Governance, Risk, and Compliance: Designing security solutions to fit your needs

For every advancement made in the world of technology, someone is out there looking to exploit technology in new and nefarious ways. Therefore, having solid information security policies and procedures is an essential first step in any organization’s cyber defense.

At Michigan State University, the Governance, Risk, and Compliance (GRC) team within MSU IT’s Information Security department serves as the security entry point for users on campus.

“We’re not the exciting side of information security,” said Brian Martinez, GRC team lead. “We don’t stop hackers directly. But to us, this stuff is exciting. We really enjoy what we do.”

Martinez and his six-person team consult with departments across the university to create policy, processes, and procedures dealing directly with information security and the use of technology.

“Our job is to be the general information security experts,” Martinez said. “We try to influence the culture around security in a positive way, making sure people are mindful and cognizant of security best practices.”

The team is assigned the role of risk management. It performs risk assessments to identify risks that need mitigation and verifies that departments and projects comply with the applicable security standards and regulations set forth by university policy and by state and federal statutes. Raising security awareness through security training is also a key role of the GRC team.

The team is also available to assess security processes and procedures if there is a security breach on campus.

“We can come in post-breach, figure out where the shortcomings were and shore those up, and strengthen our position to make sure that doesn’t happen again,” Martinez said.

The team found opportunities to enhance its risk assessment procedures in response to campus incidents.

“We go into a unit or college and learn about their data, give more scrutiny to systems, and highlight risks,” Martinez said.