130 likes | 274 Views
Creating Executive Awareness about Information Security. Joy Hughes, VP, George Mason Univ. jhughes@gmu.edu Jack Suess, VP, UMBC jack@umbc.edu EDUCAUSE ANNUAL 2005. George Mason University. 40 years old, 30,000 students, four campuses Strong deans, but centralized funding model
E N D
Creating Executive Awareness about Information Security Joy Hughes, VP, George Mason Univ. jhughes@gmu.edu Jack Suess, VP, UMBC jack@umbc.edu EDUCAUSE ANNUAL 2005
George Mason University • 40 years old, 30,000 students, four campuses • Strong deans, but centralized funding model • Computing somewhat distributed, somewhat centralized • Goal to be in top 100 w.r.t. research $ • Traditional excellence: performing arts, public policy, economics, IT. Now becoming biosciences: $25M lab; NIH cancer team • Two Nobel prize winners on faculty; yet 40% of faculty are adjuncts
UMBC • 39 years old, 12,000 students, 1 campus • Research/extensive designation - focus on science, engineering, IT, and public policy • Moving from centralized to decentralized in management • Stable management team, most have been in place for 10 years.
Aspects of the Culture that Influence Mason’s Security Strategies • IT staff can not order others to use certain hardware/software or to take particular security measures. • Decisions are made in a collegial manner with much opportunity for input from broad sections of the campus community. • The president is external; he can not lead without the support of the deans, faculty, Board, etc.
Aspects of Culture that Influence UMBC’s Security Strategies • Collegiality - the management team is stable and works together on issues. Weekly VP’s/Deans meeting allows group to share issues. • Strong support for governance structure and governance works closely with administration • Founders are retiring, which is causing culture to change
Aspects of the Political System at Mason that Influence Security Strategies • IT can not charge back for security services. • The deans are more inclined to listen to their own experts when it comes to technology rather than to IT. • The Budget Group has to be perceived as engaged in processes that are reasonably fair and strategic or it will lose legitimacy and not be able to function.
Aspects of Political System at UMBC Influencing Security • Governance process makes policy approval lengthy and requires significant time from sponsoring entity • Small enough that people know each other and expect personal communication. • President has tremendous support, even after 14 years!
Mason Strategies to Promote Executive Awareness Engage: • the president’s chief of staff: (he sets the Board agenda and Cabinet agenda) • the distributed SAs: (if they support what you are doing, they will let their leaders know – and vice versa) • the technology thought leaders in the academic units: (the deans listen to them) • the auditors:(they report to the Board) • the Budget Group: (duh! they have the money)
UMBC Strategies to Promote Executive Awareness • Engage - around points of leverage • President - his concern is maintaining good legislative audits • Provost - his concern is academic integrity • VP of Research - regulatory compliance • My personal engagement in the formal governance process • Engage departmental IT Staff • Engage central IT staff
Strategies to Promote Executive Awareness • Create Groups that will Influence Executives : a compliance team a systems administrators leadership team a group of security liaisons appointed by their deans an executive enterprise risk management group
Strategies to Promote Executive Awareness • Leverage security into • Existing channels in your institution • Governance • Budget and Planning • Departmental IT liaisons • Personal Discussions with key stakeholders • Central and departmental IT
What I’d Tell My Successor to Do! • Use your ex-officio status to connect with governance groups • Set up regular individual meetings with other VP’s and Deans to discuss IT and security issues before bringing them up in the VP meetings • Continue IT security working group meetings • Learn the culture before proposing new policies.
Security Resources • EDUCAUSE/Internet2 Security Task Forcehttp://www.educause.edu/security • To view and/or download the video:www.educause.edu/LibraryDetailPage/666?ID=CSD4121