1. What is risk management? Why is the identification of risks, by listing assets and their
vulnerabilities, so important to the risk management process?
Risk management is the process of identifying risk, as represented by vulnerabilities, to an organization’s
information assets and infrastructure, and taking steps to reduce this risk to an acceptable level.
2. According to Sun Tzu, what two key understandings must you achieve to be successful
According to Sun Tzu, the two key understandings we must achieve to be successful
in battle are to know yourself and to know the enemy.
First, you must identify, examine, and understand the information and systems ...
3. Who is responsible for risk management in an organization? Which community of
interest usually takes the lead in information security risk management?
4. In risk management strategies, why must periodic review be a part of the process?
5. Why do networking components need more examination from an information security
perspective than from a systems development perspective?
6. What value does an automated asset inventory system have for the risk identification
7. What information attribute is often of great value for local networks that use static
8. Which is more important to the systems components classification scheme: that the
asset identification list be comprehensive or mutually exclusive?
9. What’s the difference between an asset’s ability to generate revenue and its ability to
10. What are vulnerabilities? How do you identify them?
11. What is competitive disadvantage? Why has it emerged as a factor?
12. What are the strategies for controlling risk as described in this chapter?
13. Describe the “defend” strategy. List and describe the three common methods.
14. Describe the “transfer” strategy. Describe how outsourcing can be used for this purpose.
15. Describe the “mitigate” strategy. What three planning approaches are discussed in the
text as opportunities to mitigate risk?
16. How is an incident response plan different from a disaster recovery plan?
The DR plan and the IR plan overlap to a degree. In many respects, the DR plan is the subsection
of the IR plan that covers disastrous events. The IR plan is also flexible enough to be
useful in situations that are near disasters, but that still require coordinated, planned actions.
While some DR plan and IR plan decisions and actions are the same, their urgency and outcomes
can differ dramatically. The DR plan focuses more on preparations completed before
and actions taken after the incident, whereas the IR plan focuses on intelligence gathering,
information analysis, coordinated decision making, and urgent, concrete actions.
17. What is risk appetite? Explain why risk appetite varies from organization to organization.
Risk appetite defines the quantity and nature of risk that organizations are willing to accept
as they evaluate the tradeoffs between perfect security and unlimited accessibility. For
instance, a financial services company, regulated by government and conservative by nature,
may seek to apply every reasonable control and even some invasive controls to protect its
information assets. Other, nonregulated organizations may also be conservative by nature,
seeking to avoid the negative publicity associated with the perceived loss of integrity...