
Comments

Infosec Strategies: Creating Centralized Efficiencies in a Decentralized IT Environment — 2 Comments

  1. A lot of ideas here… I’ll try to be succinct.

    Yes, a “security office” can provide expertise. More important than services or being “responsive.” Such an organization would lead forward with a unique awareness of regulatory frameworks (HIPAA/HITSP, PCI DSS, FIPS-200, yada yada). Seems like this would be a natural collaboration with law and accounting departments for a typical university.

    Tech. standards abound. Look at NIST SPs. No shortage there, and the quality is stellar. More important is to fashion and promulgate security policy. Back to the expertise of a security office, how about risk/vulnerability analysis? Determining the critical data and protecting it at rest, in motion, and transport is central to ISS.

    The cloud and off-site Email is a huge problem. Again, do the risk analysis and protect the important bits. The rest should go to the cheap/least constrained options.

    One-size-does-not-fit-all. Absolutely! Finding the right size takes expertise.

    Communicating clearly. Probably the most important, yet most difficult bit. We cannot be satisfied with budget, policy, standards, assessment, and so forth. Yes, they are needed, but the real goal is creating a security culture that can be sustained in the face of constant turnover. This requires a champion that can sustain a long-term perspective. Not saying it’s easy by any means!

    Good luck. You’re on the right track.

  2. Pingback: Guide Dogs and Information Security: Raising Them to be Enablers « Infosec Communicator