Section A. (80) For five possible points each, provide a brief explanation of the following in terms of Risk Management and Information Systems Security. Please note that if you copy a definition, you are required to cite the source.
- Briefly define:
  - Asset –
  - Threat –
  - Vulnerability –
  - Countermeasure –
  - Contingency Plan –
- Provide a brief synopsis of your understanding of the value of a Risk Management program to an organization based on the lecture and reading.
- Explain why the risk management process is cyclical.
- Discuss the importance of providing and reinforcing security training of:
  - Program Manager
  - Approval Authority
  - User
  - Security Staff
  - Systems Administrators
- Given the vulnerability “No firewall exists to prohibit vulnerable TCP/UDP services from network access”, write a Recommended Countermeasure for it, within the context of the scenario, following the format of the example in the class presentation slides.
- Discuss in general terms (though you may use an example) how a Vulnerability interacts with a Threat against one or more Asset(s).
- Discuss the difference between a vulnerability and a safeguard (countermeasure).
- Briefly define:
  - Confidentiality
  - Integrity
  - Availability
  - Authentication
  - Non-Repudiation
- Explain why “script kiddies” or “ankle-biters” are requiring less and less in-depth knowledge of Operating Systems and still can cause so much havoc on the Internet.
- Discuss the difference between a “Threat” and a “Threat Agent”.
- What are the typical steps in the Risk Assessment process?
- Provide four examples of physical security safeguards.
- Define/describe the concept of criticality as it relates to asset valuation. Provide an example.
- Briefly explain the difference between qualitative and quantitative risk analysis processes.
- Why is it so necessary to have a diversified team with a variety of experiential and work-related backgrounds for the RA?
- a) Briefly describe how each selection below is a threat to a network and b) list two vulnerability examples that you would look for/interview for when researching each. Do not provide the same vulnerability for more than one threat.
  - Inadequate environmental controls
  - Misuse of computer resources
  - Unauthorized communication alteration
  - Malicious software infestation
  - Unauthorized user action
Section B. (20) Multiple choice: for two points each, select the answer that BEST completes the sentence or answers the statement in terms of Information Systems Security.
1. A Risk Assessment methodology that uses the quantification of assets and threats in numeric values, normally monetary, is known as:
   a. Annual Loss Expectancy
   b. Security Test and Evaluation
   c. Quantitative
   d. Qualitative
   e. Standard
2. The three key aspects of IA that, when combined with common sense, are what IT risk management is all about are:
   a. Protect, Detect, Recover
   b. Confidentiality, Integrity, Availability
   c. Destruction, Modification, Disclosure
   d. Assets, Threats, Safeguards (Countermeasures)
   e. Destruction, Disclosure, Denial of Service
3. Using the qualitative risk analysis will determine each of the following EXCEPT:
   a. Probability of threats occurring
   b. Monetary value of assets
   c. Annual Loss Expectancy
   d. Non-Technical Vulnerabilities to our assets
   e. Technical Vulnerabilities to our assets
4. The very last thing that is accomplished when completing a risk assessment, prior to delivery to the accreditor, is:
   a. Identification and documentation of additional recommended Countermeasures
   b. Writing the Introduction and Executive Summary
   c. Determining risk weights
   d. Quantifying the Annual Loss Expectancy
   e. Both “c” and “d”
5. According to the Text, choose all that apply for the three stages of asset valuation, risk evaluation, and risk management:
   a. Are universal concepts applicable to both quantitative and qualitative risk assessments
   b. Are essential to summarize in the Executive Overview section of a quantitative risk assessment
   c. Are necessary when comparing tangible and intangible aspects of asset valuation
   d. Are important to consider only if the asset is of high value.
6. Once a Risk Assessment has been performed on a network, it will have to be performed again:
   a. Never, once is enough.
   b. Each month.
   c. Whenever there is a significant change to the network that might introduce new vulnerabilities
   d. Upon Management direction.
   e. Both “b” and “c”, only.
   f. Both “c” and “d”, only.
7. When required to develop an Annual Loss Expectancy, the resulting figure is actually anticipated to occur:
   a. Always that figure, each year.
   b. Only This Year
   c. Some time in the future, the impact of which is anticipated to be the combination of previous year “ALEs”, whether this year, the next or the one after that.
   d. Both “b” and “c”, only.
8. When conducting an interview with an authoritative source and receiving an answer to an important question, you should:
   a. Accept the answer and ensure it’s properly documented in the Risk Assessment.
   b. Verify the answer from a second authoritative source or document.
   c. Discount the answer because it was not provided in writing.
   d. Verify that the source should have access to the system information.
9. Recommended additional countermeasures must be:
   a. Cost Effective.
   b. Mandatory for the organization.
   c. The very last thing developed before presenting the Risk Assessment to the Approval Authority.
   d. Provided, one-for-one with each and every vulnerability identified in the Risk Assessment (i.e., one recommended countermeasure for each vulnerability).
10. Risk Assessments may result in friendly arguments among the team when applying risk weights or values because:
   a. All Risk Assessments are subjective.
   b. The Asset categories do not follow the normal Risk Assessment methodologies.
   c. The very last thing determined and documented before presenting the Risk Assessment to the Approval Authority are the risk weights.
   d. Some of the Team may not be knowledgeable in the Risk Assessment Charter process.
   e. Both “a” and “c”.
   f. Both “b” and “c”.