Educause Security Discussion mailing list archives
Re: risk asessment in edu
From: Karen Stopford <stopfordk () CT EDU>
Date: Fri, 19 Jun 2009 09:18:41 -0400
In security risk assessment we always start with the risks to confidentiality, integrity and availability of assets. The risk we are looking for is the risk of loss - mostly financial loss but also reputational loss. Each asset may rate differently according to these dimensions.

Student data confidentiality is one area of risk, also employee data confidentiality and possibly trustee and alumni data as well. There are compliance, identity theft and associated financial losses, and reputational risks here.

Other risks to look at are:

- Availability of operational systems: registration, course scheduling, bursar, etc. - these systems must be up and running as expected in order to continue operations
- Network availability: Malicious code, DOS, uncontrolled configuration changes, etc. mean campus networks may be unavailable or not have enough bandwidth for needs
- Integrity of information and supporting systems: Grades can be altered, financial information can be incorrect or processing may not have the controls in place to deter and detect fraud
- Risk of loss of intellectual property
- Miscellaneous regulatory compliance risks: DMCA, GLBA, FERPA, HIPAA, Copyright Act (commercial software as well as other works) etc.

There are many more but if you start with the ones most likely to cause substantial losses, you will probably find yourself quite busy for a long, long time.

C. Karen Stopford, CISSP
Associate Executive Officer for I.T. Security
CT State University System
39 Woodland Street
Hartford, CT 06105
(860) 493-0116

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of reflect ocean
Sent: Thursday, June 18, 2009 3:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] risk asessment in edu

Hi. Recently I've been assigned information security responsibilities and my first step is to determine what assets the organization wants to protect. I'm struggling trying to come up with something else rather than student data. I definitely have a better understanding from the point of what controls I have to implant (firewalls, IDS, incident response teams, etc.). The stage where I am is assets evaluation according to some information security standards and after that I would continue with risk assessment.

Has anyone conducted any of these assessments? What risks in terms of information security do the educational organizations face?

Thank you
reflect.