Answer to the Question No- 1(a)
The security risk assessment team must understand the limitations of the interview process. Information
gathered during an interview should be considered as a way to identify areas for further study. The
interviewer can make mistakes through misinterpretation of the questions or the answers provided, or
through misreporting what was said. Many security risk assessments are performed by teams with
relatively little experience. In these situations, the likelihood that a question or the answer provided is
misinterpreted is greatly increased. Even experienced information security professionals can misinterpret
what is said by the interviewee.
The interviewee can make mistakes as well. It is quite typical that the interviewee is unfamiliar with many
of the terms used within the interview process, or the interviewee may have a different understanding of
the question than the interviewer does. In these cases, the answer provided may not be accurate. Also,
interviewees tend to be eager to please and will attempt to answer questions as fully as they can. This
leads to guessing and “filling in the blanks,” which again can result in inaccurate answers.
Answer to the Question No- 1(b)
It is important to collect and retain the evidence for all data gathered during a security risk assessment.
Evidence is used to support the claims made during the analysis portion of the security risk assessment
process. Although this may sound like a lot of extra work, proper evidence collection and tracking does not
place an undue burden on the project. Instead, collecting and tracking evidence properly can actually
reduce the effort required to perform a security risk assessment. Collecting and tracking evidence:
• Is easy to do if it is done while the data is being gathered.
• Provides better data upon which to make judgments. It is easier to assess the value or
certainty of data if you know how you got it, i.e., “Somebody said this,” as opposed to “We
found this vulnerability.”
• Provides a way to avoid arguments with the customer.
Answer to the Question No- 1(c)
Threat statement: “An employee may cause the release of sensitive information”
Associated administrative controls:
• Acceptable-use policy
• Monitoring
• Two-man control
• Job rotation
• Clearance refresh