Fun From FAIR Training
Sorry for the slow week. We had two sets of training that went (we thought) really, really well.
One of the things we do is ask learners to bring in scenarios that they want to run through FAIR. FAIR is notoriously applicable, and so we often get some fun analysis. Here’s a sample of what we did:
- Risk of an OS X virus to the average OS X-using SMB owner (hint: think “low”)
- Sending PII unencrypted via spreadsheets to 3rd-party vendors (SS#s to payroll services).
- Removing the firewall in front of web apps (How Jericho of us!).
- Losing a laptop (Poop happens).
- 1099s VPN in and try to access core assets they don’t have privileges for.
- Does it make sense for me to buy a whole-house generator for power outages?
Also, I made a graphic for your enjoyment that explains why I believe that certain risk management approaches are really just “issue” management:



Jack Dec 12
We also analyzed:
* The risk associated with losing sensitive medical information on thumb drives
* The risk associated with using 40-bit encryption (vs. 128-bit) for on-line credit card transactions
* The risk associated with speeding in a school zone
Jack
Jack F Dec 12
I especially liked the speeding analysis… I was able to apply it immediately by knowing how fast to drive home.
Alex Dec 13
@Jack F:
http://apnews.myway.com/article/20081213/D951FQH80.html
See?! Evidence!!!