Home Project Overview About the Project Executive Summary Conference Handouts & Slides Press Releases For Superintendents & Policy Makers For Technology Leaders Security Updates & Articles Online Security for Students Share Your Story Free Newsletter Contact Us Join CoSN Blogs and Podcast
Navigation Bar
Keep In Touch

Just fill out the form below, and we'll contact you whenever new information, case studies and best practices are posted to the site!








Please send me more information about becoming a CoSN Member

 
For Technology Leaders
 

The Planning Process

Security Planning Protocol Phase 2:
Risk Analysis

Flowchart Version of Phase 2

Now it is time to get specific. Following a streamlined version of the OCTAVE ® process, the security team will first estimate the negative impact to the district when IT-related assets are corrupted, disclosed, or taken out of service. Using impact to the district as a prioritizing dimension, the team will select the most important assets and review their vulnerabilities.

IT assets can be destroyed or misused for a huge number of reasons. Factors to scrutinize include physical and environmental hazards, policy and procedure controls, system configuration and maintenance, and accidental or intentional actions by staff, students, or outsiders. Again the focus of the security team sharpens, identifying the most significant vulnerabilities as well as the most immediate threats.

With a clear sense of what could go wrong and why the critical assets must be protected, the security team turns to stress testing, whether carried out in house or by outside experts. The testing process must address the potential vulnerabilities, whether a weakness in policy, a misconfigured firewall, or a seldom-locked door .

Phase 2 comes to a close like a cliffhanger before the commercial: the security team members know they have zeroed in on the most critical IT assets, they know what could happen if things go wrong… and now they know just what will go wrong if new security measures are not taken. This list of security gaps, when prioritized, forms the second major deliverable, the Risk Assessment Report, which sets the agenda for remediation.

Flowchart Version of Phase 2

>>Next Phase: Risk Reduction

 

2-A. What’s At Risk—and how much?

Purpose: To inventory IT assets and rank them in terms of importance to organizational goals.

Immediate outcome : From a list of all IT assets, prioritize those assets most critical to the organizational mission.

The OCTAVE ® risk impact model, when described in locally-relevant terms, provides efficient decision-making on threats and vulnerabilities

By focusing the IT inventory to the most critical assets, the security team will ensure that the more time-intensive steps that follow will be completed.

2-B. Assess Vulnerabilities & Threats

Purpose: To inventory and prioritize vulnerabilities and threats

Immediate outcome : To establish Risk Priorities that will guide the agenda for Security Stress Testing

Risk is determined by both vulnerabilities and threats, so the security team must evaluate which “threat actors” (sources) and “security holes” (opportunities) should be subjected to stress-testing. Priorities are set by impact (consequence) to the organization as a result of compromised IT-based assets.

2-C. Security Stress Tests

Purpose: To identify security gaps

Immediate outcome : To verify the relative effectiveness of security measures in minimizing risks enumerated in the previous step.

Stress Test results will help shape the security plan.

 

  
A Leadership Initiative of CoSN