Post excerpted from a statement released by Andrew Sears, Dean of IST and Interim Chief Information Security Officer
I would like to provide an update about some recent changes for The Office of Information Security (OIS). This includes realignment of teams internal to OIS as well as the integration of the Privacy Office and certain aspects of identity and access functions. I believe these recent changes strengthen the organization, will allow OIS to be more responsive in addressing the mission of the university, and better position OIS to address the university’s evolving needs in this area.
OIS was formed from ITS’s Security and Services (SOS) group a little over a year ago. We have made a lot of progress during the past year focusing on operational excellence, data protection, and developing relationships across the University.
OIS had been operating using a four-team structure that was carried over from SOS. The teams were built around the core functions of intrusion detection, incident response, forensics, and compliance. While this structure met the need of the old SOS organization, the new OIS has found this organization had limitations. To become more proactive and agile, OIS has decided to consolidate to three teams built around Consulting and Services, Enterprise Security, and Compliance. The new organization took effect on October 24th.
The new Consulting and Services team was created to help match challenges with solutions. This team will ensure that services such as sensitive data discovery, encryption, and Modulo continue to be delivered with a strong customer focus. Forensics will fall under this team as well and is expected to benefit from cross training and leveraging additional team members to meet peak demand for the service. Consulting is expected to be a key component of this team over time as OIS seeks to become more involved in providing guidance to units early in the development and procurement cycles of technologies. Randy Hegarty has moved to this team and will be assuming many of the consulting duties.
The Enterprise Security team will continue to focus on providing core security functions. System and web application assessments, pentesting activities, and some elements of incident response have moved into this team. We expect this collection of activities will align with ongoing intrusion detection and prevention efforts to facilitate increased information sharing and improved responsiveness.
The Compliance team, under the management of Joe Gridley, will continue a transition into a more proactive group focused on helping university stakeholders understand and meet compliance issues that impact academic, administrative, and research computing.
We anticipate this new structure will help us respond quicker, better utilize information and skills, and become more agile. A search will begin shortly for new managers for both the Consulting and Services team as well as the Enterprise Security team.
I am also pleased to announce that the Privacy Office has become part of OIS. This transition from Compliance and Ethics is a natural fit as privacy continues to be an important consideration for the university and many of the data protection discussions coincide with OIS.
Finally, I am also pleased to announce that aspects of Identity Management have become part of OIS. This includes responsibility for developing and maintaining policy and procedures intended to help the university make sound access management decisions. In the near future, OIS will be launching a search for a new Director of Identity and Access Management to support this position.