CISO Memo: Looking Back, Moving Forward
I've always found it fascinating when someone mentions to me "I can't believe the holidays are here already. It seems like the year started only yesterday." I think that if they took the time to review the past year, they would be amazed at what they experienced, and it certainly would not feel like it had been only one day long. As I sat down to practice what I preach, and to think about 2008 from a Brown Information Security perspective, this exercise proved true for us as well. Here are some of the highlights:
- We formalized the Information Security Group: Beginning with the creation of ISG in July, the group achieved several benchmarks that we set. A shared mission and vision statement was adopted, as well as new branding to identify our group and its role in the organization. Along the way, we established initial credibility with small improvements, better response times, keeping our word, and accepting additional responsibilities.
- We established partnerships and working agreements to inject a security mindset and excitement across the campus: ISG personnel fostered working agreements, attended meetings, met one-on-one, and covered a lot of the campus to introduce our role and pledge our support to make our Brown colleagues successful in their mission. Along the way we've established strong relationships with key technology personnel in the University's decentralized areas, and had continual interaction with the campus Departmental Computing Coordinators (DCCs), System Administrators, and Department of Public Safety. In addition, we've supported Brown's mission by providing assistance and expertise to Human Resources, the Office of the Chief University Auditor, the Office of Student Life, and the University Deans.
- We created a brighter spotlight on Security Awareness: Throughout the last six months of 2008, ISG improved upon or introduced several awareness tools and methods. ISG personnel were found at several campus-wide events, such as Be Safe at Brown Day, the semester-opening Brown Resource Fair, and safety and security events hosted by the Department of Public Safety. In October we sponsored a highly successful Cyber Security Awareness Month, including online resources and in-person training on a different information security topic each week. And, in addition to the long-running and successful "Protecting Brown Information" class held each month, we also added brown bag training sessions on topics to help our community in their personal lives as well, such as installing a wireless router, mitigating identity theft, phishing awareness, and social networking safety.
- We committed to ensuring our policies and documentation are available and understood: While information security is far from static, and continual review and update are both necessary and valuable, ISG has updated and created new documentation for our colleagues. Utilizing feedback from our partners and customers, several forms were updated to reflect the current environment and technologies, in-depth process flows were developed and documented with partnering teams to eliminate redundancies, gaps and conflicts, and numerous improvements were made to our ISG website. Look for additional improvements in this area in the coming year.
- We identified our goals and targets for 2009: While addressing the day-to-day information security tasks, completing several foundational areas to build upon, and supporting numerous projects across the campus, we also have set the direction for the coming year. Among the items on our list are the development of an Information Security Strategic Plan, a focus on web application security support, the development of a process to "certify" the security of a department, a robust scanning program to protect the Brown infrastructure, and working with other CIS and Brown technology groups to create a better technology infrastructure.
ISG has accomplished a great deal in 2008, and while it didn't feel like "one day", it certainly went by very quickly. I believe we've made great strides in the three components of our mission statement, which are providing proactive security expertise, engineering robust security architecture, and enhancing a culture of security awareness.
We look forward to improving upon all of the progress and success we've witnessed in 2008, while enhancing the support and value we provide to all of you. Please feel free to contact us at ISG@brown.edu to let us know how you think we are doing, and what areas of security are important in your part of the Brown community. Remember, Sec_rity is not complete without U!