Risk Management: Identifying and Assessing the Risks - Assignment Example

Question 1

Project Management Body of Knowledge (PMBOK) is a collection of knowledge areas and processes generally accepted within the discipline of project management as best practice (Haughey, 2011). PMBOK lays down the principles and fundamentals of managing projects irrespective of the project type, whether the project is automotive, engineering, construction or software (to mention a few). There are five fundamental process groups and nine areas of knowledge recognised by PMBOK (Haughey, 2011). These process groups and areas of knowledge apply to all projects, and the basic concepts apply to programs, projects and operations alike. The five process groups recognised by PMBOK are closing, monitoring and controlling, planning, initiating and executing. Throughout the phases of the project the processes interact and overlap; each process can be described by its inputs (designs, plans and documents), the tools and techniques applied to those inputs, and its outputs (products and documents). The nine areas of knowledge are project quality management, project scope management, project integration management, project cost management, project human resource management, project communications management, project time management, project risk management and project procurement management. It is imperative to mention that each of the above areas of knowledge contains a number of project management processes (Haughey, 2011). A significant part of PMBOK is unique to project management, for example the work breakdown structure and the critical path. Some of the knowledge areas mentioned above overlap with other disciplines of management, such as staffing, organising, planning, controlling and executing organisational operations. Planning techniques, organisational behaviour and financial forecasting are also similar.
As stated above, project procurement management is one of the nine areas of knowledge contained in PMBOK. Project procurement management comprises the following processes: solicitation planning, source selection, contract closeout, contract administration, procurement planning and solicitation (Haughey, 2011). It is the part of project management in which the services and products needed to complete the project are purchased and acquired from outside the existing base of employees. Project procurement management can also be viewed as a contract responsibility, where the buyer involved in the project undertakes contractual duties towards another party, the seller. The contract is then placed between the party providing the service and the team bestowed with the task of completing the project. In this respect, project procurement management involves a number of project planning processes, which include deciding what is to be purchased or acquired.

Question two

SecSDLC can be defined as a method used to create new security systems and to improve the security systems that already exist in the organization (Barbara, 2011). SecSDLC comprises different phases, which include change and maintenance, investigation, logical design, physical design, implementation and analysis (Barbara, 2011). The analysis phase begins after the investigation phase. In the analysis phase, the process of formally listing the risk factors in the organization's information system begins. This phase, also referred to as risk identification, involves the identification and justification of risk management controls (Barbara, 2011). In the risk identification stage, the professionals involved play a significant role in the process, because adequate protection must be provided to the organization's information, procedures, data, software, people and equipment.
In order to be successful the analysis phase must be funded and supported by the organization's management. The task of understanding potential threats as part of the analysis phase involves a number of processes. The first process is building layers of defence in order to deter the enemy from breaking into the organization's information system. Understanding potential threats helps to protect against, prevent, detect and recover from any possible attacks. The second process in understanding potential threats in the analysis phase is to understand the enemy and the organization. This involves understanding the weaknesses and strengths of the organization in order to establish where the enemy can enter the organization's information system. Understanding the enemy means prioritising threats in order to determine ways of managing and controlling such risks. One reliable way of understanding the enemy is to categorise the potential threats according to the main target area in the organization. For example, the potential threats or attacks can be categorised as deliberate acts, inadvertent acts, technical failures, acts of God and failures of management (Barbara, 2011). The other reliable way of understanding the enemy is to assess the enemy in order to understand its impact on organizational processes. Some of the questions that can be asked in understanding the enemy include: which types of threats present the greatest danger to the assets of the organization, and what is the cost of recovering from the enemy's attacks? You can be sure you have covered all the bases when the above and many other questions have been answered and all the organizational assets are secured from the enemy's attacks.

Question three

A disaster recovery plan (DRP) is also referred to as a business continuity plan (BCP).
It is a term that defines the methods the organization has in place in order to deal adequately with any disasters that may potentially affect the organizational processes (Devlen, 2003). A disaster in this context is any occurrence that makes it impossible for the organization to execute its processes as planned. The disaster recovery plan aims at restoring the normal functions of the organization when a disaster strikes, or it sets out the measures to be taken in order to minimize the effects and impacts of the disaster so that the functions of the organization can resume as planned. The disaster recovery plan should focus on information technology, because many critical business processes and critical missions in the organization run on a technological infrastructure that comprises data, applications and information technology hardware (Devlen, 2003). The disaster recovery plan comprises different elements. The first element is regulatory requirements. In order to define the requirements for disaster recovery in the organization, the regulations set by regulatory agencies must be understood and documented. Hence, the organization must ensure that it achieves compliance with the regulations. The second element of a DRP is policy and strategy. A policy for disaster recovery must be present in the organization, and it should reflect business continuity objectives. The policy creator must have a thorough understanding of the limitations and expectations of the organization's leadership. The third element is asset management. A proper and accurate asset database must be established in the DRP; this helps to determine what to recover when a disaster strikes. The fourth element is application analysis. Application interdependencies in the organization must be understood, in addition to compiling an inventory of the applications that serve the organization.
Knowing who maintains the applications and integrating those people into the disaster recovery team is imperative. The fifth element is risk assessment. This involves understanding the potential threats, risks or enemies that face the organization, which helps in designing proper measures for mitigating such risks and potential threats. Other elements include business impact analysis, change management, emergency response, data storage integration, building, testing and maintaining plans, as well as business processes (Devlen, 2003). One thing missing from this list of DRP elements is enhancing the understanding of the people in the disaster recovery team through education or training of the team members. This would go a long way towards enhancing the disaster recovery process.

Question four

A good example of an enterprise information security policy is that developed by Harvard University, whose purpose is to define the security practices for the devices, technological resources and communication associated with the processes at Harvard University (Harvard University, 2011). An enterprise information security policy can therefore be viewed as the process of protecting information and every other element associated with that information, such as storage hardware and systems, its processing or use, as well as the process through which the information is transmitted. The four main aspects of the policy are the confidential information storage policy, the human subject information policy, personally identifiable medical information, and the policy for obtaining confidential information regarding the university. The confidential information storage policy holds that members of the Harvard community are not permitted to store confidential information that is categorised as high-risk information related to activities at the University.
Members are not permitted to store information on Harvard University related activities on a portable device or an individual computer. Information categorised as confidential and high-risk which is stored on servers must be protected. The human subject information policy at the university, which is part of the enterprise information security policy, holds that the Harvard Institutional Review Board (IRB) must approve research activities, including those involving human subjects (Harvard University, 2011). Inappropriate or inadvertent disclosure of research information related to human subjects must be prevented at all costs. The third policy which is part of the enterprise information security policy at Harvard University requires medical information that can be linked to individuals to be subject to the Health Insurance Portability and Accountability Act (HIPAA) (Harvard University, 2011). When such medical information is stored or used by Harvard University units, those units must be treated as covered entities under HIPAA. The fourth policy comprises the requirements for obtaining confidential information related to Harvard University. One of the requirements is that the university helpdesk must be contacted. The helpdesk will provide the person responsible with the services resource directory in which confidential information about individuals can be obtained. In order to access reporting applications and financial information at the university, the Authorized Requester must be used to obtain such information, as one of the ways of enhancing the security of information and resources at the university (Harvard University, 2011). The policy might be used as the platform for determining the type of information that can be released to the public or to researchers in the University, and the type of information that should be concealed from researchers or members of the Harvard community.

Question five

One of the recent information security breaches involves Apple Inc.
where a security breach exposed more than 110,000 iPad owners. Among the people exposed were top politicians, military officials and Chief Executive Officers of different companies. Such users were exposed to malicious hacking and spam marketing (Kenneth, 2010). This occurred after an iPhone prototype was lost by one of the company's employees in a bar. The other information security breach occurred at CardSystems Solutions, where more than 30 million cardholders were at risk of losing funds or important information after the company's computers were invaded by a Trojan virus. In the process more than 200,000 cardholders were affected and their funds were stolen. This information security breach occurred because the card data was improperly stored in the company's computer systems (Schwartz, 2011). The purpose was to undertake research on the transactions involving the company's cards. However, leaving the data encrypted paved the way for the Trojan virus to find its way into the computer systems. The third security breach occurred at NASDAQ OMX Group in 2011, where the company's server was breached (Schwartz, 2011). Suspicious files which were not related in any way to the company's trading activities were detected and later eliminated from the system. However, the security breach had not affected customer information. The main target was the Director's Desk itself, which comprises key information regarding the company's operations. From the above three security breaches, it is evident that the main targets were large firms and companies such as Apple Inc., NASDAQ OMX Group and CardSystems Solutions. The financial industry seems to be the main target because the enemy realizes that by infiltrating the customers' information, funds can be accessed and withdrawn using that same customer information.
The main purpose of hacking and other methods of information theft is to steal important and confidential customer information which can be used to profit the hackers (Dimattia, 2001). Breaches at smaller companies are also likely to occur, but they are not as likely to make the news. The first reason for this is that smaller companies might not be known to a large segment of the population (Dimattia, 2001). For example, a pharmaceutical company in California might not be known in New York, and hence any security breach at this company might not attract the attention of the media. Second, such a company might have few customers compared to companies such as Apple Inc., which serve millions of customers worldwide.

Works Cited

Barbara, A. Risk Management: Identifying and Assessing the Risks, 2011. http://tc.templejc.edu/dept/cis/BCarpenter/itsy1342/chapter4notes.html
Devlen, A. 12 Key Elements of Enterprise-Wide Disaster Recovery Plan, 2003. http://archive.itmanagementnews.com/articles/0310ad.html
Dimattia, S. Planning for Continuity. Library Journal, 2001, 32-34.
Haughey, D. The Project Management Body of Knowledge (PMBOK), 2011. http://www.projectsmart.co.uk/pmbok.html
Harvard University. Information Security and Privacy, 2011. http://www.security.harvard.edu/heisp
Kenneth, L. Business Continuity Planning: A Step-by-Step Guide with Planning Forms on CDROM, 2010.
Schwartz, M. NASDAQ Confirms Servers Breach, 2011. http://www.informationweek.com/news/security/attacks/229201276