Re: Risk Mapping Inadvertent Data Disclosures

[Theresa M Rowe <rowe () OAKLAND EDU>]

I suggest you look at the research of Virginia Rezmierski at the University of Michigan and the CIFAC project.  There's 
material on the Educause site:
http://www.educause.edu/Browse/645?PARENT_ID=660

Incident Handling / Response
Press release at U-Mich
http://www.umich.edu/news/index.html?Releases/2005/Nov05/r110705


---- Original message ----
> Date: Tue, 18 Apr 2006 12:22:08 -0400
> From: James H Moore <jhmfa () RIT EDU>
> Subject: [SECURITY] Risk Mapping Inadvertent Data Disclosures
> To: SECURITY () LISTSERV EDUCAUSE EDU
>
>   We are trying to prioritize some efforts.  We are
>   using our own internal experiences, but then thought
>   that it would be good to see what types of behavior
>   lead to data loss.  We went to
>   http://www.privacyrights.org/ar/chrondatabreaches.htm
>   and looked at their summary of breaches.  We
>   highlighted the ones related to Higher Ed, because
>   they are less productive targets, usually, than
>   Banks.
>
>
>
>   What we came up with is a lot with "Hacking" listed
>   as the cause.
>
>   We wanted to get a little more granular for things
>   like (this list is off of the top of my head,
>   additional sources welcome):
>
>
>
>   Weak/Stolen/Poorly Managed Passwords
>
>   Poorly managed accounts
>
>   Improper/poorly managed Access Permissions
>
>   Authentication / Access Control Fragmentation - Use
>   of Email or IM to move information
>
>   Weak vulnerability detection/management
>
>   Inadequate host based defenses
>
>   HR risk / Disgruntled Employee / Poor separation of
>   duties
>
>   Process Risks - Inadequate security review of
>   technical information systems
>
>   Process Risks - Inadequate process controls for
>   publicly accessible information
>
>
>
>   My requests are 2-fold
>
>   1) If anyone has reviewed their incidents and has
>   produced a risk map that you are willing to share,
>   either with the group or with me personally (and if
>   you moved beyond the risk map to solutions/costs
>   that would be good too.  That is where we are
>   headed)
>
>   2) You can respond to me personally if you had one
>   of the high profile incidents listed in the
>   http://www.privacyrights.org/ar/chrondatabreaches.htm
>   list, and can better define "Hacking" for me with a
>   root cause
>
>
>
>   Any help would be greatly appreciated.  We have the
>   attention of our executive leadership and want to
>   produce risk management based recommendations.
>
>
>
>   Thanks,
>
>
>
>   Jim
>
>   - - - -
>   Jim Moore, CISSP, IAM
>   Information Security Officer
>   Rochester Institute of Technology
>   13 Lomb Memorial Drive
>   Rochester, NY 14623-5603
>   (585) 475-5406 (office)
>   (585) 475-4122 (lab)
>   (585) 475-7950 (fax)
>
>   "We will have a chance when we are as efficient at
>   communicating information security best practices,
>   as hackers and criminals are at sharing attack
>   information"  - Peter Presidio
Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services