The final assessment for ITC 596 is to deliver an IT Risk Assessment Case Study in support of a significant technology decision that is to be taken by a fictional company called Aztek that operates in the Australian Financial Services sector.
Senior executives in both business and technology divisions within Aztek have collected a portfolio of projects from their respective strategists that could be potentially funded for deployment. The portfolio includes projects such as:
- Allowing employees to bring their own devices (laptops, tablets and mobile phones for example) into the workplace to be used as their main or sole devices in achieving their work tasks.
- Migrating business-critical applications and their associated data sources to an external Cloud hosting solution.
- Outsourcing key IT functionality such as the network, desktop management or application development to a third party.
- Upgrading or introducing a major technology such as mobile platforms and applications, migrating to an improved networking technology (such as IPv6), creating a corporate-wide email archive for compliance purposes, or upgrading applications and desktop operating systems.
Each of these potential projects carries significant IT risks which will need to be managed to support the business case as to whether the project should go forward. In this case study, you are the IT Risk Assessment lead at Aztek, and your role is to be the interface between business stakeholders and technologists, translating potential technical difficulties into risk language to facilitate effective decision-making by stakeholders.
For the Aztek case study you will need to select one of the projects from the list above for a thorough IT Risk Assessment.
Your deliverable for this ITC 596 Case Study is an IT Risk Assessment report, written for the intended audience of Aztek management providing a risk assessment of the project you have selected to consider.
The report must address the following criteria:
- An Executive Summary at the beginning of the report which provides a clear statement of the IT technology project that is being assessed, and an overview of your recommendations to Aztek management as to the merits of the project based on your risk assessment.
- A review of the project with respect to the Financial Services sector, which would include any relevant government or industry regulation or compliance, and any established best practices.
- A review of the project impact on the current security posture of Aztec, as expressed by its current maturity against IT Security policies and procedures.
- A risk assessment based on threats, vulnerabilities and consequences derived from an IT control framework and any existing industry risk recommendations for the project. For example, there are several consortia for Cloud Computing that have created IT Risk Assessments for this technology.
- Specially address risks for Data Security from the viewpoint in the project of what data will be used, who will have access to the data and where will the data flow.
This assignment is for students to meet the following learning outcomes.
- be able to justify the goals and various key terms used in risk management and assess IT risk in business terms;
- be able to apply both quantitative and qualitative risk management approaches and to compare and contrast the advantages of each approach;
- be able to critically analyse the various approaches for mitigating security risk, including when to use insurance to transfer IT risk;
- be able to critically evaluate IT security risks in terms of vulnerabilities targeted by hackers and the benefits of using intrusion detection systems, firewalls and vulnerability scanners to reduce risk.