The EDUCAUSE/Internet2 Security Task Force risk assessment and management framework provides high-level guidance for an effective cyber-risk assessment and management process at institutions of higher education. It is a model process that can be adapted, as needed, by any institution regardless of size, funding model, or culture.
Background and overview:
In virtually every aspect of education, research, and administration there is an increased reliance on digital information and the technologies that support it. With this comes an increasing level of responsibility to protect these information assets from accidental or malicious exposure or damage. In light of current and pending federal and state legislation, it is imperative for universities to recognize that information risk management must be part of their strategic and continuity planning.
Risk management is the ongoing process of identifying these risks and implementing plans to address them. Risk is determined by considering the likelihood that a known threat will exploit a vulnerability in a valuable asset and the impact if that exploit succeeds.
Often, the number of assets potentially at risk exceeds the resources available to manage them. It is therefore extremely important to know where to apply available resources to mitigate risk in an efficient and cost-effective manner. It is also important to balance security with usability.
Risk assessment is the part of the ongoing risk management process that assigns relative priorities for mitigation plans and implementation. It is a large part of the overall risk management process; many of the steps described in this framework focus on the assessment process. Risk decisions are made all the time, sometimes without deep consideration, and may even be based on intuition. A formalized risk management process can uncover risks that were not anticipated, resolve funding conflicts, and help enhance executive buy-in to security improvements.
Using the Framework:
The scope of a risk assessment may vary. For instance, assessments may be conducted as part of the planning and purchasing process for significant projects or systems. They may also be conducted in response to IT security incidents, to help ensure those incidents do not recur, or on a regular, periodic basis to assure ongoing compliance and up-to-date security measures.
Index
- Phase 0: Strategic Risk Assessment Planning (a one-time process)
  - Process 2: Apply Classification Criteria to Rank Data Assets and Related IT Resources
  - Process 3: Identify Threats, Vulnerabilities and Controls that will be Evaluated
  - Process 4: Establish Criteria that will be used to Evaluate Threats, Vulnerabilities and Controls
- Phase 1: Operational Data Collection
  - Process 1: Strategic Perspective - Senior Management
  - Process 2: Operational Perspective: Infrastructure - Technical
  - Process 3: Operational Perspective: Applications - General Staff
  - Process 4: Technical Perspective - Technical Evaluation
- Phase 2: Risk Analysis
  - Process 1: Review Documentation and Technical Data
  - Process 2: Consolidate and Prioritize Perspectives
- Phase 3: Mitigation Planning
  - Process 1: Agree on a Strategy to Mitigate Risks
  - Process 2: Document and Implement Mitigation
  - Process 3: Evaluate Mitigation Progress and Plan Next Assessment