Educause Security Discussion mailing list archives
Campus threat models
From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Thu, 10 Aug 2006 09:51:32 -0600
During the course of developing a risk assessment and management practice on our campus, I have been working on a general, campus-level threat model. This is a broad, non-application specific threat model to help people understand the overall threats to campus IT and the associated risk. I hope it could also serve as a template for departments to expand upon for threats specific to their services/processes. I didn't see any Educause docs specific to threat modeling and the Educause risk assessment framework actually doesn't mention general threat modeling (it does discuss threat analysis as a step in the process in assessing risk to critical assets). A lot of reading on the topic of threat modeling is about application development and there are some free tools out there with this focus, but much of it didn't see very applicable to more general threat modeling. It seems that building a thought-out threat model removes guesswork and supposition during discussions regarding security and can be a useful guide in decision making. Naturally, such documents need to be regularly updated for changing services and threats. How many of you have developed this kind of threat model for your campus? If you have developed one, is it publicly available or can you send a copy? (I'm not looking for sensitive details, just how you documented general, common threats.) Thanks, Brad Judy IT Security Office Information Technology Services University of Colorado at Boulder
Current thread:
- Campus threat models Brad Judy (Aug 10)
- <Possible follow-ups>
- Re: Campus threat models Jim Dillon (Aug 10)