Educause Security Discussion mailing list archives
Re: Risk Mapping Inadvertent Data Disclosures
From: Steve Schuster <sjs74 () CORNELL EDU>
Date: Tue, 18 Apr 2006 13:14:56 -0400
Jim,

We also started conducting such an exercise last year and produced the paper at this link (http://www.cit.cornell.edu/computer/security/data-loss-prepare.html). The paper serves as a good backdrop for the executives to better understand why we're doing what we're doing and has also served as a good road map toward better policies and procedures as we implement the recommendations.
While not exactly answering your specific questions below, I thought that the document was at least worth sharing.
Good luck,
sjs

Steve Schuster
Director, IT Security Office
Cornell University
sjs74 () cornell edu

On Apr 18, 2006, at 12:22 PM, James H Moore wrote:
We are trying to prioritize some efforts. We are using our own internal experiences, but then thought that it would be good to see what types of behavior lead to data loss. We went to http://www.privacyrights.org/ar/chrondatabreaches.htm and looked at their summary of breaches. We highlighted the ones related to Higher Ed, because they are less productive targets, usually, than Banks.

What we came up with is a lot with "Hacking" listed as the cause. We wanted to get a little more granular for things like (this list is off the top of my head, additional sources welcome):

- Weak/Stolen/Poorly Managed Passwords
- Poorly managed accounts
- Improper/poorly managed Access Permissions
- Authentication / Access Control Fragmentation - Use of Email or IM to move information
- Weak vulnerability detection/management
- Inadequate host based defenses
- HR risk / Disgruntled Employee / Poor separation of duties
- Process Risks - Inadequate security review of technical information systems
- Process Risks - Inadequate process controls for publicly accessible information

My requests are 2-fold:

1) If anyone has reviewed their incidents and has produced a risk map that you are willing to share, either with the group or with me personally (and if you moved beyond the risk map to solutions/costs that would be good too. That is where we are headed)

2) You can respond to me personally if you had one of the high profile incidents listed in the http://www.privacyrights.org/ar/chrondatabreaches.htm list, and can better define "Hacking" for me with a root cause

Any help would be greatly appreciated. We have the attention of our executive leadership and want to produce risk management based recommendations.

Thanks,
Jim

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"We will have a chance when we are as efficient at communicating information security best practices, as hackers and criminals are at sharing attack information" - Peter Presidio
Current thread:
- Risk Mapping Inadvertent Data Disclosures James H Moore (Apr 18)
- <Possible follow-ups>
- Re: Risk Mapping Inadvertent Data Disclosures Theresa M Rowe (Apr 18)
- Re: Risk Mapping Inadvertent Data Disclosures Steve Schuster (Apr 18)