Chapter Five

Max Werdin

Exercises:

1.      If an organization must evaluate the following three information assets for risk management, which vulnerability should be evaluated first for additional controls? Which one should be evaluated last?

The first issue that should be addressed is the MGMT45 control console, as this has the highest likelihood of being misused as well as the highest impact rating. It is also the easiest one to respond to, since assigning a password to each individual user so the users can be tracked will take some man-hours but is very easy to accomplish.

2.      The last vulnerability that should be addressed is the switch that is susceptible to failures and buffer overflow. This would require a hardware replacement to address which is easy to do, but costs more than the others. It is also not in jeopardy of losing personal data which the other option certainly is.

Case Exercises:

1.     Did Charlie effectively organize the work before the meeting? Why or why not? Make a list of important issues you think should be covered by the work plan. For each issue, provide a short explanation.

I think Charlie could have better organized the work before the meeting. One example of this was the sales manager asking why his team was present. If Charlie had better organized things, the sales manager would have understood exactly why he and some of his staff were present. As far as what should be covered by the work plan, I think examples of different threats the company faces should be covered, as this would better explain why there is a need. It should also cover what types of hardware are most susceptible, so the less tech-savvy personnel can make better judgments on their inventories. I also think a contingency plan should be included in his plan.

2.     Will the company get useful information from the team it has assembled?

I guess I could be wrong, but I feel the information they will receive will be less than adequate. My reasoning for this is illustrated in my response above, but I feel Charlie could have explained the need for this as well as specific examples of vulnerable hardware and what could happen.

3.     Why might some attendees resist the goals of the meeting? Does it seem that each person invited was briefed on the importance of the event and the issues behind it?

I believe they may resist as they do not have a well-founded understanding of why they are doing this, what the risks truly are, what the ramifications may be, and what they are really looking for when constructing their inventories.

Ethical Decision Making:

Was fudging some of the numbers an ethical move for Amy to make?

No, this was not an ethical move for her to take. This may lead the company to overlook some issues that they otherwise may have been better prepared for if they had truly known the figures. It essentially sets up the plan for potential failure, since it doesn’t start off accurate.

With Charlie's direction to make the move Amy made, does this now make it ethical?

I would still have to say no, as there are more people involved with this than just Charlie. It doesn’t just risk Charlie but the company as a whole. I would also say that Charlie acted unethically by doing this, as he is now undermining the plan from the start as well, and since he is championing it, if people were to find out what he said, they may not take it seriously.