Security Consulting and Assessment
Securing workstations, servers, and other devices in a University atmosphere can be a challenge. The KU network is constantly being probed for vulnerabilities. In addition, new security requirements in grant environments and federal regulations such as HIPAA, FERPA and GLBA have required much more stringent security guidelines. Please contact ITSO at 864-8080 or firstname.lastname@example.org to learn how we can assist your department in developing, planning and designing security protocols for your environment.
The IT Security Office offers security consulting to help University customers understand and comply with best practices. Most importantly, we help protect your data and systems.
The Security Office staff will arrange time to discuss strategies and/or methods for securing your environment and reducing your exposure to the outside world. This may include working with third-party vendors for application security.
Risk management is the ongoing process of identifying risks—whether accidental or malicious—to information assets and implementing plans to address and mitigate those risks. Often, however, the number of assets potentially at risk outweighs the resources available to manage them. It is therefore extremely important to know where to apply available resources to mitigate risk in a cost-effective and efficient manner. Risk assessment is the part of the ongoing risk management process that assigns relative priorities for mitigation plans and implementation.
There are many points to consider in the design, implementation, and goals of a Risk Assessment Methodology.
- Risk assessment should be thought of as an ongoing process, not as a one-time project. The process is described as a set of steps that are continually repeated. At the outset, however, there is a startup process that usually is not repeated.
- Conducting a university-wide information risk assessment is a process that will require strong commitment from upper administration and collaboration between cross-functional units. Assessing information risks is a management issue, not a technology issue; therefore, to be most effective, the process should be considered the responsibility of all members of management.
- In light of current and pending federal and state legislation, it is imperative for universities to recognize that information risk management must be part of their strategic planning.
- Due to the complexities of a university environment, a university-wide information risk assessment requires planning and, more importantly, a strategy that systematically increases the scope of the information risk assessment until it encompasses all university areas.
- An effective university information risk assessment needs to become a part of the culture of the university community, involving not only IT staff but also all staff, administrators, faculty, and students. Education and awareness efforts should be aimed at all of these constituencies.
- Effective risk management practices require a "risk aware" culture: universities need to expand their information security training and awareness programs to emphasize the importance of adopting risk management principles.
- A sound risk management program can serve as the basis for prioritizing and resolving possible funding conflicts.
The IT Security Office uses a risk assessment methodology called the OCTAVE method.