INF80043: IS/IT Risk Management Report for Young Acorn Foundation

Added on 2022/09/29
AI Summary
This report presents an IS/IT risk management analysis for the Young Acorn Foundation (ACORN), a non-profit organization focused on community development. The project involves the expansion of ACORN's Child Development Activities (CDA) through its Community Development Program (CDP) across multiple countries. The report begins with an executive summary, table of contents, and an introduction to ACORN's background, purpose, and scope. It then delves into risk management, including risk assessment using the ISO/IEC 27001 framework, identification of threats and vulnerabilities (electronic, physical, employee compliance, human errors, and managerial), control analysis, impact analysis using qualitative methods, and risk determination. The report also includes control recommendations, an overview of relevant laws and regulations, and a detailed risk mitigation analysis with recommendations. Finally, the report concludes with a summary of findings and recommendations for effective risk management strategies to address the identified risks within ACORN's CDP project.
Running head: IS/ IT RISK MANAGEMENT
IS/ IT Risk Management Project: The Young Acorn Foundation
Executive Summary
ACORN is a non-profit organization that is looking to extend and improve its Child
Development Activities (CDA). Through its Community Development Program (CDP), the
organization intends to expand and operate across several countries, creating employment
opportunities for people in under-developed communities alongside the business expansion.
The operation will also take place in the competitive environment that NFP organizations
currently face, including the threat posed by competitors. Since the area of operations will
spread across different countries, the project carries several risks that need to be identified
and mitigated. This report examines whether the CDP project carries such risks and how the
information involved in the project could expose it to them. The salient features of a risk
mitigation framework are used to analyse the impending risks, including the identification
and analysis of the threats and vulnerabilities relating to the technical, operational and
managerial risks. The report then proceeds through an impact analysis of the threats using
qualitative methods, a control assessment and likelihood analysis of the critical
vulnerabilities, and a review of the legal and regulatory requirements and the key
environmental factors affecting the organization. Finally, recommendations are made for
effective mitigation strategies for the identified risks.
Table of Contents
1. Introduction
1.1 Background of the Organization
1.2 Purpose
1.3 Scope
2. Risk Management
2.1 Risk Assessment
2.1.1 System Characterization - Utilizing the salient features of the Risk Mitigation Framework ISO/IEC 27001
2.1.2 Identification of Threats and Vulnerabilities and their Impacts on the Company
2.1.3 Control Analysis measures
2.1.4 Control Analysis
2.1.5 Impact Analysis by Qualitative Methods
2.1.6 Risk Determination
2.1.7 Control Recommendation
2.1.8 Laws and Regulations
2.2 Risk Mitigation
2.2.1 Risk Mitigation Analysis and Recommendation
3. Conclusion
References
1. Introduction
1.1 Background of the Organization
ACORN, the Young Acorn Foundation, is a tier 2 NFP organization focused on
community development within marginalized areas. ACORN operates mainly in the Asia and
Pacific regions and has a presence in every major city of Australia and of the Asian and
Pacific countries in which it works, for coordinating community development activities (CDA)
and fund-raising campaigns. ACORN has also launched a new community development
program (CDP) that encourages under-developed communities to work together within a
cooperative model and produce goods such as natural produce or crafts. Although it operates
in multiple countries, ACORN follows Australian law. This becomes difficult when employees
operating in a host country are required to disclose confidential information to that
country's authorities, which might be unlawful under Australian law.
1.2 Purpose
Risk management can be defined as the process of identifying, assessing and
controlling the different types of threats to an organization's earnings and capital (Lam
2014). These threats can stem from a wide variety of sources, such as financial uncertainty,
errors in strategic management, natural disasters and legal liabilities. A successful risk
management plan considers the potential risks and threats in advance and so protects the
future of the company (Hopkin 2018), because a robust plan helps the organization establish
processes that avoid potential threats and reduce their impact.
1.3 Scope
A risk management plan is required for all types of IT and IS assets and resources in
a company. ACORN is a tier 2 not-for-profit organization that has added new aspects and
features to its business. This report outlines the ACORN case study and discusses in detail
the project that ACORN is taking up as the CDP. The potential risks are considered in this
case according to the ISO/IEC 27001 framework, with the risks segregated into technical,
operational and managerial aspects. The risk mitigation strategies are then identified, along
with the recommendations that the organization would most likely take up to address the
impending risks.
2. Risk Management
2.1 Risk Assessment
The primary concern for ACORN is the new Community Development Program (CDP)
that it is trying to establish. The program aims to encourage under-developed communities to
come forward and work together under a cooperative model. Through this collaboration the
organization wants to enable the manufacturing of certain products while also supporting the
under-developed people involved. The program is unique in that it operates across multiple
countries; consequently, the legislation governing its operations varies with each country in
which the project and the organization operate. The market in this area is competitive, with
NFPs continually devising strategies to bring forward the less privileged members of society.
2.1.1 System Characterization - Utilizing the salient features of the Risk Mitigation
Framework ISO/IEC 27001
ISO/IEC 27001 is the standard for an Information Security Management System
(ISMS); its features are used here for developing risk mitigation strategies, and it covers the
procedures for analysing the legal, technical and physical controls during an organization's
risk management process (Sweeting 2017). For ACORN, the following steps of the standard
would be followed to identify the risks and approach the risk mitigation plan:
Defining a security policy
Defining the scope of the ISMS for the CDP project
Conducting the risk assessment and managing the identified risks
Selecting the control objectives that need to be implemented
Preparing the statement of applicability
Several control areas of the standard also need to be addressed in this case:
Risk assessment
Security policy
Organization of information security
Asset management
Human resources security
Physical and environmental security during the CDP
Access control
Information systems acquisition, development and maintenance
Business continuity management
Compliance
2.1.2 Identification of Threats and Vulnerabilities and their Impacts on the Company
The threat and vulnerability identification works through several aspects of ACORN
and its business operation so that the project, its operation and its impact on the business
are fully understood and the risks of the CDP project to the organization can be identified.
The following business aspects therefore need to be identified in order to see clearly the
risks the project poses to the business:
i) Identification of Threats: This is a vital stage in the information security risk
management of any organization (Webb et al. 2014). The potential sources of harm to
information and assets are identified, which makes it much easier for the company to
recognize its threats relating to both information security and information technology. It is
also effective in reducing the impact of hacking and similar threats (Brustbauer 2016). The
threats identified for ACORN in this respect are set out in the table below:
Possible Threats and Threat Assessment
1. Electronic Threats: Electronic devices may be used to implement the project procedures, and these devices carry threats relating to the storage, capture and retrieval of information on them.
2. Physical Threats: Accidents caused by insufficient attention to safety during the project might result in physical or mental harm to the employees.
3. Employee Compliance Threats: People involved in the project might find the legal compliance requirements difficult to follow, or might have misinterpreted them, and consequently not follow them at all.
4. Human Errors: General human errors also threaten to create problematic situations that could pose an immense risk to the integrity of the project information.
5. Managerial Threats: Mismanagement of the people associated with the project could lead to further errors in the overall management of the project, including all the information associated with it.
Table 1: Threat Analysis Table
(Source: Created by the Author)
ii) Identification of Vulnerabilities: System-level and software vulnerabilities put the
availability, integrity or confidentiality of every identified asset at risk. Deficiencies and
weaknesses in the organizational processes must be identified effectively and without undue
complexity; doing so lowers the chance of information being compromised and benefits the
organization (Teller, Kock and Gemünden 2014). For ACORN's CDP project, the information
vulnerabilities described in this respect constitute the primary vulnerability of the business.
2.1.3 Control Analysis measures
iii) Identification of Controls: The final stage in this process of information security
risk management is the identification of controls (Fenz et al. 2014). A control directly
addresses an identified threat and provides a way of mitigating it. It is generally done after
reviewing each risk and cross-referencing the user directory of the company.
ACORN, being a significant and well-known charity organization, is required to
maintain its information security and information technology management practices properly
so that no threat or risk leaves it exposed (Pritchard and PMP 2014). These risks and threats
have a major negative impact on the organization's customer base, particularly when
sensitive data is affected. The organization's customers might lose confidence and no longer
feel that their data is safe and secure, which is a serious exposure for ACORN because it
provides charity services (Glendon and Clarke 2015). The impact of this risk also depends on
the kind of data involved. The following are probable controls for the threats identified:
Threats Identified and Control Measures
1. Electronic Threats: Monitoring of the operation of the devices.
2. Physical Threats: Monitoring the conditions under which people are working and whether they are suitable for the required project work, to ensure the safety of the people.
3. Employee Compliance Threats: Communicating with employees to confirm that all business compliance information is well understood.
4. Human Errors: Monitoring people's work against the standardized plan set for the project.
5. Managerial Threats: Management monitoring at set intervals.
Table 2: Control Analysis Table
(Source: Created by the Author)
2.1.4 Control Analysis
The table below gives, for each identified threat, the control assessment and the likelihood analysis.
Electronic Threats (Likelihood: Somewhat Likely): Electronic threats could be effectively addressed by implementing security measures on the devices. The easiest forms of security are standardization of software, network protection measures, keeping software upgraded and patched, and strengthening access control (Lavell and Maskrey 2014). Employees should also be trained properly so that they can use the electronic devices in a better manner.
Physical Threats (Likelihood: Very Likely): The physical threats to ACORN pose a serious risk to its IT/IS and confidential data (Gatzert and Martin 2015) and should be eliminated so that security is maintained under every circumstance. One of the most effective solutions to physical threats is locking the server rooms and placing them under surveillance. Workstations should be properly secured and an additional layer of security added to portable devices so that there is no scope for such threats (Pulwarty and Sivakumar 2014). ACORN should also improve its defences against physical security threats in general. Technical threats are also very common for the organization, and since it operates in several countries, technical failure could be frequent; to deal with these issues it is vital that every system is upgraded periodically and the contingencies are well monitored and evaluated under every circumstance (Lundqvist 2015), which would also equip ACORN to deal with such issues in the future.
Compliance Violations (Likelihood: Somewhat Likely): The solution to any type of compliance violation in ACORN is the establishment of a stronger foundation for the business. With proper training the employees can build a culture of integrity and re-evaluate their strategies (Teller, Kock and Gemünden 2014), which makes it easier to reduce compliance violations in ACORN.
Failure in Infrastructures (Likelihood: Less Likely): Infrastructure failure can be addressed by bringing cloud storage into the business. Data and other organizational information should not depend on local systems and servers but should be kept on a virtual platform for better file syncing and sharing, securely connected to the distributed data sources (Meyer and Reniers 2016). Implementing an IT disaster recovery plan is another important solution for this issue.
Human Errors (Likelihood: Very Likely): Human error could be addressed by providing periodic training to the staff. Access to sensitive systems should be limited and a strong DR plan developed so that data remains accessible without exposure to such threats or risks (Hayne and Free 2014). Identifying the primary sources of inaccuracy is the second important solution to human errors, and the problem could also be addressed by involving a specialized workforce.
Unified business policy for multi-nation operation (Likelihood: Very Likely): This threat may lead to the CDP project failing completely in one country while succeeding in another, so that a unified success can never be achieved for ACORN.
Table 3: Likelihood Analysis Table
(Source: Created by the Author)
2.1.5 Impact Analysis by Qualitative Methods
Information security risk management is one of the most important requirements in
any business, and that includes the CDP project for ACORN. It enables the management of
the risks and threats to confidential information and data, as well as to the resources and
assets, whose compromise would raise the risk impact to a high level (Van Staveren 2018).
The six identified threats to ACORN need to be treated with the help of proper standards,
guidelines and frameworks. The following is the qualitative analysis of the impact of each
identified threat, based on the information gathered about the project:
Electronic Threats: The information storage and management system would be hampered by the threats directed at the project and the organization (Iqbal et al. 2015). Failure of, or risk to, the electronics used in the project would jeopardize the project information relating to the employees and the under-privileged people.
Physical Threats: The physical threats would impact device management, which in turn would threaten the project information relating to the employees and the under-privileged people.
Compliance Violations: Information security management within an organization operates under several compliance obligations relating to the information security systems that need to be maintained (Grote 2015). Not abiding by them might bring legal complications for ACORN.
Failure in Infrastructures: Failure of the infrastructure may eventually bring about the downfall of the entire project.
Human Errors: Human errors in the management of project information relating to the employees and the under-privileged people might cause several violations of the regulations on confidential information.
Unified business policy for multi-nation operation: Compliance with the information security legislation of one country in which the CDP project runs might amount to non-compliance in another (Lundqvist 2014). This may result in the failure of the project in one country even if it succeeds in others, so that overall success of the business project cannot be attained.
Table 4: Impact Analysis
(Source: Created by the Author)
2.1.6 Risk Determination
2.1.6.1 Risk Level Matrix
Identified Risks and Risk Level
Electronic Risk regarding the devices used for the project implementation: Low
Physical Risks related to the accidents causing physical and mental harm to the employees: High
Compliance Violations causing employees to not follow the usual rules and regulations of the business and the general legislative measures for the information capture, storage and retrieval: Medium
Failure in Infrastructures causing the failure to gather information: Medium
Human Errors: High
Failure in having a Unified business policy for multi-nation operation: High
Table 5: Risk Level Matrix
(Source: Created by the Author)
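As an added example (not part of the original report), the following Python script makes explicit the risk determination behind Table 5: a 3x3 likelihood-by-impact matrix of the kind used in qualitative risk assessment. The likelihood ratings are the report's own from Table 3; the impact ratings (Minor/Moderate/Major), the score thresholds and the risk register entries are assumptions chosen so that the computed levels reproduce Table 5. It also produces the treatment order that the risk analysis step in section 2.2 describes.

```python
"""Qualitative risk determination: likelihood x impact -> risk level.

Added example, not part of the original report. Likelihood labels are the
report's (Table 3); impact labels, thresholds and the register below are
ASSUMPTIONS chosen so that the computed levels reproduce Table 5.
"""
from dataclasses import dataclass

# Ordinal scales. The impact labels are assumed: the report's Table 4 states
# impact only as prose, never as a rating.
LIKELIHOOD = {"Less Likely": 1, "Somewhat Likely": 2, "Very Likely": 3}
IMPACT = {"Minor": 1, "Moderate": 2, "Major": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        """Matrix cell value: product of the two ordinal ratings (1..9)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def risk_level(likelihood: str, impact: str) -> str:
    """Map a (likelihood, impact) pair to Low/Medium/High on a 3x3 matrix.

    Assumed thresholds: score 1-2 Low, 3-4 Medium, 6-9 High. An unknown
    label raises KeyError instead of silently rating the risk Low.
    """
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


# Constructed register: the six risks of Table 5 with Table 3 likelihoods
# and assumed impact ratings.
ACORN_RISKS = [
    Risk("Electronic", "Somewhat Likely", "Minor"),
    Risk("Physical", "Very Likely", "Major"),
    Risk("Compliance Violations", "Somewhat Likely", "Moderate"),
    Risk("Failure in Infrastructures", "Less Likely", "Major"),
    Risk("Human Errors", "Very Likely", "Moderate"),
    Risk("Unified business policy", "Very Likely", "Major"),
]


def risk_matrix(risks):
    """Return {risk name: risk level} for a register of risks."""
    return {r.name: risk_level(r.likelihood, r.impact) for r in risks}


def prioritise(risks):
    """Treatment order: highest score first; ties broken by likelihood
    (a likelier risk materialises sooner), then by name for stability."""
    ordered = sorted(
        risks, key=lambda r: (-r.score, -LIKELIHOOD[r.likelihood], r.name))
    return [r.name for r in ordered]


if __name__ == "__main__":
    for name, level in risk_matrix(ACORN_RISKS).items():
        print(f"{name:30} {level}")
    print("Treatment order:", prioritise(ACORN_RISKS))
```

Running it prints the six risks with their levels and the treatment order (Physical and Unified business policy first, Electronic last). The check worth noting is that Table 3's likelihoods alone cannot produce Table 5: Electronic Threats and Compliance Violations share the same likelihood yet sit at different levels, so the report's matrix depends on an impact rating it never states explicitly; the assumed ratings above are one consistent choice.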
2.1.6.2 Description of Risks
The following describes each of the risks identified in the ACORN CDP project:
The table lists, for each risk criterion, the risk identified, what it is associated with, the risk owner and the analysis of the risk.

a. Technical Risk
Risk Identification: Electronic Risk regarding the devices used for the project implementation
Risk Association: Integrity of the information in the project
Risk Owner: System Administrator
Analysis of Risk: An important type of risk that could seriously affect the security of IT/IS within ACORN is the electronic threat (Rampini, Sufi and Viswanathan 2014). This type of threat aims at compromising business-related information, for example a hacker getting full access to the system, the various IT systems becoming infected by computer viruses, or ACORN staff falling victim to a fraudulent web site or email. The organization handles the information of its employees as well as information about the under-privileged people, which makes the information security situation directly relevant. These threats are mainly carried out by hackers, and the products of the Community Development Program (CDP) would be highly exposed to them (Bromiley et al. 2015). Their impact could also extend to the company's networks and hence affect the facilitation of sales in the business.
Another noteworthy threat that might be quite problematic for the IT and IS security of ACORN is the technical threat. This is a significant risk type in which the technical difficulties are severe and could lead to complete failure of the system (Sadgrove 2016). The most important examples of technical threats include software bugs, system crashes and complete failure of the organizational network. Such a technical failure could be highly catastrophic where the staff cannot retrieve the data from a failed hard drive and no backup copy exists (McNeil, Frey and Embrechts 2015). ACORN does have a backup strategy in place that takes a backup every month of its corporate data: operational data from several countries, relevant transactional data from the partners (the sales data of the CDP), transactional data from donors, the list and details of donors, and project information (Drennan, McConnell and Stark 2014). A monthly backup, however, still leaves up to a month of changes unprotected between backups, so the recovery point it offers should be checked against how much data the project can afford to lose.

b. Operational
Risk Identification: Physical Risks related to accidents causing physical and mental harm to the employees
Risk Association: Loss of information because the employees are unavailable for their respective tasks
Risk Owner: Trainers who train the employees on the system before project work begins
Analysis of Risk: This type of threat results from physical access to, and damage to, information technology resources such as the servers. As ACORN serves in different countries, it is extremely vital to ensure that the physical devices are safe and secured from these threats (Aven 2016). However, different countries have their own distinct methods of protecting physical servers. The physical threats mainly involve theft, damage from flood or fire, and any unauthorized access to confidential data by an outsider or an employee (Chance and Brooks 2015). It is considered one of the most common types of risk and greatly increases the chance of loss of data or information.

Risk Identification: Compliance Violations causing employees to not follow the usual rules and regulations of the business and the general legislative measures for the information capture, storage and retrieval
Risk Association: Loss of confidentiality, integrity and availability of information
Risk Owner: Employees working for the project
Analysis of Risk: As ACORN does business in multiple countries, each with its own rules and standards, there is a high chance of a compliance violation; the company might well violate regulations and laws (Bowers and Khorakian 2014). These compliance violations also increase the sensitivity issues around both the storage and the source of the data.

c. Managerial
Risk Identification: Failure in Infrastructures causing the failure to gather information
Risk Association: Loss of confidentiality, integrity and availability of information
Risk Owner: Managerial body responsible for the system administration
Analysis of Risk: This is another common risk for the IT/IS of ACORN (Marcelino-Sádaba et al. 2014). Infrastructure failure, such as the loss of Internet connectivity and systems, could substantially interrupt the business; if ACORN could not deal with such infrastructure issues it would face huge financial losses. The main issue with this type of risk is that, since ACORN depends heavily on funds and resources, it becomes vital to ensure that nothing interrupts its fund collection (Aven and Zio 2014). The impact of infrastructure failure is the temporary loss of all essential functionalities and services, which could be extremely catastrophic for the entire business.

Risk Identification: Human Errors
Risk Association: Loss of confidentiality, integrity and availability of information
Risk Owner: Employees related to the project
Analysis of Risk: Another noteworthy risk to the IS/IT of ACORN is human error. There is always a high chance that staff or employees of the organization introduce vulnerabilities into the systems or data so that confidential data is lost forever (Weingarten et al. 2016). Human errors are often considered major threats; they can occur either intentionally or unintentionally and can amount to a failure to follow the major security processes properly.

Risk Identification: Failure in having a Unified business policy for multi-nation operation
Risk Association: Loss of confidentiality and integrity
Risk Owner: Decision-making body
Analysis of Risk: Since ACORN is trying to operate in different countries around the world, there would be several risks regarding its security and legal policies. This is an impending problem, as the business policy would need to be developed so that there is a unified company policy that complies with the legal structures of all the different countries. Without a proper strategy the business would face several risks across its entire policy setup, since conduct acceptable in one country might not be acceptable in another.
Table 6: Identification and Analysis of Risk according to ISO/IEC 27001 Standard
(Source: Created by the Author)
2.1.7 Control Recommendation
The control recommendations would be suggested as per the following table:
Threats Identified and Control Recommendations
1. Electronic Threats: Monitoring the working of all the electronic devices and discarding any faulty device.
2. Physical Threats: Establishing a Workers Health and Safety policy in accordance with the legislative measures of the designated country.
3. Employee Compliance Threats: Making a policy and communicating it verbally, electronically and practically to all the employees.
4. Human Errors: Monitoring people's work against the standardized plan set for the project.
5. Managerial Threats: Management monitoring at set intervals.
Table 7: Risk Control Recommendation
(Created by the Author)
2.1.8 Laws and Regulations
Although the six identified risks and threats leave the organization seriously exposed,
it is evident that they need to be eliminated in time (Stulz 2015). The most effective
solutions to the identified risks would mitigate them in accordance with the legislation of
each country and with the controls of the ISO/IEC 27001 standard that apply to the
mitigation of those risks.
2.2. Risk Mitigation
Risk mitigation is one of the major methodologies or mechanisms carried out throughout the development process for the successful identification, management and control of the risks that emerge before and during that process (Cole, Giné and Vickery 2017). There are three types of risk management activities, which are as follows:
i) Risk Identification: This is the first and most important step of the risk management procedure. It involves recognising all types of potential risks that could affect the products and services of ACORN and documenting them together with their characteristics (Bowers and Khorakian 2014). In this stage, the stakeholders and clients collaborate and take part in small brainstorming sessions to work out the probable set of threats related to the services of ACORN. The risks identified are Electronic Threats, Physical Threats, Compliance Violations, Failure in Infrastructures, Human Errors and failure to attain a unified business policy for multi-nation operation.
ii) Risk Analysis: The second step is risk analysis, which supports better assessment and prioritization of risks. Risks are prioritized by assigning the high risks the topmost priority, while the low-impact risks are given the lowest priority (McNeil, Frey and Embrechts 2015). Once ACORN understands which of the risks related to its information security and information technology are of top and bottom priority, it can prioritize them easily. The risk analysis for ACORN's CDP project is carried out according to the ISO/IEC 27001 standard.
iii) Risk Control: The final step is risk control, in which the risks are managed and controlled on the basis of their priorities so that the expected outcomes are achieved. The three sub-activities of risk control are risk management planning, risk resolution and risk monitoring. An effective plan for dealing with the five types of risks in ACORN is required so that the plans are executed properly and appropriate actions are deployed when necessary. Regular monitoring or tracking of the risks then becomes much easier for them.
The major opportunities of risk management activities in ACORN are as follows:
i) Risk Avoidance: One of the major opportunities of risk management activities in ACORN is risk avoidance. Properly avoiding the risks that can be avoided greatly reduces the consumption of resources and assets. As a result, there is major scope for removing all types of unattended and low-priority risks efficiently.
ii) Upgrading Information Technology: Another important opportunity of risk management activities for this charity organization is the upgrading of its IT (Glendon and Clarke 2015). Since it is considering a larger scale of IT products and services, upgrading its information technology would substantially lower the impact of such risks.
iii) Industry Strategies: The third vital opportunity of risk management activities for ACORN is the implementation of certain industry strategies. These would allow ACORN to investigate the feasibility of its products and services thoroughly, so that risks are easily identified without much complexity.
iv) Risk Mitigation Strategy: ACORN should include a proper risk management strategy so that the identified risks, such as technical risks, infrastructure failure and others, are effectively eradicated (Bromiley et al. 2015). Moreover, the organizational IT resources and assets would also be secured from any type of risk.
2.2.1 Risk Mitigation Analysis and Recommendation
The security and data-related risks of information technology, together with risk management strategies, are often termed the top priorities of all digital organizations. The overall risk management plan comprises the major procedures by which the organization identifies and controls threats to its digital assets, such as personally identifiable information (PII), corporate data and intellectual property in ACORN. All organizations and businesses eventually face the risk of harmful and unexpected events, which could cost the organization money or even cause it to shut down permanently (Aven and Zio 2014). This type of risk management also allows companies to prepare for the most unexpected events by reducing the impact of these risks, and any extra cost, before they happen.
It is vital for ACORN to ensure high effectiveness and efficiency and to create a safe and secure work environment for its customers and employees. Risk management also increases the overall stability of the different business operations while decreasing legal liabilities (Bowers and Khorakian 2014). A risk management plan also provides strong protection from events that are detrimental to both the environment and the company, and protects every involved asset and person from potential harm. The organizational risk analysis report should be submitted to the organization's senior executive.
The main purpose of this report is to identify every possible risk or threat associated with the information security, IT and IS of the organization and to ensure that these are kept safe and secure from those threats. The six identified types of risks to which ACORN is vulnerable are physical threats, electronic threats, infrastructure failure, technical threats, human errors and compliance violations (Iqbal et al. 2015). These risks can be mitigated by undertaking proper risk management strategies and mitigation policies. With the successful implementation of these risk mitigation strategies, it would be easier for ACORN to deal with the complexities related to CDP and other projects. Moreover, the decision-making process would be improved and the entire business would benefit greatly from this process.
3. Conclusion
Therefore, from the above discussion, it can be concluded that information security (IS) risk management is the procedure for managing the various types of risks related to the use of information technology (IT). It includes the identification, assessment and treatment of the different risks to the confidentiality, integrity and availability (CIA) of the organizational assets or resources. The major objective of the procedure is to treat the risks in line with the organization's risk tolerance. Organizations should not expect to eradicate each and every risk; they must instead seek to identify and achieve an acceptable level of risk for the company. The different stages of information security risk management are the identification of assets, the identification of vulnerabilities, the identification of threats and finally the identification of controls. Risk management is also helpful for establishing the insurance requirements of the company, saving on unnecessary premiums. These activities incorporate different scope, goals and leadership. The above report has clearly outlined a detailed analysis of the case study of ACORN with relevant details related to risk management for its IT/IS and information security management practices, along with its multi-nation operation, associated risks, mitigation strategies and recommendations, all according to the ISO/IEC 27001 standard.
References
Aven, T. and Zio, E., 2014. Foundational issues in risk assessment and risk management. Risk Analysis, 34(7), pp.1164-1172.
Aven, T., 2016. Risk assessment and risk management: Review of recent advances on their foundation. European Journal of Operational Research, 253(1), pp.1-13.
Bowers, J. and Khorakian, A., 2014. Integrating risk management in the innovation project. European Journal of Innovation Management, 17(1), pp.25-40.
Bromiley, P., McShane, M., Nair, A. and Rustambekov, E., 2015. Enterprise risk management: Review, critique, and research directions. Long Range Planning, 48(4), pp.265-276.
Brustbauer, J., 2016. Enterprise risk management in SMEs: Towards a structural model. International Small Business Journal, 34(1), pp.70-85.
Chance, D.M. and Brooks, R., 2015. Introduction to derivatives and risk management. Cengage Learning.
Cole, S., Giné, X. and Vickery, J., 2017. How does risk management influence production decisions? Evidence from a field experiment. The Review of Financial Studies, 30(6), pp.1935-1970.
Drennan, L.T., McConnell, A. and Stark, A., 2014. Risk and crisis management in the public sector. Routledge.
Fenz, S., Heurix, J., Neubauer, T. and Pechstein, F., 2014. Current challenges in information security risk management. Information Management & Computer Security, 22(5), pp.410-430.
Gatzert, N. and Martin, M., 2015. Determinants and value of enterprise risk management: empirical evidence from the literature. Risk Management and Insurance Review, 18(1), pp.29-53.
Glendon, A.I. and Clarke, S., 2015. Human safety and risk management: A psychological perspective. CRC Press.
Grote, G., 2015. Promoting safety by increasing uncertainty: Implications for risk management. Safety Science, 71, pp.71-79.
Hayne, C. and Free, C., 2014. Hybridized professional groups and institutional work: COSO and the rise of enterprise risk management. Accounting, Organizations and Society, 39(5), pp.309-330.
Hopkin, P., 2018. Fundamentals of risk management: understanding, evaluating and implementing effective risk management. Kogan Page Publishers.
Iqbal, S., Choudhry, R.M., Holschemacher, K., Ali, A. and Tamošaitienė, J., 2015. Risk management in construction projects. Technological and Economic Development of Economy, 21(1), pp.65-78.
Lam, J., 2014. Enterprise risk management: from incentives to controls. John Wiley & Sons.
Lavell, A. and Maskrey, A., 2014. The future of disaster risk management. Environmental Hazards, 13(4), pp.267-280.
Lundqvist, S.A., 2014. An exploratory study of enterprise risk management: Pillars of ERM. Journal of Accounting, Auditing & Finance, 29(3), pp.393-429.
Lundqvist, S.A., 2015. Why firms implement risk governance: Stepping beyond traditional risk management to enterprise risk management. Journal of Accounting and Public Policy, 34(5), pp.441-466.
Marcelino-Sádaba, S., Pérez-Ezcurdia, A., Lazcano, A.M.E. and Villanueva, P., 2014. Project risk management methodology for small firms. International Journal of Project Management, 32(2), pp.327-340.
McNeil, A.J., Frey, R. and Embrechts, P., 2015. Quantitative Risk Management: Concepts, Techniques and Tools, revised edition. Princeton University Press.
Meyer, T. and Reniers, G., 2016. Engineering risk management. Walter de Gruyter GmbH & Co KG.
Pritchard, C.L. and PMP, P.R., 2014. Risk management: concepts and guidance. Auerbach Publications.
Pulwarty, R.S. and Sivakumar, M.V., 2014. Information systems in a changing climate: Early warnings and drought risk management. Weather and Climate Extremes, 3, pp.14-21.
Rampini, A.A., Sufi, A. and Viswanathan, S., 2014. Dynamic risk management. Journal of Financial Economics, 111(2), pp.271-296.
Sadgrove, K., 2016. The complete guide to business risk management. Routledge.
Stulz, R.M., 2015. Risk-taking and risk management by banks. Journal of Applied Corporate Finance, 27(1), pp.8-18.
Sweeting, P., 2017. Financial enterprise risk management. Cambridge University Press.
Teller, J., Kock, A. and Gemünden, H.G., 2014. Risk management in project portfolios is more than managing project risks: A contingency perspective on risk management. Project Management Journal, 45(4), pp.67-80.
Van Staveren, M., 2018. Uncertainty and ground conditions: a risk management approach. CRC Press.
Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for information security risk management. Computers & Security, 44, pp.1-15.
Wiengarten, F., Humphreys, P., Gimenez, C. and McIvor, R., 2016. Risk, risk management practices, and the success of supply chain integration. International Journal of Production Economics, 171, pp.361-370.