Educause Security Discussion mailing list archives

Re: University-Wide Risk Assessment


From: "Victoriano Casas, ISO" <vcasas () AUSTIN UTEXAS EDU>
Date: Fri, 18 Aug 2006 09:40:30 -0500

Alex,

The University of Texas at Austin is putting the finishing touches on
our campus wide Risk Assessment deployment.  Let me try and answer your
specific questions, then I'll add a link to my applied research project
(ARP, like a mini-thesis) which I wrote last spring for my Masters.

Do you send out surveys, or is the RA done personally? 

YES - you can use surveys to ask data owners (and custodians) to
classify their data (eg. Confidential, Sensitive but not confidential,
public, etc).  We at UT-Austin use Category I, II, III
(http://www.utexas.edu/its/policies/opsmanual/dataclassification.html)  

How detailed are the questions? 

Depends on the scope.  

We used the NIST Security Self-Assessment Guide for IT Systems (Swanson,
2001) (http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf)
as a basis.  

We removed all the unrelated (Federal) stuff and inserted UT-Austin
policy (http://www.utexas.edu/its/policies), UT-System policy
(http://www.utsystem.edu/bpm/53.htm) and Texas Administrative Code
(http://info.sos.state.tx.us/pls/pub/readtac$ext.ViewTAC?tac_view=5&ti=1&pt=10&ch=202&sch=C&rl=Y) to come up with a long list of questions.

We then made sure we covered both department based questions and host
based questions.  Now we have a large question bank that we pick and
choose from depending on the assessment.

Do you cover both technical and procedural issues? 

YES - see the NIST guide for more info.

Do you base the questions on existing policies? 

OH YEAH!   Without policies in place, there's nothing to base your
assessment on - unless you use state and federal laws/rules/regulations.

Who answers the questions? Individual techs or heads of departments? 

Techs (or, IT Custodians) answer, AND the Department Heads (or, IT Owners)
certify the answers.

What method do you use? Electronic? Web based? Written and signed?

Mostly electronic web based (for our survey and our exception process).


I hope that helps.  Here is a link to my ARP:
http://ecommons.txstate.edu/arp/109 
 
Good luck!
Victoriano Casas III, MPA, CISSP
Information Security Office
The University of Texas at Austin
security.utexas.edu
v 512.232.9371


-----Original Message-----
From: Alex Campoe [mailto:campoe () USF EDU] 
Sent: Friday, August 18, 2006 6:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] University-Wide Risk Assessment

One thing that Connie Sadler from Brown University mentioned 
recently made me curious. We are about to embark on an 
attempt to perform a University-wide risk assessment program 
and we're trying to figure out how to go about doing it. Our 
environment is pretty large and decentralized.

The questions are many, but I would like to know how other 
Universities approach the issue. Do you send out surveys, or 
is the RA done personally? How detailed are the questions? Do 
you cover both technical and procedural issues? Do you base 
the questions on existing policies? 
Who answers the questions? Individual techs or heads of departments? 
What method do you use? Electronic? Web based? Written and signed?

Thanks


-- 
Alex Campoe, CISSP
Information Security Manager
Associate Director, Systems
Academic Computing, University of South Florida
Email: campoe () usf edu
Phone: (813) 974-1796
