The most significant written assignment in this course is the Risk Assessment Project. There are two deliverables for this assignment: the Risk Assessment Proposal and the Risk Assessment Project. The first thing you need to do is pick a business or public organization that you want to focus on, and the key point to remember is that the risk assessment will focus on information systems. So, you want to pick an organization that handles sensitive and confidential data. Some good examples are healthcare or financial organizations and online eCommerce businesses. I have had students in the past pick organizations like NBA teams that make the assignment very difficult to write.
The assessment should follow a strong framework, like the one presented and explained in our OER, NIST SP 800-30 Rev. 1 (Guide for Conducting Risk Assessments). While you do not need to know the specific information systems architecture (hardware, software, communications) at the organization, you do need to be able to discuss what sensitive data they capture, store, manipulate, and transfer.
I have created and attached a template for the final Risk Assessment Project to assist with the process. We will continue to focus on this assignment, and feel free to ask any questions you may have using the Questions for the Instructor Discussion or via email.
The objective of this project is to develop a Risk Assessment Report for a company, government agency, or other organization. The analysis will be conducted using only publicly available information (that is, information obtainable on the Internet using a browser, company reports, news reports, journal articles, etc.). The risk analysis should consider legitimate, known threats that pertain to the subject organization. Based on the information gathered, presumed vulnerabilities of the company or organization's computing and networking infrastructure will be identified. Then, based on the identified threats and vulnerabilities, you will describe the risk profile for the subject organization and suggest recommendations to mitigate the risks. In this research paper you will demonstrate your ability to communicate clearly and to acquire, apply and integrate knowledge. Rubrics will be used to evaluate both risk analysis subject matter competency and communications and knowledge competencies.
You will submit a brief proposal (a page and a half long, double-spaced) in session 4. The proposal should include a description of the organization you are proposing to analyze, the scope of the risk assessment (e.g., entire organization, key business area, major system, etc.), the research methods to be used, and a preliminary list of research information sources and references. Your instructor will provide feedback on the suitability of the proposed subject organization and scope, as well as the suitability of the proposed research methods and information sources.
The final output is a paper 12 pages (double-spaced) long, exclusive of cover, title page, table of contents, endnotes and bibliography. The paper must use APA formatting and reference citations (e.g., Stone, 2019, para. 4), with the exception that tables and figures can be inserted at the appropriate location rather than added at the end. This report is due during the 11th week of the course.
Hopefully by now you have identified the organization and business sector you will be focusing your Risk Assessment Project on. As you are working through your risk assessment, it is very important to understand that this assignment is focused on Cyber Risk Analysis, not business processes. Risk analysis can be viewed through either the IT/Cyber lens or the business lens. The difference is that the business focus is the bottom line of operations; in other words, how will a risk affect profit?
Cyber Risk Analysis is focused on how a risk will affect the organization's information assurance. So, as you use the NIST documentation to structure your Risk Assessment, be sure to focus on IT resources and address two questions: how could the organization be compromised, and what is the potential cost of not fixing the vulnerabilities? Both questions turn on the threats and vulnerabilities to information systems that you identify. In other words, the report should not focus on other business processes, like finance, accounting, manufacturing, sales, etc.
Your steps should be to identify a specific organization (e.g., Mayo Clinic), identify the sector (e.g., healthcare), use the information from the NIST guidelines to identify the information systems involved (much of this will necessarily be inferred, since you are working only from public information), and justify the risk assessment based on known breaches of other organizations in this sector (e.g., Medical Records Service Pays $100,000 to Settle HIPAA Breach).