Analysis of risk management-information systems security


Assignment:

Section A. (80) For five possible points each, provide a brief explanation of the following in terms of Risk Management and Information Systems Security. Please note that if you copy a definition, you are required to cite the source.

1. Briefly define:

• Asset -

• Threat -

• Vulnerability -

• Countermeasure -

• Contingency Plan -

2. Provide a brief synopsis of your understanding of the value of a Risk Management program to an organization based on the lecture and reading.

3. Explain why the risk management process is cyclical.

4. Discuss the importance of providing and reinforcing security training of:

• Program Manager

• Approval Authority

• User

• Security Staff

• Systems Administrators

5. Given the vulnerability "No firewall exists to prohibit vulnerable TCP/UDP services from network access", write a Recommended Countermeasure for it, within the context of the scenario, following the format of the example in the class presentation slides.

6. Discuss in general terms (though you may use an example) how a Vulnerability interacts with a Threat against one or more Asset(s).

7. Discuss the difference between a vulnerability and a safeguard (countermeasure).

8. Briefly define:

• Confidentiality

• Integrity

• Availability

• Authentication

• Non-Repudiation

9. Explain why "script kiddies" or "ankle-biters" are requiring less and less in-depth knowledge of Operating Systems and still can cause so much havoc on the Internet.

10. Discuss the difference between a "Threat" and a "Threat Agent".

11. What are the typical steps in the Risk Assessment process?

12. Provide four examples of physical security safeguards.

13. Define/describe the concept of criticality as it relates to asset valuation. Provide an example.

14. Briefly explain the difference between qualitative and quantitative risk analysis processes.

15. Why is it so necessary to have a diversified team with a variety of experiential and work-related backgrounds for the RA?

16. a) Briefly describe how each selection below is a threat to a network and b) list two vulnerability examples that you would look for/interview for when researching each. Do not provide the same vulnerability for more than one threat.

1. Inadequate environmental controls

2. Misuse of computer resources

3. Unauthorized communication alteration

4. Malicious software infestation

5. Unauthorized user action

Section B. (20) Multiple choice: for two points each, select the answer that BEST completes the sentence or answers the statement in terms of Information Systems Security.

1. A Risk Assessment methodology that uses the quantification of assets and threats in numeric values, normally monetary, is known as:

a. Annual Loss Expectancy

b. Security Test and Evaluation

c. Quantitative

d. Qualitative

e. Standard

2. The three key aspects of IA that, when combined with common sense, are what IT risk management is all about are:

a. Protect, Detect, Recover

b. Confidentiality, Integrity, Availability

c. Destruction, Modification, Disclosure

d. Assets, Threats, Safeguards (Countermeasures)

e. Destruction, Disclosure, Denial of Service

3. Using the qualitative risk analysis will determine each of the following EXCEPT:

a. Probability of threats occurring

b. Monetary value of assets

c. Annual Loss Expectancy

d. Non-Technical Vulnerabilities to our assets

e. Technical Vulnerabilities to our assets

4. The very last thing that is accomplished when completing a risk assessment, prior to delivery to the accreditor, is:

a. Identification and documentation of additional recommended Countermeasures

b. Writing the Introduction and Executive Summary

c. Determining risk weights

d. Quantifying the Annual Loss Expectancy

e. Both "c" and "d"

5. According to the Text, choose all that apply for the three stages of asset valuation, risk evaluation, and risk management:

a. Are universal concepts applicable to both quantitative and qualitative risk assessments

b. Are essential to summarize in the Executive Overview section of a quantitative risk assessment

c. Are necessary when comparing tangible and intangible aspects of asset valuation

d. Are important to consider only if the asset is of high value.

6. Once a Risk Assessment has been performed on a network, when will it have to be performed again?

a. Never, once is enough.

b. Each month.

c. Whenever there is a significant change to the network that might introduce new vulnerabilities

d. Upon Management direction.

e. Both "b" and "c", only.

f. Both "c" and "d", only.

7. When required to develop an Annual Loss Expectancy, the resulting figure is actually anticipated to occur:

a. Always that figure, each year.

b. Only This Year

c. Some time in the future, the impact of which is anticipated to be the combination of previous year "ALEs", whether this year, the next or the one after that.

d. Both "b" and "c", only.

8. When you conduct an interview with an authoritative source and receive an answer to an important question, you should:

a. Accept the answer and ensure it's properly documented in the Risk Assessment.

b. Verify the answer from a second authoritative source or document.

c. Discount the answer because it was not provided in writing.

d. Verify that the source should have access to the system information.

9. Recommended additional countermeasures must be:

a. Cost Effective.

b. Mandatory for the organization.

c. The very last thing developed before presenting the Risk Assessment to the Approval Authority.

d. Provided, one-for-one with each and every vulnerability identified in the Risk Assessment (i.e., one recommended countermeasure for each vulnerability).

10. Risk Assessments may result in friendly arguments among the team with applying risk weights or values because:

a. All Risk Assessments are subjective.

b. The Asset categories do not follow the normal Risk Assessment methodologies.

c. The very last thing determined and documented before presenting the Risk Assessment to the Approval Authority are the risk weights.

d. Some of the Team may not be knowledgeable in the Risk Assessment Charter process.

e. Both "a" and "c".

f. Both "b" and "c".

Hints

An asset is a valuable skill, quality, or resource that a firm owns and benefits from in generating income.

A threat is a negative event or situation that can cause a risk to become a loss.

A threat agent is a specific type of threat, such as a particular worm or virus.

Vulnerability defines the weaknesses in a firm that can be exploited by threats to gain access to an asset.

Countermeasure defines the opposing measure to weaken a threat or danger.

A contingency plan is a devised plan made to deal with emergencies.

A risk management program:

  • Identifies problems before they occur
  • Plans risk handling activities
  • Mitigates the adverse effects of threats

The risk assessment process has a lifecycle that involves:

  • Identifying risks
  • Assessing the risks
  • Controlling the risks
  • Reviewing risk control

Confidentiality is an ethical duty of keeping information private.

Integrity is a quality of honesty, doing well in all circumstances.

Availability defines the ability of a user to access information in the correct format.

Authentication is the process of confirming a user's identity.

Non-repudiation is a service which provides proof of integrity and origin of data.
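Several of the questions above (A.14, B.1, B.3, B.7 and B.9) turn on the quantitative risk analysis method and the Annual Loss Expectancy. The following is an added worked example, not part of the assignment or its hints, that carries the standard textbook formulas through: SLE = AV × EF, ALE = SLE × ARO, and the net value of a countermeasure as the reduction in ALE minus its annual cost. It also contrasts this with a qualitative likelihood/impact rating. The asset values, exposure factors, rates of occurrence, costs and the qualitative scale are all constructed sample figures, not values from the course material.

```python
from dataclasses import dataclass

# --- Quantitative method: everything is expressed in monetary terms ---

@dataclass
class Exposure:
    asset_value: float      # AV: monetary value of the asset (constructed sample)
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0.0 to 1.0)
    aro: float              # ARO: annualized rate of occurrence (events per year)

    def sle(self) -> float:
        # Single Loss Expectancy: loss from one occurrence of the threat
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annual Loss Expectancy: loss expected on average per year.
        # It is a statistical expectation, not a figure that occurs every year.
        return self.sle() * self.aro


def countermeasure_value(before: Exposure, after: Exposure, annual_cost: float) -> float:
    # Net annual value of a safeguard: ALE reduction minus what the safeguard costs per year.
    # A positive value means the countermeasure is cost effective (question B.9).
    return before.ale() - after.ale() - annual_cost


def is_cost_effective(before: Exposure, after: Exposure, annual_cost: float) -> bool:
    return countermeasure_value(before, after, annual_cost) > 0


# --- Qualitative method: likelihood and impact are ranked, not priced ---

LEVELS = ("low", "medium", "high")  # constructed three-point scale

def qualitative_rating(likelihood: str, impact: str) -> str:
    # Combine a likelihood rank and an impact rank into an overall risk rating.
    # No monetary value or ALE is produced; only a relative ranking (question B.3).
    score = LEVELS.index(likelihood.lower()) + LEVELS.index(impact.lower())
    if score <= 1:
        return "Low"
    if score == 2:
        return "Medium"
    return "High"


if __name__ == "__main__":
    # Constructed scenario: a file server exposed because no firewall blocks
    # vulnerable TCP/UDP services (the vulnerability named in question A.5).
    without_firewall = Exposure(asset_value=200_000, exposure_factor=0.5, aro=0.25)
    with_firewall = Exposure(asset_value=200_000, exposure_factor=0.5, aro=0.05)

    print(f"SLE without firewall: {without_firewall.sle():,.0f}")
    print(f"ALE without firewall: {without_firewall.ale():,.0f}")
    print(f"ALE with firewall:    {with_firewall.ale():,.0f}")
    for cost in (8_000, 30_000):
        verdict = "cost effective" if is_cost_effective(without_firewall, with_firewall, cost) else "not cost effective"
        print(f"Firewall at {cost:,}/year: net value {countermeasure_value(without_firewall, with_firewall, cost):,.0f} ({verdict})")

    print("Qualitative rating (high likelihood, medium impact):",
          qualitative_rating("high", "medium"))
```

The same firewall can be a good or a bad recommendation depending only on its annual cost relative to the ALE it removes, which is why a recommended countermeasure must be justified as cost effective rather than listed one-for-one against every vulnerability. The qualitative function deliberately returns only a rank, showing what that method cannot deliver: a monetary asset value or an ALE.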
