Which is more important to the system components classification scheme: that the asset identification list be comprehensive or mutually exclusive?

Mike J Nagle

Aug 22, 2010, 5:30:55 AM

to SEC-0130 Summer 2010

I'm sorry I did not post this two weeks ago, but here it is now.

7. What information attribute is often of great value for local
networks that use static addressing?

In networks that use static addressing, the IP Address is very useful
for identifying hardware assets, since in static addressing it does
not change. However, in networks that use DHCP to generate the IP
Address the addresses are seldom the same from one session to the
next. For those networks that use dynamic addressing, the MAC Address
is more useful.

8. Which is more important to the system components classification
scheme: that the asset identification list be comprehensive or
mutually exclusive?

“It is also important that the categories be both comprehensive and
mutually exclusive.” That is what the textbook says. What the textbook
does not seem to say, (or, at least, I can’t find where it does say,)
is whether the categories’ being comprehensive or their being mutually
exclusive is more important. Therefore, I will give my own opinion,
for what it’s worth.
Of the two, I believe that being mutually exclusive is more important.
While it is necessary that the system components all be classified and
accounted for, if the list is not mutually exclusive, some assets will
be listed two or more times, increasing the magnitude and complexity
of the task. If the list is first set up to be mutually exclusive,
adding an overlooked asset is a reasonably simple task. Identifying
and eliminating redundantly listed assets is far more difficult.

Elma Hartunian

Sep 4, 2010, 12:13:50 PM

Nice work Mike.

Here is my response to #8

It is more important that the list be comprehensive than mutually exclusive. It would be far better to have a component assessed in an incorrect category rather than to have it go completely unrecognized during a risk assessment.
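
An added example, not part of any post in this thread: a Python sketch that keys each asset the way answer 7 describes (IP address under static addressing, MAC address under DHCP) and then audits a classification scheme for both properties debated under question 8. The host records, category names, and function names are constructed for illustration.

```python
from collections import defaultdict

def asset_key(host):
    """Stable identifier: IP on statically addressed hosts, MAC on DHCP hosts."""
    if host["addressing"] == "static":
        return ("ip", host["ip"])
    return ("mac", host["mac"].lower().replace("-", ":"))

def audit(observations, categories):
    """Return (unclassified, duplicated) asset keys for a classification scheme.

    unclassified: seen on the network but in no category (not comprehensive)
    duplicated:   listed under two or more categories (not mutually exclusive)
    """
    seen = {asset_key(h) for h in observations}
    membership = defaultdict(set)
    for category, keys in categories.items():
        for key in keys:
            membership[key].add(category)
    unclassified = sorted(seen - set(membership))
    duplicated = {k: sorted(c) for k, c in membership.items() if len(c) > 1}
    return unclassified, duplicated

# Constructed sample data: hosts observed across two scan sessions.
OBSERVATIONS = [
    {"ip": "10.0.0.10", "mac": "00:16:3E:00:00:01", "addressing": "static"},
    {"ip": "10.0.0.11", "mac": "00:16:3E:00:00:02", "addressing": "static"},
    {"ip": "10.0.1.57", "mac": "00-16-3E-00-00-03", "addressing": "dhcp"},
    # Same laptop in the next session: new DHCP lease, same MAC.
    {"ip": "10.0.1.92", "mac": "00:16:3e:00:00:03", "addressing": "dhcp"},
    {"ip": "10.0.1.60", "mac": "00:16:3e:00:00:04", "addressing": "dhcp"},
]

# Constructed classification scheme with one overlap and one omission.
CATEGORIES = {
    "servers": [("ip", "10.0.0.10"), ("ip", "10.0.0.11")],
    "network devices": [("ip", "10.0.0.11")],        # also listed as a server
    "workstations": [("mac", "00:16:3e:00:00:03")],  # ...:04 is missing
}

if __name__ == "__main__":
    unclassified, duplicated = audit(OBSERVATIONS, CATEGORIES)
    print("not comprehensive, unclassified assets:", unclassified)
    print("not mutually exclusive, multiply listed:", duplicated)
```

Keying the DHCP laptop by MAC collapses its two leases into one asset, so five observations yield four assets; keyed by IP it would have been counted twice.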


Honey Lance Morales

Jul 16, 2021, 11:07:37 AM

to SEC-0130 Summer 2010

Wow, this was posted in 2010. So during that time, there was no Google Classroom and people used Google Groups instead.

Which is more important to the system components classification scheme: that the asset identification list be comprehensive or mutually exclusive?

Principles of Information Security, 4th Edition

Chapter 4

Review Questions

1. What is risk management? Why is identification of risks, by listing assets and their vulnerabilities, so important to the risk management process?

Risk management is the process of identifying vulnerabilities in an organization’s information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all the components in the organization’s information system. To protect assets, which are defined here as information and the systems that use, store, and transmit information, you must understand what they are, how they add value to the organization, and to which vulnerabilities they are susceptible. Once you know what you have, you can identify what you are already doing to protect it. Just because you have a control in place to protect an asset does not necessarily mean that the asset is protected. Frequently, organizations implement control mechanisms, but then neglect the necessary periodic review, revision, and maintenance. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they are still effective.

2. According to Sun Tzu, what two key understandings must you achieve to be successful?

An observation made by Chinese General Sun Tzu Wu stated, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” In short, know yourself and know the enemy.

3. Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management?

In an organization, it is the responsibility of each community of interest to manage the risks that organization encounters. Each community of interest has a role to play. Since the members of the information security community best understand the threats and attacks that introduce risk into the organization, they often take a leadership role in addressing risk.

4. In risk management strategies, why must periodic review be a part of the process?

Frequently, organizations implement control mechanisms, but then neglect the necessary periodic review, revision, and maintenance. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they are still effective.

5. Why do networking components need more examination from an information security perspective than from a systems development perspective?

What two key understandings must you achieve to be successful in battle?

1) If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.

What information attribute is often of great value for local networks that use static addressing?

For local networks that use static addressing, the IP address is the information attribute of great value.

What are vulnerabilities? How do you identify them?

A vulnerability is a flaw that could lead to the compromise of the confidentiality, integrity or availability of an information system. Vulnerability identification is the process of discovering vulnerabilities within the target environment and documenting them in an inventory.

What is risk appetite? Explain why risk appetite varies from organization to organization.

Risk appetite varies from organization to organization because different organizations maintain different balances between the expense of controlling vulnerabilities and the losses possible if these vulnerabilities were exploited.