Information Security managment

Security Management

Information Security Management

Managing the information security at a major university is never an easy task, and especially with a team of only ten the complexities and the resource demands can sometimes make the situation seem all but impossible even on the best of days. When the former head of information security management suddenly departs as the result of an FBI arrest -- and when that arrest stems from the fact that this Chief Security Officer was a member of Anonymous, the most active and influential (so far as the public is aware, at least) cyber-terrorist group (as identified by law enforcement) -- the situation only becomes that much more difficult. As the interim Chief Security Officer newly in charge of ensuring university information security and with a team of employees ready to tackle the task, there are both immediate and long-term plans that need to be made and put into action.

The first order of business is ensuring that the former Chief Security Officer did not in any way utilize or compromise the university's own information technology system for Anonymous' purposes. If the allegations against him are true, and given his arrest it is reasonable to move forward with the possibility that he was involved in something nefarious, then there will need to be a complete check of all security systems currently in place. This could potentially take weeks in and of itself, and if any significant flaws are found it will take even longer. While it would have been difficult for the CSO to implement anything truly compromising without any other team member's knowledge, this potential does exist and must be controlled for given the nature of the CSO's removal from office.

During the initial overview and evaluation of the current security systems in place in the university's information technology system, identification of potential upgrades and other adjustments can also be made. This will ensure not only greater general security in the system following the former CSO's departure, but also generally assuring that the information technology security methods put in place for the university will be the best available. Long-term changes also need to be made in the information technology department to prevent any future misuse of the information technology security system at the university, whether or not any such misuse occurred at the hands of the former CSO. Increased levels of peer scrutiny and an explicit and concrete system of redundant oversights and independent reviews within the information security team should be adopted as a means of controlling against any purposeful malfeasance on the part of the team members. Regular timed tests and reviews of the security system should also take place, and the initial designs for these programs should all be developed as soon as the initial review process is accomplished. At the same time, it should be remembered that this position is not necessarily permanent, and plans should be left flexible and adaptable so that there is not a great waste of resource and effort in developing plans that are changed by the new CSO when appointed.