All of these are important deliverables of our risk analysis, but the MOST important is the actionable items we can do to mitigate our risk to an acceptable level. We use the BIA to determine mitigations, the process owners need to know they are responsible for their risks, and we want the clear quantification of organizational risks, but they are all secondary to the actionable items we need to minimize our risks to acceptable levels.

Bob should notify the data owner FIRST. They can with our help determine how bad the damage is, and with the incident response team determine the appropriate corrective actions. We will later inform the steering committee, the customers and the regulatory agencies, if it is appropriate based on our internal policies and the regulations and laws we need to adhere to.

Looking at the ratio of false positives to false negatives would be the BEST metric to determine how effective our IDSs are. If it is configured to be as effective as possible, we would have minimal false positives (alert on allowed traffic), and minimal false negatives (no alert on malicious traffic). The number of attacks we detect, and number of successful attacks, or the ratio of successful to unsuccessful attacks in themselves are not enough to determine if our IDS is effective.

Acquiring a competing organization would have the largest impact on Information Security impact. We would need to integrate their staff, hardware, software, and everything else they have into our organization. We need to ensure everything in their organization is at the same high level of security standards as we have. This can often take months or years to ensure they are as secure as we are, and first then would we possibly connect the networks. Building a new office, moving a data center or upgrading our firewalls would still have Information Security impacts, but we already have procedures and policies in place to deal with events such as these.

The BEST mitigation to recommend senior management would be risk transference (We buy flooding insurance). Senior management were clear, they did not want risk acceptance, they wanted to mitigate. Risk rejection is knowing the risk is there but ignoring it (never OK). Senior management did also not want risk avoidance, we could have done that by not building the data center in the area that is prone to flooding.

Having a centralized information security management system will give us more predictable results and it will allow us to follow our policies much easier. Centralized systems are often cheaper than decentralized, but they are often less aligned with business unit's needs, since we apply the same posture across the entire enterprise.

We get the RTO from our business impact analysis, and it is part of our MTD (Maximum tolerable downtime). What is the maximum amount we can have a system or function down before we are severely impacted? A GAP analysis we use to map a path from our current state to our desired state. A SWOT analysis is analyzing the Strengths, Weaknesses, Opportunities and Threats of our organization. The risk analysis would be part of the business impact analysis, but not what we use for the RTO.

The chief operating officer (COO) is ideally whom you should report to, they are high enough in the organization and they have the 30,000ft view of both business operations and objectives. If not the COO, it should be the CEO, but that is not an answer option here, even if it was the COO would still be first choice. Legal counsel, auditors, and the Information Security manager would be key members of the steering committee, but none of them should sponsor the committee.

If we want to ensure the data has not been altered, the best way to do that is to compare a hash of the original file and a hash of the current file. The 2 hashes should be identical, if they are not the data was altered. We would not be able to tell what was changed, just that something was. The file size can easily be made to look the same as the original even if the data was altered. Using symmetric encryption can give us confidentiality, but not an integrity check. If the file is important, we would most likely use strong access control, but again it would not tell us if the file was altered, only that it would be difficult to access.

The best way to improve on incidence performance and consistent employee responses would be to test the plan. Testing the IDS/IPS is good to do but would have done nothing in this situation. A review of the incidence procedures may have helped, but the testing is much more efficient. Us making mandatory Information Security training is also good but would not have done anything in this case.