1. If an organization has three information assets to evaluate for risk management purposes, as shown in the accompanying data, which vulnerability should be evaluated for additional controls first? Which vulnerability should be evaluated last?
• Switch L47 connects a network to the Internet. It has two vulnerabilities: (1) susceptibility to hardware failure, with a likelihood of 0.2, and (2) susceptibility to an SNMP buffer overflow attack, with a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. There is a 75 percent certainty of the assumptions and data.
• Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has Web server software that is vulnerable to attack via invalid Unicode values. The likelihood of such an attack is estimated at 0.1. The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of the vulnerability by 75 percent. There is an 80 percent certainty of the assumptions and data.
• Operators use the MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset, which has an impact rating of 5. There is a 90 percent certainty of the assumptions and data.
2. Using the Web, search for at least three tools to automate risk assessment. Collect information on automated risk assessment tools. What do they cost? What features do they provide? What are the advantages and disadvantages of each one?
Do not copy/paste word for word from websites without giving the website name, and do not use old examples.
Expert Answer
The main reason for managing risk in a firm is to safeguard the interests and assets of the firm; hence risk management
is vital to allow the system owner to understand the risk and its magnitude, and to allocate its scarce resources to mitigating
it and reducing it to a manageable level, since it can never be reduced to zero.
In determining the likelihood and impact for each risk we should identify threats and vulnerabilities. Of the three information assets,
switch L47 has the highest risk of attack and there are no controls to counter it, but the probability of occurrence
is very low compared to the other information assets. MGMT45 has a high chance of being attacked, but its impact is relatively
small compared to the other information assets. WebSrv6 has the highest impact on the organization and could fully affect valuable
e-commerce transactions if attacked, and this would affect the overall performance of the organization.
All three information assets are key components of the organization; hence management should use all means
to minimize or eliminate the threat, but since resources are scarce, management should go for the assets that, if tampered with,
could stop other systems from performing. The company website is hosted by the server, and all the hardware and software
components also rely on the server; hence if the server is not protected, the company's valuable information could be
exposed and tampered with.
Answer for Question 2:
1. Risk assessment toolbox:
The UCOP Office of Risk Services (OPRS) offers several Excel-based tools intended to support the risk assessment process at each of the UC locations.
2. UC Tracker:
A web-based tool to facilitate the review and documentation of key department controls as required by SAS 112/115.
3. UC Ready (mission continuity planning):
A systemwide program that enables all of our campuses, medical centers and national laboratory to better prepare to meet the challenges of resuming business operations after a major event occurs.
4. New initiative risk review workbook:
Helps you consider the strategic, financial, operational, compliance, reporting, and reputational risks associated with a new initiative or project.
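Worked calculation for Question 1, added here as an example; it is not part of the question or of the expert answer above. The question supplies a likelihood, an impact rating, a control percentage and a certainty figure for each vulnerability but states no formula, so the code assumes the common textbook risk-rating form: risk = likelihood × impact, minus the share of that product already removed by controls, plus an uncertainty allowance of (1 − certainty) times the same product. Asset and vulnerability names are taken from the question; the class and function names (Vulnerability, ranked, first_and_last, control_needed) are this example's own.

```python
# Added worked example for Question 1 (not from the page or the expert answer).
# Assumed risk-rating formula (the page does not state one):
#   risk = L*I - L*I*control + L*I*(1 - certainty)
# L = likelihood, I = impact rating, control = fraction of impact already
# mitigated by current controls, certainty = confidence in the data.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    name: str
    likelihood: float  # probability of occurrence, 0.0 to 1.0
    impact: float      # asset impact rating from the question
    control: float     # fraction of impact removed by existing controls
    certainty: float   # confidence in the assumptions and data, 0.0 to 1.0

    def base(self) -> float:
        """Uncontrolled expected loss: likelihood times impact."""
        return self.likelihood * self.impact

    def risk(self) -> float:
        """Residual risk after controls, plus the uncertainty allowance."""
        b = self.base()
        return round(b - b * self.control + b * (1.0 - self.certainty), 4)


# Figures copied from Question 1; WebSrv6 is the only asset with a control.
VULNERABILITIES: List[Vulnerability] = [
    Vulnerability("L47", "hardware failure", 0.2, 90, 0.0, 0.75),
    Vulnerability("L47", "SNMP buffer overflow", 0.1, 90, 0.0, 0.75),
    Vulnerability("WebSrv6", "invalid Unicode values", 0.1, 100, 0.75, 0.80),
    Vulnerability("MGMT45", "unlogged misuse (no passwords)", 0.1, 5, 0.0, 0.90),
]

Row = Tuple[str, str, float]


def ranked(vulns: List[Vulnerability] = VULNERABILITIES) -> List[Row]:
    """Vulnerabilities ordered highest risk first, as (asset, name, risk)."""
    order = sorted(vulns, key=lambda v: v.risk(), reverse=True)
    return [(v.asset, v.name, v.risk()) for v in order]


def first_and_last(vulns: List[Vulnerability] = VULNERABILITIES) -> Tuple[Row, Row]:
    """Which vulnerability to evaluate for extra controls first, and which last."""
    rows = ranked(vulns)
    return rows[0], rows[-1]


def control_needed(v: Vulnerability, target: float) -> float:
    """Fraction of impact a control must remove so that risk(v) <= target.

    Solving b*(1 - c + u) <= target for c gives c >= 1 + u - target/b,
    with b = likelihood*impact and u = 1 - certainty. A result of 1.0 or
    more means no impact-reducing control alone gets there; likelihood
    (or the uncertainty in the data) has to come down as well.
    """
    b = v.base()
    u = 1.0 - v.certainty
    return round(max(0.0, 1.0 + u - target / b), 4)


if __name__ == "__main__":
    for asset, name, risk in ranked():
        print(f"{asset:8} {name:32} risk = {risk}")
    top, bottom = first_and_last()
    print("evaluate first:", top[0], top[1])
    print("evaluate last: ", bottom[0], bottom[1])
    # Sensitivity check: how much mitigation would the top item need to
    # fall to WebSrv6's controlled level?
    print("control needed on L47 hardware failure to reach 4.5:",
          control_needed(VULNERABILITIES[0], 4.5))
```

Under the assumed formula the ratings come out at 22.5 for the L47 hardware failure, 11.25 for the L47 SNMP overflow, 4.5 for WebSrv6 and 0.55 for MGMT45, so the L47 hardware-failure exposure is evaluated first and MGMT45 last. The control_needed check shows that WebSrv6's existing 75 percent control is exactly what brings it to 4.5, while the L47 hardware failure would need a control removing 100 percent of the impact to reach the same level, which is a signal to look at reducing the likelihood (for example redundancy or a spare) rather than the impact.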