Educause Security Discussion mailing list archives
Re: Security Assessment
From: Jack Suess <jack () UMBC EDU>
Date: Wed, 28 Jul 2004 23:07:57 -0400
I might suggest you look at the EDUCAUSE/ effective security practices guide.
http://www.educause.edu/asp/km/term_resources.asp?Term_ID=665
Jim Moore of Rochester Institute of Technology has a good case study. I also know of one done at Prince Georges Community College in Maryland.
From two panel presentations on risk management that I have been on, the sense is that outsourcing risk assessment has the following characteristics:

1. It is a lot of work to manage scope, set up interviews, and provide the necessary data to properly do a risk assessment. Don't underestimate this.
2. Outside consultants can be costly. Minimum is $100/hour and usually more. For fixed bid, make sure they will produce something you can use.
3. It is important to understand the methodology a group will use. Most are focused on NSA or NIST methodologies. Make them tell you their methodology and then verify it is compatible with your culture.
4. One benefit is that sometimes outside groups have more "credibility" with upper management.
5. If you decide to do this yourself, look at the URL for some links on getting started. Also, Gary DeClute of Wisconsin and Randy Marchany of Virginia Tech have done great work in this area.

I should also say that the EDUCAUSE Security Task Force has a risk management working group. This is chaired by Rob Clark, Director of Audit at Georgia Tech. I know they are working on some materials for release.

jack suess, CIO UMBC

On Wed, 28 Jul 2004, Tom Neiss wrote:
Can anyone share their experiences with conducting a Security Risk Assessment.

Cost
Scope of Work
Experience

Thanks,
tn

Thomas R. Neiss
Director of Telecommunications and Information Security
University at Albany
State University of New York
1400 Washington Avenue MSC 209
Albany, NY 12222
tneiss () uamail albany edu
(518) 437-3803
(518) 437-3810 (FAX)

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.