
Mendoza, Mecaela Janine R.

M3T2 – Essay Questions

Please answer the following:


1. How does NIST define risk management? How does risk management protect the
organization’s information from IT threats?

The National Institute of Standards and Technology (NIST) defines risk management as
the process of identifying and assessing risk, followed by implementing the necessary
procedures to reduce that risk to acceptable levels. Risk management plays an important
role in protecting organizations' information from IT threats. It focuses on risks that
arise from IT systems, such as fraud, erroneous decisions, loss of productive time, data
inaccuracy, unauthorized data disclosure, and loss of public confidence, all of which put
the organization at risk. In addition, a well-designed IT risk management process is a
great help in building an effective and successful security program to protect the IT
assets of an organization.

2. Define risk assessment.

According to Otero, risk assessment is considered the foundation of the audit function
because it assists in developing the process for planning individual audits. It improves the
quality, quantity, and accessibility of planning data, such as risk areas, past audits and
results, and budget information. It also examines potential audit projects in the audit
universe and chooses those with the greatest risk exposure to be performed first.
Lastly, it provides a framework for allocating audit resources to achieve maximum
benefits.

3. NIST is one of several professional standards that provide guidance to auditors and
managers involved in the risk assessment process. How have NIST guidelines
assisted federal agencies and organizations in significantly improving their overall IT
security quality?

NIST guidelines, including SP 800-30, have assisted federal agencies and
organizations in significantly improving their overall IT security quality by:

• providing a standard framework for managing and assessing organizations' IS
risks, while supporting organizational missions and business functions;
• allowing for risk-based determinations, while ensuring cost-effective
implementations;
• describing a more flexible and dynamic approach that can be used for monitoring
the information security status of organizations' IS;
• supporting a bottom-up approach to information security, centering on the
individual IS that support the organization; and
• promoting a top-down approach to information security, focusing on
specific IT-related issues from a corporate perspective.

4. List and describe examples of four resources for tools and techniques used in the
identification and evaluation of IT-related risks.

• NIST.gov. NIST has been a leader in providing tools and techniques to
support IT. It has a number of support tools that can be used by private small-to-
large organizations for risk assessment purposes.

• GAO.gov. The U.S. Government Accountability Office (GAO) has provided a
number of audit, control, and security resources, as well as identification of best
practices in managing and reviewing IT risk in many areas.

• Expected loss approach. A method developed by IBM that assesses the probable
loss and the frequency of occurrence for all unacceptable events for each
automated system or data file. Unacceptable events are categorized as either:
accidental or deliberate disclosure; accidental or deliberate modification; or
accidental or deliberate destruction.

• Scoring approach. Identifies and weighs various characteristics of IT systems. The
approach uses the final score to compare and rank the systems' importance.
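
As an added worked example (written for this page; it is not from the essay and is not IBM's or NIST's own method or tooling), the Python below applies the two techniques just described, the expected loss approach and the scoring approach, to two constructed sample systems named payroll-db and public-web. Every frequency, loss figure, characteristic rating and weight is an invented value chosen only for illustration; the event categories are the six the essay lists.

```python
"""Added example: expected-loss and scoring approaches on constructed data.

Not taken from the essay or from IBM/NIST; all figures are invented.
"""
from itertools import product

# The essay's six unacceptable event categories:
# {accidental, deliberate} x {disclosure, modification, destruction}.
CAUSES = ("accidental", "deliberate")
OUTCOMES = ("disclosure", "modification", "destruction")
EVENT_TYPES = tuple(f"{c} {o}" for c, o in product(CAUSES, OUTCOMES))

# Constructed sample: per system, each event type -> (expected occurrences
# per year, loss per occurrence in USD). Hypothetical system names and values.
SYSTEMS = {
    "payroll-db": {
        "accidental disclosure": (0.5, 20_000),
        "deliberate disclosure": (0.1, 150_000),
        "accidental modification": (1.0, 5_000),
        "deliberate modification": (0.05, 100_000),
        "accidental destruction": (0.2, 30_000),
        "deliberate destruction": (0.02, 200_000),
    },
    "public-web": {
        "accidental disclosure": (0.1, 2_000),
        "deliberate disclosure": (0.3, 10_000),
        "accidental modification": (2.0, 500),
        "deliberate modification": (0.5, 8_000),
        "accidental destruction": (0.5, 3_000),
        "deliberate destruction": (0.25, 20_000),
    },
}


def event_expected_loss(frequency, loss):
    """Annual expected loss for one event type: frequency x loss, to the cent."""
    return round(frequency * loss, 2)


def expected_loss(events):
    """Expected loss approach: sum over all six categories for one system.

    Raises if a category has no estimate, so a gap in the assessment is not
    silently treated as zero risk.
    """
    missing = set(EVENT_TYPES) - set(events)
    if missing:
        raise ValueError(f"no estimate for: {sorted(missing)}")
    return round(sum(event_expected_loss(f, l) for f, l in events.values()), 2)


def largest_contributor(events):
    """The event category that dominates a system's expected loss."""
    name, (f, l) = max(events.items(), key=lambda kv: kv[1][0] * kv[1][1])
    return name, event_expected_loss(f, l)


def rank_by_expected_loss(systems):
    """Systems ordered from highest to lowest annual expected loss."""
    return sorted(((n, expected_loss(e)) for n, e in systems.items()),
                  key=lambda pair: pair[1], reverse=True)


# Scoring approach: each characteristic is rated 1 (low) to 5 (high) and
# weighted; the weights and ratings here are constructed, not a standard.
WEIGHTS = {"data_sensitivity": 0.5, "external_exposure": 0.2,
           "business_criticality": 0.3}
CHARACTERISTICS = {
    "payroll-db": {"data_sensitivity": 5, "external_exposure": 1,
                   "business_criticality": 4},
    "public-web": {"data_sensitivity": 2, "external_exposure": 5,
                   "business_criticality": 3},
}


def score_system(chars, weights=WEIGHTS):
    """Weighted score of one system; validates the rating scale and weights."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    if set(chars) != set(weights):
        raise ValueError("characteristics do not match the weight table")
    if any(not 1 <= v <= 5 for v in chars.values()):
        raise ValueError("ratings must be on the 1..5 scale")
    return round(sum(weights[k] * chars[k] for k in weights), 2)


def rank_by_score(characteristics, weights=WEIGHTS):
    """Systems ordered from highest to lowest weighted score."""
    return sorted(((n, score_system(c, weights)) for n, c in characteristics.items()),
                  key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, loss in rank_by_expected_loss(SYSTEMS):
        cat, amount = largest_contributor(SYSTEMS[name])
        print(f"{name}: expected loss ${loss:,.0f}/yr (largest: {cat}, ${amount:,.0f})")
    for name, s in rank_by_score(CHARACTERISTICS):
        print(f"{name}: score {s}")
```

Both rankings put payroll-db first, but for different reasons: the expected loss figure is driven by the high-impact, low-frequency deliberate disclosure event, while the score is driven by the data-sensitivity weight. Running both side by side is a useful check, because a system that ranks high under one approach and low under the other usually signals an estimate worth revisiting.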

5. What effect does insurance have on risk?

Insurance distributes losses so that a devastating loss to an individual or business is
spread equitably among a group of insured members. Insurance cannot prevent a loss or
reduce its cost, but it does reduce risk, where risk is the possibility of an adverse
deviation from a desired outcome. Insurance is one of the important components of risk
management, as it is one of the risk-control tools. Businesses must have a way to protect
themselves and recover their losses.

In the IT environment, there are special risks that are commonly handled by insurance,
including:
• Damage to computer equipment
• Cost of storage media
• Cost of acquiring the data stored on the media
• Damage to outsiders
• Business effects of the loss of computer functions

6. Discuss what cyber insurance is. Why do you think cyber insurance is frequently excluded
from traditional commercial general liability policies, or not specifically defined in
traditional insurance products?

Cyber insurance is an insurance product designed to protect organizations and individuals
from risks relating to IT infrastructures and activities. Since the initial focus of the cyber
insurance market was on providing errors and omissions coverage for companies
providing technology-based services, it is not specifically defined in traditional insurance
products. This is because, in the past, only a few companies provided technology-based
services, and other technology-based companies may not have paid much attention to
the possibility of having cyber insurance. In addition, it is stated in Otero's book that most
organizations did not necessarily report the full impact of their information security
breaches, in order to avoid negative publicity and damage to the trust of their customers.
