Project One

School: Southern New Hampshire University
Course: 313
Subject: Information Systems
Date: Feb 20, 2024
Type: docx
Pages: 3
Uploaded by PrivateBraveryEmu1997

1. Scope: Risk management is a comprehensive, and often complicated, activity that requires the entire company to be involved. The current plan appears to give a high-level overview of Workers Werks Credit Union's (WWCU) risk management strategy. It begins by laying out the escalation process and the roles that each executive and manager plays to ensure that WWCU is prepared to respond to any risk that may be discovered. The risk management plan should be treated like any other change that requires the participation of the entire management team.

a. How does the plan describe its objectives? A primary goal, though not the sole purpose, of this plan is to safeguard the business's profitability by ensuring that all of the company's systems are secured and that its risk management system does not result in unnecessary spending. To do this, the plan sets out a risk management technique whose steps must be followed in a specific order. The first stage is to identify the information system, which requires several inputs, one of which is a description of how the IT design is to be safeguarded.

b. How does the plan balance risk and cost? The plan includes a risk evaluation section that describes, in several steps, what the company should do to protect its systems against common cybersecurity threats. This is meant to reduce risk and promote a secure network. The cost of a data breach could be quite high and severely impact the company. To avoid such a costly issue, the plan contains a threat assessment component that will help recognize possible hazards and reduce them before they occur.

c. In what ways does the plan cover the business objectives end to end? The first step suggested by NIST for risk management is the categorization of information systems and of the information processed, stored, or transmitted on those systems. The plan specifies how it will categorize information based on three tenets: confidentiality, integrity, and availability, also known as the CIA triad.

d. How does the plan address all stakeholders who could be impacted by a cybersecurity attack? Under the assets section, the organization appears to be aware of the controls that must be implemented to achieve the main goal, which is to secure critical assets. If that information were compromised, stakeholders could be harmed.

2. Risk: Determine how the current plan identifies risks.

a. How does the plan identify the risks, vulnerabilities, and threats that could impact mission-critical business functions and processes? The plan specifies a risk assessment process that includes identifying the assets that need to be protected, identifying threats to the system, identifying the existing security controls used to protect those assets, and identifying vulnerabilities and how they will be fixed.

b. How does the plan identify industry-related risks (internal and external)? It is nearly impossible to identify every possible security risk and vulnerability to a business. WWCU's risk management plan requires its IT and cybersecurity team to conduct a risk assessment to determine the potential harm and exposure factors likely to result from an identified threat or vulnerability. One approach the firm uses is the concept of "risk treatment," which includes choices such as risk control, risk retention, and risk avoidance.

3. Impact: Analyze how the identified risks might impact the organization's assets.

a. How does the plan identify key assets and activities that need to be protected? Impact values are assigned as low, moderate, or high. These values represent the potential impact a risk has on important assets. Each tenet of the CIA triad should be considered and given its own place in the risk assessment. Team members can use their expertise to assess the likelihood of a threat and, if necessary, establish impact categories to help determine risk exposure.

b. How does the plan estimate the financial impact of losses? A quantitative risk analysis should be included in the strategy to quantify the financial cost and loss. Each asset must be given a value, and quantitative risk analysis can help with that. The analysis can also help evaluate the cost of the countermeasures and controls that could be used to mitigate vulnerabilities and possible risks. Each risk can then be given a priority, with the highest priority going to the vulnerabilities and risks with the highest impact.

c. How does the plan address business continuity and asset replacement? Even in the event of a data breach, business continuity is very important, and having a plan in place to continue operations would benefit the company. This plan does not have such a strategy in place. The strategy should cover how data is backed up, how damaged or lost assets are handled, and how system downtime is addressed.

4. Mitigation: Evaluate the current plan's mitigation recommendations.

a. How effectively does the plan translate the risk assessment into a risk mitigation plan? WWCU needs to have strategies in place to reduce the likelihood or effect of a risk occurring. It would be able to reduce risks to an acceptable level by applying protections to the identified risks and vulnerabilities.
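To make the impact analysis (3a), the quantitative financial analysis (3b), and the prioritization and mitigation steps (4a) concrete, here is a small risk register written for this review. It is an added example, not part of the report or of WWCU's plan. It assumes the standard single-loss-expectancy / annualized-rate-of-occurrence / annualized-loss-expectancy (SLE/ARO/ALE) model, uses a deliberately simplified rule to choose among the report's three treatment options (control, retention, avoidance), and every asset, threat, control, and dollar figure in it is constructed for illustration.

```python
"""Added illustration: a small risk register that applies the qualitative
(low/moderate/high per CIA tenet) and quantitative (asset value, loss
expectancy, countermeasure cost) analysis the report calls for.

Assumptions (not from the report): the standard SLE/ARO/ALE model is used,
the treatment decision rule is a simplification, and every asset, threat,
control and dollar figure below is constructed for the example.
"""
from dataclasses import dataclass

# Ordinal scale for the low/moderate/high impact values
IMPACT_LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Asset:
    name: str
    value: float            # business/replacement value in dollars (constructed)
    confidentiality: str    # impact level if confidentiality is lost
    integrity: str          # impact level if integrity is lost
    availability: str       # impact level if availability is lost

    def overall_impact(self) -> str:
        # High-water mark: the asset's category is the highest of its three tenets
        tenets = (self.confidentiality, self.integrity, self.availability)
        return max(tenets, key=lambda level: IMPACT_LEVELS[level])


@dataclass
class Risk:
    asset: Asset
    threat: str
    exposure_factor: float  # fraction of asset value lost when the threat occurs
    aro: float              # annualized rate of occurrence without the control
    control: str            # candidate countermeasure (hypothetical)
    control_cost: float     # annual cost of the countermeasure
    residual_aro: float     # annualized rate of occurrence with the control in place

    def sle(self) -> float:
        """Single loss expectancy: value lost in one occurrence."""
        return round(self.asset.value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Annualized loss expectancy before any countermeasure."""
        return round(self.sle() * self.aro, 2)

    def residual_ale(self) -> float:
        """Annualized loss expectancy once the countermeasure is applied."""
        return round(self.sle() * self.residual_aro, 2)

    def control_benefit(self) -> float:
        """Net annual benefit of the control: risk reduced minus control cost."""
        return round(self.ale() - self.residual_ale() - self.control_cost, 2)


def build_register() -> list:
    """Constructed sample register for a credit-union-like environment."""
    accounts = Asset("member account database", 2_000_000, "high", "high", "moderate")
    website = Asset("public website", 150_000, "low", "moderate", "high")
    workstations = Asset("branch workstation fleet", 300_000, "moderate", "moderate", "moderate")
    legacy_ftp = Asset("legacy file transfer service", 80_000, "high", "moderate", "low")
    return [
        Risk(accounts, "credential theft leading to account data breach",
             0.5, 0.2, "multi-factor authentication for privileged access", 40_000, 0.05),
        Risk(website, "website defacement", 0.2, 0.5,
             "web application firewall", 25_000, 0.3),
        Risk(workstations, "ransomware on branch workstations", 0.6, 0.5,
             "endpoint detection plus offline backups", 30_000, 0.1),
        Risk(legacy_ftp, "interception of member data on legacy file transfer",
             1.0, 0.4, "retrofit encryption onto the legacy channel", 35_000, 0.1),
    ]


def prioritize(risks: list) -> list:
    """Highest expected loss first; ties broken by the asset's impact category."""
    return sorted(risks, key=lambda r: (-r.ale(), -IMPACT_LEVELS[r.asset.overall_impact()]))


def recommend_treatment(risk: Risk, acceptable_ale: float) -> str:
    """Map a risk to one of the report's treatment options (simplified rule).

    retain  - expected loss is already within the acceptable level
    control - the countermeasure pays for itself in reduced expected loss
    avoid   - no cost-effective control; stop or redesign the activity
    """
    if risk.ale() <= acceptable_ale:
        return "retain"
    if risk.control_benefit() > 0:
        return "control"
    return "avoid"


def treatment_plan(risks: list, acceptable_ale: float) -> list:
    """Return (threat, ALE, treatment) tuples in priority order."""
    return [(r.threat, r.ale(), recommend_treatment(r, acceptable_ale))
            for r in prioritize(risks)]


if __name__ == "__main__":
    for threat, ale, decision in treatment_plan(build_register(), 20_000):
        print(f"{ale:>12,.2f}  {decision:<8} {threat}")
```

Running it with an acceptable annual loss of $20,000 ranks the account-database breach first, recommends controls where the countermeasure's cost is below the loss it prevents, flags the legacy transfer service for avoidance because no affordable control brings it within tolerance, and leaves the low-value website risk as retained. The acceptable-loss threshold is the one input management, not the security team, has to set; the register only makes the trade-off visible.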
b. How does the plan prioritize risk elements? One of the measures specified in the risk management plan is the implementation of security controls. Security policies, when properly implemented, can also help reduce risks to an acceptable level. The current risk management plan does not have any methods for applying security policies.

5. Legal Compliance: Assess how the plan addresses legal considerations. If security standards and regulations are not followed, the company may face legal costs and litigation following a data breach. A section outlining how the organization will guarantee compliance with applicable security rules and regulations must be included. Being compliant means not only adhering to legal statutes and regulations but also adhering to the company's own policies and processes. The risk management strategy does not specify how the business will demonstrate compliance. It should include a strategy for how it will ensure optimal security practices in its operations, as well as processes for changing those policies as needed.

6. Non-Compliance: Determine how the plan anticipates the implications of non-compliance. Compliance requires the company not only to follow applicable laws but also its own policies and procedures. The current risk management plan does not lay out or make any mention of how the company would prove compliance. It would be best to lay out documentation that provides proof of compliance, and to update policies and procedures that become outdated or non-compliant with industry standards.

7. Ethical Considerations: Assess how the plan aligns with current ethical codes within the cybersecurity field. WWCU needs to have a code of ethics in place to ensure that its security operations comply with the law. It is easy to assume a company follows its own code of ethics, but it is still important to have a plan for how it will guarantee that everyone in the company works to maintain a secure system and protect the information on it. WWCU must develop a clear set of rules that define behavioral expectations and ensure that correct IT security procedures are followed.