Mike J Nagle
Aug 22, 2010, 5:30:55 AM
to SEC-0130 Summer 2010
I'm sorry I did not post this two weeks ago, but here it is now.
7. What information attribute is often of great value for local networks that use static addressing?
In networks that use static addressing, the IP address is very useful for identifying hardware assets, since in static addressing it does not change. However, in networks that use DHCP to generate the IP address, the addresses are seldom the same from one session to the next. For those networks that use dynamic addressing, the MAC address is more useful.
8. Which is more important to the system components classification scheme: that the asset identification list be comprehensive or mutually exclusive?
“It is also important that the categories be both comprehensive and mutually exclusive.” That is what the textbook says. What the textbook does not seem to say (or, at least, I can’t find where it does say) is whether the categories’ being comprehensive or their being mutually exclusive is more important. Therefore, I will give my own opinion, for what it’s worth.
Of the two, I believe that being mutually exclusive is more important. While it is necessary that the system components all be classified and accounted for, if the list is not mutually exclusive, some assets will be listed two or more times, increasing the magnitude and complexity of the task. If the list is first set up to be mutually exclusive, adding an overlooked asset is a reasonably simple task. Identifying and eliminating redundantly listed assets is far more difficult.
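The two points in the post above (keying hardware assets by MAC rather than IP on a DHCP network, and checking an asset classification for overlap and coverage) are easy to make concrete. The script below is an added example, not something from the thread or the textbook; every MAC, IP, hostname and category in it is constructed for the demonstration.

```python
"""Asset-inventory reconciliation, added as an illustration of the post above.

Part 1: compare two snapshots of a small LAN taken in different DHCP sessions,
keyed once by IP and once by MAC, and report identifiers that pointed at
different hosts (unstable identifier) or churned (false "new"/"missing" assets).
Part 2: check a category scheme for mutual exclusivity and comprehensiveness.
All data below is constructed; none of it comes from the thread.
"""
from collections import defaultdict

# Constructed observations: (ip, mac, hostname). Leases changed between sessions,
# except the printer, which has a static reservation.
SESSION_1 = [
    ("192.168.10.20", "00:11:22:33:44:aa", "ws-alice"),
    ("192.168.10.21", "00:11:22:33:44:bb", "ws-bob"),
    ("192.168.10.50", "00:11:22:33:44:cc", "printer-1"),
]
SESSION_2 = [
    ("192.168.10.21", "00:11:22:33:44:aa", "ws-alice"),   # alice now holds bob's old IP
    ("192.168.10.22", "00:11:22:33:44:bb", "ws-bob"),
    ("192.168.10.50", "00:11:22:33:44:cc", "printer-1"),  # static reservation, unchanged
]

_COLUMN = {"ip": 0, "mac": 1}


def identity_collisions(earlier, later, key):
    """Identifiers (by 'ip' or 'mac') that named a different host in each session.

    A non-empty result means the chosen attribute is not a stable asset identifier
    on this network. Returns a sorted list of (identifier, before, after).
    """
    idx = _COLUMN[key]
    before = {rec[idx]: rec[2] for rec in earlier}
    after = {rec[idx]: rec[2] for rec in later}
    return sorted(
        (ident, before[ident], after[ident])
        for ident in before.keys() & after.keys()
        if before[ident] != after[ident]
    )


def churn(earlier, later, key):
    """Identifiers that disappeared or newly appeared between sessions.

    Keyed by IP on a DHCP network, ordinary lease changes look like lost and new
    assets; keyed by MAC, the same hardware is recognised. Returns (gone, new).
    """
    idx = _COLUMN[key]
    before = {rec[idx] for rec in earlier}
    after = {rec[idx] for rec in later}
    return before - after, after - before


# Constructed classification scheme: category -> set of asset ids (MACs).
# ...:bb is deliberately listed twice; ...:dd is in the inventory but no category.
CATEGORIES = {
    "workstations": {"00:11:22:33:44:aa", "00:11:22:33:44:bb"},
    "peripherals": {"00:11:22:33:44:cc", "00:11:22:33:44:bb"},
}
INVENTORY = {
    "00:11:22:33:44:aa", "00:11:22:33:44:bb",
    "00:11:22:33:44:cc", "00:11:22:33:44:dd",
}


def check_classification(categories, inventory):
    """Validate a category scheme against the full asset inventory.

    Returns (overlaps, uncovered):
      overlaps  - asset -> sorted categories, for assets in more than one category
                  (the scheme is not mutually exclusive);
      uncovered - sorted assets that appear in no category at all
                  (the scheme is not comprehensive).
    """
    membership = defaultdict(set)
    for category, members in categories.items():
        for asset in members:
            membership[asset].add(category)
    overlaps = {a: sorted(c) for a, c in membership.items() if len(c) > 1}
    uncovered = sorted(set(inventory) - set(membership))
    return overlaps, uncovered


if __name__ == "__main__":
    for key in ("ip", "mac"):
        print(f"keyed by {key}: collisions={identity_collisions(SESSION_1, SESSION_2, key)}"
              f" churn={churn(SESSION_1, SESSION_2, key)}")
    print("classification:", check_classification(CATEGORIES, INVENTORY))
```

Keyed by IP, the second session reports one collision (192.168.10.21 was ws-bob, now ws-alice) and one lost plus one new asset; keyed by MAC it reports nothing, because no hardware actually changed. The classification check returns the doubly listed MAC under `overlaps` and the unclassified one under `uncovered`, so both properties the post discusses are tested in one pass rather than chosen between. One caveat worth keeping in mind when relying on MACs: modern client operating systems can randomise Wi-Fi MAC addresses per network, so for laptops and phones the MAC may be no more stable than a DHCP lease, and a switch port or an agent-reported serial number is the better anchor.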
Elma Hartunian
Sep 4, 2010, 12:13:50 PM
Nice work, Mike.
Here is my response to #8
It is more important that the list be comprehensive than mutually exclusive. It would be far better to have a component assessed in an incorrect category rather than to have it go completely unrecognized during a risk assessment.
Honey Lance Morales
Jul 16, 2021, 11:07:37 AM
to SEC-0130 Summer 2010
Wow, this was posted in 2010. So during that time, there was no Google Classroom and people used Google Groups instead.
Principles of Information Security, 4th Edition
Chapter 4
Review Questions
1. What is risk management? Why is identification of risks, by listing assets and their vulnerabilities, so important to the risk management process?
Risk management is the process of identifying vulnerabilities in an organization’s information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all the components in the organization’s information system. To protect assets, which are defined here as information and the systems that use, store, and transmit information, you must understand what they are, how they add value to the organization, and to which vulnerabilities they are susceptible. Once you know what you have, you can identify what you are already doing to protect it. Just because you have a control in place to protect an asset does not necessarily mean that the asset is protected. Frequently, organizations implement control mechanisms, but then neglect the necessary periodic review, revision, and maintenance. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they are still effective.
2. According to Sun Tzu, what two key understandings must you achieve to be successful?
An observation made by Chinese General Sun Tzu Wu stated, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. In short, know yourself and know the enemy.”
3. Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management?
In an organization, it is the responsibility of each community of interest to manage the risks that organization encounters. Each community of interest has a role to play. Since the members of the information security community best understand the threats and attacks that introduce risk into the organization, they often take a leadership role in addressing risk.
4. In risk management strategies, why must periodic review be a part of the process?
Frequently, organizations implement control mechanisms, but then neglect the necessary periodic review, revision, and maintenance. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they are still effective.
5. Why do networking components need more examination from an information security perspective than from a systems development perspective?