Your employer is pleased that you have become CISSP certified and would now like you to evaluate your company’s security policy. Your boss believes that encryption should be used for all network traffic and that a $50,000 encrypted database should replace the current customer database. Based on what you know about risk management, upon what should your decision to use encryption and purchase the new database be based? Choose the most correct answer.
A. If an analysis shows that there is potential risk, the cost of protecting the network and database should be weighed against the cost of the deterrent.
B. If an analysis shows that the company’s network is truly vulnerable, systems should be implemented to protect the network data and the customer database.
C. If the network is vulnerable, systems should be implemented to protect the network and the database, regardless of the price.
D. Because it is only a customer database and the company is not well known, the probability of attack is not as great; therefore, the risk should be accepted or transferred through the use of insurance.
Solution
A. Risk management requires that vulnerabilities be examined, that loss expectancy be calculated, that a probability of occurrence be determined, and that the costs of countermeasures be estimated. Only then can it be determined whether the value of the asset outweighs the cost of protection. It is possible that the cost of protection outweighs the value of the asset. Whereas some risk assessments use dollar amounts (quantitative) to value the assets, others use ratings (qualitative) based on breaches of confidentiality, integrity, and availability to measure value.
