Wyman Miles, Cornell-
Technology risk assessments – a lot of sound and fury, but we don’t find problems and we slow down implementation and governance. They’re currently doing 120 assessments per quarter with 4 security engineers.
Between cyber-liability insurance and contracts, and our portrayal as risks what are really just vendor stances, what do we really need to do?
Indiana jumping in feet first with HECVAT – Box one is done, hosted by REN-ISAC.
Notre Dame discovered a product that was coded by two guys in Russia and discarded it from consideration as a result of a security review.
Maybe we should only do real reviews where we know that sensitive data will be in play?
Frequently we find issues with products that are already in use, with or without central governance knowing about it.
“Most risks we discover are really our petty issues with implementations”
Stanford – need to get out in front of what people are actually using, and then spend time facilitating proper use. Use network flow analysis, purchase records.