LP 5 Assignment Chapter 5 Review Questions


Questions

1. What is risk management? Why is the identification of risks and vulnerabilities to assets so important in risk management? Risk management is the process of identifying vulnerabilities in an organization’s information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all components in the organization’s information system. To protect assets, which are defined here as information and the systems that use, store, and transmit information, you must understand what they are, how they add value to the organization, and to which vulnerabilities they are susceptible. Once you know what you have, you can identify what you are already doing to protect it. Just because you have a control in place to protect an asset does not mean that the asset is protected. Frequently, organizations implement control mechanisms, but then neglect the necessary periodic review, revision, and maintenance. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they are still effective.

2. According to Sun Tzu, what two key understandings must you achieve to be successful in battle? The Chinese general Sun Tzu Wu observed, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” In short, know yourself and know the enemy.

3. Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management? In an organization, it is the responsibility of each community of interest to manage the risks that the organization encounters. Each community of interest has a role to play. Since the members of the information security community best understand the threats and attacks that introduce risk into the organization, they often take a leadership role in addressing risk.

4. In risk management strategies, why must periodic review be part of the process? Frequently, organizations implement control mechanisms, but then neglect the necessary periodic review, revision, and maintenance. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they are still effective.

5. Why do networking components need more examination from an information security perspective than from a systems development perspective? When analyzing a network from a systems development perspective, you only have to concentrate on getting the network up and running. From an information security standpoint, you have to carefully examine each component of a network to secure its integrity, identify its vulnerabilities, assess the likelihood of an incident, perform a cost-benefit analysis, and so on.

6. What value does an automated asset inventory system have during risk identification? An automated asset inventory system can categorize the different assets of a network. In addition to this categorization, an automated asset inventory system can identify the sensitivity and security priority of each of these assets, making it easier to plan out security for a network.

7. What information attribute is often of great value for local networks that use static addressing? In networks that use static addressing, the IP address is very useful for identifying hardware assets, since with static addressing it does not change. However, in networks that use DHCP to assign the IP address, the addresses are seldom the same from one session to the next. For those networks that use dynamic addressing, the MAC address is more useful.
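As an added illustration of the point in question 7 (example code, not part of the assignment), the function below reconciles two inventory snapshots of the same hosts. The snapshots are constructed sample data for a DHCP network; keying on the IP address reports phantom missing and new assets, while keying on the MAC address matches every host.

```python
# Added example: which attribute identifies a hardware asset across
# inventory sessions depends on the network's addressing scheme.

def reconcile(previous, current, key):
    """Match asset records from two inventory sessions on the given key.

    Returns (matched, missing, new): key values seen in both sessions,
    values only in the previous session, and values only in the current one.
    """
    prev_keys = {rec[key] for rec in previous}
    curr_keys = {rec[key] for rec in current}
    return (sorted(prev_keys & curr_keys),
            sorted(prev_keys - curr_keys),
            sorted(curr_keys - prev_keys))

# Constructed snapshots of a DHCP network: the same three hosts, but the
# leases were handed out differently in the second session, so two hosts
# swapped addresses and one received an address not seen before.
SESSION_1 = [
    {"name": "ws-01", "mac": "00:11:22:33:44:01", "ip": "10.0.0.10"},
    {"name": "ws-02", "mac": "00:11:22:33:44:02", "ip": "10.0.0.11"},
    {"name": "ws-03", "mac": "00:11:22:33:44:03", "ip": "10.0.0.12"},
]
SESSION_2 = [
    {"name": "ws-01", "mac": "00:11:22:33:44:01", "ip": "10.0.0.12"},
    {"name": "ws-02", "mac": "00:11:22:33:44:02", "ip": "10.0.0.10"},
    {"name": "ws-03", "mac": "00:11:22:33:44:03", "ip": "10.0.0.13"},
]

def compare_keys():
    """Reconcile the two sessions by IP and by MAC and return both results."""
    by_ip = reconcile(SESSION_1, SESSION_2, "ip")    # 2 matched, 1 "missing", 1 "new"
    by_mac = reconcile(SESSION_1, SESSION_2, "mac")  # 3 matched, nothing missing or new
    return by_ip, by_mac

if __name__ == "__main__":
    by_ip, by_mac = compare_keys()
    print("keyed by IP :", by_ip)
    print("keyed by MAC:", by_mac)
```

On a statically addressed network the two keys would agree, which is why the IP address is a good identifier there and the MAC address is the better choice under DHCP.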

8. When devising a classification scheme for systems components, is it more important that the asset identification list be comprehensive or mutually exclusive? “It is also important that the categories be both comprehensive and mutually exclusive.” That is what the textbook says. What the textbook does not seem to say (or, at least, I can’t find where it does say) is whether the categories’ being comprehensive or their being mutually exclusive is more important. Therefore, I will give my own opinion, for what it’s worth. Of the two, I believe that being mutually exclusive is more important. While it is necessary that the system components all be classified and accounted for, if the list is not mutually exclusive, some assets will be listed two or more times, increasing the magnitude and complexity of the task. If the list is first set up to be mutually exclusive, adding an overlooked asset is a reasonably simple task. Identifying and eliminating redundantly listed assets is far more difficult.
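The two properties discussed in question 8 can be checked mechanically. The example below is added here and is not from the textbook or the assignment; the inventory and category names are constructed sample data. It reports the assets that make a scheme non-comprehensive (unclassified) and those that make it non-mutually-exclusive (listed in more than one category).

```python
# Added example: check an asset classification scheme for the two properties
# the textbook requires, comprehensiveness and mutual exclusivity.

def check_classification(inventory, categories):
    """Check a classification scheme against the full asset inventory.

    inventory:  set of asset identifiers that must all be classified.
    categories: dict mapping a category name to the set of assets in it.
    Returns (unclassified, duplicated):
      unclassified - sorted assets that appear in no category
                     (the scheme is not comprehensive);
      duplicated   - dict of asset -> sorted category names for assets that
                     appear in more than one category
                     (the scheme is not mutually exclusive).
    """
    seen = {}
    for category, members in categories.items():
        for asset in members:
            seen.setdefault(asset, []).append(category)
    unclassified = sorted(inventory - seen.keys())
    duplicated = {asset: sorted(cats) for asset, cats in seen.items()
                  if len(cats) > 1}
    return unclassified, duplicated

# Constructed sample: a catch-all "hardware" category overlaps two specific
# ones, and a printer was overlooked entirely.
INVENTORY = {"fw-01", "db-01", "ws-01", "printer-01"}
CATEGORIES = {
    "network devices": {"fw-01"},
    "servers": {"db-01"},
    "workstations": {"ws-01"},
    "hardware": {"fw-01", "db-01"},
}

def check_sample():
    """Run the check on the constructed sample and return its findings."""
    return check_classification(INVENTORY, CATEGORIES)

if __name__ == "__main__":
    unclassified, duplicated = check_sample()
    print("not comprehensive, unclassified assets:", unclassified)
    print("not mutually exclusive, duplicated assets:", duplicated)
```

Fixing the first finding is one line (add the printer to a category); fixing the second requires deciding, for each duplicated asset, which category it belongs in, which is the asymmetry the answer above argues from.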

9. What’s the difference between an asset’s ability to generate revenue and its ability to generate profit? They both depend on a particular asset; however, some services may generate large revenue but operate on such thin or nonexistent margins that they do not generate a profit.

10. What are vulnerabilities? How do you identify them? A vulnerability is a loophole in a system that a hacker can get through. You can identify vulnerabilities by running different tests and using different software or programs.

11. What is competitive disadvantage? Why has it emerged as a factor? A competitive disadvantage occurs when a company falls behind the competition in its ability to maintain the highly responsive services required in today’s marketplace.

This is a factor because almost all organizations have IT systems in this day and age. Therefore, organizations need to obtain or improve their IT systems to avoid falling behind all the others.

12. What five strategies for controlling risk are described in this chapter?

1. Defend - The defend control strategy attempts to reduce the impact caused by the exploitation of the vulnerability.

2. Transfer - The transfer control strategy attempts to shift risk to other assets, other processes, or other organizations.

3. Mitigate - The mitigate control strategy attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.

4. Accept - The accept control strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.

5. Terminate - The terminate control strategy directs the organization to avoid those business activities that introduce uncontrollable risks.

13. Describe the defense strategy for controlling risk. List and describe the three common methods.

1. Application of policy.

2. Education and training.

3. Application of technology.

14. Describe the transfer strategy for controlling risk. Describe how outsourcing can be used for this purpose.

15. Describe the mitigation strategy for controlling risk. What three planning approaches are discussed in the text as opportunities to mitigate risk?


16. How is an incident response plan different from a disaster recovery plan?

17. What is risk appetite? Explain why it varies among organizations.

18. What is a cost-benefit analysis?

19. What is single loss expectancy? What is annualized loss expectancy?

20. What is residual risk?