Amazon
Project 3 –Risk Management Strategy for an e-Commerce Company
Description
For this project, you will build upon the e-Commerce Risk Analysis performed in Project #2. For this project, you will construct a risk management strategy for your selected company which includes specific cybersecurity activities (as defined in the NIST Cybersecurity Framework Core) which will help the company mitigate the identified risks. Your strategy will include an “acquisition forecast” in which you identify and discuss the technologies, products, and services required to implement your recommended risk management strategy. (Note: you must use the same company as used in Project #2. You may expand upon your risk analysis if necessary.)
Don't use plagiarized sources. Get Your Custom Essay on
Risk Management Strategy for an e-Commerce Company
Just from $13/Page
Develop an Executive Summary
Since this is a separate deliverable, you will need to begin by identifying the selected company and providing an executive summary of the e-Commerce Risk Analysis that you presented in Project #2.
Develop and Document the Risk Mitigation Strategy
For this section of your project, you must identify and document a risk mitigation strategy for 10 separate risks. Your risk mitigation strategies must utilize at least three (3) of the five (5) NIST Cybersecurity Framework (CSF) Core Functions.
1. Begin by copying Table 1 from this file into a new file (for your assignment submission). This table will become your Risk Profile Table. (Delete the example text.)
2. Next, convert your list of risk factors (from Project #2) into a “Risk Profile” Each risk factor should be listed as a separate risk item with its own row in your Risk Profile. (Add a row to your table for each identified risk – one per row). For this step, you will fill in the information for the first two columns (Risk ID and Risk).
3. Next, consult the NIST Cybersecurity Framework (see Table 2: Framework Core) to identify the cybersecurity activities which can be used to control / mitigate the identified risks. Add this information to each row in your table. Note: you should paraphrase the information for the “Risk Mitigation Strategy (description)” column and the “Implementation: Required Technologies, Products, or Services” column.
4. Complete the final two columns of the table by entering the exact function, category, and sub-category identifiers and descriptions as listed in NIST CSF Table 2. See the example below.
CSIA 350: Cybersecurity in Business & Industry
Copyright © 2020 by University of Maryland Global Campus. All rights reserved.
Table 1. Risk Profile Table (example)
|
Risk ID
|
Risk
|
Risk Mitigation Strategy (description)
|
Implementation: Required Technologies, Products, or Services
|
NIST Cybersecurity Framework Category and Sub Category Identifier (e.g. ID.AM-1)
|
Sub-Category Description
|
|
001
|
Theft of customer information from online transactions
|
Encrypt all communications between customers and the company’s online ordering system.
|
Implement Transport Layer Security; purchase and deploy digital certificates to use for encrypting communications.
|
PR.DS-2
|
Data-in-transit is protected.
|
|
002
|
|
003
|
|
004
|
|
005
|
|
006
|
|
007
|
|
008
|
|
009
|
|
010
|
Develop an “
Acquisition Forecast
”
To complete your work, summarize the technologies which you are recommending that the company acquire (purchase) in order to mitigate risks; these technologies MUST appear in your risk profile table. Your acquisition forecast should identify and fully discuss a minimum of three categories or types of cybersecurity products or services which this company will need to purchase in order to appropriately mitigate the identified risks. Remember to include information about potential vendors or suppliers including how you can identify and qualify appropriate sources of technologies, products, and services. This information provides the justification or rationale for your recommendations.
Note: “qualifying” a producer / manufacturer, vendor or seller refers to the due diligence processes required to investigate the supplier and ensure that the products, services, and technologies acquired from it will meet the company’s needs and requirements. For cybersecurity related acquisitions, this many include testing the products and services to ensure that they can be trusted to deliver the required functionality and will not be a source of threats or harm.
Write
1. An executive summary which identifies the company being discussed and provides a brief introduction to the company including when it was founded and significant events in its history. This summary must also provide a high level overview of the company’s operations (reuse and adapt your narrative from Project #2) and the e-Commerce risks that the company must address and mitigate.
2. A separate section in which you present a Risk Management Profile. Begin with an introductory paragraph in which you summarize the risks and risk mitigation strategies. Your introduction should also explain the Risk Profile table (what is in it, how to use it).
3. Complete and then insert your Risk Profile Table at the end of this Risk Management Profile section. In-text citations are NOT required within the body of your Risk Profile Table but you must credit the sources of information used by listing / mentioning them in your introduction to this section.
4. A separate section in which you present your “Acquisition Forecast” in which you identify and discuss the products, services, and/or technologies which the company must purchase in the future to implement the recommended risk mitigation strategies. Remember to include information about potential vendors or suppliers including how you can identify and qualify appropriate sources of technologies, products, and services.
5. A closing section (Summary & Conclusions) which summarizes your risk management strategy and presents a compelling argument as to how your risk mitigation strategies (including the acquisition forecast) will reduce or control (mitigate) the identified “cyber” risks. Remember to address the five NIST Cybersecurity Framework Core Functions in your summation.
Submit for Grading
Submit your work in MS Word format ( x or file) using the Project #3 Assignment in your assignment folder. (Attach the file.)
Additional Information
1. Your 5-8 page Risk Management Strategy for an e-Commerce Company should be professional in appearance with consistent use of fonts, font sizes, margins, etc. You should use headings to organize your paper. The CSIA program recommends that you follow standard APA formatting since this will give you a document that meets the “professional appearance” requirements. APA formatting guidelines and examples are found under Course Resources > APA Resources. An APA template file (MS Word format) has also been provided for your use CSIA_Basic_Paper_Template(APA_6ed,DEC2018) x.
2.
Your paper should use standard terms and definitions for cybersecurity.
3. You must include a cover page with the assignment title, your name, and the due date. Your reference list must be on a separate page at the end of your file. These pages do not count towards the assignment’s page count. (An example and template file are available in the LEO classroom.
4. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.
5. You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow a consistent citation style (APA, MLA, etc.). See direction under “Write” for how to cite sources used in your Risk Profile Table.
6. Consult the grading rubric for specific content and formatting requirements for this assignment.
Rubric
Executive Summary: Company Operations & Sources of Risk
10 points
Provided an excellent Executive Summary which identified the company being profiled and included a brief overview of the company and its e-Commerce operations. Identified and briefly discussed 5 or more distinct sources of cybersecurity related risks which the company must address. Appropriately used information from 3 or more authoritative sources. Reuse of narrative from Project #2 is allowed.
Risk Management Profile: Introduction
10 points
Provided an excellent introduction to the Risk Management Profile. Provided a summary of the risk management strategy and provided a clear and concise explanation of the risk profile table (what is in it, how it was developed, the benefits of using a risk profile to help manage risk). Appropriately used information from 3 or more authoritative sources.
Risk ID 001
5 points
Provided a complete, concise, and realistic entry (all table columns filled out) for a cyberspace or cybersecurity related risk relevant to the company’s e-Commerce operations. The entry included: Risk ID (001, 002, etc.), Risk (description or short title), Risk Mitigation Strategy (descriptive), Implementation: Required Technologies, Products, Services (named or described specific solutions), and the NIST CSF category and subcategory identifiers corresponding to the strategy. The identified risk and risk mitigation strategy are realistic and the strategy (including technologies, products, and services) can be used by the company to mitigate or control this risk.
Risk ID 002
5 points
Documented a second unique risk. Met all requirements for “excellent” as listed under Risk ID 001.
Risk ID 003
5 points
Documented a third unique risk. Met all requirements for “excellent” as listed under Risk ID 001.
Risk ID 004
5 points
Documented a fourth unique risk. Met all requirements for “excellent” as listed under Risk ID 001.
Risk ID 005
5 points
Documented a fifth unique risk. Met all requirements for “excellent” as listed under Risk ID 001.
Risk ID 006
5 points
Documented a sixth unique risk. Met all requirements for “excellent” as listed under Risk ID 001
Risk ID 007
5 points
Documented a seventh unique risk. Met all requirements for “excellent” as listed under Risk ID 001.
Risk ID 008
5 points
Documented a eighth unique risk. Met all requirements for “excellent” as listed under Risk ID 001.
Risk ID 009
5 points
Documented a ninth unique risk. Met all requirements for “excellent” as listed under Risk ID 001.
Risk ID 010
5 points
Documented a tenth unique risk. Met all requirements for “excellent” as listed under Risk ID 001.
Acquisition Forecast
10 points
Provided an excellent Acquisition Forecast which identified and then clearly, concisely, and thoroughly discussed three or more categories or types of cybersecurity products or services which this company will need to purchase in order to appropriately mitigate the identified risks. Discussed how the company could find and qualify appropriate sources of technologies, products, and services as part of its due diligence processes. Appropriately used information from 3 or more authoritative sources.
Summary and Conclusions
10 points
Provided an excellent Summary and Conclusions section which summarizes the documented risk management strategy and presents a compelling argument as to how the strategy (including the acquisition forecast) will reduce or control (mitigate) the identified cybersecurity related risks for the company’s e-Commerce operations. Addressed the five NIST Cybersecurity Framework Core Functions in the summary. Appropriately used information from authoritative sources.
Professionalism Part 1: Formatting for Citations and Reference List
5 points
Work contains a reference list containing entries for all cited resources. Reference list entries and in-text citations are formatted using a consistent and professional style for each type of resource.
Professionalism Part 2: Execution
5 points
No formatting, grammar, spelling, or punctuation errors. Appropriately used standard cybersecurity terms and definitions.
