Cooperative approach:
Risk management can't be done by one person or by the HEI's higher-level management alone
June 11th, 2015 Information Security Risk Management in HEIs: From Processes to Operationalization 3
Overview
Motivation
Risk management in HEIs – an analyst's perspective
Gap between reading about risk management and doing it
Next steps
SANS Analyst survey (June 2014): "Higher education: Open and secure?"
46% of organisations don't encrypt PII in transit
Security teams are understaffed and under budget
https://www.sans.org/reading-room/whitepapers/analyst/higher-education-open-secure-35240
Decentral organisation, but cooperative
(Diagram: business processes; HEI's CRM; faculty RM (team / IO); technicians; service administrators)
Decentral information flows, but also cooperative
(Diagram: HEI's CRM; faculty RM (team / IO); service administrators)
Continuous risk management process
Higher-level management: define your risk appetite
RM team: establish the RM context
Administrators: identify threats; assess likelihood & impact; record implemented safeguards; remediation
Where do I start and what do I do in there?
Desired benefits
How we created the risk management template
Sources: interviews with the LRZ security team, interviews with LRZ administrators, existing LRZ security concepts
Standards/frameworks: ISO/IEC 27005, BSI IT baseline protection
Literature: scientific papers, various web sources
Template content overview
Document's structure:
Metadata / introduction
Risk acceptance
Risk management context
Threat identification + risk assessment
Remediation / measures
Metadata and introduction
Metadata: author and version information; storage location; last modification / update until
Introduction: objectives (HEI's overall risk level vs. staff's perspective); cooperative risk management process; how to complete
HEI's risk appetite / acceptance
HEI's risk management context
Systems' / assets' prioritization
From: SANS Analyst Survey "Higher Education: Open and secure" (June 2014)
Technicians' risk management context
Threat identification
Next steps
Conclusion