Educause Security Discussion mailing list archives
Re: Presenting Enterprise Risk Register to the board?
From: Dan Jones <Dan.Jones () COLORADO EDU>
Date: Tue, 16 Apr 2019 20:38:25 +0000
We have been using the FFIEC Cybersecurity Assessment<https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017_Inherent_Risk_Profile.pdf> tool to discuss a new security baseline (and more specifically the related spreadsheet/automated assessment tool from FSSCC<https://www.fsscc.org/>).

The initial discussions, after working up through leadership, focused on explaining our inherent risk profile and the rationale for our target maturity levels. I felt it more productive to have a discussion along the lines of “here is our level of inherent risk, based on our inherent risk we have these options for maturity targets, and here is why we believe these targets are appropriate.” It has helped direct the conversation from “are we secure” to “how secure should we be.”

We did need to modify the inherent risk profile to better reflect higher education and research institutions. Other than that we’ve not needed to make substantial changes. If anyone wants to see more details, send me a note and I’ll send a generic sample.

--
Dan Jones
Associate Vice Chancellor for Integrity, Safety, and Compliance
University of Colorado Boulder
Chief Information Security Officer
University of Colorado
t. 303.735.6637

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Schwartz, John" <jschwartz () WPI EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, April 16, 2019 at 1:52 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Presenting Enterprise Risk Register to the board?

Hi,

Depending on the Board members and what they are used to, I tend to have better luck with Heat Maps and Quadrant.

John Schwartz
Chief Information Security Officer (CISO)
Worcester Polytechnic Institute
100 Industrial Road
Worcester, MA. 01609
e-mail: jschwartz () wpi edu

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Brian Kelly <bkelly () EDUCAUSE EDU>
Sent: Tuesday, April 16, 2019 3:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Presenting Enterprise Risk Register to the board?

Good afternoon,

We have a member interested in presentation strategies for Presenting Enterprise Risk Register to the board. What has worked well for others? Presenting Dashboards, Heat maps, Quadrants, etc.

Let me know your thoughts and experiences.

Thanks in advance,
Brian

Brian Kelly
Director, Cybersecurity Program
EDUCAUSE
Uncommon Thinking for the Common Good
Follow HEISC on LinkedIn<https://www.linkedin.com/showcase/higher-education-information-security-council-heisc-/> | Twitter: @HEISCouncil | bkelly () educause edu
direct: 720.406.6757 | educause.edu<http://www.educause.edu/>
1150 18th Street, NW, Suite 900
Washington, DC 20036
Current thread:
- Presenting Enterprise Risk Register to the board? Brian Kelly (Apr 16)
- Re: Presenting Enterprise Risk Register to the board? Schwartz, John (Apr 16)
- <Possible follow-ups>
- Re: Presenting Enterprise Risk Register to the board? Dan Jones (Apr 16)