Resources
Location:
Lessons Learned from RIT’s First Security Posture Assessment

Lessons Learned from RIT’s First Security Posture Assessment

Title:Lessons Learned from RIT’s First Security Posture Assessment (ID: EPS197)
Author(s):James H. Moore (Rochester Institute of Technology)
Topics:Network Vulnerability Assessment, Security Risk Assessment and Analysis, Vulnerability Scanning
Origin:Community Contributions (2004)
Type:Effective Practices
Abstract:

Rochester Institute of Technology (RIT) is the 11th largest private university in the United States with approximately 22,500 hosts on our network. We have one of the largest computer science and information technology programs in the nation, with 3,000 full-time students currently enrolled and 4,500 students projected within the next five years.

Concern has been growing within RIT regarding the increasing number of security threats and legal privacy mandates such as the Gramm-Leach-Bliley Act (GLBA) and Family Educational Rights and Privacy Act (FERPA).

In 2002, I discussed with the director of risk management and the VP of finance and administration the need to uncover technology and security gaps. I brought up that the proper context for evaluating security technology and gaps could not exclude the people and processes, which are more accurately measured during a security posture assessment. The classic capability maturity model (CMM) triad consists of people, technology, and processes. We decided to locate an objective outside vendor to conduct a campus-wide security posture assessment.

Security posture assessments measure the effectiveness of the communication of information security priorities. Posture assessments most often start at the top-level mission statements and finish with the effectiveness of currently implemented operational and technical controls.

When we first started asking for support, the general attitude was that an external assessment would simply discover what everyone already knew. However, we needed the external validation to add credibility and weight to the results. We knew people would be asked questions they had never been asked before, and more importantly, that they would see how their peers responded to the questions (during group interviews), making them more aware of the risks as well as what was being measured. The groups each included up to 20 people who responded to a list of questions about how they perceived threats as well as the processes they used for managing and handling campus information. If security priorities had not been clearly communicated prior to this, they were discussed during the group interviews, and this information fed into the final report.

View this resource:
 |  | 
Bookmark/Search this page with:
   del.icio.us   Digg   Google   Yahoo   Technorati Stumbleupon Facebook Twitter

 
© Copyright 1999-2009 EDUCAUSE
  Unless otherwise noted, EDUCAUSE holds the copyright on all materials published by the association, whether in print or electronic form. In certain cases the work remains the intellectual property of the individual author(s) (see Special Circumstances). Content from conference speeches, presentations, blogs, wikis and feeds reflect the opinions of the author, and not necessarily those of EDUCAUSE or its members.