Anthony Redhead
Grantham University Project Management Integration Framework (BA 647)
Introduction
Project risk management supports risk identification and assessment: which risks can be mitigated or corrected, and how to monitor whether they are likely to occur. When resources are outsourced, risk mitigation requires reviewing the efficiency and cost of the services and equipment to be outsourced. To use a risk assessment matrix, however, it is essential that risk be measured accurately. This project evaluates the suitability and potential of outsourcing human capital, Information Technology (IT), and the company's equipment.
Briargrove Computer System Failure Fix Plan
Risk Analysis Matrix
Risk | Probability (1-5) | Severity (1-5) | Score (P x S) | Action to Prevent/Manage Risk
Slippage due to using outsourced IT | 3 | 4 | 12 | Ensure good communication between all parties and a robust project plan for all development
Failure to integrate outsourced staff, IT, or contracted equipment | 2 | 4 | 8 | Compile recommendation report as project output
External technical issues | 2 | 5 | 10 | Ensure full support from KB+ and Serials Solutions; provide workarounds
Internal technical issues | 2 | 4 | 8 | Include appropriate staff in project team; provide workarounds
Outsourcing IT services allows business managers to concentrate on core goals and objectives.
Some managers must otherwise split their energies between activities that engage prospective customers and operational concerns outside the core business (Leung et al., 2013). Outsourcing removes that burden, and managers can focus their energies where their competencies lie. Businesses that must rely on an outside service, however, run the risk of downtime during critical system failures and the resulting loss of productivity. It may take days before a busy IT contractor can devote attention to the problem and resolve it, leaving workers idle and costing hundreds to thousands of dollars in lost revenue. An in-house network administrator becomes intimately familiar with the eccentricities and unique characteristics of the network he or she manages (McWherter & Gowell, 2012) and can therefore deliver results more efficiently, quickly, and personally. Outsourced IT seldom matches the personal touch of an in-house specialist, and many companies reject the thought of giving this up even though they could save money by outsourcing.
Businesses that outsource IT services must verify that the vendor employs security measures that protect them (Leung et al., 2013). This is especially important with offshore companies operating from a foreign country. While these often have strong security protocols, the risk that an employee of the outsourcing company breaches security always exists, and because some countries lack laws protecting intellectual property or other private data, a business may find it difficult to prosecute.
If a business or organization does not choose the right outsourcing partner, the common problems of stretched delivery time frames, sub-standard output, and unmet needs will follow. These factors are easier to control inside one's own organization than through an outsourced partner. Even though outsourcing is usually cost-effective, a contract with a foreign organization can carry hidden costs that pose a serious threat; Briargrove should therefore outsource only to local vendors it selects. An outsourced vendor may also be serving the expertise needs of several organizations at once, and in that situation may not give full attention to your organization's tasks and equipment needs.
Conclusion
Through risk analysis and mitigation, organizations can turn outsourcing into a strategic management practice that helps hold down costs, improve customer satisfaction, and ensure the smooth operation of facilities. Risk assessment lets risk responses and mitigation strategies be expressed, and lets the business make better-informed decisions based on supporting data. However, to use the risk assessment matrix, risk must be measured accurately, because it is scored on severity and probability of occurrence. To receive the full benefits that outsourcing can provide, firms must be prepared for the risks and potential downfalls involved when creating the outsourcing relationship.
References
Kendrick, T. (2009). Identifying and Managing Project Risk (2nd ed.). New York, NY: AMACOM.
Leung, H., Popescu, E., Cao, Y., Lau, R. W. & Nejdl, W. (2011, December). Advances in
Loshin, P. (2013). Simple Steps to Data Encryption: A Practical Guide to Secure Computing. Newnes.
McWherter, J. & Gowell, S. (2012). Professional Mobile Application Development. New York, NY: John Wiley & Sons.
The bug in GE Energy's XA/21 system was discovered in an intensive code audit conducted by GE and a contractor in the weeks following the blackout, according to FirstEnergy Corp., the Ohio utility where investigators say the blackout began. "It had never evidenced itself until that day," said spokesman Ralph DiNicola. "This fault was so deeply embedded, it took them weeks of poring through millions of lines of code and data to find it." The flaw was responsible for the alarm system failure at FirstEnergy's Akron, Ohio control center that was noted in a November report from the U.S.-Canadian task force investigating the blackout. The report blamed the then-unexplained computer failure for retarding FirstEnergy's ability to respond to events that led to the outage, when quick action might have limited the blackout's spread. "Power system operators rely heavily on audible and on-screen alarms, plus alarm logs, to reveal any significant changes in their system's conditions," the report noted. FirstEnergy's operators "were working under a significant handicap without these tools. However, they were in further jeopardy because they did not know that they were operating without alarms, so that they did not realize that system conditions were changing." The cascading blackout eventually cut off electricity to 50 million people in eight states and Canada. The blackout occurred at a time when the Blaster computer worm was wreaking havoc across the Internet. The timing triggered some speculation that the virus may have played a role in the outage -- a theory that gained credence after SecurityFocus reported that two systems at a nuclear power plant operated by FirstEnergy had been impacted by the Slammer worm earlier in the year. Instead, the XA/21 bug was triggered by a unique combination of events and alarm conditions on the equipment it was monitoring, DiNicola said.
When a backup server kicked in, it also failed, unable to handle the accumulation of unprocessed events that had queued up since the main system's failure. Because the system failed silently, FirstEnergy's operators were unaware for over an hour that they were looking at outdated information on the status of their portion of the power grid, according to the November report. The root cause of the outage was linked to a variety of factors, including FirstEnergy's failure to trim back trees encroaching on high-voltage power lines. FirstEnergy says its problems were some of many issues destabilizing power flow in the northeast that day, and that its role in the outage is overstated in the interim report. On Tuesday, the North American Electric Reliability Council (NERC), the industry group responsible for preventing blackouts in the U.S. and Canada, approved a raft of directives to utility companies aimed at preventing a recurrence of the outage. One of them gives FirstEnergy a June 30th deadline to install any known patches for its XA/21 system. FirstEnergy says it already patched the blackout bug last fall, when GE made a fix available, and is in the process of replacing the XA/21 with a competing system -- a changeover that was planned before the blackout. NERC spokesperson Ellen Vancko said the organization would release a more comprehensive list of recommendations next month that would likely instruct all U.S. and Canadian electric companies using GE's XA/21 system to install the patch. "That blackout report will go into much greater detail and will more broadly address the entire industry, whereas this particular report addressed the specific actors involved in the blackout, as well as some specific actions NERC had to take," Vancko said. GE Energy declined repeated requests for comment on the bug.
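The failure mode described above (a processor that hangs without crashing, a backup that chokes on the accumulated backlog, and operators who see no indication either way) can be reproduced in a few dozen lines. The Go program below is an added illustration written for this page, not code from the XA/21 system or from the article; the event timeline, the queue capacities and the two-minute heartbeat limit are constructed assumptions. It shows why an alarm pipeline needs its own liveness signal: a hung processor and a quiet grid produce the same empty alarm log, so only an independent heartbeat check tells them apart.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Event is one alarm condition reported by monitored equipment (constructed data).
type Event struct {
	At   time.Time
	Text string
}

// AlarmServer models an alarm processor. A healthy server heartbeats on every
// scheduler tick; a hung one accepts events and silently drops them.
type AlarmServer struct {
	Name     string
	MaxQueue int       // backlog the server can absorb when it takes over (assumed)
	Healthy  bool
	LastBeat time.Time // last scheduler tick the server completed
	Log      []string  // alarms actually shown to operators
}

var ErrOverrun = errors.New("queued backlog exceeds server capacity")

// Tick is the server's own liveness signal; it is what the watchdog checks.
func (s *AlarmServer) Tick(now time.Time) {
	if s.Healthy {
		s.LastBeat = now
	}
}

// Process delivers an event to operators. It returns false if the event was lost.
func (s *AlarmServer) Process(e Event) bool {
	if !s.Healthy {
		return false // no error, no message: the silent failure
	}
	s.Log = append(s.Log, fmt.Sprintf("%s %s", e.At.Format("15:04"), e.Text))
	return true
}

// TakeOver hands a backlog to the backup. If it is larger than the backup can
// absorb, the backup fails too, as the article reports, instead of pretending.
func (s *AlarmServer) TakeOver(backlog []Event) error {
	if len(backlog) > s.MaxQueue {
		s.Healthy = false
		return ErrOverrun
	}
	for _, e := range backlog {
		s.Process(e)
	}
	return nil
}

// Watchdog checks heartbeat age independently of whether alarms are flowing.
// Quiet equipment and a dead processor look identical in the alarm log; they
// do not look identical here.
func Watchdog(s *AlarmServer, now time.Time, maxSilence time.Duration) (stale bool, msg string) {
	gap := now.Sub(s.LastBeat)
	if gap <= maxSilence {
		return false, ""
	}
	return true, fmt.Sprintf("%s: no heartbeat for %s (limit %s); alarm data is stale", s.Name, gap, maxSilence)
}

// Simulate replays a constructed timeline: the primary hangs at minute 10,
// events queue up until a backup takes over at minute 40 and also fails, and
// the watchdog (two-minute limit) is what first reports the outage.
func Simulate() (lost int, backupErr error, detectedAt time.Duration) {
	start := time.Date(2003, 8, 14, 14, 0, 0, 0, time.UTC)
	primary := &AlarmServer{Name: "primary", MaxQueue: 100, Healthy: true, LastBeat: start}
	backup := &AlarmServer{Name: "backup", MaxQueue: 20, Healthy: true, LastBeat: start}
	var backlog []Event
	detectedAt = -1
	for m := 0; m <= 60; m++ {
		now := start.Add(time.Duration(m) * time.Minute)
		if m == 10 {
			primary.Healthy = false // the hang: no crash, no error, no message
		}
		primary.Tick(now)
		e := Event{At: now, Text: fmt.Sprintf("line %d relay trip", m)}
		if !primary.Process(e) {
			lost++
			backlog = append(backlog, e)
		}
		if m == 40 {
			backupErr = backup.TakeOver(backlog)
		}
		if stale, _ := Watchdog(primary, now, 2*time.Minute); stale && detectedAt < 0 {
			detectedAt = now.Sub(start)
		}
	}
	return lost, backupErr, detectedAt
}

func main() {
	lost, err, at := Simulate()
	fmt.Printf("alarms silently lost: %d\nbackup takeover: %v\nwatchdog first fired %s after start\n", lost, err, at)
}
```

In the simulated hour the watchdog reports trouble two minutes after the hang, while operators watching only the alarm log would see nothing at all, exactly as the task force report describes. The backup's refusal to accept a backlog it cannot process is the other half of the lesson: a failover that silently swallows the queue is worse than one that fails loudly.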
#1: Back up early and often
The single most important step in protecting your data from loss is to back it up regularly. How often should you back up? That depends: how much data can you afford to lose if your system crashes completely? A week's work? A day's work? An hour's work?
You can use the backup utility built into Windows (ntbackup.exe) to perform basic backups. You can use Wizard Mode to simplify the process of creating and restoring backups, or you can configure the backup settings manually, and you can schedule backup jobs to be performed automatically.
There are also numerous third-party backup programs that can offer more sophisticated options. Whatever program you use, it's important to store a copy of your backup offsite in case of fire, tornado, or other natural disaster that can destroy your backup tapes or discs along with the original data.
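The backup utility does the copying, but nothing above says how you would know the copy is good. The Go program below is an added example, not part of the original article and not any vendor's tool; the sample files and the archive format (tar plus a SHA-256 manifest) are the example's own choices. It adds the check a practitioner wants: a manifest of file digests written at backup time, kept with the offsite copy, and a trial restore that compares every entry against it, so that silent media corruption or a missing file is found before the day the backup is needed.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"sort"
	"time"
)

// Constructed sample files; a real job walks a directory tree.
var sampleFiles = map[string][]byte{
	"ledger/2004-q1.csv": []byte("date,amount\n2004-01-05,120.00\n"),
	"notes/readme.txt":   []byte("quarterly close checklist\n"),
}

// Backup writes the files to a tar archive and returns the archive plus a
// manifest of SHA-256 digests. Keep the manifest apart from the archive
// (with the offsite copy) so damage to either one is detectable.
func Backup(files map[string][]byte) (archive []byte, manifest map[string]string, err error) {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic entry order
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	manifest = make(map[string]string, len(files))
	for _, name := range names {
		data := files[name]
		hdr := &tar.Header{
			Typeflag: tar.TypeReg, Name: name, Mode: 0600, Size: int64(len(data)),
			ModTime: time.Date(2004, 1, 15, 0, 0, 0, 0, time.UTC), // fixed: constructed data
		}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, nil, err
		}
		if _, err := tw.Write(data); err != nil {
			return nil, nil, err
		}
		sum := sha256.Sum256(data)
		manifest[name] = hex.EncodeToString(sum[:])
	}
	if err := tw.Close(); err != nil {
		return nil, nil, err
	}
	return buf.Bytes(), manifest, nil
}

// Verify is the trial restore: read every entry back, compare it with the
// manifest, then confirm nothing listed in the manifest is absent.
func Verify(archive []byte, manifest map[string]string) error {
	tr := tar.NewReader(bytes.NewReader(archive))
	seen := make(map[string]bool)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return fmt.Errorf("archive unreadable: %w", err)
		}
		data, err := io.ReadAll(tr)
		if err != nil {
			return fmt.Errorf("%s: %w", hdr.Name, err)
		}
		want, ok := manifest[hdr.Name]
		if !ok {
			return fmt.Errorf("%s: not in manifest", hdr.Name)
		}
		sum := sha256.Sum256(data)
		if got := hex.EncodeToString(sum[:]); got != want {
			return fmt.Errorf("%s: digest mismatch (corrupt or tampered)", hdr.Name)
		}
		seen[hdr.Name] = true
	}
	for name := range manifest {
		if !seen[name] {
			return fmt.Errorf("%s: missing from archive", name)
		}
	}
	return nil
}

func main() {
	archive, manifest, err := Backup(sampleFiles)
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh backup:", Verify(archive, manifest))
	// Simulate one flipped bit on the backup medium, inside a file's data.
	if i := bytes.Index(archive, []byte("quarterly")); i >= 0 {
		archive[i] ^= 0x01
	}
	fmt.Println("damaged backup:", Verify(archive, manifest))
}
```

The manifest is deliberately a separate artifact: a digest stored inside the archive it protects is lost with it. Run Verify on the offsite copy, not the one that was just written, since that is the copy you will actually restore from.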
#2: Use file-level and share-level security
To keep others out of your data, the first step is to set permissions on the data files and folders. If you have data in network shares, you can set share permissions to control what user accounts can and cannot access the files across the network. With Windows 2000/XP, this is done by clicking the Permissions button on the Sharing tab of the file's or folder's properties sheet.
However, these share-level permissions won't apply to someone who is using the local computer on which the data is stored. If you share the computer with someone else, you'll have to use file-level permissions (also called NTFS permissions, because they're available only for files/folders stored on NTFS-formatted partitions). File-level permissions are set using the Security tab on the properties sheet and are much more granular than share-level permissions.
In both cases, you can set permissions for either user accounts or groups, and you can allow or deny various levels of access from read-only to full control.
#3: Password-protect documents
Many productivity applications, such as Microsoft Office applications and Adobe Acrobat, will allow you to set passwords on individual documents. To open the document, you must enter the password. To password-protect a document in Microsoft Word 2003, go to Tools | Options and click the Security tab. You can require a password to open the file and/or to make changes to it. You can also set the type of encryption to be used.
Unfortunately, Microsoft's password protection is relatively easy to crack. There are programs on the market designed to recover Office passwords, such as Elcomsoft's Advanced Office Password Recovery (AOPR). This type of password protection, like a standard (non-deadbolt) lock on a door, will deter casual would-be intruders but can be fairly easily circumvented by a determined intruder with the right tools.
You can also use zipping software such as WinZip or PKZip to compress and encrypt documents.
#4: Use EFS encryption
Windows 2000, XP Pro, and Server 2003 support the Encrypting File System (EFS). You can use this built-in certificate-based encryption method to protect individual files and folders stored on NTFS-formatted partitions. Encrypting a file or folder is as easy as selecting a check box; just click the Advanced button on the General tab of its properties sheet. Note that you can't use EFS encryption and NTFS compression at the same time.
EFS uses a combination of asymmetric and symmetric encryption, for both security and performance. To encrypt files with EFS, a user must have an EFS certificate, which can be issued by a Windows certification authority or self-signed if there is no CA on the network. EFS files can be opened by the user whose account encrypted them or by a designated recovery agent. With Windows XP/2003, but not Windows 2000, you can also designate other user accounts that are authorized to access your EFS-encrypted files.
Note that EFS is for protecting data on the disk. If you send an EFS file across the network and someone uses a sniffer to capture the data packets, they'll be able to read the data in the files.
#5: Use disk encryption
There are many third-party products available that will allow you to encrypt an entire disk. Whole disk encryption locks down the entire contents of a disk drive/partition and is transparent to the user. Data is automatically encrypted when it's written to the hard disk and automatically decrypted before being loaded into memory. Some of these programs can create invisible containers inside a partition that act like a hidden disk within a disk. Other users see only the data in the "outer" disk.
Disk encryption products can be used to encrypt removable USB drives, flash drives, etc. Some allow creation of a master password along with secondary passwords with lower rights you can give to other users. Examples include PGP Whole Disk Encryption and DriveCrypt, among many others.
#6: Make use of a public key infrastructure
A public key infrastructure (PKI) is a system for managing public/private key pairs and digital certificates. Because keys and certificates are issued by a trusted third party (a certification authority, either an internal one installed on a certificate server on your network or a public one, such as Verisign), certificate-based security is stronger than trusting a bare key: the CA has vouched for the binding between the key and the identity of its holder.
You can protect data you want to share with someone else by encrypting it with the public key of its intended recipient, which is available to anyone. The only person who will be able to decrypt it is the holder of the private key that corresponds to that public key.
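EFS (tip #4) and encrypting to a recipient's public key (tip #6) are the same construction: a random symmetric file key encrypts the data once, and that key is wrapped separately under each authorized public key, so the owner, a colleague and a designated recovery agent each hold their own door to the same ciphertext. The Go program below is an added example of that envelope, not the EFS implementation or any Windows API; the key sizes, the names and the AES-GCM/RSA-OAEP choice are the example's own assumptions. Adding a recovery agent is one more wrapped copy of the file key; revoking someone's access means re-encrypting under a new file key, which is exactly the key-management work a PKI exists to organize.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Recipient is a party allowed to open the file: owner, colleague or
// recovery agent. Only their public key is needed to grant access.
type Recipient struct {
	Name string
	Pub  *rsa.PublicKey
}

// Envelope is what gets stored: one ciphertext plus one wrapped copy of the
// file key per authorized party (EFS keeps these as its DDF and DRF entries).
type Envelope struct {
	Nonce, Ciphertext []byte
	WrappedKeys       map[string][]byte // recipient name -> RSA-OAEP(fileKey)
}

var ErrNotAuthorized = errors.New("no wrapped file key for this recipient")

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt: fresh random AES-256 file key, data encrypted once, key wrapped
// under every recipient's public key. The recipient name is the OAEP label,
// so a wrapped key cannot be quietly re-attributed to someone else.
func Encrypt(plaintext []byte, to []Recipient) (*Envelope, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	aead, err := gcm(fileKey)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: make([]byte, aead.NonceSize()), WrappedKeys: map[string][]byte{}}
	if _, err := rand.Read(env.Nonce); err != nil {
		return nil, err
	}
	env.Ciphertext = aead.Seal(nil, env.Nonce, plaintext, nil)
	for _, r := range to {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, r.Pub, fileKey, []byte(r.Name))
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[r.Name] = w
	}
	return env, nil
}

// Decrypt unwraps the file key with the caller's private key, then opens the
// data. No wrapped copy, the wrong private key, or tampered ciphertext all fail.
func Decrypt(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := env.WrappedKeys[name]
	if !ok {
		return nil, ErrNotAuthorized
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, []byte(name))
	if err != nil {
		return nil, err
	}
	aead, err := gcm(fileKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	// Constructed keys; in a deployment they come from certificates issued by a CA.
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	agent, _ := rsa.GenerateKey(rand.Reader, 2048)
	mallory, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, err := Encrypt([]byte("payroll.xls contents"),
		[]Recipient{{"alice", &alice.PublicKey}, {"recovery-agent", &agent.PublicKey}})
	if err != nil {
		panic(err)
	}
	pt, _ := Decrypt(env, "alice", alice)
	fmt.Printf("alice opens:          %q\n", pt)
	pt, _ = Decrypt(env, "recovery-agent", agent)
	fmt.Printf("recovery agent opens: %q\n", pt)
	_, err = Decrypt(env, "alice", mallory) // right name, wrong private key
	fmt.Println("mallory with alice's entry:", err)
}
```

Note what the envelope does and does not give you: the ciphertext is the same for every recipient, so the expensive asymmetric operation runs only on the 32-byte key, and a party whose private key is lost can still be rescued by the recovery agent's copy. What it cannot do is take access away from someone who already has it, since they may have read the data already; that is a policy problem, not a cryptographic one.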
#7: Hide data with steganography
You can use a steganography program to hide data inside other data. For example, you could hide a text message within a .JPG graphics file or an MP3 music file, or even inside another text file (although the latter is difficult because text files don't contain much redundant data that can be replaced with the hidden message). Steganography does not encrypt the message, so it's often used in conjunction with encryption software. The data is encrypted first and then hidden inside another file with the steganography software.
Some steganographic techniques require the exchange of a secret key and others use public/private key cryptography. A popular example of steganography software is StegoMagic, a freeware download that will encrypt messages and hide them in .TXT, .WAV, or .BMP files.
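The Go program below is an added example of the least-significant-bit technique the paragraphs above describe, not StegoMagic or any other product; the 16x16 gradient cover image and the message are constructed. It hides a length-prefixed message in the low bit of each colour channel of an RGBA image, extracts it again, and measures how little the pixels changed. Hiding is all it does: as the text says, encrypt the message first and hide the ciphertext, because anyone who knows the scheme can run Extract as easily as you can.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"image"
	"image/color"
)

var (
	ErrTooLarge = errors.New("message does not fit in cover image")
	ErrCorrupt  = errors.New("no valid message in image")
)

// capacity: one bit per R, G and B channel (alpha untouched), less the
// 4-byte length header.
func capacity(img *image.RGBA) int {
	return img.Rect.Dx()*img.Rect.Dy()*3/8 - 4
}

// Embed writes a 4-byte big-endian length followed by msg into the least
// significant bit of each colour channel. Every channel moves by at most 1.
func Embed(cover *image.RGBA, msg []byte) (*image.RGBA, error) {
	if len(msg) > capacity(cover) {
		return nil, ErrTooLarge
	}
	out := image.NewRGBA(cover.Rect)
	copy(out.Pix, cover.Pix)
	payload := make([]byte, 4+len(msg))
	binary.BigEndian.PutUint32(payload, uint32(len(msg)))
	copy(payload[4:], msg)
	bit := 0
	for i := 0; i < len(out.Pix) && bit < len(payload)*8; i++ {
		if i%4 == 3 { // alpha channel: skip
			continue
		}
		b := (payload[bit/8] >> (7 - uint(bit%8))) & 1
		out.Pix[i] = out.Pix[i]&0xFE | b
		bit++
	}
	return out, nil
}

// Extract reads the length header, sanity-checks it against the image size
// (random low bits rarely yield a plausible length), then reads the message.
func Extract(img *image.RGBA) ([]byte, error) {
	bits := make([]byte, 0, len(img.Pix))
	for i, p := range img.Pix {
		if i%4 != 3 {
			bits = append(bits, p&1)
		}
	}
	byteAt := func(n int) byte {
		var b byte
		for k := 0; k < 8; k++ {
			b = b<<1 | bits[n*8+k]
		}
		return b
	}
	if len(bits) < 32 {
		return nil, ErrCorrupt
	}
	n := int(binary.BigEndian.Uint32([]byte{byteAt(0), byteAt(1), byteAt(2), byteAt(3)}))
	if n < 0 || n > len(bits)/8-4 {
		return nil, ErrCorrupt
	}
	msg := make([]byte, n)
	for i := range msg {
		msg[i] = byteAt(4 + i)
	}
	return msg, nil
}

// newCover is a constructed 16x16 gradient standing in for a real photo.
func newCover() *image.RGBA {
	img := image.NewRGBA(image.Rect(0, 0, 16, 16))
	for y := 0; y < 16; y++ {
		for x := 0; x < 16; x++ {
			img.Set(x, y, color.RGBA{uint8(x * 16), uint8(y * 16), 128, 255})
		}
	}
	return img
}

// MaxChannelDelta reports the largest per-channel change between two images.
func MaxChannelDelta(a, b *image.RGBA) int {
	d := 0
	for i := range a.Pix {
		diff := int(a.Pix[i]) - int(b.Pix[i])
		if diff < 0 {
			diff = -diff
		}
		if diff > d {
			d = diff
		}
	}
	return d
}

func main() {
	cover := newCover()
	stego, err := Embed(cover, []byte("meet at 0900")) // constructed; encrypt first in real use
	if err != nil {
		panic(err)
	}
	msg, _ := Extract(stego)
	fmt.Printf("recovered %q; largest channel change: %d\n", msg, MaxChannelDelta(cover, stego))
}
```

A 16x16 image carries only 92 bytes, which is why real covers are photos and audio: capacity scales with redundant data, as the paragraph notes for text files. The same property cuts the other way for a defender, since a statistical test on the low bits of a suspect image is often enough to show that something has been embedded, even if not what.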
#8: Protect data in transit with IP security
Your data can be captured while it's traveling over the network by a hacker with sniffer software (also called network monitoring or protocol analysis software). To protect your data when it's in transit, you can use Internet Protocol Security (IPsec), but both the sending and receiving systems have to support it. Windows 2000 and later Microsoft operating systems have built-in support for IPsec. Applications don't have to be aware of IPsec because it operates at a lower level of the networking model.
Encapsulating Security Payload (ESP) is the protocol IPsec uses to encrypt data for confidentiality. It can operate in tunnel mode, for gateway-to-gateway protection, or in transport mode, for end-to-end protection. To use IPsec in Windows, you have to create an IPsec policy and choose the authentication method and IP filters it will use. IPsec settings are configured through the properties sheet for the TCP/IP protocol, on the Options tab of Advanced TCP/IP Settings.
#9: Secure wireless transmissions
Data that you send over a wireless network is even more subject to interception than data sent over an Ethernet network. Hackers don't need physical access to the network or its devices; anyone with a wireless-enabled portable computer and a high-gain antenna can capture data and/or get into the network and access data stored there if the wireless access point isn't configured securely.
You should send or store data only on wireless networks that use encryption, preferably Wi-Fi Protected Access (WPA), which is stronger than Wired Equivalent Privacy (WEP).
#10: Use rights management to retain control
If you need to send data to others but are worried about protecting it once it leaves your own system, you can use Windows Rights Management Services (RMS) to control what the recipients are able to do with it. For instance, you can set rights so that the recipient can read the Word document you sent but can't change, copy, or save it. You can prevent recipients from forwarding e-mail messages you send them, and you can even set documents or messages to expire on a certain date/time so that the recipient can no longer access them after that time.
To use RMS, you need a Windows Server 2003 server configured as an RMS server. Users need client software or an Internet Explorer add-in to access the RMS-protected documents. Users who are assigned rights also need to download a certificate from the RMS server.
Purpose
The purpose of this Guideline is to instruct users on appropriate use of Administrator Access to Carnegie Mellon University (“University”) computing and information resources and to aid in the interpretation of requirements set forth in the University Computing Policy.
Applies To
This Guideline applies to all University system and application administrators and any other personnel who are provided with Administrator Access to University computing and information resources.
Definitions
Administrator Access is defined as a level of access above that of a normal user. This definition is intentionally vague to allow the flexibility to accommodate varying systems and authentication mechanisms. In a traditional Microsoft Windows environment, members of the Power Users, Local Administrators, Domain Administrators and Enterprise Administrators groups would all be considered to have Administrator Access. In a traditional UNIX or Linux environment, users with root level access or the ability to sudo would be considered to have Administrator Access. In an application environment, users with ‘super-user’ or system administrator roles and responsibilities would be considered to have Administrator Access. In principle, this guidance applies to any user account, in that access rights are to be used solely for their intended business purpose.
Non-public Information is defined as any information that is classified as Restricted Information (both Moderately Sensitive and Highly Sensitive) according to the University Guidelines for Data Classification. Access to Restricted Data must be approved by the designated Data Owner (Data Steward) as defined in the University Information Security Policy under Roles and Responsibilities.
Guidelines
The University Computing Policy provides a framework for appropriate and inappropriate use of University computing and information resources. More specifically, the University Computing Policy prohibits, “Using a computer system without proper authorization granted through the University, college or department management structure.” It further prohibits attempts to “...circumvent system security without the explicit permission of the owner of that system.” System administrators and other University personnel with Administrator Access to computing and information resources are entrusted to use such access in an appropriate manner. The following provides high-level guidance on what constitutes appropriate and inappropriate use of Administrator Access.
Appropriate Use of Administrator Access
Administrator Access to University computing resources should only be used for official University business. While the University Computing Policy permits reasonable personal use of computing resources, this is restricted to non-administrative activities. Use of Administrator Access should be consistent with an individual’s role or job responsibilities as prescribed by management. When an individual’s role or job responsibilities change, Administrator Access should be appropriately updated or removed. In situations where it is unclear whether a particular action is appropriate, and within the scope of current job responsibilities, the situation should be discussed with management.
Inappropriate Use of Administrator Access
In addition to those activities deemed inappropriate in the University Computing Policy, the following constitute inappropriate use of Administrator Access to University computing resources unless documented and approved by management:
Circumventing user access controls or any other formal University security controls
Circumventing bandwidth limits or any other formal University computing controls
Circumventing formal account activation/suspension procedures
Circumventing formal account access change request procedures
Circumventing any other University procedures that are in written form and/or approved by some level of management
The following constitutes inappropriate use of Administrator Access to University computing resources under any circumstances, regardless of whether there is management approval:
Accessing Non-public Information that is outside the scope of specific job responsibilities
Exposing or otherwise disclosing Non-public Information to unauthorized persons
Using access to satisfy personal curiosity about an individual, system, practice, or other type of entity.