CISO Memo: On Being an Umpire
Security is an interesting area to be a professional in. Much of what we do is behind the scenes, and difficult to place a value on. Someone once said that security is "like being an umpire". What he meant by this was that, when you deliver security with precision and excellence, no one even knows you are there. But, on the rare occasion when security is in the spotlight, everyone has a comment.
The Brown Information Security Group has a goal of striking the perfect balance between these oftentimes mutually exclusive scenarios: place an emphasis on excellence and world-class security, while also being in a position where commentary is prevalent, although positive in nature! How do we do this?
First, by being accessible and visible. ISG provides proactive security expertise throughout the university, by consulting on projects large and small, speaking at department meetings, providing mandatory and brown-bag training sessions, and fostering relationships with technology staff throughout Brown. Second, by identifying areas of risk improvement, and continually improving our processes and methods to ensure the security of the University.
In June, we'll be combining these two actions when we begin our bi-annual risk assessment process throughout much of the campus. The 2009 Risk Assessment has been updated with content from the IT Audit Manager, and matured through feedback, input, and guidance from our DCC and SysAdmin colleagues. We believe our visibility and openness have led to a better understanding of the role that the risk assessment plays, and have helped prepare our campus for its implementation.
The self-administered assessment covers a great many security topics, including laptops, desktops, servers, account management, policies and procedures, physical access, confidential and protected information, and many other areas. The assessment is based upon recognized security standards, and is intended to be used to validate the security of the campus, highlight areas of concern, and aid in developing future security initiatives. The results will be shared with the University in the Fall.
Awareness is a key component of information security strategy, and I'm pleased that you've visited this issue of SecureIT! Please read all the articles, test your skills in "Spot the Phony", and learn about the supporting role that our new IT Audit Manager plays in the security mission. As always, I welcome your feedback on all security topics (contact us at ISG@brown.edu). Remember, Sec_rity is not complete without U!