Hw 2

Published by: ahhshuga on Nov 02, 2012
ITEC 5001U, Fall 2012, Unit 2 Assignment
Susanne Hall, 9/18/2012
From Chapter 4
1. This question is worth 5% of the assignment. Corresponding to the 4th edition’s Review Question 7 on page 167. You’re inventorying your company’s assets. You need to assign information attributes to each of your assets. What information attribute is often of great value for local networks that use static addressing?
IP Addresses are of great value for local networks that use static addressing.
2. This question is worth 5% of the assignment. Corresponding to the 4th edition’s Review Question 16 on page 168. How is an incident response plan (IRP) different from a disaster recovery plan?
The Incident Response Plan (IRP) focuses on the immediate response to an incident whereas the Disaster Recovery Plan (DRP) focuses on restoring operations at the primary site after the disaster has occurred. For example, the IRP answers questions such as “What do I do now?”, “Who should I contact?”, and “What should I document?” The DRP includes strategies to limit losses before and during the disaster. This plan includes steps for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow once the disaster is over.
 
3. This question is worth 20% of the assignment. Corresponding to the 4th edition’s Exercise 1 on page 168. XYZ Company has three information assets to evaluate for risk management, as shown in the data below. Which vulnerability should be evaluated for additional controls first? Which one should be evaluated last? DO THE CALCULATIONS AS I DID IN CLASS AND AS DESCRIBED IN THE TEXT. SHOW YOUR RESULT AND YOUR WORK. Then make your decision. HINT – while your calculated result is important, it may not be the overriding factor in your decision – think through the value of each asset to the business. Calculating the four vulnerabilities is worth 4% each. Your analysis and decision (after your calculations) is worth another 4%.
Likelihood * Impact Value - % risk (controlled) + result of previous * uncertainty = risk

Switch L47, Hardware Failure: (90 * .2) – ((90 * .2) * 0) + ((90 * .2) * .25) = 22.5
Switch L47, SNMP buffer overflow: (90 * .1) – ((90 * .1) * 0) + ((90 * .1) * .25) = 11.25
WebSrv6, Unicode: (100 * .1) – ((100 * .1) * .75) + ((100 * .1) * .20) = 4.5
MGMT45, Unlogged Misuse: (5 * .1) – ((5 * .1) * 0) + ((5 * .1) * .10) = .55
 
Asset | Vulnerability | Likelihood | Impact Value | Control | Uncertainty | Risk
Switch L47 | Hardware Failure | .2 | 90 | 0 | .25 | 22.5
Switch L47 | SNMP buffer overflow | .1 | 90 | 0 | .25 | 11.25
WebSrv6 | Unicode | .1 | 100 | .75 | .20 | 4.5
MGMT45 | Unlogged Misuse | .1 | 5 | 0 | .10 | .55
Which vulnerability should be evaluated for additional controls first?
Even though Switch 47 has the highest risk, I would evaluate the WebSrv6 for additional controls first. The company Web site is hosted by this server and performs valuable e-commerce transactions which can be compromised if the server is not protected. If an attack on this server occurs, much of the company’s private data could be compromised, which could harm the organization in many ways. Protecting the server could also keep the organization safe from other threats and attacks.
Which one should be evaluated last?
I would evaluate the MGMT45 control console that monitors operations in the server room last because the likelihood of misuse is low and it has the lowest impact value and poses the least amount of risk to the organization.
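The rating formula used above, written out in Python as an added example (this is not part of the student’s submission or the textbook). It applies the same likelihood × impact, minus existing control, plus uncertainty arithmetic to the four rows of the table, ranks them, and adds one what-if the table does not show: what WebSrv6 would score if its existing 75% control stopped working. The dataclass field names and the `uncontrolled_rating` helper are my own choices.

```python
# Added example (not part of the assignment): the risk-rating formula used above.
#
#   risk = (likelihood * impact)
#          - (likelihood * impact * fraction_already_controlled)
#          + (likelihood * impact * uncertainty)

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    name: str
    likelihood: float   # chance the vulnerability is exploited (0..1)
    impact: float       # impact / asset value on the 0..100 scale used in the table
    controlled: float   # fraction of the risk already mitigated by existing controls
    uncertainty: float  # analyst's uncertainty about the estimates (0..1)


def risk_rating(v: Vulnerability) -> float:
    """Likelihood x impact, minus what existing controls already cover,
    plus an uncertainty allowance computed on the same base figure."""
    base = v.likelihood * v.impact
    return round(base - base * v.controlled + base * v.uncertainty, 4)


def uncontrolled_rating(v: Vulnerability) -> float:
    """Same vulnerability with its existing control removed: shows how much of
    the rating depends on a control that has to keep working."""
    return risk_rating(replace(v, controlled=0.0))


# Values transcribed from the table above.
VULNERABILITIES = [
    Vulnerability("Switch L47", "Hardware Failure", 0.2, 90, 0.0, 0.25),
    Vulnerability("Switch L47", "SNMP buffer overflow", 0.1, 90, 0.0, 0.25),
    Vulnerability("WebSrv6", "Unicode", 0.1, 100, 0.75, 0.20),
    Vulnerability("MGMT45", "Unlogged Misuse", 0.1, 5, 0.0, 0.10),
]


def ranked(vulns=VULNERABILITIES):
    """Rows as (asset, vulnerability, risk), highest residual risk first."""
    rows = [(v.asset, v.name, risk_rating(v)) for v in vulns]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for asset, name, r in ranked():
        print(f"{asset:<11} {name:<22} {r:>6.2f}")
    web = VULNERABILITIES[2]
    print(f"WebSrv6 without its existing control: {uncontrolled_rating(web):.2f}")
```

The what-if is the numeric side of the hint in the question: WebSrv6 rates 4.5 only because 75% of its exposure is already controlled; with that control gone it rates 12, above the SNMP row, which supports looking at the e-commerce server early even though the plain ranking puts it third.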
4. This question is worth 20% of the assignment: Corresponding to the 4th edition’s Exercise 3 on page 168-169: suppose XYZ Software Company has a new application development project, with projected revenues of $1,200,000. Using the following table calculate the ARO and ALE for each threat category that XYZ Software Company faces for this project. Note that the values below may be different from those in the text. Also note that I’ve reduced the number of threat categories – some of them were redundant.
 
XYZ Software Company, major threat categories for new applications development

Threat category | Cost per Incident | Frequency of Occurrence | SLE | ARO | ALE
Programmer mistakes | $7,500 | 1 per week | $7,500 | 52 | $390,000
Loss of intellectual property | $75,000 | 1 per 6 months | $75,000 | 2 | $150,000
Software piracy | $500 | 1 every other week | $500 | 26 | $13,000
Theft of information (hacker) | $2,500 | 1 per quarter | $2,500 | 4 | $10,000
Theft of information (employee) | $5,000 | 1 per 6 months | $5,000 | 2 | $10,000
Web defacement | $1,500 | 1 per month | $1,500 | 12 | $18,000
Theft of equipment | $5,000 | 1 per year | $5,000 | 1 | $5,000
Virus, worms, Trojan horses | $2,500 | 1 every other week | $2,500 | 26 | $65,000
Earthquake | $250,000 | 1 per 20 years | $250,000 | .05 | $12,500
Flood | $250,000 | 1 per 5 years | $250,000 | .20 | $50,000
5. This question is worth 25% of the assignment. Corresponding to the 4th edition’s Exercise 5 on page 169. Assume a year has passed and XYZ has improved security by applying a number of controls. Using the information from Exercise 3 (use revised values in the table below for Exercise 3 for Cost per Incident & Frequency of Occurrence, not the values in the textbook) and the table in Exercise 5 on page 169, calculate the post-control ARO and ALE for each threat category listed. Note: some SLEs may not have changed, and some Annual Rates of Occurrence may not have changed. Again, note that some values in the table below may be different from those in the text.

Then answer the following question: why have some values changed in the columns Cost per Incident, and Frequency of Occurrence? How could a control affect one, but not the other? Answer this below the table. You need to assume that the values in the Cost of Control column presented in the table for Exercise 5 are those unique costs directly associated with protecting against that threat. In other words, don’t worry about overlapping costs between controls. Calculate the CBA for the planned risk control for each threat category.
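The arithmetic behind Exercises 3 and 5, as an added Python example that is not part of the assignment or the textbook. It converts the “Frequency of Occurrence” phrases from the Exercise 3 table into an ARO, multiplies by SLE to get ALE, and then computes CBA = ALE(prior) − ALE(post) − ACS for a planned control. The Exercise 5 table is not on this page, so the two post-control rows in `POST_CONTROL_EXAMPLES` are constructed, clearly hypothetical values chosen only to show a control that changes frequency but not cost next to one that changes cost but not frequency; the `parse_aro` phrase grammar is my own assumption as well.

```python
# Added example (not part of the assignment): SLE / ARO / ALE and a cost-benefit
# figure for a control, using the textbook definitions:
#   SLE = cost of one incident
#   ARO = expected incidents per year
#   ALE = SLE * ARO
#   CBA = ALE(prior) - ALE(post) - ACS, where ACS is the annual cost of the safeguard
import re

PERIODS_PER_YEAR = {"week": 52, "month": 12, "quarter": 4, "year": 1}


def parse_aro(frequency: str) -> float:
    """Turn a phrase such as '1 per week', '1 every other week' or
    '1 per 20 years' into an annualized rate of occurrence."""
    text = frequency.lower().strip()
    m = re.fullmatch(r"(\d+) every other (week|month|quarter|year)s?", text)
    if m:
        return int(m.group(1)) * PERIODS_PER_YEAR[m.group(2)] / 2
    m = re.fullmatch(r"(\d+) per (?:(\d+) )?(week|month|quarter|year)s?", text)
    if m:
        count, span, unit = int(m.group(1)), int(m.group(2) or 1), m.group(3)
        return count * PERIODS_PER_YEAR[unit] / span
    raise ValueError(f"unrecognised frequency: {frequency!r}")


def annualized_loss(cost_per_incident: float, frequency: str):
    """Return (SLE, ARO, ALE) for one threat category."""
    aro = parse_aro(frequency)
    return cost_per_incident, aro, round(cost_per_incident * aro, 2)


def cba(ale_prior: float, ale_post: float, annual_cost_of_safeguard: float) -> float:
    """Cost-benefit of a control; positive means it saves more per year than it costs."""
    return round(ale_prior - ale_post - annual_cost_of_safeguard, 2)


# Threat categories transcribed from the Exercise 3 table above.
THREATS = {
    "Programmer mistakes": (7_500, "1 per week"),
    "Loss of intellectual property": (75_000, "1 per 6 months"),
    "Software piracy": (500, "1 every other week"),
    "Theft of information (hacker)": (2_500, "1 per quarter"),
    "Theft of information (employee)": (5_000, "1 per 6 months"),
    "Web defacement": (1_500, "1 per month"),
    "Theft of equipment": (5_000, "1 per year"),
    "Virus, worms, Trojan horses": (2_500, "1 every other week"),
    "Earthquake": (250_000, "1 per 20 years"),
    "Flood": (250_000, "1 per 5 years"),
}


def ale_table(threats=THREATS):
    """{category: (SLE, ARO, ALE)} for every row of the table."""
    return {name: annualized_loss(cost, freq) for name, (cost, freq) in threats.items()}


# HYPOTHETICAL post-control rows, constructed for illustration only; the assignment's
# own Exercise 5 values are not on this page. The first control lowers how often an
# incident happens and leaves its cost alone; the second lowers the cost of an
# incident and leaves its frequency alone.
POST_CONTROL_EXAMPLES = {
    # category:             (new cost per incident, new frequency, annual cost of control)
    "Programmer mistakes": (7_500, "1 per month", 20_000),  # e.g. code review cuts frequency
    "Theft of equipment":  (1_000, "1 per year", 2_000),    # e.g. disk encryption cuts cost
}


def cba_table(threats=THREATS, post=POST_CONTROL_EXAMPLES):
    """{category: (ALE prior, ALE post, CBA)} for each category with a planned control."""
    prior = ale_table(threats)
    out = {}
    for name, (cost, freq, acs) in post.items():
        ale_post = annualized_loss(cost, freq)[2]
        out[name] = (prior[name][2], ale_post, cba(prior[name][2], ale_post, acs))
    return out


if __name__ == "__main__":
    for name, (sle, aro, ale) in ale_table().items():
        print(f"{name:<32} SLE ${sle:>9,.0f}  ARO {aro:>6.2f}  ALE ${ale:>11,.2f}")
    for name, (before, after, benefit) in cba_table().items():
        print(f"{name:<32} ALE ${before:,.0f} -> ${after:,.0f}  CBA ${benefit:,.0f}")
```

Running it reproduces the ARO and ALE columns of the Exercise 3 table. The two hypothetical rows show the separation the question asks about: a control such as code review changes the frequency column (ARO) while the cost of a mistake stays $7,500, whereas a control such as disk encryption on laptops changes the cost column (SLE) while equipment is still stolen at the same rate.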
