Educause Security Discussion mailing list archives
Re: Information Security Risk Assessment Process/Tools
From: "Penn, Blake C" <blake.penn () SECURITY GATECH EDU>
Date: Fri, 8 Feb 2019 15:08:30 +0000
I usually use OCTAVE Allegro. Feel free to email directly if you want more details.

Blake
blake.penn () security gatech edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Casanova, Jodi
Sent: Thursday, 7 February, 2019 17:08
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security Risk Assessment Process/Tools

Blake, I agree with your first statement! You mentioned a few actual risk assessment frameworks – I would be interested to hear which RA framework you use and more about your methodology. Thanks!

Jodi

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Penn, Blake C
Sent: Thursday, February 7, 2019 3:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security Risk Assessment Process/Tools

CIS, NIST 800-53, etc. are great, but assessments against these are assessments against controls or requirements and are not actual risk assessments. ISO 27005, OCTAVE, FAIR, etc. are actual risk assessment frameworks. Some perform control assessments against ISO 27002, but those controls were only designed to be used as potential risk treatments for risks identified during the ISO 27001 process (which requires actual risk assessment). I’m not saying that they aren’t a good set of controls, though, just that you can’t be “ISO 27002 compliant” as it wasn’t developed as an auditable framework for the reason mentioned above.

Blake Penn
Information Security Policy and Compliance Manager
Cyber Security
Georgia Institute of Technology
(404) 385-5480

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Barnes, William
Sent: Thursday, 7 February, 2019 15:21
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security Risk Assessment Process/Tools

I’ll second the CSAT as well…. I’ve put our information into there, so now I have a nice base level for comparison of areas of improvement. Thanks!

--Bill

Bill Barnes, RHCE, CISSP
Manager of Technology Support Services and Library Network Administrator
Technology Support Services
Bloomsburg University
ph: 570-389-2813
e-mail: wbarnes () bloomu edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Hagan, Sean
Sent: Thursday, February 7, 2019 3:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security Risk Assessment Process/Tools

For those that are members of MS-ISAC (free if you qualify), CIS has recently (last week, I believe) released the CSAT, which provides a free web-based assessment tool for conducting a CIS/CSC20-based risk assessment. It’s perhaps not a true risk assessment, but I suppose you could measure risk based on your level of adoption (or lack thereof) of the various controls. It’s also probably nowhere near as comprehensive as a paid solution from an entity that specializes in risk assessment, but it’s free and maybe a good starting point for resource-limited institutions to get an idea of where to focus efforts.

It has a number of options for exporting data out and some potentially interesting comparison stuff to see how you compare across your industry (not sure if they’ll ever actually do anything with that or not). It might be particularly interesting if you were part of a multi-campus or multi-institution system and if it allowed for built-in comparisons between – but I have no idea if it does now or will in the future. Finally (and most importantly, of course), the CSAT has a pretty dashboard… ☺

https://csat.cisecurity.org

Good luck!
Sean

Sean Hagan
Chief Information Security Officer
Yavapai College
(928) 717-7651 – direct
https://www.yc.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Richard Phung
Sent: Thursday, February 7, 2019 12:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security Risk Assessment Process/Tools

Greetings--

I am in the process of completing a Risk Assessment based on the NIST-CSF-800-53 using CyberSaint (https://cybersaint.io). CyberSaint is a web-based utility that consists of a series of forms, and the output is displayed in attractive-looking dashboards. For each control, you assign values like... "None, Partial, Full" and Likelihood/Impact low-medium-high, etc., and it calculates the risk scores. You can do things like "snapshot-in-time" or before-and-after. Other features include POAM/RA/SSP and executive risk report outputs, some policy templates, and they support other control frameworks... ISO, CIS, GDPR. Frankly, it beats the heck out of doing this kind of assessment with Excel spreadsheets and calculated columns.

--RP

On Thu, Feb 7, 2019 at 12:31 PM Barton, Robert W. <bartonrt () lewisu edu> wrote:

OK... we have done a small risk assessment here (qualitative). It was targeting known trouble areas (identified by Networking, directors, and with a little C-suite input). I did most of the collection, and the work to do so. We do not have a group doing it. We have changed our IT governance and our data governance model here, so I hope that risk is something that will get more time in the coming months/years. I do have one more hope for a 'group' to work on the issue; since we are a Lasallian Catholic University, I have counterparts in other states. I'm hoping I can drum up support for my model.

Robert W. Barton
Executive Director of Information Security and Policy
Lewis University
One University Parkway
Romeoville, IL 60446-2200
815-836-5663

-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Caston Thomas
Sent: Thursday, February 7, 2019 6:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security Risk Assessment Process/Tools

I worked with this assessment process during the beta rollout. Not sure where it stands today. The founder of the company was formerly the Chief Security Architect for the Department of Homeland Security, and the assessment process was developed in concert with MIT for the DHS.

http://www.preventbreach.com/services/

I believe this assessment process is available to any education institution, regardless of where you're located...

https://www.michigan.gov/documents/cybersecurity/cysafe_flyer_SOM3_468548_7.pdf

Caston Thomas
cthomas iworkstech.com

--
Richard Phung | Information Security Analyst
Simmons University
300 The Fenway, Boston, MA 02115-5898
E: richard.phung () simmons edu
P: 617.521.2692
C: 857.488.6818
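Richard's description of a tool that takes a None/Partial/Full status per control plus low/medium/high likelihood and impact and turns them into risk scores, together with Blake's point that a control assessment is not a risk assessment, can be illustrated with a small worked register. This is an added example, not code from any poster and not CyberSaint's, OCTAVE's or CIS's actual method: the scoring model (ordinal likelihood times impact, with control status stepping likelihood down) and the register entries are constructed assumptions.

```python
# Added illustration: a qualitative risk register that reports a control-adoption
# percentage and a residual risk ranking side by side, to show they answer
# different questions. The scoring rules below are an assumed convention,
# not any vendor's or framework's published formula.
from __future__ import annotations
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}             # ordinal likelihood / impact scale
CONTROL_CREDIT = {"none": 0, "partial": 1, "full": 2}  # likelihood steps a control removes


@dataclass
class Risk:
    name: str
    likelihood: str  # inherent likelihood before controls: low / medium / high
    impact: str      # low / medium / high
    control: str     # status of the treating control: none / partial / full


def inherent_score(r: Risk) -> int:
    """Likelihood x impact on the 1..3 scale, giving 1..9."""
    return LEVEL[r.likelihood] * LEVEL[r.impact]


def residual_score(r: Risk) -> int:
    """Control status lowers likelihood by 0/1/2 steps (never below 1); impact is unchanged."""
    likelihood = max(1, LEVEL[r.likelihood] - CONTROL_CREDIT[r.control])
    return likelihood * LEVEL[r.impact]


def control_adoption(risks: list[Risk]) -> float:
    """Share of available control credit earned: the 'compliance' style number."""
    earned = sum(CONTROL_CREDIT[r.control] for r in risks)
    return earned / (2 * len(risks))


def rank(risks: list[Risk]) -> list[tuple[str, int, int]]:
    """Rows (name, inherent, residual) ordered by residual score, highest first."""
    rows = [(r.name, inherent_score(r), residual_score(r)) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register; not taken from any real assessment.
SAMPLE = [
    Risk("unpatched public web server", "high", "high", "partial"),
    Risk("lost unencrypted laptop", "medium", "high", "none"),
    Risk("shared admin password", "high", "medium", "full"),
    Risk("stale guest wifi captive portal", "low", "low", "none"),
]

if __name__ == "__main__":
    print(f"control adoption: {control_adoption(SAMPLE):.0%}")
    for name, inherent, residual in rank(SAMPLE):
        print(f"residual {residual} (inherent {inherent}): {name}")
```

The adoption figure (38% here) says how much of the control set is in place; only the residual ranking says which risk to treat first, which is the distinction the thread is drawing.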