Governance
A successful InfoSec function relies heavily on solid governance.
Higher education institutions need a framework for evaluating third-party providers of information technology (IT), development and security. They also need a process that ensures the departments, schools or colleges inside the organization follow strict procedures and protocols when making technology decisions or purchases.
Part of this governance process is simply asking the right questions.
Set up a meeting with your top technology staffers and ask the following:
o Do we have an InfoSec function? To whom does it report?
o What does our security function look like?
o How do we vet third-party technology providers? How do we know they are doing things the right way?
o Do we have gateways and forced check-ins in order to get something done, such as a code review before any new websites are launched?
Starting this basic dialogue will get the ball rolling and ensure you don’t stall in your quest to provide the highest level of security for your institution’s critical stakeholders – students, alumni, and staff.
Next, remember that imitation is the greatest form of flattery.
Look Around
Government and the defense and financial services industries do this well. They have established best practices, which you can study together with your technology team.
The Building Security in Maturity Model (BSIMM) is also a great place to start; see how information security in your college or university compares to others in order to take the necessary steps to evolve and get better.
A great example of an industry-specific security measure is the concept of vaulting, where convenience stores and retailers never store credit card numbers from transactions or loyalty programs on site.
Instead, the numbers are placed in an off-site “vault” that protects the information from hackers.