Instructions:
Match each description to its plan by writing the description’s number in the appropriate blank. Some descriptions may apply to two or more plans.
Plans:
Business continuity plan (BCP) 2, 9, and 10
Disaster recovery plan (DRP) 1, 3, and 4
Business impact analysis (BIA) 5 and 7
Incident response plan 8
Descriptions:
1. May be part of a BCP or referred to in a BCP (DRP)
2. Covers all functions of a business, including IT systems, facilities, and personnel (BCP)
3. Includes critical business functions (CBFs) (DRP)
4. Details emergency response and activities (DRP)
5. Generally includes interviews, surveys, or meetings to assess environment (BIA)
6. Includes the five Ws—who, what, where, when, and why—and one H—how (CIRT)
7. Includes maximum acceptable outages (MAOs) (BIA)
8. Often specifies hot, warm, and cold sites (Incident Response Plan)
9. Helps an organization continue to operate during and after a disruption (BCP)
10. Generally includes only mission-critical systems (BCP)
Instructions:
Match common encryption algorithms and methods with the scenarios representing real-world business applications and requirements.
Common encryption algorithms and methods:
Data Encryption Standard (DES)
Rivest, Shamir, and Adleman (RSA) encryption algorithm
Triple DES
Diffie-Hellman key exchange
International Data Encryption Algorithm (IDEA)
El Gamal encryption algorithm
Carlisle Adams and Stafford Taveres (CAST) algorithm
Elliptic curve cryptography (ECC)
Blowfish
Secure Sockets Layer (SSL)
Advanced Encryption Standard (AES)
Digital signature
Quantitative Risk Assessment
Single loss expectancy (SLE): Total loss expected from a single incident
Annual rate of occurrence (ARO): Number of times an incident is expected to occur in a year
Annual loss expectancy (ALE): Expected loss for a year
ALE = SLE X ARO
Safeguard value: Cost of a safeguard or control
Scenario: Richman Investments provides high-end smartphones to several employees. The value of each smartphone is $500, and approximately 1,000 employees have these company-owned devices. In the past year, employees have lost or damaged 75 smartphones.
With this information, calculate the following:
SLE = $500
ARO = 75
ALE = $37,500
Richman is considering buying insurance for each smartphone. Use the ALE to determine the usefulness of this safeguard. For example, Richman could purchase insurance for each device for $25 per year. The safeguard value is $25 X 1,000 devices, or $25,000. It is estimated that if the insurance is purchased, the ARO will decrease to 5. Should the company purchase the insurance?
Determine the effectiveness of the safeguard:
Current ALE = $37500
ARO with control = 5
ALE with control = $2500
Savings with control = 35000 (Current ALE – ALE with control)
Safeguard value (cost of control) = $25,000
Realized savings = 10000 (Savings with control – safeguard value)
Should Richman buy the insurance? Explain your answer.
Clearly this is cost-effective. Instead of losing $37,500 a year, the organization spends $25,000 and loses only $2,500, for realized savings of $10,000.
Qualitative Risk Assessment
Probability: The likelihood that a threat will exploit a vulnerability. Probability can use a scale of low, medium, and high, assigning percentage values to each.
Impact: The negative result if a risk occurs. You can use low, medium, or high to describe the impact.
You can calculate the risk level using the following formula:
Risk Level = Probability X Impact
Scenario: Richman Investments is concerned about the security of its customer data. Management has determined that the three primary risks the company faces in protecting the data are as follows:
Unauthorized access by an external party
Sabotage by an internal employee
Hardware failures
Richman has created scales for the probability and impact of risks as follows:
Probability: Low = 10%, Medium = 50%, and High = 100%
Impact: Low = 10, Medium = 50, and High = 100
After surveying key individuals in the company, Richman calculated the probability and impact of each risk, as shown in the table below. Based on the information given above, calculate the risk level for each risk:
Category                                    Probability   Impact   Risk Level
Unauthorized access by an external party    25            50
Sabotage by an internal employee            75            100
Hardware failures                           30            25
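A worked version of both Richman calculations, added here as example code rather than part of the lab worksheet: the quantitative safeguard cost-benefit from the smartphone scenario and the Probability × Impact scoring for the customer-data table. Function and class names are my own, and the code assumes the probability scale is a percentage converted to a fraction, so a High/High risk scores 100.

```python
from dataclasses import dataclass
# Added worked example for the Richman scenarios above (not part of the lab text); names are mine.

def ale(sle: float, aro: float) -> float:
    """Annual loss expectancy: ALE = SLE x ARO."""
    return sle * aro

@dataclass
class SafeguardDecision:
    current_ale: float
    ale_with_control: float
    savings: float           # current ALE minus ALE with control
    safeguard_value: float   # annual cost of the control
    realized_savings: float  # savings minus safeguard value

    @property
    def worthwhile(self) -> bool:
        # A control is justified only when it saves more than it costs.
        return self.realized_savings > 0

def evaluate_safeguard(sle, aro, aro_with_control, cost_per_unit, units):
    """Compare the current ALE with the ALE after a control is applied."""
    current = ale(sle, aro)
    controlled = ale(sle, aro_with_control)
    savings = current - controlled
    cost = cost_per_unit * units
    return SafeguardDecision(current, controlled, savings, cost, savings - cost)

def risk_level(probability_pct: float, impact: float) -> float:
    """Risk Level = Probability x Impact (probability given as a percentage)."""
    # Assumption: probability is a percentage, so High (100%) x High (100) scores 100.
    return probability_pct / 100 * impact

def rank_risks(table):
    """Return (category, risk level) pairs, highest risk first."""
    scored = [(name, risk_level(p, i)) for name, p, i in table]
    return sorted(scored, key=lambda row: row[1], reverse=True)

RICHMAN_RISKS = [  # probability and impact values from the worksheet table
    ("Unauthorized access by an external party", 25, 50),
    ("Sabotage by an internal employee", 75, 100),
    ("Hardware failures", 30, 25),
]

if __name__ == "__main__":
    d = evaluate_safeguard(sle=500, aro=75, aro_with_control=5, cost_per_unit=25, units=1000)
    print(f"Current ALE ${d.current_ale:,.0f}; realized savings ${d.realized_savings:,.0f}; buy insurance: {d.worthwhile}")
    for name, level in rank_risks(RICHMAN_RISKS):
        print(f"{level:6.1f}  {name}")
```

Changing `cost_per_unit` to a premium above $35 per device makes `worthwhile` false, showing where the insurance stops paying for itself.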