7CCSMSEM
Security Management
Tutorial Weeks 4 and 5
(Sketch of Solutions)
Question 1. Name and explain one of the main challenges to conduct risk management.
One of the main challenges for risk management is the risk that comes from the organisation's supply chain. In particular, how the members of the organisation's supply chain (suppliers of both products and services) assess and manage information security risk, and the impact their choices have on the organisation, need to be accounted for. Even if an organisation manages its own risks very well, if one of the organisations in its supply chain does not, the organisation in question inherits the risks of that supplier. Examples of this include the breach Google suffered through the company that was its benefits provider, and devices sold on Amazon that are known to contain malware.
Question 2. What is an information Security Management System (ISMS)?
An information security management system (ISMS) is a set of policies, procedures and controls for systematically managing an organisation's information assets and the information security risks to them, so that the organisation's security posture can be established, operated, monitored, reviewed and improved in a repeatable way.
Question 3. Does ISO27005 recommend a method for risk assessment? Explain.
ISO27005 provides guidance on implementing an information security risk management process that specifically supports an ISO27001 ISMS. It does not recommend or prescribe a particular risk assessment methodology: it describes how the risk management process should be structured (context, assessment, treatment, acceptance, communication, monitoring and review), so the organisation is free to choose the risk assessment method that fits it.
Question 4. Does the process of certification against ISO27000-series include a vulnerability assessment (e.g. using assurance techniques)? Explain.
No, not usually. The certification process assesses the effectiveness of the ISMS and the associated risk management processes, ensuring there is a systematic, rigorous and repeatable framework in place and that it is actually being operated. Whether the organisation uses assurance techniques such as vulnerability assessment is a decision taken within that framework as part of risk treatment, not something the certification audit itself performs.
Question 5. Explain one advantage and one disadvantage of the global information infrastructure.
Example of an advantage (there are more in the slides): the global information infrastructure (GII) provides instant communications at low cost.
Example of a disadvantage (there are more in the slides): no overall responsibility, as the GII is composed of national information infrastructures under different jurisdictions, but there is no global governance body.
Question 6. What is a Market for Lemons and how does it apply to security economics?
The 'market for lemons' was an example introduced by Akerlof (a Nobel Prize winner) in 1970 to explain the concept of asymmetric information in economics. It presents the following simple yet profound insight: suppose that there are 100 used cars for sale in a town: 50 well-maintained cars worth $2000 each, and 50 'lemons' worth $1000. The sellers know which is which, but the buyers don't. What is the market price of a used car? You might think $1500; but at that price no good cars will be offered for sale, since their owners know they are worth more. So the market price will be close to $1000, and only lemons trade. This is one reason poor security products predominate. When users can't tell good from bad, they might as well buy a cheap antivirus product for $10 as a better one for $20, so vendors of better products cannot recover their extra cost, and we may expect a race to the bottom on price and quality.
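The collapse described above can be computed rather than argued in prose. The following is an added example, not part of the tutorial solutions, that iterates Akerlof's model to its fixed point: buyers, unable to tell items apart, pay at most the expected value of whatever is actually offered; sellers only offer items worth no more than the going price; repeat until the price stops moving. It generalises the two-tier car example to any list of item values and to the case where buyers value items somewhat more than sellers do (the `buyer_premium` parameter, an assumption of this model, not of the text). The function name and the parameters are this example's own.

```python
from statistics import mean


def lemons_equilibrium(seller_values, buyer_premium=0.0, tol=1e-9, max_iter=1000):
    """
    Iterate Akerlof's adverse-selection market to a fixed point.

    seller_values: what each seller privately knows their item is worth
                   (their reservation price). Buyers cannot see these.
    buyer_premium: fraction by which a buyer values an item above its seller
                   value (0.0 = buyers and sellers agree on value). This is
                   a modelling assumption added here, not part of the text.

    Each round, buyers pay (1 + buyer_premium) * E[value | item is offered],
    and an item is offered only if its value <= the current price.
    Returns (equilibrium price, sorted list of values that actually trade).
    """
    values = sorted(seller_values)
    if not values:
        raise ValueError("no items on the market")

    # Naive starting guess: buyers assume every item is for sale.
    price = (1.0 + buyer_premium) * mean(values)

    for _ in range(max_iter):
        # Sellers of items worth more than the price withdraw them.
        offered = [v for v in values if v <= price]
        if not offered:
            return 0.0, []  # nobody is willing to sell at this price: total collapse

        # Buyers revise their offer to the expected value of what remains.
        new_price = (1.0 + buyer_premium) * mean(offered)
        if abs(new_price - price) < tol:
            return new_price, offered  # fixed point reached
        price = new_price

    return price, offered


if __name__ == "__main__":
    # Constructed input: the textbook town of 50 good cars and 50 lemons.
    cars = [2000] * 50 + [1000] * 50

    price, sold = lemons_equilibrium(cars)
    print(f"buyers value cars as sellers do: price ${price:.0f}, "
          f"{len(sold)} cars trade, all worth ${sold[0]}")

    price, sold = lemons_equilibrium(cars, buyer_premium=0.5)
    print(f"buyers value cars 50% higher: price ${price:.0f}, "
          f"{len(sold)} cars trade")

    # Constructed input: three quality tiers collapse all the way to the worst.
    price, sold = lemons_equilibrium([3000, 2000, 1000])
    print(f"three tiers: price ${price:.0f}, traded values {sold}")
```

Run stand-alone it shows the $1500 naive guess falling to $1000 with only the 50 lemons trading, and the three-tier market collapsing to the single worst item. The `buyer_premium=0.5` run shows the other side of the argument: when buyers value items enough above what sellers do, the good items stay on the market and the price holds. Read "item value" as product quality and the same loop models the antivirus case: if customers cannot distinguish a $20 product from a $10 one, only the cheap product survives.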