Creating a Risk-Based Security Strategy
This month EDUCAUSE released their 2018 Top 10 IT Issues in Higher Ed. It comes as no surprise that once again Information Security topped the list for the third year running. This year EDUCAUSE phrased the #1 IT issue as “Developing a risk-based security strategy that keeps pace with security threats and challenges.”
That leads us to ask what is a risk-based security strategy and where does a campus start in creating one? Well for starters the authors at EDUCAUSE suggest that campuses “Pick a framework to follow (e.g., the CIS Controls or the NIST Cybersecurity Framework to set a baseline for where you are and to plan for how to improve within the chosen framework.” Assessing risk is critical for both demonstration of required compliance standards (e.g., FERPA, GLBA 314.4(b)) as well as to document institution wide risk over time and thus provide a roadmap to safeguarding risks and maturing campus security posture.
With the EDUCAUSE Security Professional Conference (SPC) only a few weeks away, we at SaltyCloud have decided to take the next few weeks to focus our blog on development of a Risk-based security strategy in Higher Ed. More specifically we will focus on the Role of Risk Assessments within a Risk-based security strategy with the intended goal to drive discussion around several areas pertinent to Higher Ed. Topics will include: Getting Started with an It Risk Assessment in Higher Ed, What Frameworks to Use, How Risk Assessment Fits into a Broader Risk Management Plan and How to Use the Output of a Risk Assessment.
Give us your comments, tell us what you want to hear about, and be sure to check back or subscribe for new posts.
Regulations can help direct our efforts to where work might need to be done, but risk assessments give us advance notice of exactly where those gaps might be. Using a variety of applicable regulatory frameworks, anyone can shore up their compliance through the use of questionnaire-based risk assessments.