- What is meant by the term “acceptable information system security risk”? Who within the organization determines what is the acceptable level of information system risk? How does an organization determine what is an acceptable level of risk?
- What is an information risk profile? How is it used? Why is it critical to the success of an organization’s risk management strategies and activities?
- How would you go about creating an information risk profile for a small start-up business? Describe what the risk profile for the business would contain. How should the business use the risk profile?
Note on the difference between the security objectives Integrity and Availability:
In thinking through our class discussion of the possible overlap in meaning, and the resulting confusion, between integrity and availability, the difference between the two becomes clear once we recognize that:
- Integrity of information implies trust in the validity, correctness, and authorized value of each datum (i.e. single data value) of information
- Availability of information implies physical/virtual ability to access and use information.
Thus a loss or breach of integrity may result in an incorrect decision or mistake due to data inaccuracy, or due to reliance on a datum or data (i.e. plural of datum) lacking authoritative sanction. In contrast, a loss of availability of information may result in an inability to perform one or more tasks. A breach of either integrity or availability may lead to an adverse effect on organizational operations, organizational assets, or individuals. We will continue our discussion next week in class.
All Questions
- What are 3 types of risk-mitigating controls? Which is the most important? Why is it the most important?
- How would you apply the FIPS 199 security categorizations to decide whether each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?
- Which information security objective(s) could be put at risk if the alternative safeguards recommended by the FGDC guidelines are applied? Explain how the objective(s) is put at risk by the mitigation(s).