Project 3 – CS Report

Adapted from ISACA Educational Resources


I. Title: Risk Assessment & Management

II. Introduction

During your last semester and with graduation just months away, you’re thrilled to have been hired as an Information Systems Risk Analyst by the well-established firm XYZZY Consulting, in Largo, MD. You’ve had a few years of work experience in information assurance and are studying for the Risk and Information Systems Control (CRISC) certification offered by ISACA. At the end of your third month at XYZZY Consulting, you are assigned to your first independent customer engagement. You will be conducting a risk assessment for PridePoint Bank & Trust. Eager to get started, you ask your supervisor, Sheryl Shapiro, to provide you with background information on PridePoint.

Sheryl says, “PridePoint, a mid-sized regional bank with 2,150 employees and 700 contractors, went public one month ago. Before going public, the bank implemented cost-cutting strategies and growth in its customer base. Because resources are limited, chief information officers (CIOs) need to know which risk most urgently requires attention. As a reminder, probability is quantitative, thus if the consequence of an event is quantifiable, the associated risk is therefore also quantitative. The results of this risk assessment can be used to prioritise risks so that the most urgent risk is given attention before less urgent risks. Time and other resources are always limited!”

Further, Sheryl says, “You will be in direct communication with Jeff Kurtz; he’s the lead CIO at PridePoint. Jeff will not give you access to PridePoint information systems, so I encourage you to ask questions of the employees and contractors within Jeff’s department. Be sure to review the network diagrams and policies associated with all aspects of technology at PridePoint. You will submit your report directly to Jeff; it should be well developed with clearly supported recommendations. I will send you more information about the client via email (see appendices).”

Competencies:

1) Communication: Demonstrate the ability to communicate clearly both orally and in writing. Actively listen and effectively deliver information in multiple formats tailored to the intended audience.

2) Decision-making: Objectively identify and critically assess issues and use professional judgment to develop appropriate decision models, identify and analyze the costs and benefits of alternative courses of action and recommend optimal solutions.

3) Ethical conduct: Study and behave in accordance with the UMGC’s Philosophy of Academic Integrity, in a manner bound by ethical principles for the protection of society, and in accordance with professional and ethical standards of the AICPA and other accounting organizations.

4) Professional behavior: Demonstrate a work ethic of timeliness, respect for diversity, and continuous learning consistent with high professional standards set by the AICPA and other accounting associations.

 

 


5) Project management: Plan and manage individual and team work flow through effective utilization of time and other resources to accomplish objectives.

6) Reporting: Identify the appropriate content and communicate clearly and objectively to the intended audience the work performed and the results as governed by professional standards, required by law or dictated by the business environment.

7) Research: Identify, access, and apply relevant professional frameworks, standards, and guidance, as well as other information for analysis and making informed decisions.

8) Risk assessment, analysis, and management: Assess, analyze, and manage risk using appropriate frameworks, professional judgment and skepticism for effective business management.

9) System and process management: Identify the appropriate business processes and system(s), related frameworks, and controls to assist in the design and use of systems for efficient and effective operations.

10) Technology and tools: Identify and utilize relevant technology and tools to analyze data efficiently and effectively and support other competencies.

 

III. Steps to Completion

1. Prepare a network diagram based on your interviews, reflecting your understanding of the PridePoint network in its current state. Include:

a. Zone boundaries
b. Connection points and links
c. Known security capabilities

2. Review the list of risks identified by the Director of Technology Operations. For each risk, based on your interviews:

a. Estimate the difficulty in detecting the threat event given current capabilities.
b. Identify a vulnerability that aligns with the threat event.
c. Summarise a possible consequence associated with the risk.

3. Select the most serious risk based on your assessment and your understanding of the enterprise risk appetite.

4. Based on the work that you have done in this case, how would you summarise the overall level of IT risk in your report to the CIO?

5. What are the benefits of providing an overall level of IT risk? Are there any downsides?

 

 

 


IV. Deliverables

• Submit a WORD document, which will contain the final Cybersecurity Risk Management Report for PPP Manufacturing.

V. Helpful Hints

• There will be discussion forums dedicated to discussing this project.

• Read the grading rubric before beginning the project to fully understand the requirements; ask questions about the requirements if needed.

• Prepare a draft version of your description before it’s due.

• Ask a classmate, friend, or family member to read your description and offer feedback.

• Submit your work to the graduate writing tutors if needed.

• Submit the deliverable on or before the due date.

• Review the penalty for late submissions, which is posted in the syllabus.

• Ask your professor questions as needed.

VI. Rubric

You will find a rubric in LEO under Content>Course Resources>Projects & Rubrics.

 

 

 


Appendix A Risk Management & Assessment

Risk management refers to the co-ordinated activities taken by an enterprise to direct and control activities pertaining to risk. Risk management is an active process, not simply a form of elaborate observation. ‘Control’, when used as a verb in the context of risk management, is often used as a synonym for ‘measure’. However, the results of measurement must be used as the basis for directing actions and activities. Comprehensive risk management includes four steps:

▪ Identification
▪ Assessment
▪ Mitigation (response)
▪ Ongoing monitoring and reporting

Risk assessment is a process used to evaluate risk on the basis of its probability and the impact of consequences upon operations. Probability is a function of two inputs:

▪ Threat, which is anything that is capable of acting against an asset that can result in harm; and

▪ Vulnerability, which is a weakness that allows effects upon a system exposed to a threat.

Risk scenarios identify risk on the basis of threats. Risk assessment establishes difficulty of detection and whether a corresponding vulnerability may exist.

 

 

 

 


Appendix B Bank Profile

PridePoint is the dominant bank across three states with 92 branch locations.

Number of Branches

92 branch locations.

Customers

Customers include both individual consumers and regionally established businesses. Most account holders have been with PridePoint since at least a year before it went public. Largest business customers average revenues in excess of $57 million per year.

Board of Directors

A five-person board of directors with a non-executive chairman. The Board is pleased with PridePoint profitability but is concerned about controlling risks. To address this concern, the CEO has mandated that risk assessments be completed across the enterprise, as follows:

▪ The CFO has directed Operational Risk Management to lead the assessment of consumer and commercial banking.

▪ The SVP of Administration has tasked Physical Security with assessment of facility and workforce risks.

▪ The COO has directed the CIO to identify risks associated with information technology and systems.

Financials

▪ Total assets of $3.6 billion
▪ Non-interest income is 19.2% of total revenue
▪ 84.1% loan-to-deposit ratio

Primary Business Goal

Increase profitability in anticipation of an initial public offering (IPO) in five years.

Strategy

The strategy for meeting the primary business goal is two-fold: 1) Increase non-interest-bearing deposits; and 2) Reduce operating costs. PridePoint has so far retained most of its pre-merger customers, and their continued retention is considered essential to the business strategy.

PridePoint’s Competition

Miners Bank is PridePoint’s largest competitor. It is a privately held bank with total assets of $2.6 billion and 57 branches. Up until six months ago, PridePoint had been steadily taking market share from Miners by focusing on marketing the advantages of banking with a regional giant. Miners recently unveiled a marketing message that customers’ money is safer with a privately held bank.

 

 

 


 

Appendix C Organizational Chart

 

▪ The CEO has three direct reports:

o Chief financial officer (CFO)
o Chief operating officer (COO)
o Senior vice president (SVP) of Administration

▪ Technology Operations and Information Security report to the COO through the CIO.

▪ Facilities and Physical Security report to the SVP, Administration through Human Resources.

▪ Procurement oversees contractors and reports to the CFO.

▪ Operational Risk and Internal Audit report to the CFO.

 

 


Appendix D Risks Identified

Category | Threat Event | Targeted Asset or Resource | IT Risk Category
-------- | ------------ | -------------------------- | ----------------
Architecture | Regional event affecting connectivity and/or power | Physical Infrastructure, IT Infrastructure | Operations/Service
Architecture | Consolidation into a single-zone network | Physical Infrastructure, IT Infrastructure | Benefit/Value, Project Delivery
Environmental | Loss of cooling capacity within a data centre | Physical or IT Infrastructure: Data centre 3 | Operations/Service
Information | Customer data accessed without permission | Information | Operations/Service
IT Expertise & Skills | Key knowledge lost due to employee departures | Applications, IT Infrastructure | Operations/Service
Logical Attacks | External parties direct cyber-attacks against the network | Applications, IT Infrastructure | Operations/Service
Program/Project Life Cycle Management | IT projects cost more or take longer than planned | People and Skills, Process | Project Delivery
Staff Operations | Data transaction processed on wrong system | Information, Applications | Operations/Service
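The following is an added worked example, not part of the ISACA/UMGC assignment text. It takes the eight threat events listed in Appendix D and applies the prioritisation idea from Appendix A and the introduction: a qualitative score that folds in detection difficulty (step 2a), an expected annual loss where the consequence is quantifiable (the "probability is quantitative" reminder), a ranking, and a comparison against an assumed risk appetite (step 3). Every probability, impact, detection-difficulty and dollar figure below is a constructed placeholder for illustration, and the appetite thresholds are assumed; none of them are PridePoint's actual assessment values.

```python
"""Prioritising a risk register: added example, not part of the assignment.

Scores the Appendix D threat events with CONSTRUCTED placeholder values and
produces two views: a qualitative FMEA-style risk priority number
(likelihood band x impact x detection difficulty) and a quantitative expected
annual loss (probability x consequence) where the consequence is quantifiable.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    category: str
    threat_event: str
    probability: float                # annual probability of the event, 0..1 (placeholder)
    impact: int                       # 1 (negligible) .. 5 (severe) (placeholder)
    detection_difficulty: int         # 1 (easily detected) .. 5 (very hard) (placeholder)
    loss_usd: Optional[float] = None  # quantified consequence; None if not quantifiable


def likelihood_band(probability: float) -> int:
    """Map an annual probability onto a 1..5 ordinal likelihood band."""
    for band, upper in enumerate((0.05, 0.15, 0.35, 0.60), start=1):
        if probability < upper:
            return band
    return 5


def risk_priority_number(risk: Risk) -> int:
    """Qualitative score; harder-to-detect events score higher, all else equal."""
    return likelihood_band(risk.probability) * risk.impact * risk.detection_difficulty


def expected_annual_loss(risk: Risk) -> Optional[float]:
    """Quantitative score, defined only when the consequence has a dollar value."""
    if risk.loss_usd is None:
        return None
    return round(risk.probability * risk.loss_usd, 2)


def rank_register(register):
    """Most urgent first: by priority number, then by expected loss (unquantified counts as 0)."""
    return sorted(register,
                  key=lambda r: (risk_priority_number(r), expected_annual_loss(r) or 0.0),
                  reverse=True)


def exceeds_appetite(risk: Risk, appetite: dict) -> bool:
    """True if either the qualitative or the quantitative score is above appetite."""
    eal = expected_annual_loss(risk)
    return (risk_priority_number(risk) > appetite["max_rpn"]
            or (eal is not None and eal > appetite["max_expected_loss_usd"]))


def most_serious(register, appetite: dict) -> Optional[Risk]:
    """Top-ranked risk that breaches appetite, i.e. the one to address first."""
    for risk in rank_register(register):
        if exceeds_appetite(risk, appetite):
            return risk
    return None


# Constructed placeholder scoring of the Appendix D threat events (not real figures).
REGISTER = [
    Risk("Architecture", "Regional event affecting connectivity and/or power", 0.10, 5, 1, 1_200_000),
    Risk("Architecture", "Consolidation into a single-zone network", 0.50, 4, 4, None),
    Risk("Environmental", "Loss of cooling capacity within a data centre", 0.20, 4, 2, 400_000),
    Risk("Information", "Customer data accessed without permission", 0.30, 5, 5, 2_500_000),
    Risk("IT Expertise & Skills", "Key knowledge lost due to employee departures", 0.40, 3, 3, 300_000),
    Risk("Logical Attacks", "External parties direct cyber-attacks against the network", 0.60, 4, 4, 900_000),
    Risk("Program/Project Life Cycle Management", "IT projects cost more or take longer than planned", 0.55, 2, 1, 250_000),
    Risk("Staff Operations", "Data transaction processed on wrong system", 0.25, 3, 3, 150_000),
]

# Assumed enterprise risk appetite (placeholder thresholds).
APPETITE = {"max_rpn": 40, "max_expected_loss_usd": 500_000}


if __name__ == "__main__":
    for r in rank_register(REGISTER):
        eal = expected_annual_loss(r)
        eal_txt = f"${eal:,.0f}" if eal is not None else "n/a"
        flag = "EXCEEDS APPETITE" if exceeds_appetite(r, APPETITE) else ""
        print(f"{risk_priority_number(r):3d}  {eal_txt:>12}  {r.category}: {r.threat_event} {flag}")
    top = most_serious(REGISTER, APPETITE)
    print("Most serious:", top.threat_event if top else "none above appetite")
```

Keeping the qualitative and quantitative scores separate matters in practice: the single-zone consolidation risk has no defensible dollar figure, so a register that ranked only by expected loss would silently push it to the bottom, whereas the priority number still surfaces it. The appetite check is deliberately an "either threshold" test so that a risk can be escalated on either basis.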
