Educause Security Discussion mailing list archives
Re: risk asessment in edu
From: Allison Dolan <adolan () MIT EDU>
Date: Fri, 19 Jun 2009 15:10:24 -0400
While not disputing Valdis' perspective, which I think is valid, there is also reason to look at risk assessment at least at a high level before a policy. Specifically, you may want to understand what, if any, laws and regulations apply re: data protection, know whether those laws/regulations apply to your organization, and if they do, whether you have a little or a lot of that information. For example, you may want to do some risk assessment re: PCI credit card compliance, to understand how your organization uses credit cards, which would help inform a security policy. No point in having a security policy re: credit cards if you never touch the things.

......Allison Dolan (617-252-1461)

On Jun 19, 2009, at 2:12 PM, Valdis Kletnieks wrote:
> On Fri, 19 Jun 2009 12:43:43 CDT, reflect ocean said:
>
> > Why would it be correct to define the security policy before a risk assessment? Can anyone explain? My understanding is that maybe this security policy is really a strategic security policy (organizational overview) and not the security policy in itself.
>
> Let's say you did it the other way around. You do the risk assessment first. You discover "we don't do a good job of auditing paperwork and data related to XYZ". Now - is that a problem or not? If the security policy says you should care about XYZ, then it *is* a problem. However, if XYZ just doesn't matter in the greater scheme of things, it's a "Who cares? We have actual work to do" issue.
>
> Concrete example: There are 3 or 4 laser printers in a small room attached to our staff area. We don't do a very careful job of tracking who prints what, simply because it's cheaper overall to just buy supplies as needed and deal with blatant abuses if they happen. If it costs $0.05 per page, but it costs more than that to track who printed what, it's not a risk to not track it. We're low on yellow toner, mention to the person who handles it to order some more, and get on with work.
>
> On the other hand, if we were processing secure/sensitive data, then we'd have a very good reason for making sure we knew *every single page* that was printed, and who printed it, and what it was, because those could be pages labelled Top Secret and disappearing into briefcases and laptop bags.
>
> Understand now why you need the policy before the risk assessment?
Current thread:
- Re: risk asessment in edu, (continued)
- Re: risk asessment in edu jeff murphy (Jun 18)
- Re: risk asessment in edu Wes Young (Jun 18)
- Re: risk asessment in edu Valdis Kletnieks (Jun 18)
- Re: risk asessment in edu reflect ocean (Jun 18)
- Re: risk asessment in edu Wes Young (Jun 19)
- Re: risk asessment in edu Gary Flynn (Jun 19)
- Re: risk asessment in edu Karen Stopford (Jun 19)
- Re: risk asessment in edu reflect ocean (Jun 19)
- Re: risk asessment in edu Plesco, Todd (Jun 19)
- Re: risk asessment in edu Valdis Kletnieks (Jun 19)
- Re: risk asessment in edu Allison Dolan (Jun 19)
- Re: risk asessment in edu Valdis Kletnieks (Jun 19)