Educause Security Discussion mailing list archives
Re: Risk Tolerance
From: Stefan Wahe <0000009ffd3543ad-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Thu, 8 Aug 2019 15:46:34 +0000
David – This is a good topic to discuss. You are correct that it is difficult to understand a meaningful risk tolerance score for a university or for any organization. I typically consider the risk tolerance of a campus unit or organization independently. This is primarily due to the differing missions of the different units on campus, spanning the components of teaching and learning, research, and administrative systems.

In the attached document there are two tables that identify our risk impact and risk likelihood baseline. We offer the unit the opportunity to adjust the monetary and availability scales based on their threshold to define tolerance for an information system outage (availability) or the ability to monetarily address a breach, fines, or lost revenue.

I am working on a method to aggregate the results of the individual cybersecurity risk assessment results into an overall campus risk score. This will be used to inform leadership of the score and the reason for an increase or decrease in risk, to determine their current risk tolerance, and to seek guidance in prioritization to address the residual risk.

My thought is that the overall risk tolerance of campus leaders shifts in time based on current financial, political, or reputational influences that the leaders may be experiencing. Changes in leadership also impact this. By setting and communicating current risk, we can gauge their risk tolerance based on prioritization of implementing and maintaining security controls (financial support of people, process, and tools).

While not directly answering your question, I hope the information is worthwhile. Any thoughts or feedback are welcomed.
Thanks – Stefan Wahe

Stefan Wahe, CISSP
------------------
University of Wisconsin-Madison Office of Cybersecurity <https://it.wisc.edu/about/division-of-information-technology/strategic-operations-departments-people/cybersecurity/>
Deputy Chief Information Security Officer
Assistant Director, Governance, Risk Management, and Compliance
HIPAA Security Officer (http://go.wisc.edu/hipaasecurity)
Stefan.Wahe () wisc edu <mailto:Stefan.Wahe () wisc edu>
608-265-1177

--

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of David Eilken <david.eilken () DOMAIL MARICOPA EDU>
Reply-To: "david.eilken () domail maricopa edu" <david.eilken () DOMAIL MARICOPA EDU>
Date: Tuesday, August 6, 2019 at 2:26 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Risk Tolerance

All,

I'm looking to better understand an appropriate level of risk tolerance for educational institutions; in particular for a large, sprawling college that does not do much research (lots of PII, little IP). I thought it would be good to ask two simple questions.

First, what do you feel is your org's risk tolerance on a scale of 1-10? Ten being that you have information security concerns but don't allocate specific budget for it and are comfortable accepting high levels of cyber risk.

Second, although the Educause Security Almanac states an average of 3.6% of IT budget is allocated to IS, it would be interesting to know if you feel that you have the resources to obtain/maintain a reasonable level of PPT (People, Processes, and Technology) for IS that appropriately balances the costs of reducing cyber risks.

As always, thanks,
Dave

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at https://www.educause.edu/community
**********
Attachment:
Risk Scoring-Cybersecurity-20190305.docx
Description: Risk Scoring-Cybersecurity-20190305.docx
Current thread:
- Risk Tolerance David Eilken (Aug 06)
- Re: Risk Tolerance Stefan Wahe (Aug 08)