CMGT 582 Week 3 Risk Management Paper 1
Risk Management
Christine A. Rosario
CMGT/582
3 November 4, 2014
Professor David Hatfield
Asset ID
Asset Name
Description
Asset Value
Priority
Threat Description
Controls in Place
ARO
Uncertainty
Risk Value
Controls Needed
Action Plan ID
1
IT Rep
Local IT presence
55000
Critical
Absence; skill short-coming; request overload
Alternates / CE: .8
.1
.05
1155
Addt’l training; addt’l backups
AA
2
Security Officers
Facility (& People) Security
75000
Critical
Absence; weapons; stealth
Reliability / Alternates / CE: .9
.001
.001
7.5075
N/A
BB
3
HR Rep
Human Resources
60000
High
Absence; unauthorized disclosures
Alternates / CE: .9
.001
.001
6.006
N/A
CC
4
Security Training
Required, annual, security process
10000
Medium
Lack of compliance
Tracking, Firewalls / CE: .9
.1
.25
125
Addt’l follow-up
DD
5
PeopleSoft
Payroll & employee data software
20000
High
Unauthorized access
User Authentication / CE: .9
.001
.005
2.01
N/A
EE
6
Servers
Hardware
8000
Vital
Unauthorized access; power outage
Anonymous; Secure Access / CE: .8
.05
.01
80.8
Improved network performance
FF
7
Customer Services DB
Database of service accounts
4000
Vital
Unauthorized access; user error
Training; User Authentication/ CE: .9
.05
.05
21
Increased scorecard weight
GG
8
EMS DB
Database of Employee Data
2000
High
Data integrity; user error
Access granted as needed / CE: .7
.1
.2
72
Clearly defined administrators and duties
HH
You may use annual rate of occurrence (ARO) ranges with the following values:
Very Low: .001
Low: .05
Medium: .1
High: .15
Very High: .2
You may use control effectiveness ranges with the following values:
Very Low: .25
Low: .5
Medium: .7
High: .8
Very High: .9
You may use the following ratings for designating priority:
Vital: The business cannot operate if it lost more than a day.
Critical: The business cannot operate if it lost 2 to 5 days.
High: There are major disruptions if the business lost more than a week, which affects parts of the
Christine A. Rosario
CMGT/582
3 November 4, 2014
Professor David Hatfield
Asset ID
Asset Name
Description
Asset Value
Priority
Threat Description
Controls in Place
ARO
Uncertainty
Risk Value
Controls Needed
Action Plan ID
1
IT Rep
Local IT presence
55000
Critical
Absence; skill short-coming; request overload
Alternates / CE: .8
.1
.05
1155
Addt’l training; addt’l backups
AA
2
Security Officers
Facility (& People) Security
75000
Critical
Absence; weapons; stealth
Reliability / Alternates / CE: .9
.001
.001
7.5075
N/A
BB
3
HR Rep
Human Resources
60000
High
Absence; unauthorized disclosures
Alternates / CE: .9
.001
.001
6.006
N/A
CC
4
Security Training
Required, annual, security process
10000
Medium
Lack of compliance
Tracking, Firewalls / CE: .9
.1
.25
125
Addt’l follow-up
DD
5
PeopleSoft
Payroll & employee data software
20000
High
Unauthorized access
User Authentication / CE: .9
.001
.005
2.01
N/A
EE
6
Servers
Hardware
8000
Vital
Unauthorized access; power outage
Anonymous; Secure Access / CE: .8
.05
.01
80.8
Improved network performance
FF
7
Customer Services DB
Database of service accounts
4000
Vital
Unauthorized access; user error
Training; User Authentication/ CE: .9
.05
.05
21
Increased scorecard weight
GG
8
EMS DB
Database of Employee Data
2000
High
Data integrity; user error
Access granted as needed / CE: .7
.1
.2
72
Clearly defined administrators and duties
HH
You may use annual rate of occurrence (ARO) ranges with the following values:
Very Low: .001
Low: .05
Medium: .1
High: .15
Very High: .2
You may use control effectiveness ranges with the following values:
Very Low: .25
Low: .5
Medium: .7
High: .8
Very High: .9
You may use the following ratings for designating priority:
Vital: The business cannot operate if it lost more than a day.
Critical: The business cannot operate if it lost 2 to 5 days.
High: There are major disruptions if the business lost more than a week, which affects parts of the
References: McCormick, C. (2012). CMGT 582: Read Me First Document. Retrieved from https://portal.phoenix.edu/classroom/coursematerials/cmgt_582/20121120/OSIRIS:43490197 Time Warner Cable Online. (2012). Corporate Responsibility. Retrieved from http://www.timewarnercable.com/content/twc/en/about-us/corporate-responsibility/overview.html