Infosec Strategies: Creating Centralized Efficiencies in a Decentralized IT Environment
Categories: Higher Education, Information Security, Infosec Communicator, Leadchange, Risk, Uncategorized

My thoughts on one of the challenges facing infosec offices in higher education. It reflects my thoughts, and not necessarily those of my employer.

The institutional challenge of creating centralized, cost-effective efficiencies in an environment with a strong tradition of localized, decentralized IT solutions and personnel is the norm in higher education.
An Information Security Office can create centralized efficiencies by:
- Modeling an effective centralized service organization that is responsive to the individual needs of specific departments. (One way to accomplish this is by regular meetings with stakeholders to ensure that the Information Security Office can enable their business, rather than create barriers with unreasonable requirements.)
- Providing centralized security services such as vulnerability scanning of web applications and servers, and security reviews of proposed solutions.
- Managing compliance initiatives such as private information remediation centrally, leveraging an extended team composed of empowered college and division representatives.
- Supporting cloud-based sharing solutions that do not require localized site support and that could be more effectively managed centrally.
- Supporting efforts to centralize authentication mechanisms.
- Administering a centralized security project budget.
- Driving centralization by drafting and gaining consensus on comprehensive technical standards, especially for servers and networks, that make it obvious that it’s more effective and desirable for these areas to be supported centrally.
- Recognizing that one size does not fit all and that the Information Security Office may need to provide appropriate service level agreements in certain areas.
- Communicating clearly to Deans and VPs that continued use of local support indicates that they are willing to accept all associated risks, especially those risks related to compliance.
In general, overcoming the existing decentralized model is about selling the value proposition of centralization to the various colleges and departments who use localized support. Can they better use their limited resources if they do not have the burden of providing support to systems and networks that can be centrally managed?
2 Comments
Guide Dogs and Information Security: Raising Them to be Enablers « Infosec Communicator
November 8, 2012 at 5:00 pm
[…] Infosec Strategies: Creating Centralized Efficiencies in a Decentralized IT Environment […]
John
November 2, 2012 at 9:50 pm
A lot of ideas here… I’ll try to be succinct.
Yes, a “security office” can provide expertise. More important than services or being “responsive.” Such an organization would lead forward with a unique awareness of regulatory frameworks (HIPAA/HITSP, PCI DSS, FIPS-200, yada yada). Seems like this would be a natural collaboration with law and accounting departments for a typical university.
Tech. standards abound. Look at NIST SPs. No shortage there, and the quality is stellar. More important is to fashion and promulgate security policy. Back to the expertise of a security office, how about risk/vulnerability analysis? Determining the critical data and protecting it at rest, in motion, and transport is central to ISS.
The cloud and off-site Email is a huge problem. Again, do the risk analysis and protect the important bits. The rest should go to the cheap/least constrained options.
One-size-does-not-fit-all. Absolutely! Finding the right size takes expertise.
Communicating clearly. Probably the most important, yet most difficult bit. We cannot be satisfied with budget, policy, standards, assessment, and so forth. Yes, they are needed, but the real goal is creating a security culture that can be sustained in the face of constant turnover. This requires a champion that can sustain a long-term perspective. Not saying it’s easy by any means!
Good luck. You’re on the right track.