
Risk Assessment and Security Policy Evaluation for Organizations

Part 1: Questions and Answers

  1. Concisely list in bullet point format the five actions you can use to reduce the risk once a risk assessment has been completed. Briefly describe how planning, staying on task, meeting deadlines, and utilizing feedback can each have a positive impact on reducing risk and promoting positive results in an organization.
  2. Review the Website Security Policy in the scenario below. In a short table, match the five key areas of a good policy with the example below. Where does it match? Where can it be improved?

Website Security Policy Scenario

The following policy is included with the use of this website. This site collects personal information from you when you register, including a record of your email address. We also may collect IP addresses and domain names of users of this site to measure the number of visits and time spent on the site. We may occasionally ask you to complete surveys for research purposes.

“Cookies” may be used in connection with this website. A cookie is a small amount of data sent to your browser stored on your computer’s hard drive. Using cookies enables us to collect data without your express knowledge or approval. Most browsers are initially set to accept cookies, but you can change the setting to refuse to allow cookies.

We may provide the information we collect through this site to business partners. We may also use the information to inform you of new products, services, or promotions. We will not share personal information you submit to third parties unless ordered to do so by a legal authority.

Any questions regarding this policy should be directed to the management.

  3. List the key roles of the personnel who should support and participate in the risk management process. As a CIO, discuss how you will promote reliability, accountability, and timeliness in a group work setting and why these should be included in a risk response plan.

Part 2: The National Institute of Standards and Technology (NIST) offers free reports on best practices. Download and read the Guide for Conducting Risk Assessments (NIST SP 800-30 Rev. 1) and then complete the following.

  1. Take a screen capture of Figure 5: “The Risk Assessment Process.”
  2. Review the definitions of “threat” and “vulnerability” from the glossary in the NIST publication. From your readings and research, briefly identify the threats to security posed by employees. Include the vulnerability in the organization’s operation and the risk from the threat.

Reference

National Institute of Standards and Technology. (2012, September). Guide for conducting risk assessments (NIST Special Publication 800-30, Rev. 1). U.S. Department of Commerce. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

ASSIGNMENT REQUIREMENT

Your paper should be 2–3 pages in length.

Written work should be free of spelling, grammar, and APA errors. Points deducted from the grade for each writing, spelling, or grammar error are at your instructor’s discretion.

Be sure to use in-text citations where relevant and a reference page. The title page and reference page are not included in the page count.

Please be sure to download the file “Writing With Integrity” from Academic Tools to assist you with meeting APA expectations.

Struggling with where to start this assignment? Follow this guide to tackle your assignment easily!


📝 Step 1: Understand the Assignment

Your task is a 2–3 page APA-formatted paper covering two main parts:

  1. Risk reduction, planning effectiveness, security policy evaluation, and risk management roles.

  2. NIST-based risk assessment process, and analyzing threats, vulnerabilities, and risks posed by employees.

You must:

  • Use bullet points, a short table, and clear headings.

  • Include in-text citations and a reference page (not counted in the page limit).

  • Be clear, concise, and organized like a CIO would be when reporting to senior leadership.


⚡ Step 2: Draft Part 1 — Questions and Answers

A. Five Actions to Reduce Risk After an Assessment

Use bullet points like this:

  • Risk Avoidance – Eliminate the activity, system, or data that creates the risk so the exposure no longer exists.

  • Risk Mitigation – Implement controls that reduce the likelihood of the threat event, its impact, or both.

  • Risk Transfer – Shift the financial consequence to a third party (e.g., cyber insurance, a vendor contract). Note that legal and reputational responsibility usually stays with the organization.

  • Risk Acceptance – Formally accept a risk, with management sign-off, when the cost of controlling it exceeds the expected loss or the residual risk is within the organization's tolerance.

  • Risk Monitoring – Continuously track the controls and reassess known risks as threats, vulnerabilities, and the environment change; NIST SP 800-30 treats this as maintaining the assessment (NIST, 2012).

📌 Explain briefly how planning, staying on task, meeting deadlines, and using feedback reduce risk:

  • Planning: Ensures resources and contingencies are allocated to prevent unexpected issues.

  • Staying on Task: Reduces missed steps that could introduce new risks.

  • Meeting Deadlines: Prevents backlog and time pressure that often cause mistakes.

  • Using Feedback: Helps detect and correct weak points early, strengthening risk response strategies.


B. Website Security Policy Table

Key Area of Good Policy    | Example in Scenario                                                                                                                   | Improvement Needed
Data Collection Disclosure | States that personal information (email address), IP addresses, domain names, survey answers, and cookie data are collected           | Should state the purpose of each data element and how long it is retained
Data Usage and Sharing     | Says collected information "may" be provided to business partners, then says submitted personal information will not be shared with third parties; the two statements contradict each other | Needs one consistent sharing statement, explicit user consent, and an opt-out for marketing use
Data Protection & Security | Not addressed                                                                                                                         | Should describe how data is protected in transit and at rest, who may access it, and how incidents are handled
User Rights & Control      | Users can set the browser to refuse cookies; otherwise cookies collect data "without your express knowledge or approval"                | Should add the right to review, correct, and delete one's own data and an explicit cookie consent
Accountability & Contacts  | Questions are "directed to the management"                                                                                            | Should name a privacy officer or a specific contact address, plus a version and effective date for the policy

📌 Cite the NIST guidance where it supports a row, e.g. the need to identify what information is collected and who can access it: (NIST, 2012)


C. Key Risk Management Roles

  • Chief Information Officer (CIO): Owns the risk management program, sets policy, allocates funding, and is accountable to senior leadership.

  • Information Security Officer (ISO/CISO): Leads the risk assessment and the selection and implementation of security controls.

  • IT Administrators: Maintain systems, apply the controls, and report on their status.

  • Department Managers (system and information owners): Ensure staff follow risk-related procedures and accept residual risk for their areas.

  • End Users/Employees: Follow security policies daily and report suspicious activity.

  • Legal/Compliance Officers: Ensure regulatory and contractual compliance and advise on risk acceptance and transfer.

📌 As a CIO:

  • Promote reliability by setting clear SLAs and providing resources.

  • Promote accountability through role-based responsibilities and audits.

  • Promote timeliness by using project management tools and deadlines.

  • Include these in the risk response plan to ensure consistency, efficiency, and responsibility tracking.


📊 Step 3: Draft Part 2 — NIST Risk Assessment Tasks

A. Include Figure 5 (Screen Capture)

  • Open the NIST SP 800-30 Rev. 1 PDF (see Reference)

  • Locate Figure 5: Risk Assessment Process (the four steps: prepare, conduct, communicate results, and maintain the assessment)

  • Take a screen capture (Snipping Tool or Print Screen) and paste it into your paper as a figure with a caption:

    Figure 1
    Risk Assessment Process (NIST, 2012)

B. Define Threat vs. Vulnerability (from NIST Glossary)

  • Threat: Any circumstance or event with the potential to adversely impact organizational operations, assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.

  • Vulnerability: A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.

(NIST, 2012)

C. Identify Threats from Employees

Examples:

  • Threat: Negligence (accidental data leakage, e.g. sending a file to the wrong recipient)

    • Vulnerability: Lack of security awareness training and no data-handling controls (classification, DLP)

    • Risk: Loss of sensitive data, leading to regulatory exposure and reputational damage

  • Threat: Malicious insider (stealing or destroying data)

    • Vulnerability: Excessive user privileges, weak access controls, and no removal of access when staff change roles or leave

    • Risk: Data breaches with financial and legal penalties

  • Threat: Social engineering success (an employee acts on a phishing email or pretext call)

    • Vulnerability: Weak phishing awareness, no reporting procedure, and no multi-factor authentication

    • Risk: Credential theft and unauthorized network access


✅ Step 4: Finalize Paper

  • Length: 2–3 pages (excluding title page, references).

  • APA Style: Include citations (e.g., NIST, 2012) and a reference list.

  • Proofread for grammar and flow.

  • Submit by your deadline.


📚 Reference:
National Institute of Standards and Technology. (2012, September). Guide for conducting risk assessments (NIST SP 800-30 Rev. 1). U.S. Department of Commerce. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

