Flayton Electronics Risk Management Plan

Introduction

The following risk management plan is designed for the case of Flayton Electronics. The company is currently in crisis: its system was hacked and information on more than 1500 of its customers was accessed illegally. It is not clear at what point the information was compromised, who was responsible, or which portfolios were affected. The company CEO, Brett, is bidding to get to the core of the matter. The CEO believes that the company is compliant with the Payment Card Industry (PCI) standards and, further, that the company has employed competent Information Technology personnel. The data breach may have occurred at various stages along the system: the cash register, the card reader, the bank – card reader interface, the company computers, the stores – bank link, or an inside job. At the technological level, the risk remains wide and the responsible person has not been found. According to Sergei Klein, in charge of IT, the company is not fully compliant with PCI; he estimates compliance at 75%, and there remains the challenge of matching the dynamics of technology with the standardized systems. Sergei also noted that a firewall linked to the automated inventory system was disabled without his knowledge.


In perspective, Flayton Electronics is currently at great risk because the number of affected clients is increasing, the company will have to inform other institutions and stakeholders, and either the bank or the company will have to notify the customers. The impact of the risk is at both the technological and the management level.

Project description

The risk management plan puts into perspective the case highlighted in the introduction. The plan will take six months and its budget is $100,000.

The objectives of the risk management plan include:

  1. To determine the components, interfaces, and external sources that may affect the security of information at Flayton Electronics.
  2. To develop an organizational policy on information security and robust optimization.
  3. To review the degree and criteria of compliance with the international standards of practice.
  4. To develop a strategy for hiring employees and terminating their services without jeopardizing the security of the company.
  5. To invest resources in specific technologies that increase the safety of data.
  6. To develop a model and paradigm of organizational culture on information security.


Application of the ATOM process

The following ATOM process will be used for the Flayton Electronics risk management plan.

  • Initiation – Develop specific deliverables, assign responsibility to specific employees, set the time frame, provide the requisite information and resources, and inform all the relevant authorities of specific issues of the plan.
  • Identification – The following items are identified as potential risks: dismissed employees, the degree of compliance with the technology standards, the interface between Flayton Electronics and Union Century Bank, the interface between Union Century Bank and the inventory system, the electronic transaction cards, stolen computers, and a review of the standard risk checklist.
  • Assessment
    • Organizational culture – honesty, trust, responsibility, commitment
    • Service delivery – transaction security, searching the catalogues, and transactions
    • Human resource – recruitment, applicant tracking, employee reporting, induction training, competence of employees, job termination process, and disciplinary action
    • Software and systems – server supports, backup systems, database support, data interface, programming tool kit, documentation, application interfaces, and mobile/wireless technology support.
    • Inventory management – pricing and discount calculations, item data elements, automated inventory system, lot and serial number generation, monitoring of returns
    • Profiles of the vendor – time in business, financial records, custom software


  • Response planning
    • Dismissed employees – to be investigated on whether they are linked to the current data breach. HRM is to develop a model of recruitment and job release that will prevent employees from using information against Flayton Electronics.
    • Degree of compliance with the technology standards – Sergei and the IT department should point out the specific issues that prevent Flayton from being PCI compliant.
    • Interface between Flayton Electronics and Union Century Bank – to review the information shared during the transaction. There must be clarity on who owns the risk.
    • The interface between Union Century Bank and the inventory system – the plan seals the possible redirection of transaction details to a different computer. The possibility of a leak of ciphered account details cannot be ignored.
    • The electronic transaction cards – the plan reviews the data stored in the cards and the possible uses of the data and the codes of the card. There must be clear information on the relationship between the card functionality and PCI compliance.
    • Stolen computers – the risk management plan investigates the safety of information on stolen computers and other hardware. The information in computers should be secure, and when hardware is stolen the related information and links should be changed immediately.


  • Reporting – this is done by the communications department, currently headed by Sally O’Connor. Timing, accuracy and the impact of the report should be determined.
  • Implementation – implementation will consider the objectives, initiation, identification, and response planning.
  • Review – review may be done by the top management of Flayton Electronics. The implementing team may also report to the CEO directly. Reviews may also be done by external regulators on the effectiveness of the system.
  • Post project review – the review will be subject to the objectives. The project ought to achieve the objectives or gain a tendency towards a secure system.

Risk tools and techniques

Project sizing tool

Projects are categorized as small, medium, or large. Total scores are used to determine the size of the project, as follows:

  • ≥ 75: large project
  • 35 – 74: medium project
  • < 35: small project


See Appendix 1: the project sizing tool by Hillson and Simon (2007) provides the details against which the following case interpretation is made.

The criterion values (2, 4, 8, 16) are linked to the characteristics of the project and of the company in the case study, Flayton Electronics.

| Criterion | Score | Criterion value descriptor | Reason from the case study |
|---|---|---|---|
| Strategic importance | 6 | Major contribution to business objectives | The money in the cards is protected by the issuing company. The hacked information will affect the transactions if the hackers divert money from the customers' accounts. |
| Commercial/contractual complexity | 4 | Minor deviation from the existing commercial practices | The existing technology and customer service structures will not be overhauled. The company is already looking for a specific loophole that may have caused the data breach; therefore, fixing a specific issue will cause only minor deviations in commercial practice. |
| External constraints and dependencies | 6 | Key project objectives depend on external factors | The project depends on the Secret Service, the technology regulators, the banking sector, and the regulators in the banking sector. |
| Requirement stability | 4 | Some requirement uncertainty, minor changes during the project | There will be changes in the training of new employees, compliance procedures, and the card reader – bank – inventory interface. |
| Technical complexity | 4 | Enhancement of the existing product/services | The company focuses on ensuring that the customers get better services than those given by the competitors. |
| Market sector regulatory | 6 | Challenging regulatory requirements | Flayton Electronics depends on the banking and technology companies. Each of the two industries has an independent regulator. |
| Project value | 2 | Small project value (< $250) | The project budget is $100,000. |
| Project duration | 4 | Duration 3 – 12 months | The project will take six months. |
| Project resources | 8 | Large project team including external contractors | More than 15% of the customers were affected. This means that the company serves thousands of clients, so the project team must be large to cater for all the clients. Technologies and banking services involve external entities. |
| Post project liabilities | 4 | Acceptable exposure | This will depend on the way Flayton communicates with the stakeholders and the company. The possibility of legal suits may also pose potential liabilities. |
| Total score | 48 | | |

The total score is 48, which indicates that the company will undertake a medium project. The project value of $100,000, however, rates it as a small project. Therefore, the current allocation is less than the amount expected for a project of this size.

Organization, roles, and responsibilities for risk management

Project sponsor

They are concerned with the overall effect of the risk to the business. In the case study the sponsors may be concerned with the stock in the stores, the capital assets, the security of money in Flayton Electronics account, and the brand. The sponsor looks at the comeback strategy and the rebranding process in case there is such a need. The sponsors authorize the release of management reserves funds to fund the project where necessary.

Project manager

Project managers will deal with the strategic and policy matters of the plan. The strategies and the policies help the management plan meet the objectives. Project managers oversee and supervise the work of the employees. They evaluate the risk situation of the company and report to the top management, stakeholders, and sponsors. The project managers ensure that the project resources are available at the right time.


Risk champion

The person or the internal organ directly in charge of the risk project.

Risk owner

This refers to the person, internal organ, or external institution that bears the responsibility for implementation and for communication on the progress of the project.

Project team member

The employees and the investigative agency officers who are responsible for the tactical and actual activities of the project risk management.

Risk Tools and Techniques

These are tools that have been empirically tested and found fit to assess the risk of an entity or process. In the case of Flayton Electronics, the risk tools and techniques will guide the project implementation in the following aspects:


Gather and represent data. Gathering data will help the company establish the trends of information risks and behaviors of suspected persons.

  1. Interviews – interviews can be structured or non-structured. They are carried out formally by engaging the employees in inquests and using the services of the security agencies. Interviews can also be done in groups and teams during the workshops and seminars on organizational security.
  2. Questionnaires – are used to gather data that is analyzed to establish the state of organizational risk. Questionnaires can also serve in getting information from the employees on the most effective ways to improve information security and general operations. Questionnaires are used to gather both qualitative and quantitative data.
  3. Monte Carlo simulation techniques – this is a special risk assessment model for quantitative variables. It generates probabilistic estimates of the costs and schedule of undertaking the project.

Qualitative and quantitative analysis

The following table will be used to analyze the risk levels of the breached data in Flayton Electronics. The risk components are derived from the standard risk breakdown structure (Hillson and Simon, 2007). The interpretation of the risk components is explained in Appendix 2.

Definitions of probability and impacts

| RBS level 1 | Risk specification | Probability | Impact | Rationale |
|---|---|---|---|---|
| Technical risk | Degree of compliance with the technology standards | Medium | High | The customers use the electronic cards for transactions with the company. A risk on the cards affects the transactions and their banking information, and this may also impact their trust in the company. Technical risk has a high probability of creating unexpected effects because the company may not know how the criminals will use the data. |
| | Interface between Flayton Electronics and Union Century Bank | High | Very High | |
| | Interface between Union Century Bank and the inventory system | High | Very High | |
| | The electronic transaction cards | High | Very High | |
| | Breach of information from stolen computers | Low | Low | |
| Management risk | Dismissed employees | Medium | Medium | The probability of dismissed employees causing a risk can be minimized by monitoring and by ensuring that their departure is justified. |
| | Standard risk checklist | High | High | |
| | Miscommunication | Medium | Medium | |
| Commercial risk | Competitors taking advantage of the situation | Medium | Medium | Commercial risk is manifested in a low number of customers using the company outlets. Since the customers' money is safe, the company and the bank can put in place measures to counter possible use of the information to divert money to other accounts. |
| | Number of affected customers | Low | Low | |
| External risk | Legal suits | Low | Low | These risks are functional failures; they affect the individual company more than the clients and the partners. |
| | Failure by regulators | Low | Low | |

Probabilistic assessment of the risk: very high ≥ 90%; high = 80%; medium = 50%; low = 20%; very low ≤ 10%.

Impact of the risk: very high ≥ 10%; high = 8%; medium = 4%; low = 2%; very low ≤ 1%.

Technical risk probability = 50, 80, 80, 80, 20; average = 310/5 = 62 %

Technical risk impact = 8, 10, 10, 10, 1; average = 39/5 = 7.8 %

Management risk probability = 50, 80, 50; average = 180/3 = 60 %

Management risk impact = 4, 8, 4; average = 16/3 = 5.3 %

Commercial risk probability = 50, 20; average = 70/2 = 35 %

Commercial risk impact = 4, 2; average = 6/2 = 4 %

External risk probability = 20, 20; average = 40/2 = 20 %

External risk impact = 2, 2; average = 4/2 = 2 %

The company has high risk in the technical and management portfolios.

Qualitative risk factors

They are descriptive. They explain the level of risk to the company. For statistical analysis, the qualitative information may be represented on a Likert scale. The following risk factors are qualitative: failure by the regulators, bad reputation, legal suits, competitors taking advantage of the situation, miscommunication, and dismissed employees.

Quantitative risk factors

They are represented numerically. They can be assessed and assigned a probabilistic value. The following factors are quantitative: the number of affected customers, the monetary cost of legal processes, the number of electronic transactions, the interface between Union Century Bank and the inventory system, and the percentage of compliance with the technology standards.


Response mechanism

| Threat response | Threats | Opportunity response | Opportunities |
|---|---|---|---|
| Avoidable threats | Threats that affect the operations and organizational bank accounts; data breach | Exploit | Trust of the customers; employee competence; brand name and competitive advantages |
| Transferrable threats | Threats coming from failed regulators; threats on contractual and outsourced services | Share | |
| Threats to mitigate | Replacement of failed operating systems and devices | Enhance | The relationship with the security agencies |
