Educause Security Discussion mailing list archives
Re: Scoring Security Controls in an RFP
From: "Jones, Dan" <Dan.Jones () UMASSMED EDU>
Date: Thu, 18 Mar 2010 16:32:09 -0400
Has anyone :-)

Here is an "Application Insecurity Index" spreadsheet. It takes a number of elements into consideration and differentiates *Inherent Risk* from *Incurred Risk*. This is intended to generate a high-level order-of-magnitude score in order to prioritize other activities.

SANS also offers some guidance on helping to infuse security governance with technology-based procurements.

Best,
Dan Jones
ISO
UMass Medical School

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Grisham
Sent: Thursday, March 18, 2010 1:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Scoring Security Controls in an RFP

Healthcare has traditionally not purchased applications and systems based on their security controls. I'm working on changing that here. Has anyone set up a scoring criteria on security controls for an RFP that they would be willing to share?

Cheers --grish

David D. Grisham, Ph.D., CISM, CHSP
Manager, IT Security, UNM Hospitals, IT Division
Suite 3131
933 Bradbury Drive, SE
Albuquerque, New Mexico 87106
Ph: (505) 272-5657
Department FAX 272-7143, Desk Fax 272-9927
Work email: dgrisham () salud unm edu
Adjunct Faculty, Computer Science, UNM
Academic & personal email: dave () unm edu

The unauthorized disclosure or interception of e-mail is a federal crime. See 18 U.S.C. Sec. 2517(4). This e-mail is intended only for the use of those to whom it is addressed and may contain information which is privileged, confidential and exempt from disclosure under the law. If you have received this e-mail in error, do not distribute or copy it. Delete it immediately and attachments, if any, and notify me by telephone. Please do not forward or disseminate the information in this written document.

Attachment: ApplicationInsecurityIndex.xls