MIK6_MTIG

Overview

Risk assessment plans hinge on the estimated importance attached to risks that have been identified. This importance is established in one of two ways: qualitatively or quantitatively.

For this activity, you will:

1. Read the scenario.

2. Utilize qualitative and quantitative risk assessment (RA) processes.

3. Provide qualitative and quantitative estimates to inform management of the risks and costs associated with the project.

Prompt

Imagine that you work for a company as a network administrator. Your company has just won a large contract with the United States government, and you have been given the responsibility to plan and implement the project. The project involves expanding an existing computer network. Your company has never worked with the U.S. government at this level. Therefore, this is your chance to prove yourself in the company.

In meetings, you have explained the architecture, new enterprise-level firewall, additional requirements for network monitoring, need for an additional system administrator, and risks of not complying with Federal Information Security Management Act (FISMA) regulations for securely working with the U.S. government.

The National Institute of Standards and Technology (NIST) outlines nine steps toward compliance with FISMA:

1. Categorize the information to be protected.

2. Select minimum baseline controls.

3. Refine controls using a risk assessment procedure.

4. Document the controls in the system security plan.

5. Implement security controls in appropriate information systems.

6. Assess the effectiveness of the security controls once they have been implemented.

7. Determine agency-level risk to the mission or business case.

8. Authorize the information system for processing.

9. Monitor the security controls on a continuous basis.

It is expected that the implementation of the project will have a total cost of $3 million to bring it to full operation, including full compliance with the FISMA standards, in approximately six months. Your tasks in this project are to develop, test, and bring into production a network with these requirements in a short time frame.

This project, if executed properly, is likely to have an annual income of $30 million USD for your company. This income is a 20% premium to other sources of income, amounting to $90 million. Your company is expected this revenue in the current year, and it will greatly contribute to the company’s bottom line.

Based on the service level agreement with the U.S. government, service delivery requirements are expected to be on time and within the specified quality parameters of +/- 1% of the time with specified deliverables scheduled for every other Friday afternoon at the end of the day. For each month the project is late, a 5% reduction per month in the overall contract price will be imposed. If this reduction reaches 20%, the contract will be transferred to another company that was part of the original bidding process.

There is a lot at stake in this project. Therefore, it’s imperative that you execute an effective and accurate RA. These are your tasks:

1. Estimate the qualitative and quantitative risks of bringing the project to completion:

· On time

· One month early

· Two months late

2. Estimate the qualitative risks of bringing the project to completion:

· On time, but not with the required security

· One month early with the required security requirements

· Two months late, without the required security requirements

3. Estimate the qualitative and quantitative risks of bringing the project to completion on time, with the required security requirements, within/on budget, but not meeting the required contractual commitment for service.

Guidelines for Submission

Produce a brief RA report of 1–2 pages, double spaced and submitted as a Word document. You can use tables or other organizational features in Word to clearly communicate the recommendation and assessed risks.

Resources are not required, but any resources used must be appropriately cited using APA style. Your submission must completely address all of the tasks and requirements in the Prompt section.

Ref:

https://learning.oreilly.com/library/view/managing-risk-in/9781284055955/19_ch10.xhtml