Introduction:
In managing risks in an organization, professionals in the information technology (IT)
department conduct research to identify threats, vulnerabilities, and threat/vulnerability pairs.
Then, the IT professionals determine the likelihood of each threat occurring. The IT
professionals present this information to IT management, whose role in risk management is to
determine and recommend approaches to manage these risks. IT management then presents
these recommendations to the senior management, whose role is to allocate resources,
specifically money and employees, to prepare for and respond to identified threats and
vulnerabilities appropriately.
This activity allows you to fulfill the role of IT professionals in a small business tasked with
identifying threats, vulnerabilities, and threat/vulnerability pairs; estimating the likelihood of
these threats occurring; and presenting this information to IT management.
Scenario:
YieldMore is a small agricultural company that produces and sells fertilizer products. The
company headquarters is in a small town in Indiana. Outside its headquarters, there are two
large production facilities, one in Nebraska and the other in Oklahoma. Furthermore, YieldMore
employs salespersons in every state in the U.S. to serve its customers locally.
The company has three servers located at its headquarters: an Active Directory server, a Linux
application server, and an Oracle database server. The application server hosts YieldMore's
primary software application, a proprietary program managing inventory, sales, supply-chain,
and customer information. The database server manages all data stored locally on
direct-attached storage.
All three major sites use Ethernet-cabled local area networks (LANs) to connect the users'
Windows 7 workstations via industry-standard managed switches.
The remote production facilities connect to headquarters via routers over T-1 connections
provided by an external Internet service provider (ISP), and share an Internet connection
through a firewall at headquarters.
Case Scenario: YieldMore -Task 1
© 2013 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved. www.jblearning.com Page 2
Individual salespersons throughout the country connect to YieldMore’s network via virtual
private network (VPN) software through their individual Internet connections, typically in a home
office.
Task 1:
You will be assigned to a team in which you assume the roles of IT professionals assigned by
YieldMore's IT management to conduct the following risk management tasks:
1. Some of the possible roles that could be fulfilled by the team members are: server
manager, network manager, database manager, and security manager. You as a team
have to decide for which functional area each of you will be responsible and who will be
the team leader.
2. Identify threats to the seven domains of IT within the organization.
3. Identify vulnerabilities in the seven domains of IT within the organization.
4. Identify threat/vulnerability pairs to determine threat actions that could pose risks to the
organization.
5. Estimate the likelihood of each threat action.
6. Prepare a brief report or presentation of your findings for IT management to review.
Rubric:
1. Did the team establish an appropriate functional area for each member and pick a
leader?
2. Did the team identify all of the threats in the organization?
3. Did the team identify all of the vulnerabilities in the organization?
4. Did the team identify the threat/vulnerability pairs and use them to determine threat
actions that could pose risks to the organization?
5. Were the team's estimates of the likelihood of each threat action logical and plausible?
6. Did the team create a professional, well-developed report with proper grammar, spelling,
and punctuation?
Introduction:
In an environment of compliancy laws, regulations, and standards, information technology (IT)
departments in organizations must develop comprehensive organizational policies to support
compliance. One specific area in which they must develop policies is the governance of
fiduciary responsibility (see the Sarbanes-Oxley Act).
Scenario:
As changes occur in compliancy laws, regulations, and standards regularly, IT management of
YieldMore has decided to evaluate the governance of fiduciary responsibility within the
organization as it pertains to the IT department.
Your team has been assigned the task of evaluating how the governance of fiduciary
responsibility affects the organization’s risk.
Task 2:
You are asked to identify the relationship between fiduciary responsibility and organizational
risk, and present this information to the IT management of YieldMore.
1. Identify key stakeholders, their roles and responsibilities, and the impact of fiduciary
responsibility on each.
2. Determine the relationships among these stakeholders and, for each, the relationship
between fiduciary responsibility and organizational risk.
3. Distinguish the identified relationships as they relate to strategic, operational, and
compliancy goals for the organization.
4. Develop an appropriate plan to govern fiduciary responsibility for the organization.
5. Prepare a brief report or presentation of your findings for IT management to review.
Rubric:
1. Did the team correctly identify key stakeholders, their roles and responsibilities, and the
impact of fiduciary responsibility on each?
2. Did the team correctly determine the relationships among these stakeholders and, for each,
the relationship between fiduciary responsibility and organizational risk?
3. Did the team correctly distinguish the identified relationships as they relate to strategic,
operational, and compliancy goals for the organization?
4. Did the team correctly develop an appropriate plan to govern fiduciary responsibility for
the organization?
5. Did the team create a professional, well-developed report with proper grammar, spelling,
and punctuation?
Introduction:
Quantitative risk assessment techniques are valuable tools for organizations. They provide
management with solid numerical data regarding the value and potential loss of assets.
This activity allows you to use quantitative risk assessment techniques for YieldMore.
Scenario:
In order to help make better decisions regarding risk assessment data, senior management at
YieldMore has requested quantitative information relating to key information technology (IT)
assets.
Task 3:
Your team, as employees of YieldMore, has been given the task of providing quantitative risk
assessment information to senior management.
1. Estimate the value of at least five key IT assets in the organization.
2. Be sure you consider the direct and indirect financial and business impact of the IT assets.
3. Calculate the single loss expectancy (SLE) of the IT assets. (For this exercise, you will
need to estimate this value.)
4. Calculate the annual rate of occurrence (ARO) for risk associated with the IT assets.
(For this exercise, you will need to estimate this value.)
5. Calculate the annual loss expectancy (ALE) of the IT assets.
6. Create a professional document to present your findings to senior management.
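A worked example of steps 1 through 5 as a small risk register, added here and not part of the Jones & Bartlett case materials: the asset values, exposure factors and incident frequencies are constructed for illustration, and the exposure factor (the share of an asset's value lost in one incident) is an assumed intermediate step for estimating SLE, which the task itself leaves to the team to estimate.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    direct_value: float      # replacement and repair cost in USD (constructed)
    indirect_impact: float   # lost sales, downtime, customer impact in USD (constructed)
    exposure_factor: float   # assumed share (0..1) of the asset value lost per incident
    incidents: int           # estimated number of incidents ...
    per_years: int           # ... over this many years, which gives the ARO

    @property
    def asset_value(self):
        # Step 1 and 2: direct plus indirect value of the asset
        return self.direct_value + self.indirect_impact
    @property
    def sle(self):
        # Step 3: single loss expectancy, the value lost in one incident
        return self.asset_value * self.exposure_factor
    @property
    def aro(self):
        # Step 4: annual rate of occurrence (1 incident in 4 years -> 0.25)
        return self.incidents / self.per_years
    @property
    def ale(self):
        # Step 5: annual loss expectancy, the expected yearly loss from this risk
        return self.sle * self.aro

# Constructed register for five assets named in the YieldMore scenario.
YIELDMORE_ASSETS = [
    Asset("Oracle database server",      60_000, 240_000, 0.50, 1, 4),
    Asset("Linux application server",    40_000, 160_000, 0.40, 1, 2),
    Asset("Active Directory server",     25_000,  50_000, 0.30, 1, 5),
    Asset("HQ firewall / Internet link", 15_000,  30_000, 0.25, 2, 1),
    Asset("Salesperson VPN access",       5_000,  45_000, 0.20, 3, 1),
]

def rank_by_ale(assets):
    # Highest expected annual loss first: the order to present to senior management
    return sorted(assets, key=lambda a: a.ale, reverse=True)

def total_ale(assets):
    return sum(a.ale for a in assets)

def report(assets):
    rows = [f"{'Asset':28} {'AV':>9} {'SLE':>9} {'ARO':>5} {'ALE':>9}"]
    rows += [f"{a.name:28} {a.asset_value:>9,.0f} {a.sle:>9,.0f} {a.aro:>5.2f} {a.ale:>9,.0f}"
             for a in rank_by_ale(assets)]
    rows.append(f"Total ALE across register: {total_ale(assets):,.0f}")
    return "\n".join(rows)

if __name__ == "__main__":
    print(report(YIELDMORE_ASSETS))
```

Note that the ranking is not the same as ranking by asset value: the firewall and VPN rows rank above the more valuable Active Directory server because their estimated incident frequency is higher.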
Rubric:
1. Did the team correctly identify and estimate the value of at least five key IT assets in the
organization?
2. Did the team correctly consider the direct and indirect financial and business impact of
the IT assets?
3. Did the team correctly calculate the single loss expectancy (SLE) of the IT assets and
was their estimate reasonable?
4. Did the team correctly calculate the annual rate of occurrence (ARO) for risk associated
with the IT assets and was their estimate reasonable?
5. Did the team correctly calculate the annual loss expectancy (ALE) of the IT assets?
6. Did the team create a professional, well-developed report with proper grammar, spelling,
and punctuation?
Introduction:
Risk management is critical to protect organizational assets and to ensure compliance with laws
and regulations. Many individuals and departments in organizations are involved in risk
management; this is especially true when creating a risk management plan.
Your team, as employees of YieldMore, is asked to create a risk management plan for the
organization.
Scenario:
In order to help protect the company and ensure it maintains compliance with laws and
regulations, senior management at YieldMore has decided to develop a formal risk
management plan.
As employees of YieldMore, your team has been given the task of creating a risk management
plan for the organization.
Task 4:
Your team will have a meeting to discuss YieldMore’s risk management plan. In this meeting
you will:
1. Review the responsibilities associated with your assigned role on the team.
2. Explain the specific responsibilities of your assigned role within the project.
3. Explain your role and the roles of the other team members to senior management. To
accomplish this you will write a short report explaining who your team is and what
function and responsibility each of you has on the team.
4. Create a Risk Management Plan that covers all of the requirements addressed in the
previous tasks you have performed and those covered in the course text and submit that
plan.
Rubric:
1. Did the report adequately explain the roles of the team members to senior
management?
2. Did the team create a professional, well-developed Risk Management Plan that covers
all of the requirements addressed in the previous tasks and those covered in the course
text with proper grammar, spelling, and punctuation?