Educause Security Discussion mailing list archives
Re: risk assessment in edu
From: reflect ocean <reflect.ocean () GMAIL COM>
Date: Fri, 19 Jun 2009 12:43:43 -0500
Thank you for your responses. I am not aware of existing equivalents to HIPAA or similar regulations in our location, although I know enforcement of these kinds of regulations outside is very strong.

When reviewing ISO 27001 (which is a standard we are taking into account in order to follow a basic approach to information security management) I found something that maybe someone could explain. According to this standard, in brief, the next step right after getting support from the organization's directors to implement it is to define the information security policy. Why would it be correct to define the security policy before a risk assessment? Can anyone explain? My understanding is that maybe this security policy is really a strategic security policy (an organizational overview) and not the security policy in itself.

Thanks

On Fri, Jun 19, 2009 at 8:18 AM, Karen Stopford <stopfordk () ct edu> wrote:
In security risk assessment we always start with the risks to confidentiality, integrity and availability of assets. The risk we are looking for is the risk of loss - mostly financial loss but also reputational loss. Each asset may rate differently according to these dimensions. Student data confidentiality is one area of risk, also employee data confidentiality and possibly trustee and alumni data as well. There are compliance, identity theft and associated financial losses, and reputational risks here. Other risks to look at are:

- Availability of operational systems: registration, course scheduling, bursar, etc. - these systems must be up and running as expected in order to continue operations
- Network availability: malicious code, DoS, uncontrolled configuration changes, etc. mean campus networks may be unavailable or not have enough bandwidth for needs
- Integrity of information and supporting systems: grades can be altered, financial information can be incorrect, or processing may not have the controls in place to deter and detect fraud
- Risk of loss of intellectual property
- Miscellaneous regulatory compliance risks: DMCA, GLBA, FERPA, HIPAA, Copyright Act (commercial software as well as other works), etc.

There are many more, but if you start with the ones most likely to cause substantial losses, you will probably find yourself quite busy for a long, long time.

C. Karen Stopford, CISSP
Associate Executive Officer for I.T. Security
CT State University System
39 Woodland Street
Hartford, CT 06105
(860) 493-0116

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of reflect ocean
Sent: Thursday, June 18, 2009 3:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] risk assessment in edu

Hi. Recently I've been assigned information security responsibilities and my first step is to determine what assets the organization wants to protect. I'm struggling trying to come up with something other than student data. I definitely have a better understanding from the point of view of what controls I have to implement (firewalls, IDS, incident response teams, etc.). The stage where I am is asset evaluation according to some information security standards, and after that I would continue with risk assessment. Has anyone conducted any of these assessments? What risks in terms of information security do educational organizations face?

Thank you
reflect.