1- As a common practice, employees, contractors, and outsourcers sign two basic
Question
1- As a common practice, employees, contractors, and outsourcers sign two basic agreements: a confidentiality agreement and an acceptable use agreement. What is the difference between the two agreements, and what are the functions performed in each agreement?
2- What is a risk assessment? How does an organization act to manage risks?
3- Why is labeling important in information classification? Give examples of the different labeling forms.
4- You have been tasked with creating an inventory system that contains a minimum of three hardware and three software assets for the computer lab at your college. List at least five characteristics that will be used to identify hardware assets, and another five characteristics to identify software assets.
Explanation / Answer
Answer:1 Confidentiality agreements, sometimes called secrecy or nondisclosure agreements, are contracts entered into by two or more parties in which some or all of the parties agree that certain types of information that pass from one party to the other or that are created by one of the parties will remain confidential. Such agreements are often used when a company or individual has a secret process or a new product that it wants another company to evaluate as a precursor to a comprehensive licensing agreement.
An Acceptable Use Policy (AUP), acceptable usage policy or fair use policy, is a set of rules applied by the owner, creator or administrator of a network, website, or service, that restrict the ways in which the network, website or system may be used and set guidelines as to how it should be used.
There is a minute difference between these two forms of agreements:
Confidentiality, integrity and availability are the foundations of ensuring that information is secure. An acceptable use policy enforces confidentiality, integrity and availability by limiting access and disclosure to authorized users, “the right people”, and preventing access or disclosure to unauthorized ones, “the wrong people”, as well as by requiring employees to authenticate themselves in order to control access to data system resources and, in turn, holding employees responsible if violations occur under their user ID.
Answer: 2
Risk assessment involves three steps:
1. Risk identification:
This is the phase where threats, vulnerabilities and the associated risks are identified. This process has to be systematic and comprehensive enough to ensure that no risk is unwittingly excluded. It is very important that during this stage all risks are identified and recorded, regardless of the fact that some of them may already be known and likely controlled by the organization.
The first step is to generate a comprehensive list of sources of threats, risks and events that might have an impact on the achievement of each of the objectives as identified in the Definition of Scope and Framework. These events might prevent, degrade, delay or enhance the achievement of those objectives.
2. Analysis of relevant risks:
Risk analysis is the phase where the level of the risk and its nature are assessed and understood. This information is the first input to decision makers on whether risks need to be treated or not and what is the most appropriate and cost-effective risk treatment methodology. It is done using the following types of analysis:
Qualitative analysis
In qualitative analysis, the magnitude and likelihood of potential consequences are presented and described in detail. The scales used can be formed or adjusted to suit the circumstances, and different descriptions may be used for different risks.
Qualitative analysis may be used:
- as an initial assessment to identify risks which will be the subject of further, detailed analysis;
- where non-tangible aspects of risk are to be considered (e.g. reputation, culture, image etc.);
- where there is a lack of adequate information and numerical data or resources necessary for a statistically acceptable quantitative approach.
Semi-quantitative analysis
In semi-quantitative analysis the objective is to try to assign some values to the scales used in the qualitative assessment. These values are usually indicative and not real, which is the prerequisite of the quantitative approach.
Therefore, as the value allocated to each scale is not an accurate representation of the actual magnitude of impact or likelihood, the numbers used must only be combined using a formula that recognizes the limitations or assumptions made in the description of the scales used.
It should also be mentioned that the use of semi-quantitative analysis may lead to various inconsistencies due to the fact that the numbers chosen may not properly reflect analogies between risks, particularly when either consequences or likelihood are extreme.
Quantitative analysis
In quantitative analysis numerical values are assigned to both impact and likelihood. These values are derived from a variety of sources. The quality of the entire analysis depends on the accuracy of the assigned values and the validity of the statistical models used.
Impact can be determined by evaluating and processing the various results of an event or by extrapolation from experimental studies or past data. Consequences may be expressed in various terms:
- monetary
- technical
- operational
- human
3. Evaluation of risk:
During the risk evaluation phase decisions have to be made concerning which risks need treatment and which do not, as well as on the treatment priorities. Analysts need to compare the level of risk determined during the analysis process with risk criteria established in the Risk Management context (i.e. in the risk criteria identification stage). It is important to note that in some cases the risk evaluation may lead to a decision to undertake further analysis.
The criteria used by the Risk Management team have to also take into account the organization objectives, the stakeholder views and of course the scope and objective of the Risk Management process itself.
The decisions made are usually based on the level of risk but may also be related to thresholds specified in terms of:
- consequences (e.g. impacts),
- the likelihood of events,
- the cumulative impact of a series of events that could occur simultaneously.
Answer: 3
Labelling gives assurance about product quality. It mentions the ingredients used in production, relevant dates of usage, benefits of using the product, etc. Without labelling, a consumer cannot get this information about the product he is using.
Different labelling forms are:
Hiding the label element
In this approach, the <label> element is provided to identify a form control within the code, but it is visually hidden to avoid redundancy for users who can derive the purpose from the visual cues.
Using aria-label
The aria-label attribute can also be used to identify form controls. This approach is generally well supported by screen readers and other assistive technology, but, unlike the title attribute (see next section), the information is not conveyed to visual users.
Using the title attribute
The title attribute can also be used to identify form controls. This approach is generally less reliable and not recommended because some screen readers and assistive technologies do not interpret the title attribute as a replacement for the label element, possibly because the title attribute is often used to provide non-essential information. The information of the title attribute is shown to visual users as a tool tip when hovering over the form field with the mouse.
Answer:4
Characteristics for physical assets:
Characteristics for software assets:
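For the risk evaluation step described in Answer 2, the following is an added example, not part of the original answer. It scores a constructed risk register on semi-quantitative 1-5 scales and shows why the evaluation also needs thresholds on consequences, likelihood and cumulative impact; the scales, threshold values, `group` field and register entries are all assumptions.

```python
from dataclasses import dataclass

# Assumed risk criteria on constructed 1-5 ordinal scales (not from the page).
TREAT_SCORE = 12       # level of risk (likelihood x impact) that needs treatment
TREAT_IMPACT = 5       # consequence threshold, applied regardless of score
TREAT_LIKELIHOOD = 5   # likelihood threshold, applied regardless of score
CUMULATIVE_IMPACT = 8  # summed impact of events that could occur simultaneously

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: int
    group: str = ""    # hypothetical tag: same group = could occur together

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def evaluate(risks):
    """Map each risk name to the criteria it trips (empty list = no treatment)."""
    group_impact = {}
    for r in risks:
        if r.group:
            group_impact[r.group] = group_impact.get(r.group, 0) + r.impact
    decisions = {}
    for r in risks:
        reasons = []
        if r.score >= TREAT_SCORE:
            reasons.append("level")
        if r.impact >= TREAT_IMPACT:
            reasons.append("consequence")
        if r.likelihood >= TREAT_LIKELIHOOD:
            reasons.append("likelihood")
        if r.group and group_impact[r.group] >= CUMULATIVE_IMPACT:
            reasons.append("cumulative")
        decisions[r.name] = reasons
    return decisions

# Constructed register. The first two entries get the same score (5) although
# one is a rare catastrophe and the other a frequent nuisance.
REGISTER = [
    Risk("datacenter fire", 1, 5),
    Risk("phishing email received", 5, 1),
    Risk("unpatched lab PC", 3, 4),
    Risk("UPS failure", 2, 4, "power"),
    Risk("generator failure", 2, 4, "power"),
    Risk("lost visitor badge", 2, 2),
]

if __name__ == "__main__":
    for name, reasons in evaluate(REGISTER).items():
        print(f"{name:26} {'treat: ' + ', '.join(reasons) if reasons else 'accept'}")
```

A score-only rule would accept every entry except the unpatched lab PC, which is the inconsistency at the extremes that the semi-quantitative discussion warns about.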