Educause Security Discussion mailing list archives
Re: University-Wide Risk Assessment
From: "Victoriano Casas, ISO" <vcasas () AUSTIN UTEXAS EDU>
Date: Fri, 18 Aug 2006 09:40:30 -0500
Alex,

The University of Texas at Austin is putting the finishing touches on our campus wide Risk Assessment deployment. Let me try and answer your specific questions, then I'll add a link to my applied research project (ARP, like a mini-thesis) which I wrote last spring for my Masters.
Do you send out surveys, or is the RA done personally?
YES - you can use surveys to ask data owners (and custodians) to classify their data (e.g. Confidential, Sensitive but not confidential, Public, etc.). We at UT-Austin use Category I, II, III (http://www.utexas.edu/its/policies/opsmanual/dataclassification.html).
How detailed are the questions?
Depends on the scope. We used the NIST Security Self-Assessment Guide for IT Systems (Swanson, 2001) (http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf) as a basis. We removed all the unrelated (Federal) stuff and inserted UT-Austin policy (http://www.utexas.edu/its/policies), UT-System policy (http://www.utsystem.edu/bpm/53.htm) and Texas Administrative Code (http://info.sos.state.tx.us/pls/pub/readtac$ext.ViewTAC?tac_view=5&ti=1&pt=10&ch=202&sch=C&rl=Y) to come up with a long list of questions. We then made sure we covered both department based questions and host based questions. Now we have a large question bank that we pick and choose from depending on the assessment.
Do you cover both technical and procedural issues?
YES - see the NIST guide for more info.
Do you base the questions on existing policies?
OH YEAH! Without policies in place, there's nothing to base your assessment on - unless you use state and federal laws/rules/regulations.
Who answers the questions? Individual techs or heads of departments?
Techs (or, IT Custodians) AND the Department Heads (or, IT Owners) certify the answers.
What method do you use? Electronic? Web based? Written and signed?
Mostly electronic web based (for our survey and our exception process).

I hope that helps. Here is a link to my ARP: http://ecommons.txstate.edu/arp/109

Good luck!

Victoriano Casas III, MPA, CISSP
Information Security Office
The University of Texas at Austin
security.utexas.edu
v 512.232.9371
-----Original Message-----
From: Alex Campoe [mailto:campoe () USF EDU]
Sent: Friday, August 18, 2006 6:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] University-Wide Risk Assessment

One thing that Connie Sadler from Brown University mentioned recently made me curious. We are about to embark on an attempt to perform a University-wide risk assessment program and we're trying to figure out how to go about doing it. Our environment is pretty large and decentralized. The questions are many, but I would like to know how other Universities approach the issue.

Do you send out surveys, or is the RA done personally?
How detailed are the questions?
Do you cover both technical and procedural issues?
Do you base the questions on existing policies?
Who answers the questions? Individual techs or heads of departments?
What method do you use? Electronic? Web based? Written and signed?

Thanks

--
Alex Campoe, CISSP
Information Security Manager
Associate Director, Systems
Email: campoe () usf edu
Phone: (813) 974-1796
Academic Computing
University of South Florida
Current thread:
- University-Wide Risk Assessment Alex Campoe (Aug 18)
- <Possible follow-ups>
- Re: University-Wide Risk Assessment Franklin, Elliott (Aug 18)
- Re: University-Wide Risk Assessment Hunt,Keith A (Aug 18)
- Re: University-Wide Risk Assessment Victoriano Casas, ISO (Aug 18)
- Re: University-Wide Risk Assessment Randy Marchany (Aug 18)
- Re: University-Wide Risk Assessment Franklin, Elliott (Aug 18)
- Re: University-Wide Risk Assessment Brad Judy (Aug 18)
- Re: University-Wide Risk Assessment Jim Dillon (Aug 18)
- Re: University-Wide Risk Assessment Cheek, Leigh (Aug 18)
- Re: University-Wide Risk Assessment Shirley Payne (Aug 18)
- Re: University-Wide Risk Assessment Rodney Petersen (Aug 21)