Purpose
This assignment is intended to help you learn to do the following:
Develop a comprehensive set of IT risk scenarios based on available information to determine the potential impact to business objectives and operations.
Identify key stakeholders for IT risk scenarios to help establish accountability.
Establish an IT risk register to help ensure that identified IT risk scenarios are accounted for and incorporated into the enterprise-wide risk profile.
Analyze risk scenarios based on organizational criteria such as organizational structure, policies, standards, technology, architecture, controls to determine the likelihood and impact of an identified risk.
Evaluate and categorize risk with respect to technology; with respect to individuals, and in the enterprise, and recommend appropriate responses. [NSA SRA 3]
The Equifax Incident
This paper centers on the Equifax incident of 2017. Here is an excerpt:
“On September 7, 2017, US credit reporting company Equifax publicly announced that it had been the target of a cyberattack and that the personal information of over 145 million customers – including Social Security Numbers, driver’s license numbers, email addresses, and credit card numbers – had been stolen. The announcement sparked a massive backlash, as consumers and public officials questioned how a company that managed sensitive personal information for over 800 million individuals could have allowed such a breach to happen. It became apparent that Equifax had been criticized for a lack of cybersecurity preparedness.
The case discusses the events leading up to the massive data breach at Equifax, one of the three U.S. credit reporting companies, the organizational and governance issues that contributed to the breach, and the consequences of the breach. The case supplement provides details of how Equifax recovered from the breach and changes the company made. On September 7, 2017, Equifax announced that the personal information of over 140 million consumers had been stolen from its network in a catastrophic data breach, including people’s Social Security numbers, driver’s license numbers, email addresses, and credit card information. The announcement sparked a massive backlash, as consumers and public officials questioned how a company that managed sensitive personal information about over 800 million individuals could have such insufficient security measures. It came to light that Equifax had been aware of critical faults in its cybersecurity infrastructure, policies, and procedures for years but had failed to address them. Equifax’s public response also received criticism. CEO Richard Smith and numerous other executives resigned, and Equifax was left facing dozens of lawsuits, government investigations, and the potential for new regulation.”1
1 Srinivasan, Suraj, Quinn Pitcher, and Jonah S. Goldberg (2017, revised 2019). “Data Breach at Equifax.”
(Links to an external site.)
Harvard Business School Case 118-031.
Overview
Read the Equifax Case Study. Given your knowledge of the Equifax case, develop a risk scenario accounting for threat agent, threat, vulnerability, and possible event characteristics, such as possible time, location, and other circumstances. Feel free to make up additional data if you choose, but ensure you have already exhausted information from the Equifax case. Ensure your paper addresses the following questions:
Who are the stakeholders affected by this risk scenario?
What approach did you use to develop the scenario, top-down or bottom-up? Choose only one and justify your choice.
Which of the following did your scenario address: asset, process, or organizational structure? You can address one, two, or all of them.
Evaluate and categorize risk with respect to technology; with respect to individuals, and in the enterprise, and recommend appropriate responses. [NSA SRA 3]
Your paper must be APA-formatted, 1200 to 1500 words, double-spaced, 12-point font size in Times New Roman.
Action Items
Read the case study Data Breach at Equifax
(Links to an external site.)
.
Write your paper according to the directions in the overview.
Submit your assignment. Your work will automatically be checked by Turnitin.
Review your Submission Details and access your Turnitin report. Revise your work as needed based on the feedback.
By the due date indicated, re-submit the final version of your work.
Submission Instructions
By the due date indicated, upload your work.
Grading Criteria
Read the assignment rubric to understand how your work will be assessed.
This assignment is also used to assess a Cybersecurity Program Learning Outcome (PLO) through the rubric. The PLO assessment will appear as a separate row within the rubric; it will not contribute points to the assignment.
For your information, the following PLO is being assessed:
PLO 3: Employ quantitative and qualitative means to analyze risk in information systems.
