Monthly Archive for December, 2008

Director of Information Security

Security is the next great frontier for our IT department. Currently we have no single person or team tasked with protecting the data we house… and we house some seriously important data. The web team builds apps every week that gather FERPA-protected data from students. Banner stores every employee’s personal data, and our staff have direct access to that information (humans are the weakest link in the security chain, right?).

Our current method of handling security is distributed ownership. Pete watches the network. Application developers and DBAs use the best skills they have at their disposal. Steve Tharp and the CSC work collaboratively on setting password policies (see image below). ITS Coordinators and the CSC do what they can to help customers without infringing on privacy or seeing data they shouldn’t. Basically we’re all on our own trying to make the best decisions we can, but security is an afterthought in general. It’s what we examine when our job is done.

[Image: Password Security]

I’ve secured approval to add a new Director to our ITS staff: the Director of Information Security position was posted officially on the Friday after Thanksgiving. I’m hoping to fill the position by early 2009, but we’ll move faster or slower depending on when the right candidate surfaces.

By adding this new position, which reports directly to the CIO, we will solve a few problems that have been identified by our internal auditors:

  1. The Director, while not having any actual reports to direct, will be a one-stop shop for policies, procedures and answers about how we can best protect crucial student and staff data.
  2. By having this member as part of ITS, we have an ally who can help us during the construction and roll-out of new systems. The alternative would be someone outside of ITS who polices our actions (think MPs or IA in a police force) and reports to the CFO. While that might actually be more secure, that reporting arrangement would result in lower productivity, which is something we cannot afford given the small size of our team.
  3. By having a team member within ITS whose sole responsibility is data security, we can work more closely with Davenport’s existing security team (headed by V.P. Duane Terpstra) to bridge the grey area between physical security and data security.

Overall, adding this position makes a lot of sense. While I wasn’t 100% sure about creating a job with the title “Director” in it that had no direct reports, in the end we’re going that way because we may add people to that team eventually (most schools do) and it does convey (to people outside ITS who won’t work with the DIS every day) the importance and authority I want this role to have.

We will be asking this person to author policies and procedures, advise on projects and work with teams outside of ITS to make sure that the security systems and procedures we put in place are adhered to University-wide.

If you have questions about this role, feel free to shoot me an email or ask your supervisor.

Thanks for reading.
- Brian