Educause Security Discussion mailing list archives
Re: University-Wide Risk Assessment
From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Fri, 18 Aug 2006 09:04:00 -0600
This is something I have been working on for the past several months and we have begun implementing it. I'll work on getting the docs on our website and send a link to the group when it's up (hopefully within a few days).

In the meantime, the source material I used for developing our framework included:

- NIST 800 series documents
- OCTAVE
- Virginia Tech docs
- U Virginia docs
- Microsoft Risk Management Guide
- Burton Group articles on risk management
- Bits and pieces of some books and things like COSO and GAISP
- Bits and pieces from conferences/colleagues (including this past Educause security professionals conference)

Educause also publishes a risk management framework doc, but it's pretty lightweight (might have been the goal).

Pretty much everything listed above is freely available (except the Burton Group materials) - I expect most of you either already know of these items or can quickly find them. If it proves challenging to track them down, I'll dig up a list of links.

I'm thinking about proposing a talk on our framework at the next Educause security professionals conference.

Brad Judy
IT Security Office
Information Technology Services
University of Colorado at Boulder
-----Original Message-----
From: Alex Campoe [mailto:campoe () USF EDU]
Sent: Friday, August 18, 2006 5:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] University-Wide Risk Assessment

One thing that Connie Sadler from Brown University mentioned recently made me curious. We are about to embark on an attempt to perform a University-wide risk assessment program and we're trying to figure out how to go about doing it. Our environment is pretty large and decentralized.

The questions are many, but I would like to know how other Universities approach the issue. Do you send out surveys, or is the RA done personally? How detailed are the questions? Do you cover both technical and procedural issues? Do you base the questions on existing policies? Who answers the questions? Individual techs or heads of departments? What method do you use? Electronic? Web based? Written and signed?

Thanks

Alex Campoe, CISSP
Information Security Manager
Associate Director, Systems
Academic Computing
University of South Florida
Email: campoe () usf edu
Phone: (813) 974-1796