Crossing Organizational Boundaries to Achieve Mutual Security

1
Crossing Organizational Boundaries to Achieve
Mutual Security
Peter J. Murray, Ph.D. James E. McNamee,
Ph.D. Vice President and CIO Associate Dean and
CIO University of Maryland Baltimore University
of Maryland School of Medicine
2
IT Security

• Challenges and Preparedness
• Many organizations have recognized the problems
  severity and are working to minimize the risk and
  damage from the next computer virus or attack on
  network and systems. The degree of preparedness,
  however, varies from one organization to the
  next, and some institutions of higher education
  have yet to develop quality IT security services.
• Kvavik and Voloudakis (2003). Information
  Technology Security Governance, Strategy, and
  Practice in Higher Education, Research Study from
  the Educause Center for Applied Research.

3
University of Maryland Baltimore (UMB)

• Large, complex academic health, human services,
  law and hospital center
• Addressing IT security challenges and problems in
  a complex environment
• CIOs agreed to change the culture and build a
  collaborative environment

4
Building a Collaborative Environment

• A multi-organization IT security strategy
• Help desk coordination
• Security technologies implemented
• Policies and procedures re-written
• Preparing for HIPAA Privacy rule
• Closing organizational gaps
• Yet, the security program was still not strong
  enough

5
Rising Threats, Regulatory Compliance

• Virus infections and hack attempts
• Grow 150 yearly
• Deplete bandwidth
• Threaten research, teaching and business
  processes
• HIPAA regulations impact healthcare IT
• Federal mandate
• Calls for IS preparedness

6
Joint Organizational Response

• Leadership jointly called for safe computing
• CIOs formed technical Security Committee
• Campus (UMB)
• School of Medicine (SoM)
• Physicians practice plan (UPI)
• Hospital (UMMC)
• Committee charged to write standards and policies
  to boost network and workstation security

7
Existing State

• UMB Acceptable Use Policy
• Defined allowed and prohibited behaviors on the
  network
• Disparate IT practices
• No device naming conventions
• Mix of managed and unmanaged workstations
• Laissez faire security measures

8
Low-Hanging Security Fruit

• Network device naming
• Password management
• Anti-virus management
• OS patch management
• Remote access
• Incident response

9
HIPAA Security-Inspired

• Media reuse/disposal
• Mobile devices
• Authentication authorization
• Termination of access
• Secure transmission
• Disaster recovery
• Etc.

10
The Security Committee Other Success Factors

• Leadership direction and support
• Improved communication
• Professional and social interaction
• Sharing expertise
• Openness and collaborative spirit
• No organizational barriers, just problem-solving
• Cohesiveness, effectiveness, and mutual benefit

11
Plans for the Future

• Use Collaborative Solutions Model for other
  initiatives
• Additional Working Committees formed
• Directory services
• Wireless
• eLearning
• Technology classrooms
• We show by example that by sharing goals,
  expertise, knowledge, and resources, mutual
  benefits and success with information technology
  can be achieved within, and across,
  organizational boundaries.