Educause Security Discussion mailing list archives

Re: Risk Assessments


From: "Davis, Thomas R." <tdavis () IU EDU>
Date: Wed, 17 Nov 2004 07:45:30 -0500

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ----Original Message----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alt, Brandon C.
Sent: Tuesday, November 16, 2004 10:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Risk Assessments

developing a formal and complete risk assessment

Hi Brandon,
  The one thing I might add to the other posts is that it's all too
common for the terms "risk assessment" and "vulnerability assessment"
to be used incorrectly.  So, if you do end up contracting with an
external agency to develop and/or perform a risk assessment for you,
you'll want them to clearly articulate which you're going to pay for.
 ;-)  

  Vulnerability assessments tend to focus on network- and host-based
vulnerability scans (and perhaps physical security), and are one part
of an overall risk assessment.  Risk assessments take a broader view
of the entire business process and review other issues such as
sensitivity of the data (i.e., where should attention be focused),
backups, disaster recovery, policy, etc.

- -- 
Tom Davis, Information Technology Security Officer, CISSP, CISM
Office of the VP for Information Technology, Indiana University
PGP key or S/MIME certificate: https://www.itso.iu.edu/staff/tdavis/

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQZtH6nMQ7XQGtBENEQJmXACfR9VhrpVmqvicuYcMT1JcQnbzAgAAoING
XWw+Vv7XTRVcesRtapgGXstg
=xP2S
-----END PGP SIGNATURE-----

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
