Educause Security Discussion mailing list archives
Risk Assessment at a Service Provider
From: Steven Carmody <Steven_Carmody () BROWN EDU>
Date: Tue, 12 Jul 2011 13:32:58 -0400
Hi,
I'm wondering whether any campus has developed a framework that they use to assess potential risk if a Service Provider site is compromised? I'm thinking primarily of the wide variety of in-sourced business systems that campuses use today, many of them locally developed.
OMC 04-04 describes an approach for determining required LoA by identifying the Maximum Potential Impact if an SP is compromised, and then mapping that to a required authentication LoA.
However, the description of the process to assess potential impact is somewhat high level. I'm wondering if any campus has taken this a step further, and instituted a real process for doing this sort of assessment. For instance, do you use the same categories that appear in 04-04? Additional ones? Do you have any guidelines describing how to do this sort of assessment (perhaps including examples)?
Thanks for any information or pointers.