? Need some new ideas? Trying to figure out what to do for National Cyber Security Awareness Month?
The members of the EDUCAUSE Higher Education Information Security Council (HEISC) Awareness and Training Working Group have created some wiki-based resources to help you with your security awareness initiatives.
We’ve created two main resources.
- The Quick Start Guide (https://wiki.internet2.edu:443/confluence/x/sRpG) provides ideas and resources for launching a security awareness program. Topics range from establishing an Information Security Awareness Program to different techniques and vehicles for “getting the message out.” The Quick Start Guide is useful for both beginning and advanced security awareness programs.
- The Detailed Instruction Manual (https://wiki.internet2.edu:443/confluence/x/yBpG) provides additional topics around selected security awareness initiatives including campus-specific efforts and tips on communicating specific issues.
Check out these resources. The A&T Working Group is delighted to share their ideas with you and they’re there to help you be successful. They have a wide range of expertise and they believe you’ll find these materials valuable.