...
Developing an effective risk management program is important in building an information security program. Risk management activities should take into account people, business processes (information handling), and technology.

Evaluate and select risk management methods:
- ISO/IEC 27005:2011 provides guidance in establishing a risk management program, and describes how to implement each phase of risk management (identification, assessment, treatment, monitoring and review)
- NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission and Information System View, describes the fundamentals and the process of completing risk assessments
- NIST Special Publication 800-30 Revision 1 is a Guide for Conducting Risk Assessments
- ISO/IEC 27002:2013 is an international standard that assists organizations with evaluating information security controls and performing risk treatment activities
- NIST Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework, offers guidance in evaluating controls and applying risk treatment methods
- The HEISC Risk Management Framework is closely aligned with the guidance provided in the NIST publications cited above
- ISO/IEC 27005:2011, used in combination with the above framework, provides a complementary and comprehensive approach to identifying, assessing, and treating risks
Perform a high-level risk assessment:
- Identify risks associated with information handling/business processes and begin educating the stakeholder community about information security risk management and what is involved in the various stages (risk identification, assessment, treatment, monitoring and review)
- Visit each major stakeholder (senior staff, administrative department heads, etc.) and discuss/evaluate:
3. Develop a ranking system to help you sort and prioritize their responses

Evaluate risks and vulnerabilities associated with ‘technology and people’:
- Identify IT-managed equipment/assets (use vulnerability scanning tools to conduct discovery scans and/or pull the information from an asset register)
- Run vulnerability scans on those assets (servers, network equipment, PCI network devices, for example)
- Verify where confidential information resides (use a Data Loss Prevention (DLP) tool to scan IT-managed workstations and network directories, or try to identify this in general at stakeholder meetings) (See the HEISC Confidential Data Handling Blueprint for additional suggestions.)
- Have staff and faculty completed security awareness training that emphasizes data protection? (See the Cybersecurity Awareness Resource Library for suggestions.)
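As an added example (not part of the HEISC page or its framework), one way to implement the ranking step above in Python: a small risk register that scores each stakeholder-reported risk by likelihood times impact, sorts it for prioritization, and labels the result with its snapshot date, since each assessment is a point-in-time view. The 1-5 ordinal scales, the field names and the sample responses are assumptions constructed for the example.

```python
"""Rank stakeholder-reported risks for a high-level assessment (illustrative only)."""
from dataclasses import dataclass
from datetime import date

# Ordinal scales are an assumption for this example, not from the HEISC framework.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    description: str
    stakeholder: str
    likelihood: str
    impact: str
    confidential_data: bool  # does the affected process handle confidential information?

    def score(self) -> int:
        """Likelihood x impact; an unknown rating is rejected rather than silently scored 0."""
        try:
            return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]
        except KeyError as exc:
            raise ValueError(f"unknown rating {exc} for risk {self.description!r}") from exc


def rank_risks(risks, snapshot=None):
    """Return (snapshot ISO date, [(score, risk), ...]) with the highest score first.
    Risks touching confidential data win ties, so they surface first in the
    follow-up review of where confidential information resides."""
    snapshot = snapshot or date.today().isoformat()
    ordered = sorted(risks, key=lambda r: (r.score(), r.confidential_data), reverse=True)
    return snapshot, [(r.score(), r) for r in ordered]


# Constructed sample responses from stakeholder meetings (not real data).
SAMPLE = [
    Risk("Unencrypted grade exports emailed to advisors", "Registrar", "likely", "major", True),
    Risk("Shared admin password on lab file server", "Engineering", "possible", "moderate", False),
    Risk("Spreadsheet of donor SSNs on department share", "Advancement", "possible", "severe", True),
    Risk("Stale accounts for departed staff", "HR", "almost certain", "minor", False),
]

if __name__ == "__main__":
    snap, ranked = rank_risks(SAMPLE, "2024-01-15")
    print(f"Risk snapshot as of {snap}")
    for score, r in ranked:
        print(f"{score:>3}  {r.stakeholder:<12} {r.description}")
```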
Expand the information security risk management program:
- Adopt specific methodologies described in the standards and guidelines listed in #1 above
- Complete a formal information security risk assessment across the university
- Take a phased or incremental approach if the institution is large or has decentralized IT operations
- Outsource risk assessments to third-party service providers if you do not have the resources to perform them
- Reevaluate risks and vulnerabilities on a recurring basis, as each risk assessment is a ‘snapshot’ at a point in time
- Explore the use of GRC solutions that can assist with developing a formal risk management system
- See the HEISC GRC FAQ for an overview of GRC solutions
- Review the following resources for additional recommendations:

Risk management is the foundation of every good information security program. There are many approaches that an institution can take to identify risks that impact people, business processes (information handling), and technology. Prioritize identified risks and implement information security policies, controls, and compliance initiatives to assist with making information security program improvements.
...
Objective: Develop a plan that identifies the controls necessary to reduce, retain, avoid, or transfer identified risks.

There are several ways to develop an effective risk treatment plan. One way is to follow the Risk Management Framework Phase 3, Mitigation Planning, which begins with the following two steps:
...
- Cyber insurance is one way to reduce risks. However, if interested in this coverage, ask about the terms and conditions and review them carefully for potential exclusions. Most cyber insurance policies will not pay benefits if the insurance company determines that information affected during a data breach incident was not encrypted at rest. Additionally, insurers will scrutinize the protection applied to the IT infrastructure where the information was stored to assess levels of protection, and can deny the claim if they consider it inadequate or not meeting their standards. This coverage can be very expensive and conducting extensive research is warranted. Also take a look at the EDUCAUSE Cyber Insurance portal resource page and this informative article from the Wall Street Journal.
- Developing processes similar to The Standard for Personal Digital Identity Levels of Assurance can potentially assist with risk mitigation (see Identity Assurance at Virginia Tech).
...
Campus Case Studies On This Page
- Identity Assurance at Virginia Tech

EDUCAUSE Resources
- IT Risk Management: Try This Exercise at Your Institution, an example of using the EDUCAUSE Top Ten IT Issues as a guide to inform risk management practices (from Educause Review Online)
- Practical Approaches to Effective Risk Management, presentation at the EDUCAUSE Annual Conference, 2011
- Proactive Compliance through Information Systems Risk Management, presentation at the MidAtlantic Regional Conference, 2011
- Cyber Insurance portal resource page for EDUCAUSE publications, presentations and other resources on this topic
- Taking Risk Assessment from Project to Process: A Novel Approach, presentation at the Security Professionals Conference, 2010
- Risk Management Framework for an adaptable approach to risk management oriented toward higher education
- Security Risk Assessment and Analysis portal resource page for EDUCAUSE publications, presentations and other risk assessment and analysis resources
- Risk Management portal resource page for EDUCAUSE publications, presentations and other resources on this topic
- Information Security Program Self-Assessment Tool, intended to help a CIO or CISO evaluate and track the maturity of an information security program
- Privacy Risk Assessment portal for EDUCAUSE publications, presentations and other resources on this topic
- Foundations for Effective Security Risk and Program Assessment, EDUCAUSE Security Professionals Conference, 2010
- GRC FAQ: Frequently Asked Questions about Governance, Risk, and Compliance (GRC) Systems, 2012

Initiatives, Collaborations, & Other Resources
...