Educause Security Discussion mailing list archives
Re: risk assessment in edu
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 19 Jun 2009 14:12:24 -0400
On Fri, 19 Jun 2009 12:43:43 CDT, reflect ocean said:
> Why would it be correct to define the security policy before a risk assessment? Can anyone explain? My understanding is that maybe this security policy is really a strategic security policy (organizational overview) and not the security policy in itself.
Let's say you did it the other way around. You do the risk assessment first. You discover "we don't do a good job of auditing paperwork and data related to XYZ". Now - is that a problem or not? If the security policy says you should care about XYZ, then it *is* a problem. However, if XYZ just doesn't matter in the greater scheme of things, it's a "Who cares? We have actual work to do" issue.

Concrete example: There are 3 or 4 laser printers in a small room attached to our staff area. We don't do a very careful job of tracking who prints what, simply because it's cheaper overall to just buy supplies as needed and deal with blatant abuses if they happen. If it costs $0.05 per page, but it costs more than that to track who printed what, it's not a risk to not track it. We're low on yellow toner, mention to the person who handles it to order some more, and get on with work.

On the other hand, if we were processing secure/sensitive data, then we'd have a very good reason for making sure we knew *every single page* that was printed, and who printed it, and what it was, because those could be pages labelled Top Secret and disappearing into briefcases and laptop bags.

Understand now why you need the policy before the risk assessment?