Educause Security Discussion mailing list archives

Re: Presenting Enterprise Risk Register to the board?


From: Dan Jones <Dan.Jones () COLORADO EDU>
Date: Tue, 16 Apr 2019 20:38:25 +0000

We have been using the FFIEC Cybersecurity Assessment<https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017_Inherent_Risk_Profile.pdf> tool to discuss a new security baseline (and more specifically the related spreadsheet/automated assessment tool from FSSCC<https://www.fsscc.org/>). The initial discussions, after working up through leadership, focused on explaining our inherent risk profile and the rationale for our target maturity levels. I felt it more productive to have a discussion along the lines of “here is our level of inherent risk, based on our inherent risk we have these options for maturity targets, and here is why we believe these targets are appropriate.” It has helped direct the conversation from “are we secure” to “how secure should we be.”

We did need to modify the inherent risk profile to better reflect higher education and research institutions. Other than that we’ve not needed to make substantial changes. If anyone wants to see more details send me a note and I’ll send a generic sample.

--
Dan Jones
Associate Vice Chancellor for Integrity, Safety, and Compliance
University of Colorado Boulder
Chief Information Security Officer
University of Colorado
t. 303.735.6637


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Schwartz, John" 
<jschwartz () WPI EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, April 16, 2019 at 1:52 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Presenting Enterprise Risk Register to the board?

Hi

Depending on the Board members and what they are used to, I tend to have better luck with heat maps and quadrants.


John Schwartz
Chief Information Security Officer (CISO)
Worcester Polytechnic Institute
100 Industrial Road
Worcester, MA 01609
e-mail: jschwartz () wpi edu

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Brian Kelly 
<bkelly () EDUCAUSE EDU>
Sent: Tuesday, April 16, 2019 3:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Presenting Enterprise Risk Register to the board?



Good afternoon,

We have a member interested in presentation strategies for presenting an Enterprise Risk Register to the board.

What has worked well for others? Presenting dashboards, heat maps, quadrants, etc.?

Let me know your thoughts and experiences.

Thanks in advance,

Brian

Brian Kelly
Director, Cybersecurity Program
EDUCAUSE
Uncommon Thinking for the Common Good

Follow HEISC on LinkedIn<https://www.linkedin.com/showcase/higher-education-information-security-council-heisc-/> | Twitter: @HEISCouncil | bkelly () educause edu<mailto:bkelly () educause edu>
direct: 720.406.6757 | educause.edu<http://www.educause.edu/>
1150 18th Street, NW, Suite 900 Washington, DC 20036