Harrisburg University ISEM 580 Summer 2017
IT Security Risk Management Overview
Objectives
What is Security Risk Management
The goals, value, and benefits of Security Risk Analysis
Security Program (Principles & Elements)
IT Security Risk Analysis Approaches (Quantitative & Qualitative)
IT Security Risk Analysis Report
Definitions & References
What is Security Risk Management?
Security risk management relies on properly identifying and valuing the company's assets, and on implementing security policies, procedures, standards, and guidelines that protect the confidentiality, integrity, and availability of those assets.
IT Security Risk Analysis- Goals
Goals of Security Risk Analysis
Identify assets and their criticality and value to the organization
Identify vulnerabilities and threats
Quantify the probability and business impact of these potential threats
Provide an economic balance between the impact of the threat and the cost of the countermeasure
Determine the effectiveness of security program
IT Security Program- Principles
Security Program Main Principles:
Availability
Integrity
Confidentiality
IT Security Management Program
Security Program Elements
Security Governance & Management
Information Security Policies
Business Continuity & Disaster Recovery
Identity Access Management
Administrative, Technical, and Physical Controls
Software Development Lifecycle
Physical & Environmental Security
Security Architecture Model & Profile
Incident Response
Risk and Vulnerability Management
Asset Identification and Management
Logging and Monitoring
Compliance
Security Awareness and Training
IT Security Risk Analysis- Questions
Questions regarding IT Security Risk Analysis
Why should a risk analysis be conducted?
When should a risk analysis be conducted?
What can a risk analysis analyze?
What can the results of risk analysis tell an organization?
Who should review the results of a risk analysis?
How is the success of risk analysis measured?
IT Security Risk Analysis- Benefits
Customer, investor, stockholder, and taxpayer confidence in the organization
Protect confidentiality of sensitive information
Protect sensitive operational data from inappropriate disclosure
Avoid third-party liability for illegal or malicious acts committed with the organization's systems
Ensure that the organization's computers, network, and data are not misused or wasted
Avoid fraud
Avoid expensive and disruptive incidents
Comply with pertinent laws and regulations
Avoid unruly behavior and incidents in the workplace
IT Security Risk Analysis
Components, Approaches, & Best Practices
IT Security Risk Analysis- Methodology
Security risk analysis, otherwise known as risk assessment, is fundamental to the security of any organization. It is essential in ensuring that controls and expenditure are fully commensurate with the risks to which the organization is exposed.
IT Security Risk Analysis- Asset Identification
Asset: Anything that has value to an organization
Most enterprises divide assets into two major categories: Physical (or Fixed) Assets and Logical Assets
Asset identification is the use of attributes and methods to uniquely identify an asset
IT Security Risk Analysis- Methodology
Vulnerability: a software, hardware, procedural, or human weakness that may give an attacker the open door they are looking for to enter a computer network and obtain unauthorized access to resources within the environment.
Threat: any potential danger to information systems. A threat exists when someone or something can identify and exploit a vulnerability.
Risk: the likelihood of a threat agent exploiting a vulnerability, combined with the corresponding business impact.
IT Security Risk Analysis- Threat Identification
Threats are normally classified into three main categories:
Natural Threats
Accidental Threats
Intentional Threats
IT Security Risk Analysis- Threat Identification
Some common natural threats are:
Flood
Ice storm
Severe thunderstorms
Blizzard
Earthquake
Flash flood
Tornado
IT Security Risk Analysis- Threat Identification
Some common accidental threats are:
Disclosure
Electrical disturbance
Environmental failure
Software error
Hardware failure
Operator/User error
Fire
IT Security Risk Analysis- Threat Identification
Some common intentional threats are:
Alteration of data
Alteration of software
Disclosure
Fraud
Theft
Employee sabotage
Strike
Unauthorized Use
IT Security Risk Analysis
Quantitative IT Security Risk Analysis Approach
Quantitative IT Security Risk Analysis
Quantitative IT Security Risk Analysis- ALE, SLE, ARO
Risk Analysis Calculations (Potential Loss per Threat)
Single Loss Expectancy (SLE)
SLE = (Asset Value) x (Exposure Factor); where the Exposure Factor (EF) is the percentage of the asset's value that would be lost if the threat were realized once.
Annualized Loss Expectancy (ALE)
ALE = SLE x ARO; where ARO is the Annualized Rate of Occurrence, the number of times a specific threat is expected to occur within a one-year timeframe.
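The SLE and ALE formulas above, carried through in code as an added example (not from the lecture deck). It also goes one step further than the slide and compares the ALE before and after a countermeasure against the countermeasure's annual cost, which is the "economic balance" goal stated earlier. The asset value, exposure factors, ARO figures, and safeguard cost are constructed for illustration.

```python
"""Quantitative risk calculations: SLE, ALE and countermeasure cost/benefit.

Added example, not code from the lecture deck. The asset value, exposure
factors, ARO figures and safeguard cost below are constructed numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float              # annualized rate of occurrence (events per year)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")


def sle(threat: Threat) -> float:
    """Single Loss Expectancy: SLE = AV x EF."""
    return threat.asset_value * threat.exposure_factor


def ale(threat: Threat) -> float:
    """Annualized Loss Expectancy: ALE = SLE x ARO."""
    return sle(threat) * threat.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float  # amortized purchase plus operating cost per year
    new_ef: float       # exposure factor once the control is in place
    new_aro: float      # ARO once the control is in place


def ale_with_safeguard(threat: Threat, safeguard: Safeguard) -> float:
    """ALE after the safeguard: same asset, reduced EF and/or ARO."""
    reduced = Threat(threat.name, threat.asset_value, safeguard.new_ef, safeguard.new_aro)
    return ale(reduced)


def annual_net_benefit(threat: Threat, safeguard: Safeguard) -> float:
    """(ALE before) - (ALE after) - (annual cost of the safeguard).

    Positive means the control costs less per year than the loss it removes;
    negative means the organization would pay more for the control than the
    risk it retires, and should look for a cheaper control or accept the risk.
    """
    return ale(threat) - ale_with_safeguard(threat, safeguard) - safeguard.annual_cost


# Constructed scenario: a file server holding customer records, AV = 500,000.
ransomware = Threat("ransomware on file server", asset_value=500_000,
                    exposure_factor=0.40, aro=0.5)
# Constructed safeguard: offline backups plus endpoint detection, assumed to
# halve the occurrence rate and reduce each loss to a restore cost.
backups_edr = Safeguard("offline backups + EDR", annual_cost=30_000,
                        new_ef=0.05, new_aro=0.25)

if __name__ == "__main__":
    print(f"SLE                 = {sle(ransomware):,.0f}")
    print(f"ALE                 = {ale(ransomware):,.0f}")
    print(f"ALE after safeguard = {ale_with_safeguard(ransomware, backups_edr):,.0f}")
    print(f"Annual net benefit  = {annual_net_benefit(ransomware, backups_edr):,.0f}")
```

With these constructed numbers the SLE is 200,000, the ALE 100,000, and the safeguard brings the ALE down to 6,250 for 30,000 a year, a net benefit of 63,750. The same arithmetic with a safeguard that costs more than the ALE it removes returns a negative number, which is the signal that the control is not economically justified for that threat.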
IT Security Risk Analysis
Qualitative IT Security Risk Analysis Approach & Best Practices
Qualitative IT Security Risk Analysis
The steps involved in conducting a qualitative security risk analysis are as follows:
Define Scope (define what is to be examined and accomplished)
Assemble a competent team
Identify Threats (determine which threats can cause harm to the asset under review)
Determine threat probability and prioritization (determine how often each of the identified threats is likely to occur)
Determine Impact (determine the impact to the asset under review)
Calculate total threat impact (calculation of probability and impact rankings resulting in the overall Risk Factor)
Identify safeguards and cost to implement (controls and countermeasures, usually ranked in order)
Risk Analysis Report (the results of the risk analysis process must be presented to management in a formal report)
Qualitative IT Security Risk Analysis - Threat Probability and Prioritization
Once the threats have been identified, the risk analysis team needs to determine how often each identified threat is likely to occur. In a qualitative analysis the frequencies are expressed as low, medium, and high (or some variation of these) and are given a numeric value by applying the number assigned to each level in the threat priority table illustrated above.
Qualitative IT Security Risk Analysis Threat Impact Level Values
The security risk analysis team defines the threat impact levels and their associated values, then determines the impact to the asset under review if the specific threat were to occur. In a qualitative analysis each impact level is defined and assigned a numeric value, as illustrated in the table above.
Qualitative IT Security Risk Analysis – Total Threat Impact
The security analysis team adds the threat priority value to the impact value to obtain the overall risk factor for each verified threat.
After all risk factors have been calculated, the team sorts the entire table by the risk factor column from the highest value to the lowest. Threats with a risk factor of 8 or greater are then moved to the safeguard identification worksheet.
It is important to note that no enterprise has sufficient resources to examine every risk and pay to implement every safeguard, regardless of impact and probability.
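The additive risk-factor model described above (priority value + impact value, sorted highest first, with a threshold of 8 for the safeguard worksheet), as an added example that is not code from the lecture deck. The deck's priority and impact tables are not reproduced on this page, so the five-level scales used here are an assumption; the formula and the threshold of 8 come from the slides. The worksheet rows are constructed.

```python
"""Qualitative risk factor worksheet: priority + impact, ranked and thresholded.

Added example, not from the lecture deck. The 1..5 scales for priority and
impact are assumed (the deck says the team assigns the numbers but the tables
are not on this page); the additive formula and the threshold of 8 are the
deck's.
"""
from dataclasses import dataclass

# Assumed scales; the levels and their values are set by the analysis team.
PRIORITY_SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
IMPACT_SCALE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
SAFEGUARD_THRESHOLD = 8  # risk factor at or above this goes to the safeguard worksheet


@dataclass(frozen=True)
class ThreatRow:
    asset: str
    threat: str
    priority: str  # likelihood label, a key of PRIORITY_SCALE
    impact: str    # impact label, a key of IMPACT_SCALE

    def risk_factor(self) -> int:
        """Risk factor = threat priority value + impact value (additive model)."""
        try:
            return PRIORITY_SCALE[self.priority] + IMPACT_SCALE[self.impact]
        except KeyError as exc:
            # A label outside the agreed scale is a data-entry error, not a 0.
            raise ValueError(f"unknown level {exc} for {self.asset}/{self.threat}") from exc


def rank_threats(rows: list[ThreatRow]) -> list[tuple[ThreatRow, int]]:
    """Sort the worksheet by risk factor, highest first; ties keep input order."""
    scored = [(row, row.risk_factor()) for row in rows]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def safeguard_worksheet(rows: list[ThreatRow],
                        threshold: int = SAFEGUARD_THRESHOLD) -> list[ThreatRow]:
    """Threats whose risk factor meets the threshold, in priority order."""
    return [row for row, rf in rank_threats(rows) if rf >= threshold]


# Constructed worksheet rows: (asset, threat, priority label, impact label).
WORKSHEET = [
    ThreatRow("customer database", "disclosure", "medium", "severe"),
    ThreatRow("customer database", "alteration of data", "low", "major"),
    ThreatRow("payroll system", "fraud", "high", "major"),
    ThreatRow("data center", "flood", "very low", "severe"),
    ThreatRow("file server", "hardware failure", "high", "moderate"),
    ThreatRow("workstations", "operator/user error", "very high", "minor"),
]

if __name__ == "__main__":
    for row, rf in rank_threats(WORKSHEET):
        flag = "-> safeguard worksheet" if rf >= SAFEGUARD_THRESHOLD else ""
        print(f"{rf:2d}  {row.asset:18s} {row.threat:22s} {flag}")
```

Note what the additive model does with the constructed rows: the flood (very low likelihood, severe impact) and the frequent user error (very high likelihood, minor impact) both land below the threshold, while a medium-likelihood disclosure of the customer database clears it. A multiplicative model would rank these differently, so the team should state which model and which scales it used in the report.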
Qualitative IT Security Risk Analysis – Risk Controls & Safeguards
Risk Control Categories:
Avoidance Controls: proactive safeguards that attempt to minimize the risk of accidental or intentional intrusions
Assurance Controls: controls and strategies employed to ensure the ongoing effectiveness of the existing controls and safeguards
Detection Controls: techniques and programs used to ensure early detection of, interception of, and response to security breaches
Recovery Controls: planning and response services that rapidly restore and secure the environment, and investigate the source of the breach
Qualitative IT Security Risk Analysis – Identify Safeguards
It is important to estimate the cost of implementing each control and to include those estimates in the risk assessment report, so that senior management can weigh them in the final determination.
The cost analysis should ensure that the recommended safeguards meet the business objectives and provide an adequate level of asset protection for the investment.
Qualitative IT Security Risk Analysis – Risk Analysis Report
The results of the risk analysis process must be presented to management in the form of a formal report.
The report serves two purposes:
To report findings
To serve as a historical document
Qualitative IT Security Risk Analysis – Risk Analysis Report
Risk Analysis Report Outline
Executive Summary
Introduction
Threat Identification
Risk Factor Determination
Safeguard Determination
Cost Benefit Analysis
Recommendations
Appendix
IT Security Risk Management
Definitions & References
Security Management - Definitions
Vulnerability: a software, hardware, procedural, or human weakness that may give an attacker the open door they are looking for to enter a computer network and obtain unauthorized access to resources within the environment.
Threat: any potential danger to information systems. A threat exists when someone or something can identify and exploit a vulnerability.
Threat Agent: an entity that takes advantage of a vulnerability.
Risk: the likelihood of a threat agent exploiting a vulnerability, combined with the corresponding business impact.
Exposure: an instance of being exposed to losses from a threat agent.
Countermeasure: a safeguard put in place to mitigate the potential risk (e.g., hardware device, software, procedure, controls, training, etc.)
Due Care: steps taken to show that the company has taken responsibility for the activities that occur within the organization and has taken the necessary steps to protect the company, its resources, and its employees
Security Management - Definitions
Privacy: a security principle that protects an individual's information and employs controls to ensure that this information is not disseminated or accessed in an unauthorized manner.
Authentication: verifying the identity of a person requesting the use of a system and/or access to network resources.
Authorization (Access control): determining what access rights a person has, and granting access, after the person has been properly identified and authenticated.
Accountability (Auditing):
Ensures that you can tell who did what and when, and lets you convince yourself that the system keeps its security promises.
Includes non-repudiation (NR): the ability to provide proof of the origin or delivery of data.
NR protects the sender against a false denial by the recipient that the data was received, and protects the recipient against a false denial by the sender that the data was sent: a receiver cannot claim never to have received the data, and a sender cannot claim never to have sent it.
Permissions: the type of authorized interactions that a person can have with an object (e.g., read, write, execute, add, modify, delete).
Encryption: The transformation of plaintext into unreadable cipher text.
Due Diligence: The process of systematically evaluating information to identify vulnerabilities, threats, and issues relating to an organization’s overall risk.
Security Management - Definitions
Administrative Controls: Policies, standards, procedures, guidelines, screening, security awareness training
Technical Controls: Logical access controls, encryption, security devices, identification, and authentication
Physical Controls: Facilities protection, security guards, locks, monitoring, environmental controls, and intrusion detection
Identifying Information: The set of an asset’s attributes that may be useful for identifying that asset, including discoverable information about the asset and identifiers assigned to the asset
Security Management - Definitions
Disclosure: the unauthorized or premature unintentional release of proprietary, classified, company confidential, personal, or otherwise sensitive information
Electrical disturbance: a momentary fluctuation in the electrical power source
Environmental failure: an interruption in the supply of controlled environmental support such as air quality, air conditioning, humidity, heating, and water
Hardware failure: a unit or component failure of sufficient magnitude to cause processing delays or monetary loss to the enterprise
Operator/User error: an accidental, improper, or otherwise ill-chosen act by an employee that results in processing delays, equipment damage, data loss, or modified data
Fire: an instance of combustion that produces damage through heat, smoke, or suppression agent
Software error: extraneous or erroneous data or logic in an operating system or application program that results in processing errors, data output errors, or processing delays
Security Management - Definitions
Alteration of data: an intentional modification, insertion, or deletion of data, whether by an authorized user or not
Alteration of software: an intentional modification, insertion, or deletion of an operating system or application program, whether by an authorized user or not
Disclosure: the unauthorized or premature intentional release of proprietary, classified, company confidential, personal, or otherwise sensitive information
Fraud: a deliberate unauthorized manipulation of hardware, software, or information
Theft: the unauthorized appropriation of hardware, software, computer supplies, or data of a classified nature
Employee sabotage: a deliberate action taken by an employee, a group of employees, or non-employees working together to disrupt enterprise operations
Strike: an organized employee action designed to halt or disrupt normal business operations
Unauthorized use: any unauthorized use of computer equipment or programs
Security Management - Standards
ISO/IEC 27001 & 27002: requirements (27001) and a code of practice (27002) for establishing, implementing, maintaining, and continually improving an information security management system (ISMS)
ISO/IEC 27004: guidance on monitoring, measuring, analyzing, and evaluating the performance of an ISMS
ISO/IEC 27005: guidelines for establishing a risk management approach to information security
ISO/IEC 27006: requirements for bodies providing audit and certification of an ISMS (the certification/registration process)
ISO 27799: guide for protecting personal health information using ISO/IEC 27002
NIST Special Publication (SP) 800-53: catalog of security and privacy controls for federal information systems; the baseline against which IT security audits under the Federal Information Security Management Act (FISMA) are performed
NIST Cybersecurity Framework Version 1.0: a risk-based framework assembled from existing standards, guidelines, and practices to help organizations manage cyber risks.
NIST Special Publication 800-39: guidance for an integrated, organization-wide program for managing information security risk to organizational operations, assets, individuals, and other organizations
Assignments
Chapter 8 (IT Managers Handbook)
Homework 5: Risk Management
Project 2
Part A: Create an IT Governance Matrix
Part B: Create a Governance Charter for Enterprise Security Committee
Part C: Write an Information Security Policy for Data Classifications
Elevator Pitch This assignment will be graded separately.
Elevator Pitch Your boss needs you to summarize the key elements of your marketing plan before she attends the next corporate board meeting. You are required to present this to her in the form of an elevator pitch. The elevator pitch was originally devised to make a quick sales pitch to venture capitalists. Your objective is to convince your boss that your marketing plan is well-thought-out and credible. You must decide what key points you need to include from your written plan that will convince her that the new concept will be successful.
IT Project Risk Management Overview
Objectives
What is Project Risk & Project Risk Management
The goal and value of risk management
Key stages of risk management
Project Risk Management approaches and best practices
What is Project Risk ?
Project risk is defined by PMI as 'an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives'.
What is Project Risk Management?
Project risk management is a method of finding risks, classifying risks and mitigating risks.
The Goal of Project Risk Management
The goal of project risk management is to identify potential risks, analyze them to determine which have the greatest probability of occurring and which would have the greatest impact on the project if they did occur, and define plans that mitigate or lessen each risk's impact or avoid the risk altogether, while making the most of any opportunities.
Value of Project Risk Management
Project risk management delivers a number of values to the project, including:
Recognizes uncertainty and provides forecasts of possible outcomes.
Produces better business outcomes through more informed decision making
Has a positive influence on creative thinking and innovation
Creates better project control—reduces overhead and time, and enhances benefits.
Contributes to project success
Importance of Project Risk Management
Project risk management is an important aspect of project management.
According to the Project Management Institute's PMBOK, Risk management is one of the ten knowledge areas in which a project manager must be competent.
Understanding project risks enables project teams to more effectively fulfill business goals and objectives as well as meet service expectations.
Effective Project Risk Management – Behaviors to Avoid
WSDOT Project Risk Management Guide-November 2014
Effective Project Risk Management avoids the following behaviors:
Paying too little attention to risk management
Not allocating sufficient resources for risk management
Failing to identify risks before they become issues
Poorly defined project management processes and procedures, or failing to follow them
Missing Opportunities
Project Risk Management – Balanced Approach
IT Managers Role in IT Project Risk Management
As an IT manager you should coordinate with the PM and project team to:
Ensure proper due diligence in IT project planning and estimations
Coordinate with key stakeholders and subject matter experts to identify, assess/analyze, and respond to major risks
Continually monitor IT project triple constraints, progress, risks, response actions, and results
Maintain a good understanding of the overall health and evolving risk profile of the IT projects in your portfolio
Facilitate compliance with IT governance and policies associated with project management
Manage stakeholders' expectations, ensuring timely and accurate communication
Listen to stakeholders and project team members; investigate and verify concerns and use appropriate channels to raise awareness or take necessary actions to resolve
Risk Management Stages
Components, Approaches, & Best Practices
Project Risk Management - Stages
Risk Management Involves the following stages:
Risk Management Planning
Risk Identification
Risk Analysis & Quantification (Qualitative & Quantitative)
Risk Response
Risk Monitoring & Control
Project Risk Management - Planning Stage
Risk management must commence early in project development and proceed as the project evolves and project information increases in quantity and quality.
Consider the resources needed for project risk management and build them into the project development budget and schedule.
When preparing the Project Management Plan and work activities for IT Projects, we must include both pillars of risk management.
Project Risk Management - Planning Stage
How to Plan for Project Risk Management
Determine the level of risk assessment for your project
Incorporate risk management activities into the project schedule
Make risk management an agenda item for regularly scheduled project meetings
Communicate the importance of risk management to the entire project team
Establish the expectation that risk will be managed, documented, and reported
Project Risk Management - Planning Stage
Tips for managing Project Risk Management Plan
Allow time in the schedule for prep activities; this includes review and QA/QC of project schedules and cost estimates at appropriate times
Allow a budget for risk assessment, risk management, and risk response activities
Report on the status of project risk in regularly scheduled project meetings
Know the organization’s tolerance for risk
Contact the Enterprise Project Management Office (EPMO) and EA to discuss the possibility of integrating the risk assessments with a business solution architecture (BSA) processes (conduct workshops).
Project Risk Management- Risk Identification Stage
Risk identification involves determining which risks might affect the project and documenting their characteristics.
Project Risk Management – Risk Identification
Project Lifecycle      | Systems Development Lifecycle
Initiation (Scoping)   | Feasibility
Planning & Estimating  | Requirements
Scheduling             | Design
Execution              | Build
Control & Monitoring   | Test & Validate
                       | Implementation
Risk identification occurs throughout most phases of the IT project life cycle and the SDLC. The probability of a risk occurring is highest early in the project lifecycle and declines as the project progresses, while the cost of a risk that does occur rises the later it surfaces.
Project Risk Management – Risk Identification
Techniques for Risk Identification
Document Reviews
Brainstorming
Lessons Learned
Other Methods
Tips for Risk Identification
Determine, for your project, what constitutes “significant” risk
Thoroughly describe the risk
Include specialty groups and/or other persons who may have meaningful input regarding the challenges the project may face
Determine who “owns” the risk and who will develop a response
Risk Should Be:
Specific
Measurable
Relevant
Time-Bound
Response
Project Risk Management- Risk Profile Sheet
Project Risk Management- Risk Analysis & Quantification Stage
Qualitative Risk Analysis: is concerned with determining the probability of a risk occurring and the impact the risk will have if it does occur. You should perform qualitative risk analysis throughout the work of the project. It is the most common and probably the easiest method of analyzing project risk.
Risk Analysis & Quantification Stage – Qualitative Analysis
Qualitative Analysis - Risk Profile Sheet
Project Risk Management- Risk Analysis & Quantification Stage
Quantitative Risk Analysis: numerically estimates the probability that a project will meet its cost and time objectives.
Assign cardinal scale values (numbers between 0 and 1.0, i.e., probabilities) to both probability and impact so that you can calculate an overall risk score for each risk
Risk Analysis & Quantification Stage – Quantitative Analysis
Several other quantitative techniques exist, including sensitivity analysis, decision tree analysis and simulation techniques.
Since most of these require extensive analysis and significant investments in software and mathematical proficiencies (e.g., variance based methods, dimensional modeling, regression analysis), they aren’t ideally suited to small and medium-sized projects.
Risk Analysis & Quantification Stage – Quantitative Analysis
Decision Tree Analysis. This is a diagramming method that shows the sequence of interrelated decisions and expected results of choosing one alternative over another. It is usually used for risk events that impact time or cost.
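A decision tree evaluated by expected monetary value (EMV), as an added example that is not code from the deck or the WSDOT guide. The tree (build a component in-house or buy it, each with an uncertain follow-on cost) and all of its probabilities and cost figures are constructed for illustration; values are in thousands, with costs negative, so the best alternative is the one with the highest (least negative) EMV.

```python
"""Decision tree analysis with expected monetary value (EMV).

Added example, not from the lecture deck. The build-vs-buy tree and its
probabilities and cost figures are constructed (thousands; costs negative).
"""
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Outcome:
    label: str
    value: float  # payoff at this leaf; negative is a cost or penalty


@dataclass(frozen=True)
class Chance:
    label: str
    branches: tuple  # (probability, child node) pairs; probabilities must sum to 1

    def __post_init__(self) -> None:
        total = sum(p for p, _ in self.branches)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"{self.label}: branch probabilities sum to {total}, not 1")


@dataclass(frozen=True)
class Decision:
    label: str
    options: tuple  # (option name, upfront cost, child node) triples


Node = Union[Outcome, Chance, Decision]


def emv(node: Node) -> float:
    """Expected monetary value of a subtree.

    Leaves return their value; chance nodes the probability-weighted average
    of their branches; decision nodes the best option net of its upfront cost
    (the decision maker is assumed to pick the option with the highest EMV).
    """
    if isinstance(node, Outcome):
        return node.value
    if isinstance(node, Chance):
        return sum(p * emv(child) for p, child in node.branches)
    return max(emv(child) - cost for _, cost, child in node.options)


def best_option(decision: Decision) -> str:
    """Name of the option whose EMV net of upfront cost is highest."""
    return max(decision.options, key=lambda opt: emv(opt[2]) - opt[1])[0]


# Constructed tree. Build in-house costs 120 and is late 40% of the time
# (penalty 120); buying costs 150 and has integration trouble 20% of the time
# (rework 60). Timing risk shows up as cost, as the slide notes.
BUILD_OR_BUY = Decision("source the component", (
    ("build", 120.0, Chance("delivery", (
        (0.6, Outcome("on time", 0.0)),
        (0.4, Outcome("late, penalty", -120.0)),
    ))),
    ("buy", 150.0, Chance("integration", (
        (0.8, Outcome("integrates cleanly", 0.0)),
        (0.2, Outcome("rework", -60.0)),
    ))),
))

if __name__ == "__main__":
    for name, cost, child in BUILD_OR_BUY.options:
        print(f"{name:5s} EMV = {emv(child) - cost:8.1f}")
    print("best option:", best_option(BUILD_OR_BUY))
```

Here "build" is cheaper up front (120 versus 150) but its EMV is -168 once the 40% chance of a 120 penalty is priced in, while "buy" comes out at -162; the tree picks "buy". The value of the method is that the answer changes with the probabilities, so the team should record where each probability came from (history, expert estimate) in the risk response plan.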
Risk Analysis & Quantification Stage – Quantitative Analysis
Monte Carlo methods (or Monte Carlo experiments) are a broad class of computational algorithms that rely on repeated random sampling to obtain numerical results. Monte Carlo simulation, or probability simulation, is a technique used to understand the impact of risk and uncertainty in financial, project management, cost, and other forecasting models.
Risk Analysis & Quantification Stage – Quantitative Analysis
Basic forecasting model for estimating the total time it will take to complete a particular IT project. In this case it is an EIS implementation project with three parts (Job 1, Job 2, and Job 3). The parts have to be done one after the other, so the total time for the project is the sum of the three parts, 14 months in total. This is an estimate, but the model can't tell us anything about risk: how likely is it that the project will be completed on time?
Risk Analysis & Quantification Stage – Quantitative Analysis
Create a model using a Monte Carlo simulation for estimating the total time it will take to complete the EIS project. Build the model by estimating the minimum, most likely, and maximum expected time (based on our experience, or expertise, or historical information). Now there is a range of possible outcomes.
Note: This Monte Carlo simulation will use the beta-PERT distribution to generate random values based on a minimum, most likely, and maximum value.
Risk Analysis & Quantification Stage – Quantitative Analysis
The Monte Carlo simulation randomly generates a duration for each of the tasks, then calculates the total time to completion. The simulation was run 500 times. From the results you can describe some of the characteristics of the risk in the model.
To evaluate the likelihood of a particular result, count how many times the model returned that result in the simulation. In this case, we want to know how many trials finished in less than or equal to a particular number of months.
Risk Analysis & Quantification Stage – Quantitative Analysis
The Monte Carlo simulation results displayed in a graph. The results reveal that there is only a 34% chance, about 1 in 3, that any individual trial finishes in 14 months or less. On the other hand, there is a 79% chance that the project will be completed within 15 months.
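The three-job schedule simulation described over the last few slides, written out as an added example (not code from the deck or the WSDOT guide). The deck gives only the 14-month single-point total, not each job's minimum, most-likely, and maximum estimates, so the per-job figures here are constructed (their most-likely values sum to 14); the percentages it prints will therefore differ from the 34% and 79% on the slide. The beta-PERT sampling is the standard construction: a Beta distribution stretched over [min, max] whose mode is the most-likely value.

```python
"""Monte Carlo schedule risk with a beta-PERT distribution per task.

Added example, not from the lecture deck or the WSDOT guide. The per-job
min / most-likely / max figures are constructed; only the three sequential
jobs and the 14-month point estimate come from the deck.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    minimum: float
    most_likely: float
    maximum: float

    def __post_init__(self) -> None:
        if not self.minimum <= self.most_likely <= self.maximum:
            raise ValueError(f"{self.name}: need min <= most likely <= max")


def pert_sample(task: Task, rng: random.Random, lamb: float = 4.0) -> float:
    """Draw one duration from the beta-PERT distribution for this task.

    Beta-PERT fits Beta(alpha, beta) on [min, max] with its mode at the
    most-likely value; lamb = 4 is the conventional PERT weighting.
    """
    span = task.maximum - task.minimum
    if span == 0:
        return task.minimum  # no uncertainty in this task
    alpha = 1 + lamb * (task.most_likely - task.minimum) / span
    beta = 1 + lamb * (task.maximum - task.most_likely) / span
    return task.minimum + span * rng.betavariate(alpha, beta)


def simulate_total_duration(tasks: list[Task], trials: int, seed: int = 0) -> list[float]:
    """Run `trials` iterations; tasks are sequential, so each total is a sum."""
    rng = random.Random(seed)  # seeded so a run can be reproduced in the report
    return [sum(pert_sample(t, rng) for t in tasks) for _ in range(trials)]


def probability_within(totals: list[float], months: float) -> float:
    """Fraction of trials that finished at or before `months` (empirical CDF)."""
    return sum(1 for t in totals if t <= months) / len(totals)


def point_estimate(tasks: list[Task]) -> float:
    """The deterministic model from the earlier slide: sum of most-likely values."""
    return sum(t.most_likely for t in tasks)


# Constructed estimates in months; most-likely values sum to the deck's 14.
EIS_JOBS = [
    Task("Job 1", minimum=3.0, most_likely=4.0, maximum=7.0),
    Task("Job 2", minimum=4.0, most_likely=5.0, maximum=9.0),
    Task("Job 3", minimum=4.0, most_likely=5.0, maximum=8.0),
]

if __name__ == "__main__":
    totals = simulate_total_duration(EIS_JOBS, trials=500)
    print(f"point estimate: {point_estimate(EIS_JOBS):.0f} months")
    for m in (14, 15, 16, 18):
        print(f"P(total <= {m} months) = {probability_within(totals, m):.0%}")
```

Because each job's maximum sits further from the most-likely value than its minimum does, the distribution of totals is skewed to the right and the chance of finishing within the 14-month point estimate is well under one half: the point estimate is close to the mode, not the median. That asymmetry is exactly the information the deterministic model could not show.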
Project Risk Management- Risk Analysis & Quantification Stage
Risk response is the process of developing options and determining actions to enhance opportunities and reduce threats to achieving the project's objectives.
From a quantitative risk analysis perspective, require a risk response plan for every risk whose overall risk value is rated critical or significant. Similarly, from a qualitative risk analysis perspective, require a risk response plan for every risk whose score meets a predefined threshold (Risk Score >= 8 in our qualitative model).
Project Risk Management- Risk Response Stage
Risk Outcomes:
Known risks with predictable outcomes
Known risks with uncertain outcomes
Unknown risks with unpredictable outcomes
Project Risk Management- Risk Response Stage
Risk response plan should include at least the following elements:
Risk ID no
Risk name and description
Risk Owner
Analysis approach and results (risk score, risk value, expected value, probability, priority)
Risk triggers, effects, and impacts on the project (e.g., scope, schedule, budget, performance)
Risk Response (e.g., strategy, timeframe, and responsible party)
Resources (e.g., people, things, costs)
Appendix (additional and supporting information)
Project Risk Management- Risk Monitoring & Control Stage
Risk monitoring and control tracks identified risks, monitors residual risks, and identifies new risks; ensuring the execution of risk plans and evaluating their effectiveness in reducing risk.
Risk monitoring and control is an ongoing process for the life of the project.
Involves a risk audit review process as a part of the project close-out phase to identify things that went well and opportunities for improvement and preventing future reoccurrences
Assignments
Chapters 4, 8 (IT Managers Handbook)
Homework 5: Risk Management
Project 2
Part A: Create an IT Governance Matrix
Part B: Create a Governance Charter for Enterprise Security Committee
Part C: Write an Information Security Policy for Data Classifications
Business Risk Management Overview
Objectives
Key Terms
Risk Management Overview
Types of Risks
Risk Informed Decision Model
Risk Management Important to Project Success
Decision Tree Analysis
Risk Management – Key Terms
Risk: is the potential of gaining or losing something of value. Values (such as physical health, social status, emotional well-being, or financial wealth) can be gained or lost when taking risk resulting from a given action or inaction, foreseen or unforeseen.
Uncertainty: The lack of complete certainty, that is, the existence of more than one possibility whereby the "true" outcome/state/result/value is not known, unpredictable, or uncontrollable.
Risk Perception: is the subjective judgment people make about the severity and probability of a risk, and may vary person to person. Any human endeavor carries some risk, but some are much riskier than others.
Default: is failure to meet the legal obligations or terms and conditions of a contract (loan, bond, bank notes, line of credit, unpaid wages, tax liabilities, other debt obligations, etc.).
Threat: the intent to inflict harm or loss on another person; threats can be subtle or overt. From an IT perspective, a threat is a possible danger that might exploit a vulnerability to breach security and thereby cause harm.
Risk Management – Key Terms
Vulnerability: susceptibility to physical harm or damage. A security vulnerability is a weakness in a product or system that could allow an attacker to compromise the integrity, availability, or confidentiality of that product or system.
Risk Tolerance: is a more specific measure of the degree of uncertainty that an organization is willing to accept in respect to negative changes to its business, assets, or security.
Risk Appetite: the amount and type of risk that an organization is prepared to pursue, retain, or take (according to ISO 31000)
Residual Risk: is defined as the threat a risk poses after considering the current mitigation activities in place to address it.
Risk Management – Strategic Alignment
Align your risk tolerances with your strategic goals and business models. When risk tolerances are aligned with both the overall risk appetite and the strategic goals, they lower residual risk and contribute to achieving those goals.
Risk Management Overview
What is Risk Management, Approach & Plan?
Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
Risk management’s objective is to assure uncertainty does not deflect the endeavor from the business goals.
Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.
The risk management approach determines the processes, techniques, tools, and team roles and responsibilities for a specific project.
The risk management plan describes how risk management will be structured and performed on the project.
7
Effective Risk Management Characteristics
Create value – resources expended to mitigate risk should be less than the consequence of inaction
Be an integral part of organizational processes (strategic, tactical, operational)
Be part of decision making process
Explicitly address uncertainty and assumptions
Be a systematic and structured process
Be based on the best available information
Be tailorable
Take human factors into account
Be transparent and inclusive
Be dynamic, iterative and responsive to change
Capable of continual improvement and enhancement
Continually or periodically re-assessed
8
Business Owner’s Perspective on Risk
Business Owner’s Perspective on Risk:
Business Risk: refers to the chance a business's cash flows are not enough to cover its operating expenses like cost of goods sold, rent and wages.
Systematic risk refers to the chance an entire market or economy will experience a downturn or even fail.
Unsystematic risk describes the chance a specific company or line of business will experience a downturn or even fail.
Financial risk refers to the chance a business's cash flows are not enough to pay creditors and fulfill other financial responsibilities.
9
Business Financial Risk – Internal & External Factors
Interest Rate Risk: The interest rate is often the number-one component of financial risk. Banks and lenders offer business loans at a specific interest rate.
A credit risk is the risk of default on a debt that may arise from a borrower failing to make required payments.
Market risk is the risk of losses in positions arising from movements in market prices. Financial risks can also be linked to the overall market risk in the business environment.
10
Business Financial Risk – Internal & External Factors
Cash Flow plays an important role in financial risk. Business owners often use external financing to start their new business venture. External financing represents fixed cash outflows that must be paid regardless of the company profitability.
Volatility risk is the risk of a change of price of a portfolio as a result of changes in the volatility of a risk factor.
Legal risk is the risk of litigation resulting in financial or reputational loss due to the lack of awareness or misunderstanding of, ambiguity in, or reckless indifference to, the way law and regulation apply to your business, its relationships, processes, products and services.
11
Business Financial Risk – Internal & External Factors
Compliance Risk: Risks associated with compliance are those subject to legislative or bureaucratic rule and regulations, or those associated with best practices for investment purposes.
Reputation risk is the risk of loss resulting from damage to a firm's reputation: lost revenue; increased operating, capital or regulatory costs; or destruction of shareholder value, consequent to an adverse or potentially criminal event, even if the company is not found guilty.
Liquidity risk is the financial risk that, for a certain period of time, a given asset, security, or commodity cannot be traded quickly enough in the market without impacting the market price.
12
Business Financial Risk – Internal & External Factors
Economic Risk: Companies are exposed to financial risk from various aspects of the overall economy.
Performance Risk: the risk that the completed project fails to perform as intended or fails to meet the business requirements that justified it.
Operational risk is "the risk of a change in value caused by the fact that actual losses, incurred for inadequate or failed internal processes, people and systems, or from external events (including legal risk), differ from the expected losses".
13
Business Operational Risk – Causes
Internal Fraud
External Fraud
Employment Practices and Workplace
Clients, Products, and Business Practice
Damage to Physical Assets
Business Disruption and Systems Failures
Execution, Delivery, and Process Management
Project and Portfolio Management
14
Risk Informed Decision Model
15
International Organization for Standardization (ISO) – defined the principles of risk management
How to reduce Business Risk
16
Reducing Business Risk – Recommendations
Review the existing system of internal controls, which provide checks and balances for every aspect of a company
Establish Business Risk Assessment & Measurement Methods
Develop Risk Management & Contingency Plans
Plan Evaluations
Employ the services of an internal control consultant
17
Risk Response Strategies
18
Risk – Response Strategies
Avoidance
Transference
Mitigation
Acceptance
Contingency Planning
19
Benefits of Risk Management Program
20
Risk – Response Strategies
Financial
Protecting Resources
Business Culture
21
Why Risk Management is Important to Project Success
22
Risk – Response Strategies
Plans
Preparation
Results
Evaluation
23
Conducting Quantitative Risk Analysis
Decision Tree
24
Creating Procedures – Starting Block
A decision tree is a graph that uses a branching method to illustrate every possible outcome of a decision. Decision trees can be drawn by hand or created with a graphics program or specialized software.
Informally, decision trees are useful for focusing discussion when a group must make a decision.
25
Decision Tree – Decision Paths
26
Decision Tree – Evaluate Options & Outcomes
27
Decision Tree – Calculation of Uncertain Outcome Nodes
28
Outcome | Probability | Value | Expected value
Good | 0.4 | $1,000,000 | $400,000
Moderate | 0.4 | $50,000 | $20,000
Poor | 0.2 | $2,000 | $400
TOTAL | | | $420,400
Decision Tree –Calculate Value of Decision Nodes
29
Decision Tree –Calculate Value of Decision Nodes
30
Assignments
Chapter 8 (IT Manager's Handbook)
Homework 3: IT Policy Management
Project 1:
Part A: Create an IT Governance Matrix
Part B: Create a Governance Charter for Enterprise Security Committee
Part C: Write an Information Security Policy for Data Classifications
31
Homework #5: Risk Determination & Decision Tree Analysis
1. Review Module-5 Lecture Notes and Chapter Readings
2. Use the Risk Determination Excel Workbook and complete the following worksheets:
a. Corporate Assets Risk Summary - Tab
i. Use the Reference Tab in the workbook to select the appropriate values from the respective tables and complete Columns B, C, D, & E
ii. Column F (Risk Score) is a calculated field already formatted
iii. In Column H (Possible Safeguards), provide the safeguards you would put in place to mitigate the threat (e.g., controls, policies, etc.)
b. Occupation Analysis - Tab
i. Use the Risk Level Table and assign the appropriate value for each occupation and the corresponding threats outlined in Columns B, C, D, & E
ii. Column F (Total) is a calculated field already formatted
iii. Complete the occupational analysis; answer the four questions after completing your occupational vulnerability assessment
c. Decision Tree Analysis - Tab
i. Examine the Decision Tree Analysis for enterprise CRM solution approach
ii. Complete the corresponding tables for both paths and individual branches referencing the values in the decision tree diagram.
iii. Some of the data is already populated
iv. Total fields, Branch Total fields, and Value Fields are calculated fields and are already formatted
v. Answer the question regarding which option provides the best overall value
vi. Hint: only one of the value fields should have a negative value when finished
3. Complete the Risk Determination Worksheets (M.S. Excel Document not PDF) and upload the file using the designated link on Moodle on or before the assignment due date.
Corpoarate Assets Risk Summary
Asset Under Review: Customer Relationship Management System | Financial Loss | Legal Impacts | Embarrassment | Probability - Impact | Risk Score | Possible Safeguards | Safeguard Cost
Unauthorized Disclosure | 0 | 0 | 0 | 0 | 0 | |
Unauthorized Modification | 0 | 0 | 0 | 0 | 0 | |
Unavailability | 0 | 0 | 0 | 0 | 0 | |
Unauthorized Destruction | 0 | 0 | 0 | 0 | 0 | |
Unauthorized Access | 0 | 0 | 0 | 0 | 0 | |
Asset Under Review: Supply Chain Management System | Financial Loss | Legal Impacts | Embarrassment | Probability - Impact | Risk Score | Possible Safeguards | Safeguard Cost
Unauthorized Disclosure | 0 | 0 | 0 | 0 | 0 | |
Unauthorized Modification | 0 | 0 | 0 | 0 | 0 | |
Unavailability | 0 | 0 | 0 | 0 | 0 | |
Unauthorized Destruction | 0 | 0 | 0 | 0 | 0 | |
Unauthorized Access | 0 | 0 | 0 | 0 | 0 | |
Asset Under Review: Employee Training System | Financial Loss | Legal Impacts | Embarrassment | Probability - Impact | Risk Score | Possible Safeguards | Safeguard Cost
Unauthorized Disclosure | 0 | 0 | 0 | 0 | 0 | |
Unauthorized Modification | 0 | 0 | 0 | 0 | 0 | |
Unavailability | 0 | 0 | 0 | 0 | 0 | |
Unauthorized Destruction | 0 | 0 | 0 | 0 | 0 | |
Unauthorized Access | 0 | 0 | 0 | 0 | 0 | |
Asset Under Review: Enterprise Data Center | Financial Loss | Legal Impacts | Embarrassment | Probability - Impact | Risk Score | Possible Safeguards | Safeguard Cost
Fire | 0 | 0 | 0 | 0 | 0 | |
Water Damage | 0 | 0 | 0 | 0 | 0 | |
Production Environment Unavailability | 0 | 0 | 0 | 0 | 0 | |
Development Environment Unavailability | 0 | 0 | 0 | 0 | 0 | |
Loss of Facilities Power | 0 | 0 | 0 | 0 | 0 | |
Primary Network Area Storage Device Unavailability | 0 | 0 | 0 | 0 | 0 | |
Theft of Computing Equipment | 0 | 0 | 0 | 0 | 0 | |
Unauthorized Access into EDC | 0 | 0 | 0 | 0 | 0 | |
Complete a qualitative risk assessment for each of the corporate assets using the predefined risk tables above and the corresponding reference table on the Reference tab in the workbook.
Occupation Analysis
Asset Under Review: Corporate Financial Data | Vulnerability | | | | Total
Occupation | Unauthorized Access | Unauthorized Modification | Unauthorized Disclosure | Destruction | Total
Chief Executive Officer | | | | | 0
Chief Financial Officer | | | | | 0
Chief Information Systems Officer | | | | | 0
Chief Technology Officer | | | | | 0
Executive Secretary | | | | | 0
Director of Engineering | | | | | 0
VP Finance & Accounting | | | | | 0
VP Human Resources | | | | | 0
Senior Accountants - CPA | | | | | 0
Junior Accountants | | | | | 0
Director of Telecommunications | | | | | 0
Director of Enterprise Applications | | | | | 0
Senior Application Developer | | | | | 0
Junior Application Developer | | | | | 0
Database Administrator | | | | | 0
Network Administrator | | | | | 0
Production Supervisor | | | | | 0
Manager of Facilities Maintenance | | | | | 0
Helpdesk Technician | | | | | 0
Shipping Clerk | | | | | 0
Risk Level | Value
Greatest Risk | 6
Great Risk | 5
Moderate Risk | 4
Limited Risk | 3
Low Risk | 2
No Risk | 1
Complete the occupation analysis table above, then evaluate the results and answer the questions below.
How is this analysis useful?
Which occupations pose the highest risks to unauthorized modification of corporate financial data?
Which occupations pose the least risks to unauthorized modification of corporate financial data?
What safeguards would you implement to help prevent the unauthorized authorization of corporate financial data?
Decision Tree
CRM Decision Tree Diagram
Examine the decision tree diagram above; next complete each of the decision tree branch analyses using the tables below; evaluate the final results and answer the question as to your recommendation for the best option.
Custom Development
Branch | Cost | High: Probability | High: Value | High: Total | Moderate: Probability | Moderate: Value | Moderate: Total | Low: Probability | Low: Value | Low: Total | Branch Total | Value
Branch 1: In-House Development | $10,000,000 | 0.10 | $12,000,000 | $1,200,000 | | $10,000,000 | $0 | 0.70 | | $0 | $1,200,000 | -$8,800,000
Branch 2: Outsource Development | $9,700,000 | | | $0 | 0.60 | | $0 | | $6,000,000 | $0 | $0 | -$9,700,000
COTS
Branch | Cost | High: Probability | High: Value | High: Total | Moderate: Probability | Moderate: Value | Moderate: Total | Low: Probability | Low: Value | Low: Total | Branch Total | Value
Branch 1: On-Premise COTS | $7,500,000 | | $15,000,000 | $0 | | | $0 | 0.20 | | $0 | $0 | -$7,500,000
Branch 2: Hosted COTS | $6,500,000 | 0.80 | | $0 | | | $0 | 0.10 | | $0 | $0 | -$6,500,000
Which option would provide the best overall value and why?
* Note: one of the branch values should result in a negative number.
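Added example (not code from the slides or the homework workbook) that carries the slide-28 chance-node arithmetic ($420,400) and the homework tab's Branch Total and Value columns through in Python; the In-House Development rows are copied from the table above, with empty worksheet cells represented as None.

```python
# Decision tree valuation: expected value of chance nodes and net value of
# decision branches. Added example, not code from the slides or the workbook;
# it reproduces the slide-28 node and the In-House Development branch as shown.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Outcome:
    label: str
    probability: Optional[float]  # None = cell not yet filled in
    value: Optional[float]        # payoff if this outcome occurs

    def total(self) -> float:
        # Same rule as the workbook's calculated Total cells: a row with
        # its probability or its value missing contributes $0.
        if self.probability is None or self.value is None:
            return 0.0
        return self.probability * self.value


def chance_node_value(outcomes) -> float:
    """Expected value of an uncertain outcome node: sum of probability x value."""
    return sum(o.total() for o in outcomes)


def node_is_complete(outcomes) -> bool:
    """True when every row is filled in and the probabilities sum to 1; a partial
    node still yields a number, which is how $0 totals hide unfinished work."""
    if any(o.probability is None or o.value is None for o in outcomes):
        return False
    return abs(sum(o.probability for o in outcomes) - 1.0) < 1e-9


def branch_value(cost: float, outcomes) -> float:
    """Net value of a decision branch: Branch Total minus Cost (the Value column)."""
    return chance_node_value(outcomes) - cost


# Slide 28 chance node: 0.4 x $1,000,000 + 0.4 x $50,000 + 0.2 x $2,000
SLIDE_NODE = [Outcome("good", 0.4, 1_000_000),
              Outcome("moderate", 0.4, 50_000),
              Outcome("poor", 0.2, 2_000)]
# CRM tree, Custom Development / Branch 1 (In-House Development), as filled
# in on the homework tab: only the High row is complete.
IN_HOUSE_COST = 10_000_000
IN_HOUSE = [Outcome("high", 0.10, 12_000_000),
            Outcome("moderate", None, 10_000_000),
            Outcome("low", 0.70, None)]
```

Once every row of a branch is populated, node_is_complete() returns True and branch_value() gives the figure the Value column should hold.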
References
Financial Loss | Valuation Score
Less than $2,000 | 1
Between $2K and $20K | 2
Between $20K and $50K | 3
Between $50K and $100K | 4
Between $100K and $300K | 5
Between $300K and $500K | 6
Between $500K and $1M | 7
Between $1M and $5M | 8
Between $5M and $10M | 9
Between $10M and $30M | 10
Between $30M and $100M | 11
Greater Than $100M | 12
Threat Vulnerability Work Table (Probability x Impact)
Probability \ Impact | Low | Medium | High
High | 3 | 6 | 9
Medium | 2 | 5 | 8
Low | 1 | 4 | 7
Legal Implication | Valuation Score
Under $5K | 1
Between $5K and $10K | 4
Between $10K and $50K | 5
Between $50K and $1M and/or CIO liable for prosecution | 8
Over $1M and/or Officers and/or Directors Liable | 10
Enterprise Embarrassment | Valuation Score
Embarrassment restricted to within the project or work site | 1
Embarrassment spread to other work areas of operating group or division | 2
Embarrassment spread throughout the enterprise | 3
Public made aware through local press | 5
Adverse national press | 7
Stock price impacted | 10
Priority | Score
Low | 1
Low to Medium | 2
Medium | 3
Medium to High | 4
High | 5
Annual Loss Multiplier Table
Occurrence Frequency | Multiplier
Never | 0.000
Once in 300 Years | 0.003
Once in 200 Years | 0.005
Once in 100 Years | 0.010
Once in 50 Years | 0.020
Once in 25 Years | 0.040
Once in 10 Years | 0.100
Once in 5 Years | 0.200
Once in 2 Years | 0.500
Yearly | 1.000
Twice a Year | 2.000
Once a Month | 12.000
Once a Week | 52.000
Once a Day | 365.000
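Added example (not code from the workbook) showing how the Financial Loss and Annual Loss Multiplier tables above turn a single-event loss into an annualized loss, and how that number is weighed against a safeguard's cost under the "resources expended to mitigate risk should be less than the consequence of inaction" rule from the effective-risk-management slide. The reading of "Between $X and $Y" bands as lower-bound inclusive and the outage scenario values are assumptions.

```python
# Annualized loss and safeguard cost/benefit from the reference tab's Annual
# Loss Multiplier and Financial Loss tables. Added example, not code from the
# workbook; "Between $X and $Y" bands are read as lower bound inclusive, and
# the safeguard scenario values are constructed (both are assumptions).
from bisect import bisect_right

# Occurrence Frequency -> annual multiplier, copied from the reference tab.
ANNUAL_LOSS_MULTIPLIER = {
    "Never": 0.000, "Once in 300 Years": 0.003, "Once in 200 Years": 0.005,
    "Once in 100 Years": 0.010, "Once in 50 Years": 0.020,
    "Once in 25 Years": 0.040, "Once in 10 Years": 0.100,
    "Once in 5 Years": 0.200, "Once in 2 Years": 0.500, "Yearly": 1.000,
    "Twice a Year": 2.000, "Once a Month": 12.000, "Once a Week": 52.000,
    "Once a Day": 365.000,
}

# Lower bounds of the Financial Loss bands (score 1 = under $2,000, 12 = over $100M).
FINANCIAL_LOSS_BOUNDS = [2_000, 20_000, 50_000, 100_000, 300_000, 500_000,
                         1_000_000, 5_000_000, 10_000_000, 30_000_000,
                         100_000_000]


def financial_loss_score(loss: float) -> int:
    """Valuation score 1..12 for a single-event loss in dollars."""
    return 1 + bisect_right(FINANCIAL_LOSS_BOUNDS, loss)


def annual_loss(single_loss: float, frequency: str) -> float:
    """Expected yearly loss: single-event loss x multiplier for its frequency."""
    return single_loss * ANNUAL_LOSS_MULTIPLIER[frequency]


def safeguard_net_benefit(single_loss: float, frequency: str,
                          residual_frequency: str, safeguard_cost: float) -> float:
    """Annual loss avoided by a safeguard minus its yearly cost.

    The safeguard is modelled as lowering how often the loss occurs (the
    residual risk of the key-terms slide). Positive means the spend is less
    than the consequence of inaction; negative means the safeguard costs
    more per year than it saves.
    """
    avoided = (annual_loss(single_loss, frequency)
               - annual_loss(single_loss, residual_frequency))
    return avoided - safeguard_cost


# Constructed scenario: a $500,000 outage expected once in 2 years, cut to
# once in 50 years by a safeguard costing $60,000 per year.
SCENARIO = dict(single_loss=500_000, frequency="Once in 2 Years",
                residual_frequency="Once in 50 Years", safeguard_cost=60_000)
```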
