1. As part of a formal risk assessment of the main file server for a small legal firm, you have identified the asset “integrity of the accounting records on the server” and the threat “financial fraud by an employee, disguised by altering the accounting records.” Suggest reasonable values for the items in the risk register for this asset and threat, with justifications for your choices.
2. As part of a formal risk assessment of the main file server in an IT security consultancy firm, you have identified the asset “confidentiality of techniques used to conduct penetration tests on customers, and the results of conducting such tests for clients, which are stored on the server” and the threat “theft/breach of this confidential and sensitive information by either an external or internal source.” Suggest reasonable values for the items in the risk register for this asset and threat, and provide justifications for your choices.
3. Consider the risk to “integrity of the accounting records on the server” from “financial fraud by an employee, disguised by altering the accounting records,” as discussed in Problem 1. From the list, select some suitable specific controls that could reduce this risk. Indicate what you believe would be the most cost-effective.