Assignment Revision

Question | If yes, page number | If no, justification
Policy
Does a policy that addresses the need for risk management exist?   No. A policy that addresses the need for risk management does not exist. This determination comes from the Executive Summary (p. 4), which notes that when the SHGTS program was created, the boards that must now review the risk assessment did not exist.

The documentation on page 10 likewise shows no current risk management policy. According to ISO 27002, section 0.3 (Selecting controls), a risk management policy provides the guiding principles for the assessment, communication, treatment, monitoring and review of risk (ISO, 2013, p. 7).

Is the acceptable risk posture for the organization included in the policy? Yes. An acceptable risk posture is first outlined in the Conduct Risk Assessment portion of the report (pp. 11-13), where the levels of risk are explained. The risk level of each area addressed in the report is collected in one place in Appendix A (pp. 25-27). Each individual risk is addressed throughout the report, together with what is needed to remove it or reduce it to an acceptable level.
Does the policy include details about a risk assessment? Yes. Details of the risk assessment are first given on pages 7 and 8, in the Scope section. The report then covers the risk assessment in more detail in section 2, Risk Assessment Approach, on pages 9-13.
Is there a section in the policy that includes multi-perspectives on risk including the following:

• Threat

• Asset

• Vulnerability space

• Business impact assessment

Yes. Section 5, Findings, on page 19 covers multiple perspectives on risk. For each risk assessed, it addresses the threat, the vulnerability, its impact, and the asset, where the assets are the software, the data, and the hardware the program runs on.
Is there a section in the policy that includes reporting results of risk assessments? Yes. Section 4, Threat Statement (pp. 17-24), reports the results of the risk assessments. Appendix A, Risk Assessment Management (pp. 25-27), presents the same results in table form.
Is there a section in the policy that includes a remediation analysis report based on risk assessments (i.e., how to reduce risk or increase security posture)? Yes. The risk assessment management matrix in Appendix A (pp. 25-27) lists the countermeasures to be taken. The preceding section, Threat Statement (pp. 17-24), gives a more detailed account of each threat and the action needed.
Procedures
Is there a procedure in existence that describes how to implement and enforce risk management policies?   No. There is no procedure that describes how to implement and enforce risk management policies. Implementation and enforcement of the risk management policy are carried out through the company (Ungerman, 2005).
Does the procedure include a breadth of scope? Does the breadth of scope include the following:

• Threat

• Asset

• Vulnerability space

• Business impact assessment

Yes. The procedure does include a breadth of scope, defined in section 2, Risk Assessment Approach, on page 9. For each vulnerable area, the scope covers the threat, the vulnerability, the impact, and the asset affected at the time the assessment was completed.
Does the procedure include depth of scope? Does the depth of scope include the following:

• Interviews (asking)

• Verification (seeing)

• Validation (hands-on)

Yes. The procedure includes depth of scope covering interviews, verification, and validation. The process is explained in section 2.2.1, Interviews, and section 2.2.2, Site Visit, on page 10: it consisted of talking with management and personnel, visiting the site, and then conducting the assessment.
Practice
Does the organization practice the procedures described above? Yes. The organization does practice the procedures above. The findings from that process start in section 4, Threat Statement, on page 17 and end with Appendix A on page 27.

 

B. Two additional question categories

Compliance Management  
Is there currently documentation for compliance management for the threats found in the risk assessment?   No. Currently there is no documentation for compliance management addressing the risks found in the assessment.

This question is needed because some of the threats found are high risk and must be addressed. A policy needs to be created that addresses the levels of risk, how each risk will be mitigated, how documentation is kept, and who is in charge of that documentation.

 

Business Continuity  
Is there currently documentation addressing business continuity?   No. There is no documentation regarding business continuity for the SHGTS program, the JINX server, or a disaster recovery plan (DRP). Such a policy needs to be created to address what happens if the server becomes unavailable and the program goes offline. A secondary hosting server or another solution would need to be considered to keep the data available.