Educause Security Discussion mailing list archives

Re: [External] Re: [SECURITY] Information Security Risk Assessment Process/Tools


From: "Shankar, Anurag" <ashankar () IU EDU>
Date: Thu, 7 Feb 2019 20:40:08 +0000

Sorry, I should have added a bit more info – it’s for 800-53rev4 moderate baseline.  What took the most effort in 
creating the spreadsheet is this – instead of asking “whether you have this control in place?”, I attempted to 
translate the control into a question that mere humans can understand (the 800-53 afflicted will know what I mean) …

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Shankar, Anurag" 
<ashankar () IU EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, February 7, 2019 at 3:27 PM
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] [External] Re: [SECURITY] Information Security Risk Assessment Process/Tools

Interestingly, our security office just redirected my attempt to access cybersaint.io saying it is a known malware 
host, hmmm …

I’ve used the NIST RMF for a long time here at IU and, since I didn’t find anything when I looked, have developed my 
own 800-53 based risk assessment spreadsheet.  Granted it’s only a spreadsheet, but hey, spreadsheets rule the world.  
Anyway, I am happy to share it if anyone is interested.  Just email me.

Regards,

Anurag

---

Anurag Shankar,  Ph.D.  Email: ashankar [at] iu.edu  Phone: +1 (812) 856-6978

Center for Applied Cybersecurity Research, Pervasive Technology Institute, Indiana University

2719 E. 10th Street, Suite 231, Bloomington, IN 47408

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Barnes, William" 
<wbarnes () BLOOMU EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, February 7, 2019 at 3:21 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [External] Re: [SECURITY] Information Security Risk Assessment Process/Tools

I’ll second the CSAT as well….   I’ve put our information into there so now I have a nice base level for comparison of 
areas of improvement.

Thanks! 

--Bill 

************************************************************************* 

* Bill Barnes, RHCE, CISSP

* Manager of Technology Support Services 

* and Library Network Administrator 

* Technology Support Services

* Bloomsburg University 

* ph: 570-389-2813 

* e-mail: wbarnes () bloomu edu

*************************************************************************

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Hagan, Sean
Sent: Thursday, February 7, 2019 3:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security Risk Assessment Process/Tools

For those that are members of MS-ISAC (free if you qualify), CIS has recently (last week, I believe) released the CSAT 
which provides a free web-based assessment tool for conducting a CIS/CSC20-based risk assessment.  It’s perhaps not a 
true risk assessment, but I suppose you could measure risk based on your level of adoption (or lack thereof) of the 
various controls.

It’s also probably nowhere near as comprehensive as a paid solution from an entity that specializes in risk assessment, 
but it’s free and maybe a good starting point for resource limited institutions to get an idea of where to focus 
efforts.  It has a number of options for exporting data out and some potentially interesting comparison stuff to see 
how you compare across your industry (not sure if they’ll ever actually do anything with that or not).  It might be 
particularly interesting if you were part of a multi-campus or multi-institution system and if it allowed for built-in 
comparisons between – but I have no idea if it does now or will in the future.  Finally (and most importantly, of 
course), the CSAT has a pretty dashboard… :)

https://csat.cisecurity.org

Good luck!

Sean

~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sean Hagan

Chief Information Security Officer
Yavapai College

(928) 717-7651 – direct

https://www.yc.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Richard Phung
Sent: Thursday, February 7, 2019 12:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security Risk Assessment Process/Tools

Greetings--

I am in the process of completing a Risk Assessment based on the NIST-CSF-800-53 using CyberSaint 
(https://cybersaint.io).

CyberSaint is a web-based utility that consists of a series of forms and the output is displayed in attractive-looking 
dashboards.
For each control, you assign values like... "None, Partial, Full" and Likelihood/Impact low-medium-high, etc. and it 
calculates the risk scores.

You can do things like "snapshot-in-time" or before-and-after.

Other features include a POAM/RA/SSP and executive risk report outputs, some policy templates, and they support other 
control frameworks... ISO, CIS, GDPR.


Frankly, it beats the heck out of doing this kind of assessment with excel spreadsheets and calculated columns.

--RP

On Thu, Feb 7, 2019 at 12:31 PM Barton, Robert W. <bartonrt () lewisu edu> wrote:

OK...we have done a small risk assessment here (qualitative).  It was targeting known trouble areas (identified by 
Networking, directors, and with a little C-suite input).  I did most of the collection, and work to do so.  We do not 
have a group doing it.  We have changed our IT governance, and our data governance model here, so I hope that risk is 
something that will get more time in the coming months/years.

I do have one more hope for a 'group' to work on the issue; since we are a Lasallian Catholic University, I have 
counterparts in other states.  I'm hoping I can drum up support for my model.  

Robert W. Barton
Executive Director of Information Security and Policy
Lewis University
One University Parkway
Romeoville, IL  60446-2200
815-836-5663


-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Caston Thomas
Sent: Thursday, February 7, 2019 6:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security Risk Assessment Process/Tools

I worked with this assessment process during the beta rollout.  Not sure where it stands today.  The founder of the 
company was formerly the Chief Security Architect for the Department of Homeland Security, and the assessment process 
was developed in concert with MIT for the DHS.
http://www.preventbreach.com/services/

I believe this assessment process is available to any education institution, regardless of where you're located...
https://www.michigan.gov/documents/cybersecurity/cysafe_flyer_SOM3_468548_7.pdf

Caston Thomas
cthomas iworkstech.com


-- 

---

Richard Phung  |  Information Security Analyst

Simmons University

300 The Fenway, Boston, MA 02115-5898

E:  richard.phung () simmons edu

P: 617.521.2692
C: 857.488.6818
