Updated Risk Assessment resources available

[Ced Bennett <ced.bennett () STANFORD EDU>]

Colleagues,

The Risk Assessment Working Group wishes to inform higher education
information security practioners of a few recent resource updates which are
now available from the Risk Management section of the IT Security Guide.
Each of these resources can be reached by navigating to the Risk Management
section of the IT Security Guide and looking in the Resources Developed by
the Security Task Force section of that page; direct URLs are provided
within this note for convenience.

*       Information Security Risk Assessment Consultants - This is a new
section which provides a list of vendors known to have conducted some form
of IS risk assessment for at least one higher education institution.  The
only way a vendor can get onto this list is to be placed there by some
EDUCAUSE member institution which has engaged the consultant.  Each entry on
this list provides a link to the institution which has provided the vendor
reference.  The list can be a starting place for schools which are seeking a
consultant; referencing institutions may be willing to provide additional
information about the vendor and the consulting engagement when asked.  The
list can be reached via this URL -
<https://wiki.internet2.edu/confluence/display/secguide/Information+Security
+Risk+Assessment+Consultants>
https://wiki.internet2.edu/confluence/display/secguide/Information+Security+
Risk+Assessment+Consultants

The value of this list increases as the number of referenced vendors and
referencing institutions increase.  If your institution has engaged an
information security consultant for some sort of security or risk assessment
activity in the past few years, please take a couple of minutes to provide
reference information to this list (instructions for easily adding
additional references are included as a part of this new section).

*       Risk Assessment Tools - This is a new section which provides links
to various tools which can aid with a risk assessment.  The tools are a mix
of some sold or licensed by vendors, some provided by colleague
institutions, and some from associations or standards groups.  It can be
reached via this URL -
<https://wiki.internet2.edu/confluence/display/secguide/Risk+Assessment+Tool
s>
https://wiki.internet2.edu/confluence/display/secguide/Risk+Assessment+Tools


As with the List of Consultants, the working group would appreciate any
references to other such tools to include on this list.

*        Information Security Governance (ISG) Self Assessment Tool for
Higher Education - This existing PDF version of the tool has been enhanced
by the addition of a Microsoft Excel version which (1) separates each
section onto a individual worksheets for increased flexibility of analysis
and entry and (2) provides for automatic summarization on the separate
scoring-worksheet.  Both versions of this tool can be reached via this URL -
http://connect.educause.edu/Library/Abstract/InformationSecurityGovern/43206

We hope you find this information useful -- and are able to provide
additional entry data for either of the two new sections.

Thank you,

Ced Bennett and Kathy Bergsma
Co-chairs of the Risk Assessment Working Group