2. CODE GALORE

THE PROBLEM

Using figure 2.4, you need to modify the qualitative risk analysis that you performed six months ago to take into account the risks related to Skyhaven Software. The major risks identified during this risk analysis are shown in figure 2.1.

Figure 2.1 - Major Risks

Risk Event | Probability | Impact | Overall Risk Rating
Laptop or mobile device with proprietary data lost or stolen | High | Medium - loss of competitive advantage, negative media exposure | Medium high
Internal network break-in from outside | Medium | Medium high - disruption, systems restoration needed, possible negative media exposure | Medium high
Virus, worm or Trojan infections | High | Medium - disruption, systems restoration needed, unauthorised capture of data, productivity loss | Medium high
Source code stolen by external attacker or insider | Medium low | Medium - loss of competitive advantage, possible negative media exposure | Medium
Denial of service attack(s) | Medium | Medium - disruption, productivity loss, possible systems restoration needed, possible negative media exposure | Medium
Data security breach for personal, financial and/or customer data | Medium low | Medium high - negative media exposure, potential loss of customers, potential lawsuits, regulatory punishments | Medium
Prolonged IT outage | Low | High - disruption, major productivity loss, systems restoration needed, possible negative media exposure | Medium
Pirated software, music or movies used within Code Galore | Low | Medium high to high - major reputational loss, potential loss of customers, large fine | Medium
Attack against others initiated by Code Galore employee | Low | Medium high - negative media exposure, potential loss of customers, potential lawsuits | Medium low
Data extrusion through interception of wireless signals | Medium | Low - policy forbids using wireless for sending proprietary information | Medium low
Sabotage of source code | Medium low | Medium low - loss of productivity (maximum of one to two days to revert to last known good version) | Medium low

You must not only head this effort, but for all practical purposes, you will be the only person from Code Galore who works on this effort.

The Need to Make a Decision

Your revision of the last risk analysis will not only bring Code Galore up to date concerning its current risk landscape, but will also provide the basis for your requesting additional resources to mitigate new, serious risks and previously unmitigated or unsuitably mitigated risks. Additionally, you may find that some risks are lower in severity than before, possibly to the point that allocating further resources to mitigate them would not be appropriate. You may, thus, optimise your risk mitigation investments. To the degree that you realistically and accurately identify new and changed risks, you will modify the direction of your information security practice in a manner that, ideally, lowers the level of exposure of business processes to major risks and facilitates growth of the business. Failure to realistically and accurately identify new and changed risks will result in blindness to relevant risks that will lead to unacceptable levels of unmitigated risk.

Background of the Decision Maker

You have 10 years of experience as an information security manager, five of which as a CSO, but you have no previous experience in the software arena. You also have four years of experience as a junior IT auditor. You have an undergraduate degree in management information systems and have earned many continuing professional education credits in information security, management and audit areas. Five years ago, you earned your CISM certification.

Decision to Be Made

You must revise the most recent risk analysis, not only by reassessing all the currently identified major risks, but also by adding at least three risks that were not previously identified. You must also provide a clear and complete rationale for the risks and their likelihood and impacts (outlined in the Alternative With Pros and Cons of Each section).

2010 ISACA. ALL RIGHTS RESERVED.