CIS 349 Organizational Risk Appetite and Risk Assessment

Strayer CIS 349 Information Technology Audit and Control, Assignment 2: Organizational Risk Appetite and Risk Assessment. 5 pages, 907 words, graded A, for Auditing IT Infrastructures for Compliance.

Imagine that a software development company has just appointed you to lead a risk assessment project. The Chief Information Officer (CIO) of the organization has seen reports of malicious activity on the rise and has become extremely concerned with the protection of the intellectual property and highly sensitive data maintained by your organization. The CIO has asked you to prepare a short document before your team begins working. She would like for you to provide an overview of what the term "risk appetite" means and a suggested process for determining the risk appetite for the company. Also, she would like for you to provide some information about the method(s) you intend to use in performing a risk assessment.
1. Analyze the term "risk appetite". Then, suggest at least one (1) practical example in which it applies.
2. Recommend the key method(s) for determining the risk appetite of the company.
3. Describe the process of performing a risk assessment.
4. Elaborate on the approach you will use when performing the risk assessment.
5. Use at least three (3) quality resources in this assignment.





Discussion one:

Per the text, audit findings focus on four (4) areas: criteria, circumstance, cause, and impact. Determine the area that you believe might be the most difficult to complete. Justify your response. Then, propose a method to address the difficulties you identified.
I am going to have to go with Impact on this one. Knowing the full extent of the impact of a circumstance is a time-consuming process that may never be 100% accurate because of the continuously changing number and types of threats. A circumstance may present no serious impact today, but could present a critical one 30 days from now due to a newly emerging threat.
How does one address such difficulties? To start, we would need to understand all assets directly affected by or involved with the circumstance and the impact to the business should they be compromised or unavailable … would a direct breach be possible, or would all productivity cease? Once those factors are understood, we can work down the branches of the infrastructure and operations hierarchy to determine other systems or processes that could be impacted and what those impacts may be.