Educause Security Discussion mailing list archives
Re: [External] Re: [SECURITY] Information Security Risk Assessment Process/Tools
From: "Casanova, Jodi" <Jodi.Casanova () NORTHERN EDU>
Date: Tue, 26 Feb 2019 02:29:56 +0000
Hi Cam - I checked out SaltyCloud's site and it sounds very interesting. I've conducted one test run of a risk assessment on our own and it was very cumbersome. I would love to hear more about your experience with ISORA. Any chance we could chat?

Thanks!
Jodi

-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Cam Beasley
Sent: Monday, February 11, 2019 11:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [External] Re: [SECURITY] Information Security Risk Assessment Process/Tools

we've had really good luck with our ISORA tool over the last 12 years (https://security.utexas.edu/isora). it accommodates federated EDU environments really well and also just about any framework you want to use. it also provides an inventory management component and there's very helpful reporting/trending for key stakeholders, boards, etc. we're also planning to extend a free HECVAT hosted option (with ISORA as the base) for the EDU community in April.

~cam.

On Feb 7, 2019, at 2:40 PM, Shankar, Anurag <ashankar () IU EDU> wrote:

Sorry, I should have added a bit more info – it's for the 800-53 rev4 moderate baseline. What took the most effort in creating the spreadsheet is this – instead of asking "whether you have this control in place?", I attempted to translate the control into a question that mere humans can understand (the 800-53 afflicted will know what I mean) …

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Shankar, Anurag" <ashankar () IU EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, February 7, 2019 at 3:27 PM
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] [External] Re: [SECURITY] Information Security Risk Assessment Process/Tools

Interestingly, our security office just redirected my attempt to access cybersaint.io saying it is a known malware host, hmmm …

I've used the NIST RMF for a long time here at IU and, since I didn't find anything when I looked, have developed my own 800-53 based risk assessment spreadsheet. Granted it's only a spreadsheet, but hey, spreadsheets rule the world. Anyway, I am happy to share it if anyone is interested. Just email me.

Regards,
Anurag

---
Anurag Shankar, Ph.D.
Email: ashankar [at] iu.edu
Phone: +1 (812) 856-6978
Center for Applied Cybersecurity Research, Pervasive Technology Institute, Indiana University
2719 E. 10th Street, Suite 231, Bloomington, IN 47408

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Barnes, William" <wbarnes () BLOOMU EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, February 7, 2019 at 3:21 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [External] Re: [SECURITY] Information Security Risk Assessment Process/Tools

I'll second the CSAT as well…. I've put our information into there, so now I have a nice base level for comparison of areas of improvement.

Thanks!
--Bill

*************************************************************************
* Bill Barnes, RHCE, CISSP
* Manager of Technology Support Services
* and Library Network Administrator
* Technology Support Services
* Bloomsburg University
* ph: 570-389-2813
* e-mail: wbarnes () bloomu edu
*************************************************************************

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Hagan, Sean
Sent: Thursday, February 7, 2019 3:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security Risk Assessment Process/Tools

For those that are members of MS-ISAC (free if you qualify), CIS has recently (last week, I believe) released the CSAT, which provides a free web-based assessment tool for conducting a CIS/CSC20-based risk assessment. It's perhaps not a true risk assessment, but I suppose you could measure risk based on your level of adoption (or lack thereof) of the various controls. It's also probably nowhere near as comprehensive as a paid solution from an entity that specializes in risk assessment, but it's free and maybe a good starting point for resource-limited institutions to get an idea of where to focus efforts.

It has a number of options for exporting data out and some potentially interesting comparison stuff to see how you compare across your industry (not sure if they'll ever actually do anything with that or not). It might be particularly interesting if you were part of a multi-campus or multi-institution system and if it allowed for built-in comparisons between – but I have no idea if it does now or will in the future.

Finally (and most importantly, of course), the CSAT has a pretty dashboard… :-)

https://csat.cisecurity.org

Good luck!
Sean

~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sean Hagan
Chief Information Security Officer
Yavapai College
(928) 717-7651 – direct
https://www.yc.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Richard Phung
Sent: Thursday, February 7, 2019 12:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security Risk Assessment Process/Tools

Greetings--

I am in the process of completing a Risk Assessment based on the NIST-CSF-800-53 using CyberSaint (https://cybersaint.io). CyberSaint is a web-based utility that consists of a series of forms, and the output is displayed in attractive-looking dashboards. For each control, you assign values like... "None, Partial, Full" and Likelihood/Impact low-medium-high, etc., and it calculates the risk scores. You can do things like "snapshot-in-time" or before-and-after. Other features include POAM/RA/SSP and executive risk report outputs, some policy templates, and they support other control frameworks... ISO, CIS, GDPR.

Frankly, it beats the heck out of doing this kind of assessment with Excel spreadsheets and calculated columns.

--RP

On Thu, Feb 7, 2019 at 12:31 PM Barton, Robert W. <bartonrt () lewisu edu> wrote:

OK... we have done a small risk assessment here (qualitative). It was targeting known trouble areas (identified by Networking, directors, and with a little C-suite input). I did most of the collection, and work to do so. We do not have a group doing it. We have changed our IT governance, and our data governance model here, so I hope that risk is something that will get more time in the coming months/years.

I do have one more hope for a 'group' to work on the issue; since we are a Lasallian Catholic University, I have counterparts in other states. I'm hoping I can drum up support for my model.

Robert W. Barton
Executive Director of Information Security and Policy
Lewis University
One University Parkway
Romeoville, IL 60446-2200
815-836-5663

-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Caston Thomas
Sent: Thursday, February 7, 2019 6:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security Risk Assessment Process/Tools

I worked with this assessment process during the beta rollout. Not sure where it stands today. The founder of the company was formerly the Chief Security Architect for the Department of Homeland Security, and the assessment process was developed in concert with MIT for the DHS.

http://www.preventbreach.com/services/

I believe this assessment process is available to any education institution, regardless of where you're located...

https://www.michigan.gov/documents/cybersecurity/cysafe_flyer_SOM3_468548_7.pdf

Caston Thomas
cthomas iworkstech.com

--
---
Richard Phung | Information Security Analyst
Simmons University
300 The Fenway, Boston, MA 02115-5898
E: richard.phung () simmons edu
P: 617.521.2692
C: 857.488.6818