INFO5301 Information Security Management
4. Contractors
Answer:
A
It is commonly stated that internal threats comprise 70% – 80% of the overall threat to a company. The reason is that employees already have privileged access to a wide range of company assets. In contrast, people from outside who want to cause damage must first obtain this level of access before they can carry out the type of damage internal personnel could inflict. A large share of the damage caused by internal employees is brought about by mistakes and system misconfigurations rather than malice.
Duration: 5 min
Exercise 4:
To perform and review the risk analysis, the team members must come from different departments of the organization. Which of the following is true? Explain why.
1. To make sure the process is fair and that no one is left out.
2. Because people in different departments understand the risks of their department. Thus, it ensures the data going into the analysis is as close to reality as possible.
3. Because the people in the different departments are the ones causing the risks, so they should be the ones held accountable.
4. It is not true. It should be a small group brought in from outside the organization because otherwise the analysis is biased and unusable.
Answer:
(2) is true.
An analysis is only as good as the data that goes into it. Data pertaining to the risks the company faces should be gathered from the people who best understand the business functions and environment of the company. Each department understands its own threats and resources, and may have possible solutions to specific threats that affect its part of the company. For instance, the team members may be drawn from management, application programmers, IT staff, systems integrators, and operational managers, or any other key personnel from key areas of the organization.
Duration: 5 min
Exercise 5:
Many types of threat agents can take advantage of several types of vulnerabilities. Match the following threat agents to the vulnerabilities that they can exploit.