Risk Workshop and Risk Register- Flayton Electronics


Introduction

Flayton Electronics is a small electronics retailer that is beginning to grow into a larger business. It values its customers and is known for being straightforward and honest. Flayton Electronics now faces a severe risk that can jeopardize the integrity of the business and leave it open to lawsuits from customers, banks, or investors. The company's customer database has been breached, resulting in numerous fraudulent credit card transactions that were detected by Union Century Bank. Several risks have arisen from the breach of information, leaving the company's top management baffled. For this reason it is essential that the company hold a risk workshop to discuss the risks involved in the company's operations and to identify the risks that led to the data breach. It is also essential that the project leader for this crisis complete a risk register. A risk register is a risk management tool most commonly used in project management and organizational risk assessments.

Scope and Objectives of the Report

The main scope of this paper is to portray the current position of the risks that have been identified in the Flayton security breach. It takes into consideration the various parties that can be affected by the risks, such as the stakeholders, as well as the integrity of the business. The paper presents the top five threats that are obstacles for Flayton Electronics. The risks are determined using the case study "Boss, I Think Someone Stole Our Customer Data". It also covers the current position of each risk, the owner responsible for it, and the actions that need to be taken to minimize or eliminate it. The paper also identifies three opportunities that can arise from the risks. The purpose of this report is to implement a redefined strategy for the company by first understanding the risks and threats the company faces as a result of this situation. This can be accomplished by first setting up a workshop with top management and the employees involved in the company's security operations, in order to better understand the risks that have threatened the company. A two-day risk workshop will be set up for this purpose. The workshop will attempt to highlight the activities or steps needed to minimize the risks from the threats that have arisen in the case study. The risk workshop agenda is attached to the report in a separate section. The scope and objectives of this risk assessment paper are outlined below in the workshop agenda and in the pre-workshop activities that need to be conducted.

Pre-Workshop Agenda

Identify the top five threats that are considered a risk.

Justify the assessed probability and impact of each identified threat.

Identify the top three opportunities that arise from the risks and threats.

Justify the probability and impact of each identified opportunity.

Several risks have been classified and evaluated in this report. Each risk is assigned to a risk owner, and a risk minimization plan, including the actions that need to be taken, is established for each owner. Flayton Electronics faces many risks in the main categories of Technical, Management, Commercial and External, which can destabilize the company and put its integrity at risk (Hillson & Simon, 2007).

Project Status Summary

So far the report has assessed the organizational readiness of Flayton Electronics and created a risk management plan that needs to be implemented in order to allow the company to come out of the situation with a clean slate, minimizing the risk and threat components that have been identified. The project has suggested changes in terms of educating the security personnel and in the communication strategy. The main issue the company faces is that the scope, or main course of action, is not clear to top management. There are also several risks around informing and communicating with stakeholders, making the proper decisions, and tackling the security breach itself, which includes investigating its causes and then coming up with solutions, as well as a political risk of being sued for not communicating with customers. A thorough analysis of the case study suggests that the company has not yet attempted to resolve the majority of its risks, which raises concerns and threats that hinder the success of the company.

Overall Risk Status

According to Gray & Larson (2008), once the project scope is clearly defined, the foundations for developing the project plan can be firmly established. Having a definitive scope for any project, including one for crisis management, is crucial for the overall success of the company, because the project being carried out is then rooted in a well-defined purpose. Without a proper scope, the team that Flayton management has assembled will struggle to complete the project, having no clear purpose or path to follow. This is why the project scope is so important: it is the interlocking process that brings together all the other elements of the project plan.

A well-developed risk analysis is also crucial for the project's success. The process helps the team avoid blind spots over the course of the crisis mitigation project; without it they would be unprepared for what may happen, which in turn would affect the project scope, cost, and schedule. In addition, the IT infrastructure and the actual causes of the security breach are still vague, and this is a key factor in the rising risks and threats that are jeopardizing the company. The parties involved in the situation are likely at some point to misunderstand the causes, as they have not experienced such a situation before, which will in the end lead many customers, banks, or even investors to file lawsuits that will cost the company a great deal.

Flayton Electronics sees the main risk factor as the unknown causes of the security breach, which resulted from not developing the company's IT infrastructure properly. According to the case study, Flayton pursued an aggressive strategy to meet the obligations of a rapidly developing larger business, continuously developing new solutions to serve its clients better than its competitors. This aggressive strategy is good if the company wants to take as large a market share as possible. But if a company is continuously developing its systems, it also needs to develop the infrastructure, staff training and administration required to deal with those continuously developing solutions. Because the company did not think through the deployment of new technologies, the other requirements of development, or risk assessment, it failed. Aggressive growth was achieved in such a short time that not enough time or effort was put into adequately building up the IT infrastructure. These were the main factors that caused a risk in scope definition and a greater potential for scope creep.

Very little effort was also put into the project management process, which caused project management process risks in initiation, planning, execution, and control/validation across the company. The company was not fully PCI certified, which may also be a cause of the breach of the system. To ensure that the company complies with the PCI standards, the details are listed below.

The PCI Specifics and Six Major Objectives for Compliance

In order for Flayton to become PCI compliant, it needs to follow the standards stated below.

A secure network must be maintained in which transactions can be conducted. This criterion involves the use of firewalls that are effective without causing unwarranted inconvenience to cardholders and vendors.

Cardholder information must be protected no matter where it is stored. Repositories holding vital data such as date of birth, mother's maiden name, social security numbers, phone numbers, and mailing addresses should be secured against any kind of breach or hacking.

All systems should be protected against the activities of malicious hackers by using anti-virus, anti-spyware, and other anti-malware solutions, which should be updated daily or at least frequently. All applications used by the company should be free of bugs and other vulnerabilities that might allow cardholder data to be altered or stolen.

Access to system information and operations must be restricted and controlled. Cardholders should not have to provide information to a business unless the business needs that information to protect them and to carry out the transaction.

The company's networks must be constantly monitored and regularly tested to make sure that all security measures and processes are in place, functioning appropriately, and kept up to date.

The company also needs a formal information security policy that is well defined, maintained, and followed at all times by all participating entities. Enforcement measures, including audits and penalties for non-compliance, are also imperative.
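The second requirement above, protecting cardholder data wherever it is stored, is checked in practice by scanning logs, exports and databases for card numbers that should not be there. The following Python script is an added example written for this page; it is not material from the report or from the PCI standard. It uses the Luhn check digit to tell a genuine card number from an arbitrary 16-digit reference number, and masks each hit down to the first six and last four digits. The sample log lines are constructed for the example, using the widely published Visa and Mastercard test numbers rather than any real card.

```python
import re

# Constructed sample log lines (not from the report). The first two contain
# well-known test card numbers; the third is a plain 16-digit order reference
# that happens to look like a card number but fails the Luhn check.
SAMPLE_LOG = [
    "2024-01-01 order=1001 card=4111111111111111 status=approved",
    "2024-01-01 order=1002 card=5555555555554444 status=declined",
    "2024-01-01 order=1003 ref=1234567890123456 status=approved",
]

# Digit runs of 13 to 19 characters that are not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the truncation PCI permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_line(line: str):
    """Mask every Luhn-valid card number in one line; return (new_line, hits)."""
    hits = 0

    def replace(match):
        nonlocal hits
        candidate = match.group(0)
        if luhn_valid(candidate):
            hits += 1
            return mask_pan(candidate)
        return candidate        # leave non-card digit runs untouched

    return PAN_RE.sub(replace, line), hits


def scrub_log(lines):
    """Scrub a list of log lines; return (scrubbed_lines, total_hits)."""
    scrubbed, total = [], 0
    for line in lines:
        new_line, hits = scrub_line(line)
        scrubbed.append(new_line)
        total += hits
    return scrubbed, total


if __name__ == "__main__":
    cleaned, count = scrub_log(SAMPLE_LOG)
    print(f"{count} card number(s) found and masked")
    for entry in cleaned:
        print(entry)
```

Run against real logs, a non-zero hit count is itself the finding: it means the application is writing full card numbers to a place the PCI scope did not account for, and the masking shows what the log should have contained in the first place. The Luhn step matters because plain digit-run matching drowns a reviewer in order numbers, timestamps and reference IDs.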

Top Risks, Actions and Owners

| Risk | Action | Owners |
|---|---|---|
| Scope items not clear: the cause of the breach and how to tackle the issue | Alleviate the problem by discovering the causes and creating a plan to follow through. | Top management of Flayton and the crisis management team |
| Stakeholders | All stakeholders should meet to communicate the issues of the security breach. | Top management of Flayton, especially the CEO |
| Decision making | Provide decision-making insight to the business that complies with the situation and with government requirements. | CEO of Flayton: Brett Flayton |
| Security breach | Minimize the security breach by focusing on the infrastructure and properly addressing the risk. | Brett Flayton, Laurie Benson (VP Loss Prevention) & Sergei Klein (CIO) |
| Political risk | Work closely with the Secret Service and the FBI, and create a communication plan that will minimize the risk of a lawsuit against the company. | Darrell Huntington (outside counsel), Frank Ardito (CFO) |

Risk Assessment Agenda

Risk Ref.: | RBS Ref.: | WBS Ref.: | Risk Owner: Flayton Electronics
Risk Type: (T) | Risk Status: (Active)

Impact Description:
Time was consumed on trying to clear up the discrepancies.
The cost of materials, especially for infrastructure, will be needed.
The internal quality and the trust of customers are at risk.
The scope risk caused

Status:

Opportunities from the Risk Register

Of the risks that have been identified, the main ones lie in the causes of the security breach. Once the causes have been identified, the company's crisis management team and top management can work together to fill any gaps and make sure this does not occur again. The first opportunity is that the company can bring its IT infrastructure up to the level it currently lacks. The second is that the company can understand where it falls short of the PCI standards, and update and improve accordingly. The third opportunity is that personnel, including top management, can become educated in the cyber security needed to protect the information of its customers and the business, which increases the integrity of the business as a whole.

References

Government of South Australia. (n.d.). DECD Procedure: ICT Security Risk Assessment. Retrieved from http://www.decd.sa.gov.au/docs/documents/1/DecsProcedureIctSecurityR.pdf

Gray, C. F., & Larson, E. W. (2008). Project Management: The Managerial Process. Boston, MA: McGraw-Hill Companies, Inc.

Hillson, D., & Simon, P. (2007). Practical Project Risk Management: The ATOM Methodology. Vienna, VA: Management Concepts, Inc.

McNulty, E. (2007). Boss, I think someone stole our customer data. Harvard Business Review Case Study, pp. 1-9. Retrieved from http://www.scis.ulster.ac.uk/~sandra/com717/HBR_Casestudy.pdf
