7CCSMSEM
Security Management
Tutorial Week 3
Question 1. What are the differences between Threat Assessment, Vulnerability Assessment and Risk Assessment?
Question 2. Which are the six steps for Risk Management?
Question 3. Once the key risks have been assessed, what action is unacceptable for very low risks?
1) They can be ignored.
2) They can be accepted.
3) They can be reduced.
Question 4. What does a risk management plan include?
Question 5. A widget manufacturer has a network of 100 workstations and 1 server without Internet connectivity or anti-virus software. The company now installs a new server to provide Internet connectivity for employees to send/receive email and surf the Internet. The company has asked you to determine the annual loss that can be expected from viruses and determine if it is beneficial in terms of cost to purchase licensed copies of anti-virus software. What you know:
• You read in a trade magazine that other widget companies have reported an 80 percent chance of viruses infecting their network after installing Internet connectivity.
• The cost of restoring the network after an infection would be £10,000 (considering loss of productivity, data, etc.).
• A vendor will sell licensed copies of anti-virus software for all servers and the 100 workstations at a cost of £3,000 per year.
Now:
1. What is the Annualized Rate of Occurrence (ARO) for this risk?
2. What is the Annual Loss Expectancy?
3. What would you do with this risk? Explain why and include the specific name of the risk treatment type you would use, together with the particular action recommended for this risk.
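Worked calculation for the quantitative figures in Question 5, added here as an illustration and not part of the tutorial sheet. The 80 percent likelihood, £10,000 restoration cost and £3,000 licence cost are taken from the question; the effectiveness of the anti-virus software (how much of the infection rate it removes) is an assumed placeholder, since the sheet gives no figure for it.

```python
"""Quantitative risk analysis: ARO, SLE, ALE and safeguard cost-benefit.

Added example for the anti-virus scenario; the effectiveness value is an
assumption, everything else comes from the question text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # Single Loss Expectancy: cost of one occurrence (GBP)
    aro: float  # Annualized Rate of Occurrence: expected occurrences per year

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    effectiveness: float  # fraction of the ARO the safeguard removes, 0.0..1.0

    def residual(self, risk: Risk) -> Risk:
        """Risk that remains once the safeguard is in place."""
        return Risk(risk.name, risk.sle, risk.aro * (1.0 - self.effectiveness))

    def annual_value(self, risk: Risk) -> float:
        """Net benefit per year: ALE before - ALE after - cost of the safeguard."""
        return risk.ale - self.residual(risk).ale - self.annual_cost


def recommend(risk: Risk, safeguard: Safeguard) -> str:
    """Pick 'reduce' (buy the safeguard) when it pays for itself, else 'accept'."""
    return "reduce" if safeguard.annual_value(risk) > 0 else "accept"


# Figures constructed from the text of Question 5
VIRUS_RISK = Risk("virus infection via the new Internet server", sle=10_000.0, aro=0.8)
# ASSUMPTION: the sheet does not say how much licensed anti-virus lowers the
# infection rate; 0.9 is a placeholder to make the comparison concrete.
ANTI_VIRUS = Safeguard("licensed anti-virus for all servers and 100 workstations",
                       annual_cost=3_000.0, effectiveness=0.9)

if __name__ == "__main__":
    print(f"ARO = {VIRUS_RISK.aro}, ALE = £{VIRUS_RISK.ale:,.0f} per year")
    print(f"Net value of safeguard = £{ANTI_VIRUS.annual_value(VIRUS_RISK):,.0f} per year")
    print("Treatment:", recommend(VIRUS_RISK, ANTI_VIRUS))
```

Changing the assumed effectiveness shows when the licence stops paying for itself: the safeguard is only worth buying while the ALE it removes exceeds its annual cost.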