Tokin Shrestha Information Systems Security Assignment 4 04/10/2012 1. What is risk management?

Why is the identification of risks, by listing assets and their vulnerabilities, so important to the risk management process? Risk management is the process of identifying risk, as represented by vulnerabilities, to an organizations information assets and infrastructure, and taking steps to reduce this risk to an acceptable level

2. According to Sun Tzu, what two key understandings must you achieve to be successful in battle? According to Sun Tzu, the two key understandings we must achieve to be successful in battle are Know Yourself and know the enemy. Know yourself First, you must identify, examine, and understand the information and systems currently in place within your organization. This is self-evident. To protect assets, which are defined here as information and the systems that use, store, and transmit information, you must know what they are, how they add value to the organization, and to which vulnerabilities they are susceptible. Once you know what you have, you can identify what you are already doing to protect it. Just because a control is in place does not necessarily mean that the asset is protected. Frequently, organizations implement control mechanisms but then neglect the necessary periodic review, revision, and maintenance. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they remain effective. Know the Enemy Having identified your organizations assets and weaknesses, you move on to Sun Tzus second step: Know the enemy. This means identifying, examining, and understanding the threats facing the organization. You must determine which threat aspects most directly affect the security of the organization and its information assets, and then use this information to create a list of threats, each one ranked according to the importance of the information assets that it threatens. 3. Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management?

4. In risk management strategies, why must periodic review be a part of the process?

5. Why do networking components need more examination from an information security perspective than from a systems development perspective? 6. What value does an automated asset inventory system have for the risk identification process?

7. What information attribute is often of great value for local networks that use static addressing? 8. Which is more important to the systems components classification scheme: that the asset identification list be comprehensive or mutually exclusive? 9. Whats the difference between an assets ability to generate revenue and its ability to generate profit? 10. What are vulnerabilities? How do you identify them? 11. What is competitive disadvantage? Why has it emerged as a factor? 12. What are the strategies for controlling risk as described in this chapter? 13. Describe the defend strategy. List and describe the three common methods. 14. Describe the transfer strategy. Describe how outsourcing can be used for this purpose. 15. Describe the mitigate strategy. What three planning approaches are discussed in the text as opportunities to mitigate risk?

16. How is an incident response plan different from a disaster recovery plan?
The DR plan and the IR plan overlap to a degree. In many respects, the DR plan is the subsection of the IR plan that covers disastrous events. The IR plan is also flexible enough to be useful in situations that are near disasters, but that still require coordinated, planned actions. While some DR plan and IR plan decisions and actions are the same, their urgency and outcomes can differ dramatically. The DR plan focuses more on preparations completed before and actions taken after the incident, whereas the IR plan focuses on intelligence gathering, information analysis, coordinated decision making, and urgent, concrete actions.

17. What is risk appetite? Explain why risk appetite varies from organization to organization. Risk appetite defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility. For instance, a financial services company, regulated by government and conservative by nature, may seek to apply every reasonable control and even some invasive controls to protect its information assets. Other, nonregulated organizations may also be conservative by nature, seeking to avoid the negative publicity associated with the perceived loss of integrity from the exploitation of a vulnerability. Thus, a firewall vendor may install a set of firewall rules that are far stricter than normal because the negative consequence of being hacked would be catastrophic in the eyes of its customers. Other organizations may take on dangerous risks through ignorance. The reasoned approach to risk is one that balances the expense (in terms of finance and the usability of information assets) of controlling vulnerabilities against the losses possible if these vulnerabilities were exploited. 18. What is a cost benefit analysis? In its simplest definition, CBA (or economic feasibility) determines whether or not a particular control is worth its cost. CBAs may be calculated before a control or safeguard is implemented to determine if the control is worth implementing. CBAs can also be calculated after controls have been functioning for a time. Observation over time adds precision to the evaluation of the benefits of the safeguard and the determination of whether the safeguard is functioning as intended. While many

techniques exist, the CBA is most easily calculated using the ALE from earlier assessments before the implementation of the proposed control, which is known as ALE(prior). Subtract the revised ALE, estimated based on the control being in place, known as ALE(post). Complete the calculation by subtracting the annualized cost of the safeguard (ACS). CBA ALE(prior) ALE(post) ACS 19. What is the definition of single loss expectancy? What is annual loss expectancy? A single loss expectancy (SLE) is the calculation of the value associated with the most likely loss from an attack. It is a calculation based on the value of the asset and the exposure factor (EF), which is the expected percentage of loss that would occur from a particular attack, as follows: SLE asset value exposure factor (EF) where EF equals the percentage loss that would occur from a given vulnerability being exploited. Once those values are established, the equation can be completed to determine the overall lost potential per risk. This is usually determined through an annualized loss expectancy (ALE), which is calculated from the ARO and SLE, as shown here: ALE SLE ARO 20. What is residual risk? Even when vulnerabilities have been controlled as much as possible, there is often still some risk that has not been completely removed, shifted, or planned for. This remainder is called residual risk. To express it another way, residual risk is a combined function of (1) a threat less the effect of threat-reducing safeguards, (2) a vulnerability less the effect of vulnerability-reducing safeguards, and (3) an asset less the effect of asset value-reducing safeguards.