Kate Rohde

ITS 370

Chapter 5 Homework


Exercises:

1.     If an organization must evaluate the following three information assets for risk management, which vulnerability should be evaluated first for additional controls? Which should be evaluated last?

a.     Evaluate first: "The switch L47 connects a network to the Internet." It has the highest likelihood of failure of the three assets, and its impact rating of 90 is very high.

b.     Evaluate last: "Operators use an MGMT45 control console to monitor operations in the server room." Its impact rating of 5 is by far the lowest of the three.


3.     Suppose XYZ Software Company has a new application development project with projected revenues of $1.2 million. Using the following table, calculate the ARO and ALE for each threat category the company faces for this project.

ARO is the number of occurrences expected per year (1 per week = 52, 1 per quarter = 4, 1 per 6 months = 2, 1 per 20 years = 0.05). ALE = SLE x ARO.

Threat Category                   Cost per Incident (SLE)   Frequency of Occurrence   Annualized Rate of Occurrence (ARO)   Annual Loss Expectancy (ALE)
Programmer mistakes               $5,000                    1 per week                52                                    $260,000
Loss of intellectual property     $75,000                   1 per week                52                                    $3,900,000
Software piracy                   $500                      1 per week                52                                    $26,000
Theft of information (hacker)     $2,500                    1 per quarter             4                                     $10,000
Theft of information (employee)   $5,000                    1 per 6 months            2                                     $10,000
Web defacement                    $500                      1 per month               12                                    $6,000
Theft of equipment                $5,000                    1 per year                1                                     $5,000
Viruses, worms, Trojan horses     $1,500                    1 per week                52                                    $78,000
Denial-of-service attacks         $250,000                  1 per 20 years            0.05                                  $12,500
Earthquake                        $250,000                  1 per 20 years            0.05                                  $12,500
Flood                             $250,000                  1 per 10 years            0.10                                  $25,000
Fire                              $500,000                  1 per 10 years            0.10                                  $50,000
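The ARO and ALE columns above can be produced mechanically from the SLE and frequency columns. The script below is an added example written for this page, not part of the homework or the textbook exercise; it parses the "N per period" frequency phrases into an annualized rate, multiplies by the SLE, and sorts the threat categories by ALE so the order in which they should be evaluated falls out directly. The threat list is copied from the table above as constructed input, and the 52/12/4 periods-per-year figures follow the convention the table itself uses rather than calendar-exact values.

```python
import re

# Constructed input: the SLE and frequency columns of the homework table above.
# These are exercise figures, not measured incident costs.
THREATS = [
    ("Programmer mistakes",             5_000,   "1 per week"),
    ("Loss of intellectual property",   75_000,  "1 per week"),
    ("Software piracy",                 500,     "1 per week"),
    ("Theft of information (hacker)",   2_500,   "1 per quarter"),
    ("Theft of information (employee)", 5_000,   "1 per 6 months"),
    ("Web defacement",                  500,     "1 per month"),
    ("Theft of equipment",              5_000,   "1 per year"),
    ("Viruses, worms, Trojan horses",   1_500,   "1 per week"),
    ("Denial-of-service attacks",       250_000, "1 per 20 years"),
    ("Earthquake",                      250_000, "1 per 20 years"),
    ("Flood",                           250_000, "1 per 10 years"),
    ("Fire",                            500_000, "1 per 10 years"),
]

# Periods per year, using the table's own convention (52 weeks, 12 months,
# 4 quarters) rather than calendar-exact values such as 365.25 / 7.
PERIODS_PER_YEAR = {"week": 52, "month": 12, "quarter": 4, "year": 1}

# Matches "1 per week", "1 per 6 months", "2 per 20 years", "0.5 per year".
_FREQ_RE = re.compile(
    r"^\s*(?P<count>\d+(?:\.\d+)?)\s+per\s+"
    r"(?:(?P<n>\d+)\s+)?(?P<unit>week|month|quarter|year)s?\s*$",
    re.IGNORECASE,
)


def parse_aro(frequency: str) -> float:
    """Convert a frequency phrase into an annualized rate of occurrence
    (expected events per year). Raises ValueError on anything it cannot parse,
    so a typo in the input does not silently become a zero-risk row."""
    m = _FREQ_RE.match(frequency)
    if m is None:
        raise ValueError(f"unrecognised frequency: {frequency!r}")
    count = float(m.group("count"))   # events per period
    n = int(m.group("n") or 1)        # period length, e.g. the 6 in "6 months"
    unit = m.group("unit").lower()
    return count * PERIODS_PER_YEAR[unit] / n


def annual_loss_expectancy(sle: float, frequency: str) -> float:
    """ALE = SLE x ARO, rounded to cents so float noise does not leak into reports."""
    return round(sle * parse_aro(frequency), 2)


def ale_table(threats):
    """Compute ARO and ALE for every (name, SLE, frequency) row and return the
    rows sorted by ALE, highest first: the order in which to evaluate them."""
    rows = []
    for name, sle, freq in threats:
        aro = parse_aro(freq)
        rows.append({"threat": name, "sle": sle, "frequency": freq,
                     "aro": aro, "ale": round(sle * aro, 2)})
    rows.sort(key=lambda r: r["ale"], reverse=True)
    return rows


def total_ale(threats) -> float:
    """Sum of all ALEs: the expected annual loss across every threat category."""
    return round(sum(r["ale"] for r in ale_table(threats)), 2)


if __name__ == "__main__":
    print(f"{'Threat category':32} {'SLE':>10} {'ARO':>7} {'ALE':>12}")
    for r in ale_table(THREATS):
        print(f"{r['threat']:32} {r['sle']:>10,.0f} {r['aro']:>7.2f} {r['ale']:>12,.2f}")
    print(f"{'Total':32} {'':>10} {'':>7} {total_ale(THREATS):>12,.2f}")
```

Two things the sorted output makes visible that the table alone does not: the twelve categories together carry an expected annual loss of $4,395,000, and the loss-of-intellectual-property row alone ($3,900,000) exceeds the project's $1.2 million projected revenue. In a real assessment an ALE larger than the revenue it threatens is a cue to re-examine the frequency assumption behind it before deciding what to spend on controls.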


Case Exercises:

Discussion Questions:

1.     Did Charlie effectively organize the work before the meeting? Why or why not? Make a list of important issues you think should be covered by the work plan. For each issue provide a short explanation.

a.     Overall, his preparation was fairly good, but he could have done two things better. First, he should have made sure everyone had read the paperwork before the meeting. Second, he should have made clear to each department how important its role is in the security of the company.

2.     Will the company get useful information from the team it has assembled? Why or why not?

a.     Yes. The team has a decent start on the security problem at hand. What Charlie explained made sense and helped the employees understand what is expected of them. Having every department take part will also be extremely useful, because everyone ends up on the same page, which improves security.

3.     Why might some attendees resist the goals of the meeting? Does it seem that each person invited was briefed on the importance of the event and the issues behind it?

a.     The sales manager's comment at the beginning of the meeting is a perfect example. Some departments may think security does not apply to them because they are not part of the security group. In reality, security matters to them just as much, because their actions contribute to both its success and its failure. Judging by his question, the sales manager clearly was not briefed on the seriousness of the issue, so not every attendee was.


Ethical Decision Making:

1.     In the hour just before the meeting at which the data was due, she made up some values without much consideration beyond filling in the blanks. Is Amy’s approach to her assignment ethical?

a.     No. Amy fudging the numbers is definitely not ethical; fabricating a study's numbers and statistics is never ethical.

2.     Charlie tells her, “just put anything on the forms so we can check you off the list, and then you will get the bonus being paid to all team members. You can buy me lunch for the favor.” Is Amy now ethically justified in falsifying her data?

a.     No. Falsifying data is never ethical, even when one’s manager says it is okay, and the manager is then acting unethically too. Everyone is susceptible to ethical failure, managers included. Charlie is also proposing a personal quid pro quo (lunch in exchange for the favor), which is unethical in its own right.

3.     Has Charlie acted ethically by establishing an expected paycheck for this arrangement?

a.     No. It is never ethical to bribe employees.