Lessons Learned from RIT’s First Security Posture Assessment
Thursday, January 1, 2004
Abstract
Rochester Institute of Technology (RIT) is the 11th largest private university in the United States with approximately 22,500 hosts on our network. We have one of the largest computer science and information technology programs in the nation, with 3,000 full-time students currently enrolled and 4,500 students projected within the next five years.
Concern has been growing within RIT regarding the increasing number of security threats and legal privacy mandates such as the Gramm-Leach-Bliley Act (GLBA) and Family Educational Rights and Privacy Act (FERPA).
In 2002, I discussed with the director of risk management and the VP of finance and administration the need to uncover technology and security gaps. I brought up that the proper context for evaluating security technology and gaps could not exclude the people and processes, which are more accurately measured during a security posture assessment. The classic capability maturity model (CMM) triad consists of people, technology, and processes. We decided to locate an objective outside vendor to conduct a campus-wide security posture assessment.
Security posture assessments measure the effectiveness of the communication of information security priorities. Posture assessments most often start at the top-level mission statements and finish with the effectiveness of currently implemented operational and technical controls.
When we first started asking for support, the general attitude was that an external assessment would simply discover what everyone already knew. However, we needed the external validation to add credibility and weight to the results. We knew people would be asked questions they had never been asked before, and more importantly, that they would see how their peers responded to the questions (during group interviews), making them more aware of the risks as well as what was being measured. The groups each included up to 20 people who responded to a list of questions about how they perceived threats as well as the processes they used for managing and handling campus information. If security priorities had not been clearly communicated prior to this, they were discussed during the group interviews, and this information fed into the final report.