Educause Security Discussion mailing list archives

Re: Application Risk Assessment/Questionnaire??


From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Mon, 15 Nov 2010 21:08:46 -0700

Dear Connie,

First of all, I fully understand the desire to keep things simple, particularly when there is a need to get others to 
collaborate/cooperate.  Having said that, I am not aware of a simple, generic checklist that could identify, much less 
address, security concerns.  What I used at a number of large complexes was a simplified process that went something 
like this:


1. Work with departments to inventory the software that they use, what they use it for, who uses it, the lead or 
point of contact, and the type of information that is entered, stored or accessed by the software.  This was done at a 
fairly high level to give security a better understanding of “what is out there”.

2. Use the inventory to begin a dialogue to better assess and quantify the departments' risks – targeted 
checklists can be developed at this point.

3. Determine what the departments should be doing and enlist key members of each department to help assess the 
risks.


One thing that proved helpful was to have the inventories and results stored in a system accessible from the 
departments.  The system was then used to keep the inventory reasonably up to date and facilitate scheduled 
assessments.  Over the course of several years, this approach greatly improved our ability to monitor and assess 
software and systems that were in use, and to develop more targeted and deeper controls in cases where use, laws, risks 
and other requirements made it necessary.


Hope this helps,


Ozzie Paez

SSE/SAIC

303-332-5363
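One way to back the inventory-and-scheduled-assessment approach described above with code, as an added example that is not from the original post or any product the poster used. The record fields follow item 1 of the process; the sensitivity weights, tiering rule, annual interval and sample inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Data-type sensitivity weights: constructed example values, not from the post.
SENSITIVITY = {"public": 0, "internal": 1, "pii": 2, "phi": 3}


@dataclass
class AppRecord:
    name: str            # software in use
    purpose: str         # what the department uses it for
    users: int           # how many people use it
    contact: str         # department lead / point of contact
    data_type: str       # type of information entered, stored or accessed
    last_assessed: date  # most recent completed assessment


def risk_tier(rec: AppRecord) -> str:
    """Coarse tier from data sensitivity plus user population; it decides how
    deep the targeted checklist for this application needs to go."""
    score = SENSITIVITY[rec.data_type] + (1 if rec.users > 50 else 0)
    return "high" if score >= 3 else "medium" if score == 2 else "low"


def due_for_assessment(inventory, today: date, interval=timedelta(days=365)):
    """Names of applications whose last assessment is at least `interval` old
    (annual by default), highest risk tier first, then by name."""
    due = [r for r in inventory if today - r.last_assessed >= interval]
    order = {"high": 0, "medium": 1, "low": 2}
    due.sort(key=lambda r: (order[risk_tier(r)], r.name))
    return [r.name for r in due]


# Constructed sample inventory and review date (hypothetical records).
INVENTORY = [
    AppRecord("Scheduler", "clinic appointments", 120, "j.doe", "phi", date(2009, 10, 1)),
    AppRecord("Wiki", "team notes", 15, "a.lee", "internal", date(2010, 6, 1)),
    AppRecord("Survey tool", "alumni surveys", 60, "m.kim", "pii", date(2009, 11, 1)),
    AppRecord("Events page", "public calendar", 5, "r.ng", "public", date(2009, 1, 1)),
]
ASSESSMENT_DATE = date(2010, 11, 15)

if __name__ == "__main__":
    for name in due_for_assessment(INVENTORY, ASSESSMENT_DATE):
        print(name)
```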


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Connie Sadler
Sent: Monday, November 15, 2010 5:26 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Application Risk Assessment/Questionnaire??



Does anyone have a simple application assessment/checklist for security that they would be willing to share? I'm 
interested in having every department application/business owner perform an annual assessment of the basic things they 
should be doing - without getting too complex.

Thanks!

-- 
Connie
Stanford Medical Center
