Educause Security Discussion mailing list archives

Re: University-Wide Risk Assessment


From: "Cheek, Leigh" <lcheek () UTK EDU>
Date: Fri, 18 Aug 2006 17:09:46 -0400

The University of Tennessee has been taking a more Sarbanes-Oxley approach
this year. Below is a link to the methodology that David Crawford from the
Texas system developed and we have been using.

http://universityrisk.tamu.edu/AssessmentTool.aspx


Thanks,
Leigh Cheek, CIA, CISA
Auditor
Audit and Consulting Services
University of Tennessee
149 Conference Center Building
Knoxville, TN 37996-4114
(865) 974-4420
fax (865) 974-6171
lcheek () utk edu

-----Original Message-----
From: Alex Campoe [mailto:campoe () USF EDU]
Sent: Friday, August 18, 2006 7:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] University-Wide Risk Assessment

One thing that Connie Sadler from Brown University mentioned recently made
me curious. We are about to embark on an attempt to perform a
University-wide risk assessment program and we're trying to figure out how
to go about doing it. Our environment is pretty large and decentralized.

The questions are many, but I would like to know how other Universities
approach the issue. Do you send out surveys, or is the RA done personally?
How detailed are the questions? Do you cover both technical and procedural
issues? Do you base the questions on existing policies?
Who answers the questions? Individual techs or heads of departments?
What method do you use? Electronic? Web based? Written and signed?

Thanks


--
--  Alex Campoe, CISSP            Information Security Manager       --
--                                Associate Director, Systems        --
--  Email: campoe () usf edu         Phone: (813) 974-1796              --
--  Academic Computing            University of South Florida        --
-----------------------------------------------------------------------
