[unisog] Risk analysis

Allen Mundt at Work allenatwork at sbcglobal.net
Wed Feb 15 22:49:45 GMT 2006


We have done one recently to implement our Security Program in general and 
for HIPAA.  I work at a County government, and 'lurk' on this list, as I 
find some of the postings rather interesting, and we do have some 
library/education related departments in our County.  The real challenge is 
to determine the end-game of the Risk Analysis.  In many cases it can be used 
to prioritize, create a basis for resources, etc.  Quite honestly, we wound 
up doing a Qualitative, rather than a Quantitative.  We did create a 
spreadsheet of values for the various risks we felt were pertinent, here in 
the upper Midwest.  We used some of the NIST materials, and made heavy use 
of Peltier's book "Information Security Risk Analysis".  If interested 
contact me directly, and I can share a few more details.

Allen

******************************************************************************************************************************
Allen Mundt

"It is not the style of clothes one wears, neither the kind of automobile 
one drives,
    nor the amount of money one has in the bank, that counts. These mean 
nothing.
       It is simply service that measures success."
           --  George Washington Carver
******************************************************************************************************************************
----- Original Message ----- 
From: "Micheal Cottingham" <micheal.cottingham at sv.vccs.edu>
To: "UNIversity Security Operations Group" <unisog at lists.sans.org>
Sent: Wednesday, February 15, 2006 3:29 PM
Subject: [unisog] Risk analysis


> I'm working on a paper to present to my boss, and am curious if anybody
> has done any risk analysis or has any thoughts on it. I have Insider
> Threat in front of me right now (great book so far) and he uses the
> equation: Risk = (threat x vulnerabilities x probability x impact) /
> countermeasures where countermeasures is: accept the risk, reduce the
> risk, transfer the risk. What I'm looking for is if anybody has given
> this much thought. For example, are different values placed on students
> as opposed to faculty? Perhaps you split faculty and staff into
> different categories and drill down more. Or do you lump them all 
> together?
>
> Micheal
>
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog 
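As an added example (not code from this thread, nor from the book cited), the following Python register applies the quoted formula on 1..5 ordinal scales, the qualitative style the reply describes, and splits populations into categories the way the question asks; the treatment divisors, band thresholds and sample rows are all assumed.

```python
# Added example: a small qualitative risk register applying
# Risk = (threat x vulnerability x probability x impact) / countermeasures
# on 1..5 ordinal scales, then ranking rows for prioritization.
from dataclasses import dataclass

# Divisor models how much the chosen treatment (accept / reduce / transfer)
# lowers the exposure. These weights are assumed, not from the thread.
TREATMENT_DIVISOR = {"accept": 1.0, "reduce": 2.5, "transfer": 4.0}


@dataclass
class RiskItem:
    asset: str          # population/asset category, e.g. students, faculty, staff
    threat: str
    threat_level: int   # 1 (low) .. 5 (high)
    vulnerability: int
    probability: int
    impact: int
    treatment: str      # key into TREATMENT_DIVISOR


def risk_score(item: RiskItem) -> float:
    """Numerator is the product of the four ordinal factors; divisor is the treatment."""
    for v in (item.threat_level, item.vulnerability, item.probability, item.impact):
        if not 1 <= v <= 5:
            raise ValueError("ordinal values must be in 1..5")
    raw = item.threat_level * item.vulnerability * item.probability * item.impact
    return raw / TREATMENT_DIVISOR[item.treatment]


def rank_register(items):
    """Highest residual risk first, so the top rows drive resource requests."""
    return sorted(items, key=risk_score, reverse=True)


def qualitative_band(score: float) -> str:
    # Bands over the 1..625 raw range; thresholds are assumed and site-specific.
    if score >= 200:
        return "high"
    if score >= 50:
        return "medium"
    return "low"


# Constructed sample rows, one per population category.
SAMPLE = [
    RiskItem("student records", "credential theft", 4, 3, 4, 4, "reduce"),
    RiskItem("faculty research data", "laptop loss", 3, 4, 3, 5, "transfer"),
    RiskItem("staff HR records", "insider misuse", 3, 3, 2, 5, "accept"),
]

if __name__ == "__main__":
    for item in rank_register(SAMPLE):
        s = risk_score(item)
        print(f"{item.asset:24} {item.threat:18} {s:6.1f} {qualitative_band(s)}")
```

Note that the accepted staff risk ranks above the reduced student risk despite a lower raw product, which is the point of keeping the treatment in the calculation.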
