Q1.
What is the cost of the loss of data availability to the organization? Give two own examples of threats to data availability.
Q2.
The goal of a risk tolerance is to weighs the probable cost of compromises against the costs of security measures. We need to compare two different scenarios of security measures and their related risk. Complete the following table and conclude about which security measure is the best.
Base case | Security measure A | Security measure B | |
Asset Value (AV) | 100,000 SAR | 100,000 SAR | 100,000 SAR |
Exposure Factor (EF) | 80% | 20% | 80% |
Single Loss Expectancy (SLE): = AV*EF | |||
Annualized Rate of Occurrence (ARO) | 50% | 50% | 25% |
Annualized Loss Expectancy (ALE):= SLE*ARO | |||
ALE Reduction for security measures | NA | ||
Annualized security measures Cost | NA | 17,000 SAR | 4,000 SAR |
Annualized Net security measures Value | NA |
Note that the ALE Reduction for security measures = the Annualized Loss Expectancy (ALE) without security measure – the Annualized Loss Expectancy (ALE) with security measure.
Q3.
Information owners are responsible for classifying data and systems. Suppose you have a savings account at XYZ Bank that may contain your Account number, user ID, Password, residential ID, balance amount detail and transaction details. The bank staff in the bank use that information to service you with care.
Q4.
In a Private sector (commercial), the information system contains the following information:
Employee lists, Laboratory research, Payment card information, Organizational announcement, Product documentation, financial positions, annual reports, financial account numbers.
What type of classification commonly used by the Private sector? Where to fit the above mentioned information under the Private sector classification?
Who is the owner of above specified bank account information? Specify the different process of information owner begins with classification of information and ends with declassification.