Educause Security Discussion mailing list archives

Risk Assessment at a Service Provider


From: Steven Carmody <Steven_Carmody () BROWN EDU>
Date: Tue, 12 Jul 2011 13:32:58 -0400

Hi,

I'm wondering whether any campus has developed a framework that they use to assess potential risk if a Service Provider site is compromised? I'm thinking primarily of the wide variety of in-sourced business systems that campuses use today, many of them locally developed.

OMC 04-04 describes an approach for determining required LoA by identifying the Maximum Potential Impact if an SP is compromised, and then mapping that to a required authentication LoA.

However, the description of the process to assess potential impact is somewhat high level. I'm wondering if any campus has taken this a step further, and instituted a real process for doing this sort of assessment. For instance, do you use the same categories that appear in 04-04? Additional ones? Do you have any guidelines describing how to do this sort of assessment (perhaps including examples)?

Thanks for any information or pointers.

