Re: Information Security Risk Assessment Process/Tools

[Richard Phung <richard.phung () SIMMONS EDU>]

Greetings--
I am in the process of completing a Risk Assessment based on the
NIST-CSF-800-53 using CyberSaint (https://cybersaint.io).

CyberSaint is a web-based utility that consists of a series of forms and
the output is displayed in attractive-looking dashboards.
For each control, you assign values like... "None, Partial, Full" and
Liklihood/Impact low-medium-high, etc.. and it calculates the risk scores.

You can do things like "snapshot-in-time" or before-and-after.
Other features include a POAM/RA/SSP and executive risk report outputs,
some policy templates, and they support other control frameworks... ISO,
CIS, GDPR.

Frankly, it beats the heck out of doing this kind of assessment with excel
spreadsheets and calculated columns.

--RP

On Thu, Feb 7, 2019 at 12:31 PM Barton, Robert W. <bartonrt () lewisu edu>
wrote:

> OK...we have done a small risk assessment here (qualitative).  It was
> targeting known trouble areas (identified by Networking, directors, and
> with a little C-suite input).  I did most of the collection, and work to do
> so.  We do not have group doing it.  We have changed our IT governance, and
> our data governance model here, so I hope that risk is something that will
> get more time in the coming months/years.
>
> I do have one more hope for a 'group' to work on the issue; since we are a
> Lasallian Catholic University, I have counterparts in other states.  I'm
> hoping I can drum up support for my model.
>
> Robert W. Barton
> Executive Director of Information Security and Policy
> Lewis University
> One University Parkway
> Romeoville, IL  60446-2200
> 815-836-5663
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Caston Thomas
> Sent: Thursday, February 7, 2019 6:57 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Information Security Risk Assessment Process/Tools
>
> I worked with this assessment process during the beta rollout.  Not sure
> where it stands today.  The founder of the company was formerly the Chief
> Security Architect for the Department of Homeland Security, and the
> assessment process was developed in concert with MIT for the DHS.
> http://www.preventbreach.com/services/
>
> I believe this assessment process is available to any education
> institution, regardless of where you're located...
>
> https://www.michigan.gov/documents/cybersecurity/cysafe_flyer_SOM3_468548_7.pdf
>
> Caston Thomas
> cthomas iworkstech.com
>
> This message (including any attachments) is intended only for
> the use of the individual or entity to which it is addressed and
> may contain information that is non-public, proprietary,
> privileged, confidential, and exempt from disclosure under
> applicable law or may constitute as attorney work product.
> If you are not the intended recipient, you are hereby notified
> that any use, dissemination, distribution, or copying of this
> communication is strictly prohibited. If you have received this
> communication in error, notify us immediately by telephone at
> (815)-836-5950 and
> (i) destroy this message if a facsimile or (ii) delete this message
> immediately if this is an electronic communication.
>
> Thank you.


-- 
---
Richard Phung  |  Information Security Analyst
Simmons University
300 The Fenway, Boston, MA 02115-5898
E:  richard.phung () simmons edu
P: 617.521.2692
C: 857.488.6818