[unisog] Risk analysis

Leigh Vincent l.vincent at ballarat.edu.au
Tue Feb 21 03:18:20 GMT 2006

I'd just like to add my thoughts on this. I have just spent 2 years working
on Business Continuity Plans etc., which involves performing a Risk

The risk analysis that I did involved our "hands on" techs and managers
brainstorming over what threats our IT services could possibly face.
From this we looked at existing controls, likelihood of the risk
actually occurring, and impact, which then, by applying a mathematical
calculation, came out with an overall risk factor.

From this we established that a terrorist attack was our number one risk,
mainly because there are no existing controls.  The next few were
things like service packs, patch updates, portable devices, ignorance,
etc. We actually have a list of 21 possible risks.

This data is then used in conjunction with a Business Impact Analysis
(BIA) to feed into the Business Continuity Plan.

Lots of work.


Leigh Vincent
Information Security Officer
Information Services
University of Ballarat
PO Box 663

Ph.: 03-5327 9386
Mobile: 0439 357 203 
l.vincent at ballarat.edu.au

>>> micheal.cottingham at sv.vccs.edu 02/16/06 8:29 am >>>
I'm working on a paper to present to my boss, and am curious if
has done any risk analysis or has any thoughts on it. I have Insider
Threat in front of me right now (great book so far) and he uses the
equation: Risk = (threat x vulnerabilities x probability x impact) /
countermeasures where countermeasures is: accept the risk, reduce the
risk, transfer the risk. What I'm looking for is if anybody has given
this much thought. For example, are different values placed on
as opposed to faculty? Perhaps you split faculty and staff in to
different categories and drill down more. Or do you lump them all
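As an added illustration of the two scoring approaches discussed above (Leigh's likelihood/impact/existing-controls factor, and the book's risk-over-countermeasures equation with its accept/reduce/transfer treatments), here is a small risk-register script. It is example code written for this page, not anything either poster used; the ordinal scales, the control-reduction factors, the accept/transfer thresholds and the four sample risks are all constructed assumptions, chosen only to show how "no existing controls" keeps a rare event near the top of the ranking and how a what-if change to controls moves it.

```python
"""Toy risk register: score, rank and assign a treatment to each risk.

All scales and thresholds below are constructed for this example; a real
register would use the organisation's own agreed scales.
"""
from dataclasses import dataclass, replace

# Ordinal scales (assumption: 1..5, as in many qualitative risk matrices).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Existing controls scale the inherent score down; "none" leaves it untouched.
# (Assumption: these multipliers are illustrative, not from either poster.)
CONTROL_FACTOR = {"none": 1.0, "weak": 0.75, "adequate": 0.5, "strong": 0.25}

# Treatment thresholds (assumption): low residual -> accept; rare-but-severe
# -> transfer (insurance / contract); everything else -> reduce.
ACCEPT_BELOW = 4.0
TRANSFER_MAX_LIKELIHOOD = 2
TRANSFER_MIN_IMPACT = 4


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str   # key into LIKELIHOOD
    impact: str       # key into IMPACT
    controls: str     # key into CONTROL_FACTOR


def inherent_score(r: Risk) -> float:
    """Likelihood x impact before any existing controls are credited."""
    return float(LIKELIHOOD[r.likelihood] * IMPACT[r.impact])


def residual_score(r: Risk) -> float:
    """Inherent score reduced by the strength of existing controls."""
    return inherent_score(r) * CONTROL_FACTOR[r.controls]


def treatment(r: Risk) -> str:
    """Pick accept / transfer / reduce from the residual score and its shape."""
    score = residual_score(r)
    if score < ACCEPT_BELOW:
        return "accept"
    if (LIKELIHOOD[r.likelihood] <= TRANSFER_MAX_LIKELIHOOD
            and IMPACT[r.impact] >= TRANSFER_MIN_IMPACT):
        return "transfer"
    return "reduce"


def rank(register: list[Risk]) -> list[Risk]:
    """Highest residual score first; ties broken alphabetically for stability."""
    return sorted(register, key=lambda r: (-residual_score(r), r.name))


def what_if(register: list[Risk], name: str, controls: str) -> list[Risk]:
    """Re-rank the register after changing one risk's control rating."""
    updated = [replace(r, controls=controls) if r.name == name else r
               for r in register]
    return rank(updated)


# Constructed sample register, loosely echoing the categories named in the
# thread; ratings are invented for the example.
REGISTER = [
    Risk("Terrorist attack", "rare", "catastrophic", "none"),
    Risk("Missing service packs", "likely", "moderate", "strong"),
    Risk("Lost or stolen portable device", "possible", "major", "adequate"),
    Risk("Staff ignorance of policy", "almost certain", "minor", "weak"),
]


def summary(register: list[Risk]) -> list[tuple[str, float, str]]:
    """(name, residual score, treatment) for each risk, highest score first."""
    return [(r.name, residual_score(r), treatment(r)) for r in rank(register)]


if __name__ == "__main__":
    for name, score, action in summary(REGISTER):
        print(f"{score:5.2f}  {action:8s}  {name}")
    print("--- if the terrorist-attack risk had adequate controls ---")
    for r in what_if(REGISTER, "Terrorist attack", "adequate"):
        print(f"{residual_score(r):5.2f}  {r.name}")
```

With these made-up ratings the rare, uncontrolled event scores 5.0 and sits third of four, ahead of a common, well-controlled patching risk; crediting it with "adequate" controls halves its score and drops it to the bottom. The point is only that the ranking is as much a function of the chosen control multipliers as of the threat itself, so the scales deserve agreement before the brainstorm, not after.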


unisog mailing list
unisog at lists.sans.org 