Audit and Compliance

Recent blog entries tagged with Audit and Compliance.

Building a Security Program to Include Metrics

Created by Valerie M. Vogel (EDUCAUSE) on August 13, 2008

In "Security Metrics: A Solution in Search of a Problem", a recent EDUCAUSE Quarterly article, Joel Rosenblatt (Manager of Computer and Network Security, Columbia University) describes how the creation and collection of appropriate metrics can enhance an institution's security program. Learn about some potential metrics in the following areas: policy and compliance, network and machine monitoring, outreach and education, legal compliance, authorization and authentication, asset protection, and privacy.

E07 Podcast: Improving IT Governance Through Formal Change Management

Created by Kelly Walker (Tintinnabulous) on November 16, 2007

This 24-minute podcast, recorded during the EDUCAUSE 2007 Annual Conference, features Danny Smith, Senior Director of IT Services at Marquette University, speaking on Improving IT Governance Through Formal Change Management.

The session abstract:

Changes to complex systems require careful planning and coordination to ensure additional incidents are not created in the production environment. This presentation will detail how Marquette University implemented ITIL-based change management to stabilize the infrastructure, gain visibility of work, and comply with financial audits.

Sponsored by Real Networks

EDUCAUSE Security Conference: Herding cats and campuses: addressing distributed security and compliance issues

Created by Lida L. Larsen (EDUCAUSE) on April 17, 2007
Summary
Herding cats and campuses: addressing distributed security and compliance issues
Kathleen Kimball, Senior Director, ITS Security Operations and Services, PennState
David Lindstrom, Chief Privacy Officer, PennState
 
2007 EDUCAUSE Security Professionals Conference
Thursday, April 12, 2007
Denver, CO
 
Notes:
Kimball and Lindstrom began their presentation with a quick overview of their statewide environment, which serves 83,721 students plus more than 60K staff and faculty at 24 campuses, a medical school, agriculture extensions, and their World Campus online learning program. They have one backbone network statewide and push terabits of data.
 
Their distributed governance and other issues make the security problem more difficult. Many users aren’t doing the “traditional” things like teaching and many are “home users” and that’s the level of their skills as well. In addition, culturally there is a tradition of independence among the campuses and the emphasis on process by committee and consensus makes for a slow process.
 
They see their major security threats coming from constant hostile probes in a situation where security is often dependent on non-technical users.
 
What’s happening in the security arena?
Watching trends, they note that there is:
  • growing sophistication of network attacks (bots, bots, and more bots)
  • increasing complexity of detecting and removing residual malicious software
  • a growing number of vendor security updates to be handled
  • an increasingly mobile population of Internet-capable devices connecting to unmanaged networks and then returning to PennState nets.
At the same time they see:
  • a decreasing amount of time for global spread of worms and other malware
  • less ability to stop intruders at the network border
  • less time available to keep up with vendor security updates
  • a decreasing window of time to detect and deter network-based attacks.
Legal and regulatory landscape
Lindstrom suggested that when in doubt, laws are passed, or policy is written, in an attempt to control what is increasingly becoming uncontrollable. He pointed out the nine or so policies that PennState has produced relating to security and privacy.
 
Lindstrom and Kimball represent the two sides of the house, administrative and academic, and find that they work together well in their respective institutional duties to reasonably secure sensitive data in their care.
 
At PennState, the network is distributed and so is the responsibility for data security. Each Dean or Administrative Officer is responsible for the data security policies and security implementations in their respective units. These local policies have the force of overall university policy and are intended to be guidelines for systems administrators.
 
In order for any unit to connect to the university network, it must have a network administrative, technical, and security contact. These folks are key in incident notifications. There are financial officers in each unit, and they help with compliance issues. Currently the biggest problem is that only a network address is generally known for university systems when an incident response begins.
 
Lindstrom noted that units handling administrative data have additional requirements that are outlined in their “Trusted Network Specifications”, and access to the net is not given unless they sign in ink that they’ll be responsible. Units with an exception to hold SSNs have even more requirements. In spite of these policies and security precautions, there is a perceived gap between policy and performance for a number of reasons. Those reasons are primarily the plethora of compliance issues such as FERPA, HIPAA, Gramm-Leach-Bliley, Pennsylvania’s Breach of Personal Information Notification Act, PCI-DSS (credit card industry standards), and undoubtedly more to come.
 
PennState feels that they must do better:
  • Improving the state of privacy and network security practices is essential, and it is a distributed problem that needs a distributed solution.
  • Raising the bar with regard to security practices and policies, the ability to comply with existing policies and laws, and their agility in responding to new laws that come along.
And all of this across the 24+ fiefdoms that comprise PennState.
 
From this the PennState Information Privacy and Security (IPAS) project was born.
It developed from a joint effort between ITS and the Corporate Controller, who sold university leadership on the gap between policy and practice. It is sponsored jointly by the Provost and CFO, and responsibility for oversight rests with the CIO and University Controller. Similarly, Kimball and Lindstrom represent the two sides of the house in their roles. It is a big enough central project that it was split three ways between budgets/budget executives. Audit, finance, corporate controller, and a firewall audit (a small piece of the overall project) was something they could all get their arms around.
 
IPAS
This is a multi-year, multi-phase, university-wide project with some overlap in the timing of the phases.
Phase 1 – evaluate and, if necessary, remediate PCI-DSS systems and networks
Phase 2 – take the lessons learned and apply them to systems and networks handling sensitive university information
 
Three project team members were drafted from existing staff for two year assignments to the project: Project Manager, Senior Network Analyst, and Project Technical Coordinator. Copies of the brochure for IPAS were distributed to the session attendees and it was noted that it includes these three staff members, their responsibilities, and their contact information. Leadership from distributed units provided the staff resources.
 
Lindstrom and Kimball listed the specifics of the two phases.