Educause Security Discussion mailing list archives

Re: University-Wide Risk Assessment


From: "Franklin, Elliott" <franklin () TXSTATE EDU>
Date: Fri, 18 Aug 2006 08:47:42 -0500

At Texas State University we too have begun a similar effort.  We first
ran multiple NMAP scans to detect common server services.  Once we had a
list we were comfortable with, we then made a best effort to identify the
department based on the server subnet and building.  We then developed a
web-based Network Device Registration form.  Our Network Use policy
states that all devices acting in any role other than an individual
workstation or printer must be registered.  From this registration data,
we will prioritize and then personally visit each server to complete our
risk assessment. 

Elliott Franklin, CISSP
Information Security Analyst
Texas State University-San Marcos
http://www.vpit.txstate.edu/security 
512.245.2501

-----Original Message-----
From: Alex Campoe [mailto:campoe () USF EDU] 
Sent: Friday, August 18, 2006 6:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] University-Wide Risk Assessment

One thing that Connie Sadler from Brown University mentioned recently 
made me curious. We are about to embark on an attempt to perform a 
University-wide risk assessment program and we're trying to figure out 
how to go about doing it. Our environment is pretty large and 
decentralized.

The questions are many, but I would like to know how other Universities 
approach the issue. Do you send out surveys, or is the RA done 
personally? How detailed are the questions? Do you cover both technical 
and procedural issues? Do you base the questions on existing policies? 
Who answers the questions? Individual techs or heads of departments? 
What method do you use? Electronic? Web based? Written and signed?

Thanks


-- 
--  Alex Campoe, CISSP            Information Security Manager       --
--                                Associate Director, Systems        --
--  Email: campoe () usf edu         Phone: (813) 974-1796              --
--  Academic Computing            University of South Florida        --
-----------------------------------------------------------------------
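
Added example (not part of either message): the inventory step described in the Texas State reply, sketched in Python. It parses nmap grepable (-oG) output, maps each host to a department by subnet, and lists hosts offering non-printer services that are missing from the registration data. The sample scan output, subnet map, registration set and the ordering by number of open services are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of nmap grepable (-oG) output; addresses are placeholders.
SAMPLE_OG = """\
Host: 10.1.20.5 (www.cs.example.edu)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 10.1.20.77 ()\tPorts: 631/open/tcp//ipp///, 9100/open/tcp//jetdirect///
Host: 10.1.30.12 ()\tPorts: 25/open/tcp//smtp///, 3306/open/tcp//mysql///, 443/closed/tcp//https///
Host: 10.9.9.9 ()\tPorts: 445/open/tcp//microsoft-ds///
Host: 10.1.30.40 ()\tStatus: Up
"""

# Hypothetical subnet-to-department map and registration form data.
SUBNETS = {"10.1.20.0/24": "Computer Science", "10.1.30.0/24": "Library"}
REGISTERED = {"10.1.20.5"}
PRINTER_ONLY = {"ipp", "jetdirect", "printer"}  # the policy exempts printers

def parse_grepable(text):
    """Return {ip: set of open service names} from -oG 'Ports:' lines."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: ([^\t]*)", line)
        if not m:
            continue  # comment lines and 'Status:' lines carry no ports
        for entry in m.group(2).split(","):
            f = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(f) >= 5 and f[1] == "open":
                hosts.setdefault(m.group(1), set()).add(f[4] or f[0])
    return hosts

def department(ip):
    addr = ipaddress.ip_address(ip)
    for net, dept in SUBNETS.items():
        if addr in ipaddress.ip_network(net):
            return dept
    return "UNKNOWN"  # needs manual follow-up (building, switch port)

def unregistered_servers(text):
    """Unregistered hosts with non-printer services, most services first (assumed ordering)."""
    rows = []
    for ip, services in parse_grepable(text).items():
        server_services = services - PRINTER_ONLY
        if server_services and ip not in REGISTERED:
            rows.append((department(ip), ip, sorted(server_services)))
    return sorted(rows, key=lambda r: (-len(r[2]), r[1]))

if __name__ == "__main__":
    for dept, ip, svcs in unregistered_servers(SAMPLE_OG):
        print(f"{dept:18} {ip:12} {', '.join(svcs)}")
```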
