Educause Security Discussion mailing list archives

Re: Risk Assessments


From: Mike Erickson <Mike.Erickson () WICHITA EDU>
Date: Tue, 16 Nov 2004 11:42:17 -0600

We recently went through a "focussed" risk assessment by an external
vendor. There were essentially four components: 1) Review policies, 2)
External vulnerability assessment, 3) Internal vulnerability assessment,
and 4) Targeted attack on several high-profile hosts (DNS server, email
server, etc.).

We did an RFP and had 30+ responses from potential vendors. We eventually
contracted with Cisco Systems to do the assessment - they call it a
"Security Posture Assessment". The entire project took about 6 weeks from
initial communication regarding policies, through external and internal
assessments, and final report production. We were very pleased with the
"final product", which was an HTML-based document outlining all
vulnerabilities discovered, a report on each of the areas listed above,
best practices, and more. It is created such that we can "break it up" and
provide detail to individual sys admins or local network admins for
specific subnets without giving out the whole report.

We are formulating our plan to remediate and resolve the issues
discovered, and I anticipate we will make this an annual effort.

I'd be glad to share additional information and specifics on or off-line.

------------------------------------------------------------------------------------------------------
Michael D. Erickson, Security Officer & Asst Director, Technical Services & Operations
University Computing // Wichita State University
mike.erickson () wichita edu // 316-978-3453




"Alt, Brandon C." <altb () EDUCATIONCENTRAL ORG>
Sent by: The EDUCAUSE Security Discussion Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
11/16/2004 09:46 AM
Please respond to: The EDUCAUSE Security Discussion Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
cc:
Subject: [SECURITY] Risk Assessments

Hello to the List!

I am currently in the process of developing a formal and
complete risk assessment for our organization. I wanted to find out if
anyone else has gone through this, what tools and methods did you use, how
long did it take, what were your results, and anything else that you might
like to share about this. Does anyone have any thoughts on performing
annual risk assessments?

Thanks to all!

Brandon Alt
Information Security Manager
Technology Division
Duval County Public Schools
altb () educationcentral org

********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/groups/.
