Risk Management
1. What is risk management? Why is the identification of risks, by listing assets and their vulnerabilities, so important to the risk management process?
  • Risk management is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be controlled or mitigated.
  • Identifying assets and their vulnerabilities is important because management needs to know the value of each company asset and what losses will be incurred if that asset is compromised.
2. According to Sun Tzu, what two key understandings must you achieve to be successful in battle?
  • To reduce risk, an organization must know itself (its assets and the processes used to protect them) and know its enemy (the nature of the threats it faces).
3. Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management?
  • All stakeholders in the organization are responsible; management is accountable.
  • Management usually takes the lead in information asset risk management, and it must begin the process of identifying the threats and risks to the company.

4. In risk management strategies, why must periodic review be a part of the process?
  • Periodic reviews must be part of a risk management strategy because the threats a company faces are constantly changing. As a vulnerability of specific concern becomes fully managed by an existing control, it may no longer need additional controls, just as newly discovered vulnerabilities may require new controls to be implemented.
5. Why do networking components need more examination from an information security perspective than from a systems development perspective?
  • Networking components need more examination from an InfoSec perspective than from a systems development perspective because networking subsystems are often the entry point for external threats and the focal point of many attacks against the system.

6. What value does an automated asset inventory system have for the risk identification process?
  • An automated asset inventory system is valuable to the risk identification process because all hardware components are already identified by make, model, and location. Management can then review the inventory for the most critical items and assess their values.

7. What information attribute is often of great value for local networks that use static addressing?
  • Several information attributes are not often tracked for software, including:
    • IP address
    • MAC address
    • Manufacturer's model or part number
8. Which is more important to the systems components classification scheme: that the asset identification list be comprehensive or mutually exclusive?
  • A comprehensive information asset classification scheme is more desirable because it implies that all assets will be included, even if they appear in more than one location.
9. What’s the difference between an asset’s ability to generate revenue and its ability to generate profit?
  • Some assets may be able to operate and create revenue, but unable to earn a profit after expenses are paid.
10. What are vulnerabilities? How do you identify them?
  • Vulnerabilities are opportunities for a threat to become a loss.