Educause Security Discussion mailing list archives
Re: Campus threat models
From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Thu, 10 Aug 2006 12:25:50 -0600
Brad, I wish you luck in this search. I find most shops dive right into risk assessment processes without developing a comprehensive threat model, which undermines the veracity of the assessment. Nonetheless it is common.

One thought to help you along in building your own threat model would be the suggestion to use a complete governance model, namely COBIT version 3 or 4 (go for four if you can, it's the latest) and identify the threats to each part of the lifecycle. (Simply imagine what things impair the control objectives for each domain element, and you have your threats identified!) Then you need to match lifecycle disciplines to your various business units. Due to the way COBIT is oriented, this will be business objective based, a much more sound viewpoint than simply an IT-limited scope. You'll find health care, services, data delivery (NASA, DoD contracts for certain, a lot of atmospheric stuff at CU) requirements, health and safety monitoring and warning services (HVAC sensors and stuff) and any number of things you will have never imagined when you apply this to your campus. Think of the campus as a micro-community with all services and you will find most any city will be represented in some part somewhere, particularly in the research areas. Heck, housing will cover the entire cycle several times over.

If you haven't been looking at NIST 800 series guidelines and documents I'd suggest you give them a try - while not directly HE oriented, I'm betting you'll find some good general templates, and given my previous supposition that the campus is a micro-community, much will map directly to your efforts. NIST standards and guidelines seem like overkill sometimes, but they can be quite revealing, and I can't imagine they don't contain some threat modeling guidance that won't be helpful.

You might want to look at some of the guidance out there by Disaster Recovery oriented organizations regarding Business Impact Analysis.
I find the stuff from the Canadian groups tends to be more lucid and usable than what I've found in the US sites on this topic. A threat model that does not in some way begin to speak to impact may not be of much use.

Finally, if you find some good models out there, get permission to share them. I'm predicting this area to be poorly covered at present, but with many interested participants heading down the right path. Maybe you'll be the first?

Best regards,
Jim

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************

-----Original Message-----
From: Brad Judy [mailto:Brad.Judy () COLORADO EDU]
Sent: Thursday, August 10, 2006 9:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Campus threat models

During the course of developing a risk assessment and management practice on our campus, I have been working on a general, campus-level threat model. This is a broad, non-application-specific threat model to help people understand the overall threats to campus IT and the associated risk. I hope it could also serve as a template for departments to expand upon for threats specific to their services/processes.

I didn't see any Educause docs specific to threat modeling, and the Educause risk assessment framework actually doesn't mention general threat modeling (it does discuss threat analysis as a step in the process of assessing risk to critical assets). A lot of reading on the topic of threat modeling is about application development, and there are some free tools out there with this focus, but much of it didn't seem very applicable to more general threat modeling.

It seems that building a thought-out threat model removes guesswork and supposition during discussions regarding security and can be a useful guide in decision making. Naturally, such documents need to be regularly updated for changing services and threats.

How many of you have developed this kind of threat model for your campus? If you have developed one, is it publicly available or can you send a copy? (I'm not looking for sensitive details, just how you documented general, common threats.)

Thanks,

Brad Judy
IT Security Office
Information Technology Services
University of Colorado at Boulder