DocumentCode
2545409
Title
Information Security Risk Assessment and Pointed Reporting: Scalable Approach
Author
Bhilare, D.S. ; Ramani, A.K. ; Tanwani, Sanjay
Author_Institution
Sch. of Comput. Sci., Devi Ahilya Univ., Indore
Volume
1
fYear
2009
fDate
22-24 Jan. 2009
Firstpage
365
Lastpage
370
Abstract
Network managers of higher educational institutes are well aware of general information security issues related to campus networks. There are well-developed security metrics giving an exhaustive list of security controls required to mitigate different risks. Accordingly, various security measures and technologies are being deployed. However, at present, not enough attention is being paid to measuring the effectiveness of these controls and the overall state of security in the institution. In this study, an attempt is made to build a metric-based assessment and reporting plan specific to the needs of an academic environment. The proposed assessment metric facilitates iterative implementation by prioritizing each metric. Secondly, to reduce response time, a novel approach of pointed reporting is suggested, where responsibilities are distributed across the institution based on relevant roles. In this approach, security exceptions are reported directly to the predefined roles responsible for that particular security control. This pointed reporting delivers the message to the right person in minimum time, resulting in improved response time. The proposed assessment metric and pointed reporting structure will improve overall security governance, as security measures and practices can be assessed systematically and remedial actions can be taken in less time, which is crucial for effective security governance.
Keywords
educational institutions; risk management; security of data; academic environment; campus network; information security; metric based assessment; pointed reporting; reporting plan; risk assessment; security control; security exception; security governance; security measures; security metrics; Collaborative software; Computer network management; Computer science; Delay; Electronic mail; Hardware; Information security; Microprogramming; Risk management; Time measurement; distributed defense; information security; iterative implementation; pointed reporting; security assessment;
fLanguage
English
Publisher
ieee
Conference_Titel
Computer Engineering and Technology, 2009. ICCET '09. International Conference on
Conference_Location
Singapore
Print_ISBN
978-1-4244-3334-6
Type
conf
DOI
10.1109/ICCET.2009.218
Filename
4769490