Security Risk Assessment and Analysis

This ECAR research bulletin discusses the trend to use a variety of risk assessment frameworks and standards to create an information security program that is sufficiently comprehensive for colleges and universities. These standards include the Control Objectives for Information and related Technology (CobiT) IT control framework, the Information Technology Infrastructure Library (ITIL) service management framework, and the set of information control objectives now commonly referred to as ISO 27001. In specific, the process of implementing this framework at Georgia State University (GSU) is discussed. In addition, the bulletin provides a rationale for an information security governance framework that enables executives to see the degree to which their information security programs are effective in assessing and mitigating risks, protecting confidential data, aligning goals with institutional academic and business objectives, and continuously improving over time.

In this session, we will address the current cybersecurity issues that are challenging higher education leaders today as they try to stay on top of the risks associated with attacks on information systems from internal and external sources. Emerging enterprise risk management (ERM) methodologies will be examined as a source of guidance for creating an effective risk-based approach for managing current and future threats.

The University of Florida is implementing a risk assessment process using Achilles, an internally developed web application and specialized survey tool intended to facilitate the interview phase of a risk assessment. While Achilles does not provide a mitigation strategy, several views of responses help establish the risk profile.

In 2005, the University of Notre Dame suffered a serious incident that brought information security into the campus spotlight. In response, we partnered with a Big Four consulting firm to conduct a comprehensive IT risk assessment. Two years later, we're halfway through a four-year risk management program.

The Dartmouth Cyber-Security Initiative is an ongoing collaboration between faculty, staff, and students focused on projects aimed at improving the security of the College's information systems. By coordinating research interests with practical concerns, the initiative has resulted in a number of innovative procedures and tools. One such tool is Achilles. Integrated with popular assessment tools such as Nessus and NMAP, Achilles is an easy to use, enterprise-scale analysis console that allows institutions to rank, manage, and track assessment results for thousands of systems.

Learn how Weill Cornell Medical College employs a nontraditional risk management methodology to accurately measure risk, build compelling and successful budget requests, and graphically illustrate trends understandable to technical and nontechnical stakeholders. Attendees will receive Excel tools they can use to manage their own risk assessments in this way.

A level of assurance (LoA) refers to the degree of certainty that (1) a resource owner can assume a specific known physical person is associated with credentials issued by a registration authority, and (2) that physical person presented credentials before attempting to access the resource. The requirements for the level of certainty at both ends of that set of transactions should be driven by a risk assessment based on the value of the resources being protected. This session will describe the concept of LoA, outline its general components, and discuss how PKI can fit into a successful implementation of LoA.