In many institutions of higher education, computing environments are generally characterized by some degree of decentralization, with greater decentralization in large research universities, according to a report by M. Santosus. There are certainly advantages to fulfilling the needs of individual users and groups, to the greatest degree possible, with decentralized computing environments. However, information security is inherently a central function. The information security paradigm -- you are only as strong as your weakest link -- recognizes that we must be able to measure the effectiveness of information security policies, technologies, and programs at the lowest levels of the organization. In addition, since the university as a whole is the registered legal entity, the institution implicitly assumes all liabilities, including those that might arise from a lack of security in any one departmental unit.
At the University of Rochester, we have learned that successful information security programs depend on mediation by someone who knows the members of the department, is seen by those members as having department-wide responsibility, and is credible in communicating best practices. To this end, we are formalizing the role of Information Security Liaisons in the divisions and departments. These individuals will help to evaluate and mitigate security and compliance concerns and risks, while giving Chief Information Security Officers the visibility needed to develop metrics and monitor progress. This distributed approach to information security ensures that each department is aware of and accountable for its role in communicating information security education and training materials, complying with policies and standards, and implementing information security technology solutions.
The University of Rochester's information security program also employs several layers of defense through a combination of policy, technology, and community awareness in collaboration with the units. The university has made significant investments in information security technologies. These technologies span all levels of a defense-in-depth strategy, from our perimeter to the individual endpoints. The distributed computing teams are engaged in defining requirements and designing technology solutions that support their departmental needs. In addition, where possible, the tools selected allow the departments to administer and manage the technology themselves, with overall monitoring maintained within the central organization.
Finally, we have institutionalized a University Data Security Committee, which is co-chaired by the Provost and General Counsel. The committee membership consists of the Chief Information Officers, Chief Information Security Officers, Divisional Information Security Liaisons, and representatives from audit and other areas with high-risk data. The University Data Security Committee helps to prioritize information security activities based on the results of annual risk assessments, sponsors university-wide information security policies, and monitors overall performance metrics.
With ever-evolving threats to information security, it is essential to properly secure data and minimize risk while still enabling users to educate, collaborate, and innovate in this digital environment. Centrally managed information technology solutions help to make information environments more secure almost by default. However, the rapid transformation of information technology towards highly flexible, consumer-oriented tools increases the opportunity for users to make choices that may put an organization's information at risk of a breach. Much of the success of an information security program depends on the everyday choices that members of the community make when using information technology and accessing information. In such a decentralized computing environment, strategies to protect the institution's information assets can only truly succeed with a collaborative strategy between the central information technology teams and decentralized units.
From the development and deployment of an Information Technology Strategic Plan for security and compliance, to measurement of our overall progress in meeting our information security goals, we have striven to include members from across the university community. In a decentralized environment, it is critical that we recognize that one size may not fit all. Understanding the unique needs of the different groups within the university community and leveraging the expertise of the decentralized teams has helped position us to reduce our information security risk and improve our overall compliance posture in a more comprehensive and sustainable way.
SECURITY 7 AWARDS
Title: Chief Information Security Officer
Organization: University of Rochester
Information Security Magazine's 6th Annual Security 7 Awards
Implementing an information security strategy in a decentralized environment: Implementing data security in a decentralized organization requires a collaborative approach.