[unisog] Risk analysis

Leigh Vincent l.vincent at ballarat.edu.au
Tue Feb 21 04:16:49 GMT 2006

Fair comment.  And yes, all those things you indicated are included, but
not in our top few, as we have, like you, redundancy built in that drops
the overall risk factor due to good existing controls.

>>> vanepp at sfu.ca 02/21/06 3:01 pm >>>
On Tue, Feb 21, 2006 at 02:18:20PM +1100, Leigh Vincent wrote:
> I'd just like to add my thoughts on this. I have just spent 2 years
> on Business Continuity Plans etc., which involves performing a Risk
> analysis.
> The risk analysis that I did involved our "hands on" techs and
> brainstorming over what threats our IT services could possibly face.
> 
> From this we looked at Existing Controls, Likelihood of the risk
> actually occurring, and the impact, which then, by applying a mathematical
> calculation, came out with an overall risk factor.
> From this we established that a terrorist attack was our number one,
> mainly because there are no existing controls.  The next few were
> things like service packs, patch updates, portable devices,
> etc etc etc. We actually have a list of 21 possible risks.

	My first reaction to this is that you appear to have (but may not in
practice) missed the most likely ones. That would be ones like
fire/flood/earthquake wiping out your data center, one or more staff with
irreplaceable knowledge getting hit by a bus, quitting or otherwise
unavailable (maybe unlike us you don't have anyone in that category), or
Backhoe Bill excavating your fibre so you are up just fine but can't talk
to anyone including your users for a longish period (this is going to look
exactly like you are down to your users).
	When I worked for an airline that had fully redundant everything
(including a cooling tower and dual paths to different city water feeds),
Backhoe Bill managed to take out a main water trunk above both of our
water feeds, taking out both of them, and something like a fire alarm
dumped the cooling tower, causing down time (and great excitement all
around). One of the three mainframes was air cooled (the other two needed
water and had to shut down) and blocks of dry ice and fans kept
reservations rolling in on the air cooled mainframe (airco needed the
water too ...).
	The smallish ones that do local damage are more likely to cause
grief than a major one like a terrorist attack. People understand down
time in a terrorist attack; they don't understand (or at least don't
forgive easily) down time due to something "minor" like a fire in your
data center when "everyone else is up".

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
unisog mailing list
unisog at lists.sans.org 
