1. List and describe briefly the three key areas of concern for risk management, risk ................, risk ................., and risk .................
2. Why is identification of risks, through a listing of assets and their vulnerabilities, so important to the risk management process? What are vulnerabilities?
3. Why do networking components need more examination from an information security perspective than from a systems development perspective?
Exercises
1. If an organization has three information assets to evaluate for risk management purposes as shown in the data on page 304 of your text, which vulnerability should be evaluated for additional controls first? Which vulnerability should be evaluated last?
N.B. The formula for risk is:
Risk = (the likelihood of the occurrence of a vulnerability) * (the value of the information asset) - (the percentage of risk mitigated by current controls) + (the uncertainty of current knowledge of the vulnerability). See pages 295-298 of your text.
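The risk formula above, implemented and used to rank vulnerabilities for Exercise 1, as an added example that is not part of the original assignment or the textbook. The two percentage terms are taken here as percentages of the likelihood × value product, and the asset data is constructed for illustration (it is not the data from page 304 of the text).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vulnerability:
    asset: str
    name: str
    asset_value: float   # relative value score of the information asset
    likelihood: float    # likelihood the vulnerability is exploited, 0.0 to 1.0
    mitigated: float     # fraction of risk removed by current controls, 0.0 to 1.0
    uncertainty: float   # fraction expressing doubt about our data, 0.0 to 1.0

    def __post_init__(self):
        for field in ("likelihood", "mitigated", "uncertainty"):
            if not 0.0 <= getattr(self, field) <= 1.0:
                raise ValueError(f"{field} must be between 0.0 and 1.0")

def risk(v: Vulnerability) -> float:
    """Risk = likelihood * value - (% mitigated by controls) + (% uncertainty),
    with both percentages applied to the likelihood * value product."""
    base = v.likelihood * v.asset_value
    return base - base * v.mitigated + base * v.uncertainty

def rank(vulns: list[Vulnerability]) -> list[Vulnerability]:
    """Highest residual risk first."""
    return sorted(vulns, key=risk, reverse=True)

def evaluation_order(vulns: list[Vulnerability]) -> tuple[Vulnerability, Vulnerability]:
    """Return (evaluate first, evaluate last): the vulnerability carrying the most
    residual risk gets attention for additional controls first, the least risky last."""
    ranked = rank(vulns)
    return ranked[0], ranked[-1]

# Constructed sample data, NOT the figures from the textbook.
SAMPLE = [
    Vulnerability("Customer DB", "injection flaw in web front end", 50, 1.0, 0.0, 0.10),
    Vulnerability("Mail server", "unpatched mail transfer agent", 100, 0.5, 0.5, 0.20),
    Vulnerability("Mail server", "weak administrator password", 100, 0.1, 0.0, 0.20),
    Vulnerability("File server", "backups never test-restored", 25, 0.2, 0.0, 0.0),
]

if __name__ == "__main__":
    for v in rank(SAMPLE):
        print(f"{risk(v):6.1f}  {v.asset:12s} {v.name}")
    first, last = evaluation_order(SAMPLE)
    print(f"\nEvaluate first: {first.name}\nEvaluate last:  {last.name}")
```

Note that a vulnerability with weak controls on a modest asset can outrank a better-controlled vulnerability on a more valuable one, which is why the ranking, not the asset value alone, drives the order of evaluation.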
2. Using the Web, search for at least three tools to automate risk assessment. Collect information on automated risk assessment tools. What do they cost? What features do they provide? What are the advantages and disadvantages of each one?
3. Compare the ISO/IEC 27001 outline with the NIST documents outlined in chapter 6. Which areas, if any, are missing from the NIST documents? Identify the strengths and weaknesses of the NIST programs compared to the ISO standard.
4. Visit the Web site of one of the major technology organizations listed in chapter 7 (Microsoft, Oracle, and Cisco) plus the Web site of another you choose on your own. Search these two Web sites for best security practices. What do you find?