1. What is risk management? Why is identification of risks, by listing assets and their vulnerabilities, so important to the risk management process? Risk management is the process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level. Each of the three elements in the C.I.A. triangle, introduced in Chapter 1, is an essential part of every IT organization’s ability to sustain long-term competitiveness. When an organization depends on IT-based systems to remain viable, information security and the discipline of risk management must become an integral part of the economic basis for making business decisions. These decisions are based on trade-offs between the costs of applying information systems controls and the benefits realized from the operation of secured, available systems.
2. According to Sun Tzu, what two key understandings must you achieve to be successful? Know Yourself and Know the Enemy
3. Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management? The resources used when undertaking information asset risk management are usually provided by all three communities of interest: Information Security, Information Technology and General Management.
4. In risk management strategies, why must periodic review be a part of the process? Periodic reviews must be a part of risk management strategies because the threats a company faces are constantly changing. Also, once a specific vulnerability is completely managed by an existing control, it no longer needs to be considered for additional controls.
5. Why do networking components need more examination from an information security perspective than from a systems development perspective? Networking components need more examination from an information security perspective than from a