Educause Security Discussion mailing list archives
Re: Information Security Risk Assessment Process/Tools
From: Richard Phung <richard.phung () SIMMONS EDU>
Date: Thu, 7 Feb 2019 14:35:29 -0500
Greetings--

I am in the process of completing a Risk Assessment based on the NIST-CSF-800-53 using CyberSaint (https://cybersaint.io).

CyberSaint is a web-based utility that consists of a series of forms and the output is displayed in attractive-looking dashboards. For each control, you assign values like... "None, Partial, Full" and Likelihood/Impact low-medium-high, etc., and it calculates the risk scores. You can do things like "snapshot-in-time" or before-and-after.

Other features include a POAM/RA/SSP and executive risk report outputs, some policy templates, and they support other control frameworks... ISO, CIS, GDPR.

Frankly, it beats the heck out of doing this kind of assessment with Excel spreadsheets and calculated columns.

--RP

On Thu, Feb 7, 2019 at 12:31 PM Barton, Robert W. <bartonrt () lewisu edu> wrote:
OK...we have done a small risk assessment here (qualitative). It was targeting known trouble areas (identified by Networking, directors, and with a little C-suite input). I did most of the collection, and work to do so. We do not have a group doing it. We have changed our IT governance, and our data governance model here, so I hope that risk is something that will get more time in the coming months/years.

I do have one more hope for a 'group' to work on the issue; since we are a Lasallian Catholic University, I have counterparts in other states. I'm hoping I can drum up support for my model.

Robert W. Barton
Executive Director of Information Security and Policy
Lewis University
One University Parkway
Romeoville, IL 60446-2200
815-836-5663

-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv < SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Caston Thomas
Sent: Thursday, February 7, 2019 6:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security Risk Assessment Process/Tools

I worked with this assessment process during the beta rollout. Not sure where it stands today. The founder of the company was formerly the Chief Security Architect for the Department of Homeland Security, and the assessment process was developed in concert with MIT for the DHS.

http://www.preventbreach.com/services/

I believe this assessment process is available to any education institution, regardless of where you're located...

https://www.michigan.gov/documents/cybersecurity/cysafe_flyer_SOM3_468548_7.pdf

Caston Thomas
cthomas iworkstech.com

This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone at (815)-836-5950 and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.
--
Richard Phung | Information Security Analyst
Simmons University
300 The Fenway, Boston, MA 02115-5898
E: richard.phung () simmons edu
P: 617.521.2692
C: 857.488.6818