Educause Security Discussion mailing list archives
Re: University-Wide Risk Assessment
From: Rodney Petersen <rpetersen () EDUCAUSE EDU>
Date: Mon, 21 Aug 2006 07:57:09 -0600
I would also encourage you to consult some resources developed by the EDUCAUSE/Internet2 Security Task Force:

Risk Assessment Framework
http://www.educause.edu/LibraryDetailPage/666?ID=CSD4380
(Note: this document provides a high-level overview on the subject of conducting a risk assessment of information systems within higher education. It is being fleshed out with more details and examples by the STF Risk Assessment Working Group.)

Information Security Governance Self Assessment Tool for Higher Education
http://www.educause.edu/ir/library/pdf/SEC0421.pdf
(Note: Section II on Risk Management assesses the risk management process of your organization as it relates to creating an information security strategy and program. While the tool is not intended to substitute for a university-wide risk assessment, many of the questions throughout the tool are indicative of areas to be addressed as part of that process.)

Effective IT Security Practices Guide for Higher Education
http://www.educause.edu/security/guide
(See links to "Preliminary Risk Assessment", "Risk Analysis of Critical Areas and Processes", and "Institution-Wide Risk Assessment" under "Links" on right-side of page.)

-Rodney

--------------------------------------------------
Rodney J. Petersen
Policy Analyst & Security Task Force Coordinator
EDUCAUSE
1150 18th Street, N.W., Suite 1010
Washington, D.C. 20036
(202) 331-5368 / (202) 872-4200
(202) 872-4318 (FAX)
EDUCAUSE/Internet2 Security Task Force
www.educause.edu/security
--------------------------------------------------

-----Original Message-----
From: Alex Campoe [mailto:campoe () USF EDU]
Sent: Friday, August 18, 2006 7:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] University-Wide Risk Assessment

One thing that Connie Sadler from Brown University mentioned recently made me curious. We are about to embark on an attempt to perform a University-wide risk assessment program and we're trying to figure out how to go about doing it.

Our environment is pretty large and decentralized. The questions are many, but I would like to know how other Universities approach the issue. Do you send out surveys, or is the RA done personally? How detailed are the questions? Do you cover both technical and procedural issues? Do you base the questions on existing policies? Who answers the questions? Individual techs or heads of departments? What method do you use? Electronic? Web based? Written and signed?

Thanks

-- Alex Campoe, CISSP, Information Security Manager
-- Associate Director, Systems
-- Email: campoe () usf edu  Phone: (813) 974-1796
-- Academic Computing, University of South Florida