Educause Security Discussion mailing list archives

Re: risk asessment in edu


From: Karen Stopford <stopfordk () CT EDU>
Date: Fri, 19 Jun 2009 09:18:41 -0400

In security risk assessment we always start with the risks to confidentiality, integrity and availability of assets.  
The risk we are looking for is the risk of loss - mostly financial loss but also reputational loss.  Each asset may 
rate differently according to these dimensions.

Student data confidentiality is one area of risk, also employee data confidentiality and possibly trustee and alumni 
data as well.  There are compliance, identity theft and associated financial losses, and reputational risks here.  
Other risks to look at are:

-Availability of operational systems: registration, course scheduling, bursar, etc. - these systems must be up and 
running as expected in order to continue operations
-Network availability: Malicious code, DoS, uncontrolled configuration changes, etc. mean campus networks may be 
unavailable or not have enough bandwidth for needs
-Integrity of information and supporting systems: Grades can be altered, financial information can be incorrect or 
processing may not have the controls in place to deter and detect fraud
-Risk of loss of intellectual property
-Miscellaneous regulatory compliance risks: DMCA, GLBA, FERPA, HIPAA, Copyright Act (commercial software as well as 
other works) etc.

There are many more but if you start with the ones most likely to cause substantial losses, you will probably find 
yourself quite busy for a long, long time.

C. Karen Stopford, CISSP
Associate Executive Officer for I.T. Security
CT State University System
39 Woodland Street
Hartford, CT  06105
(860) 493-0116

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of reflect ocean
Sent: Thursday, June 18, 2009 3:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] risk asessment in edu

Hi. Recently I've been assigned information security responsibilities
and my first step is to determine what assets the organization wants
to protect. I'm struggling trying to come up with something else rather
than student data.
I definitely have a better understanding from the point of what
controls I have to implement (firewalls, IDS, incident response
teams, etc.). The stage where I am is asset evaluation according to
some information security standards, and after that I would continue
with risk assessment.
Has anyone conducted any of these assessments? What risks in terms of
information security do educational organizations face?
Thank you

reflect.
