Enterprise IT Strategy Plan

Running head: PROJECT RISK MANAGEMENT PLAN

Enterprise Data Project Risk Management Plan

Sahaboob Yassin

ENT/586

July 10, 2017

Dr. Louay Chebib, PhD

Introduction

The costs of protecting and preserving enterprise data are increasing, and as a result an all-inclusive approach to data risk management has become a necessity within organizations. Reliable and secure data may be lost through something as simple as a missing laptop, or destroyed by a natural catastrophe that takes out a data center along with other electronic data storage facilities (Baltzan & Phillips, 2015). The pages below describe a data risk management plan that will give Webtech Computer Maintenance Solutions a holistic understanding of the risks to its preserved data, in order to show how undesired risks can be mitigated and how desired risks can be leveraged. The plan includes a list of enterprise information and technology risks, an evaluation of the firm's exposure to the identified risks, a description of the highest priority risks, mitigation procedures, and disaster recovery procedures.

Description of Webtech’s Information and Technology (IT) Risks

The firm is exposed to a number of information and technology data risks, and to protect itself from attacks, whether they originate inside or outside the organization, it must first identify them. To begin, employees pose one of the greatest information and technology data risks, especially disgruntled workers. Since not all employees will be satisfied with the way activities are run in the enterprise, they may be the biggest threat to the firm's data. Rogue workers, especially those with IT knowledge and those with access to the firm's data center, networks and admin accounts, could cause serious harm to the enterprise's data (Goodman & Ramer, 2007).

The second class of enterprise data risk is security and identity management, driven by the increased use of mobile devices and social media sites. The rapid increase in the number of mobile devices such as iPads has promoted telecommuting and introduced a new form of risk, as users log into the firm's database remotely (Hansen et al., 2008). The danger is that these devices may be compromised, and important information then either reaches competitors or is destroyed. A third data risk the firm is exposed to comes from end user computing programs. Because these programs are susceptible to errors, they can produce false or manipulated information, such as incorrect financial statements.

Assessment of Webtech’s Enterprise Exposure to Risk

The assessment of the firm's exposure to risk is conducted along three dimensions: the significance of each risk, its inherent likelihood of occurrence, and the effectiveness of the available risk mitigation. Each of the risks is evaluated against these dimensions below.

IT Risk / Criteria: Significance; Inherent Likelihood of Occurrence; Effectiveness of Risk Mitigation

Disgruntled Employees

Significance

  • Internal attacks on the firm's database

  • Loss of confidential information to competitors

  • Frequent access to data centers and admin accounts

Inherent Likelihood of Occurrence

  • Unsatisfied employees may leak confidential information

  • The risk may occur at any time during operation

  • It is not possible to identify rogue employees in advance

Effectiveness of Risk Mitigation

  • The risk is highly manageable

Security and Identity Management

Significance

  • Loss of admin account passwords

  • Increase in the cost of complying with data management requirements

  • Failure to comply with data management policies attracts high penalties

Inherent Likelihood of Occurrence

  • Increased use of mobile devices among workers exposes them to hackers

  • There are no existing measures that practically protect data

  • The risk is only remotely probable, and has a lower chance of occurring during the first six months of operation

Effectiveness of Risk Mitigation

  • There are currently no measures in place to prevent data loss

  • Data management policies can be successfully enforced

End User Computing

Significance

  • Occurrence of errors in financial statements

  • Cases of data corruption or loss

  • The programs promote unverified decisions

Inherent Likelihood of Occurrence

  • The risk is less likely to occur since the users are trained

  • End user program users may process unauthorized data

  • There is a high possibility of users corrupting data or deliberately destroying the enterprise's crucial information

Effectiveness of Risk Mitigation

  • There is a high possibility of mitigating the risk

Summary of Highest Priority Risks

End User Computing and rogue employees are the most destructive risks to the enterprise.

End User Computing applications are programs that are designed, maintained and used within business unit procedures, including spreadsheets, databases and queries. Basically, End User Computing can be described as any program that is not created and controlled in an environment with rigorous information and technology controls (Hill & Barnes, 2011). Since the firm will make heavy use of spreadsheets, especially in financial processes, Webtech may be exposed to the following end user computing risks:

Errors: A number of studies have found that nearly 90% of spreadsheets with more than one hundred and fifty rows contain errors. Besides data entry errors, mistakes occur when entering formulas or when linking entries to external sources.

Poor Records: Files that are inaccurately documented may be used mistakenly after ownership of an End User Computing program changes, or more generally as they circulate within the firm. Inaccurate data entry likewise gives rise to involuntary and undetected errors.

Lack of security: Unprotected files can be freely exchanged among different users, allowing those users to change sections that should not be changed. This can equally lead to errors and allow confidential data to be accessed by unauthorized users (Hill & Barnes, 2011).

Disgruntled or rogue employees, especially those with IT expertise, are considered probable IT risks to the organization. Attacks on the firm's data centers may be conducted by employees who are not satisfied with the practices of the enterprise. These employees are mostly individuals within the information and technology department, employees with access to data points, and those holding passwords for major admin accounts. Such employees may access confidential information and trade it to the firm's competitors.

Procedures to Mitigate and Manage the Prioritized Risks

Data risk management planning must be a continuous effort that is not put on hold once the risk evaluation is complete or contingency plans have been developed. The data risk management plan includes a front-end design of how End User Computing risks and the data risks caused by disgruntled employees will be both mitigated and managed. The mitigation and management process involves the following steps (Grossi, 2005):

  1. Describe the root causes of the two identified risks, which may include employee dissatisfaction, lack of employee loyalty, lack of data management policies, inaccurate data entry, and sharing of admin account passwords.

  2. Assess the interactions and mutual causes of the risks. This stage focuses on how the identified risks are associated with each other and whether their root causes are in any way related. In this case, both the End User Computing risks and the risks caused by disgruntled employees share a common root cause: the human resource.

  3. Identify further mitigation strategies and procedures for each prioritized data risk, such as providing enough motivation to reduce the number of rogue employees, limiting access to data centers to a few employees, or placing firewalls in front of the databases.

  4. Evaluate and prioritize the alternative mitigation processes. In this case, limiting the use of and access to the firm's passwords to a few trusted individuals will reduce the risk of internal attacks.

  5. Identify and commit the resources needed for data risk mitigation. As mentioned earlier, a few employees will be designated to hold the passwords and be authorized to access the firm's data centers and databases. Since sharing of admin account passwords is itself one of the root causes identified above, each of these individuals should use an individual admin account rather than a shared password, so that every access to the data centers and databases can be attributed to a person.

Business Resumption and Disaster Recovery Planning

Failing to plan how the firm would recover from a data disaster would leave the enterprise more vulnerable to future attacks, so it is important to have a business resumption plan. Below is a description of the resumption plan that will be applied after data is destroyed (Freeman, 2002).

Resumption and recovery planning process

The resumption and recovery process will include the following stages:

  1. Project Planning: the recovery plan is designed to address the restoration of the firm after a risk materializes. The plan describes the requirements, recovery strategies, emergency response, plan activation, recovery operations, and recovery plan maintenance.

  2. Resumption Project Requirements: financial processes that use End User Computing programs such as spreadsheets and databases, as well as data storage facilities including the data centers and admin accounts, will have the highest priority since they are the most vulnerable areas of the firm.

  3. Recovery Strategies: a standby data center and a backup of all the enterprise's data, updated regularly so that all information is covered by the backup. Restoring from the backup should be exercised as part of the plan testing, so that the firm knows the backup actually works before it is needed.

  4. Emergency Response: after the data center or the firm's database is attacked, the affected system will be replaced with a new system of protected computers and programs. Competitors beginning to use the firm's information for their own advantage is one way an attack will come to light, but it is detection after the fact; the emergency response should also be triggered by monitoring of access to the data centers, databases and admin accounts, so that an attack is noticed before its results appear outside the firm.

  5. Plan Initiation: only selected, trusted employees will be informed of the IT data attacks; they will evaluate the impact and determine the mitigation procedure, whether to ignore, avoid or accept the risk.

  6. Resumption Operations: trusted employees will be selected, and a communication passed to all employees that only the identified workers will have access to the firm's sensitive and crucial information.

  7. Plan Monitoring: after the recovery plan has been tested and employees have been trained in its use, the resumption plan will be reviewed to identify additions that would make it more effective and to keep it up to date.

Conclusion

For the data risk management plan to be effective and sustainable, the risk evaluation process must be simple, practical and easily understood. The success of the data project will depend on the firm's commitment and on the availability of the required resources. In conclusion, the risk management process must be carried out by employees with the right skills, supported by information technology that is appropriately sized for those tasks.

References

Baltzan, P., & Phillips, A. (2015). Business driven information systems (5th ed.). McGraw-Hill/Irwin.

Freeman, W. (2002). Business resumption planning: A progressive approach. SANS Institute. Retrieved from https://www.sans.org/reading-room/whitepapers/recovery/business-resumption-planning-progressive-approach-562

Grossi, P. (2005). Catastrophe modeling: A new approach to managing risk (Vol. 25). Springer Science & Business Media.

Goodman, S. E., & Ramer, R. (2007). Identify and mitigate the risks of global IT outsourcing.

Hansen, M., Schwartz, A., & Cooper, A. (2008). Privacy and identity management. IEEE Security & Privacy, 6(2).

Hill, M. C., & Barnes, W. A. (2011). End-user computing applications. The CPA Journal, 81(7), 67-71. Retrieved from http://digitalcommons.kennesaw.edu/cgi/viewcontent.cgi?article=2564&context=facpubs