Summary: IT Organization and Security

Peter Burkholder pburkholder at pobox.com
Mon Dec 24 00:40:04 GMT 2001



Hello,

Earlier in the month I asked Unisog readers to provide some feedback on where 
IT and IT security fit into their institutions' administrations.  Thanks to 
the 13 of you who responded.  Edited responses are included below, but a few 
observations first.  

Of the respondents, five represented institutions of 20,000 users or more.  
Two were from organizations of 1000 or fewer users.

I asked whether IT was represented with other top management, lower down the 
chain, or not at all; and whether IT representation was adequate for assuring 
security policy.  In general, the lower the IT representation, the lower the 
perceived quality of IT security policy.

	IT representation		Adequate Mgmt?
	-----------------		--------------
	High				Yes (4)
					Maybe (1)

	Middle				Yes (2)
					No (3)

	Insignificant			No (2)

The most interesting IT security admin setup was described like this:

	The overall responsibility for
	ensuring that information security practices are followed rests
	with the Information Security Officers (ISO's) appointed for at
	a minimum, each vice presidential area, campus, and college.

	The Information Security Administrators (ISA's) are others in
	the organization concerned with the technical establishment and
	maintenance of security for computing systems and networks...
	coordinated by their respective ISO's.

	In some organizations, separate personnel will be responsible
	for the administration of systems.  Individuals in this role are
	designated System Administrators (SA) and will be monitored by
	the ISA's.

This is in contrast to the three respondents who felt a weak admin structure 
was seriously detrimental to security.  Probably typical of that situation 
are these comments:

	There needs to be a CTO, and isn't; the lack of a highest-level
	voice which can speak for security makes getting the word out
	(and enforced) difficult at times.

	...

	Part of the problem here is the _extremely_ distributed computing
	model - there are little fiefdoms everywhere.... That's not to say
	that there aren't folks out
	there who appreciate security, but [most] of them don't get the
	resources they need to _do_ anything about it.

Thanks again to all of you who responded.   

Cheers,

Peter	
- -- 
Peter Burkholder, SSCP
pburkholder at pobox.com 
2229 S Gilpin St                           ~~~  ~~  ~~~~    _o
Denver, CO 80210-4616                    ~~~  ~~~~ ~~    _`\<,_
(303) 282-7738                      ~~~~ ~~~   ~~~~     (*)/ (*)
- --
PGP: http://www.pburkholder.com/pgpkey.txt 
 or: http://search.keyserver.net:11371/pks/lookup?op=vindex&search=0x75624A11
 or: send mail w/ subject "GET 0x75624A11" to <pgp-public-keys at keys.pgp.net>
 PGP Fingerprint: 70 5D 8A F6 9D 4C 50 26 11 CA B0 05 E3 C3 F5 52 75 62 4A 11

Questions:

1) At what level is IT represented within management at your 
	school/lab/university?
  __ A: IT included in upper management
  __ B: IT represented in upper mgmt under a broader umbrella
  __ C: IT has no significant representation within management

2) Does IT security fall under Technology, Security or some hybrid beast?

3) Do you think the current IT/IT Security representation within the 
management structure is adequate?  If not, why?  What should be different?

4) How many users/hosts are supported within your organization?

5) How would you characterize the bulk of your users (e.g., undergraduates,
	grad students, administrators, faculty, researchers, etc.)?

12 responses + 1 interview response:

=============================================================================
"Daniel Bidwell" <bidwell at andrews.edu>:
Andrews University
	A

	It [security] falls on the Sr. Systems Administrator.

	I have gotten good support from the CIO (who sits on the president's
		cabinet) about security measures.

	30-40 servers, 5000 users

	1000 non-students

"Ken Connelly" <Ken.Connelly at uni.edu>
University of Northern Iowa
	A: Top IT man is an associate VP under the Provost.

	IT security is part of IT, although not all is within the central
	IT group.  Most distributed sysadmins are professional IT people
	and take some/most of the responsibility for their own servers.
	Sometimes somebody (usually me) has to tell them they have a
	problem, but then they deal with it.

	Most management structures get in the way.  The one here is no
	exception.

	14,000 students, 2600 fac/staff, ~75 servers.  Over 12,000 of
	the students are undergrad.

CONFIDENTIAL 

	B

	Falls under general assumption: Don't worry about it until something 
	bites us.

	No.  Current position is to give everybody everything and not worry
	about consequences until somebody knocks on our door and complains.
	
	10000 users, 4000 hosts

	80% student, 18% fac/staff, 2% other

"H. Morrow Long" <morrow.long at yale.edu>
	1B: IT Director (University CIO) reports to two upper managers:
		VP Finance and Admin    (Administrative side)
		Provost                 (Academic side)

	Under IT

	Yes [adequate]

	26,000 users, 16,000 networked computers.

	10,000 employees (4,000 Faculty, 6,000 staff)
	10,000 students  (5,000 undergrads, 5,000 grad students)
	6,000 alumni-volunteers/unpaid-associates/etc.
	
CONFIDENTIAL 

	C: 

	IT

	No, everything we do is based on immediate dollar cost.  There is no long
	term cost/benefit analysis.

	1500 users/hosts

	1000 students, 350 administrators, 120 faculty

CONFIDENTIAL 

	B: We have three IT organizations: Academic, which
	  answers to the Provost; Administrative, which answers to the Senior VP
	  (second in command); and Health Sciences, which reports to the VP.

	In order to better define and assign responsibility for
	information security throughout the organization, a separate
	infrastructure was developed.  The overall responsibility for
	ensuring that information security practices are followed rests
	with the Information Security Officers (ISO's) appointed for at
	a minimum, each vice presidential area, campus, and college.
	The Information Security Administrators (ISA's) are others in
	the organization concerned with the technical establishment and
	maintenance of security for computing systems and networks, and
	their roles and responsibilities with respect to information
	security should be coordinated by their respective ISO's.
	In some organizations, separate personnel will be responsible
	for the administration of systems.  Individuals in this role are
	designated System Administrators (SA) and will be monitored by
	the ISA's to ensure compliance with security procedures.

	Yes

	11,000 faculty/staff and approximately 35,000 students

	5% support personnel
	5% faculty
	1% Administrators
	64% Undergrad
	15% grad
	10% undeclared

CONFIDENTIAL 
	A

	Security under IT

	In theory I report to the IT director, but in the past they have
	delegated that to other managers within central IT.  We have a new
	director and he has indicated that this is not satisfactory --
	what he will do about it isn't yet clear.

	30,000 users, 10,000 hosts

	25,000 students, 5,000 staff. 

CONFIDENTIAL 
	
	C

	Security under IT

	I don't know.  I'm not concerned about an IT security person
	being a manager, as long as management is aware of the issues and
	consults where necessary.  This is not the case at the moment;
	some managers are aware, but a lot of education is still needed.

	30K users, 10K hosts.

	26K students, 4K staff/faculty/other

"Richard Gadsden" <gadsden at musc.edu>
Medical University of South Carolina

	A

	IT

	Yes. We have a top-level IT Director who reports to the VP for
	Administration, and an Associate Provost for IT who reports to the
	VP for Academic Affairs, and I report to both of them.

	10,000 users and about 8,000 hosts

	faculty and graduate students (includes "real" graduate students,
	and students pursuing professional degrees, e.g. MD)

CONFIDENTIAL 

	A

	Security!

	Yes.  But we are considering a new position of Executive Deputy
	Director (reporting directly to the Exec. Dir. of IT) that would
	coordinate security activities (as well as other things.)

	16,000 users 6,000 hosts

	Students - 60% undergrad, 40% grad

CONFIDENTIAL 

	B

	I'd say "Technology" - the campus police, for example, don't have
	oversight, though we do cooperate.

	There needs to be a CTO, and isn't; the lack of a highest-level
	voice which can speak for security makes getting the word out
	(and enforced) difficult at times.  Of course, the reality is
	that the faculty ultimately rule here, so it's not entirely clear
	what could be done.

	35000 users/ 50000 hosts.  Wild guess.

	Hard to say - probably a fairly even split.  Research faculty
	seem to make the most noise, though.

	Part of the problem here is the _extremely_ distributed computing
	model - there are little fiefdoms everywhere, and the only way
	we're able to enforce any sort of security at all is because we
	run the network.  That's not to say that there aren't folks out
	there who appreciate security, but more of them don't get the
	resources they need to _do_ anything about it (getting "real
	work" done is always the priority), and at the moment _we_
	(Network Operations) don't have the resources to do it for all of
	them in any real sense.  But hope springs eternal that resources
	will be made available in time.

"Russ Harvey" <russ-harvey at ucr.edu>
Univ. of Calif., Riverside

	A
	My organization (Computing) has a CIO (an Associate Vice Chancellor),
	who reports to a Vice Chancellor of Administration, who in turn
	reports to the Chancellor.

	Of course there are many manifestations of IT at a university, but
	ours is the central campus organization that keeps student data and
	employee and departmental financial information. We also provide
	central services to the campus, including the standard DNS, mail,
	etc.

	2)
	IT security, for us, is in the technical realm, although we are
	pushing to create it as an entity unto itself.

	3)
	I think IT representation is adequate, and since security is so
	prominent these days, I think IT security will soon have its own 
	fiscal independence. It will still be represented, though, by the
	same CIO that represents IT in general to upper management.

	4)
	There are approximately 4,000 staff and 14,000 students. Our
	machine population is about 8,000.

	5)
	The bulk of the users we support are staff -- administrators,
	financial analysts -- running the day-to-day operations of
	their respective departments. We have two smaller groups,
	one supporting faculty, one students.