
Case Scenario

Introduction:

In managing risks in an organization, professionals in the information technology (IT) department conduct research to identify threats, vulnerabilities, and threat/vulnerability pairs. Then, the IT professionals determine the likelihood of each threat occurring. The IT professionals present this information to IT management, whose role in risk management is to determine and recommend approaches to manage these risks. IT management then presents these recommendations to senior management, whose role is to allocate resources, specifically money and employees, to prepare for and respond to identified threats and vulnerabilities appropriately.

This activity allows you to fulfill the role of IT professionals in a small business tasked with identifying threats, vulnerabilities, and threat/vulnerability pairs; estimating the likelihood of these threats occurring; and presenting this information to IT management.

Scenario:

YieldMore is a small agricultural company that produces and sells fertilizer products. The company headquarters is in a small town in Indiana. Outside its headquarters, there are two large production facilities, one in Nebraska and the other in Oklahoma. Furthermore, YieldMore employs salespersons in every state in the U.S. to serve its customers locally.

The company has three servers located at its headquarters: an Active Directory server, a Linux application server, and an Oracle database server. The application server hosts YieldMore's primary software application, a proprietary program that manages inventory, sales, supply-chain, and customer information. The database server manages all data stored locally on direct-attached storage.

All three major sites use Ethernet-cabled local area networks (LANs) to connect the users' Windows 7 workstations via industry-standard managed switches.

The remote production facilities connect to headquarters via routers over T-1 connections provided by an external Internet service provider (ISP), and share an Internet connection through a firewall at headquarters.

Case Scenario: YieldMore -Task 1

© 2013 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved. www.jblearning.com Page 2

Individual salespersons throughout the country connect to YieldMore's network via virtual private network (VPN) software through their individual Internet connections, typically in a home office.


Task 1:

You will be assigned to a team where you need to assume the roles of IT professionals assigned by YieldMore's IT management to conduct the following risk management tasks:

1. Some of the possible roles that could be fulfilled by the team members are: server manager, network manager, database manager, and security manager. You as a team have to decide for which functional area each of you will be responsible and who will be the team leader.

2. Identify threats to the seven domains of IT within the organization.

3. Identify vulnerabilities in the seven domains of IT within the organization.

4. Identify threat/vulnerability pairs to determine threat actions that could pose risks to the organization.

5. Estimate the likelihood of each threat action.

6. Prepare a brief report or presentation of your findings for IT management to review.

Rubric:

1. Did the team establish an appropriate functional area for each member and pick a leader?

2. Did the team identify all of the threats in the organization?

3. Did the team identify all of the vulnerabilities in the organization?

4. Did the team identify the threat/vulnerability pairs and use them to determine threat actions that could pose risks to the organization?

5. Were the team's estimates of the likelihood of each threat action logical and plausible?

6. Did the team create a professional, well-developed report with proper grammar, spelling, and punctuation?


Introduction:

In an environment of compliance laws, regulations, and standards, information technology (IT) departments in organizations must develop comprehensive organizational policies to support compliance. One specific area in which they must develop policies is the governance of fiduciary responsibility (see the Sarbanes-Oxley Act).

Scenario:

As changes occur regularly in compliance laws, regulations, and standards, IT management of YieldMore has decided to evaluate the governance of fiduciary responsibility within the organization as it pertains to the IT department.

Your team has been assigned the task of evaluating how the governance of fiduciary responsibility affects the organization's risk.

Task 2:

You are asked to identify the relationship between fiduciary responsibility and organizational risk, and present this information to the IT management of YieldMore.

1. Identify key stakeholders, their roles and responsibilities, and the impact of fiduciary responsibility on each.

2. Determine the relationships among these stakeholders, the relationship between fiduciary responsibility and organizational risk for each.

3. Distinguish the identified relationships as they relate to strategic, operational, and compliance goals for the organization.

4. Develop an appropriate plan to govern fiduciary responsibility for the organization.

5. Prepare a brief report or presentation of your findings for IT management to review.

Rubric:

1. Did the team correctly identify key stakeholders, their roles and responsibilities, and the impact of fiduciary responsibility on each?

2. Did the team correctly determine the relationships among these stakeholders, and the relationship between fiduciary responsibility and organizational risk for each?


3. Did the team correctly distinguish the identified relationships as they relate to strategic, operational, and compliance goals for the organization?

4. Did the team correctly develop an appropriate plan to govern fiduciary responsibility for the organization?

5. Did the team create a professional, well-developed report with proper grammar, spelling, and punctuation?


Introduction:

Quantitative risk assessment techniques are valuable tools for organizations. They provide management with solid numerical data regarding the value and potential loss of assets.

This activity allows you to use quantitative risk assessment techniques for YieldMore.

Scenario:

In order to help make better decisions regarding risk assessment data, senior management at YieldMore has requested quantitative information relating to key information technology (IT) assets.

Task 3:

Your team, as employees of YieldMore, has been given the task of providing quantitative risk assessment information to senior management.

1. Estimate the value of at least five key IT assets in the organization.

2. Be sure you consider the direct and indirect financial and business impact of the IT assets.

3. Calculate the single loss expectancy (SLE) of the IT assets. (For this exercise, you will need to estimate this value.)

4. Calculate the annual rate of occurrence (ARO) for risk associated with the IT assets. (For this exercise, you will need to estimate this value.)

5. Calculate the annual loss expectancy (ALE) of the IT assets.

6. Create a professional document to present your findings to senior management.
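The SLE, ARO and ALE steps above, worked through as an added example that is not part of the case material: each of YieldMore's key assets gets one or more threat actions, SLE is derived as asset value times exposure factor (EF), ALE as SLE times ARO, and ALE is summed per asset so management sees total annual exposure per asset. Every dollar value, EF and ARO below is a constructed placeholder, not a figure from the case.

```python
"""Quantitative risk register for the YieldMore scenario (added example).

Formulas (standard definitions; the case asks you to estimate the inputs):
    SLE = asset value (AV) x exposure factor (EF)
    ALE = SLE x annual rate of occurrence (ARO)
All asset values, exposure factors and AROs are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatAction:
    asset: str              # IT asset from the scenario
    threat: str             # threat action paired with a vulnerability
    asset_value: float      # AV in dollars, including indirect business impact
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0..1)
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence of the threat."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: expected loss per year from this threat."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


# Constructed sample register (placeholder figures): threat actions per key asset.
REGISTER = [
    ThreatAction("Oracle database server", "ransomware encrypts customer data", 500_000, 0.60, 0.25),
    ThreatAction("Oracle database server", "disk failure on direct-attached storage", 500_000, 0.20, 0.50),
    ThreatAction("Linux application server", "unpatched service exploited", 300_000, 0.50, 0.20),
    ThreatAction("Active Directory server", "credential theft via phishing", 250_000, 0.40, 1.00),
    ThreatAction("Headquarters firewall", "misconfiguration exposes internal hosts", 150_000, 0.30, 0.10),
    ThreatAction("Sales VPN access", "stolen laptop with cached VPN credentials", 100_000, 0.25, 2.00),
]


def ale_by_asset(register):
    """Sum ALE over every threat action for each asset, highest exposure first."""
    totals = {}
    for ta in register:
        totals[ta.asset] = totals.get(ta.asset, 0.0) + ta.ale()
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for asset, ale in ale_by_asset(REGISTER):
        print(f"{asset:28s} ALE = ${ale:>12,.2f}")
```

Ranking by summed ALE rather than by a single threat action matters: here the database server tops the list only because two moderate threat actions add up, which a per-threat table would hide.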

Rubric:

1. Did the team correctly identify and estimate the value of at least five key IT assets in the organization?

2. Did the team correctly consider the direct and indirect financial and business impact of the IT assets?

3. Did the team correctly calculate the single loss expectancy (SLE) of the IT assets, and was their estimate reasonable?

4. Did the team correctly calculate the annual rate of occurrence (ARO) for risk associated with the IT assets, and was their estimate reasonable?

5. Did the team correctly calculate the annual loss expectancy (ALE) of the IT assets?


6. Did the team create a professional, well-developed report with proper grammar, spelling, and punctuation?


Introduction:

Risk management is critical to protect organizational assets and to ensure compliance with laws and regulations. Many individuals and departments in organizations are involved in risk management; this is especially true when creating a risk management plan.

Your team, as employees of YieldMore, is asked to create a risk management plan for the organization.

Scenario:

In order to help protect the company and ensure it maintains compliance with laws and regulations, senior management at YieldMore has decided to develop a formal risk management plan.

As employees of YieldMore, your team has been given the task of creating a risk management plan for the organization.

Task 4:

Your team will have a meeting to discuss YieldMore's risk management plan. In this meeting you will:

1. Review the responsibilities associated with your assigned role on the team.

2. Explain the specific responsibilities of your assigned role within the project.

3. Explain your role and the roles of the other team members to senior management. To accomplish this you will write a short report explaining who your team is and what function and responsibility each of you has on the team.

4. Create a Risk Management Plan that covers all of the requirements addressed in the previous tasks you have performed and those covered in the course text, and submit that plan.

Rubric:

1. Did the report adequately explain the roles of the team members to senior management?


2. Did the team create a professional, well-developed Risk Management Plan that covers all of the requirements addressed in the previous tasks and those covered in the course text, with proper grammar, spelling, and punctuation?