Why do networking components need more examination from an information security perspective

5) Why do networking components need more examination from an
information security perspective than from a systems development
perspective?

When analyzing a network from a systems development perspective you
only have to concentrate on getting the network up and running. From
an information security standpoint, you have to carefully examine each
component of a network to secure its integrity, indentify its
vulnerabilities, assess the likelihood of an incident, perform a cost
benefit analysis, etc.

6) What value does an automated asset inventory system have for the
risk identification process?

An automated asset inventory system can categorize the different
assets of a network. In addition to this categorization, an automated
asset inventory system can identify the sensitivity and security
priority of each of these assets, making it easier to plan out
security for a network.

Principles of Information Security, 4th Edition

Chapter 4

Review Questions

1.What is risk management? Why is identification of risks, by listing assets and their

vulnerabilities, so important to the risk management process?

Risk management is the process of identifying vulnerabilities in an organization’s

information systems and taking carefully reasoned steps to ensure the confidentiality,

integrity, and availability of all the components in the organization’s information system.

To protect assets, which are defined here as information and the systems that use, store,

and transmit information, you must understand what they are, how they add value to the

organization, and to which vulnerabilities they are susceptible. Once you know what you

have, you can identify what you are already doing to protect it. Just because you have a

control in place to protect an asset does not necessarily mean that the asset is protected.

Frequently, organizations implement control mechanisms, but then neglect the necessary

periodic review, revision, and maintenance. The policies, education and training

programs, and technologies that protect information must be carefully maintained and

administered to ensure that they are still effective.

2.According to Sun Tzu, what two key understandings must you achieve to be

successful?

An observation made by Chinese General Sun Tzu Wu stated, “If you know the enemy

and know yourself, you need not fear the result of a hundred battles. If you know yourself

but not the enemy, for every victory gained you will also suffer a defeat. If you know

neither the enemy nor yourself, you will succumb in every battle. In short, know yourself

and know the enemy.

3.Who is responsible for risk management in an organization? Which community of

interest usually takes the lead in information security risk management?

In an organization, it is the responsibility of each community of interest to manage the

risks that organization encounters. Each community of interest has a role to play. Since

the members of the information security community best understand the threats and

attacks that introduce risk into the organization, they often take a leadership role in

addressing risk.

4.In risk management strategies, why must periodic review be a part of the process?

Frequently, organizations implement control mechanisms, but then neglect the necessary

periodic review, revision, and maintenance. The policies, education and training

programs, and technologies that protect information must be carefully maintained and

administered to ensure that they are still effective.

5.Why do networking components need more examination from an information

security perspective than from a systems development perspective?

Which is more important to the systems components classification scheme that the list be comprehensive or mutually exclusive?

What four areas can be examined when performing the risk identification process?

What are the key areas of concern for risk management?

Is information security risk management usually a static or dynamic process?