PP Risk Assessment Exercise -- Possible guidelines

This document is meant to help you go through the steps required for Stage 1 of your project. Use it as needed or when needed.

IDENTIFICATION

1- What are the components of the [ORGANIZATION NAME] system (assets)?
a. Identify and assess their value (at this early stage, we don't need to worry about $$$ details),
b. classify them, and
c. prioritize them (create a table).

Possible questions you need to be asking at this point:
· Which information asset is the most critical to the success of [ORGANIZATION NAME]?
· Which information asset generates the most revenue?
· Which generates the most profit?
· Which is the most expensive to replace? (Don't limit yourself to thinking in terms of $$ only: time, lost productivity, etc.)
· Which would be the most expensive to protect?
· Which would be the most embarrassing or cause the greatest liability (think of all those bad lawyers) if revealed?
· Does data need to be classified? Do users need different security clearances (examples of users: office staff, local nationals, lab monitors, librarian, students, faculty, etc.)?

2- What are the threats these components face?
a. Identify threats (you can use the web to find current threats, or even think of some other possible threats),
b. Prioritize threats (again, table format works).

Possible questions at this point (think in terms of danger to the company vs. danger to the information):
· Which threats are the most dangerous to [ORGANIZATION NAME'S] assets in the given environment?
· Which are the most dangerous to the information?
· What would it cost to recover from an attack? (Non-detailed estimation of time and lost productivity.)
· Which are the most expensive to prevent?

3- What are the vulnerabilities the [ORGANIZATION NAME] system has?
a. Create a list of weaknesses you think the system has (e.g., human error, theft, etc.).

RISK ASSESSMENT

1- Likelihood: the chance that a specific vulnerability will be exploited. Assign each a number (for example, 0.1 low and 1.0 high).
2- Valuation of information assets (we have these findings from earlier on (2)). Assign a weight (any form of scale would do).
3- Create a list of current controls (don't limit yourself to technical ones).
4- Identify possible controls to implement.
5- Document the results of the risk assessment (a table format will do).

Extra credit: Are data confidentiality, integrity and availability protected?

The following is the scenario you are to use for your individual analysis assignment and your team project.

Joan Wilson was hurriedly leaving the office of Raymond Pressly, the Chairman and CEO of MailPress Corporation. As the newly hired CIO she had not expected her second meeting with Mr. Pressly would be so soon or under such disturbing circumstances. Mr. Pressly had been waiting for her arrival this morning with the news of the fire at End Point, Inc. last week. End Point provided web hosting services for a number of companies in the Pittsburgh area, including the local Steel City Arena Football Team, in which Mr. Pressly had an ownership stake. The fire had been devastating, turning the 75 servers in the web hosting data center into a mass of melted plastic and metal. "It has been seven days and the Steel City's website is still down, and so are our opening day ticket sales," Mr. Pressly had stated in the call that brought Joan to the 8:00 am meeting. "What would we do if something like that happened here?" he asked. Joan Wilson had asked her Executive Assistant to grab a copy of the company's Business Recovery Plan so she could bring it to her meeting with Mr. Pressly.
It only took about two minutes for Mr. Pressly to realize that the plan was written before the merger with Flair Mail Marketing three years ago, which had more than doubled the size of MailPress. Not only did it fail to cover the company in full, but the changes to the business practices and support systems, in particular the move to the Internet and World Wide Web, were not even discussed. Further, while the plan was strong on Disaster Recovery for situations such as that at End Point, it was almost silent on Business Continuity. The one advantage to being on the job for four weeks was that she was not the focus of Mr. Pressly's ire. On the other hand, she quickly realized that she was not knowledgeable enough of the company's operations to update this plan without significant involvement from the various departments in the company.

MailPress Corporation is a mail marketing / web advertising company operating seven different facilities in four states. The company has over 2000 clients of varying sizes and portfolios. Mail marketing involves mailing and distribution of advertising as well as promotional products ordered through the mail, television or Internet. Net income last year exceeded 100 million dollars for the first time in spite of the economic situation. There are currently about 6200 employees, with 800 headquartered in Pittsburgh, Pennsylvania. Its largest operations are in Canton, Ohio and Baltimore, Maryland, with 3100 and 1800 employees in each area respectively. The merger with Flair Mail occurred 27 months ago. Although financial data has been directed to the headquarters datacenter, operational data is still retained at three locations in Canton, Baltimore and Pittsburgh. Each facility is supported by the geographically closest data center, with three in Ohio, two in Maryland and two in Pennsylvania. Over the past two years the major focus of the IT department has been to standardize the IT infrastructure and software across the company.
Human Resources, Accounting and Payroll have been centralized in Pittsburgh, as have all of the web server operations. Marketing and Operations have been standardized, but data are unique at each hub location where data centers reside. Select data for the Corporate MIS is automatically fed from the hubs. Although there were a few hurdles in implementing the current environment, for the past three months things have been working quite smoothly, which probably in part resulted in Wilson's predecessor's decision to retire. Joan Wilson had been looking to further consolidate Marketing and Operations before this latest discussion with Mr. Pressly, who highlighted a much more pressing issue: disaster recovery planning.

At the 2 PM Executive Council Meeting, this became the number one issue on Mr. Pressly's agenda. Wilson was asked what she needed to make this happen. Wilson would assign her sharpest project manager to lead a focus group to update the Company's Disaster Recovery Plan and to develop an effective Business Continuity Plan given the current and projected future operational environment and needs. She highlighted the need for the executives of each department to assign a knowledgeable expert to assist in this effort. She made it clear that these individuals will need to be empowered to obtain the support necessary from their counterparts anywhere in the organization. Mr. Pressly endorsed Wilson's initiative and informed the Council that next month's key agenda item would be to review the completed plan for implementation costs and schedule.

GRADING RUBRIC

Each phase is scored on four columns: Full points, Partial points, No points, and Possible points.

Phase 1: Risk Assessment (Part I Individual, Part II Group)
Full points: Analysis identifies key risks for each business area, completing the template for each element and demonstrating understanding of course concepts, analysis and critical thinking.
Partial points: Analysis is incomplete, either by lacking critical risk areas and/or lacking definitions, explanations or weightings for each, and may indicate a lack of understanding of course concepts, analysis and/or critical thinking.
No points: Analysis not included, or does not identify any requirements.
Possible points: Part I - 15 points; Part II - 15 points

Phase 2: Draft DRP/BCP
Full points: The plans incorporate the key elements identified in Phase I, complete with mitigation strategies demonstrating understanding of course concepts, analysis and critical thinking.
Partial points: The plans are partially appropriate and/or partially explained. They may only partially address critical aspects associated with DR or BC planning.
No points: No technology solution provided.
Possible points: 15 points

Phase 3: Execute the BCP/DRP (2 elements: the plan and the evaluation)
Full points: The plans successfully address the test scenario and effectively protect the business operations to the extent possible. The evaluation by the testing group provides the rationale for noted findings and any recommendations for improvement.
Partial points: The plans are not sufficiently well defined or appropriate to successfully address the scenario, and may be lacking in demonstration of understanding of course concepts, analysis and/or critical thinking. Evaluations fail to adequately justify any finding or shortcoming in the plan.
No points: The BCP/DRP does not address any element needed to successfully address the scenario. The evaluation does not add value in any respect to the plan, regardless of test outcome.
Possible points: 10 points for the plan; 5 points for the evaluation

Phase 4: Final DRP/BCP
Full points: The final plan submission includes graphics and references, rationale on recommendations that were or were not incorporated, and observations and lessons learned through the prior three phases.
Partial points: Elements are missing or only partially explained or substantiated. Inappropriately cited or missing references.
No points: No changes from the draft plan submitted in Phase 2.
Possible points: 10 points

TOTAL: 70 points

Sheet1 (analysis template)
Project Name:
Prepared By:
Date:
Problem Area or Activity: Accounting and Payroll
Key Processes: Payroll, Contracts, Travel, Reporting/Compliance
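As an added example (not part of the assignment or its template), the RISK ASSESSMENT steps above carried through in Python for the MailPress scenario: asset value on a 1 to 5 scale, likelihood on the guideline's 0.1 to 1.0 scale, current controls reducing likelihood by an assumed fraction, and the ranked table that step 5 asks for. Every asset, threat, value, likelihood and control below is constructed for illustration, not taken from the scenario text.

```python
# Added example: a small risk register following the guideline's steps
# (asset value, likelihood 0.1..1.0, current controls, ranked table).
# All entries are constructed from the MailPress scenario for illustration.
from dataclasses import dataclass, field


@dataclass
class Risk:
    asset: str
    classification: str          # Identification 1b: classify the asset
    asset_value: int             # Identification 1a / Assessment 2: 1 (low) .. 5 (critical)
    threat: str                  # Identification 2
    vulnerability: str           # Identification 3
    likelihood: float            # Assessment 1: 0.1 (low) .. 1.0 (high), before controls
    current_controls: list[str] = field(default_factory=list)   # Assessment 3
    control_effect: float = 0.0  # assumed fraction of likelihood the current controls remove

    def residual_likelihood(self) -> float:
        if not 0.1 <= self.likelihood <= 1.0:
            raise ValueError(f"likelihood outside guideline range: {self.likelihood}")
        return round(self.likelihood * (1.0 - self.control_effect), 3)

    def score(self) -> float:
        # Risk = asset value x residual likelihood; this is the value to rank on.
        return round(self.asset_value * self.residual_likelihood(), 3)


# Constructed register: centralized Pittsburgh systems and untested hub restores.
REGISTER = [
    Risk("Web server operations (Pittsburgh)", "Critical", 5, "Data-center fire",
         "Single site; DR plan predates merger", 0.4, ["Fire suppression"], 0.25),
    Risk("HR, Accounting and Payroll data", "Confidential", 4, "Theft / disclosure",
         "Same clearance for all office staff", 0.3, ["Role-based access control"], 0.5),
    Risk("Hub operational data (Canton, Baltimore)", "Internal", 3, "Human error",
         "No tested restore procedure", 0.6, [], 0.0),
]


def ranked(register: list[Risk]) -> list[tuple[str, float]]:
    """Assessment step 5: (asset, risk score) pairs, highest risk first."""
    return sorted(((r.asset, r.score()) for r in register), key=lambda t: t[1], reverse=True)


def render(register: list[Risk]) -> str:
    """Plain-text table in the spirit of the assignment's sheet template."""
    header = f"{'Asset':<42}{'Threat':<20}{'L':>5}{'V':>3}{'Risk':>6}  Current controls"
    rows = [f"{r.asset:<42}{r.threat:<20}{r.residual_likelihood():>5}{r.asset_value:>3}"
            f"{r.score():>6}  {', '.join(r.current_controls) or 'none'}"
            for r in sorted(register, key=Risk.score, reverse=True)]
    return "\n".join([header, *rows])


if __name__ == "__main__":
    print(render(REGISTER))
```

Note that the uncontrolled hub-data risk ranks above the fire risk once current controls are credited, which is why step 3 (listing existing controls) belongs in the table and not only in the narrative.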