Question:
Can anyone help me to answer the first and second questions, please?
Risk-Based Decision
We have been talking about risk-based decisions since your first day in this course. You heard it in Module 2, given that it is one of the twelve principles. So, what are these things called risk-based decisions?
Well, this first discussion topic provides you an opportunity to provide just that, making a risk-based decision. You are provided a scenario and need to respond to the question based on the information provided in the scenario.
Risk-Based Decision Scenario:
You work for a mid-to-large auto financial Firm located in the Dallas/Fort Worth Metroplex providing vehicle loans to prospective customers seeking to purchase new, used, or leased vehicles from local car dealerships within the greater Dallas/Fort Worth Metroplex. You are the lead systems security engineer leading a team of young talented security engineers responsible for maintaining the Firm's loan origination, processing, approval, and loan payment platforms. Essentially, your team is responsible for the number one critical business process within the Firm generating between 5-10 million dollars in transactions per day.
The business process has platforms connected to the Internet where potential customers can view different loans, make an application for a loan, make monthly loan payments, or chat with a customer service representative. These Internet-facing systems have back-end connections to the Firm's Production network. Communications between the Internet-facing applications and the back-end systems are through a vendor-provided complex series of applications specifically developed to ensure no one can directly access the Firm's Production network. Several financial firms use this vendor-provided complex series of specifically developed applications, ensuring no one can directly access those financial firms' Production networks.
Your boss has asked you to drive to San Antonio and attend a Cyber Security conference and meet with a potential new vendor offering machine learning user behavioral capabilities that your boss believes can enhance the Firm's cybersecurity capabilities. Your boss insists this is your priority over everything else, including tasking from the business you support.
Upon arrival in San Antonio, you have set up a meeting with this potential new firm. The potential new vendor is only in San Antonio for Day one of the conference and then is off to Japan for a month-long exhibition marketing their new product.
Several of your team members are on vacation or out of the office on other business. You are the only one on your team who knows how to perform maintenance on the vendor-provided complex series of applications.
You travel to San Antonio and arrive early at the conference at about 7 AM. Your meeting with the potential new vendor will not occur at noon.
You just received a phone call at 7:30 AM from your business counterpart informing you that a critical flaw has been found in the vendor-provided complex series of applications allowing someone from the Internet to access back-end production networks containing sensitive and personal information. Additionally, you see a CNN news Flash stating that several financial firms have reported being breached by some unknown organization.
Your business counterpart informs you that the vendor responsible for these applications has a fix for their application and that your business counterpart has the fix and is ready for you to perform the necessary updates on their system. The fix takes about 30 minutes to perform from start to finish.
You inform your business counterpart that you are in San Antonio attending a conference where your boss asked you to meet with a potential vendor. Your business counterpart informs you that you have a ticket on the first flight from San Antonio to DFW taking off in 90 minutes and that they have a car waiting for you at DFW upon your arrival.
You call your boss and explain the situation, and they inform you in a rather stern tone that your number one priority is to meet with the potential new vendor over all other priorities.
Risk-Based Decision Scenario Question:
1. What course of action do you take: stay and talk to the vendor, catch the flight from San Antonio to DFW and fix the application, or do something else (stating what you would do)? You must provide a supporting rationale for your decision.
Risk Decision Scenario:
You are the Chief Information Security Officer (CISO) and report to the Chief Operating Officer (COO), the Business Leader. You have recently updated a risk assessment on one of the COO's business-critical applications. Your risk assessment indicates that the risk associated with this business-critical application could be material to the organization. Material used in this context is defined as:
"A concept that defines why and how certain issues are important for a company or a business sector. A material issue can have a major impact on the financial, economic, reputational, and legal aspects of a company, as well as on the system of internal and external stakeholders of that company." (Reference: https://www.datamaran.com/materiality-definition/)
You discuss this risk with the COO's line of business leader who manages the application, getting additional context regarding the application in question and what options may be available to reduce the risk associated with this business-critical application. You agree that the COO should be aware of this potential material risk and get on the COO's calendar. You both present the results of the risk assessment and options available for reducing the potential risk to the COO. The COO asks several questions, which are answered to their satisfaction. The COO decides to accept the risk that is within their authority as established by organizational policy.
Risk Decision Scenario Question:
2. What do you do (e.g., accept their decision, ask for clarification on their decision, go over their head to the Chief Executive Officer), and why and how did you arrive at this course of action? You must provide a supporting rationale for your decision.