Every organization uses its information to support its business operations. When there are threats in the internal and external environments, they create the risk of information loss or damage. This course examines the design and construction of a risk management program, including policies and plans, to support the identification and treatment of risk to the organization’s information assets.
View Syllabus
From the lesson
Conducting the RM Process [Module 2.3]
Taught By
Michael Whitman, Ph.D., CISM, CISSP
Professor of Information Security
Herbert J. Mattord, Ph.D., CISM, CISSP, CDP
Professor of Information Security
Explore our Catalog
Join for free and get personalized recommendations, updates and offers.
Verified Answer and Explanation
Explanation
et, consectetur adipiscing elit. Nam lacinia pulvinar tortor nec facilisis. Pellentesque dapibus efficitur laoreet. Nam risus ante, dapibus a molestie consequat, ultrices ac magna. Fusce dui lectus, congue vel laoreet ac, dictum vitae odio. Donec aliquet. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam lacinia pu
Verified Answer
acinia pulvinar tortor nec facilisis. Pellentesque dapibus efficitur laoreet. Nam risus ante, dapibus a molestie consequat, ultrices ac magna. Fusce dui lectus, congue vel laoreet ac, dictum vitae odio. Donec aliquet. Lorem ipsum dolor sit amet, consectetu
Principles of Information Security, 4th Edition
Chapter 4
Review Questions
1.What is risk management? Why is identification of risks, by listing assets and their
vulnerabilities, so important to the risk management process?
Risk management is the process of identifying vulnerabilities in an organization’s
information systems and taking carefully reasoned steps to ensure the confidentiality,
integrity, and availability of all the components in the organization’s information system.
To protect assets, which are defined here as information and the systems that use, store,
and transmit information, you must understand what they are, how they add value to the
organization, and to which vulnerabilities they are susceptible. Once you know what you
have, you can identify what you are already doing to protect it. Just because you have a
control in place to protect an asset does not necessarily mean that the asset is protected.
Frequently, organizations implement control mechanisms, but then neglect the necessary
periodic review, revision, and maintenance. The policies, education and training
programs, and technologies that protect information must be carefully maintained and
administered to ensure that they are still effective.
2.According to Sun Tzu, what two key understandings must you achieve to be
successful?
An observation made by Chinese General Sun Tzu Wu stated, “If you know the enemy
and know yourself, you need not fear the result of a hundred battles. If you know yourself
but not the enemy, for every victory gained you will also suffer a defeat. If you know
neither the enemy nor yourself, you will succumb in every battle. In short, know yourself
and know the enemy.
3.Who is responsible for risk management in an organization? Which community of
interest usually takes the lead in information security risk management?
In an organization, it is the responsibility of each community of interest to manage the
risks that organization encounters. Each community of interest has a role to play. Since
the members of the information security community best understand the threats and
attacks that introduce risk into the organization, they often take a leadership role in
addressing risk.
4.In risk management strategies, why must periodic review be a part of the process?
Frequently, organizations implement control mechanisms, but then neglect the necessary
periodic review, revision, and maintenance. The policies, education and training
programs, and technologies that protect information must be carefully maintained and
administered to ensure that they are still effective.
5.Why do networking components need more examination from an information
security perspective than from a systems development perspective?