[unisog] Risk analysis

Brad Judy judy at colorado.edu
Wed Feb 15 23:46:23 GMT 2006

This area is largely my new focus and I have been doing a good amount of
reading and writing on the topic of late.  I recommend that you take a look
at some of the very good freely available documents on risk analysis and
management out there.  In particular, the NIST special publications, OCTAVE,
U Virginia's site, Educause, Microsoft's paper on the topic, Burton Group,
etc.  You'll see that there is general agreement on the concepts around risk
analysis and management.  

We are in the process of creating a number of system-wide policies related
to IT security that cover some areas that you should start with to perform
consistent risk analysis.  Some key items include consistent definitions and
classification for data sensitivity, system criticality and vulnerability
magnitude.  These will give you baseline, common definitions for some of the
items you mentioned like impact.  Once you have a common definition, you can
start with asset inventories that will identify sensitive data and critical
systems (knowing that they exist and where they are is the first step).
Having departments establish disaster recovery/business continuity plans
will lay out some mitigating factors for risk (and are an important business
practice anyway).  Hopefully you have, or can establish, some minimum
security standards as well.   

I think most folks on this list who have dealt with various breaches can
attest to the fact that the basics will take you a long way to reducing

While what I'm working on is simply based on the publicly available items I
have mentioned, and builds on our own policies, I intend to keep it as
portable as possible for sharing with the community.  As I mentioned, there
are items from other schools and Educause already out there for reference. 

BTW: Your greatest internal 'threat' isn't malicious at all, it's ignorance,
lack of resources and lack of forethought. 

If there is interest, I can pull up the URLs for the docs I mentioned, but I
imagine most of you are rather skilled with Google.  :)

Brad Judy

Information Technology Services
University of Colorado at Boulder

-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of Micheal Cottingham
Sent: Wednesday, February 15, 2006 2:29 PM
To: UNIversity Security Operations Group
Subject: [unisog] Risk analysis

I'm working on a paper to present to my boss, and am curious if anybody has
done any risk analysis or has any thoughts on it. I have Insider Threat in
front of me right now (great book so far) and he uses the
equation: Risk = (threat x vulnerabilities x probability x impact) /
countermeasures where countermeasures is: accept the risk, reduce the risk,
transfer the risk. What I'm looking for is if anybody has given this much
thought. For example, are different values placed on students as opposed to
faculty? Perhaps you split faculty and staff into different categories and
drill down more. Or do you lump them all together?
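The quoted formula carried through over a small asset inventory, as an added example that is not from the book or from either poster. The 1-5 scoring scales, the data-sensitivity and system-criticality classes used to derive impact, and the mapping of accept/reduce/transfer onto numeric divisors are my assumptions, since the equation itself does not say how a categorical countermeasure divides a number.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed ordinal scales standing in for the common sensitivity/criticality definitions.
DATA_SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "restricted": 5}
SYSTEM_CRITICALITY = {"low": 1, "moderate": 3, "high": 5}
# Assumed divisors so the "/ countermeasures" term can be evaluated numerically:
# accept leaves the risk unchanged; reduce and transfer lower the residual.
COUNTERMEASURE_DIVISOR = {"accept": 1.0, "reduce": 2.5, "transfer": 2.0}

@dataclass
class Asset:
    name: str
    population: str      # who it serves: students, faculty or staff
    sensitivity: str     # key into DATA_SENSITIVITY
    criticality: str     # key into SYSTEM_CRITICALITY
    threat: int          # 1-5
    vulnerability: int   # 1-5, vulnerability magnitude
    probability: int     # 1-5
    countermeasure: str  # accept | reduce | transfer

def impact(asset):
    # Impact is the worse of the two classifications: losing either one hurts.
    return max(DATA_SENSITIVITY[asset.sensitivity], SYSTEM_CRITICALITY[asset.criticality])

def risk_score(asset):
    # Risk = (threat x vulnerability x probability x impact) / countermeasures
    for score in (asset.threat, asset.vulnerability, asset.probability):
        if not 1 <= score <= 5:
            raise ValueError(f"{asset.name}: scores must be on the 1-5 scale")
    numerator = asset.threat * asset.vulnerability * asset.probability * impact(asset)
    return numerator / COUNTERMEASURE_DIVISOR[asset.countermeasure]

def rank_assets(assets):
    # Highest residual risk first: the order to work a remediation list in.
    return sorted(assets, key=risk_score, reverse=True)

def risk_by_population(assets):
    # Per-population totals, for the students-vs-faculty-vs-staff question.
    totals = defaultdict(float)
    for asset in assets:
        totals[asset.population] += risk_score(asset)
    return dict(totals)

# Constructed sample inventory; names and scores are illustrative only.
SAMPLE_INVENTORY = [
    Asset("registrar database", "staff", "restricted", "high", 3, 4, 2, "reduce"),
    Asset("faculty web server", "faculty", "internal", "moderate", 4, 3, 3, "accept"),
    Asset("student lab image", "students", "public", "low", 5, 5, 4, "accept"),
    Asset("department file share", "staff", "confidential", "moderate", 2, 3, 3, "transfer"),
]
```

Note that the accepted, low-sensitivity lab image outranks the restricted registrar database once the latter's countermeasure is applied, which is the kind of result that makes the scales and divisors worth agreeing on before anyone compares numbers.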

