Educause Security Discussion mailing list archives

Re: Security Assessment


From: Jack Suess <jack () UMBC EDU>
Date: Wed, 28 Jul 2004 23:07:57 -0400

I might suggest you look at the EDUCAUSE/ effective security practices
guide.

http://www.educause.edu/asp/km/term_resources.asp?Term_ID=665

Jim Moore of Rochester Institute of Technology has a good case study.

I also know of one done at Prince George's Community College in Maryland.

From two panel presentations on risk management that I have been on, the
sense is that outsourcing risk assessment has the following
characteristics:

1. It is a lot of work to manage scope, set up interviews, and provide the
necessary data to properly do a risk assessment. Don't underestimate
this;

2. Outside consultants can be costly. Minimum is $100/hour and usually
more. For fixed bid, make sure they will produce something you can use.

3. It is important to understand the methodology a group will use. Most
are focused on NSA or NIST methodologies. Make them tell you their
methodology and then verify it is compatible with your culture.

4. One benefit is that sometimes outside groups have more "credibility"
with upper management.

5. If you decide to do this yourself, look at the URL for some links on
getting started. Also Gary DeClute of Wisconsin and Randy Marchany of
Virginia Tech have done great work in this area.

I should also say that the EDUCAUSE Security Task force has a risk
management working group. This is chaired by Rob Clark, Director of Audit
at Georgia Tech. I know they are working on some materials for release.

jack suess,

CIO UMBC


On Wed, 28 Jul 2004, Tom Neiss wrote:

Can anyone share their experiences with conducting a Security Risk
Assessment.
Cost
Scope of Work
Experience
Thanks,
tn

Thomas R. Neiss
Director of Telecommunications and Information Security
University at Albany
State University of New York
1400 Washington Avenue MSC 209
Albany, NY 12222
tneiss () uamail albany edu
(518) 437-3803
(518) 437-3810 (FAX)

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

