Educause Security Discussion mailing list archives

Re: risk assessment in edu


From: Allison Dolan <adolan () MIT EDU>
Date: Fri, 19 Jun 2009 15:10:24 -0400

While not disputing Valdis' perspective, which I think is valid, there is also reason to look at risk assessment at least at a high level before a policy. Specifically, you may want to understand what, if any, laws and regulations apply re: data protection, know whether those laws/regulations apply to your organization, and if they do, whether you have a little or a lot of that information. For example, you may want to do some risk assessment re: PCI credit card compliance, to understand how your organization uses credit cards, which would help inform a security policy. No point in having a security policy re: credit cards if you never touch the things.

......Allison  Dolan (617-252-1461)



On Jun 19, 2009, at 2:12 PM, Valdis Kletnieks wrote:

On Fri, 19 Jun 2009 12:43:43 CDT, reflect ocean said:

Why would it be correct to define the security policy before a risk assessment? Can anyone explain? My understanding is that maybe this security policy is really a strategic security policy (organizational overview) and not the security policy in itself.

Let's say you did it the other way around. You do the risk assessment first.

You discover "we don't do a good job of auditing paperwork and data related to XYZ".

Now - is that a problem or not? If the security policy says you should care about XYZ, then it *is* a problem. However, if XYZ just doesn't matter in the greater scheme of things, it's a "Who cares? We have actual work to do" issue.

Concrete example: There's 3 or 4 laser printers in a small room attached to our staff area. We don't do a very careful job of tracking who prints what, simply because it's cheaper overall to just buy supplies as needed and deal with blatant abuses if they happen. If it costs $0.05 per page, but it costs more than that to track who printed what, it's not a risk to not track it. We're low on yellow toner, mention to the person who handles it to order some more, and get on with work.

On the other hand, if we were processing secure/sensitive data, then we'd have a very good reason for making sure we knew *every single page* that was printed, and who printed it, and what it was, because those could be pages labelled Top Secret and disappearing into briefcases and laptop bags.

Understand now why you need the policy before the risk assessment?
