ISA Management 6
14. Which is more important to the information asset classification scheme: that it be comprehensive or that it be mutually exclusive?
Answer: A comprehensive information asset classification scheme is more desirable because it implies that all assets will be included, even if they appear in more than one location.
5. Who is responsible for risk management in an organization?
Answer: All stakeholders in the organization are responsible; management is accountable.
10. What value would an automated asset inventory system have for the risk identification process?
Answer: An automated asset inventory system would be valuable to the risk identification process because all hardware components are already identified by model, make, and location. Thus, management can review the system for the most critical items and assess their values.
16. How many categories should a data classification scheme include? Why?
Answer: An organization would need as many categories as necessary to include all of the different groupings with the appropriate levels of care. This chapter describes an approach that uses Public, Internal, and Confidential categories.
1. What is risk management?
Answer: Risk management is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be controlled or mitigated.
12. Which information attribute is often of great value for networking equipment when the Dynamic Host Configuration Protocol (DHCP) is not used?
Answer: If the IP address can be tied to specific assets, it can be very useful for asset tracking.
3. Why is identification of risks, through a listing of assets and their vulnerabilities, so important to the risk management process?
Answer: It is important because management needs to know the value of each company asset and what losses will be incurred if an asset is compromised.
13. When you document procedures, why is it useful to know where the electronic versions are stored?
Answer: It is useful because the documents can be updated when required and can be retrieved quickly if systems are unavailable.
6. Which community of interest usually takes the lead in information asset risk management?
Answer: Management usually takes the lead in information asset risk management. Management must begin the identification process for threats and risks to the company.
9. Why do networking components need more examination from an InfoSec perspective than from a systems development perspective?
Answer: Networking components need more examination from an InfoSec perspective than from a systems development perspective because networking subsystems are often the entry point for external threats and the focal point of many attacks against the system.
8. In risk management strategies, why must periodic reviews be a part of the process?
Answer: Periodic reviews must be a part of risk management strategies because threats are constantly changing for a company. As a vulnerability of specific concern becomes completely managed by an existing control, it may no longer need to be considered for additional controls, just as new vulnerabilities may require the implementation of new controls.
2. List and describe the key areas of concern for risk management.
Answer: Risk identification, risk assessment, risk appetite, and risk control.
11. Which information attributes are seldom or never applied to software elements?
Answer: Several information attributes are not often tracked for software, including: • IP address • MAC address • Manufacturer's model or part number
15. What is the difference between an asset's ability to generate revenue and its ability to generate profit?
Answer: Some assets may be able to operate and create revenue, but unable to earn a profit after expenses are paid.
19. Describe the TVA worksheet. What is it used for?
Answer: The TVA worksheet combines a prioritized list of assets and their vulnerabilities and a list that prioritizes threats facing the organization. The resulting grid provides a convenient method of examining the "exposure" of assets, allowing a simple vulnerability assessment.
20. Examine the simplest risk formula presented in this chapter. What are its primary elements?
Answer: The primary elements in risk estimation are likelihood of loss, value exposed to loss, percent of potential loss already controlled, and an allowance for uncertainty.
7. Which community of interest usually provides the resources used when undertaking information asset risk management?
Answer: The resources used when undertaking information asset risk management are usually provided by all three communities: InfoSec, IT, and general management.
4. According to Sun Tzu, what two things must be achieved to secure information assets successfully?
Answer: To reduce risk in an organization, the organization must know itself (including its assets and processes used to protect them) and know its enemy (the nature of the threats it faces).
17. How many threat categories are listed in this chapter? Which is noted as being the most frequently encountered, and why?
Answer: Twelve threat categories are discussed in the chapter. The most frequently encountered category is often "human error or failure" because it is often the hardest to control, as access must be given to trusted insiders as a requirement for them to perform their assigned duties.
18. What are vulnerabilities?
Answer: Vulnerabilities are opportunities for a threat to become a loss.