
Module 5: Procurement and Policies

Introduction

Procurement is the action of obtaining or procuring inventory, materials and/or services. There are many facets of procurement in which the procurement professional should be trained as it pertains to information security. Procurement is done not only for the products an organization sells, but also for the organization itself, in order to maintain facilities for its employees. Some examples of procurement that are not directly related to what a company might be selling are coffee purchased for break rooms, toiletries for lavatories, office supplies, office furniture and even the facility's HVAC system.

A business must be mindful of the security of their customers and their suppliers when entering into agreements that may involve network connectivity. It is one thing to only have to worry about a closed network. It is an entirely different thing when customers and/or suppliers initiate connectivity for efficiency or cost reduction, as where outsourcing may be involved.

An organization that chooses to outsource job functions within their organization should also realize that they are extending security responsibilities to any third parties involved. Therefore, it is critical to properly examine the security practices within the third party, as well as extend their own security practice requirements to whom they contract. Figure 1 displays an example of a vendor rating sheet often used in procurement practices.

Figure 1: Statement of Work Templates, Vendor Ratings (Ivanwalsh.com, CC-BY 3.0)


Class Activity #1

Click the link below to watch the video on information security:


http://youtu.be/Jor_3d89S2I

Discussion:

1. What were suggested as the best options to offer an organization defense from insider threats in small, medium and large organizations?

2. What does the speaker say is the more common reason for security events, statistically?

3. What percentage of enterprise users does the speaker say use the same
credentials (i.e. passwords) for their social networking as they do for the
enterprise? Does this surprise you? Why or why not?

4. What are some options that you can suggest to help a business of any size
defend against insider threats? How do you feel that these would be effective
and for mitigating risk in what way?

5.1 Procurement Process

The procurement professional is directly involved in the supply chain and its security requirements. The supply chain involves mainly two facets: customers and vendors. A procurement professional must be keenly aware of both sides of the chain and how their organization is directly involved in ensuring security for customers and vendors. The procurement professional is directly responsible for ensuring that due diligence is done with respect to ensuring secure third party relationships. [1] This role must identify and remove all risks within the entire supply chain for their organization.

There are two sides to procurement, a customer and a supplier. Each side involves different operational handling procedures and assumptions about how, what, when, and why things are done. Procurement happens throughout an organization, not just via the purchasers/buyers. Business personnel procure new applications and/or services from their IT department. IT may procure a new service or connection from HR or marketing. HR may decide to outsource payroll or benefits handling. Marketing may decide to outsource their annual catalog creation to a 3rd party. The list is virtually endless. A business must have a solid procedure in place from step 1 in order to avoid risk and also avoid unnecessary or unjustified costs. Step 1 should be that any purchase, whether it is internal or external, should require an Expenditure Justification Request form. [2] The Expenditure Justification Request is defined as a form used in an organization to justify and detail a capital expenditure request. The fields on the form may vary, but some fields should be required, like the justification for the expenditure, the ROI (return on investment) estimation and any potential risks.

It is important that any known risks for the purchase of a good or service are identified
up front via a risk assessment process. Therefore, a preliminary risk assessment should
be completed and any identified threats or risks should be documented and mitigation
for said threats or risks needs to be factored into the overall requirements of a
purchase. [3]

One of the activities the procurement professional will be involved in is contractual negotiations with customers and suppliers. Typically, a Request for Proposal (RFP) is given to vendors to start the bidding process. An RFP is well known in business as the document that will detail the project or product requirements. The wording of the RFP, just like other documents, is important. Risks identified should be included in an RFP as part of the core requirements. The wording of the contracts is critical to ensure that all parties involved in the contractual agreement understand where security requirements are implemented and how enforcement is expected. Also, liability in the event of a problem should be outlined. This is true for all procurement related documents such as contracts, statements of work, requests for proposals, and vendor agreements. Each of these document types should have security considerations included.

The RFP is normally accompanied by a document that is commonly known as a specification of requirements, or a spec. The spec spells out in explicit legal terms the precise contractual actions that are required for the product, including all of the requisite security requirements. In addition to the functional requirements, the spec should also document the assumptions that went into their development, including an itemization of the risks that have been identified as well as the recommended mitigation strategies. [4] The spec should include non-functional business and assurance requirements. [5] In this case, this assurance is to make sure that the company will continue to uphold proper operating methods and practices for successful operations even with the new product or service added to its portfolio.

Procurement processes can apply to outsourcing work or job functions. In this case, the
company is hiring a 3rd party to handle a portion of their services that was either once
done in-house or is new and is just being outsourced for simplicity or any number of
reasons. It is usually easier to get approval for a temporary contractor than it is to get
approval to hire a new person permanently. So, temps are brought in to do work for
companies all the time in all departments, including IT. Each area of an organization has
different priority concerns for security, including information security.

In contractual negotiations, legal should be involved and approve final contracts for
appropriate wording and safeguards that will protect all parties involved in an
agreement. Also, when outsourcing is considered, proper vetting of any external parties
is crucial. An organization needs to research any firm where they are outsourcing work.
They should also ensure proper vetting procedures are in place for any staffers that the
3rd party organization may be allocating as resources for the work. It is critical that 3rd parties are conducting the appropriate screening procedures. The acquiring organization should extend its onboarding process requirements to any accepted 3rd party that will be hiring humans as part of a solution. This is true unless they have better
screening processes in place than the organization. All too often breaches occur from
sub-contractors of a contracted supplier. Many companies assume that good practice is
in place for contractors and never ask the questions as to how they go about screening
and hiring. This has proven to be a detrimental mistake in many circumstances.

Suppliers, also known as vendors, will deliver bids or proposals in response to an RFP, usually by a specified deadline. The suppliers are aware of the selection criteria that an organization is using as part of the RFP (supporting functional and specification documents may accompany it). Suppliers use the documents to create their proposal and outline their approach to service delivery. It should include testing and acceptance procedures for pre-determined steps within the project. These acceptance testing steps are, by nature, meant to verify the identified security requirements for the product/service. Specific test cases need to be outlined, along with who will be performing which tests and with what data; all of this is part of the proposal from a supplier. The supplier knows what is available for use to create a testing and acceptance process because it should have been provided in the functional / specification documentation.

As part of this process, it is important to understand and document all constraints that may be involved with the acquisition of the service or product. A constraint is defined as something that limits or restricts something or someone. Time can be a big constraint in terms of project success. If a timeline is too stringent or aggressive, a product or service may be delivered without the proper controls and testing to offer the assurance needed. 3rd party bidders must be truthful about the time it takes to meet all requirements in an RFP and spec document; they should not feel pressured to skimp on testing. If a company is willing to give up some assurance to get to market faster, that should be documented in a legally binding way to protect the 3rd party from liability. It would seem silly that a company would accept such a thing. However, if the acquiring organization has not fully analyzed and documented all risks, they could make this mistake and agree to cut corners.

Once all constraints have been identified, they must be weighed against each other in a process of finding a balance between them all that will be optimal for the solution. An example of this is perhaps that the best security solution is too hard for the users. One constraint may be that the best possible security should be implemented. Another constraint may be that it must be easy to use. A common ground between these two must be hashed out and agreed to by both the acquiring organization and vendor in contractual form. Each constraint identified must be addressed in this way and signed off by both parties.

Contracts in the end are the legal agreement between the two parties. A contract needs to include all the required sections such as cost, who is doing what and the timelines, ownership of product, warranty and any licensing that may be relevant. It is important that any organization or person entering into a legally binding contract implement a clause that allows for change and outlines how changes must be documented and handled. Also, if the timeline is very important, it may be worthwhile to place penalties for failing to meet required deadlines as an incentive for a vendor to stay on task. In this case, the milestones defined as checkpoints must be clear and agreed to by both parties prior to implementation.

Once a project is agreed to and signed between acquirer and supplier, the project
commences. Regular joint meetings should be held for such things as addressing any
issues that may have been discovered once the work started, identifying any changes
necessary and just to aid in giving assurance as to the project and work being done.
This gives the purchaser visibility into the project and its progress. They have an
opportunity to raise any concerns during these joint meetings.

Much of modern technical work is done through a chain of suppliers rather than by a sole developer. There are, frequently, levels of subcontract work, from individual units all the way to integrated modules of units, which are prepared by organizations other than the primary contractor. An unvetted supply chain introduces a number of potential risks into the subcontracting process, because undesirable or even malicious elements can be inserted at the subcontractor level at any point in the supply chain. Consequently, it is important in the management of any acquisition project to have a mechanism for rigorously monitoring and controlling the production of the software at all levels in the supply chain.

Shoemaker, Dan and Wm. Arthur Conklin; Cybersecurity: The Essential Body of Knowledge, 2012; p. 363

In order to be sure that any supplier involved in a project is secure, the acquirer should have a standard profile of best security practice requirements that any supplier can reference to make sure any outsiders brought into a project are meeting the needs for assurance. It also allows the acquirer to vet the chosen supplier as meeting their required security needs prior to the start of any project.

So, the next few sections talk about specific departments within a medium to large organization and how they could allow a company breach or experience liability issues unnecessarily. These sections highlight some possible scenarios for consideration and reinforce the notion that every department plays a role in security and therefore should take risk assessment and mitigation seriously.

[1] Shoemaker, Dan and Wm. Arthur Conklin; Cybersecurity: The Essential Body of Knowledge, 2012; p. 145

[2] Shoemaker, Dan and Wm. Arthur Conklin; Cybersecurity: The Essential Body of Knowledge, 2012; p. 352

[3] Shoemaker, Dan and Wm. Arthur Conklin; Cybersecurity: The Essential Body of Knowledge, 2012; p. 353

[4] Shoemaker, Dan and Wm. Arthur Conklin; Cybersecurity: The Essential Body of Knowledge, 2012; p. 354

[5] Shoemaker, Dan and Wm. Arthur Conklin; Cybersecurity: The Essential Body of Knowledge, 2012; p. 354

5.1.1 Human Resources and Procurement

Human resources has the most stringent requirements when it comes to laws and regulations, as we've seen several Acts that specifically pertain to PII. And what is human resources if not all things P, or Personal? Human resources has to ensure the privacy rights of all employees are maintained at all times. An inside or outside breach could lead to negative consequences.

For example, let's say they hire a temp to answer phones for their department for the week that the regular receptionist is out. Does the temp need any special training? Yes, they certainly do. Or, the access and authority of the temp should be limited so as not to exceed what is absolutely necessary to man the station while the regular associate is out. Otherwise, this temp may be given access to personnel files. Let's say they stumble upon a salary file and read it. The problem is that they have access to it at all. However, sometimes managers are tempted to just say "give them all the authority that the regular temp has so that they can handle the job." The regular temp is obviously more trained and may hold more roles secondarily than just receptionist. He/she may also be level 1 support for payroll questions. Now, should a temp be given the right to access this information? To be safe, the answer should be no. But, for the sake of the story, we will say that is what happened.

The manager insisted that they get the same authority, and this person finds and reads the payroll file. OK, some background: the temp hired is a young male still in college doing some part-time work to make extra spending money. The young man goes to the community dining hall that this company has for their associates to enjoy lunch without having to leave the building. Some female account representatives see him, realize he is new and invite him to sit with them. As they begin to talk, he comments that he didn't realize that their jobs paid so well. They are stopped in their tracks, but do not dare let him know that he has brought up a taboo subject, and say, "What do you mean?" He says, "Well, it looked like you all make about 65,000, right?" They quickly become angry, mask it, and ask, "Oh, where did you see that?" The youth in him does not allow him to see the red flags he is raising. He says, "From the payroll file. I have to use it to answer level 1 payroll questions." Both women know that they only make 45,000 and that there are only 5 people in their department. The other 3 people are males. So, the males make a lot more money than the females.

This could result in the filing of an unfair lawsuit for exorbitant amounts of money; harassment could commence within the workplace; employees could demand more money or else. It quickly becomes an HR department's nightmare: hearing from a manager, "My associate told me that the temporary HR receptionist said that the employees in their department make 65,000 a year! And the associates that told me this only make 45,000!"

What kind of screening was done for this temporary worker brought in by the 3rd party consulting firm? What was in the job description for the procurement order for this temporary worker; was it clear and concise enough? What verbiage and screening should have been used? What training should have been given to the temp, and what should have been emphasized about confidentiality? More than likely, HR would figure out a way to calm the waters rather than face a lawsuit.

An easy solution to this would be to not allow the temp access to anything confidential; it is a risk that is too great to take for a temporary worker to have access to such sensitive data. A more sophisticated temp could have stolen and sold the information on the internet. If it is payroll data, it has PII in it, including social security numbers. If it was critical to have coverage for that task, this part of the job could have been delegated temporarily to an actual associate rather than a temp who really is just in to answer the phones and take messages.

Another risky area for HR could be in the software that they purchase to manage their associates. If there are vulnerabilities in the software that are not caught through a properly handled procurement process, this could expose thousands of associates' PII, which could result in steep fines. While HR systems should be isolated and disconnected from the rest of a company's network, with all access limited to just HR associates, IT should be involved to participate in the testing and acceptance process to help catch and fix any vulnerabilities prior to anything making it to a production environment.

Figure 2: Human Resources (Ricky Martin, CC-BY 3.0)

5.1.2 Buyers, Marketing and Procurement

Buyers at companies mainly work with suppliers to negotiate the best possible pricing for their company's customers. They work with a multitude of suppliers, some of which may offer the same products. It is the buyer's job to buy the best-priced items across the board. So, at any given time a buyer's laptop or even email (that could be on their phone) may contain several spreadsheets with supplier pricing and their own pricing for a list of inventory products. These lists are confidential for several reasons. If a customer happened to get their hands on another customer's price sheet and see that they are getting charged 10% more for a product than that customer, this could cause a price change that would cost the company selling the product forecasted money. So, this could create a problem internally for a company that could directly impact their bottom line. And it could be done by a simple mistake. Say the buyer thinks he/she is sending a message to one customer and really sends it to another. The email just happens to contain the wrong customer's price sheet in it. If the file is not password protected, it is there for the viewing of any eyes that get it. Perhaps it should not be something emailed at all. Rather, a secure file exchange location with built-in access control could be set up for working on such files between customers and the organization instead. Likewise, the buyer could send the wrong supplier price sheet to another supplier. This supplier would realize that they need to sell differently priced items and steal business from another supplier.

Now, another thing that could happen is that a competitor could, via spear phishing or some other attempt, gain access to a buyer's computer and have all the access that said buyer has. In a short amount of time, critical data could be stolen. The competitor could do some analysis and identify new target customers. They may steal customers that could account for millions of dollars in sales annually for an organization, just by offering to sell the same products for 5% or 10% less.

5.1.3 Information Technology (IT) and Procurement

Below are some examples where proper procurement policies and procedures should
be in place to avoid liability problems.

A large supplier of electrical equipment and supplies wants to reduce their overhead by
hiring out a distributor to handle all the delivery and storage of the products that they
sell to its customers. In order to successfully and efficiently outsource such work,
systems will ideally be connected within the two organizations. Anytime two companies
decide to connect their networked technologies, there are several things that should be
done before any connections are implemented. Sound execution of such connections is
a must. For example, a risk assessment should be done on all existing equipment for
both parties before any changes are implemented. This will outline any areas of concern
that need to be patched prior to any connections being put in place.

Why do they need to connect their systems, you may ask? Good question. It is actually becoming more common, as it offers a great deal of benefit in streamlining operations. Organizations can automate transactions so that all systems are current without having a person manually enter information in separate systems to keep them up to date. Humans make mistakes, and manual entry would obviously not be real time like automated connections. So, a product that is out of stock may be oversold if records are not up-to-the-minute current. This is even more important when you think about electronic commerce systems. Connected systems also allow the supplier to know when supply is at the reorder point instead of having to send someone out to check inventory or call and ask for a report. Since the latter process involves humans, again mistakes can be made and delays are inherent.

Commonly today, companies connect their IT systems that handle such tasks to
automate and streamline their operations. Before doing this though, it is important for
both organizations to conduct risk assessments on existing systems. Any risks identified
should be mitigated before proceeding with any connectivity of the two networks and/or
systems.

To Do Activity #2

Click the link below to read the article titled "Stolen Credit Cards Go for $3.50 at Amazon-Like Online Bazaar."

http://www.bloomberg.com/news/2011-12-20/stolen-credit-cards-go-for-3-50-each-at-online-bazaar-that-mimics-amazon.html

Discussion:

1. Criminals searching for credit cards to utilize on the site CVV2s look for what attributes, specifically in the banks?

2. _____ is stolen in a year?

3. Discuss the methodology and background of at least two hackers or related affiliates mentioned in the article. How do they operate / what is their way of hacking?

To optimize timelines and save costs, it is very tempting to hire temporary experts to assist with finite projects within IT. For example, an applications manager may need to migrate several SQL databases and their applications to a virtualized environment. An applications manager usually is not an expert DBA. A DBA, also known as a database administrator, is a specialized professional that works in all things related to database management, including incorporating efficiencies, normalizing databases, troubleshooting and repairing corruptions, and migrating and upgrading databases to new platforms and hardware when necessary. Databases contain all the data that is used for displaying, reporting and transacting with front-end applications. They contain all sorts of data, some of which may be proprietary internal-only information, PII such as social security numbers, addresses and birthdates, as well as salary. They also contain product information details, including buy cost as well as the specific sale cost to specific customers. Remember, not all customers pay the same price for the same product when you are talking about large million dollar contracts between suppliers, distributors and customers.

For example, if a DBA is hired to do migrations or upgrades of databases for an organization, special restrictions should be in place to safeguard that the information stays where it should be and is not duplicated or copied when it shouldn't be. In today's world, a temporary IT person can work from anywhere in the world and does not necessarily need to come to a corporate office to perform outsourced work. If the DBA is not going to be brought on site with restricted equipment and monitored by an actual employee, procedures can be put in place for auditing the work of the DBA. This way the company can be sure their information is not being duplicated and taken when it shouldn't be. For example, the logon time allowed for the contract DBA should be restricted to work hours only. The usage logs of the servers that the DBA has access to should be monitored daily. With the intelligence of systems today, the logging utilities could be set up to send notices when the DBA logs on and off of the server as part of the tracking. If the DBA is just supposed to be upgrading a database, do not allow them to perform copy operations. Least privilege rights should be given and no more. Depending on the company, it might be beneficial to require that two people are present, an actual associate and the contractor, for all work that is performed. These are just some examples of how risks can be minimized for this particular type of role. An alternative to having a DBA work remotely would be to minimally require that they connect to the organization's systems via a VPN. A VPN is a virtual private network whereby traffic is encrypted and isolated from regular internet traffic.

In each IT role there are unique things involved. Each role plays a different part in an
organization and therefore has different access to different information much of which is
proprietary.

Data warehouses are very large consolidations of data from several areas of a company's business, combined for reporting and analytical reasons. They allow an organization to slice and dice their data in any way desired related to their operations, customers, associates and suppliers. They are used to figure out such things as commissions earned by the salesforce, profit and loss statements, highest performing associates in sales and more. These are typically internal-only databases. As such, some security may be lacking compared to that implemented on databases that support ecommerce applications, which live in what is known as the DMZ of a company's network infrastructure. A DMZ is a demilitarized zone that sits between a company's internal network and the external Internet. It does not have as many restrictions on access from the internet as an internal server does, because of the public-facing applications that are set up in it.

Figure 3: Database Plan (tec_estromberg, CC-BY 3.0)

The security in a DMZ is different from that inside a network. The DMZ sits outside the main firewall for an organization. Special rules are put in place for every server that is in the DMZ to restrict what kind of traffic can flow into the actual internal network through the firewall. It is important that these rules be carefully implemented so as not to leave gaps whereby an intruder can use a DMZ server to worm their way inside the main network. Servers behind the main firewall do not have as many traffic blocks set up on the servers themselves as those in the DMZ do. The data warehouse may not be considered as mission critical or as important. This is a very bad mistake: as the name describes, it is a virtual warehouse full of all kinds of information that, if it somehow ended up in a competitor's hands, could be detrimental to a company and/or its associates. It is not enough to just have a data warehouse live inside the main network behind the main firewall. It should be very well secured and considered mission critical for things like DR and risk, due to the vast amount of information housed in it.
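To show how the DMZ-to-internal rules described above can be reviewed for gaps, here is an added example (not from the module) that models a rule list in Python, evaluates it first-match as a firewall would, and flags any allow broader than one named DMZ server reaching one named internal host on one port. The zone names, host labels (web-01, db-ecom-01, dw-01) and both rule sets are constructed for illustration.

```python
"""Review DMZ-to-internal firewall rules for the kind of gaps the text warns about."""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "dmz" or "internal" (zone names assumed for the example)
    src_host: str   # "any" or a host label
    dst_zone: str
    dst_host: str   # "any" or a host label
    dst_port: str   # "any" or a port number as a string
    action: str     # "allow" or "deny"


def matches(rule, src_zone, src_host, dst_zone, dst_host, port):
    return (rule.src_zone == src_zone and rule.dst_zone == dst_zone
            and rule.src_host in (ANY, src_host)
            and rule.dst_host in (ANY, dst_host)
            and rule.dst_port in (ANY, port))


def is_allowed(rules, src_zone, src_host, dst_zone, dst_host, port):
    """First-match evaluation, as most firewalls do; unmatched traffic is denied."""
    for rule in rules:
        if matches(rule, src_zone, src_host, dst_zone, dst_host, port):
            return rule.action == "allow"
    return False


def review_dmz_rules(rules, dmz="dmz", internal="internal"):
    """Return (rule_index, problem) pairs for the DMZ -> internal direction.

    A gap is any allow broader than one named DMZ server reaching one named
    internal host on one port, or a rule list that does not end the direction
    with an explicit deny-all (so nothing relies on an implicit default).
    """
    problems = []
    inbound = [(i, r) for i, r in enumerate(rules)
               if r.src_zone == dmz and r.dst_zone == internal]
    for i, r in inbound:
        if r.action != "allow":
            continue
        if r.src_host == ANY:
            problems.append((i, "allow from any DMZ host; name the server"))
        if r.dst_host == ANY:
            problems.append((i, "allow to any internal host; name the service host"))
        if r.dst_port == ANY:
            problems.append((i, "allow on any port; restrict to the service port"))
    last = inbound[-1][1] if inbound else None
    if last is None or not (last.action == "deny" and last.src_host == ANY
                            and last.dst_host == ANY and last.dst_port == ANY):
        problems.append((len(rules), "no final deny-all for dmz -> internal"))
    return problems


# Constructed rule sets. WEAK is the "just make it work" version; HARDENED lets the
# public web server reach only the ecommerce database and nothing else inside.
WEAK = [
    Rule("dmz", ANY, "internal", ANY, ANY, "allow"),
]
HARDENED = [
    Rule("dmz", "web-01", "internal", "db-ecom-01", "1433", "allow"),
    Rule("dmz", ANY, "internal", ANY, ANY, "deny"),
    Rule("internal", ANY, "dmz", "web-01", "443", "allow"),  # other direction, not reviewed
]

if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, review_dmz_rules(rules) or "no gaps")
        # The data warehouse host (dw-01, constructed) must stay unreachable from the DMZ.
        print("  web-01 -> dw-01:1433 allowed?",
              is_allowed(rules, "dmz", "web-01", "internal", "dw-01", "1433"))
```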

To Do Activity #3

Click the link to read the article titled "What can identity thieves do with stolen personal information?"

https://www.fcbresource.com/SecurityCenter/What-can-identity-thieves-do-with-stolen-personal-.aspx

Discussion:

1. Provide an extreme example of a way in which someone can utilize your information
after it is stolen?

2. How would an individual use identity theft to avoid legal trouble?

5.2 Outsourcing IT Risks

Section 5.2 focuses on Risk Management. To view the content for section 5.2, click the link below. A solid Risk Management process is a large part of implementing a secure procurement process.

Risk Management: http://en.wikipedia.org/wiki/Risk_management

Risk Management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. [1] Risk management is a critical component of a company understanding their playing field and all the potential pitfalls or mines that could negatively impact their business and/or operations. The above link gives an in-depth look at types of risk management approaches and also outlines the different types of risks specific types of businesses may face.

An organization must do a thorough review of all of their assets in order to properly identify the potential risks to their organization. Once they have identified their assets, each should be analyzed in depth for potential and probable risks. They should determine how likely each risk is to occur. This will help with prioritization of risk mitigation. After this, they should identify, at a high level, all ways to reduce or avoid each identified risk. You don't want to dig too deep into risk avoidance measures until you have prioritized the risks. This way you won't spend time and resources on risks that are prioritized low. Rather, you would want to prioritize all identified risks and then start with handling the highest priority risks first.

Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events[1] or to maximize the realization of opportunities. Risk management's objective is to assure uncertainty does not deflect the endeavor from the business goals.[2]

Risks can come from various sources including uncertainty in financial markets, threats from project failures (at any phase in design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters, deliberate attack from an adversary, or events of uncertain or unpredictable root-cause. There are two types of events: negative events can be classified as risks, while positive events are classified as opportunities. Several risk management standards have been developed, including those of the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO standards.[3][4] Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.

Strategies to manage threats (uncertainties with negative consequences) typically include
avoiding the threat, reducing the negative effect or probability of the threat, transferring all or
part of the threat to another party, and even retaining some or all of the potential or actual
consequences of a particular threat, and the opposites for opportunities (uncertain future states
with benefits).

Certain aspects of many of the risk management standards have come under criticism for having
no measurable improvement on risk, whereas the confidence in estimates and decisions seems to
increase.[1] For example, it has been shown that one in six IT projects experience cost overruns of
200% on average, and schedule overruns of 70%.[5]

Introduction
A widely used vocabulary for risk management is defined by ISO Guide 73:2009, "Risk
management - Vocabulary."[3]

In ideal risk management, a prioritization process is followed whereby the risks with the greatest
loss (or impact) and the greatest probability of occurring are handled first, and risks with lower
probability of occurrence and lower loss are handled in descending order. In practice the process
of assessing overall risk can be difficult, and balancing resources used to mitigate between risks
with a high probability of occurrence but lower loss versus a risk with high loss but lower
probability of occurrence can often be mishandled.

Intangible risk management identifies a new type of a risk that has a 100% probability of
occurring but is ignored by the organization due to a lack of identification ability. For example,
when deficient knowledge is applied to a situation, a knowledge risk materializes. Relationship
risk appears when ineffective collaboration occurs. Process-engagement risk may be an issue
when ineffective operational procedures are applied. These risks directly reduce the productivity
of knowledge workers, decrease cost-effectiveness, profitability, service, quality, reputation,
brand value, and earnings quality. Intangible risk management allows risk management to create
immediate value from the identification and reduction of risks that reduce productivity.

Risk management also faces difficulties in allocating resources. This is the idea of opportunity
cost. Resources spent on risk management could have been spent on more profitable activities.
Again, ideal risk management minimizes spending (or manpower or other resources) and also
minimizes the negative effects of risks.

According to the definition of risk, risk is the possibility that an event will occur and
adversely affect the achievement of an objective. Therefore, risk itself carries uncertainty. Risk
management frameworks such as COSO ERM can help managers gain good control over their risks. Each
company may have different internal control components, which leads to different outcomes. For
example, the framework for ERM components includes Internal Environment, Objective Setting,
Event Identification, Risk Assessment, Risk Response, Control Activities, Information and
Communication, and Monitoring.

Method

For the most part, these methods consist of the following elements, performed, more or less, in
the following order.

1. identify, characterize threats

2. assess the vulnerability of critical assets to specific threats

3. determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on
specific assets)

4. identify ways to reduce those risks

5. prioritize risk reduction measures

Principles of risk management

The International Organization for Standardization (ISO) identifies the following principles of
risk management:[6]

Risk management should:

create value: resources expended to mitigate risk should be less than the consequence of
inaction

be an integral part of organizational processes

be part of decision making process

explicitly address uncertainty and assumptions

be a systematic and structured process

be based on the best available information

be tailorable

take human factors into account

be transparent and inclusive

be dynamic, iterative and responsive to change

be capable of continual improvement and enhancement

be continually or periodically re-assessed

Process
According to the standard ISO 31000 "Risk management - Principles and guidelines on
implementation,"[4] the process of risk management consists of several steps as follows:

Establishing the context

This involves:

1. identification of risk in a selected domain of interest

2. planning the remainder of the process

3. mapping out the following:

o the social scope of risk management

o the identity and objectives of stakeholders

o the basis upon which risks will be evaluated, constraints.

4. defining a framework for the activity and an agenda for identification

5. developing an analysis of risks involved in the process

6. mitigation or solution of risks using available technological, human and organizational resources

Identification

After establishing the context, the next step in the process of managing risk is to identify
potential risks. Risks are about events that, when triggered, cause problems or benefits. Hence,
risk identification can start with the source of our problems and those of our competitors
(benefit), or with the problem itself.

Source analysis: Risk sources may be internal or external to the system that is the
target of risk management (here "mitigation" is the more precise term than "management", since by its own
definition risk deals with factors of decision-making that cannot be managed).

Examples of risk sources are: stakeholders of a project, employees of a company or the weather
over an airport.

Problem analysis: Risks are related to identified threats. For example: the threat of
losing money, the threat of abuse of confidential information or the threat of human errors,
accidents and casualties. The threats may exist with various entities, most important with
shareholders, customers and legislative bodies such as the government.

When either source or problem is known, the events that a source may trigger or the events that
can lead to a problem can be investigated. For example: stakeholders withdrawing during a
project may endanger funding of the project; confidential information may be stolen by
employees even within a closed network; lightning striking an aircraft during takeoff may make
all people on board immediate casualties.

The chosen method of identifying risks may depend on culture, industry practice and
compliance. The identification methods are formed by templates or the development of templates
for identifying source, problem or event. Common risk identification methods are:

Objectives-based risk identification: Organizations and project teams have objectives.
Any event that may endanger achieving an objective partly or completely is identified as a risk.

Scenario-based risk identification: In scenario analysis, different scenarios are created. The
scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of
forces in, for example, a market or battle. Any event that triggers an undesired scenario
alternative is identified as a risk; see Futures Studies for the methodology used by futurists.

Taxonomy-based risk identification: The taxonomy in taxonomy-based risk identification is a
breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a
questionnaire is compiled. The answers to the questions reveal risks.[7]

Common-risk checking: In several industries, lists of known risks are available. Each
risk in the list can be checked for application to a particular situation.[8]

Risk charting:[9] This method combines the above approaches by listing resources at risk,
threats to those resources, modifying factors which may increase or decrease the risk, and
consequences it is wished to avoid. Creating a matrix under these headings enables a variety of
approaches. One can begin with resources and consider the threats they are exposed to and the
consequences of each. Alternatively one can start with the threats and examine which resources
they would affect, or one can begin with the consequences and determine which combination of
threats and resources would be involved to bring them about.

Assessment

Main article: Risk assessment

Once risks have been identified, they must then be assessed as to their potential severity of
impact (generally a negative impact, such as damage or loss) and to the probability of
occurrence. These quantities can be either simple to measure, in the case of the value of a lost
building, or impossible to know for sure in the case of an unlikely event, the probability of
occurrence of which is unknown. Therefore, in the assessment process it is critical to make the
best educated decisions in order to properly prioritize the implementation of the risk
management plan.

Even a short-term positive improvement can have long-term negative impacts. Take the
"turnpike" example. A highway is widened to allow more traffic. More traffic capacity leads to
greater development in the areas surrounding the improved traffic capacity. Over time, traffic
thereby increases to fill available capacity. Turnpikes thereby need to be expanded in a
seemingly endless cycles. There are many other engineering examples where expanded capacity
(to do any function) is soon filled by increased demand. Since expansion comes at a cost, the
resulting growth could become unsustainable without forecasting and management.

The fundamental difficulty in risk assessment is determining the rate of occurrence since
statistical information is not available on all kinds of past incidents and is particularly scanty in
the case of catastrophic events, simply because of their infrequency. Furthermore, evaluating the
severity of the consequences (impact) is often quite difficult for intangible assets. Asset valuation
is another question that needs to be addressed. Thus, best educated opinions and available
statistics are the primary sources of information. Nevertheless, risk assessment should produce
such information for senior executives of the organization that the primary risks are easy to
understand and that the risk management decisions may be prioritized within overall company
goals. Thus, there have been several theories and attempts to quantify risks. Numerous different
risk formulae exist, but perhaps the most widely accepted formula for risk quantification is:
"Rate (or probability) of occurrence multiplied by the impact of the event equals risk
magnitude."

Risk options
Risk mitigation measures are usually formulated according to one or more of the following major
risk options, which are:
1. Design a new business process with adequate built-in risk control and containment measures
from the start.

2. Periodically re-assess risks that are accepted in ongoing processes as a normal feature of
business operations and modify mitigation measures.

3. Transfer risks to an external agency (e.g. an insurance company)

4. Avoid risks altogether (e.g. by closing down a particular high-risk business area)

Later research has shown that the financial benefits of risk management are less
dependent on the formula used and more dependent on the frequency with which, and the way in which, risk
assessment is performed.

In business it is imperative to be able to present the findings of risk assessments in financial,
market, or schedule terms. Robert Courtney Jr. (IBM, 1970) proposed a formula for presenting
risks in financial terms. The Courtney formula was accepted as the official risk analysis method
for the US governmental agencies. The formula proposes calculation of ALE (annualized loss
expectancy) and compares the expected loss value to the security control implementation costs
(cost-benefit analysis).
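The ALE cost-benefit screening described above, worked through as an added example that is not code from the page or any cited source. The page only names ALE, so the example assumes the usual convention ALE = ARO * SLE (annualized rate of occurrence times single loss expectancy); the risks, controls and figures are constructed sample data, and the control names echo the sprinkler/suppression discussion later in the article.

```python
"""Added example: screening candidate controls by annualized loss expectancy.

Assumed conventions (the page only names ALE): ALE = ARO * SLE, where ARO is
the annualized rate of occurrence and SLE the single loss expectancy; a
control is worth buying when the ALE it removes exceeds its annual cost.
All risks, controls and figures below are constructed sample data."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: loss per occurrence, in currency units
    aro: float  # annualized rate of occurrence: expected events per year

    def ale(self) -> float:
        """Risk magnitude: rate of occurrence multiplied by impact."""
        return self.aro * self.sle


@dataclass(frozen=True)
class Control:
    name: str
    risk: str             # name of the risk the control addresses
    annual_cost: float    # purchase, staff time and maintenance per year
    aro_reduction: float  # fraction of ARO the control removes (0..1)
    sle_reduction: float  # fraction of SLE the control removes (0..1)

    def __post_init__(self) -> None:
        for frac in (self.aro_reduction, self.sle_reduction):
            if not 0.0 <= frac <= 1.0:
                raise ValueError(f"{self.name}: reductions must lie in [0, 1]")


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control is in place."""
    aro = risk.aro * (1.0 - control.aro_reduction)
    sle = risk.sle * (1.0 - control.sle_reduction)
    return aro * sle


def net_benefit(risk: Risk, control: Control) -> float:
    """Expected annual loss avoided minus what the control costs per year.
    Negative means the control costs more than the loss it prevents."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def prioritize_risks(risks):
    """Highest ALE (probability times impact) first, as the text recommends."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def rank_controls(risks, controls):
    """Return (control name, net benefit) pairs, best value for money first."""
    by_name = {r.name: r for r in risks}
    scored = [(c.name, net_benefit(by_name[c.risk], c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample register; the figures are illustrative, not real data.
SAMPLE_RISKS = [
    Risk("ransomware on file server", sle=250_000, aro=0.2),  # ALE 50,000
    Risk("laptop theft", sle=5_000, aro=2.0),                 # ALE 10,000
    Risk("server-room fire", sle=2_000_000, aro=0.01),        # ALE 20,000
]

SAMPLE_CONTROLS = [
    Control("offline backups", "ransomware on file server",
            annual_cost=12_000, aro_reduction=0.0, sle_reduction=0.8),
    Control("full-disk encryption", "laptop theft",
            annual_cost=3_000, aro_reduction=0.0, sle_reduction=0.9),
    # A costly control for a rare event: the expected loss it avoids per year
    # is smaller than its annual cost, so the net benefit comes out negative.
    Control("gas fire suppression", "server-room fire",
            annual_cost=40_000, aro_reduction=0.5, sle_reduction=0.0),
]


if __name__ == "__main__":
    for r in prioritize_risks(SAMPLE_RISKS):
        print(f"{r.name:28s} ALE = {r.ale():>12,.0f}")
    for name, benefit in rank_controls(SAMPLE_RISKS, SAMPLE_CONTROLS):
        verdict = "worth it" if benefit > 0 else "costs more than it saves"
        print(f"{name:28s} net benefit = {benefit:>10,.0f}  ({verdict})")
```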

Potential risk treatments

Once risks have been identified and assessed, all techniques to manage the risk fall into one or
more of these four major categories:[10]

Avoidance (eliminate, withdraw from or not become involved)

Reduction (optimize - mitigate)

Sharing (transfer - outsource or insure)

Retention (accept and budget)

Ideal use of these risk control strategies may not be possible. Some of them may involve trade-
offs that are not acceptable to the organization or person making the risk management decisions.
Another source, from the US Department of Defense's Defense Acquisition University,
calls these categories ACAT, for Avoid, Control, Accept, or Transfer. This use of the ACAT
acronym is reminiscent of another ACAT (for Acquisition Category) used in US Defense industry
procurements, in which risk management figures prominently in decision making and planning.

Risk avoidance

This includes not performing an activity that could carry risk. An example would be not buying a
property or business in order to not take on the legal liability that comes with it. Another would
be not flying in order not to take the risk that the airplane were to be hijacked. Avoidance may
seem the answer to all risks, but avoiding risks also means losing out on the potential gain that
accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss
also avoids the possibility of earning profits. Increasing risk regulation in hospitals has led to
avoidance of treating higher risk conditions, in favor of patients presenting with lower risk.[11]

Risk reduction

Risk reduction or "optimization" involves reducing the severity of the loss or the likelihood of
the loss from occurring. For example, sprinklers are designed to put out a fire to reduce the risk
of loss by fire. This method may cause a greater loss by water damage and therefore may not be
suitable. Halon fire suppression systems may mitigate that risk, but the cost may be prohibitive
as a strategy.

Acknowledging that risks can be positive or negative, optimizing risks means finding a balance
between negative risk and the benefit of the operation or activity; and between risk reduction and
effort applied. By an offshore drilling contractor effectively applying HSE Management in its
organization, it can optimize risk to achieve levels of residual risk that are tolerable.[12]

Modern software development methodologies reduce risk by developing and delivering software
incrementally. Early methodologies suffered from the fact that they only delivered software in
the final phase of development; any problems encountered in earlier phases meant costly rework
and often jeopardized the whole project. By developing in iterations, software projects can limit
effort wasted to a single iteration.

Outsourcing could be an example of risk reduction if the outsourcer can demonstrate higher
capability at managing or reducing risks.[13] For example, a company may outsource only its
software development, the manufacturing of hard goods, or customer support needs to another
company, while handling the business management itself. This way, the company can
concentrate more on business development without having to worry as much about the
manufacturing process, managing the development team, or finding a physical location for a call
center.

Risk sharing

Briefly defined as "sharing with another party the burden of loss or the benefit of gain, from a
risk, and the measures to reduce a risk."

The term of 'risk transfer' is often used in place of risk sharing in the mistaken belief that you can
transfer a risk to a third party through insurance or outsourcing. In practice if the insurance
company or contractor go bankrupt or end up in court, the original risk is likely to still revert to
the first party. As such in the terminology of practitioners and scholars alike, the purchase of an
insurance contract is often described as a "transfer of risk." However, technically speaking, the
buyer of the contract generally retains legal responsibility for the losses "transferred", meaning
that insurance may be described more accurately as a post-event compensatory mechanism. For
example, a personal injuries insurance policy does not transfer the risk of a car accident to the
insurance company. The risk still lies with the policy holder, namely the person who has been in
the accident. The insurance policy simply provides that if an accident (the event) occurs
involving the policy holder then some compensation may be payable to the policy holder that is
commensurate with the suffering/damage.

Some ways of managing risk fall into multiple categories. Risk retention pools are technically
retaining the risk for the group, but spreading it over the whole group involves transfer among
individual members of the group. This is different from traditional insurance, in that no premium
is exchanged between members of the group up front, but instead losses are assessed to all
members of the group.

Risk retention

Involves accepting the loss, or benefit of gain, from a risk when it occurs. True self insurance
falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring
against the risk would be greater over time than the total losses sustained. All risks that are not
avoided or transferred are retained by default. This includes risks that are so large or catastrophic
that they either cannot be insured against or the premiums would be infeasible. War is an
example since most property and risks are not insured against war, so the loss attributed by war
is retained by the insured. Also any amounts of potential loss (risk) over the amount insured is
retained risk. This may also be acceptable if the chance of a very large loss is small or if the cost
to insure for greater coverage amounts is so great it would hinder the goals of the organization
too much. Risk retention or acceptance is a common type of risk response to threats and
opportunities.

Risk Management plan

Select appropriate controls or countermeasures to mitigate each risk. Risk mitigation needs to be
approved by the appropriate level of management. For instance, a risk concerning the image of
the organization should have top management decision behind it whereas IT management would
have the authority to decide on computer virus risks.

The risk management plan should propose applicable and effective security controls for
managing the risks. For example, an observed high risk of computer viruses could be mitigated
by acquiring and implementing antivirus software. A good risk management plan should contain
a schedule for control implementation and responsible persons for those actions.

According to ISO/IEC 27001, the stage immediately after completion of the risk assessment
phase consists of preparing a Risk Treatment Plan, which should document the decisions about
how each of the identified risks should be handled. Mitigation of risks often means selection of
security controls, which should be documented in a Statement of Applicability identifying
which particular control objectives and controls from the standard have been selected, and why.

Implementation
Implementation follows all of the planned methods for mitigating the effect of the risks. Purchase
insurance policies for the risks that have been decided to be transferred to an insurer, avoid all
risks that can be avoided without sacrificing the entity's goals, reduce others, and retain the rest.

Review and evaluation of the plan

Initial risk management plans will never be perfect. Practice, experience, and actual loss results
will necessitate changes in the plan and contribute information to allow possible different
decisions to be made in dealing with the risks being faced.

Risk analysis results and management plans should be updated periodically. There are two
primary reasons for this:

1. to evaluate whether the previously selected security controls are still applicable and effective

2. to evaluate possible changes in risk level in the business environment; information risks, for
example, change rapidly.

Limitations
Prioritizing the risk management processes too highly could keep an organization from ever
completing a project or even getting started. This is especially true if other work is suspended
until the risk management process is considered complete.

It is also important to keep in mind the distinction between risk and uncertainty. Risk can be
measured by impact × probability.

If risks are improperly assessed and prioritized, time can be wasted in dealing with risk of losses
that are not likely to occur. Spending too much time assessing and managing unlikely risks can
divert resources that could be used more profitably. Unlikely events do occur but if the risk is
unlikely enough to occur it may be better to simply retain the risk and deal with the result if the
loss does in fact occur. Qualitative risk assessment is subjective and lacks consistency. The
primary justification for a formal risk assessment process is legal and bureaucratic.

Areas
As applied to corporate finance, risk management is the technique for measuring, monitoring and
controlling the financial or operational risk on a firm's balance sheet. A traditional measure is
value at risk (VaR), but there are also other measures like profit at risk (PaR) or margin at risk. The
Basel II framework breaks risks into market risk (price risk), credit risk and operational risk and
also specifies methods for calculating capital requirements for each of these components.

In information technology, risk management includes "Incident Handling", an action plan for
dealing with intrusions, cyber-theft, denial of service, fire, floods, and other security-related
events. According to the SANS organization,[14] it is a six step process: Preparation,
Identification, Containment, Eradication, Recovery, and Lessons Learned.

Enterprise

Main article: Enterprise Risk Management

In enterprise risk management, a risk is defined as a possible event or circumstance that can have
negative influences on the enterprise in question. Its impact can be on the very existence, the
resources (human and capital), the products and services, or the customers of the enterprise, as
well as external impacts on society, markets, or the environment. In a financial institution,
enterprise risk management is normally thought of as the combination of credit risk, interest rate
risk or asset liability management, liquidity risk, market risk, and operational risk.

In the more general case, every probable risk can have a pre-formulated plan to deal with its
possible consequences (to ensure contingency if the risk becomes a liability).

From the information above and the average cost per employee over time, or cost accrual ratio
(CAR), a project manager can estimate:

the cost associated with the risk if it arises, estimated by multiplying employee costs per unit
time by the estimated time lost (cost impact, C, where C = CAR * S)
the probable increase in time associated with a risk (schedule variance due to risk, Rs, where
Rs = P * S):

o Sorting on this value puts the highest risks to the schedule first. This is intended to cause
the greatest risks to the project to be attempted first so that risk is minimized as quickly
as possible.

o This is slightly misleading, as schedule variances with a large P and small S and vice versa
are not equivalent (the risk of the RMS Titanic sinking vs. the passengers' meals being
served at slightly the wrong time).

the probable increase in cost associated with a risk (cost variance due to risk, Rc, where
Rc = P * C = P * CAR * S = P * S * CAR):

o Sorting on this value puts the highest risks to the budget first.

o See the concerns about schedule variance, as this is a function of it, as illustrated in the
equation above.

Risk in a project or process can be due either to Special Cause Variation or Common Cause
Variation and requires appropriate treatment. That is to re-iterate the concern about extremal
cases not being equivalent in the list immediately above.
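The schedule and cost variance ranking described above, as an added example that is not part of the original article. The formulas Rs = P * S, C = CAR * S and Rc = P * C are the ones the text states; the register rows, the CAR value and the thresholds used to flag the two extremal cases (rare catastrophe vs. frequent nuisance) are constructed assumptions.

```python
"""Added example: ranking a project risk register by schedule variance
Rs = P * S and cost variance Rc = P * C, with C = CAR * S, as defined in the
text. Register rows, CAR and the flagging thresholds are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class RegisterEntry:
    title: str
    probability: float  # P: chance the risk materializes, 0..1
    time_lost: float    # S: estimated staff-days lost if it does


CAR = 800.0  # cost accrual ratio: assumed average cost per staff-day


def cost_impact(entry: RegisterEntry, car: float = CAR) -> float:
    """C = CAR * S: cost if the risk arises."""
    return car * entry.time_lost


def schedule_variance(entry: RegisterEntry) -> float:
    """Rs = P * S: probable schedule slip attributable to the risk."""
    return entry.probability * entry.time_lost


def cost_variance(entry: RegisterEntry, car: float = CAR) -> float:
    """Rc = P * C = P * CAR * S: probable cost overrun attributable to the risk."""
    return entry.probability * cost_impact(entry, car)


def rank_by_schedule(entries):
    """Highest Rs first; ties keep register order (sorted() is stable)."""
    return sorted(entries, key=schedule_variance, reverse=True)


def rank_by_cost(entries, car: float = CAR):
    """Highest Rc first. Since Rc = CAR * Rs, this is the same order as Rs."""
    return sorted(entries, key=lambda e: cost_variance(e, car), reverse=True)


def extremal_label(entry: RegisterEntry, tail_p: float = 0.05,
                   tail_s: float = 100.0, nuisance_p: float = 0.5,
                   nuisance_s: float = 10.0) -> str:
    """Flag the two extremes the text warns about: a rare catastrophe and a
    frequent nuisance can score the same Rs yet need different treatment.
    The thresholds are assumptions, not values from the text."""
    if entry.probability <= tail_p and entry.time_lost >= tail_s:
        return "catastrophic tail"
    if entry.probability >= nuisance_p and entry.time_lost <= nuisance_s:
        return "frequent nuisance"
    return "ordinary"


def report(entries, car: float = CAR):
    """One row per entry, in Rs order, with the extremal flag attached."""
    return [
        {"title": e.title, "Rs": schedule_variance(e),
         "Rc": cost_variance(e, car), "flag": extremal_label(e)}
        for e in rank_by_schedule(entries)
    ]


# Constructed register. The first two rows deliberately have equal Rs.
SAMPLE_REGISTER = [
    RegisterEntry("lead developer leaves mid-project", probability=0.3, time_lost=20),
    RegisterEntry("build server lost to a fire", probability=0.01, time_lost=600),
    RegisterEntry("daily stand-up overruns", probability=0.9, time_lost=8),
]


if __name__ == "__main__":
    for row in report(SAMPLE_REGISTER):
        print(f"{row['title']:36s} Rs={row['Rs']:5.1f}  Rc={row['Rc']:8,.0f}  {row['flag']}")
```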

Medical device

For medical devices, risk management is a process for identifying, evaluating and mitigating
risks associated with harm to people and damage to property or the environment. Risk
management is an integral part of medical device design and development, production processes
and evaluation of field experience, and is applicable to all types of medical devices. The
evidence of its application is required by most regulatory bodies such as FDA. The management
of risks for medical devices is described by the International Organization for Standardization
(ISO) in ISO 14971:2007, Medical Devices - Application of risk management to medical
devices, a product safety standard. The standard provides a process framework and associated
requirements for management responsibilities, risk analysis and evaluation, risk controls and
lifecycle risk management.

The European version of the risk management standard was updated in 2009 and again in 2012
to refer to the Medical Devices Directive (MDD) and Active Implantable Medical Device
Directive (AIMDD) revision in 2007, as well as the In Vitro Medical Device Directive (IVDD).
The requirements of EN 14971:2012 are nearly identical to ISO 14971:2007. The differences
include three "(informative)" Z Annexes that refer to the new MDD, AIMDD, and IVDD. These
annexes indicate content deviations that include the requirement for risks to be reduced as far as
possible, and the requirement that risks be mitigated by design and not by labeling on the
medical device (i.e., labeling can no longer be used to mitigate risk).

Typical risk analysis and evaluation techniques adopted by the medical device industry include
hazard analysis, fault tree analysis (FTA), failure mode and effect analysis (FMEA), hazard and
operability study (HAZOP), and risk traceability analysis for ensuring risk controls are
implemented and effective (i.e. tracking risks identified to product requirements, design
specifications, verification and validation results etc.). FTA analysis requires diagramming
software. FMEA analysis can be done using a spreadsheet program. There are also integrated
medical device risk management solutions.

Through a draft guidance, FDA has introduced another method named "Safety Assurance Case"
for medical device safety assurance analysis. The safety assurance case is structured argument
reasoning about systems appropriate for scientists and engineers, supported by a body of
evidence, that provides a compelling, comprehensible and valid case that a system is safe for a
given application in a given environment. With the guidance, a safety assurance case is expected
for safety critical devices (e.g. infusion devices) as part of the pre-market clearance submission,
e.g. 510(k). In 2013, FDA introduced another draft guidance expecting medical device
manufacturers to submit cybersecurity risk analysis information.

Project management

Main article: project risk management

Project risk management must be considered at the different phases of acquisition. In the
beginning of a project, the advancement of technical developments or the response to threats
presented by a competitor's projects may cause a risk or threat assessment and subsequent
evaluation of alternatives (see Analysis of Alternatives). Selecting a response to the
technology options or competitor threats presented is an important application of risk management. Once a
decision is made, and the project begun, more familiar project management applications can be
used:[15][16][17]

An example of the Risk Register for a project that includes 4 steps: Identify, Analyze, Plan Response,
Monitor and Control.[18]

Planning how risk will be managed in the particular project. Plans should include risk
management tasks, responsibilities, activities and budget.

Assigning a risk officer: a team member other than the project manager who is responsible for
foreseeing potential project problems. A typical characteristic of a risk officer is healthy skepticism.

Maintaining a live project risk database. Each risk should have the following attributes: opening
date, title, short description, probability and importance. Optionally a risk may have an assigned
person responsible for its resolution and a date by which the risk must be resolved.

Creating an anonymous risk reporting channel. Each team member should have the possibility to
report risks that he/she foresees in the project.

Preparing mitigation plans for risks that are chosen to be mitigated. The purpose of the
mitigation plan is to describe how this particular risk will be handled: what, when, by whom
and how it will be done to avoid it or minimize consequences if it becomes a liability.

Summarizing planned and faced risks, effectiveness of mitigation activities, and effort spent for
the risk management.

Megaprojects (infrastructure)

Megaprojects (sometimes also called "major programs") are large-scale investment projects,
typically costing more than US$1 billion per project. Megaprojects include major bridges,
tunnels, highways, railways, airports, seaports, power plants, dams, wastewater projects, coastal
flood protection schemes, oil and natural gas extraction projects, public buildings, information
technology systems, aerospace projects, and defense systems. Megaprojects have been shown to
be particularly risky in terms of finance, safety, and social and environmental impacts.[19] Risk
management is therefore particularly pertinent for megaprojects and special methods and special
education have been developed for such risk management.[20]

Natural disasters

It is important to assess risk in regard to natural disasters like floods, earthquakes, and so on.
Outcomes of natural disaster risk assessment are valuable when considering future repair costs,
business interruption losses and other downtime, effects on the environment, insurance costs, and
the proposed costs of reducing the risk.[21] There are regular conferences in Davos to deal with
integral risk management.

Information technology

Main article: IT risk management

IT risk is a risk related to information technology. This is a relatively new term due to an
increasing awareness that information security is simply one facet of a multitude of risks that are
relevant to IT and the real world processes it supports.

ISACA's Risk IT framework ties IT risk to enterprise risk management.

Petroleum and natural gas

For the offshore oil and gas industry, operational risk management is regulated by the safety case
regime in many countries. Hazard identification and risk assessment tools and techniques are
described in the international standard ISO 17776:2000, and organisations such as the IADC
(International Association of Drilling Contractors) publish guidelines for HSE Case development
which are based on the ISO standard. Further, diagrammatic representations of hazardous events
are often expected by governmental regulators as part of risk management in safety case
submissions; these are known as bow-tie diagrams. The technique is also used by organisations
and regulators in mining, aviation, health, defence, industrial and finance.

Pharmaceutical sector

The principles and tools for quality risk management are increasingly being applied to different
aspects of pharmaceutical quality systems. These aspects include development, manufacturing,
distribution, inspection, and submission/review processes throughout the lifecycle of drug
substances, drug products, biological and biotechnological products (including the use of raw
materials, solvents, excipients, packaging and labeling materials in drug products, biological and
biotechnological products). Risk management is also applied to the assessment of
microbiological contamination in relation to pharmaceutical products and cleanroom
manufacturing environments.[22]

Risk communication
Risk communication is a complex cross-disciplinary academic field related to core values of the
targeted audiences.[23][24] Problems for risk communicators involve how to reach the intended
audience, how to make the risk comprehensible and relatable to other risks, how to pay
appropriate respect to the audience's values related to the risk, how to predict the audience's
response to the communication, etc. A main goal of risk communication is to improve collective
and individual decision making. Risk communication is somewhat related to crisis
communication.

5.3 Acceptable Use Policies

To view content for section 5.3 (Whitepaper - Reading Room SANS - Global Information
Assurance Certification Paper), please follow the link below.

AUP

Acceptable use policies should exist in every organization that provides computing
equipment to its employees. Acceptable use policies are general in nature, unlike
secure use procedures. Developing and deploying an acceptable use policy requires little
effort beyond the time it takes to write and distribute it. An acceptable use policy is
typically one of the documents contained in a new hire packet. It is critical that all
employees sign the acceptable use policy, thereby recording their consent to it. These
policies exist to protect not only employers but also employees.

An AUP, or acceptable use policy, helps the organization fulfill its duty of care to
provide a nonhostile working environment. [1] Duty of care means that a person or
company is legally required not to create unreasonable risk or harm to others through acts or
omissions that can be reasonably foreseen. The acceptable use policy lets employees
know the rules for using any computers or other smart devices owned by the company.
Compliance with an AUP must be enforced for every employee of the organization. AUPs
should be written in clear, concise language that is not easily confused or misinterpreted.

Class Activity #4

Click the link below to review the template for an example of an Acceptable Use Policy.

http://www.sans.org/security-resources/policies/general/pdf/acceptable-use-policy

[1] Volonino, Linda, and Stephen R. Robinson, Principles and Practice of Information Security, p. 80.

5.4 Secure Use Policies

To view content for section 5.4 (Whitepaper - Reading Room SANS - Information Security
Policy - A Development Guide for Large and Small Companies), please click the link below.

SUP: http://www.sans.org/reading_room/whitepapers/policyissues/information-security-policy-development-guide-large-small-companies_1331

Secure use policies are mainly intended to help an organization avoid internal risks.
Almost every company at some time or another experiences the disgruntled employee,
for example. This employee can wreak havoc on an organization by sending malicious
emails, stealing company-owned assets and giving them to competitors, and so on. It is
important to note that these procedures aren't intended solely to protect against a
disgruntled employee. Without the proper controls in place to keep them within the
bounds of what they should be doing, employees make mistakes; even the best system
administrator does. Many attacks succeed only because an insider, knowingly or by
mistake, supplies the access. So it is critical to implement secure use procedures to
mitigate as much of this risk as possible. Unlike an AUP, these procedures are written
with specifics: exact steps, systems and responsibilities. Training is just as important as
having a secure use policy; otherwise it may end up as shelfware, never to be used.

One example of a secure use policy is a new hire procedure that tells the system
administrators exactly how to set up a new employee's account, what access they receive
in each system, what rights they hold on any computer issued to them, and so on. Another
example is a termination procedure that dictates exactly how to remove a user from all
systems, when to remove them, what of the employee's data to retain, and so on. The
linked document gives several examples of SUPs.
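The termination procedure described above can be written down as a checklist, but it can also be written as code so that every leaver is handled the same way and the result is verified rather than assumed. The following is an added example, not material from this module or from the linked SANS guide. It models a hypothetical in-memory identity store (standing in for a directory, VPN and SaaS token service) with constructed sample users, and runs the steps a termination SUP typically dictates: disable rather than delete, invalidate every live credential and session, strip group memberships, rotate any shared secret the leaver knew, keep the person's data for an assumed 90-day retention hold, and then check that no access path remains before the ticket is closed. All names (`alice`, `bob`, `backup-service`, the group names) and the retention window are assumptions for illustration.

```python
"""Leaver (termination) procedure modelled as code; hypothetical identity store."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple
import secrets

RETENTION = timedelta(days=90)          # assumed retention hold; set by HR/legal policy
T0 = datetime(2024, 1, 15, 9, 0)        # constructed time of the termination


@dataclass
class User:
    name: str
    enabled: bool = True
    password_hash: Optional[str] = "hash"            # stand-in for a real hash
    groups: Set[str] = field(default_factory=set)
    tokens: Set[str] = field(default_factory=set)    # API keys, refresh tokens
    sessions: Set[str] = field(default_factory=set)  # live session ids
    hold_until: Optional[datetime] = None            # data retention hold


@dataclass
class IdentityStore:
    """Hypothetical in-memory stand-in for directory + VPN + SaaS token service."""
    users: Dict[str, User]
    # shared secret name -> (current value, set of people who know it)
    shared_secrets: Dict[str, Tuple[str, Set[str]]]


def residual_access(store: IdentityStore, name: str) -> List[str]:
    """Verification step: list every way the named person could still get in."""
    u = store.users.get(name)
    if u is None:
        return []
    found = []
    if u.enabled:
        found.append("account enabled")
    if u.password_hash is not None:
        found.append("password still valid")
    found += [f"token {t}" for t in sorted(u.tokens)]
    found += [f"session {s}" for s in sorted(u.sessions)]
    found += [f"group {g}" for g in sorted(u.groups)]
    found += [f"shares secret {k}" for k, (_, who) in store.shared_secrets.items() if name in who]
    return found


def offboard(store: IdentityStore, name: str, now: datetime, actor: str) -> List[str]:
    """Run the leaver procedure for one user and return the audit trail."""
    u = store.users[name]
    audit: List[str] = []

    def log(step: str) -> None:
        audit.append(f"{now.isoformat()} actor={actor} user={name} {step}")

    # 1. Disable, do not delete: the identity must stay resolvable for logs and legal hold.
    u.enabled = False
    log("account disabled")
    # 2. Invalidate every credential and live session; disabling alone does not
    #    end an existing session or a long-lived API token.
    u.password_hash = None
    log(f"password invalidated; revoked {len(u.tokens)} tokens, {len(u.sessions)} sessions")
    u.tokens.clear()
    u.sessions.clear()
    # 3. Strip privileges so nothing is inherited if the account is ever re-enabled.
    log(f"removed from groups {sorted(u.groups)}")
    u.groups.clear()
    # 4. Rotate any shared secret the leaver knew; revoking their own account does
    #    nothing about a password they memorised.
    for key, (_, who) in store.shared_secrets.items():
        if name in who:
            who.discard(name)
            store.shared_secrets[key] = (secrets.token_urlsafe(32), who)
            log(f"rotated shared secret {key}")
    # 5. Keep the person's data for the retention window; deletion is a later step.
    u.hold_until = now + RETENTION
    log(f"data on hold until {u.hold_until.date()}")
    # 6. Verify before closing the ticket.
    left = residual_access(store, name)
    log("verified: no residual access" if not left else f"RESIDUAL ACCESS: {left}")
    return audit


def purge_expired(store: IdentityStore, now: datetime) -> List[str]:
    """Delete disabled users whose retention hold has passed; never touch live ones."""
    gone = [n for n, u in store.users.items()
            if not u.enabled and u.hold_until is not None and u.hold_until <= now]
    for n in gone:
        del store.users[n]
    return gone


def demo_store() -> IdentityStore:
    """Constructed sample data, not taken from any real system."""
    alice = User("alice", groups={"vpn-users", "domain-admins"},
                 tokens={"tok-ci-1"}, sessions={"sess-42"})
    bob = User("bob", groups={"vpn-users"})
    return IdentityStore(
        users={"alice": alice, "bob": bob},
        shared_secrets={"backup-service": ("old-secret", {"alice", "bob"})},
    )


if __name__ == "__main__":
    store = demo_store()
    for line in offboard(store, "alice", T0, actor="sysadmin"):
        print(line)
    print("purged after hold:", purge_expired(store, T0 + RETENTION))
```

The point of `residual_access` is that the procedure ends with a check, not with the last action: a ticket that says "account disabled" is not evidence that the leaver's API token or shared backup password stopped working. Separating `purge_expired` from `offboard` keeps the "when to remove them" decision (after the retention hold) distinct from the "remove access now" decision.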

Class Activity #5 - Discussion

Research the steps to take if your Social Security number has been stolen, whether
personally or through a company breach. What are you supposed to do to report the theft
and mitigate the problems it causes for the victims? Put your answers in the discussion
area of the course.

Secondly, what are the steps to go about reporting and mitigating possible damages
from credit card theft? Is it better to use a credit card or debit card when making online
purchases?

Discussion:

Put your answers in the discussion area of the course.

Students should work in teams of 2 or 4 (at most) for one hour. A short 3 to 5 slide
presentation should be prepared outlining the answers.

Be sure to cite any articles or books or web sites where you obtain the information you
are sharing with the class.

For more information visit the following links:

The Privacy Act of 1974

http://www.justice.gov/opcl/privacyact1974.htm

The Health Insurance Portability and Accountability Act - 1996 (HIPAA)

http://www.gpo.gov/fdsys/pkg/CRPT-104hrpt736/pdf/CRPT-104hrpt736.pdf

Computer Fraud and Abuse Act

http://energy.gov/sites/prod/files/cioprod/documents/ComputerFraud-AbuseAct.pdf
