Educause Security Discussion mailing list archives
Re: risk assessment in edu
From: jeff murphy <jcmurphy () BUFFALO EDU>
Date: Thu, 18 Jun 2009 15:58:33 -0400
On Jun 18, 2009, at 3:18 PM, reflect ocean wrote:
> Hi. Recently I've been assigned information security responsibilities and my first step is to determine what assets the organization wants to protect. I'm struggling trying to come up with something else rather than student data.

student data (ferpa), financial data, financial transactions (pci), medical records. it can vary depending upon what your school does, the services it offers. it's probably easiest to start with what regulations apply to you and go from there.

> I definitely have a better understanding from the point of what controls I have to implant (firewalls, IDS, incident response teams, etc.).

controls aren't always technical. got anyone collecting paper records? those count too. are they controlled? are they disposed of properly?

> The stage where I am is assets evaluation according to some information security standards and after that I would continue with risk assessment. Has anyone conducted any of these assessments? What risks in terms of information security do the educational organizations face?

pretty much the same as anyone. if you lose control of a large amount of regulated data (say social security numbers + contact information) you are liable for some pretty heavy financial repercussions. if you lose control of something that you've classified internally as sensitive (say a budget proposal) the risk is harder to quantify. most of the time you ask a) what fines would we have to pay, b) what sort of lawsuits would result, c) what's the impact to our public image when deciding how to approach a risk (combine that with how likely the risk is and how much it will cost to mitigate, sort and then go lobby for funding the top-N).

as an aside, posting from an ostensibly anonymous account is, imo, bad form.

> Thank you reflect.