Educause Security Discussion mailing list archives
Re: Risk Assessments
From: Mike Erickson <Mike.Erickson () WICHITA EDU>
Date: Tue, 16 Nov 2004 11:42:17 -0600
We recently went through a "focussed" risk assessment by an external vendor. There were essentially four components:

1) Review policies,
2) External vulnerability assessment,
3) Internal vulnerability assessment, and
4) Targeted attack on several high-profile hosts (dns server, email server, etc).

We did an RFP and had 30+ responses from potential vendors. We eventually contracted with Cisco Systems to do the assessment - they call it a "Security Posture Assessment". The entire project took about 6 weeks from initial communication regarding policies, through external and internal assessments, and final report production.

We were very pleased with the "final product" which was an html-based document outlining all vulnerabilities discovered, a report on each of the areas listed above, best practices, and more. It is created such that we can "break it up" and provide detail to individual sys admins or local network admins for specific subnets without giving out the whole report.

We are formulating our plan to remediate and resolve the issues discovered, and I anticipate we will make this an annual effort.

I'd be glad to share additional information and specifics on or off-line.

------------------------------------------------------------------------------------------------------
Michael D. Erickson, Security Officer & Asst Director, Technical Services & Operations
University Computing // Wichita State University
mike.erickson () wichita edu // 316-978-3453

"Alt, Brandon C." <altb () EDUCATIONCENTRAL ORG>
Sent by: The EDUCAUSE Security Discussion Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
11/16/2004 09:46 AM
Please respond to The EDUCAUSE Security Discussion Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
cc:
Subject: [SECURITY] Risk Assessments

Hello to the List!

I am currently in the process of developing a formal and complete risk assessment for our organization. I wanted to find out if anyone else has gone through this, what tools and methods did you use, how long did it take, what were your results, and anything else that you might like to share about this. Does anyone have any thoughts on performing annual risk assessments?

Thanks to all!

Brandon Alt
Information Security Manager
Technology Division
Duval County Public Schools
altb () educationcentral org

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Current thread:
- Re: Risk Assessments Tim Lane (Nov 16)
- <Possible follow-ups>
- Risk Assessments Alt, Brandon C. (Nov 16)
- Re: Risk Assessments Mike Erickson (Nov 16)
- Re: Risk Assessments Jamie A. Stapleton (Nov 16)
- Re: Risk Assessments Davis, Thomas R. (Nov 17)
- Re: Risk Assessments Ken Shaurette (Nov 23)
- Re: Risk Assessments Havens, Ben (Nov 24)
- Re: Risk Assessments Melissa Guenther (Nov 24)
- Re: Risk Assessments Scholz, Greg (Nov 24)
- Re: Risk Assessments Ken Shaurette (Nov 24)
- Re: Risk Assessments Ken Shaurette (Nov 24)