Educause Security Discussion mailing list archives
Re: Risk Mapping Inadvertent Data Disclosures
From: Theresa M Rowe <rowe () OAKLAND EDU>
Date: Tue, 18 Apr 2006 12:40:03 -0400
I suggest you look at the research of Virginia Rezmierski at the University of Michigan and the CIFAC project. There's material on the Educause site:

http://www.educause.edu/Browse/645?PARENT_ID=660 (Incident Handling / Response)

Press release at U-Mich:

http://www.umich.edu/news/index.html?Releases/2005/Nov05/r110705

---- Original message ----
Date: Tue, 18 Apr 2006 12:22:08 -0400
From: James H Moore <jhmfa () RIT EDU>
Subject: [SECURITY] Risk Mapping Inadvertent Data Disclosures
To: SECURITY () LISTSERV EDUCAUSE EDU

We are trying to prioritize some efforts. We are using our own internal experiences, but then thought that it would be good to see what types of behavior lead to data loss. We went to http://www.privacyrights.org/ar/chrondatabreaches.htm and looked at their summary of breaches. We highlighted the ones related to Higher Ed, because they are less productive targets, usually, than Banks.

What we came up with is a lot with "Hacking" listed as the cause. We wanted to get a little more granular for things like (this list is off the top of my head, additional sources welcome):

Weak/Stolen/Poorly Managed Passwords
Poorly managed accounts
Improper/poorly managed Access Permissions
Authentication / Access Control Fragmentation - Use of Email or IM to move information
Weak vulnerability detection/management
Inadequate host based defenses
HR risk / Disgruntled Employee / Poor separation of duties
Process Risks - Inadequate security review of technical information systems
Process Risks - Inadequate process controls for publicly accessible information

My requests are 2-fold:

1) If anyone has reviewed their incidents and has produced a risk map that you are willing to share, either with the group or with me personally (and if you moved beyond the risk map to solutions/costs, that would be good too. That is where we are headed).

2) You can respond to me personally if you had one of the high profile incidents listed in the http://www.privacyrights.org/ar/chrondatabreaches.htm list, and can better define "Hacking" for me with a root cause.

Any help would be greatly appreciated. We have the attention of our executive leadership and want to produce risk management based recommendations.
Thanks,
Jim

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"We will have a chance when we are as efficient at communicating information security best practices, as hackers and criminals are at sharing attack information" - Peter Presidio
Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services