Cism Final

October 1, 2017 | Author: saad209 | Category: Remote Desktop Services, Risk Management, Wireless Lan, Risk, Wi Fi



NAME: ABDUL RAUF
REG # FC/MSBA/92
Q: 1

(i) What are the different sources of risk in implementing risk management? (ii) How would you address them with the application of an appropriate strategy?

What is risk? Risk management is an increasingly important business driver, and stakeholders have become much more concerned about risk. Risk may be a driver of strategic decisions, it may be a cause of uncertainty in the organization, or it may simply be embedded in the activities of the organization. An enterprise-wide approach to risk management enables an organization to consider the potential impact of all types of risk on all processes, activities, stakeholders, products and services. Implementing a comprehensive approach will result in an organization benefiting from what is often referred to as the 'upside of risk'.

Benefits of risk management:

For all types of organizations, there is a need to understand the risks being taken when seeking to achieve objectives and attain the desired level of reward. Organizations need to understand the overall level of risk embedded within their processes and activities. It is important for organizations to recognize and prioritize significant risks and identify the weakest critical controls. When setting out to improve risk management performance, the expected benefits of the risk management initiative should be established in advance. The outputs from successful risk management include compliance, assurance and enhanced decision-making. These outputs will provide benefits by way of improvements in the efficiency of operations, effectiveness of tactics (change projects) and the efficacy of the strategy of the organization.

Risk management principles: Risk management is a process that is underpinned by a set of principles. It also needs to be supported by a structure that is appropriate to the organization and its external environment or context. A successful risk management initiative should be proportionate to the level of risk in the organization (as related to the size, nature and complexity of the organization), aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances. A summary of the risk management requirements that should be in place in order to ensure good standards of risk governance is presented below:

1. Nature and impact of risk

Risks can impact an organization in the short, medium and long term. These risks are related to operations, tactics and strategy, respectively. Strategy sets out the long-term aims of the organization, and the strategic planning horizon for an organization will typically be 3, 5 or more years. Tactics define how an organization intends to achieve change. Therefore, tactical risks are typically associated with projects, mergers, acquisitions and product developments. Operations are the routine activities of the organization.

Definition of risk: It is the "effect of uncertainty on objectives". To assist with its application, risk is often described in terms of an event, a change in circumstances or a consequence.

Recording risk assessments: Risk assessment involves the identification of risks followed by their evaluation or ranking. It is important to have a template for recording appropriate information about each risk.

Risk classification systems: An important part of analyzing a risk is to determine the nature, source or type of impact of the risk. Evaluation of risks in this way may be enhanced by the use of a risk classification system. Risk classification systems are important because they enable an organization to identify accumulations of similar risks. A risk classification system will also enable an organization to identify which strategies, tactics and operations are most vulnerable.

2: Principles of risk management

Risk management is a central part of the strategic management of any organization. It is the process whereby organizations methodically address the risks attached to their activities. A successful risk management initiative should be proportionate to the level of risk in the organization, aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances.

Risk management should be a continuous process that supports the development and implementation of the strategy of an organization. It should methodically address all the risks associated with all of the activities of the organization. In all types of undertaking, there is the potential for events that constitute opportunities for benefit (upside), threats to success (downside) or an increased degree of uncertainty. The risk management process can be presented as a list of co-ordinated activities. The 7 Rs and 4 Ts of (hazard) risk management:

1. Recognition or identification of risks
2. Ranking or evaluation of risks
3. Responding to significant risks: (i) Tolerate, (ii) Treat, (iii) Transfer, (iv) Terminate
4. Resourcing controls
5. Reaction planning
6. Reporting and monitoring risk performance
7. Reviewing the risk management framework

3: Achieving the benefits of ERM

The key stages in the process are represented as risk assessment and risk treatment. Risk assessment: Risk identification establishes the exposure of the organization to risk and uncertainty. This requires an intimate knowledge of the organization, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as an understanding of strategic and operational objectives. The result of the risk analysis can be used to produce a risk profile that gives a rating of significance to each risk and provides a tool for prioritising risk treatment efforts. This ranks the relative importance of each identified risk. The risk analysis activity assists the effective and efficient operation of the organization by identifying those risks that require attention by management.
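As an added illustration (not part of the assignment), the recognition, ranking and responding steps above applied to a small constructed risk register: likelihood/impact scales, the 4T thresholds and the sample risks are all assumptions made for the example.

```python
from dataclasses import dataclass
from collections import defaultdict
from typing import Dict, List

# Ordinal scales (constructed for this example; an organisation would use its own).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    name: str
    horizon: str        # classification by timescale: strategic / tactical / operational
    source: str         # classification by nature or source of impact
    likelihood: str
    impact: str
    treatable: bool = True      # assumption: a control can reduce likelihood or impact
    transferable: bool = False  # assumption: insurance or outsourcing is available

    def score(self) -> int:
        """Ranking step: likelihood x impact on the scales above."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def respond(risk: Risk, appetite: int = 6) -> str:
    """Responding step: choose one of the 4Ts. The thresholds are assumptions."""
    s = risk.score()
    if s <= appetite:
        return "Tolerate"                       # within appetite: accept and monitor
    if not risk.treatable and s >= 20:
        return "Terminate"                      # cannot be controlled: stop the activity
    if risk.transferable and IMPACT[risk.impact] >= 4:
        return "Transfer"                       # high impact and insurable: shift the cost
    return "Treat"                              # default: apply controls (mitigation)


def risk_profile(risks: List[Risk]) -> List[dict]:
    """Rank risks by significance and attach the proposed response."""
    ranked = sorted(risks, key=lambda r: (-r.score(), r.name))
    return [{"name": r.name, "score": r.score(), "horizon": r.horizon,
             "response": respond(r)} for r in ranked]


def accumulations(risks: List[Risk], min_count: int = 2) -> Dict[str, int]:
    """Classification step: sources carrying several similar risks, by total score."""
    by_source = defaultdict(list)
    for r in risks:
        by_source[r.source].append(r.score())
    return {src: sum(scores) for src, scores in by_source.items()
            if len(scores) >= min_count}


# Constructed sample register for a CRM system used by field staff.
SAMPLE = [
    Risk("Notebook with unencrypted CRM data stolen", "operational", "mobile devices",
         "likely", "major"),
    Risk("Wi-Fi session intercepted at a public hot spot", "operational", "mobile devices",
         "possible", "major"),
    Risk("Key CRM supplier becomes insolvent", "tactical", "third parties",
         "possible", "severe", transferable=True),
    Risk("Server room flooded", "operational", "physical", "rare", "severe"),
    Risk("Enter a market the board cannot fund", "strategic", "market",
         "almost certain", "severe", treatable=False),
]

if __name__ == "__main__":
    for row in risk_profile(SAMPLE):
        print(f"{row['score']:>3}  {row['response']:<9}  {row['name']}")
    print("accumulations:", accumulations(SAMPLE))
```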

Risk treatment: Risk treatment is the activity of selecting and implementing appropriate control measures to modify the risk. Risk treatment includes as its major element risk control (or mitigation), but extends further to, for example, risk avoidance, risk transfer and risk financing. Any system of risk treatment should provide efficient and effective internal controls. Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the proposed control measures. The cost-effectiveness of internal control relates to the cost of implementing the control compared to the risk reduction benefits achieved.

4: Planning and designing

There are a number of factors that should be considered when designing and planning an ERM initiative. Details of the risk architecture, strategy and protocols should be recorded in a risk management policy for the organization. Many organizations issue an updated version of their risk management policy each year. This ensures that the overall risk management approach is in line with current best practice. It also gives the organization the opportunity to focus on the intended benefits for the coming year, identify the risk priorities and ensure that appropriate attention is paid to emerging risks.

A risk management policy should include the following sections:

- Risk management and internal control objectives (governance)
- Statement of the attitude of the organization to risk (risk strategy)
- Description of the risk-aware culture or control environment
- Level and nature of risk that is acceptable (risk appetite)
- Risk management organization and arrangements (risk architecture)
- Details of procedures for risk recognition and ranking (risk assessment)
- List of documentation for analyzing and reporting risk (risk protocols)
- Risk mitigation requirements and control mechanisms (risk response)
- Allocation of risk management roles and responsibilities
- Risk management training topics and priorities
- Criteria for monitoring and benchmarking of risks
- Allocation of appropriate resources to risk management
- Risk activities and risk priorities for the coming year

5: Implementing and benchmarking

Risk assessment is a fundamentally important part of the risk management process. In order to achieve a comprehensive risk management approach, an organization needs to undertake suitable and sufficient risk assessments. A range of the most common risk assessment techniques is set out below.

Establish risk assessment procedures: Risk assessment will be required as part of the decision-making processes intended to exploit business opportunities. One way of ensuring that risk is part of business decision-making is to ensure that a risk assessment is attached to all strategy papers presented to the Board. Likewise, a risk assessment of all proposed projects should be undertaken, and further risk assessments should be undertaken throughout the project.

Risk assessment techniques:

- Questionnaires and checklists: Use of structured questionnaires and checklists to collect information to assist with the recognition of the significant risks.
- Workshops and brainstorming: Collection and sharing of ideas and discussion of the events that could impact the objectives, stakeholder expectations or key dependencies.
- Inspections and audits: Physical inspections of premises and activities, and audits of compliance with established systems and procedures.
- Flow charts and dependency analysis: Analysis of processes and operations within the organization to identify critical components that are key to success.
- HAZOP and FMEA approaches: Hazard and Operability studies and Failure Modes and Effects Analysis are quantitative technical failure analysis techniques.
- SWOT and PESTLE analyses: Strengths, Weaknesses, Opportunities, Threats (SWOT) and Political, Economic, Social, Technological, Legal, Environmental (PESTLE) analyses offer structured approaches to risk recognition.

6: Measuring and monitoring

Monitoring and measuring extends to the evaluation of culture, performance and preparedness of the organization. The scope of activities covered by monitoring and measuring also includes monitoring of risk improvement recommendations and evaluation of the embedding of risk management activities in the organization, as well as routine monitoring of risk performance indicators. Any monitoring and measuring process should also determine whether:

- The measures adopted achieved the intended result.
- The procedures adopted were efficient.
- Sufficient information was available for the risk assessment.
- Improved knowledge would have helped to reach better decisions.
- Lessons can be learned for future assessments and controls.

7: Learning and reporting

Completing the feedback loop on the risk management process involves the important steps of learning from experience and reporting on performance. In order to learn from experience, an organization needs to review risk performance indicators and measure the contribution that enterprise risk management has made to the success of the organization. External reporting should provide useful information to stakeholders on the status of risk management and the actions that are being taken to ensure continuous improvement in performance. Risk reporting provides information on historical losses and trends. However, risk disclosure is a more forward-looking activity that anticipates emerging risks. There is a clear difference between measuring and monitoring risk performance and undertaking steps to learn from experience to improve the risk management process and framework. Important lessons can be learned that will assist with improving the design of the support framework and the implementation framework.


NAME: SAAD AMEER
REG # FC/MSBA/110
Q.NO: 2 Business Model: Revenue, Cost and Asset options

Key resources: Key resources are the strategic assets you need in place, and need in place to a greater or more targeted degree than your competitors. The Business Model Canvas proposes that there are three core business types: product, scope, and infrastructure. These tend to have similar types of key resources. Product-driven businesses have a differentiated product of some sort. The company that makes the popular app Angry Birds is such a company. Key resources in product-driven businesses are typically key talent in critical areas of expertise and accumulated intellectual property related to their offering. Scope-driven businesses create some synergy around a particular customer segment. For example, if you started a business that would take care of all the IT needs for law firms, that would be a scope-driven business. These businesses typically have key knowledge about their segment, a repeatable set of processes, and sometimes infrastructure, like service centers. Infrastructure-driven businesses achieve economies of scale in a specific, highly repeatable area. Telecommunications is traditionally an infrastructure business.

Revenue stream (pricing):

What the Market Will Bear: In markets where there is little or no competition, companies can employ a pricing strategy that optimizes profits. It is often called a What The Market Will Bear (WTMWB) price. This strategy sets the price based on the maximum price the market will pay for the product. On the one hand, the company wants to realize the highest profits possible in the shortest amount of time to help recoup high start-up costs, such as R&D (research and development), production, and marketing costs. On the other, it may not want its profits to be so attractive as to invite competition to enter the market within the time window it needs to build market share and establish a leadership position. This strategy typically works because those likely to buy a new product (the Innovators and Early Adopters) are not particularly price sensitive. If there is considerable uniqueness and desirability built into the product brand, your company can employ a WTMWB strategy. If not, you might consider other effective pricing strategies.

Gross Profit Margin Target: In almost all cases, pricing strategies should begin with a Gross Profit Margin Target (GPMT) strategy. Companies typically know the gross profit margin they need to pay back their expenses and generate positive net income and cash flow. Once your company knows the cost of sales (cost of goods and services sold) of a particular product and the Gross Profit Margin Target.

Most Significant Digit Pricing: For products that will be sold to consumers, most companies employ a Most Significant Digit (MSD) pricing strategy. Why? Studies and experience show that sales will be significantly higher if a product is priced at, say, Rs29.95 or Rs29.99 instead of Rs30. Most humans focus on the most significant digit, the '2' in this case. To them Rs29.95 or Rs29.99 seems a lot less than Rs30 even though it is only 1 to 5 paisa less. Even expensive homes in Beverly Hills might sell for Rs7,995,000 rather than Rs8 million. There are exceptions. In upscale restaurants, it is usually a mistake to price an entrée at Rs31.95. Instead it will be priced at Rs32. For some reason, people do not think the food is as good if MSD pricing is used in a high-end restaurant.

Combining all three: If a product is positioned as unique, smart marketing companies will typically use all three of these strategies in combination. Depending on the amount of memory the buyer chooses, Apple has priced its new i-Phone 5S at $199, $299, and $399 for those that opt for a two-year contract. Apple is using an MSD strategy in addition to a WTMWB strategy because the i-Phone has uniqueness built in, since Apple controls the platform. It also aims for a GPMT, which is not officially published, but which is in the 30 to 50% GPM range of well-positioned products in competitive markets. When Johnson & Johnson launched a margarine developed in Finland that lowers cholesterol, it priced a tub of this margarine at between $5.79 and $5.99. At the same time, a tub of regular margarine sold for 99¢. Based on this pricing, which used MSD and WTMWB strategies, many speculated that J&J priced the product at 8C (eight times its cost), which gave it a GPMT of roughly 87.5%.

Pricing your products: When you are pricing your products, what gives you control over the price is the uniqueness built into your positioning, or branding, strategy. If you have created a product image that is impossible, or very difficult, to copy, you can employ a WTMWB price that will give you a good GPM that enables you to achieve your desired GPMT. And, if you sell your product in a consumer market, it would be a good idea to also employ an MSD pricing strategy. For example, if you are a manufacturer that is targeting a GPM of 50% and your cost of sales is Rs15, you might consider selling the product for Rs29.95, a nickel less than the price of 2C (twice the cost of sales).


NAME: MUBEEN AHMED
REG # FC/MSBA/95
Q.NO 3: What security principles will you apply on RD services' CRM system? And why? How would you manage incidents after occurrence?

Security policies for CRM system

CRM is a fertile ground for security breaches. By their nature, most CRM applications involve mobile devices, such as notebook computers that employees bring into the field, and many applications use wireless connections to talk to the server. As a general rule, any mobile device is more vulnerable to security breaches, ranging from attacks against communication links to simply having the device stolen.

Here are five tips that can greatly enhance the security of your CRM system:

1. Encrypt your remote data.
2. Watch your wireless connections.
3. Consider role-based security.
4. Educate your staff.
5. Beware of phishing.

1. Encrypt your remote data. Encryption is the process of encoding messages (or information) in such a way that third parties cannot read it, but only authorized parties can. Encryption doesn't prevent hacking, but it prevents the hacker from reading the data that is encrypted.

1) Do you encrypt data on laptops and other mobile devices? As a first line of defense, all confidential data on mobile devices should be encrypted. Consider using software to encrypt everything on your notebooks. At the very least, business-critical information should be protected by encryption.

2) Do you have password protection on all mobile devices? Do you require strong passwords and frequent changes? Many organizations use combinations of numbers and letters at least six characters long and have users change them every 30 to 60 days.

3) Alternatively, do you use other, more secure, authentication methods in place of passwords? More secure authentication methods can involve separate physical keys, such as USB drives, which need to be plugged into a computer to make files accessible. This is more secure if you keep the key separate from the computer, as on a key chain in your pocket or purse, not in the computer case.

4) Do you have an independent firewall on your mobile products? Although Windows XP and Vista both come with firewalls, many experts recommend adding a more secure third-party product, especially if you're using a wireless connection.

A firewall is a software- or hardware-based network security system that controls incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on an applied rule set. Firewalls can be defined in many ways according to your level of understanding.

2. Watch your wireless connections. Data is at its most exposed when it is in transit. This is especially true if you use wifi or other wireless connections to transmit your data to the home office.

1. Do you use the appropriate level of wifi encryption? Wifi communications can be encrypted with WPA (Wifi Protected Access) or 802.11i (IEEE 802.11i is an IEEE 802.11 amendment used to facilitate secure end-to-end communication for wireless local area networks (WLAN)) standards to make interception much more difficult. The older WEP (Wired Equivalent Privacy) standard is much less secure.

2. Do you turn off the wifi client when you're not using it? If your wifi client is left on, an intruder can try to use it to break into your computer. Turning off wifi when you don't need it is an easy way to prevent unauthorized access.

3. Do you verify SSIDs (service set identifier, used to uniquely identify any given wireless network) before using them? Setting up a fake SSID is one way to access a wifi session. Essentially, this involves setting up an access point on top of another wifi hot spot in such a way that there is at least an equal chance that anyone logging in through the hot spot will connect through the phony access point, which will then read and record the entire session.

4. Do you keep file and printer sharing disabled on your laptop? File and printer sharing are useful, but they also open dangerous vulnerabilities. If you aren't using them, disable them.

5. Do you use VPNs (Virtual Private Networks) when available? A VPN is just what it sounds like: a private connection between your remote system and your server running over the public network. VPNs are more secure than a conventional connection. It's not always possible to have a VPN, but if your configuration allows for one, it's a good idea to use it. You may want to consider a policy of never using "open" (non-password-protected) wifi hot spots in airports, coffee shops and other public places to transact business.

3. Consider role-based security. Role-based security refers to establishing a series of finely grained classifications of your employees, each with a specific bundle of access and other privileges. Employees assigned to a classification only have access to the privileges associated with that role.

1) Are your roles carefully chosen? In designing roles you should consider what employees actually do, not their position in the organization.

2) Do you use the least-access principle in defining and assigning roles? Each role should give employees the privileges they need to do their job and no more.

4. Educate your staff.

1) Do you keep employees up to date on security best practices? All the hardware in the world won't help if staff doesn't understand enough to take basic precautions to prevent systems from being compromised.

2) Do you have an ongoing security education program? Are your people made aware of the dangers of sharing or writing down passwords, etc.?

3) Are your people trained not to open attachments from unknown sources?

4) Are they taught not to add "gray ware," such as unauthorized file sharing applications, to their systems?

5. Beware of phishing. Phishing and its variants are a major source of security breaches. Most people know that phishing involves sending phony email messages with the aim of getting the victim to submit confidential information such as credit card numbers or account details. However, many people aren't aware of the specific danger signs of phishing emails. For example, government agencies or banks will never ask you to submit confidential information in an email. While the idea of phishing is common knowledge, it still succeeds because organizations don't make a point of alerting their employees to the dangers. You should have a policy for dealing with suspicious emails and make sure your employees are aware of what constitutes a "suspicious" email.

Remote desktop

A remote desktop is a separate program or feature found on most operating systems that allows a user to access an operating computer system's desktop. The access occurs via the Internet or through another network in another geographical location and allows users to interact with that system as if they were physically at their own computer. USB devices with the ability to recreate a remote user's desktop are commonly called secure portable offices.

How secure is Windows Remote Desktop?

Remote Desktop sessions operate over an encrypted channel, preventing anyone from viewing your session by listening on the network. However, there is a vulnerability in the method used to encrypt sessions in earlier versions of RDP. This vulnerability can allow unauthorized access to your session using a man-in-the-middle attack. Remote Desktop can be secured using SSL/TLS in Windows Vista, Windows 7, and Windows Server 2003/2008. While Remote Desktop is more secure than remote administration tools such as VNC that do not encrypt the entire session, any time Administrator access to a system is granted remotely there are risks. The following tips will help to secure Remote Desktop access to both the desktops and the servers that you support.


Basic Security Tips for Remote Desktop

1. Use strong passwords. Use a strong password on any accounts with access to Remote Desktop. This should be considered a required step before enabling Remote Desktop. Refer to the campus password complexity guidelines for tips.

2. Update your software. One advantage of using Remote Desktop rather than 3rd-party remote admin tools is that components are automatically updated to the latest security fixes in the standard Microsoft patch cycle. Make sure you are running the latest versions of both the client and server software by enabling and auditing automatic Microsoft Updates. If you are using Remote Desktop clients on other platforms, make sure they are still supported and that you have the latest versions. Older versions may not support high encryption and may have other security flaws.

3. Restrict access using firewalls. Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (the default is TCP 3389). Using an RDP Gateway is highly recommended for restricting RDP access to desktops and servers (see discussion below). As an alternative to support off-campus connectivity, you can use the campus VPN software to get a campus IP address, and add the campus VPN network address pool to your RDP firewall exception rule.

4. Enable Network Level Authentication. Windows Vista, Windows 7, and Windows Server 2008 also provide Network Level Authentication (NLA) by default. It is best to leave this in place, as NLA provides an extra level of authentication before a connection is established. You should only configure Remote Desktop servers to allow connections without NLA if you use Remote Desktop clients on other platforms that don't support it.


5. Limit users who can log in using Remote Desktop. By default, all Administrators can log in to Remote Desktop. If you have multiple Administrator accounts on your computer, you should limit remote access only to those accounts that need it. If Remote Desktop is not used for system administration, remove all administrative access via RDP and only allow user accounts requiring RDP service. For departments that manage many machines remotely, remove the local Administrator account from RDP access and add a technical group instead.

1. Click Start --> Programs --> Administrative Tools --> Local Security Policy.
2. Under Local Policies --> User Rights Assignment, go to "Allow logon through Terminal Services" or "Allow logon through Remote Desktop Services".
3. Remove the Administrators group and leave the Remote Desktop Users group.
4. Use the System control panel to add users to the Remote Desktop Users group.

A typical MS operating system will have the following setting by default, as seen in the Local Security Policy:

The problem is that "Administrators" is here by default, and your "Local Admin" account is in Administrators. Although a password convention to avoid identical local admin passwords across machines, together with tightly controlled access to these passwords or conventions, is recommended, using a local admin account to work on a machine remotely does not properly log and identify the user using the system. It is best to override the local security policy with a Group Policy setting.

To control access to the systems even more, using "Restricted Groups" via Group Policy is also helpful.


If you use a "Restricted Group" setting to place your group, e.g. "CAMPUS\LAW-TECHIES", into "Administrators" and "Remote Desktop Users", your techies will still have administrative access remotely, but using the steps above you have removed the problematic "local administrator account" from having RDP access. Going forward, whenever new machines are added in the OU under the GPO, your settings will be correct.

6. Set an account lockout policy. By setting your computer to lock an account for a period of time after a number of incorrect guesses, you will help prevent hackers from using automated password guessing tools to gain access to your system (this is known as a "brute-force" attack). To set an account lockout policy:

1. Go to Start --> Programs --> Administrative Tools --> Local Security Policy.
2. Under Account Policies --> Account Lockout Policy, set values for all three options. Three invalid attempts with a 3-minute lockout duration are reasonable choices.
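The lockout policy above, simulated as an added example (not from the assignment and not Windows' own implementation): the three Account Lockout Policy values are modelled with the assignment's 3 attempts / 3 minutes, and the credential store and logon stream are constructed to show what the policy does to an automated guessing burst, to the legitimate user during the lockout, and to a slow trickle of failures that falls outside the reset window.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    """The three Account Lockout Policy values (assignment's choices as defaults)."""
    threshold: int = 3          # Account lockout threshold: bad logons before locking
    duration_s: int = 180       # Account lockout duration: 3 minutes
    reset_after_s: int = 180    # Reset account lockout counter after: 3 minutes


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad_t: Optional[float] = None
    locked_until: Optional[float] = None


class LockoutSimulator:
    """Evaluates logon attempts (time, user, password) against a LockoutPolicy."""

    def __init__(self, policy: LockoutPolicy, passwords: Dict[str, str]):
        self.policy = policy
        self.passwords = passwords                     # constructed credential store
        self.state: Dict[str, AccountState] = {}
        self.events: List[Tuple[float, str, str]] = []  # (t, user, outcome) audit trail

    def attempt(self, t: float, user: str, password: str) -> str:
        st = self.state.setdefault(user, AccountState())
        p = self.policy
        if st.locked_until is not None:
            if t < st.locked_until:
                # A locked account rejects everything, even the correct password:
                # this is the denial-of-service cost of a short threshold.
                return self._log(t, user, "LOCKED")
            st.locked_until, st.bad_count = None, 0    # duration elapsed: unlock
        if st.last_bad_t is not None and t - st.last_bad_t >= p.reset_after_s:
            st.bad_count = 0                           # quiet period elapsed: counter resets
        if self.passwords.get(user) == password:
            st.bad_count = 0
            return self._log(t, user, "SUCCESS")
        st.bad_count += 1
        st.last_bad_t = t
        if st.bad_count >= p.threshold:
            st.locked_until = t + p.duration_s
            return self._log(t, user, "LOCKOUT")
        return self._log(t, user, "FAILURE")

    def _log(self, t: float, user: str, outcome: str) -> str:
        self.events.append((t, user, outcome))
        return outcome


def run_scenario() -> dict:
    """Constructed scenario: 10 guesses in 10 s, then the real user, then recovery."""
    sim = LockoutSimulator(LockoutPolicy(), {"jdoe": "correct horse battery"})
    for i in range(10):                                # automated guessing tool
        sim.attempt(float(i), "jdoe", f"guess{i}")
    burst = [o for t, _, o in sim.events if t < 10]
    locked = sim.attempt(60.0, "jdoe", "correct horse battery")    # still locked
    recovered = sim.attempt(200.0, "jdoe", "correct horse battery")  # after 3 min

    # Reset window: two bad guesses, a 5-minute pause, then one more. The counter
    # has reset, so the third failure is not a lockout.
    sim2 = LockoutSimulator(LockoutPolicy(), {"asmith": "pw-2"})
    sim2.attempt(0.0, "asmith", "x")
    sim2.attempt(1.0, "asmith", "y")
    reset_case = sim2.attempt(300.0, "asmith", "z")

    return {
        "attacker_guesses_checked": sum(o != "LOCKED" for o in burst),  # 3 of 10
        "attacker_guesses_blocked": burst.count("LOCKED"),              # 7 of 10
        "user_during_lockout": locked,                                  # "LOCKED"
        "user_after_lockout": recovered,                                # "SUCCESS"
        "reset_window_case": reset_case,                                # "FAILURE"
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The `events` list is the audit trail a defender would watch: a cluster of LOCKOUT events for one account, or many LOCKED attempts in a short window, is the signature of the brute-force attempt the policy is meant to blunt.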
