
LP 5 Assignment: Chapter 5 Review Questions

Questions
1. What is risk management? Why is the identification of risks and vulnerabilities to assets so important in risk management?

Risk management is the process of identifying vulnerabilities in an organization's information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all components in the organization's information system. To protect assets, which are defined here as information and the systems that use, store, and transmit information, you must understand what they are, how they add value to the organization, and to which vulnerabilities they are susceptible. Once you know what you have, you can identify what you are already doing to protect it. Just because you have a control in place to protect an asset does not mean the asset is actually protected. Frequently, organizations implement control mechanisms but then neglect the necessary periodic review, revision, and maintenance. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they are still effective.

2. According to Sun Tzu, what two key understandings must you achieve to be successful in battle?

An observation made by the Chinese general Sun Tzu Wu stated, "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." In short, know yourself and know the enemy.
3. Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management?

In an organization, it is the responsibility of each community of interest to manage the risks the organization encounters. Each community of interest has a role to play. Since the members of the information security community best understand the threats and attacks that introduce risk into the organization, they often take a leadership role in addressing risk.
4. In risk management strategies, why must periodic review be part of the process?

Frequently, organizations implement control mechanisms but then neglect the necessary periodic review, revision, and maintenance. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they are still effective.
5. Why do networking components need more examination from an information security perspective than from a systems development perspective?

When analyzing a network from a systems development perspective, you only have to concentrate on getting the network up and running. From an information security standpoint, you have to carefully examine each component of the network to secure its integrity, identify its vulnerabilities, assess the likelihood of an incident, perform a cost-benefit analysis, and so on.
6. What value does an automated asset inventory system have during risk identification?

An automated asset inventory system can categorize the different assets of a network. In addition to this categorization, an automated asset inventory system can identify the sensitivity and security priority of each of these assets, making it easier to plan out security for a network.
7. What information attribute is often of great value for local networks that use static addressing?

In networks that use static addressing, the IP address is very useful for identifying hardware assets, since in static addressing it does not change. However, in networks that use DHCP to assign the IP address, the addresses are seldom the same from one session to the next. For those networks that use dynamic addressing, the MAC address is more useful.
8. When devising a classification scheme for system components, is it more important that the asset identification list be comprehensive or mutually exclusive?

It is also important that the categories be both comprehensive and mutually exclusive. That is what the textbook says. What the textbook does not seem to say (or, at least, I can't find where it does say) is whether the categories being comprehensive or their being mutually exclusive is more important. Therefore, I will give my own opinion, for what it's worth.

Of the two, I believe that being mutually exclusive is more important. While it is necessary that the system components all be classified and accounted for, if the list is not mutually exclusive, some assets will be listed two or more times, increasing the magnitude and complexity of the task. If the list is first set up to be mutually exclusive, adding an overlooked asset is a reasonably simple task. Identifying and eliminating redundantly listed assets is far more difficult.
9. What's the difference between an asset's ability to generate revenue and its ability to generate profit?

Both depend on the particular asset; however, some services may generate large revenue but operate on such thin or nonexistent margins that they do not generate a profit.
10. What are vulnerabilities? How do you identify them?

A vulnerability is a loophole in a system that an attacker can get through. You can identify vulnerabilities by performing different tests and by using different software tools or programs.

11. What is competitive disadvantage? Why has it emerged as a factor?

A competitive disadvantage occurs when a company falls behind the competition in its ability to maintain the highly responsive services required in today's marketplace. This is a factor because almost all organizations have IT systems today. Therefore, organizations need to obtain or improve their IT systems to avoid falling behind all the others.
12. What five strategies for controlling risk are described in this chapter?

1. Defend: The defend control strategy attempts to reduce the impact caused by the exploitation of the vulnerability.
2. Transfer: The transfer control strategy attempts to shift risk to other assets, other processes, or other organizations.
3. Mitigate: The mitigate control strategy attempts to reduce the impact caused by the exploitation of the vulnerability through planning and preparation.
4. Accept: The accept control strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
5. Terminate: The terminate control strategy directs the organization to avoid those business activities that introduce uncontrollable risks.
13. Describe the defense strategy for controlling risk. List and describe the three common methods.

Application of policy
Education and training
Application of technology
14. Describe the transfer strategy for controlling risk. Describe how outsourcing can be used for this purpose.

15. Describe the mitigation strategy for controlling risk. What three planning approaches are discussed in the text as opportunities to mitigate risk?

16. How is an incident response plan different from a disaster recovery plan?

17. What is risk appetite? Explain why it varies among organizations.

18. What is a cost-benefit analysis?

19. What is single loss expectancy? What is annualized loss expectancy?

20. What is residual risk?
