Josh Waring

ITS 370 Hmwk #5

Shin Ping Tucker



1.)   If an organization must evaluate the following three information assets for risk management, which vulnerability should be evaluated first for additional controls? Which should be evaluated last?

·       Switch L47 has a risk calculation of 27 = (0.2 + 0.1) * 90

·       Server WebSrv6 has a risk calculation of 7.5 = (0.1 * 75%) * 100

·       Control console MGMT45 has a risk calculation of 0.5 = (0.1) * 5

Based on the above calculations, Switch L47 should be evaluated first as it has the highest risk assessment score, and terminal MGMT45 should be evaluated last as it has the lowest score.


2.)   Suppose XYZ Software Company has a new application development project with projected revenues of $1.2million.  Based on given data, calculate the ARO and ALE for each threat category the company faces for this project.


Case Exercises-Discussion Questions

1.)   Did Charlie effectively organize the work before the meeting? Why/why not?  Make a list of important issues that should be covered by the work plan, and provide a short explanation for each.


I think Charlie did a pretty good job organizing the work before the meeting.  It sounds like he has a good project plan and a complete work list.  He also sounds like he has a good plan for how the work will commence going forward. 


I think important issues that should be covered by the work plan include (but not limited to) the following:

·       Identify risks – identify the existing risks to data security at SLS

·       Classify risks – classify the risks by type

·       Calculate asset valuation – calculate how much SLS stands to lose per risk per year

·       Identify key risks – identify risks that would be cost-effective to mitigate

·       Mitigate key risks – reduce/eliminate selected key risks


2.)   Will the company get useful info from the team it has assembled? Why/why not?

I think the company will get useful info, as it has assembled a large team from a wide variety of departments.  This should give a widescale view of risks associated with each department and what the company may need to do going forward to help mitigate these risks.


3.)   Why might some attendees resist the goals of the meeting? Does it seem that each person invited was briefed on the importance of the event and the issues behind it?

I think some attendees might resist the goals of the meeting as involves overhead work in finding what risks each department has and how much these risks stand to cost the company.  Some attendees might feel like this is a lot of work, and if their department has a lot of risks it might reflect negatively on them.

I don’t think everyone was briefed on the importance of the event, as the sales manager asked right away why he was there, which shows he didn’t fully understand the purpose and importance of the meeting.


Case Exercises-Ethical Decision Making

Amy’s approach to her assignment is unethical, as the numbers she made up may not only be incorrect; but could cause SLS to majorly miscalculate the cost of certain risks and end up costing SLS a lot of money.

If Amy falsified her data b/c Charlie said it was ok, it would still be unethical on Amy’s part, as even if not required, she should show integrity.  Since Charlie offered an expected payback for this arrangement, it is obvious that this would be unethical, both on Amy and Charlie’s part.