IS3110 Quiz 6 2015

1. Define an SLA and state why it is required in a risk adverse organization
Is a document that identifies an expected level of performance. It identifies the minimum uptime or the maximum downtime. Organizations use SLAs as contracts between a service provider and a customer. An SLA can identify monetary penalties if the terms are not met. Also at the bare minimum is should be the organizational Mission. If your organization has SLAs with other organizations, these should be included in the risk management review. You should pay special attention to monetary penalties. For example, an SLA could specify a maximum downtime of four hours. After four hours, hourly penalties will start to accrue. You can relate this to the maximum acceptable outage (MAO).

2. Using the USER domain, define risks associated with users and explain what can be done to mitigate them. Are related to social engineering. Users can be conned and tricked. A social engineer tries to trick a user into giving up information or performing an unsafe action. You can try to minimize these risks by raising user awareness. Implement acceptable use policies (AUPs) to ensure users know what they should and should not be doing. Use logon banners to remind users of the AUP. Send out occasional e-mails with security tidbits to keep security in their minds. Use posters in employee areas.

3. Using the WORKSTATION domain, define risks associated within that domain and explain what can be done to reduce risks in that domain.

These are related to malware and Viruses. Users can bring malware from home on Universal Serial Bus (USB) flash disks. They can accidentally download malware from Web sites. They can also install malware from malicious e-mails. The primary protection is to ensure that you install antivirus (AV) software. Additionally, you need to update AV signatures regularly. You can’t depend on the users to keep their signatures up to date. Instead, you must take control of the process. Many AV vendors provide tools to automatically install and update AV software on workstations. You must also be sure to keep operating systems up to date. When security patches become available, they should be evaluated and deployed when needed. Many of these security patches remove vulnerabilities. Without the patch, the systems remain vulnerable.

4. List four compliance laws, regulations, or mandates and explain them.
a. GLBA This is a standard for any organization dealing with Financials like a BANK
b. HIPPA HIPAA applies to any organization that handles health information. The obvious organizations that handle health information are hospitals and doctor’s offices. However, HIPAA reaches much farther than the medical industry. Health information includes any data that relates to the health of individuals
c. SOX is a standard for any organization that deals with Trade and Exchange.
d. ERPA = Is a set standard for educational Organizations which protect children from the age of 13 an below from viewing potential disturbing images on the Internet.

5. Define risk with a formula. Explain what each variable means.
The formula for risk is as follows:
Vulnerability X Threat = RISKS

A Vulnerability can be an open port that shouldn’t be open, Which can be exploited. Furthermore Vulnerability can be software as well as Physical access to a computer or server that shouldn’t be accessible.
A Threat can be a disgruntle employee can has the capability to do harm to an IT infrastructure.
Risks is when there’s an assessment performed and that can be determined the possibility or Potential Exploitation of Vulnerability by the Potential Threat. Also risk can be rated as High, Medium, and Low.