Advancing Security Programs through Partnerships

Cathy Hubbs, IT Security Coordinator, George Mason University

Shirley Payne, Director for Security Coordination & Policy, University of Virginia

Copyright Cathy Hubbs and Shirley Payne 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

IT Security Office Landscape

20 percent of the U.S. institutions surveyed have a full-time chief IT security officer

At 22 percent of the institutions, IT security is the responsibility of a single individual

95 percent of the IT security officers report to a senior administrator in the IT office, including 50 percent who report to the CIO

Coordinator Model

Responsibilities of Security Officers

Policy Development

Compliance

Awareness Education & Technical Training

Risk Assessment & Business Continuity

Strategic Planning

Incident Detection & Response

Technical Communications (Alerts)

Security Champion

These Responsibilities Require Many Roles To Be Filled

Policy Writer

Champion

Teacher

Strategic Planner

Watch Dog

Technical Expert

Communications Expert

Lawyer

Enforcer

Sage

Etc., etc., etc.


Executive Staff

Executive Level Champions

Tom Hennessey, Chief of Staff, George Mason University

Faculty, Staff, & Student Leaders

Chief of Human Resources

Dean of Students

Dorm Resident Advisors

Student Honor Committee

Central IT - Computer Group

Network Engineers

System Engineers

Desktop Support Technicians

Support Center (help desk)

Instructional Designers

Systems Administrators

Contribute to development of guidelines and policies

Assist in defining security awareness and education priorities

Act as security champions in their departments

Disseminate security alerts within their departments

Security Officers

Communities of Practice

Multiple Perspectives

Reuse (no need to reinvent)

EDUCAUSE

VA SCAN

Researchers & Educators

Partners in grant opportunities

Participate in awareness events

Share news of research frontiers in security

Advisory Committees

Established committees and ad hoc focus groups

Review new guidelines, standards, policies

Assist in defining awareness & education priorities

Internal Auditors

Define Risk Assessment priorities

And more…

Barbara Deily, U.Va. Audit Director

Fraud Investigation:

• Investigations coordinated

• Expertise shared

• Audit reporting channels leveraged

Policy Implementation:

• Policy acceptance improved

• Audit enforcement “Big Stick” available

Software Development and New Technology:

• Internal controls built in

• Assurance added

Much Easier To Move Forward Together On Security Vision

Legal Office

Interpret regulations

HIPAA

Gramm-Leach-Bliley Act (GLBA)

FERPA

Advise on new policies

Counsel on incident handling

Notify of new or pending legislation

Police Department

Knowledge sharing

Assist during investigations of security breaches and responsible use issues like cyberstalking

IT security awareness initiatives combined with general security & safety

Public Relations Experts

Design professional literature

Communicate alerts, events and other information

Produce creative marketing tools that deliver the security message in unique and innovative ways, e.g. the U.Va. video


Remember This Unhappy Juggler of Roles?

Partnerships Make All The Difference!

Provide greater flexibility

Ease access to others' competencies

Share labor

Share knowledge capital

[Figure: partners surrounding an Enhanced Security Program: Executives, Legal Office, Auditors, Police, Researchers & Educators, Public Relations, Central IT, Other Security Officers, System Administrators, HR/Dean of Students, Advisory Committees, etc.]

You Get Your Sanity Back!

Making Partnerships Work

Choose Partners Carefully

Should have common goals

Should have recognized benefits on both sides

Should be based upon mutual trust

Manage the Partnership

Set realistic expectations

Communicate well

Resolve issues quickly

Periodically review partnership health

Recognize their contributions

Questions?