Home > Articles

  • Print
  • + Share This
This chapter is from the book

Apply Your Knowledge

You have seen in this chapter the importance of risk assessment. Inventorying assets, determining the risk to those assets, and evaluating countermeasure options are all part of good IT governance.

Exercises

2.1 Determining the steps for quantitative risk assessment

In this exercise, you examine the proper order for quantitative risk assessment.

Estimated Time: 5 minutes

  1. Place the following quantitative risk analysis steps and calculations in the proper sequential order (first step = 1, last step = 6):

    _____ Determine the annual rate of occurrence (likelihood of occurrence).

    _____ Identify threats to the asset.

    _____ Determine the asset value (AV).

    _____ Calculate the annualized loss expectancy for each asset.

    _____ Calculate the single loss expectancy.

    _____ Identify the exposure factor for each asset in relation to the threat.

  2. Compare your results to the answers here:
    1. Determine the asset value (AV).
    2. Identify threats to the asset.
    3. Identify the exposure factor for each asset in relation to the threat.
    4. Calculate the single loss expectancy.
    5. Determine the annual rate of occurrence.
    6. Calculate the annualized loss expectancy for each asset.

2.2 Calculate single loss expectancy

In this exercise, you calculate single loss expectancy.

Estimated Time: 10 minutes

  1. Examine Table 2.7 and fill in the ALE for each item shown.

    Table 2.7. Annualized Loss Expectancy

    IT Asset Name

    SLE Value

    Threat

    ARO Value

    ALE Value

    Cisco PIX firewall

    $4,795

    DoS attack

    .05

    WAN circuits (2 remote data centers)

    $3,250

    Power failure

    .15

    Cisco 6500 switch/router

    $5,400

    Power failure

    .15

    LAN connectivity

    $18,500

    Hardware failure

    .12

    Gateway servers—Pentium 4s

    $4,950

    Power failure

    .20

    Microsoft SQL Server

    $6,000

    Software vulnerability

    .60

    Oracle SQL data (customer data)

    $120,000

    Hacker attack

    .30

  2. Now compare your results to the values shown in Table 2.8:

    Table 2.8. Annualized Loss Expectancy Values

    IT Asset Name

    SLE Value

    Threat

    ARO Value

    ALE Value

    Cisco PIX firewall

    $4,795

    DoS attack

    .05

    $239

    WAN circuits (2 remote data centers)

    $3,250

    Power failure

    .15

    $487

    Cisco 6500 switch/router

    $5,400

    Power failure

    .15

    $810

    LAN connectivity

    $18,500

    Hardware failure

    .12

    $2,220

    Gateway servers—Pentium 4s

    $4,950

    Power failure

    .20

    $990

    Microsoft SQL Server

    $6,000

    Software vulnerability

    .60

    $3,600

    Oracle SQL data (customer data)

    $120,000

    Hacker attack

    .30

    $36,000

  3. Which item in Table 2.8 represents the greatest dollar risk when ranked per ALE?
  4. What three methods can be used to deal with risk?

Exam Questions

  1. Which of the following control documents describes a software-improvement process that is characterized by five levels, where each level describes a higher level of maturity?

    1. ISO 17799
    2. CMM
    3. COSO
    4. CobiT
  2. A network administrator should not share the duties of which of the following roles?

    1. Quality assurance
    2. Systems administrator
    3. Application programmer
    4. Systems analyst
  3. You are auditing a credit card payment system. Which of the following methods provides the best assurance that information is entered correctly?

    1. Audit trails
    2. Separation of data entry and computer operator duties
    3. Key verification
    4. Supervisory review
  4. Which level of the CMM is characterized by its capability to measure results by qualitative measures?

    1. Level 1
    2. Level 2
    3. Level 3
    4. Level 4
  5. Which of the following is most closely associated with bottom-up policy development?

    1. Aligns policy with strategy
    2. Is a very slow process
    3. Does not address concerns of employees
    4. Involves risk assessment
  6. Which of the following offers the best explanation of a balanced score card?

    1. Used for benchmarking a preferred level of service
    2. Used to measure the effectiveness of IT services by customers and clients
    3. Verifies that the organization's strategy and IT services match
    4. Measures the evaluation of help-desk employees
  7. Your organization is considering using a new ISP now that the current contract is complete. From an audit perspective, which of the following would be the most important item to review?

    1. The service level agreement
    2. The physical security of the ISP site
    3. References from other clients of the ISP
    4. Background checks of the ISP's employees
  8. Separation of duties is one way to limit fraud and misuse. Of the four separation-of-duties controls, which most closely matches this explanation: "This control allows employees access to cash or valuables"?

    1. Authorization
    2. Custody
    3. Recordkeeping
    4. Reconciliation
  9. Which of the following job roles can be combined to create the least amount of risk or opportunity for malicious acts?

    1. Systems analyst and quality assurance
    2. Computer operator and systems programmer
    3. Security administrator and application programmer
    4. Database administrator and systems analyst
  10. You have been asked to perform a new audit assignment. Your first task is to review the organization's strategic plan. Which of the following should be the first item reviewed?

    1. Documentation that details the existing infrastructure
    2. Previous and planned budgets
    3. Organizational charts
    4. The business plan

Answers to Exam Questions

  1. B. This capability maturity model specifies five levels of control for software maturity levels. Answer A is incorrect because ISO 17799 is a comprehensive set of controls designed to gauge best practices in information security. Answer C is incorrect because COSO was designed to help prevent and detect fraud in financial reports. Answer D is incorrect because CobiT was designed to aid in the development of good IT process and policies.
  2. C. A network administrator should not have programming responsibilities. Answers A, B, and D are all duties that an administrator can hold, but the network administrator might have end-user responsibilities, aid in the system administration, and help in the early phases of design.
  3. C. Key verification would provide the highest level of confidence. Answer A is incorrect because audit trails would provide details of the entered activities but would not improve accuracy. Answer B is incorrect because separating job roles would be an additional control but would not add any accuracy to the information that was entered incorrectly. Answer D is incorrect because supervisory review is a detective and compensating control, but is not the best answer.
  4. C. Level 3 of the capability maturity model is considered the defined level. Level 3 is characterized by its capability to use qualitative measurements. Answers A, B, and D are incorrect because the levels do not feature qualitative measurement.
  5. D. Bottom-up policy development addresses the concerns of operational employees because it starts with their input and concerns, and examines risk. Answers A, B, and C are incorrect because all these items are tied to top-down policy development. A top-down approach aligns with company policy, is a slow process, and might not fully address the concerns of employees.
  6. C. A balanced score card is used to match the organization's information technology to the strategy of the organization. Answer A is incorrect because it is not used for benchmarking, answer B is incorrect because it is not used to measure effectiveness, and answer D is incorrect because it is not used to evaluate help-desk employees.
  7. A. Anytime an outsourcing provider will provide a time-sensitive process, such as ISP services, an SLA is one way to obtain a guarantee of the level of service the outsourcing partner is agreeing to provide. The SLA should specify the uptime, response time, and maximum outage time they are agreeing to. Answer B is incorrect because physical security is important, but it is not the most important, in this case. Answers C and D are incorrect because neither would serve as an adequate measure for an independent evaluation of the ISP's service capability.
  8. B. Custody is the access to cash, merchandise, or inventories. Answer A is incorrect because authorization describes verifying cash, approving purchases, and approving changes. Answer C is incorrect because recordkeeping deals with preparing receipts, maintaining records, and posting payments. Answer D is incorrect because reconciliation deals with comparing dollar amounts, counts, reports, and payroll summaries.
  9. D. Database administrator and systems analyst are two roles that ISACA believes can be combined. Answers A, B, and C are incorrect because none of these positions should be combined. The auditor should understand how the combination of certain roles increases risk. As an example, a systems analyst should be discouraged from performing the duties of someone in a quality assurance role. If these roles are combined, quality-assurance levels could be compromised if strong compensating controls are not being used.
  10. D. Before auditors can begin any technical duties, they must understand the environment in which they are working. The best way to do that is to review the business plan, which details the goals of the organization. Only after the business plan has been reviewed should the other items listed be reviewed. Therefore, answers A, B, and C are incorrect.
  • + Share This
  • 🔖 Save To Your Account