Events for all Levels and InterestsStay
Jump Start Your Career GrowthStay
Get on the Higher Ed IT MapStay
Uncommon Thinking for the Common Good™Stay
Lessons Learned from RIT’s First Security Posture Assessment
Thursday, January 1, 2004
Rochester Institute of Technology (RIT) is the 11th largest private university in the United States with approximately 22,500 hosts on our network. We have one of the largest computer science and information technology programs in the nation, with 3,000 full-time students currently enrolled and 4,500 students projected within the next five years.
Concern has been growing within RIT regarding the increasing number of security threats and legal privacy mandates such as the Gramm-Leach-Bliley Act (GLBA) and Family Educational Rights and Privacy Act (FERPA).
In 2002, I discussed with the director of risk management and the VP of finance and administration the need to uncover technology and security gaps. I brought up that the proper context for evaluating security technology and gaps could not exclude the people and processes, which are more accurately measured during a security posture assessment. The classic capability maturity model (CMM) triad consists of people, technology, and processes. We decided to locate an objective outside vendor to conduct a campus-wide security posture assessment.
Security posture assessments measure the effectiveness of the communication of information security priorities. Posture assessments most often start at the top-level mission statements and finish with the effectiveness of currently implemented operational and technical controls.
When we first started asking for support, the general attitude was that an external assessment would simply discover what everyone already knew. However, we needed the external validation to add credibility and weight to the results. We knew people would be asked questions they had never been asked before, and more importantly, that they would see how their peers responded to the questions (during group interviews), making them more aware of the risks as well as what was being measured. The groups each included up to 20 people who responded to a list of questions about how they perceived threats as well as the processes they used for managing and handling campus information. If security priorities had not been clearly communicated prior to this, they were discussed during the group interviews, and this information fed into the final report.