Managing Risk

Section 1. Define the topic “Managing Risk” and explain its importance in the field of project management. Complete a literature survey describing the current state of the art in project management.
Section 2. Examples of projects where risk management went wrong. Describe in detail where the mistakes were made.
Section 3. Examples of projects where risk management was key to success and avoided costly mishaps.

Risk assessment and mitigation

Risk assessment and mitigation are critical parts of an enterprise risk management plan. Review information from the NIST article and write a 750-word, APA-formatted paper summarizing the article. Focus your paper on the following key areas:

Risk tolerance and risk appetite
Impacts of threats and vulnerabilities on enterprise assets
The creation of risk registers outlining the likelihood and impact of various threats
Risk response and monitoring
Article:

https://www.nist.gov/publications/identifying-and-estimating-cybersecurity-risk-enterprise-risk-management

How risk management programs operate within health care organizations.

The purpose of this assignment is to gain real-world insight into how risk management programs operate within health care organizations.

Select a local health care organization where you can conduct an interview with an employee who is involved in risk management processes. This organization can be your current employer or a different health care facility in your community. Acute care, urgent care, large multi‐provider private medical clinics, assisted living facilities, and community/public health clinical facilities are all ideal options to complete the requirements of this assignment. Select an individual who can provide sufficient information regarding how their organization manages risk within its facility to answer the questions below.

In your interview, address the following:

Risk management strategies used in the organization’s risk control program, along with specific examples.
How the facility’s educational risk management program addresses key professional, legal, and ethical issues, such as prevention of negligence, malpractice litigation, and vicarious liability.
Policies the facility has implemented that address how to manage emergency triage in high‐risk areas of health care service delivery (e.g., narcotics inventories, declared pregnancy policies, blood-borne disease sector, etc.).
Challenges the organization faces in managing and controlling high-risk health care (e.g., infectious diseases, nuclear medicine, abortion, class 4 narcotics/opioids, etc.).
Strategies the facility utilizes to monitor, evaluate, and maintain compliance within its risk management program.

An incident response plan

Consider this scenario: A cyber-attack occurred in a healthcare organization, resulting in significant data loss. You have been called as an information security management consultant to recommend an incident response plan for this incident and will need to present it to the executive board of the healthcare organization.

Develop a 10- to 12-slide multimedia-rich presentation of your recommended incident response plan to mitigate or reduce the impact on the organization, and do the following:

Define the incident response plan goal and scope for this cyber-attack.
Analyze the impact and severity of the cyber-attack by applying a business impact analysis (BIA) to the organization, including mission performance, regulatory requirements, and compliance.
Identify the communication requirements, including criteria for escalation and organization reporting and regulatory requirements.
Explain the process for responding to this incident.
Describe the relationship with other organizational processes and methods, such as BCP/DR.
Recommend prioritization, resource requirements, and any opportunity created by the event.
Use appropriate images and charts where applicable.

Understanding Digital or Cryptocurrency: Benefits and Risks

Overview: Digital or cryptocurrency has become increasingly popular over the years, with its use extending to various sectors, including business, investment, and finance. As a student in a global business class, it is crucial to have a good understanding of digital or cryptocurrency, its benefits, and risks. In this assignment, you will explore digital or cryptocurrency and provide an analysis of the benefits and risks associated with investing in it or using it.
Instructions:
Define Digital or Cryptocurrency: Explain what digital or cryptocurrency is and how it differs from traditional currency. Provide examples of digital or cryptocurrencies.
Benefits of Investing in Digital or Cryptocurrency: Describe the advantages of investing in digital or cryptocurrency. Highlight how digital or cryptocurrency can provide an alternative investment option for investors.
Risks of Investing in Digital or Cryptocurrency: Identify the potential risks associated with investing in digital or cryptocurrency. Explain how digital or cryptocurrency poses a risk to investors.
Benefits of Using Digital or Cryptocurrency: Describe the benefits of using digital or cryptocurrency in transactions. Highlight how digital or cryptocurrency can provide a faster, more efficient, and secure method of transactions.
Risks of Using Digital or Cryptocurrency: Identify the potential risks associated with using digital or cryptocurrency. Explain how digital or cryptocurrency poses a risk to users.
Conclusion: Summarize the main points discussed in the assignment. Provide an overall assessment of digital or cryptocurrency’s benefits and risks.

Risk Management and a Review of the Financial Crisis

Prior to beginning work on this discussion forum, read the following sections of Chapter 1: The Goals and Activities in the Foundations of Financial Management textbook:

Risk Management and a Review of the Financial Crisis
Corporate Governance
Goals of Financial Management
In addition, read the articles listed here:

What is the Dodd-Frank Wall Street Reform Act
What the Dodd-Frank Act Did (and How It’s Changed)
The Dodd-Frank Act Explained
Sarbanes-Oxley Summary
Initial Response:

Ethical behavior can be viewed at a personal level, as well as a corporate level. In business, personal ethics is often tied to the agency theory and at the corporate level tied to corporate social responsibility.

For this discussion forum,

First, identify one real-life example of personal ethics and one real-life example of corporate social responsibility in the financial field from the last five years (no Enron or WorldCom examples, as these are too old). The example can be positive or negative. Note: When possible, select a different example than those already posted by a fellow classmate.
Next, explain each ethical example and what might have been done differently, as well as what you learned from the example.
Finally, select one financial business regulation (e.g., Sarbanes-Oxley Act of 2002, Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, etc.) and debate how it does or does not promote ethical behavior.

IT Security Risk Assessment

You are employed with Government Security Consultants, a subsidiary of Largo Corporation. As a member of the IT security consultant team, one of your responsibilities is to ensure the security of assets as well as to provide a secure environment for customers, partners, and employees. You and the team play a key role in defining, implementing, and maintaining the IT security strategy in organizations.

A government agency called the Bureau of Research and Intelligence (BRI) is tasked with gathering and analyzing information to support U.S. diplomats. In a series of New York Times articles, BRI was exposed as the victim of several security breaches. As a follow-up, the United States Government Accountability Office (GAO) conducted a comprehensive review of the agency’s information security controls and identified numerous issues.

The head of the agency has contracted your company to conduct an IT security risk assessment of its operations. This risk assessment was determined to be necessary to address security gaps in the agency’s critical operational areas and to determine actions to close those gaps. It is also meant to ensure that the agency invests time and money in the right areas and does not waste resources. After conducting the assessment, you are to develop a final report that summarizes the findings and provides a set of recommendations. You are to convince the agency to implement your recommendations.

This learning activity focuses on IT security, an overarching concern that involves practically all facets of an organization’s activities. You will learn about the key steps of preparing for and conducting a security risk assessment and how to present the findings to leaders and convince them to take appropriate action.

Understanding security capabilities is basic to the core knowledge, skills, and abilities that IT personnel are expected to possess. Information security is a significant concern for every organization and may spell the success or failure of its mission. Effective IT professionals are expected to be up to date on trends in IT security, current threats and vulnerabilities, state-of-the-art security safeguards, and security policies and procedures. IT professionals must be able to communicate effectively (orally and in writing) to executive-level management in a non-jargon, executive-level manner that convincingly justifies the need to invest in IT security improvements. This learning demonstration is designed to strengthen these essential knowledge, skills, and abilities needed by IT professionals.

  1. Steps to Completion
    Your instructor will form the teams. Each member is expected to contribute to the team agreement, which documents the members’ contact information and sets goals and expectations for the team.
    1) Review the Setting and Situation
    The primary mission of the Bureau of Research and Intelligence (BRI) is to provide multiple-source intelligence to American diplomats. It must ensure that intelligence activities are consistent with U.S. foreign policy and kept totally confidential. BRI has intelligence analysts who understand U.S. foreign policy concerns as well as the type of information needed by diplomats.
    The agency is in a dynamic environment in which events affecting foreign policy occur every day. Also, technology is rapidly changing, and therefore new types of security opportunities and threats are emerging which may impact the agency.
    Due to Congressional budget restrictions, BRI is forced to be selective in the type of security measures that it will implement. Prioritization of proposed security programs and controls based on a sound risk assessment procedure is necessary in this environment.
    The following incidents involving BRI’s systems occurred and were reported in the New York Times and other media outlets:
    • BRI’s network had been compromised by nation-state-sponsored attackers, and the attacks are still continuing. It is believed that the attackers accessed the intelligence data used to support U.S. diplomats.
    • The chief of the bureau used his personal email system both for official business purposes and for his own individual use.
    • A software defect in BRI’s human resource system – a web application – improperly allowed users to view the personal information of all BRI employees, including social security numbers, birthdates, addresses, and bank account numbers (for direct deposit of their paychecks). After the breach, evidence was accidentally destroyed, so there was no determination of the cause of the incident or of its attackers.
    • A teleworker brought home a laptop containing classified intelligence information. It was stolen during a burglary and never recovered.
    • A disgruntled employee of a contractor for BRI disclosed classified documents through the media. He provided the media with, among other things, confidential correspondence between U.S. diplomats and the President that was very revealing.
    • Malware had infected all of the computers in several foreign embassies, causing public embarrassment, security risks for personnel, and financial losses to individuals, businesses, and government agencies, including foreign entities.
    These reports prompted the U.S. Government Accountability Office to conduct a comprehensive review of BRI’s information security posture. Using standards and guidance provided by the National Institute of Standards and Technology and other parties, they had the following findings:
    Identification and Authentication Controls
    • Controls over the length of passwords for certain network infrastructure devices were set to less than eight characters.
    • User account passwords had no expiration dates.
    • Passwords are the sole means of authentication.
    Authorization Controls
    • BRI allowed users to have excessive privileges to the intelligence databases. Specifically, BRI did not appropriately limit the ability of users to enter commands using the user interface. As a result, users could access or change the intelligence data.
    • BRI did not appropriately configure Oracle databases running on a server that supported multiple applications. The agency configured multiple databases operating on a server to run under one account. As a result, any administrator with access to the account would have access to all of these databases, potentially exceeding his/her job duties.
    • At least twenty user accounts were active on an application’s database, although they had been requested for removal in BRI’s access request and approval system.
    Data Security
    • BRI does not use any type of data encryption for data at rest but protects data in transit using a VPN.
    • A division data manager can independently control all key aspects of the processing of confidential data collected through intelligence activities.
    • One employee was able to derive classified information by “aggregating” unclassified databases.
    • Hackers infiltrated transactional data located in a single repository and corrupted it.
    System Security
    • Wireless systems use the Wired Equivalent Privacy (WEP) standard for ensuring secure transmission of data.
    • The agency permitted the “Bring Your Own Device” (BYOD) concept, and therefore users can freely connect their personal mobile devices to the agency network.
    • In the event of a network failure due to hacking, the data center manager has his recovery plan but has not shared it with anyone in or out of the center. He was not aware of any requirement to report incidents outside of the agency.
    • There has never been any testing of the security controls in the agency.
    • Processes for the servers have not been documented; they exist only in the minds of the system managers.
    • Patching of key databases and system components has not been a priority. Patching has either been late or not performed at all. Managers explained that it takes time and effort to test patches on their applications.
    • Scanning of devices connected to the network for possible security vulnerabilities is done only when the devices are returned to inventory for future use.
    • System developers involved with financial systems are allowed to develop code and access production code.
    Physical Security
    • An unauthorized person was observed “tailgating,” or closely following an official employee, while entering a secure data center.
    • The monthly review process at a data center failed to identify a BRI employee who had separated from BRI and did not result in the removal of her access privileges. She was still able to access restricted areas for at least three months after her separation.
    End User Security
    • Users, even in restricted areas, are allowed to use social media such as Facebook. The argument used is that this is part of the public outreach efforts of the agency.
    • Users receive a 5-minute briefing on security as part of their orientation session, which typically occurs on their first day of work. There is no other mention of security during the course of employment.
    • Users are allowed to use public clouds such as Dropbox, Box, and Google Drive to store their data.
    • BRI has not performed continual background investigations on employees who operate its intelligence applications (one investigation is conducted upon initial employment).
    • There is no policy regarding the handling of classified information.
    An internal audit report indicated that the organization needed several security programs, including a security awareness and training program, a privacy protection program, and a business continuity/disaster recovery program. These programs will need special attention.
    2) Examine Background Resources
    This learning demonstration focuses on the National Institute of Standards and Technology’s (NIST) “Guide for Conducting Risk Assessments” (http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf). See p. 23 to view the description of the risk management process.
    Throughout this learning activity, feel free to use other references such as:
    Other NIST publications (http://csrc.nist.gov/publications/PubsSPs.html),
    SANS Reading Room (http://www.sans.org/reading-room/),
    US-CERT (https://www.us-cert.gov/security-publications),
    CSO Magazine (http://www.csoonline.com/),
    Information Security Magazine (http://www.infosecurity-magazine.com/whitepapers/),
    Homeland Security News Wire (http://www.homelandsecuritynewswire.com/topics/cybersecurity)
    Other useful references on security risk management include:
    https://books.google.com/books?id=cW1ytnWjObYC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false
    https://books.google.com/books?id=FJFCrP8vVZcC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false
    3) Prepare the Risk Assessment Plan
    Using the NIST report as your guide, address the following items:
    • Purpose of the assessment,
    • Scope of the assessment,
    • Assumptions and constraints, and
    • Selected risk model and analytical approach to be used.
    Document your above analysis in the “Interim Risk Assessment Planning Report.” (An interim report will be consolidated into a final deliverable in a later step.)
    All interim reports should be at least 500 words long and include at least five references each. These reports will eventually be presented to management for their review.
    4) Conduct the Assessment
    Again, use the NIST report to address the following:
    1) Identify threat sources and events
    2) Identify vulnerabilities and predisposing conditions
    3) Determine likelihood of occurrence
    4) Determine magnitude of impact
    5) Determine risk
    You are free to make assumptions, but be sure to state them in your findings.
    In determining risk, include assessment tables that reflect BRI’s risk levels. Refer to Appendix I on risk determination in Special Publication 800-30.
    Document your analysis from this step in the “Interim Risk Assessment Findings Report.” Be sure to include the final risk evaluations in this report.
    5) Identify Needed Controls and Programs
    Research and specify security controls needed to close the security gaps in BRI.
    Also, be sure to include a description of the following programs for securing BRI:
    • Security Awareness and Training Program (i.e., communications to employees regarding security)
    • Privacy Protection Program
    • Business Continuity/Disaster Recovery Program
    You should justify the need for the agency to invest in your recommendations.
    Document your findings and recommendations from this step in the “Interim Security Recommendations Report.”
    6) Communicate the Overall Findings and Recommendations
    Integrate your earlier interim reports into a final management report. Be sure to address:
    • Summary of the Current Security Situation at BRI (from Step 1)
    • Risk Assessment Methodology (from Step 2)
    • Risk Assessment Plan (from Step 3)
    • Risk Assessment Findings (from Step 4)
    • Security Recommendations Report (from Step 5)
    • Conclusions
    Also provide a presentation to management. The presentation should consist of 15–20 slides. It should include audio narration (directions are found at: https://support.office.com/en-au/article/Add-narration-to-a-presentation-0b9502c6-5f6c-40ae-b1e7-e47d8741161c). The narration should also be captured in the slide notes.
    Prepare a peer evaluation report.
  2. Deliverables
    • Final Management report (as described in Step 6)
    • PowerPoint Presentation
    Except
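Step 4 of the BRI activity ends with risk determination against the SP 800-30 Appendix I qualitative scale. The following Python is an added example, not part of the assignment text and not NIST's own code: it builds a small register from entries constructed out of the GAO findings above and ranks them for the findings report. The likelihood-by-impact lookup is reproduced from memory of SP 800-30 Rev. 1 Table I-2 and the BRI likelihood/impact ratings are assumptions an assessor would have to justify.

```python
"""Qualitative risk determination in the style of NIST SP 800-30 Rev. 1,
applied to a constructed risk register for the BRI scenario.

Added example for step 4 (determine risk); the BRI entries and their
ratings are invented for illustration."""
from dataclasses import dataclass

# Qualitative scale shared by likelihood, impact and risk (lowest to highest).
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Overall likelihood (row) x level of impact (column) -> level of risk.
# Reproduced from memory of SP 800-30 Rev. 1 Appendix I, Table I-2; treat
# the cell values as an assumption and check them against the publication.
RISK_TABLE = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


@dataclass(frozen=True)
class RiskEntry:
    """One register row: a threat event paired with the vulnerability or
    predisposing condition it exploits (steps 1 and 2 of the assessment)."""
    threat_event: str
    vulnerability: str
    likelihood: str  # overall likelihood of the event causing adverse impact
    impact: str      # level of adverse impact if it does


def determine_risk(likelihood: str, impact: str) -> str:
    """Step 5: look up the risk level for a likelihood/impact pair."""
    if likelihood not in RISK_TABLE or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r} / {impact!r}")
    return RISK_TABLE[likelihood][LEVELS.index(impact)]


def rank_register(entries):
    """Return (risk_level, entry) pairs, highest risk first. Ties are broken
    by impact so the costliest outcomes surface first when budgeting."""
    scored = [(determine_risk(e.likelihood, e.impact), e) for e in entries]
    return sorted(
        scored,
        key=lambda r: (LEVELS.index(r[0]), LEVELS.index(r[1].impact)),
        reverse=True,
    )


def render_register(entries) -> str:
    """Plain-text register table for the interim findings report."""
    header = f"{'Risk':<10} {'Likelihood':<10} {'Impact':<10} Threat event / vulnerability"
    lines = [header]
    for risk, e in rank_register(entries):
        lines.append(f"{risk:<10} {e.likelihood:<10} {e.impact:<10} "
                     f"{e.threat_event} / {e.vulnerability}")
    return "\n".join(lines)


# Constructed register built from the GAO findings in the scenario. The
# likelihood and impact ratings are assumptions, not values from the text.
BRI_REGISTER = [
    RiskEntry("Eavesdropping on wireless traffic",
              "Wireless network still uses WEP", "High", "High"),
    RiskEntry("Theft of a teleworker laptop holding classified data",
              "No encryption of data at rest", "Moderate", "Very High"),
    RiskEntry("Exploitation of a known flaw in an unpatched database",
              "Patching late or not performed", "High", "High"),
    RiskEntry("Former employee uses access that was never revoked",
              "Twenty accounts active after removal request", "Moderate", "Moderate"),
    RiskEntry("Unauthorized person tailgates into the data center",
              "No anti-tailgating control at the entrance", "Low", "High"),
]

if __name__ == "__main__":
    print(render_register(BRI_REGISTER))
```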

Disaster recovery.

In paragraph form, define and describe disaster recovery. Define and describe business continuity. Discuss the threats posed by disgruntled employees and how to mitigate those threats. Identify and cite a real-world example of an organization put at risk by a disgruntled employee.

Hybrid task crisis intervention model

  1. Please thoroughly introduce the case with demographics, pertinent details. To demonstrate how well you have learned the Hybrid task crisis intervention model, write a personal narrative description of how you might use the model to help Rita during the initial session you have scheduled with her. Please organize your paper as follows.
  2. What are the presenting and IMMEDIATE problems that need to be addressed? Also list additional problems that should be addressed after immediate needs.
  3. What are the crisis intervention steps that need to take place? Be specific. *Phone call, intake assessment, safety protocols, Mental health, Domestic violence, food stamps, etc.
  4. What are the resources that she needs? What are the resource recommendations? *Mental health, Domestic violence, food stamps, etc.
  5. Are there any treatment recommendations/referrals that need to be considered? *Mental health, Domestic violence support groups, protection orders, food stamps, etc.
  6. Was this assignment hard for you and why?

Rita is a 35-year-old businesswoman. She is a graduate of high school and a post–high school vocational-technical institute. She holds a certificate in auto mechanics. She has never been to a counselor before and has come to the crisis worker at the suggestion of a close friend who is a school counselor. Rita owns and operates an automobile tune-up and service shop. She employs and supervises a crew of mechanics, tune-up specialists, and helpers. She works very hard and keeps long hours but maintains some flexibility by employing a manager. Rita’s husband, Jake, is a college-educated accountant. They have two children: a daughter who is 13, and a son who is 8. The family rarely attends church, and they don’t consider themselves religious, but they are church members. Their close friends are neither from their church nor from their work. Rita’s problem is complex. She constantly feels depressed and unfulfilled. She craves attention but has difficulty getting it in appropriate ways. For diversion, she participates in a dance group that practices three nights a week and performs on many Friday and Saturday evenings. Rita, Jake, and their children spend most Sundays at their lake cottage, which is an hour-long drive from their home. Their circle of friends is mainly their neighbors at the lake.

Rita’s marriage has been going downhill for several years. She has become sexually involved with Sam, a wealthy wholesaler of used automobiles. She met him through a business deal in which she contracted to do the tune-up and service work on a large number of cars for Sam’s company. Sam’s contracts enable Rita’s business to be very successful. Rita states that the “chemistry” between her and Sam is unique and electrifying. She says she and Sam are “head over heels in love with each other.” While she still lives with Jake, she no longer feels any love for him. According to Rita, Sam is also unhappily married, and Sam and his current wife have two small children. Rita states that she and Sam want to get married, but she doesn’t want to subject her two children to a divorce right now. She is very fearful of her own mother’s wrath if she files for a divorce. Sam fears his wife will “take him to the cleaners” if he leaves her for Rita right now. Lately, Sam has been providing Rita with expensive automobiles, clothing, jewelry, and trips out of town. Also, Sam has been greatly overpaying Rita’s service contracts, making her business flourish. Jake doesn’t know the details of Rita’s business dealings with Sam, but he is puzzled, jealous, frustrated, impulsive, and violent. Jake used to slap Rita occasionally. In the last few months, he has beaten Rita several times. Last night he beat her worse than he ever has. Rita has no broken bones, but she has several bruises on her body, legs, and arms. The bruises do not show as long as she wears pantsuits. Rita has told her problems only to her school counselor friend. She fears that her boyfriend would kill her husband if he found out about the beatings. Rita is frustrated because she cannot participate with the dance group until her bruises go away. Rita is feeling very guilty and depressed. She is not particularly suicidal, however. She is feeling a great deal of anger and hatred toward Jake, and she suffers from very low self-esteem. She is feeling stress and pressure from her children, from her mother, from Jake, and even from Sam, who wants to spend more and more time with her. Recently, Rita and Sam have been taking more and more risks in their meetings. Rita’s depression is getting to the point where she doesn’t care. She has come to the crisis worker in a state of lethargy—almost in a state of emotional immobility.

Rita has decided to share her entire story with the worker because she feels she is at her “wit’s end,” and she wouldn’t dare talk with her minister, her physician, or other acquaintances. Rita has never met the crisis worker, and she feels this is the best approach, even though she is uncomfortable sharing all of this with a stranger.

Case Study: Dealing with Risk and Uncertainty

Select a company or organization of your choice that has been dealing with risk and uncertainty within the last six months. Then you will determine solutions to organizational problems that take into account principles of risk management to improve operations and profitability.
Instructions
Write a 6–8 page paper in which you:

  1. Evaluate a selected company or organization’s recent (within the last six months) actions dealing with risk and uncertainty.
  2. Recommend advice for improving risk management and provide justification for the recommendation.
  3. Examine an adverse selection problem the company/organization is facing, and recommend how it should minimize the negative impact of adverse selection on transactions.
  4. Determine the ways the company/organization is dealing with the moral hazard problem, and suggest best practices used in the industry to deal with moral hazard.
  5. Describe a principal-agent problem in the company/organization, and evaluate the tools the company/organization uses to align incentives and improve profitability/efficiency.
  6. Examine the organizational structure of the company/organization, and suggest changes to improve the overall profitability/efficiency. Explain why those changes would result in an improvement to profitability.