Re: risk asessment in edu

[reflect ocean <reflect.ocean () GMAIL COM>]

Thank you for your responses.I am not aware of existing equivalents to
HIPAA or such regulations in our location.Altough i know enforcement
of these kind of regulations outside are very strong.
When reviewing ISO27001 (which is a standard we are taking into
account in order to follow a basic approach towards security
information management) i found something that maybe someone could
explain.According to this standard,in brief, the next step right after
getting support from organization directors to implement it,is to
define the information security policy.
Why would it be correct to define the security policy before a risk
assessment? Can anyone explain? My understanding is that maybe this
security policy is really a strategic security policy (organizationa
overview) and not the security policy in itself.

Thanks


On Fri, Jun 19, 2009 at 8:18 AM, Karen Stopford<stopfordk () ct edu> wrote:
> In security risk assessment we always start with the risks to confidentiality, integrity and availability of assets.  
> The risk we are looking for is the risk of loss - mostly financial loss but also reputational loss.  Each asset may 
> rate differently according to these dimensions.
>
> Student data confidentiality is one area of risk, also employee data confidentiality and possibly trustee and alumni 
> data as well.  There are compliance, identity theft and associated financial losses, and reputational risks here.  
> Other risks to look at are:
>
> -Availability of operational systems: registration, course scheduling, bursar, etc. - these systems must be up and 
> running as expected in order to continue operations
> -Network availability: Malicious code, DOS, uncontrolled configuration changes, etc. mean campus networks may be 
> unavailable or not have enough bandwidth for needs
> -Integrity of information and supporting systems: Grades can be altered, financial information can be incorrect or 
> processing may not have the controls in place to deter and detect fraud
> -Risk of loss of intellectual property
> -Miscellaneous regulatory compliance risks: DMCA, GLBA, FERPA, HIPAA, Copyright Act (commercial software as well as 
> other works) etc.
>
> There are many more but if you start with the ones most likely to cause substantial losses, you will probably find 
> yourself quite busy for a long, long time.
>
> C. Karen Stopford, CISSP
> Associate Executive Officer for I.T. Security
> CT State University System
> 39 Woodland Street
> Hartford, CT  06105
> (860) 493-0116
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
> reflect ocean
> Sent: Thursday, June 18, 2009 3:19 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] risk asessment in edu
>
> Hi.Recently I've been assigned information security responsabilities
> and my first step is to determine what assets the organization wants
> to protect.i'm struggling trying to come up with something else rather
> than student data.
> I definitely have a better understanding from the point of what
> controls I have to implant (firewalls,ids,incident response
> teams,etc...).the stage where i am is assets evaluation according to
> some information secruity standards and after that i would continue
> with risk assessment.
> Has anyone conducted any of these assessments? What risks in terms of
> information security do the educational organizations face?
> Thank you
>
> reflect.