Educause Security Discussion mailing list archives

Re: Scoring Security Controls in an RFP


From: "Jones, Dan" <Dan.Jones () UMASSMED EDU>
Date: Thu, 18 Mar 2010 16:32:09 -0400

Has anyone :-)

Here is an "Application Insecurity Index" spreadsheet. It takes a number of elements into consideration and 
differentiates *Inherent Risk* from *Incurred Risk*. This is intended to generate a high-level order-of-magnitude score 
in order to prioritize other activities. 

SANS also offers some guidance on helping to infuse security governance with technology-based procurements. 

Best,

Dan Jones
ISO
UMass Medical School

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Grisham
Sent: Thursday, March 18, 2010 1:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Scoring Security Controls in an RFP

Healthcare has traditionally not purchased applications and systems based on their security controls.  I'm working on 
changing that here.  Has anyone set up scoring criteria on security controls for an RFP that they would be willing to 
share?




Cheers --grish
David D. Grisham, Ph.D.,  CISM, CHSP
Manager, IT Security,
UNM Hospitals, IT Division
Suite 3131
933 Bradbury Drive, SE
Albuquerque, New Mexico 87106
Ph: (505) 272-5657 
Department FAX 272-7143, Desk Fax 272-9927
Work email:  dgrisham () salud unm edu
Adjunct Faculty, Computer Science, UNM
Academic & personal email:  dave () unm edu


Attachment: ApplicationInsecurityIndex.xls

