[unisog] Risk analysis

Leigh Vincent l.vincent at ballarat.edu.au
Tue Feb 21 04:16:49 GMT 2006


Fair comment.  And yes, all those things you indicated are included, but
not in our top few, as we have, like you, redundancy built in that drops
the overall risk factor due to good existing controls.



>>> vanepp at sfu.ca 02/21/06 3:01 pm >>>
On Tue, Feb 21, 2006 at 02:18:20PM +1100, Leigh Vincent wrote:
> I'd just like to add my thoughts on this.  I have just spent 2 years
> working on Business Continuity Plans etc., which involves performing
> a risk analysis.
> 
> The risk analysis that I did involved our "hands on" techs and
> managers brainstorming over what threats our IT services could
> possibly face.
>
> From this we looked at existing controls, likelihood of the risk
> actually occurring, and the impact, which then, by applying a
> mathematical calculation, came out with an overall risk factor.
> 
> From this we established that a terrorist attack was our number one
> risk, mainly because there are no existing controls.  The next few
> were things like service packs, patch updates, portable devices,
> ignorance etc. etc. etc.  We actually have a list of 21 possible
> risks.

	My first reaction to this is that you appear to have (but may not
in practice) missed the most likely ones.  Those would be ones like
fire/flood/earthquake wiping out your data center; one or more staff
with irreplaceable knowledge getting hit by a bus, quitting or otherwise
becoming unavailable (maybe, unlike us, you don't have anyone in that
category :-)); or Backhoe Bill excavating your fibre so you are up just
fine but can't connect to anyone, including your users, for a longish
period (this is going to look exactly like you are down to your users).
	When I worked for an airline that had fully redundant everything
(including a cooling tower and dual paths to different city water
mains), Backhoe Bill managed to take out a main water trunk above both
of our city water feeds, taking out both of them, and something like a
fire alarm dumped the cooling tower, causing down time (and great
excitement all around).  One of the three mainframes was air-cooled
(the other two needed water and had to shut down), and blocks of dry
ice and fans kept reservations rolling in on the air-cooled mainframe
(the airco needed the water too ...).
	The smallish ones that do local damage are more likely to cause
you grief than a major one like a terrorist attack.  People understand
down time in a terrorist attack; they don't understand (or at least
don't forgive as easily) down time due to something "minor" like a fire
in your data center when "everyone else is up".

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
_______________________________________________
unisog mailing list
unisog at lists.sans.org 
http://www.dshield.org/mailman/listinfo/unisog