If an organization has three information assets it evaluates for risk management
ID: 355819 • Letter: I
Question
If an organization has three information assets it evaluates for risk management purposes, as shown in the accompanying data below, which vulnerability should be evaluated for additional controls first? Which vulnerability should be evaluated last?
Switch L47 connects a network to the Internet. It has two vulnerabilities: (1) susceptibility to hardware failure, with a likelihood of 0.2 and (2) susceptibility to SNMP buffer overflow attack, with a likelihood of 0.1. This switch has an impact of 90 and has no current controls in place. There is a 75 percent certainty of the assumptions and data.
Server WebSrv6 hosts a company website and performs e-commerce transactions. It has web server software that is vulnerable to attack via invalid Unicode values. The likelihood of such an attack is estimated at 0.1. The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of the vulnerability by 75 percent. There is an 80 percent certainty of the assumptions and data.
Operators use the MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset, which has an impact rating of 5. There is a 90 percent certainty of the assumptions and data.
Submission on the assignment should be approximately one page in length as a word document if possible.
Explanation / Answer
Assessing Potential Loss
To be effective, the values must be assigned by asking:
· Which threats present a danger to this organization’s assets in the given environment?
· Which threats represent the most danger to the organization’s information?
· How much would it cost to recover from a successful attack?
· Which threats would require the greatest expenditure to prevent?
· Which of the aforementioned questions is the most important to the protection of information from threats within this organization?
Percentage of Risk Mitigated by Current Controls
If a vulnerability is fully managed by an existing control, it can be set aside.
If it is partially controlled, estimate what percentage of the vulnerability has been controlled.
Uncertainty
It is not possible to know everything about every vulnerability.
The degree to which a current control can reduce risk is also subject to estimation error. A factor that accounts for uncertainty must always be added to the equations; it consists of an estimate made by the manager using good judgment and experience.
Risk Determination
For the purpose of relative risk assessment, = (risk equals likelihood of vulnerability occurrence) x (value (or impact)) – (percentage risk already controlled) + (an element of uncertainty).
In order to find out the vulnerabilities to be evaluated, rate the risk of vulnerability (risk assessment):
Likelihood * Impact Value - % risk (controlled) + result of previous *uncertainty = risk
Switch L47 – (90 * .2) – ((90 * .2) * 0) + ((90 * .2) * .25)
= 22.5(90 * .1) – ((90 * .1) * 0) + ((90 * .1) * .25) = 11.25
WebSrv6 - (100 * .1) – ((100 * .1) * .75) + ((100 * .1) * .20) = 4.5
MGMT45 – (5 * .1) – ((5 * .1) * 0 + ((5 * .1) * .10) = .55
I have two opinion for this case.
Opinion 1: The system is in control and give maintenance for the impact risk, but other devices such as the Switch L47 is not in control and the MGMT45 will increase that risk.
If vulnerability is fully managed by an existing control, it can be set aside.
If it is partially controlled, estimate what percentage of the vulnerability has been controlled.
The risk identification process should designate, what function the reports serve, who is responsible for preparing them, and who reviews them.
Below is the table of the worksheets that should have been prepared by an information asset risk management team to this point.
Opinion2: The Switch 47 has the highest risk, but other side of WebSrv6 has impact value is 100 and require the no-stop operation.
I would evaluate the WebSrv6 for the additional controls first, depend on the company situation, but the company Web site is hosted by this server and performs valuable e-commerce transactions which can be compromised if the Server is not protected. If an attack on this Server occurs much of the company’s private data could be compromised which could harm the organization in many way. Protecting the server could also keep the organization safe from other threats and attacks.