Re: Risk Mapping Inadvertent Data Disclosures

[Steve Schuster <sjs74 () CORNELL EDU>]

Jim,

	We also started conducting such an exercise last year and produced  
the paper at the this link (http://www.cit.cornell.edu/computer/ 
security/data-loss-prepare.html).  The paper serves as a good  
backdrop for the executives to better understand why we're doing what  
we're doing and has also served as a good road map toward better  
policies and procedures as we implement the recommendations.

	While not exactly answering your specific questions below I thought  
that the document was at least worth sharing.

Good luck,
sjs

Steve Schuster
Director, IT Security Office
Cornell University
sjs74 () cornell edu




On Apr 18, 2006, at 12:22 PM, James H Moore wrote:

> We are trying to prioritize some efforts.  We are using our own  
> internal experiences, but then thought that it would be good to see  
> what types of behavior lead to data loss.  We went tohttp:// 
> www.privacyrights.org/ar/chrondatabreaches.htm and looked at their  
> summary of breaches.  We highlighted the ones related to Higher Ed,  
> because they are less productive targets, usually, than Banks.
>
>
>
> What we came up with is a lot with “Hacking” listed as the cause.
>
> We wanted to get a little more granular for things like (this list  
> is off of the top of my head, additional sources welcome):
>
>
>
> Weak/Stolen/Poorly Managed Passwords
>
> Poorly managed accounts
>
> Improper/poorly managed Access Permissions
>
> Authentication / Access Control Fragmentation – Use of Email or IM  
> to move information
>
> Weak vulnerability detection/management
>
> Inadequate host based defenses
>
> HR risk / Disgruntled Employee / Poor separation of duties
>
> Process Risks – Inadequate security review of technical information  
> systems
>
> Process Risks – Inadequate process controls for publicly accessible  
> information
>
>
>
> My requests are 2-fold
>
> 1) If anyone has reviewed their incidents and has produced a risk  
> map that you are willing to share, either with the group or with me  
> personally (and if you moved beyond the risk map to solutions/ 
> costs  that would be good too.  That is where we are headed)
>
> 2) You can respond to me personally if you had one of the high  
> profile incidents listed in thehttp://www.privacyrights.org/ar/ 
> chrondatabreaches.htm list, and can better define “Hacking” for me  
> with a root cause
>
>
>
> Any help would be greatly appreciated.  We have the attention of  
> our executive leadership and want to produce risk management based  
> recommendations.
>
>
>
> Thanks,
>
>
>
> Jim
>
> - - - -
> Jim Moore, CISSP, IAM
> Information Security Officer
> Rochester Institute of Technology
> 13 Lomb Memorial Drive
> Rochester, NY 14623-5603
> (585) 475-5406 (office)
> (585) 475-4122 (lab)
> (585) 475-7950 (fax)
>
> "We will have a chance when we are as efficient at communicating  
> information security best practices, as hackers and criminals are  
> at sharing attack information"  - Peter Presidio