
ITE403 – INFORMATION SECURITY – CHAPTER 4 REVIEW

Study Guide Questions

1. What is risk management? Why is identification of risks, by listing assets and their
vulnerabilities, so important to the risk management process?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

2. According to Sun Tzu, what two key understandings must you achieve to be successful?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

3. Who is responsible for risk management in an organization? Which community of
interest usually takes the lead in information security risk management?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

4. In risk management strategies, why must periodic review be a part of the process?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

5. Why do networking components need more examination from an information security
perspective than from a systems development perspective?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

6. What value does an automated asset inventory system have for the risk identification
process?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

7. What information attribute is often of great value for networking equipment when DHCP
is not used?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

8. Which is more important to the systems components classification scheme, that the list be
comprehensive or mutually exclusive?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

9. What’s the difference between an asset’s ability to generate revenue and its ability to
generate profit?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

10. What are vulnerabilities and how do you identify them?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

11. What is competitive disadvantage? Why has it emerged as a factor?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

12. What are the strategies for controlling risk as described in this chapter?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

13. Describe the “defend” strategy. List and describe the three common methods.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

14. Describe the “transfer” strategy. Describe how outsourcing can be used for this
purpose.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

15. Describe the “mitigate” strategy. What three planning approaches are discussed in the
text as opportunities to mitigate risk?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

1.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

2.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

3.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

16. How is an incident response plan different from a disaster recovery plan?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

17. What is risk appetite? Explain why risk appetite varies from organization to organization.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

18. What is a Cost Benefit Analysis?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

19. What is the definition of single loss expectancy? What is annual loss expectancy?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

20. What is residual risk?
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

Exercise on Risk Calculation
If an organization has three information assets to evaluate for risk management, as shown
in the accompanying data, which vulnerability should be evaluated for additional controls
first? Which one should be evaluated last?
An evaluation of the provided asset vulnerabilities results in:
Asset A:
This is a switch that has two vulnerabilities. The first involves a hardware failure
likelihood of 0.2 and the second involves a buffer attack likelihood of 0.1. The
switch has an impact rating of 90. Assumptions made on this asset have a 75%
certainty.
Asset B:
This is a web server that deals with e-commerce transactions. It has one
vulnerability with a likelihood of 0.1. However, it has an impact rating of 100.
Assumptions made on this asset have an 80% certainty.
Asset C:
This is a control console with no password protection with a likelihood of attack
of 0.1. It has no controls and an impact rating of 5. Assumptions made on this
asset have a 90% certainty.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
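As an added worked example (not part of the worksheet), the exercise above scored and ranked in Python. The rating formula is an assumption: this page states no formula, and the code uses the textbook-style rating "likelihood times impact, minus the fraction already mitigated, plus an uncertainty term equal to 1 minus the certainty of the assumptions". The asset and vulnerability labels are taken from the data above; the `mitigated` field is a hypothetical extension set to zero here because the page describes no existing controls, and `rank()` and `Vulnerability` are names chosen for this example.

```python
# Risk-rating helper for the chapter-4 exercise (added example, not from the worksheet).
# Assumed rating formula (the page states none):
#   base        = likelihood * impact
#   risk        = base - base * mitigated + base * (1 - certainty)
# A higher rating means the vulnerability should be evaluated for controls sooner.

from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    name: str
    likelihood: float        # probability of occurrence, 0.0 .. 1.0
    impact: float            # impact (value) rating of the asset
    certainty: float         # confidence in the assumptions, 0.0 .. 1.0
    mitigated: float = 0.0   # fraction of risk already controlled (hypothetical field)

    def risk(self) -> float:
        """Rating under the assumed formula; uncertainty inflates, controls deflate."""
        base = self.likelihood * self.impact
        uncertainty = 1.0 - self.certainty
        return base - base * self.mitigated + base * uncertainty


# Constructed from the exercise data on the page: no existing controls anywhere.
EXERCISE = [
    Vulnerability("Asset A (switch)", "hardware failure", 0.2, 90, 0.75),
    Vulnerability("Asset A (switch)", "buffer attack", 0.1, 90, 0.75),
    Vulnerability("Asset B (web server)", "e-commerce vulnerability", 0.1, 100, 0.80),
    Vulnerability("Asset C (control console)", "no password protection", 0.1, 5, 0.90),
]


def rank(vulns):
    """Return the vulnerabilities ordered from highest to lowest risk rating."""
    return sorted(vulns, key=lambda v: v.risk(), reverse=True)


def residual_after_control(vuln: Vulnerability, mitigated: float) -> float:
    """Rating that remains once a control covering `mitigated` of the risk is in place."""
    return Vulnerability(
        vuln.asset, vuln.name, vuln.likelihood, vuln.impact, vuln.certainty, mitigated
    ).risk()


if __name__ == "__main__":
    for v in rank(EXERCISE):
        print(f"{v.risk():6.2f}  {v.asset}: {v.name}")
```

Running the block prints the four ratings in descending order; the first line is the vulnerability to evaluate first and the last line the one to evaluate last. `residual_after_control` shows how the same formula gives the residual risk (question 20) once a control is credited with a mitigation fraction.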

March 1, 2020
