Educause Security Discussion mailing list archives

Re: risk assessment in edu


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 19 Jun 2009 14:12:24 -0400

On Fri, 19 Jun 2009 12:43:43 CDT, reflect ocean said:

> Why would it be correct to define the security policy before a risk
> assessment? Can anyone explain? My understanding is that maybe this
> security policy is really a strategic security policy (organizational
> overview) and not the security policy in itself.

Let's say you did it the other way around. You do the risk assessment first.

You discover "we don't do a good job of auditing paperwork and data related
to XYZ".

Now - is that a problem or not?  If the security policy says you should care
about XYZ, then it *is* a problem.  However, if XYZ just doesn't matter in the
greater scheme of things, it's a "Who cares? We have actual work to do" issue.

Concrete example:  There are 3 or 4 laser printers in a small room attached to
our staff area.  We don't do a very careful job of tracking who prints what,
simply because it's cheaper overall to just buy supplies as needed and deal
with blatant abuses if they happen.  If it costs $0.05 per page, but it costs
more than that to track who printed what, it's not a risk to not track it.
We're low on yellow toner, mention to the person who handles it to order some
more, and get on with work.

On the other hand, if we were processing secure/sensitive data, then we'd have
a very good reason for making sure we knew *every single page* that was printed,
and who printed it, and what it was, because those could be pages labelled
Top Secret and disappearing into briefcases and laptop bags.

Understand now why you need the policy before the risk assessment?
