
Luis Gutierrez CSC 116 Homework #4

1. What is risk management? Why is the identification of risks, by listing assets and their vulnerabilities, so important to the risk management process?
Risk management is the process of identifying risk, as represented by vulnerabilities, to an organization's information assets and infrastructure, and taking steps to reduce this risk to an acceptable level. Identification comes first because every later step depends on it: an asset or vulnerability that was never listed cannot be valued, assigned a likelihood, matched with a control, or costed, so the inventory of assets and their vulnerabilities is the input to all of the assessment and control work that follows.

3. Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management?
Each community of interest has a role to play in managing the risks that an organization encounters; the information security community takes the lead in information security risk management.

6. What value does an automated asset inventory system have for the risk identification process?
The inventory listing is usually held in a database, or can be exported to one, so that custom reports on security assets can be produced. Once stored, the inventory must be kept current, usually by a tool that periodically refreshes the data. When you move to the later steps of risk management, which involve calculations of loss and projections of cost, the case for automated tools that track information assets becomes stronger.

9. What is the difference between an asset's ability to generate revenue and its ability to generate profit?
Both depend on the particular asset, but they are not the same measure: a service may bring in large revenue yet operate on such thin or nonexistent margins that it generates no profit at all.

10. What are vulnerabilities? How do you identify them?
Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset. They are chinks in the armor: a flaw or weakness in an information asset, security procedure, design, or control that could be exploited, accidentally or on purpose, to breach security. They are identified by reviewing each listed asset against each threat it faces and asking how that threat could actually be realized against the asset.

12. What are the strategies for controlling risk as described in this chapter?
The chapter describes five strategies for controlling risk:
- the defend control strategy
- the transfer control strategy
- the mitigate control strategy
- the accept control strategy
- the terminate control strategy

16. How is an incident response plan different from a disaster recovery plan?
The DR plan and the IR plan overlap to a degree. In many respects the DR plan is the subsection of the IR plan that covers disastrous events, while the IR plan is also flexible enough to be useful in situations that are near disasters but still require coordinated, planned action. Some DR and IR decisions and actions are the same, but their urgency and outcomes can differ dramatically. The DR plan focuses more on preparations completed before and actions taken after the incident, whereas the IR plan focuses on intelligence gathering, information analysis, coordinated decision making, and urgent, concrete actions during it.

18. What is a cost-benefit analysis?
A cost-benefit analysis (CBA) determines whether or not a particular control is worth its cost. A CBA may be calculated before a control or safeguard is implemented, to decide whether it is worth implementing. The chapter's formula compares the annualized loss avoided with the annualized cost of the safeguard (ACS): CBA = ALE(prior) - ALE(post) - ACS. A positive result means the control avoids more loss per year than it costs.

19. What is the definition of single loss expectancy? What is annual loss expectancy?
A single loss expectancy (SLE) is the calculated value of the most likely loss from a single occurrence of an attack. It is based on the value of the asset and the exposure factor (EF), the expected percentage of the asset's value lost in that attack: SLE = asset value × EF. Annual loss expectancy, usually expressed as an annualized loss expectancy (ALE), combines the SLE with the annualized rate of occurrence (ARO), the number of times the attack is expected per year: ALE = SLE × ARO.

1. If an organization has three information assets to evaluate for risk management, as shown in the accompanying data, which vulnerability should be evaluated for additional controls first? Which one should be evaluated last?
The server WebSrv6 should be evaluated first. It has been assigned an impact value of 100, and although a control has been implemented that reduces the impact of the vulnerability by 75 percent, the residual impact of 25 on a value-100 asset is still large; you are 80 percent certain of the assumptions and data.

The MGMT45 control console should be evaluated last. There are no controls in place on this asset, but its impact rating is only 5, and you are 90 percent certain of the assumptions and data, so it carries both the least exposure and the least uncertainty of the assets listed.

3. Suppose XYZ Software Company has a new application development project, with projected revenues of $1,200,000. Using the following table, calculate the ARO and ALE for each threat category that XYZ Software Company faces for this project.

XYZ Software Company, major threat categories for new applications development. ARO is the number of occurrences per year implied by the stated frequency; ALE = SLE × ARO.

Threat category                  | Cost per incident (SLE) | Frequency of occurrence | ARO  | ALE
Programmer mistakes              | $5,000                  | 1 per week              | 52.0 | $260,000
Loss of intellectual property    | $75,000                 | 1 per year              | 1.0  | $75,000
Software piracy                  | $500                    | 1 per week              | 52.0 | $26,000
Theft of information (hacker)    | $2,500                  | 1 per quarter           | 4.0  | $10,000
Theft of information (employee)  | $5,000                  | 1 per 6 months          | 2.0  | $10,000
Web defacement                   | $500                    | 1 per month             | 12.0 | $6,000
Theft of equipment               | $5,000                  | 1 per year              | 1.0  | $5,000
Viruses, worms, Trojan horses    | $1,500                  | 1 per week              | 52.0 | $78,000
Denial-of-service attacks        | $2,500                  | 1 per quarter           | 4.0  | $10,000
Earthquake                       | $250,000                | 1 per 20 years          | 0.05 | $12,500
Flood                            | $250,000                | 1 per 10 years          | 0.1  | $25,000
Fire                             | $500,000                | 1 per 10 years          | 0.1  | $50,000

4. How might XYZ Software Company arrive at the values in the above table? For each entry, describe the process of determining the cost per incident and frequency of occurrence.
1. It is most likely that XYZ Software Company employed an economic feasibility study or cost-benefit analysis to arrive at the values in its cost and incident table.
2. For each of the entries in the chart, the cost per incident and the frequency of occurrence could have been reached through several varied methods, such as the company's own incident and loss records, published industry loss and frequency surveys, and estimates from vendors, insurers or consultants.
3. All of these methods combined could provide the numbers for the costs and frequencies in the chart.

5. Assume a year has passed and XYZ has improved security by applying a number of controls. Using the information from Exercise 3 and the following table, calculate the post-control ARO and ALE for each threat category listed.

Post-control values. ARO is the post-control annualized rate of occurrence (ALE = SLE × ARO). CBA = ALE(prior) - ALE(post) - ACS, where ALE(prior) is the pre-control figure from Exercise 3 and ACS is the annualized cost of the control applied to that threat; the ACS figures themselves are not reproduced here.

Threat category                  | Cost per incident (SLE) | ARO  | ALE      | CBA
Programmer mistakes              | $5,000                  | 12.0 | $60,000  | $180,000
Loss of intellectual property    | $75,000                 | 0.5  | $37,500  | $22,500
Software piracy                  | $500                    | 12.0 | $6,000   | -$10,000
Theft of information (hacker)    | $2,500                  | 2.0  | $5,000   | -$10,000
Theft of information (employee)  | $5,000                  | 1.0  | $5,000   | -$10,000
Web defacement                   | $500                    | 4.0  | $2,000   | -$14,000
Theft of equipment               | $5,000                  | 0.5  | $2,500   | -$12,500
Viruses, worms, Trojan horses    | $1,500                  | 12.0 | $18,000  | $45,000
Denial-of-service attacks        | $2,500                  | 2.0  | $5,000   | -$12,500
Earthquake                       | $250,000                | 0.05 | $12,500  | -$5,000
Flood                            | $50,000                 | 0.1  | $5,000   | $10,000
Fire                             | $100,000                | 0.1  | $10,000  | $30,000

A negative CBA means the control costs more per year than the loss it avoids; on these figures only the controls for programmer mistakes, loss of intellectual property, malware, flood and fire pay for themselves.
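The arithmetic behind questions 19, 3 and 5 (ARO from a stated frequency, ALE = SLE × ARO, and CBA = ALE(prior) - ALE(post) - ACS), worked in code on the XYZ Software Company rows from the Exercise 3 table. This is an added example, not part of the original homework or the textbook; the row data are taken from the page, while the $20,000 annualized control cost used in the demonstration at the bottom is an assumption, because the page shows only the resulting CBA column.

```python
"""Risk-management arithmetic from the chapter, worked on the XYZ Software
Company figures: ARO from a stated frequency, ALE = SLE x ARO, ranking of
threats by ALE, and CBA = ALE(prior) - ALE(post) - ACS.

Added example; not part of the original homework. The threat rows are the
Exercise 3 table. The annualized cost of a safeguard (ACS) is not given on
the page, so the ACS used in the demo at the bottom is an assumption."""

import re

# Occurrences per year of each time unit the exercise uses ("1 per week" etc.).
PER_YEAR = {"week": 52, "month": 12, "quarter": 4, "year": 1}

_FREQ = re.compile(
    r"\s*(\d+)\s+per\s+(?:(\d+)\s+)?(week|month|quarter|year)s?\s*", re.IGNORECASE
)


def aro_from_frequency(text):
    """Turn 'N per [k] <unit>' into an annualized rate of occurrence.

    'N per k units' happens N times every k units, and a unit recurs
    PER_YEAR[unit] times a year, so ARO = N * PER_YEAR[unit] / k.
    Examples: '1 per week' -> 52.0, '1 per 6 months' -> 2.0,
    '1 per 20 years' -> 0.05.
    """
    m = _FREQ.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised frequency: {text!r}")
    n, k, unit = int(m.group(1)), int(m.group(2) or 1), m.group(3).lower()
    if k == 0:
        raise ValueError("period length must be positive")
    return n * PER_YEAR[unit] / k


def sle(asset_value, exposure_factor):
    """Single loss expectancy: asset value times the fraction lost per incident (EF)."""
    return asset_value * exposure_factor


def ale(single_loss, aro):
    """Annualized loss expectancy: SLE times the annualized rate of occurrence."""
    return single_loss * aro


def cba(ale_prior, ale_post, acs):
    """Cost-benefit of a control: loss avoided per year minus the control's
    annualized cost. Positive means the control pays for itself."""
    return ale_prior - ale_post - acs


# (threat, cost per incident, frequency) rows of the Exercise 3 table.
XYZ_PRIOR = [
    ("Programmer mistakes", 5_000, "1 per week"),
    ("Loss of intellectual property", 75_000, "1 per year"),
    ("Software piracy", 500, "1 per week"),
    ("Theft of information (hacker)", 2_500, "1 per quarter"),
    ("Theft of information (employee)", 5_000, "1 per 6 months"),
    ("Web defacement", 500, "1 per month"),
    ("Theft of equipment", 5_000, "1 per year"),
    ("Viruses, worms, Trojan horses", 1_500, "1 per week"),
    ("Denial-of-service attacks", 2_500, "1 per quarter"),
    ("Earthquake", 250_000, "1 per 20 years"),
    ("Flood", 250_000, "1 per 10 years"),
    ("Fire", 500_000, "1 per 10 years"),
]


def ale_table(rows):
    """{threat: (SLE, ARO, ALE)} for (threat, cost per incident, frequency) rows."""
    table = {}
    for threat, cost, freq in rows:
        aro = aro_from_frequency(freq)
        table[threat] = (cost, aro, ale(cost, aro))
    return table


def rank_by_ale(rows):
    """Threat names ordered by ALE, largest first: the order in which controls
    should be considered, since a high ALE is where yearly loss is concentrated."""
    table = ale_table(rows)
    return sorted(table, key=lambda t: table[t][2], reverse=True)


if __name__ == "__main__":
    for threat, (cost, aro, yearly) in ale_table(XYZ_PRIOR).items():
        print(f"{threat:32} SLE ${cost:>9,.0f}  ARO {aro:6.2f}  ALE ${yearly:>10,.0f}")
    # Post-control programmer mistakes: 1 per month instead of 1 per week.
    post = ale(5_000, aro_from_frequency("1 per month"))
    # ACS of $20,000 is an assumption; the page shows only the resulting CBA.
    print("CBA for the programmer-mistakes control:", cba(260_000, post, 20_000))
```

The frequency parser is the part worth keeping: most of the errors in tables like this come from converting "1 per 6 months" or "1 per 20 years" to an ARO by hand, and deriving the rate from one rule (N × occurrences of the unit per year ÷ k) makes the ALE column reproducible and the ranking by ALE mechanical.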


Case Study
1. Did Charlie effectively organize the work before the meeting? Why or why not? Make a list of the important issues you think should be covered by the work plan. For each issue, provide a short explanation.
Charlie did organize the work effectively before the meeting: he investigated the needs, designed a work plan, and circulated it to each participant beforehand. A work plan is a planning tool for a specific period of time that identifies the problems to be solved and the ways to solve them. The major issues a work plan should cover are:
Introduction: who the document is for, what the work plan will and will not deal with, why it is needed, and the period it covers.
Goals and objectives: which outputs are expected, derived from the goals and objectives of the organization.
Resources and constraints: the resources needed to solve each issue, and the constraints on them, must be known.

2. Will the company get useful information from the team it has assembled? Why or why not?
Yes. The team was asked to identify the assets, and in doing so it will distinguish, for example, the most valuable assets, the assets that generate profit, and the assets that are most expensive. Once the team has identified and classified the risks those assets face, the company can reduce or eliminate them, so the exercise is useful to the company.

3. Why might some attendees resist the goals of the meeting? Does it seem that each person invited was briefed on the importance of the event and the issues behind it?
Attendees may resist because the meeting's goals expose security issues in their own areas, such as loss of data, unauthorized access and theft of data. It does not appear that every person invited was briefed: a systematic way of briefing everyone is needed so that they learn the importance of what is happening and the consequences behind it.
