Deck 8: Risk Management: Identifying and Assessing Risk

1
Mike and Iris were flying home from the meeting. The audit committee's reaction had not been what they expected.
"I'm glad they understood the situation," Mike said. "I'd like you to start revising our risk management documentation to make it a little more general. It sounds like the board will want to take our approach company-wide soon."
Iris nodded and pulled out her notepad to make a to-do list.
What will Iris have on her to-do list?
Ms. I's to-do list will contain the following items to be incorporated for effectiveness:
• Evaluation of the risk controls.
• Determination of cost effectiveness of control options.
• Installation of the proper controls.
• Overseeing the controls.
• Identification of the risks.
• Assessment of the risks.
• Summarization of the findings.
2
If an organization has three information assets to evaluate for risk management purposes, as shown in the accompanying data, which vulnerability should be evaluated for additional controls first? Which vulnerability should be evaluated last?
Switch L47 connects a network to the Internet. It has two vulnerabilities: (1) susceptibility to hardware failure, with a likelihood of 0.2, and (2) susceptibility to an SNMP buffer overflow attack, with a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. There is a 75 percent certainty of the assumptions and data.
Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has Web server software that is vulnerable to attack via invalid Unicode values. The likelihood of such an attack is estimated at 0.1. The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of the vulnerability by 75 percent. There is an 80 percent certainty of the assumptions and data.
Operators use the MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset, which has an impact rating of 5. There is a 90 percent certainty of the assumptions and data.
A vulnerability is recognised as a specific way in which threat agents can attack an information asset. It can also be explained as a particular fault or weakness in an information asset, its security procedures, its design or even its management that can be exploited, inadvertently or on purpose, to violate security. The vulnerabilities that would be evaluated first and last are listed and discussed below:
• In this case, the second vulnerability will be evaluated first. The reason is that the vulnerability indicates a type of fault in the control of an information asset. The second vulnerability has a control in place that will help reduce the impact of the vulnerability by around 75%. Along with this, there is also an 80% certainty of the assumptions and data.
• In this case, the third vulnerability would be evaluated last. The reason is that there are no controls in place on the particular asset and the impact rating is just 5%.
3
What is risk management?
Risk management refers to the mitigation of risk. It inspects and maintains a record of the assets belonging to a firm. The management of the firm bears the responsibility for recognizing, keeping a record of, and alleviating the risks that threaten the firm.
In present times, information security has the predominant role in carrying out the functions of risk management.
4
Mike and Iris were flying home from the meeting. The audit committee's reaction had not been what they expected.
"I'm glad they understood the situation," Mike said. "I'd like you to start revising our risk management documentation to make it a little more general. It sounds like the board will want to take our approach company-wide soon."
Iris nodded and pulled out her notepad to make a to-do list.
What resources can Iris call on to assist her?
5
Using the Web, search for at least three tools to automate risk assessment. Collect information on automated risk assessment tools. What do they cost? What features do they provide? What are the advantages and disadvantages of each one?
6
List and describe the key areas of concern for risk management.
7
Using the list of threats to InfoSec presented in this chapter, identify and describe three instances of each that were not mentioned in the chapter.
8
Why is identification of risks, through a listing of assets and their vulnerabilities, so important to the risk management process?
9
Using the data classification scheme presented in this chapter, identify and classify the information contained in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information is confidential, sensitive but unclassified, or suitable for public release?
10
According to Sun Tzu, what two things must be achieved to secure information assets successfully?
11
Using the asset valuation method presented in this chapter, conduct a preliminary risk assessment on the information contained in your home. Answer each of the valuation questions listed in the section of this chapter titled "Identify and Prioritize Threats and Threat Agents." What would it cost if you lost all your data?
12
Who is responsible for risk management in an organization?
13
Using the Internet, locate the National Association of Corporate Directors' Web site. Describe its function and purpose. What does this association say about board member liability for InfoSec issues?
14
Which community of interest usually takes the lead in information asset risk management?
15
Which community of interest usually provides the resources used when undertaking information asset risk management?
16
In risk management strategies, why must periodic reviews be a part of the process?
17
Why do networking components need more examination from an InfoSec perspective than from a systems development perspective?
18
What value would an automated asset inventory system have for the risk identification process?
19
Which information attributes are seldom or never applied to software elements?
20
Which information attribute is often of great value for networking equipment when Dynamic Host Configuration Protocol (DHCP) is not used?
21
When you document procedures, why is it useful to know where the electronic versions are stored?
22
Which is more important to the information asset classification scheme: that it be comprehensive or that it be mutually exclusive?
23
What is the difference between an asset's ability to generate revenue and its ability to generate profit?
24
How many categories should a data classification scheme include? Why?
25
How many threat categories are listed in this chapter? Which is noted as being the most frequently encountered, and why?
26
What are vulnerabilities?
27
Describe the TVA worksheet. What is it used for?
28
Examine the simplest risk formula presented in this chapter. What are its primary elements?