Educause Security Discussion mailing list archives

Risk Mapping Inadvertent Data Disclosures


From: James H Moore <jhmfa () RIT EDU>
Date: Tue, 18 Apr 2006 12:22:08 -0400

We are trying to prioritize some efforts.  We are using our own internal
experiences, but then thought that it would be good to see what types of
behavior lead to data loss.  We went to
http://www.privacyrights.org/ar/chrondatabreaches.htm and looked at
their summary of breaches.  We highlighted the ones related to Higher
Ed, because they are less productive targets, usually, than Banks.
What we came up with is a lot with "Hacking" listed as the cause.

We wanted to get a little more granular for things like (this list is
off of the top of my head, additional sources welcome):
Weak/Stolen/Poorly Managed Passwords
Poorly managed accounts
Improper/poorly managed Access Permissions
Authentication / Access Control Fragmentation - Use of Email or IM to
move information
Weak vulnerability detection/management
Inadequate host based defenses
HR risk / Disgruntled Employee / Poor separation of duties
Process Risks - Inadequate security review of technical information
systems
Process Risks - Inadequate process controls for publicly accessible
information

My requests are two-fold:

1) If anyone has reviewed their incidents and produced a risk map
that they are willing to share, either with the group or with me
personally (and if you have moved beyond the risk map to solutions/costs,
that would be good too; that is where we are headed).

2) You can respond to me personally if you had one of the high-profile
incidents listed in the
http://www.privacyrights.org/ar/chrondatabreaches.htm list, and can
better define "Hacking" for me with a root cause.

Any help would be greatly appreciated.  We have the attention of our
executive leadership and want to produce risk-management-based
recommendations.

Thanks,
Jim

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"We will have a chance when we are as efficient at communicating
information security best practices, as hackers and criminals are at
sharing attack information"  - Peter Presidio
