Educause Security Discussion mailing list archives

Re: risk assessment in edu


From: jeff murphy <jcmurphy () BUFFALO EDU>
Date: Thu, 18 Jun 2009 15:58:33 -0400


On Jun 18, 2009, at 3:18 PM, reflect ocean wrote:

> Hi. Recently I've been assigned information security responsibilities
> and my first step is to determine what assets the organization wants
> to protect. I'm struggling trying to come up with something else rather
> than student data.

student data (ferpa), financial data, financial transactions (pci),
medical records. it can vary depending upon what your school does, the
services it offers. it's probably easiest to start with what
regulations apply to you and go from there.

> I definitely have a better understanding from the point of what
> controls I have to implant (firewalls, ids, incident response
> teams, etc...).

controls aren't always technical. got anyone collecting paper records?
those count too. are they controlled? are they disposed of properly?


> the stage where i am is assets evaluation according to
> some information security standards and after that i would continue
> with risk assessment.
> Has anyone conducted any of these assessments? What risks in terms of
> information security do the educational organizations face?

pretty much the same as anyone, if you lose control of a large amount
of regulated data (say social security numbers + contact information)
you are liable for some pretty heavy financial repercussions. if you
lose control of something that you've classified internally as
sensitive (say a budget proposal) the risk is harder to quantify. most
of the time you ask a) what fines would we have to pay, b) what sort
of lawsuits would result, c) what's the impact to our public image
when deciding how to approach a risk (combine that with how likely the
risk is and how much it will cost to mitigate, sort and then go lobby
for funding the top-N)

as an aside, posting from an ostensibly anonymous account is, imo, bad
form.

> Thank you
>
> reflect.


