
Question

Exercises, 1. If an organization must evaluate the following three information assets for risk management, which vulnerability should be evaluated first for additional controls? Which should be evaluated last?

Switch L47 connects a network to the Internet. It has two vulnerabilities: it is susceptible to hardware failure at a likelihood of 0.2, and it is subject to an SNMP buffer overflow attack at a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. You are 75 percent certain of the assumptions and data.

Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has a Web server version that can be attacked by sending it invalid Unicode values. The likelihood of that attack is estimated at 0.1. The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of the vulnerability by 75 percent. You are 80 percent certain of the assumptions and data.

Operators use an MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset; it has an impact rating of 5. You are 90 percent certain of the assumptions and data.

Explanation / Answer

The main reason for managing risk in a firm is to safeguard the interests and assets of the firm. Risk management is therefore vital: it allows the system owner to understand each risk and its magnitude, so that scarce resources can be allocated to mitigating it and reducing it to a manageable level, since risk can never be reduced to zero.

In determining the likelihood and impact of each risk we should identify threats and vulnerabilities. Of the three information assets, switch L47 has the highest risk of attack and there are no controls to counter it, but the probability of occurrence is very low compared with the other information assets. MGMT45 has a high chance of being attacked, but its impact is relatively small compared with the other information assets. WebSrv6 has the highest impact on the organization: if attacked, it could fully affect valuable e-commerce transactions, and this would affect the overall performance of the organization.

All three information assets are key components of the organization, so management should use all means to minimize or eliminate the threat; but since resources are scarce, management should first address the assets that, if tampered with, could stop other systems from performing. The company website is hosted by the server, and all the hardware and software components also rely on the server, so if the server is not protected the company's valuable information could be exposed and tampered with.

Detailed explanation:

Assessing Potential Loss
To be effective, the values must be assigned by asking:
- Which threats present a danger to this organization's assets in the given environment?
- Which threats represent the most danger to the organization's information?
- How much would it cost to recover from a successful attack?
- Which threats would require the greatest expenditure to prevent?
- Which of the aforementioned questions is the most important to the protection of information from threats within this organization?

Percentage of Risk Mitigated by Current Controls:
If a vulnerability is fully managed by an existing control, it can be set aside.
If it is partially controlled, estimate what percentage of the vulnerability has been controlled.

Uncertainty:
It is not possible to know everything about every vulnerability.
The degree to which a current control can reduce risk is also subject to estimation error. A factor that accounts for uncertainty must always be added to the equations; it consists of an estimate made by the manager using good judgment and experience.

Risk Determination
For the purpose of relative risk assessment, risk = (likelihood of vulnerability occurrence) x (value, or impact) - (percentage of risk already controlled) + (an element of uncertainty).

Risk assessment:

risk = (likelihood x impact) - (likelihood x impact) x (fraction already controlled) + (likelihood x impact) x (uncertainty), where uncertainty = 1 - certainty

Switch L47, hardware failure: (90 * .2) - ((90 * .2) * 0) + ((90 * .2) * .25) = 22.5

Switch L47, SNMP buffer overflow: (90 * .1) - ((90 * .1) * 0) + ((90 * .1) * .25) = 11.25

WebSrv6: (100 * .1) - ((100 * .1) * .75) + ((100 * .1) * .20) = 4.5

MGMT45: (5 * .1) - ((5 * .1) * 0) + ((5 * .1) * .10) = .55

We consider two opinions for this case:

Opinion 1: The system is in control and gives maintenance for the impact risk, but other devices such as the switch L47 are not in control, and the MGMT45 will increase that risk.
If a vulnerability is fully managed by an existing control, it can be set aside.
If it is partially controlled, estimate what percentage of the vulnerability has been controlled.
The risk identification process should designate what function the reports serve, who is responsible for preparing them, and who reviews them.
Below is the table of the worksheets that should have been prepared by an information asset risk management team to this point.

Opinion 2: The switch L47 has the highest risk, but on the other side WebSrv6 has an impact value of 100 and requires non-stop operation.
I would evaluate WebSrv6 for additional controls first, depending on the company situation, but the company Web site is hosted by this server and it performs valuable e-commerce transactions, which can be compromised if the server is not protected. If an attack on this server occurs, much of the company's private data could be compromised, which could harm the organization in many ways. Protecting the server could also keep the organization safe from other threats and attacks.
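The relative risk formula used in the answer above, carried through for all four vulnerabilities and used to rank them, as an added example that is not part of the original answer. The asset names and figures are taken from the exercise; the `Vulnerability` record, its field names and the `ranked` helper are this example's own.

```python
# Added example (not from the original answer): the relative risk formula
#   risk = likelihood * impact
#          - (likelihood * impact) * fraction_controlled
#          + (likelihood * impact) * uncertainty
# applied to each vulnerability in the exercise and used to rank them.
# The Vulnerability record and the ranked() helper are assumptions of this
# example, not the textbook's notation.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    name: str
    likelihood: float   # probability of occurrence, 0..1
    impact: float       # asset impact / value rating
    controlled: float   # fraction of the risk removed by current controls, 0..1
    certainty: float    # confidence in the data, 0..1; uncertainty = 1 - certainty

    def risk(self) -> float:
        base = self.likelihood * self.impact
        # Subtract the share already mitigated by existing controls, then add
        # back the share attributable to uncertainty in the estimate.
        return base - base * self.controlled + base * (1.0 - self.certainty)


# Constructed from the exercise text: two vulnerabilities on the switch,
# one each on the web server and the management console.
VULNERABILITIES = [
    Vulnerability("Switch L47", "hardware failure", 0.2, 90, 0.0, 0.75),
    Vulnerability("Switch L47", "SNMP buffer overflow", 0.1, 90, 0.0, 0.75),
    Vulnerability("WebSrv6", "invalid Unicode values", 0.1, 100, 0.75, 0.80),
    Vulnerability("MGMT45", "unlogged misuse (no password)", 0.1, 5, 0.0, 0.90),
]


def ranked(vulns=VULNERABILITIES):
    """Return (asset, vulnerability, risk) tuples, highest risk first.

    The first entry is the vulnerability to evaluate first for additional
    controls; the last entry is the one to evaluate last.
    """
    rows = [(v.asset, v.name, round(v.risk(), 2)) for v in vulns]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for asset, name, risk in ranked():
        print(f"{risk:6.2f}  {asset:12s} {name}")
```

Running it reproduces the four figures from the answer (22.5, 11.25, 4.5 and 0.55) in descending order, so the arithmetic puts the switch's hardware failure first and the MGMT45 console last; whether to override that ordering for WebSrv6, as Opinion 2 argues, is a judgement about impact that the formula alone does not settle.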