Question:
Learning Objectives
- Demonstrate knowledge of risk management concepts. Know how to mitigate risk through the use of controls.
- Analyze the scenario.
- Apply the knowledge in a scenario.
Instruction
XYZ Network Solutions provides network services and value-add communications to customers in several countries in Europe and North America.
The corporate headquarters is in Miami, Florida, with offices in Chicago; London, UK; and Frankfurt, Germany. The company has a sales division with eight employees led by Andre Wisser, human resources with three employees led by Jane Aubin, and Technical and Communications with 45 employees led by Peter ODay. Finance is led by Andrea Worth, but most of the Payroll and Finance functions have been outsourced to a SaaS Cloud Provider.
1- Project Title *?
2- Andrea Worth, Manager, Finance has just asked you whether you have conducted a risk assessment on the Finance systems (payroll, accounts receivable, accounts payable, email, etc.). What is the difference between IT risk and business risk?
3- List some of the threats to an IT system that supports Finance.
4- What are the reasons to implement separation of duties and how can this be done?
5- An asset is worth $10,000. The likelihood of an attack is once every two years with an expected impact of 80% damage. The risk acceptance level is $2000. A control that would reduce the risk to $1000 per event is available at an annual cost of $4000. Should the company implement the control? Calculate SLE, ARO and ALE. Then calculate residual risk once the control is implemented.
6- XYZ Network Solutions has contractual agreements (Service Level Agreements) with its customers and regulatory requirements that require it to maintain certain levels of network and service availability. How should these factors be addressed in the risk assessment? Should this be calculated as a quantitative or qualitative risk assessment?
