1. Red Clay Renovations specializes in the renovation and rehabilitation of residential buildings and dwellings using smart home and Internet of Things (IoT) technologies while maintaining period correct architectural characteristics. The company is headquartered in Wilmington, Delaware, with field offices in Baltimore, MD, and Philadelphia, PA and an operations center in Owings Mills, MD. As the company looks to consolidate all information technology (IT) and IT related resources under the company’s central management, consideration must be given to the development of a risk management strategy across all corporate operations.
The Department of Homeland Security (DHS) defines risk management as “the process for identifying, analyzing, and communicating risk and accepting, avoiding, transferring, or controlling it to an acceptable level considering associated costs and benefits of any actions taken” (Department of Homeland Security, 2010). The DHS risk management process comprises seven phases: (a) defining the context, (b) identifying the risk, (c) assessing the risk, (d) developing alternatives, (e) implementing risk management strategies, (f) evaluation and monitoring, and (g) risk communications. For Red Clay Renovations, there are two options to consider when developing a company risk management plan: an overarching plan that takes into account all business lines and potential risk areas, or individualized plans tailored to each aspect of the business, such as an IT risk management plan.
One of the benefits of developing an overarching risk management plan is that it “facilitate(s) the ability to compare risks, as required, across the organization and provide reasonable assurance that risk management can be conducted coherently” (Department of Homeland Security, 2011). Additionally, a company-wide risk management policy will allow managers to view and mitigate risk at an enterprise level. Those responsible for day-to-day operations at, say, the field office level are not necessarily aware of key risks that may affect the company from a strategic perspective.
In contrast to an enterprise-wide risk management strategy, some organizations develop business-unit-level risk policies, such as an IT Risk Management Policy or an Operations Risk Management Policy. Development of these more specific risk policies may allow the organization to focus on a key aspect of its operations and to identify critical risks and the controls for those risks. It may also provide organizational leadership with tactical-level detail of a business unit’s operations, risks, and controls, allowing for more focused decision making. However, as stated previously, these individual risk plans do not necessarily take into account the strategic risks faced across the organization, and they would require careful communication and evaluation at the enterprise level.
The use of training and doctrine as a risk management strategy will facilitate the development of a risk management culture within Red Clay Renovations. Risk management doctrine, such as that developed by the DHS, the U.S. Military, and numerous private organizations, provides strategic guidelines for identifying risk, developing controls, and mitigating risk. According to The Public Risk Management Association (2010), “The outputs from successful risk management include compliance, assurance and enhanced decision-making” and “will provide benefits by way of improvements in the efficiency of operations, effectiveness of tactics (change projects) and the efficacy of the strategy of the organization.” Once doctrine has been established, managers and employees should be trained on the policies and processes it contains, to ensure consistency across the organization and to empower employees at all levels to identify and manage corporate risk.
Department of Homeland Security. (2010). DHS Risk Lexicon. Washington, DC: Department of Homeland Security.
Department of Homeland Security. (2011). Risk Management Fundamentals. Washington, DC: Department of Homeland Security.
The Public Risk Management Association. (2010). A structured approach to enterprise risk management (ERM) and the requirements of ISO 31000. Alexandria, VA: The Public Risk Management Association.
As the world of information technology grows, so do the threats that exist within the cyber domain. These threats come in many different forms, from innocent users to criminals looking to exploit their next victim. No one is safe in today’s world, and it is important for any and every user to fully understand the repercussions.
The DoD has decided, essentially, to start holding people accountable. While the DoD handles classified information whose exposure can be a threat to the national security of the United States, the basic principle remains the same: to hold people accountable for their actions. Red Clay Renovations stores and transmits data that falls under the Privacy Act of 1947 along with HIPAA information. These forms of information are all PII and, in the wrong hands, could cause detrimental harm to the persons concerned.
“There is often a lack of recognition and, in some cases, denial that human error may have been the root cause for a successful network intrusion in the first place. The failure to recognize this cause and effect relationship leads to individuals to sometimes place personal convenience ahead of operational security or to regard information systems with less care and caution than they would a kinetic weapon system” (DoD, 2015). This paragraph summarizes the mentality people have in today’s world. They feel protected by the systems rather than contributing to their protection.
At Red Clay Renovations, the risk management strategy selected by the DoD, essentially holding people accountable for their actions, could apply as well. The results would have numerous impacts, both positive and negative. A few positive impacts include isolating the problems and ultimately making people more aware of their actions.
If individuals are more aware of their actions and their potential effect, then the result will be beneficial. When people are in fear of losing their job or, worse, going to jail, they tend to think a bit longer about their actions. Some negative impacts include genuine accidents: not everyone is tech savvy, and mistakes will happen; that is just the nature of the beast. However, if we hold everyone to the same standard, then some innocent people may get in trouble for simple mistakes.
As a risk management strategy, it works well in an environment that handles classified information and, honestly, it absolutely has to, given the information being shared. However, in a regular enterprise environment this is something that would need a few tweaks prior to implementation. We need to maintain the high standards as depicted but also need to allow some leniency. Placing responsibility on the end users is important, but the brunt of the weight still needs to rest on the cybersecurity experts.
DoD. (2015, September). Department of Defense Cybersecurity Culture and Compliance Initiative (DC3I). Retrieved from http://www.defense.gov/Portals/1/Documents/pubs/OSD011517-15-RES-Final.pdf
DoD program manager’s guidebook for integrating the Cybersecurity Risk Management Framework (RMF) into the system acquisition lifecycle. (2015). Version 1.0.
Langer, L., Skopik, F., Smith, P., & Kammerstetter, M. (2016). From old to new: Assessing cybersecurity risks for an evolving smart grid. Computers & Security, 62, 165-176. doi:10.1016/j.cose.2016.07.008