Ayesha Rajbhandari
CH 5

 

1.    If an organization must evaluate the following three information assets for risk management, which vulnerability should be evaluated first for additional controls? Which should be evaluated first

→ I think the number B should be evaluated first because the company could lose their customers because of the lack of proper services.

 

2.    Using the data classification scheme in this chapter, identify and classify the information in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information would be confidential, sensitive but unclassified, or for public release?

→ The password should be confidential, and the information and confidentiality of the customers should be secured.

 

3.    Suppose XYZ Software Company has a new application development project, with projected revenues of $1.2 million. Using the following table, calculate the ARO and ALE for each threat category the company faces for this project.

→

Threat category                 Cost per incident   Frequency of occurrence   ARO    ALE
Programmer mistake              $5,000              1 per week                52     $260,000
Loss of intellectual property   $75,000             1 per year                1      $75,000
Software piracy                 $500                1 per week                52     $26,000
Theft of information            $5,000              1 per quarter             4      $10,000
Earthquake                      $250,000            1 per 20 years            0.05   $12,500
Flood                           $250,000            1 per 10 years            0.01   $25,000
Fire                            $500,000            1 per 10 years            0.1    $50,000

 

4.    How might XYZ Software Company arrive at the values in the table shown in Exercise 3? For each entry, describe the process of determining the cost per incident and frequency of occurrence.

→ The cost per incident is calculated based on the total value of the asset. There are no sources or proof to show the frequency of attacks.

 

5.    Assume that a year has passed and XYZ has improved security by applying several controls. Using the information for Exercise 3 and the following table, calculate the post-control ARO and ALE for each threat category.

Threat category                 Cost per incident   Frequency of occurrence   Cost of control   Type of control
Programmer mistake              $5,000              1 per month               $20,000           Training
Loss of intellectual property   $75,000             1 per 2 years             $15,000           Firewall/IDS
Software piracy                 $500                1 per month               $30,000           Firewall/IDS
Earthquake                      $250,000            1 per 20 years            $5,000            Insurance/backups
Flood                           $50,000             1 per 10 years            $10,000           Insurance/backups
Fire                            $100,000            1 per 10 years            $10,000           Insurance/backups
Web defacement                  $500                1 per quarter             $10,000           Firewall
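As an added worked example (not part of the original answer sheet), the following Python computes ARO and ALE for Exercises 3 and 5 from the table inputs above and then the cost-benefit of each control as ALE(prior) minus ALE(post) minus the annual cost of the safeguard. The frequency parser, the two dictionaries and the cba() helper are my own; the Web defacement row has no pre-control baseline, so cba() cannot be computed for it.

```python
import re
from fractions import Fraction

# Worked example for Exercises 3 and 5 (added, not from the answer sheet).
# Fraction keeps the dollar arithmetic exact (no binary float drift on 0.05).
PERIODS_PER_YEAR = {"week": 52, "month": 12, "quarter": 4, "year": 1}
FREQ_RE = re.compile(r"(\d+)\s+per\s+(?:(\d+)\s+)?(week|month|quarter|year)s?")

def aro(frequency: str) -> Fraction:
    """Annualized rate of occurrence from text like '1 per week' or '1 per 20 years'."""
    m = FREQ_RE.fullmatch(frequency.strip().lower())
    if m is None:
        raise ValueError(f"unrecognised frequency: {frequency!r}")
    count, span, unit = int(m.group(1)), int(m.group(2) or 1), m.group(3)
    return Fraction(count * PERIODS_PER_YEAR[unit], span)

def ale(cost_per_incident: int, frequency: str) -> Fraction:
    """Annualized loss expectancy = SLE x ARO; the cost per incident is the SLE here."""
    return cost_per_incident * aro(frequency)

# Exercise 3 inputs: (cost per incident, frequency), taken from the table above.
PRE_CONTROL = {
    "Programmer mistake": (5_000, "1 per week"),
    "Loss of intellectual property": (75_000, "1 per year"),
    "Software piracy": (500, "1 per week"),
    "Theft of information": (5_000, "1 per quarter"),
    "Earthquake": (250_000, "1 per 20 years"),
    "Flood": (250_000, "1 per 10 years"),
    "Fire": (500_000, "1 per 10 years"),
}
# Exercise 5 inputs: (cost per incident, frequency, annual cost of the control).
POST_CONTROL = {
    "Programmer mistake": (5_000, "1 per month", 20_000),
    "Loss of intellectual property": (75_000, "1 per 2 years", 15_000),
    "Software piracy": (500, "1 per month", 30_000),
    "Earthquake": (250_000, "1 per 20 years", 5_000),
    "Flood": (50_000, "1 per 10 years", 10_000),
    "Fire": (100_000, "1 per 10 years", 10_000),
    "Web defacement": (500, "1 per quarter", 10_000),
}

def cba(threat: str) -> Fraction:
    """Cost-benefit analysis: ALE(prior) - ALE(post) - annual cost of the safeguard.
    Negative means the control costs more per year than the loss it avoids."""
    cost_pre, freq_pre = PRE_CONTROL[threat]          # KeyError: no baseline row
    cost_post, freq_post, control_cost = POST_CONTROL[threat]
    return ale(cost_pre, freq_pre) - ale(cost_post, freq_post) - control_cost
    # e.g. cba("Software piracy") == -10000: the $30,000 control saves only $20,000
```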