Please create the following, without any responses: using the notes, 5 multiple choice questions and 5 short answer questions,
as if I am your student.
Introduction

The first and most important element of Security Risk Management (SRM) is understanding and recording organizational objectives. In this context, the term "business integration" applies equally to not-for-profit organizations, government agencies, and for-profit corporations. It refers simply to the concept of business as an activity rather than as a profit-motivated organization only.

SRMBOK operational competency areas

Integrating Security Risk Management practices into an organization is a task that requires the commitment of appropriate resources, widespread participation, and active management support. To ensure longevity in what is, in many cases, a cultural shift, it is essential that Security Risk Management processes are recognized by the organization as value adding, not simply as an additional cost. An organization will derive the most significant value from Security Risk Management protocols that are integrated into its existing functional processes. In simple terms, Security Risk Management theory and practice should be treated as an adjunct to current processes.

At the strategic level, integration can be achieved by identifying the following:
- Key performance goals
- The risks of not achieving those goals
- Any factors that may prevent those goals from being met

These three questions help to develop a contextual baseline. As each asset and resource is identified, a threat assessment should take place and risk treatments progressed to secure it. This process highlights the association between an organization's operational risks and its strategic interests, which ensures that Security Risk Management is viewed as a value proposition.

7.1.2 Business Cases for Security

A business case can be defined as a "structured proposal for business improvement that functions as a decision package for organizational decision makers. A business case includes an analysis of business process performance and associated needs or problems, proposed alternative solutions, assumptions, constraints, and risk-adjusted cost/benefit analysis." (U.S. Government Accounting Office)

7.1.2.1 Return on Security Investment (ROSI)

Business cases can be built for many different purposes. Some are built for decision-support purposes, whereas others are built for business-planning purposes, e.g., to understand the implications of an action on next year's budgetary planning. The audience needs to understand clearly the purpose of the case so that, when they see the results, they can decide whether the case successfully meets the needs of those who must use them.

Once the business case purpose has been defined, metrics must be developed to determine whether subsequent recommendations are justified. Processes are then designed and implemented to collect information relevant to these metrics for analysis. Decision makers examine the outcomes of the measured processes and strategies and track the results to guide the organization and provide feedback. The value of metrics therefore lies in their ability to provide a factual basis for the following:
- Success or otherwise of the business case initiative
- Strategic feedback showing decision makers the present status of the organization from many perspectives
- Diagnostic feedback into various processes to guide improvements on a continuous basis
- Trends in performance over time as the metrics are tracked
- Feedback on the measurement methods themselves, and on which metrics should be tracked
- Quantitative inputs to forecasting methods and models for decision-support systems

7.1.2.2 The Rule of Threes

Understanding how and why business cases get funded comes down to three groups of three:

Critical Success Factors
- Awareness
- Management commitment
- Funding

How
- Conditioning
- Metrics and objectives
- Presentation

Why
- Reduce costs
- Achieve profit / deliver on goals
- Compliance / legislative

Additional guidance on ROSI, as well as business case template examples, is provided in the Guide to SRMBOK Application and Case Studies.

7.1.3 General Management Practice

Security Risk Management principles are difficult to institute from the ground up. Without a firm management commitment to funding and resourcing the administrative controls and physical barriers, the management of risk is an uphill battle. There is more to Security Risk Management than funding and resourcing, however: the coordination of the Security Risk Management practice areas (people, information, and physical) is also a key responsibility of management.

Understanding and Leading the Security Risk Management Process

A complete assessment of an organization's context is a vital component of a well-structured and articulated design plan. Decision makers must be well versed in the internal and external workings of their organization, including how its tactical, operational, and strategic arms interface with clients, the community, legislative controls, and each other. To provide a balanced approach to the design of a new Security Risk Management program, a design team should be formed that represents the elements of the organization that both affect and are affected by security reforms. It is important that the organization's executive stratum owns the design process, to ensure that support for Security Risk Management principles flows from the top down.

This stratum, chaired by the head of the organization, should consist of, but not be limited to, the following:

- Chief Security Officer (CSO) or Chief Risk Officer (CRO): leads the discussion on the development of new Security Risk Management practices and the procurement of applicable systems.
- Public Relations Manager: advises the group on public relations (PR) issues arising from the implementation of Security Risk Management practices, and on post-event PR-related business continuity concerns.
- Chief Financial Officer (CFO): provides guidance on the financial viability of new Security Risk Management reforms and acquisitions, and on the costs of their ongoing maintenance. The CFO should also provide the design team with a value assessment of new Security Risk Management practices against the loss of key assets or the degradation of key processes that the new security measures protect.
- Human Resources Manager: leads the discussion, with advice from the CSO, on human security issues, in particular the introduction of security-focused recruitment mechanisms and vetting procedures and their impact on staffing levels or business continuity.
- Chief Information Officer (CIO): leads the discussion, with advice from the CSO, on the development or acquisition of technological security solutions that affect the electronic flow of information into or out of the organization, and on post-event business continuity planning for information technology (IT) service provision to the organization.
- New Ventures Manager: provides input and advice to the design team on the positive or negative impact of Security Risk Management reforms on the organization's flexibility to take advantage of new opportunities. This position also leads the discussion on the management of positive risk.
- Chief Legal Officer (CLO): advises the Security Risk Management advisory group on the legal frameworks that relate to the implementation of new security measures and on the organization's responsibilities to comply with existing legislation.
- Operational Representatives: one or more representatives from the operational arms of the organization should also be present to provide the group with current operational context.