
Hi,

 

I am looking at improving the integration of information security in IT processes (project development, maintenance, etc.). I am interested on what others have successfully done to improve the integration of security.

 

Thanks.

_________________

Andy Scott, CISSP

Information Security Officer, IT Services

British Columbia Institute of Technology

3700 Willingdon Ave, Burnaby, BC, V5G 3H2

 

Tel: 604-432-8683  Mobile: 778-928-2444

Email: andy_scott@bcit.ca  Web: bcit.ca/its/security

 

Comments

Message from bmccrary@osrhe.edu

The SANS 20 Critical Controls are concise and a quick way to start moving forward on formalization, all the while implementing quick fixes along the way. The key controls have been incorporated into FISMA as a centerpiece for government and large enterprise security programs, but they are very scalable. The emphasis on automation makes them even more effective.

 

http://www.sans.org/critical-security-controls/

 

Another source? NIST, particularly the NIST National Checklist Repository, which provides updated installation, administrative, security and device hardening checklists for a variety of systems. Granted, you may not intend to harden to DoD standards, but along with the now built-in security automation goals and how-to guidance, you get some nice base checklists to use, though it does take a bit more digging and effort.

Barbara McCrary
Chief Information Security Officer
MCSE, MCSE:Security, +Messaging, CompTIA Security+

bmccrary@osrhe.edu

 

Protecting data is a shared responsibility!

 

INSTALL antivirus and antispyware software.

USE strong passwords.

KNOW who you are dealing with online.

STORE confidential and sensitive data on encrypted devices only.

SHUT DOWN home computers or disconnect from the Internet when not in use.

 

Oklahoma State Regents for Higher Education
655 Research Parkway

Suite 200

Oklahoma City, OK  73104
405 225.9316 office
405 234.4321 cell
405 234.4588 fax

 


 

We're using the 20 critical controls as our blueprint for our security architecture here at VA Tech.

-Randy Marchany
VA Tech IT Security Office

All public higher ed schools in Utah use the 20 critical controls to some degree or another, if only because the 20 critical controls are the basis for the annual security audit that is performed by a roving technical audit team under the auspices of the state Board of Regents.

It remains to be seen how well that top-down endorsement of the 20 controls works to promote a penetration of the principles into all IT processes.  We are taking baby steps here.

Bob Bayn    SER 301    (435)797-2396       IT Security Team
Office of Information Technology,     Utah State University
     three common hazardous email scams to watch out for:
     1) unfamiliar transaction report from familiar business
     2) attachment with no explanation in message body
     3) "phishing" for your email password

In terms of getting security involved in IT projects, folks that I've talked to have had success inserting security into some or all of the following points along the project pipeline:

1) Project Management Office/Group/Process: security as milestones, part of the project intake process, etc.
2) Legal: Security review as a requirement before OLC will sign off on a contract
3) Procurement: Security review as a requirement before Purchasing/Finance/etc. gives out the money
4) Insurance/Risk Management: Security review as an input into the overall risk management and insurance conversation

You could also translate "requirement" into "advised" in each of the above, depending on the level of authority or responsibility the security group has.

We have contacts in each of the above areas, but we've really focused our efforts on formalizing security's integration into the IT project management process. That begins at project intake with a brief series of questions in our project tracking system. Whenever anyone enters a project they're required to provide information about the classification of the systems and data involved in the project[1]. That information guides the level of involvement for the security group; low criticality systems might just get a quick once-over, but the presence of a high criticality system and/or Restricted data means that project gets a security analyst assigned to it. The security consulting process itself then has a number of steps that align with the various phases of our IT project management process.

I've done some internal presenting on this process and hope to some day provide our documentation to the broader higher-ed community, but we're not quite there yet :). I am however happy to chat offline if you have questions on the above.

[1] https://www.nyu.edu/its/policies/sec_ref.html

Cheers,
Brian

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Smith-Sweeney
Assistant Director
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In addition to some of the insertion points that Brian has identified in his environment (Legal and Procurement), we have been working with our Controller's office to integrate security in our formal internal controls program. We do this by including info sec questions on the self-assessment questionnaire that each office and department is required to perform on a three-year cycle. We then follow up with targeted, in-person reviews of an office's policies and practices, and make recommendations if we feel they need to make improvements. The personnel for these reviews include myself, someone from our General Counsel's office, and the two staff members responsible for internal controls compliance.

Marty Manjak
ISO
University at Albany

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian J Smith-Sweeney
Sent: Thursday, November 15, 2012 11:51 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Integrating security in IT processes