Educause Security Discussion mailing list archives
Re: risk asessment in edu
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 19 Jun 2009 15:50:09 -0400
On Fri, 19 Jun 2009 15:10:24 EDT, Allison Dolan said:
While not disputing Valdis' perspective, which I think is valid, there is also reason to look at risk assessment at least at a high level before a policy. Specifically, you may want to understand what, if any laws and regulations apply re: data protection, know whether those laws/regulation apply to your organization, and if they do, do you have a little or a lot of that information.
I'd call that phase "gathering info for defining the policy" rather than calling it "risk analysis". Yes, it's an important phase of the security policy life cycle, but it's not "risk analysis". There's a subtle difference between "What things do we have to worry about?" (which is the big question when developing the policy) and "Which of the things we *are* worrying about are we likely to get burned on?" (which is the risk analysis phase).
Attachment:
_bin
Description:
Current thread:
- Re: risk asessment in edu, (continued)
- Re: risk asessment in edu Wes Young (Jun 18)
- Re: risk asessment in edu Valdis Kletnieks (Jun 18)
- Re: risk asessment in edu reflect ocean (Jun 18)
- Re: risk asessment in edu Wes Young (Jun 19)
- Re: risk asessment in edu Gary Flynn (Jun 19)
- Re: risk asessment in edu Karen Stopford (Jun 19)
- Re: risk asessment in edu reflect ocean (Jun 19)
- Re: risk asessment in edu Plesco, Todd (Jun 19)
- Re: risk asessment in edu Valdis Kletnieks (Jun 19)
- Re: risk asessment in edu Allison Dolan (Jun 19)
- Re: risk asessment in edu Valdis Kletnieks (Jun 19)