Hunter Wikstrom

ITS 370 Chapter 5



2. Using the data classification scheme in this chapter, identify and classify the information in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information would be confidential, sensitive but unclassified, or for public release?

Bold strategy trying to convince me to reveal all my confidential information in a question. The information that would be classified on my computer would be anything involving my school information such as enrollment prices and loan information. I don’t keep very much important information on a physical device. The sensitive stuff would be my email accounts that are signed in, but it wouldn’t be a huge deal if the contents were to be shared. My work emails are never on the computer and require dual authentication to sign in. Public release would be everything on my desktop or in my word files. I don’t care who has access to this information.

1. If an organization must evaluate the following three information assets for risk management, which vulnerability should be evaluated first for additional controls? Which should be evaluated last?

The proper steps are listed in order now

1.       • Switch L47 connects a network to the Internet. It has two vulnerabilities: it is susceptible to hardware failure at a likelihood of 0.2, and it is subject to an SNMP buffer overflow attack at a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. You are 75 percent certain of the assumptions and data.

2.       • Server WebSrv6 hosts a company Web site and performs e-commerce transactions.  It has a Web server version that can be attacked by sending it invalid Unicode values. The likelihood of that attack is estimated at 0.1. The server has been assigned an impact value of 100, and a control has been implanted that reduces the impact of the vulnerability by 75 percent. You are 80 percent certain of the assumptions and data.

3.       Operators use an MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset; it has an impact rating of 5. You are 90 percent certain of the assumptions and data.


Case Exercises

1. Did Charlie effectively organize the work before the meeting? Why or why not? Make a list of important issues you think should be covered by the work plan. For each issue, provide a short explanation.

Charlie did a good job of organizing the meeting before it took place. He took the time to create organized teams and was sure to include departments from allover within the department. Charlie knew that they needed to go over the assets and ensure that everything important was covered in the risk assessment.

I think they need to focus on a several plans

·         Incident response – plan for while the incident is in progress

·         Disaster Recovery – after the disaster procedures

·         Business Continuity- long-term strategy that implements both

2. Will the company get useful information from the team it has assembled? Why or why not?

I believe that Charlie will see results from the team that he has put together. He is getting insight from multiple departments on what they believe is important and what they believe to be the most important assets to their department. This shows what it is important from a different perspective and lets him know if he needs to retrain his staff.

3. Why might some attendees resist the goals of the meeting? Does it seem that each person invited was briefed on the importance of the event and the issues behind it?

Many attendees may resist the goals of the meeting because they believe that information security isn’t a part of their responsibility and that it will just be additional work for them, and they don’t want to deal with busy work. I don’t believe the people that attended the meeting were briefed before they attended the meeting because there seemed to be some shock in the meeting about what was being asked of them.


Suppose Amy Windahl left the kickoff meeting with a list of over 200 assets that needed to be evaluated. When she looked at the amount of effort needed to finish assessing the asset values and their risk evaluations, she decided to “fudge” the numbers so that she could attend a concert and then spend the weekend with her friends. In the hour just before the meeting in which the data was due, she made up some values without much consideration beyond filling in the blanks. Is Amy’s approach to her assignment ethical?

Hell no. Amy is ignoring her responsibilities because she is pursuing her own self-interest. She is putting the company in financial risk by ignoring what she was supposed to do all just so she can attend a concert and doesn’t want to put the effort in. I think this would be in very poor taste on her end and she would be doing a disservice to the company.

After the kickoff meeting, suppose Charlie had said, “Amy, the assets in your department are not that big of a deal for the company, but everyone on the team has to submit something.  Just put anything on the forms so we can check you off the list, and then you will get the bonus being paid to all team members. You can buy me lunch for the favor.”

Is Amy now ethically justified in falsifying her data? Has Charlie acted ethically by establishing an expected payback for this arrangement?

Amy would still be in the wrong for falsifying the data, but it wouldn’t be as much of a detriment as originally thought. Charlie Is not only acting unethically, he is technically committing a for of “if this than that” form of business misconduct by offering a bonus in exchange for a reward. Not a good look.