Response Paper3
Risk Management
Scenario
Although not all of the OIT management agreed with your top five (5)
threat categories and accompanying attack vectors recommendation¹, the CIO was
impressed with your research as well as your newly revised policies². Top management now
wants you to join the WMU InfoSec Initiative team to help in the next major phase of the
project: risk management.
The risk management process is comprised of three major areas:
1. risk identification
2. risk assessment
3. risk treatment and control
In this paper, you will delve into each as we work to help WMU minimize risk to its most
valuable assets.³
Task Components
Please include the following sections as major paper headings. Implement sub-section
headings where appropriate.
This paper will require a great deal of analysis and support, so organization and
presentation are extremely important.
Part1: Identification
Asset identification may require you to assume certain items about WMU because we do not
have detailed information about all human resource roles, equipment, etc. However, you can
make some assumptions using material found on WMU websites as well as articles
from other higher education assessments⁴. Even extending some of your own
organizational knowledge would help here.
By previously identifying the major threats, you have already completed part of the process of
threat assessment. You may change your initial threat analysis, use partial components, etc.
However, make sure to discuss threat categories and attack vectors you deem the most
important to guard against.
¹ Response Paper1
² Response Paper2
³ If you would like to use your place of work instead of WMU and have authorization to share
organizational details with me alone, please contact me via email or Teams to discuss it.
⁴ https://www.educause.edu/focus-areas-and-initiatives
Once you have identified assets and discussed vulnerabilities, create a TVA worksheet
(table or embedded spreadsheet) to illustrate and support your discussion.
If necessary, include tables and/or worksheets in appendices. Do make sure to discuss the
TVA findings in your analysis.
Please note: For Part1 there is no expectation that we can cover every WMU asset against
every potential threat. Work to narrow your focus to a particular area (e.g., computer labs) or
category (e.g., data) and state the constraints.
Part2: Assessment
In terms of risk assessment, make sure to explain WMU’s risk appetite and determine the
risk cost for your top three (3) TVA-ranked items at a minimum. This will require you to
perform a quantitative analysis using your best “guesstimates” although you can find
some preliminary costs online.
Part3: Treatment and Control
Using your TVA and risk assessment, assign and discuss risk treatment and control
strategies for each identified asset associated with a risk cost. Make sure to justify your
rationale. A major part of this rationale needs to be a cost-benefit analysis using accepted
quantitative approaches. For example:
CBA = ALE(pre-control) - ALE(post-control) - ACS
If quantitative feasibility analyses are not sufficient—and many times they are not—add
other feasibility methods such as behavioral, operational, organizational, political, and
technical.
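The CBA formula above, carried through for several controls at once, as an added Python example that is not part of the original assignment. It assumes the standard definitions SLE = AV x EF and ALE = SLE x ARO, which the assignment does not spell out; the asset names, dollar figures, exposure factors and occurrence rates are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Control:
    asset: str          # asset row taken from the TVA worksheet (constructed here)
    asset_value: float  # AV, in dollars
    ef_pre: float       # exposure factor (fraction of AV lost per incident), pre-control
    aro_pre: float      # annualized rate of occurrence, pre-control
    ef_post: float      # exposure factor once the control is in place
    aro_post: float     # annualized rate of occurrence once the control is in place
    acs: float          # annualized cost of the safeguard

def ale(asset_value, exposure_factor, aro):
    """ALE = SLE x ARO, where SLE = AV x EF (assumed standard definitions)."""
    return asset_value * exposure_factor * aro

def cba(c):
    """CBA = ALE(pre-control) - ALE(post-control) - ACS."""
    pre = ale(c.asset_value, c.ef_pre, c.aro_pre)
    post = ale(c.asset_value, c.ef_post, c.aro_post)
    return pre - post - c.acs

def rank(controls):
    """Return (asset, CBA, verdict) rows, highest CBA first."""
    rows = []
    for c in controls:
        value = round(cba(c), 2)
        # A non-positive CBA means the control costs more than the loss it avoids,
        # so it needs support from the non-quantitative feasibility methods.
        verdict = "cost-justified" if value > 0 else "not justified on cost alone"
        rows.append((c.asset, value, verdict))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample figures, not WMU data.
SAMPLE = [
    Control("Public web server", 40_000, 0.50, 1.0, 0.50, 0.8, 15_000),
    Control("Student records database", 500_000, 0.40, 0.5, 0.10, 0.2, 30_000),
    Control("Computer lab workstations", 120_000, 0.25, 2.0, 0.25, 0.5, 20_000),
]

if __name__ == "__main__":
    for asset, value, verdict in rank(SAMPLE):
        print(f"{asset:28s} CBA = {value:>12,.2f}  {verdict}")
```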
Please Note
If you want to reference and follow industry standard models such as OCTAVE, NIST, or
ISO 27005 you can, but make sure the sections used support your approach.
Do include an Executive Summary and a Conclusion section for this paper.
Deliverable
Make sure to follow the Response Paper Guidelines posted in eLearning. Your paper should
be turned in to the eLearning dropbox with the filename:
<yourClassID>ResponsePaper3
before the due date and time.