INSY4900 Ch08

Risk management is the process of discovering and assessing risks to an organization and determining how to control or mitigate those risks. According to Sun Tzu, an organization must know itself and know its enemies in order to adequately secure information system assets. An organization is responsible for risk management and an automated asset inventory system would help with the risk identification process.

Review

1. What is risk management?
Risk management is the process of discovering and assessing the risks to an
organization's operations and determining how those risks can be controlled or
mitigated.

4. According to Sun Tzu, what two things must be achieved to adequately
secure information system assets successfully?
To reduce risk in an organization, the organization must know itself and know its
enemy.

5. Who is responsible for risk management in an organization?


10. What value would an automated asset inventory system have for the risk
identification process?
11. Which information attributes are seldom or never applied to software
elements?
12. Which information attribute is often of great value for networking equipment when
DHCP is not used?
14. Which is more important to the information asset classification scheme, that it be
comprehensive or that it be mutually exclusive?
16. How many categories should a data classification scheme include? Why?
18. What are vulnerabilities?

Exercises
1. If an organization has three information assets to evaluate for risk management as
shown in the accompanying data, which vulnerability should be evaluated for
additional controls first? Which one should be evaluated last?
Asset A:
Switch L47 connects a network to the Internet. It has two vulnerabilities. It is susceptible
to hardware failure at a likelihood of 0.2 and is subject to an SNMP buffer overflow
attack at a likelihood of 0.1. The switch has an impact rating of 90 and no current controls
in place. You are 75% certain of the assumptions and data.
Asset B:
Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has a
Web server version that can be attacked by sending it invalid Unicode values. The
likelihood of that attack is estimated at 0.1. The server has been assigned an impact value
of 100, and a control has been implemented that reduces the impact of the vulnerability by
75%. You are 80% certain of the assumptions and data.
Asset C:
Operators use an MGMT45 control console to monitor operations in the server room. It
has no passwords and is susceptible to unlogged misuse by the operators. Estimates show
the likelihood of misuse is 0.1. There are no controls in place on this asset; it has an
impact rating of 5. You are 90% certain of the assumptions and data.

Closing Case:
1. What will Iris have on her to-do list?
Plan and organize processes, create system component categories, develop inventory of
assets, identify threats, specify vulnerable assets, assign value or impact rating to assets,
assess likelihood for vulnerabilities, calculate relative risk factor for assets, preliminary
review of possible controls, and document findings.
2. What resources can Iris call on to assist her?
The management and users could be resourceful. There are also a lot of Web sites
available with information to help organize, categorize, and prioritize all the assets.
