Risk Management Principles for an Organization-wide Cyber Risk Program: TJMAXX Case Study


Questions
Scenario 1 – TJMAXX Case Study: Please read the attached case study and answer the below questions.
1)    Using risk management principles for creating an organization-wide cyber risk program, create the following items:
a.    An enterprise-wide cyber risk management policy for all members of the workforce
b.    A brief accountability chart that demonstrates who is responsible for which parts of the enterprise risk management process (you may make assumptions about roles if you don’t know exactly what roles TJMAXX has).
c.    Give 2 case-specific examples of how to integrate your new risk management process into organization processes (account for resource availability in your response)
d.    Identify 2 case-specific communication and reporting mechanisms you would use to actively encourage support, accountability, and ownership of risk.

Scenario 2 – A Risk Audit of a Very Small Business: Please read the attached case study and answer the below questions.
1)    Based on all the methodologies and frameworks explored this semester, what approach would you choose to implement for this organization? Provide a case-specific justification for your selection that specifies how your choice fits and is appropriate for this organization.
2)    Assume that you have selected a qualitative approach to risk management. You have created a heat map and risk register that prioritize risks. You present the heat map and risk register and are met with the following questions. How would you respond based on the case study?
a.    I don’t understand why I need to do risk management – I have a very small business and I don’t find this useful. Why should I spend time and potentially money on this?
b.    This risk about vulnerabilities associated with my website and shopping cart says it is red and 20. How is this useful information to my organization, and what can I do with it?
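As an added example for the heat map and risk register that question 2 asks about (this is illustrative code, not part of the case study or the assignment), the block below scores each register entry as likelihood times impact on assumed 1-to-5 ordinal scales, places it on a 5x5 heat map, assigns a colour band, and turns a score such as "red and 20" into an owner and a treatment decision the business can act on. The band thresholds, the treatment guidance and the sample register entries are all constructed assumptions, not figures from the case.

```python
from dataclasses import dataclass

# Assumed 5-point ordinal scales for likelihood and impact (not from the case study).
SCALE_MIN, SCALE_MAX = 1, 5

# Assumed heat-map bands on score = likelihood * impact, checked from the top down.
BANDS = ((15, "red"), (10, "orange"), (5, "yellow"), (1, "green"))

# Assumed treatment guidance per band; this is what turns "red and 20" into an action.
TREATMENT = {
    "red": "treat now: name an owner, set a dated remediation plan, report monthly",
    "orange": "treat within the next planning cycle; keep on the register",
    "yellow": "monitor; accept with a documented reason and a review date",
    "green": "accept; revisit at the next scheduled reassessment",
}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    owner: str = "unassigned"

    def __post_init__(self) -> None:
        # Reject values outside the ordinal scale so a typo cannot produce a score of 0 or 30.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{label} must be in {SCALE_MIN}..{SCALE_MAX}, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        for floor, colour in BANDS:
            if self.score >= floor:
                return colour
        return "green"


def prioritise(risks):
    """Rank the register: highest score first, ties broken by impact (worse outcome first)."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def heat_map(risks):
    """Place each risk on the 5x5 grid keyed by (likelihood, impact)."""
    grid = {(l, i): [] for l in range(SCALE_MIN, SCALE_MAX + 1)
            for i in range(SCALE_MIN, SCALE_MAX + 1)}
    for r in risks:
        grid[(r.likelihood, r.impact)].append(r.name)
    return grid


def explain(risk: Risk) -> str:
    """Plain-language answer to 'it says red and 20, what do I do with it?'."""
    return (f"{risk.name}: likelihood {risk.likelihood} x impact {risk.impact} "
            f"= {risk.score} ({risk.band}); owner: {risk.owner}; "
            f"action: {TREATMENT[risk.band]}")


# Constructed sample register for a very small online retailer (not from the case study).
SAMPLE_REGISTER = [
    Risk("Unpatched website and shopping-cart software", likelihood=4, impact=5, owner="owner"),
    Risk("Phishing of the owner's email account", likelihood=4, impact=3, owner="owner"),
    Risk("Loss of the laptop holding customer order records", likelihood=3, impact=4),
    Risk("Extended power outage at the shop", likelihood=2, impact=2),
]


def report(risks=SAMPLE_REGISTER):
    """One line per risk, highest priority first."""
    return [explain(r) for r in prioritise(risks)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

The point of `explain` is the conversation in question 2b: the number on its own means little to a small-business owner, but "4 x 5 = 20, red, owner: you, action: treat now with a dated plan" gives them a priority, an accountable person and a next step, and the same function answers 2a by showing that the register is a short ranked to-do list rather than an open-ended spend.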

Non-Scenario Questions
1)    Please describe the merits and drawbacks of OCTAVE Allegro, NIST, and FAIR. Describe 1 merit and 1 drawback for each method/framework.
2)    When would you recommend using each of the above methods/frameworks? Give at least two recommendation criteria for each method/framework.
3)    When looking at risk management and cyber security for any given organization or company, how do you know when you have “enough security”? What pushback might you receive on your response from the first part of this question, and how would you respond to it?
