District Security Rubric and Planning Grid: Security Indicators

Each indicator is rated at one of four status levels: Basic, Developing, Adequate, Advanced.

Management: District Leadership

District Leadership: Oversight

Security Goals (A 11)
Basic:
-- provides minimal direction and oversight on IT-related security issues.
-- acknowledges efforts made by IT Director to meet governing security and confidentiality regulations.
Developing:
-- develops a basic mission statement on security.
-- authorizes IT Director to ensure compliance with governing security and confidentiality regulations.
Adequate:
-- articulates a clear mission statement on security.
-- authorizes IT Director and security team to ensure compliance with governing security and confidentiality regulations.
-- is periodically involved in high level security planning.
Advanced:
-- articulates a clear mission statement on security that is integrated with District policy and overall mission.
-- authorizes IT Director and security team to ensure compliance with governing security and confidentiality regulations.
-- regularly provides oversight of high level security planning.

Legal Compliance (A 12)
Basic:
-- Initial effort has been made to bring IT installations into compliance with security-related laws (FERPA, CIPA, HIPAA, etc.), but actual level of compliance is not clear.
Developing:
-- IT unit attempts to manage compliance with governing security-related laws (FERPA, CIPA, HIPAA, etc.) as far as major vulnerabilities are concerned (content filtering, confidential databases).
Adequate:
-- Security team assists with identifying potential concerns for compliance with all State and Federal Laws (FERPA, CIPA, HIPAA, etc.).
-- IT unit makes such compliance part of its protocol for new installations and periodic security reviews.
Advanced:
-- Security team or external auditor verifies full compliance with all State and Federal Laws (FERPA, CIPA, HIPAA, etc.).
-- Compliance review is a routine component of new installations and periodic reviews.

Policy Implementation (A 13)
Basic:
-- District policy governing security efforts is limited to general statements that may be challenging to translate into specific security measures.
Developing:
-- District policy governing security efforts provides a basic sense of direction for implementing security. Some policy areas may be missing (e.g. enforcement procedures for security violations).
Adequate:
-- District policy governing security efforts provides adequate direction for implementing security measures.
-- Some policy areas are out of date or lack clarity.
-- District leaders specifically authorize the IT unit to enforce policy.
Advanced:
-- District policy governing security efforts provides effective direction with sufficient clarity to ensure appropriate implementation.
-- District leaders specifically authorize the IT unit to enforce policy. The Security Team provides additional oversight.
District Leadership: Support

Budget and Human Resources (A 14)
Basic: No support specifically earmarked for security.
Developing: 'Security' is not a budget line item, but some purchasing reflects security needs.
Adequate: Key security-related items included in budget planning.
Advanced: Strong needs integrated into all IT budgeting.

Communication (A 15)
Basic: Little or no leadership communication on security issues.
Developing: Leadership occasionally delivers security messages to stakeholders.
Adequate: Leadership regularly delivers clear messages to stakeholders.
Advanced: Leadership effectively and frequently incorporates the security message into stakeholder communication when appropriate.
Management: IT Security Management

IT Security Management: Security Team

Charter & Responsibilities (A 21)
Basic: No formal security team exists.
Developing: Ad hoc Security Team lacks formal authorization.
Adequate: Security Team is authorized by the district administrators to develop a security plan and oversee its implementation.
Advanced: Security Team is authorized by the school board or committee to develop a security plan and oversee its implementation.

Membership (A 22)
Basic: No formal security team exists. IT staff and District leadership confer on security requirements on an ad hoc basis.
Developing: Ad hoc Security Team includes:
-- teacher or administrator
-- IT staff
Adequate: Security Team members include representatives from:
-- District Administration
-- School Board or community
-- teaching staff
-- IT staff
Advanced: Security Team members include:
-- Superintendent
-- School Board member
-- teacher
-- IT director & key staff
-- community representatives
IT Security Management: Security Planning

IT Planning in general (A 31)
Basic:
-- Little or no comprehensive IT planning.
Developing:
-- IT planning includes some consideration of security.
Adequate:
-- IT planning includes security as a component.
-- Security provisions included in contracts with vendors, consultants, and outsourced services are reviewed for compliance with District security requirements.
Advanced:
-- IT planning fully integrates security requirements.
-- Security provisions included in contracts with vendors, consultants, and outsourced services are reviewed for compliance with District security requirements.
-- District general security planning is fully coordinated with IT security planning.

Security Plan (A 32)
Basic:
-- Security practices exist without a formal security plan.
-- Occasional testing and monitoring.
Developing:
-- Security plan may exist only as an internal IT department document.
-- Plan includes occasional network testing, but validity of plan has not been verified.
Adequate:
-- Security plan written or reviewed in past 24 months.
-- Plan is derived from asset-based risk assessment process and:
   -- includes end-user training and communication;
   -- includes periodic testing and monitoring.
Advanced:
-- Security plan revised or reviewed in past 12 months and discussed and approved by district leadership and school board. The Plan:
   -- is derived from asset-based risk assessment process;
   -- links District goals and policies, end-user training and communication;
   -- includes periodic testing and monitoring.

Security Audit (A 33)
Basic:
-- No security audit completed within past 36 months.
Developing:
-- Internal security audit completed within past 36 months.
-- Scope of audit linked to security plan (above).
Adequate:
-- Internal security audit completed within past 18 months.
-- Scope of audit linked to security plan (above).
-- District provides budget support for security measures.
Advanced:
-- Security audit completed by independent consulting group within past 18 months; internal audit completed within past 12 months.
-- Scope of audit governed by comprehensive security plan.

Crisis Management Plan (A 34)
Basic:
-- IT Crisis Management plan does not yet exist.
-- Staff have not been trained specifically for IT crisis management.
-- District Crisis Management Plan includes few if any references to technology or IT security.
Developing:
-- IT Crisis Management plan has been outlined; it may have been completed more than a year earlier and has not been updated.
-- Staff training for crises has been minimal.
-- District Crisis Management Plan includes brief references to IT and security issues.
Adequate:
-- IT Crisis Management plan uses the same asset-based model as the security plan; it includes details of major systems. The plan may have been completed more than a year earlier and has not been updated.
-- The plan includes an inventory of required equipment.
Advanced:
-- IT Crisis Management plan uses the same asset-based model as the security plan; it includes details of all systems, from ISP to desktop.
-- The plan includes an inventory of required equipment redundancy and facilities for hot site redundancy.
-- The plan includes training and communication requirements.
IT Security Management: Security Implementation

IT Staffing Levels (A 41)
Basic:
-- More than 750 computers per technical support staff person.
-- Insufficient numbers to expand IT services.
-- IT staff may be non-dedicated or part-time.
Developing: Full-time staff. Staff-to-computer ratio approximately 1:750.
Adequate: Staff-to-computer ratio: 1:500.
Advanced:
-- Staff-to-computer ratio: 1:250.
-- IT systems operate at a high level of reliability due to effective organizational practices: further reduction in staff-to-equipment ratios may produce only slight improvement in service levels.

Staff competency (A 42)
Basic:
-- Insufficiently trained in desktop support or network management.
Developing:
-- Job descriptions indicate mixed network and desktop support roles without specific mention of security-related tasks.
Adequate:
-- Clear division of responsibility between network and desktop support with clear assignment of responsibility for security tasks and roles.
Advanced:
-- Clear division of responsibilities, including security-related tasks. Additionally, IT staff are cross-trained to provide backup support.

Security Staffing (A 43)
Basic: No one specifically assigned to attend to security.
Developing: CTO or other management staff also deals with security.
Adequate: A staff person is assigned to manage security.
Advanced: A Chief Security Officer exists.
Technology: Architecture and System Design

Architecture and System Design: Overview

Architecture: Overview (B 10)
Basic: Architecture at basic stage; shortcomings exist in all areas (Perimeter Security, WAN security, Internet connection).
Developing: Architecture lacks capacity for growth or implementation of stronger security measures; shortcomings exist in two or more areas (Perimeter Security, WAN security, Internet connection).
Adequate: Appropriate architecture: solid functionality exists, but compared with the advanced level, shortcomings exist in one or more areas (Perimeter Security, WAN security, Internet connection).
Advanced: Appropriate architecture with room to grow.
Architecture and System Design: Perimeter Defenses

DMZ (B 11)
Basic: Building servers double as firewalls (no DMZ).
Developing: Firewall in place but no DMZ to protect email and web servers.
Adequate: DMZ, firewall, VPN services exist but may be inadequate for future growth or may result in bandwidth, server, or configuration issues.
Advanced: DMZ, firewall, VPN configured for appropriate external access, email and web services.

Firewall (B 12)
Basic: Firewall software not present at all network entry points.
Developing: Perimeter/intrusion defense: installed.
Adequate: Perimeter/intrusion defense: fully configured.
Advanced: Perimeter/intrusion defense: a layered strategy from desktop to firewall provides fully integrated protection.

Virus protection (B 13)
Basic:
-- Virus protection is not installed on all network-connected devices.
-- Virus definition updates are performed sporadically.
Developing: Virus protection installed on all devices; centrally-managed updates for at least half of client computers; all other computers receive regular, manual updates.
Adequate: Centrally managed, integrated virus protection, firewall, intrusion detection deployed to most workstations.
Advanced: Centrally managed, integrated virus protection, firewall, intrusion detection for all workstations.

Content filtering and Spam control (B 14)
Basic: Content filtering may have been implemented at some locations, but implementation is not monitored appropriately.
Developing: Content filtering has been implemented for all locations, but monitoring is sporadic.
Adequate: Content filtering is properly monitored for effectiveness, but impact on throughput is unknown.
Advanced: Content filtering is handled with devices capable of delivering a high level of effectiveness without significantly impacting network performance.

VPN (B 15)
Basic: No VPN configured.
Developing: No VPN or insufficient VPN controls.
Adequate: VPN permits a limited number of users to access the network remotely.
Advanced: VPN configured to provide secure access to all authorized remote users.

Wireless Access control (B 16)
Basic: Reliance on end-user caution or light, localized usage to limit risk.
Developing: Wireless access may be spreading faster than it can be properly controlled. Not all access points are properly configured.
Adequate: Wireless access is properly configured; secondary strategies may include non-technical tactics (e.g. powering off access points over weekends). Intrusion risks are balanced against accessibility.
Advanced: Wireless access properly configured; secondary strategies (VPN, segmentation) provide an additional layer of security. Intrusion risks are minimized by monitoring and strong authentication control.

Extent of Implementation (B 20)
Basic: Network extent: no district-wide WAN or less than half of schools on WAN.
Developing: Network extent: majority of district schools on WAN.
Adequate: Network extent: all district schools on WAN.
Advanced: Network extent: all district schools on WAN.

Segmentation (B 21)
Basic: No network segmentation beyond building-level.
Developing: No network segmentation beyond building-level.
Adequate: Network appropriately segmented.
Advanced: Centrally-managed building LANs, switches, servers.

Authentication and Authorization (B 22)
Basic: Authentication and authorization not available.
Developing: Authentication and authorization not managed via the WAN, if at all. End users have no access beyond local LANs to WAN resources (except to specific systems).
Adequate: Authentication and authorization: system-wide implementation may be incomplete.
Advanced: Authentication and authorization deployed throughout the district.

Redundancy (B 23)
Basic: Servers may lack RAID 5 reliability; no spare parts on hand for critical network devices.
Developing: Critical district servers have RAID 5 reliability; some spare parts on hand.
Adequate: Most critical servers are protected by redundant units. Spare components may not be available for all critical network devices.
Advanced: All critical servers are protected by redundant units. Spare components are available for all critical network devices.

Standardization (B 24)
Basic: Building LANs not standardized; require local maintenance.
Developing: Building LANs not standardized; require local maintenance.
Adequate: Most but not all building LANs, switches, servers support remote management.
Advanced: Standardized hardware, network configuration.

Remote Management (B 25)
Basic: WAN lacks remote monitoring and management of routers, switches and LAN servers.
Developing: Existing WAN devices may not support remote monitoring and management. As the WAN expands, new devices will support remote management; legacy devices may remain in service past "retirement" age.
Adequate: IT Plan implemented to eliminate legacy devices that cannot be remotely managed.
Advanced: All routers, switches and LAN servers are remotely monitored and managed.
Architecture and System Design: Internet

Bandwidth (B 31)
Basic: Bandwidth (dial-up, cable, or DSL) is insufficient. Bottlenecks occur frequently.
Developing: Bandwidth (cable, DSL, frame relay, or T1), while improved, may not be sufficient for rapidly-growing use. Lack of reliability inhibits user confidence.
Adequate: Bandwidth is adequate for current requirements but may lack capacity for future expansion. Reliability, while improved, is still an issue for some users.
Advanced: Bandwidth is adequate for current requirements and expandable for future growth. Users have full confidence in the network.

Internet Infrastructure (B 32)
Basic: No redundant internet access.
Developing: No redundant internet access.
Adequate: Backup internet access on line (cable, DSL) for critical functions.
Advanced: Backup internet access on line (cable, DSL) for critical functions.
Technology: IT Operations

IT Operations: WAN and LAN management

IT Operations: Overview (B 50)
Basic: Firefighting mode:
-- Most time spent on urgent problems.
Developing: Growing pains:
-- IT operations include time allocated for some monitoring and maintenance.
Adequate: Standards and procedures in place:
-- IT operations include time allocated for routine monitoring and maintenance.
Advanced: Efficient, growth-oriented operation:
-- IT operations include time allocated for routine monitoring and maintenance.

Backups (B 51)
Basic:
-- Backups may not include all mission-critical servers.
Developing:
-- Daily and weekly backups. Off-site storage not established.
Adequate:
-- Consistent backups including off-site storage; periodically tested.
Advanced:
-- Consistent backups including off-site storage; routinely tested.
-- File restoration practice included in crisis management preparedness.

Routine Network Monitoring and Testing (B 52)
Basic:
-- Minimal scheduled network checks.
-- No file integrity testing.
-- No capacity for password testing.
Developing:
-- Daily checks for virus protection, network services, backup status.
-- No file integrity testing.
-- No capacity for District-wide password testing.
Adequate:
-- Daily checks for network intrusion, virus protection, network services, backup status.
-- Monthly file integrity testing.
-- Password testing every 60-90 days.
Advanced:
-- Live monitoring for network intrusion, virus protection.
-- Daily checks on network services, backup status.
-- Maintenance logs kept.
-- Monthly file integrity testing.
-- Password testing every 60-90 days.
-- Twice-yearly wireless network intrusion detection.

Major Systems maintenance (B 53)
Basic: Major services (email, internet access) occasionally unavailable for 8 hours or more.
Developing: Major services (email, internet access) rarely unavailable for 8 hours or more.
Adequate: Major services (email, internet access) rarely unavailable for more than 4 hours.
Advanced: Major services (email, internet access) rarely unavailable for more than 2 hours.

Documentation (B 54)
Basic:
-- No daily maintenance and monitoring logs.
-- System documentation is largely absent.
-- Equipment inventory managed at the building level.
Developing:
-- Maintenance logs kept.
-- System documentation is minimal; knowledge of system configuration is highly dependent on individuals.
-- Client computer inventory managed at building level; all network components managed by central IT group.
Adequate:
-- Maintenance logs kept.
-- System documentation is maintained for critical services and network management.
-- Client computer inventory managed at district level.
Advanced:
-- Maintenance logs kept.
-- System documentation is maintained for all services and network management.
-- Client computer inventory managed at district level.

External Partners & Vendors (B 55)
Basic:
-- External partners' or vendors' security practices are not known or verified.
Developing:
-- External partners' or vendors' security practices: documentation exists but practices are not verified.
Adequate:
-- External partners' or vendors' security practices: vendors assert that federal, state, and district requirements are met. Vendor credentials are checked.
-- Emergency procedures for service restoration are established.
Advanced:
-- External partners' or vendors' security practices: external audit reports verify that federal, state, and district requirements are met.
-- Redundant systems are in place; emergency procedures for service restoration are established. If required, all code is escrowed.
IT Operations: End User Support

End User Security: Overview (B 60)
Basic: Unenforceable, not verifiable:
-- Workstation policies and protocols at the user level are non-existent or haphazardly enforced.
Developing: Increasing, not verifiable:
-- Workstation policies and protocols not adequate to support organizational IT security goals.
Adequate: Widely in use, generally verifiable:
-- Workstation policies and protocols at the user level assist organizational security with appropriate hardware and software controls.
Advanced: Seamless, highly verifiable:
-- Workstation policies and protocols at the user level assist organizational security with appropriate hardware and software controls.

Installation, configuration, repair (B 61)
Basic: Client desktop computers: no remote management.
-- No capacity to rebuild computers using imaging software.
Developing: Client desktop computers: mixed local and central responsibilities.
-- Some computers can be rebuilt using imaging software.
Adequate: Client desktop computers: strong central policy, distributed management.
-- Most computers can be rebuilt using imaging software.
Advanced: Client desktop computers: strong central policy, distributed management.
-- Maximally efficient repairs using imaging software.

Standardization (B 62)
Basic: No standardization plan exists. Any de facto standards for hardware and software result from episodic bulk purchasing or donations.
-- No cycle of hardware replacement exists.
Developing: Legacy software and hardware hamper standardization efforts.
-- No cycle of hardware replacement exists.
-- Typically four or five generations of both PCs and Macs may be on line.
Adequate: Legacy software and hardware are in the process of being phased out.
-- 5 to 6 year replacement cycle established.
-- Number of operating systems supported has been reduced to 2 Mac and 2 PC systems.
Advanced: Standardization goals are achieved.
-- 3 to 4 year replacement cycle established.
-- The majority of all computers use one operating system.

Patch management and application updates (B 63)
Servers, other network devices:
-- Basic: sporadic.
-- Developing: routine updates.
-- Adequate: automated updates.
-- Advanced: automated updates.
Teacher and administrator computers:
-- Basic: virus data and system updates (patch management) are the responsibility of end users.
-- Developing: IT unit provides instructions and reminders for virus data file and system updates (patch management) to end users whose computers are not automatically updated.
-- Adequate: most virus data and system updates (patch management) are managed remotely for most computers.
-- Advanced: all virus data and system updates (patch management) are managed remotely.
Classroom and lab computers:
-- Basic: desktop management software may be in use for updates.
-- Developing: central IT staff use desktop management software for updates in some locations.
-- Adequate: central IT staff have established effective update routines.
-- Advanced: central IT staff have established efficient protocols to refresh operating systems and deploy software in all locations.

Software Licensing (B 64)
Basic: Software licensing managed at the building level.
Developing: Software licensing for operating systems, virus protection and office productivity software is site-licensed by central IT group; other software, purchased without central guidance or controlling policy, is controlled at the building level.
Adequate: Software licensing for operating systems, virus protection and office productivity software is site-licensed by central IT group; other software is purchased with central guidance.
Advanced: Software licensing for operating systems, virus protection and office productivity software is site-licensed by central IT group; other software is purchased with central guidance or controlling policy to coordinate training and encourage shareable knowledge.

Passwords (B 65)
Basic: Password protection is end users' responsibility; periodic password changes are not required.
Developing: Password policies exist but are not centrally enforced nor routinely used in all locations.
Adequate: Password policy is monitored by LAN or WAN managers.
Advanced: Central password policy is monitored and enforced by WAN managers.

Advanced End User Security (B 66)
Basic: Not applicable.
Developing: Not applicable.
Adequate: Strong password requirements are in place for at-risk locations, databases, or systems.
Advanced: For large districts, biometric security devices, smartcards, or strong password requirements are in place on all computers.
Environmental and Physical Security

Environmental Security

Anticipation of natural disasters (C 11)
Basic: Environmental hazards given cursory attention. Flood or water damage: network devices may be in basements or sitting on floors.
Developing: Environmental hazards partly addressed. Flood or water damage: network devices may be in basements or sitting on floors.
Adequate: Most environmental hazards addressed. Flood or water damage: critical infrastructure not at risk.
Advanced: Environmental hazards recognized and addressed. Flood or water damage: critical infrastructure not at risk.
-- Redundant equipment and warning systems are in place to guard against other disasters.

Fire Protection (C 12)
Basic: Fire: no dedicated alarms. Network equipment may be located in unlocked, multi-use spaces (offices, classrooms, etc.).
Developing: Fire: no dedicated alarms. Network equipment may be located in space also used for storage or custodial purposes.
Adequate: Fire: alarms installed. Network equipment in clean, dedicated space.
Advanced: Fire: alarms and suppression equipment installed. Network equipment in clean, dedicated space.

Climate Control (C 13)
Basic: Temperature and humidity: no dedicated HVAC for network devices.
Developing: Temperature and humidity: network devices may lack protection from extreme heat, dampness.
Adequate: Temperature and humidity: network devices properly ventilated.
Advanced: Temperature and humidity: network devices properly ventilated.

Power Supply (C 14)
Basic: Power: minimal UPS support for servers.
Developing: Power: most servers & network devices on UPS.
Adequate: Power: all servers & network devices protected by uninterruptible power supply units.
Advanced: Power: all servers & network devices protected by UPS units with backup power available.

Inspection and review (C 15)
Basic: No special environmental inspections are made.
Developing: Facilities are inspected occasionally for hazards.
Adequate: Facilities are inspected periodically for most hazards.
Advanced: Facilities and emergency equipment are inspected on a regular basis by external experts.
Physical Security

Physical Security: Overview (C 20)
Basic: IT facilities and infrastructure: not secure.
Developing: IT facilities and infrastructure: partially secure.
Adequate: IT facilities and infrastructure: mostly secure.
Advanced: IT facilities and infrastructure: secure.

Facilities (C 21)
Basic:
-- Many network devices are in shared or uncontrolled locations, e.g. book cupboards, custodial closets.
-- Network cabling may be exposed, within reach, or subject to damage during routine building cleaning and maintenance.
Developing:
-- Most network devices are in dedicated, secure locations.
-- Network cabling may be exposed, within reach, or subject to damage during routine building cleaning and maintenance.
Adequate:
-- All network devices are in dedicated, secure locations.
-- Most network cabling is secure.
Advanced:
-- All network devices are in dedicated, secure spaces.
-- All network cabling is secure.

End User equipment security (C 22)
Basic:
-- Equipment is not physically secured where required.
Developing:
-- Not all equipment is physically secured where required.
Adequate:
-- Most equipment is physically secured (locks, cables) where required.
Advanced:
-- All equipment is physically secured (locks, cables) where required. Equipment selection criteria include physical durability.

Access control (C 23)
Basic:
-- Control of student access to computers depends on direct supervision.
-- Staff access to network devices is not restricted.
Developing:
-- Student access to computers is appropriately controlled in some locations.
-- Staff access to network devices is restricted in some locations.
Adequate:
-- Student access to computers is appropriately monitored where required.
-- Staff access to network devices is restricted where appropriate.
Advanced:
-- Student access to computers is appropriately controlled and remotely monitored where required.
-- Staff access to network devices is restricted where appropriate.
End Users

Partners in Security

Awareness (D 11)
Basic:
-- Stakeholders generally lack expertise on and awareness of security issues.
Developing:
-- Expertise: District leaders often less capable than many teachers in the use of productivity tools. Leaders may lack experience in strategic technology planning, including security issues.
-- Awareness: Users are generally aware of organizational security concerns but lack specific knowledge on what to do.
Adequate:
-- Expertise: District leaders demonstrate use of productivity tools. Those charged with oversight of IT attend some trainings on strategic and managerial topics.
-- Awareness: Users are generally aware of essential security guidelines and follow some security procedures.
Advanced:
-- Expertise: District leaders demonstrate competency with productivity tools and knowledge of strategic and managerial IT topics, including security.
-- Awareness: Users integrate essential security practices into everyday use of technology.

Training (D 12)
Basic: Limited training opportunities do not include security topics.
-- District leaders: often choose not to participate in IT training.
-- End Users: training not required.
-- Community: little or no training available.
Developing: Security is mentioned in IT training and professional development but training is not consistently tied to security policy.
-- District leaders: occasionally participate in IT training.
-- End Users: not all are trained.
-- Community: occasional awareness and outreach sessions are offered to the community.
Adequate: Security integrated into IT training and professional development.
-- District leaders: receive same IT training as all users.
-- End Users: most are trained.
-- Community: seasonal or periodic security awareness workshops are offered to the community.
Advanced: Security integrated into IT training and professional development.
-- District leaders: receive regular user training plus training on strategic IT topics.
-- End Users: professional development, including security training, is tied to district mission and security requirements.
-- Community: security is integrated into all outreach.

Communication (D 13)
Basic: IT unit communicates to stakeholders only sporadically.
-- Leadership: receives periodic updates on IT and security issues.
-- End Users: receive only sporadic messages issued on security concerns.
-- Community: receives infrequent publicity on IT or security issues.
Developing: IT unit communicates to stakeholders a few times per year.
-- Leadership: receives regular updates on IT and security issues.
-- End Users: receive occasional messages issued on security concerns.
-- Community: receives occasional publicity on IT or security issues.
Adequate: IT unit updates stakeholders on organizational security concerns on a monthly basis, or more frequently if significant vulnerabilities arise.
-- Leadership: receives regular updates on IT and security issues.
-- End Users: frequent messages issued on security concerns are disseminated using a variety of media.
-- Community: receives regular publicity on IT or security issues.
Advanced: IT unit updates stakeholders on organizational security concerns on a monthly basis, or more frequently if significant vulnerabilities arise.
-- Leadership: receives regular updates on IT and security issues.
-- End Users: frequent messages issued on security concerns are disseminated using a variety of media.
-- Community: receives regular publicity on IT or security issues.

Feedback (D 14)
Basic: No organized feedback mechanisms exist.
Developing: Limited effort made to track stakeholder opinion and satisfaction.
-- IT unit relies on stakeholders to bring complaints and suggestions forward.
Adequate: Help desk tracks problems and suggestions.
-- Survey of user opinions may be performed every other year.
-- All new IT initiatives, including changes in security policy, are reviewed by user groups.
Advanced: Help desk tracks problems and suggestions.
-- Survey of user opinions performed and published at established intervals.
-- Users provide input to IT initiatives through organized means such as special interest groups or regularly scheduled meetings.

Summary: Community of Trust (D 15)
Basic: IT unit has almost no capacity to monitor security. IT systems are extremely vulnerable to internal damage.
Developing: Increasing likelihood of security failures, without clear policy or secure infrastructure, may result in a climate of suspicion or confusion.
-- Early adopters of new technology may be frustrated by apparent unresponsiveness of IT unit to meet their needs.
Adequate: Decreasing likelihood of security failures, the result of clear policy and significantly improved infrastructure, reduces lingering suspicion and confusion.
-- Early adopters of new technology learn to collaborate with IT unit to ensure security.
Advanced: A secure network, with reliable infrastructure and transparent security policies, provides effective, mission-driven learning opportunities without the weight of surveillance.