Tutorial 4 SD3043 Tutors' Answers

Tutorial and Lab 4 – SD3043
Risk management - security
1. What is risk management?
Answer: Risk management is the process of discovering and assessing the risks to an
organization's operations and determining how those risks can be controlled or mitigated.
2. List and describe the key areas of concern for risk management.
Answer: Risk identification, risk assessment, and risk control.
3. Which community of interest usually provides the resources used when
undertaking information asset risk management?
Answer: The resources used when undertaking information asset risk management are usually
provided by all three communities: Information Security, Information Technology and
General Management.
4. In risk management strategies, why must periodic review be a part of the
process?
Answer: Periodic reviews must be a part of the risk management strategies because threats are
constantly changing for a company. Also once any specific vulnerability is completely
managed by an existing control it no longer needs to be considered for additional controls.
5. Why do networking components need more examination from an information
security perspective than from a systems development perspective?
Answer: Networking components need more examination from an information security
perspective than from a systems development perspective because networking subsystems are
often the focal point of attacks against the system.
6. What value would an automated asset inventory system have for the risk
identification process?
Answer: An automated asset inventory system would be valuable to the risk identification
process because all hardware components are already identified – models, make and locations
– thus management can review for the most critical items and assess the values.
7. How many categories should a data classification scheme include? Why?
Answer: An organization needs as many categories as necessary to cover all of its
needs to treat different groupings of information with differing levels of care. The text uses four
categories as a good place to begin: Public, For official use only, Sensitive, and Classified.
8. What are vulnerabilities?
Answer: Vulnerabilities are opportunities for a threat to become a real issue or problem.
9. Describe the TVA (Threat Vulnerability Assets) worksheet. What is it used for?
Answer: A worksheet that combines a prioritized list of assets and their vulnerabilities and a
list prioritizing threats facing the organization. The resulting grid provides a convenient
method of examining the “exposure” of assets, allowing a simplistic vulnerability assessment.
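The worksheet described in this answer can be built mechanically once the two prioritized lists exist. The following is an added example (not part of the tutorial sheet or its answer key): it takes a constructed set of assets scored by value, threats ranked by priority, and recorded vulnerabilities, and produces the grid with assets across the top in descending value and threats down the side in priority order. Cells that stay empty are kept deliberately, since an empty cell may mean "no vulnerability" or "not yet examined". All names and scores are invented for the illustration.

```python
from dataclasses import dataclass


# Constructed sample data (not from the tutorial): assets with a weighted-factor
# score, threats ranked by the organization, and vulnerabilities linking the two.
@dataclass(frozen=True)
class Asset:
    name: str
    weighted_score: float   # higher = more valuable to the organization


@dataclass(frozen=True)
class Threat:
    name: str
    priority: int           # 1 = most serious threat


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    threat: str
    description: str


ASSETS = [
    Asset("Customer database server", 92.5),
    Asset("Edge router", 78.0),
    Asset("Public web server", 85.0),
    Asset("Staff laptops", 61.0),
]
THREATS = [
    Threat("Software attacks (malware)", 1),
    Threat("Human error", 3),
    Threat("Hardware failure", 4),
    Threat("Theft", 2),
]
VULNERABILITIES = [
    Vulnerability("Customer database server", "Software attacks (malware)", "unpatched DBMS"),
    Vulnerability("Public web server", "Software attacks (malware)", "outdated web framework"),
    Vulnerability("Edge router", "Hardware failure", "no spare unit on site"),
    Vulnerability("Staff laptops", "Theft", "disks not encrypted"),
    Vulnerability("Customer database server", "Human error", "shared admin account"),
]


def prioritized_axes(assets, threats):
    """Assets ordered by descending value; threats by ascending priority number."""
    ordered_assets = [a.name for a in sorted(assets, key=lambda a: a.weighted_score, reverse=True)]
    ordered_threats = [t.name for t in sorted(threats, key=lambda t: t.priority)]
    return ordered_assets, ordered_threats


def build_tva_worksheet(assets, threats, vulns):
    """Build the TVA grid as {(threat, asset): [vulnerability descriptions]}.

    Every cell of the grid is present, even when empty, so the reviewer can see
    which asset/threat pairs have no recorded vulnerability yet.
    """
    asset_names, threat_names = prioritized_axes(assets, threats)
    grid = {(t, a): [] for t in threat_names for a in asset_names}
    for v in vulns:
        if (v.threat, v.asset) not in grid:
            raise ValueError(f"vulnerability refers to an unknown asset or threat: {v}")
        grid[(v.threat, v.asset)].append(v.description)
    return asset_names, threat_names, grid


def exposure_list(assets, threats, vulns):
    """Flatten the non-empty cells in reading order: by threat priority, then asset value.

    This is the order in which the exposures would be carried into risk assessment."""
    asset_names, threat_names, grid = build_tva_worksheet(assets, threats, vulns)
    return [(t, a, grid[(t, a)]) for t in threat_names for a in asset_names if grid[(t, a)]]


def render(assets, threats, vulns):
    """Plain-text rendering of the grid for a quick review."""
    asset_names, threat_names, grid = build_tva_worksheet(assets, threats, vulns)
    cells = {key: ("; ".join(vs) or "-") for key, vs in grid.items()}
    width = max(len(s) for s in list(asset_names) + list(cells.values())) + 2
    label = max(len(t) for t in threat_names) + 2
    lines = [" " * label + "".join(a.ljust(width) for a in asset_names)]
    for t in threat_names:
        lines.append(t.ljust(label) + "".join(cells[(t, a)].ljust(width) for a in asset_names))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(ASSETS, THREATS, VULNERABILITIES))
    for threat, asset, found in exposure_list(ASSETS, THREATS, VULNERABILITIES):
        print(f"{threat} -> {asset}: {', '.join(found)}")
```

The grid is keyed by (threat, asset) so that the same structure can be extended with a per-cell likelihood or impact figure later without changing how it is built.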
10. What are the four risk control strategies? Describe each control strategy.
Answer: Avoidance, Transference, Mitigation, and Acceptance. (see lecture slides)
11. Describe how outsourcing can be used for risk transference.
Answer: Outsourcing can be used for risk transference when an organization chooses to hire
an ISP or a consulting organization to provide products and services for them, such as buying and
configuring servers, hiring their own webmasters, web system administrators and even
specialized security experts. This allows the organization to transfer the risk associated with
management of these complex systems to another organization that has experience in dealing
with those risks. A benefit of outsourcing is that the provider is responsible for disaster recovery
and, through service level arrangements, is responsible for guaranteeing server and website
availability.
12. What conditions must be met to ensure that risk acceptance has been used
properly?
Answer: The following conditions must be met to ensure that risk acceptance has been used
properly: the level of risk posed to the asset has been determined, the probability of attack and
the likelihood of a successful exploitation of a vulnerability has been assessed, the annual rate
of occurrence of such an attack has been approximated, the potential loss that could result
from attacks has been estimated, a thorough cost-benefit analysis has been performed, controls
using each appropriate type of feasibility have been evaluated, it has been decided that the
particular function, service, information, or asset did not justify the cost of protection.
13. What is a cost-benefit analysis?
Answer: A cost benefit analysis is an evaluation of the worth of the information assets to be
protected and the loss in value if those information assets became compromised by the
exploitation of a specific vulnerability.
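The conditions listed under question 12 (probability of attack, annual rate of occurrence, estimated loss, a cost-benefit analysis of each control, and only then a decision to accept) and the definition of cost-benefit analysis in question 13 can be carried through as one worked calculation. The example below is added here and is not from the tutorial or its answer key. It assumes the standard quantitative formulas from the risk-management literature, which this sheet does not spell out: single loss expectancy SLE = asset value x exposure factor, annualized loss expectancy ALE = SLE x ARO, and CBA = ALE(prior) - ALE(post) - ACS, where ACS is the annualized cost of the safeguard. All asset values, factors and control costs are constructed figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset / vulnerability pair, with the figures risk acceptance requires."""
    asset: str
    asset_value: float      # worth of the asset to the organization
    exposure_factor: float  # fraction of value lost in one successful exploitation (0..1)
    aro: float              # annualized rate of occurrence of a successful attack


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and what it leaves behind once in place."""
    name: str
    annual_cost: float      # annualized cost of the safeguard (ACS)
    residual_ef: float      # exposure factor remaining with the control in place
    residual_aro: float     # rate of occurrence remaining with the control in place


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor (assumed standard formula)."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value, exposure_factor, aro):
    """ALE = SLE x ARO (assumed standard formula)."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def cost_benefit(exposure: Exposure, control: Control):
    """CBA = ALE(prior) - ALE(post) - ACS; a positive value means the control pays for itself."""
    prior = annualized_loss_expectancy(exposure.asset_value, exposure.exposure_factor, exposure.aro)
    post = annualized_loss_expectancy(exposure.asset_value, control.residual_ef, control.residual_aro)
    return prior - post - control.annual_cost


def choose_strategy(exposure: Exposure, controls):
    """Decide between mitigation and acceptance for one exposure.

    Returns ("mitigate", control name, CBA) when the best control has a positive CBA,
    otherwise ("accept", None, ALE prior). Acceptance is only offered after every
    candidate control has been costed, matching the conditions in question 12.
    """
    if not controls:
        raise ValueError("evaluate at least one control before deciding to accept the risk")
    prior = annualized_loss_expectancy(exposure.asset_value, exposure.exposure_factor, exposure.aro)
    best_cba, best = max(((cost_benefit(exposure, c), c) for c in controls), key=lambda s: s[0])
    if best_cba > 0:
        return ("mitigate", best.name, best_cba)
    return ("accept", None, prior)


# Constructed sample figures (not from the tutorial).
DATABASE = Exposure("Customer database server", asset_value=500_000, exposure_factor=0.4, aro=0.5)
PATCHING = Control("Patch management program", annual_cost=30_000, residual_ef=0.4, residual_aro=0.1)
APPLIANCE = Control("Hardened database appliance", annual_cost=120_000, residual_ef=0.1, residual_aro=0.05)

BROCHURES = Exposure("Marketing brochure files", asset_value=2_000, exposure_factor=1.0, aro=1.0)
BACKUP_SERVICE = Control("Managed backup service", annual_cost=5_000, residual_ef=1.0, residual_aro=0.1)


if __name__ == "__main__":
    for exposure, controls in ((DATABASE, [PATCHING, APPLIANCE]), (BROCHURES, [BACKUP_SERVICE])):
        for c in controls:
            print(f"{exposure.asset}: {c.name}: CBA = {cost_benefit(exposure, c):,.0f}")
        print(exposure.asset, "->", choose_strategy(exposure, controls))
```

With these figures the database server's prior ALE is 100,000; patching yields a CBA of 50,000 while the appliance comes out negative, so mitigation with patching is chosen. The brochure files have an ALE of 2,000 and no control with a positive CBA, so acceptance is the recorded decision, with the ALE kept as the documented level of risk being accepted.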
14. What is the difference between benchmarking and baselining? What is the
difference between due diligence and due care?
Answer: Benchmarking is the process of comparing yourself against other companies seeking
the same results; baselining is the process of standardizing yourself against your own results.
Due diligence and due care occur when an organization adopts a certain minimum level of
security.
Independent Lab Exercises
1. Using the Web, search for at least three tools to automate risk assessment.
Collect information on automated risk assessment tools. What do they cost?
What features do they provide? What are the advantages and disadvantages of
each one?
Answer: The solution to this exercise will be unique for each student and will vary over time.
2. Read more details about the OCTAVE Method:
www.cert.org/octave/omig.html
http://www.units.muohio.edu/mcs/information_security/Octave/vol1/whatisoct.html
Write a short summary about this method.