Use the IT policy control framework developed in the previous assignment to add a risk assessment to your IT solution strategic plan. Once your risk reduction and control strategy is in place, make provisions in system policies for a quality assurance and management program.
Begin by categorizing potential vulnerabilities and risks that must be addressed by policies, standards, and procedures based on the risk matrix for your organization (if available) or created by you similar to the example in Figure 6.
Figure 6. Sample Risk Matrix. US gov [Public domain] Retrieved from https://upload.wikimedia.org/wikipedia/commons/b/b4/Risk_Matrix_Simple.jpg
Plan to include the potential vulnerabilities and risks table as part of the introduction in your IT solution strategic plan.
Address provisions and processes for risk assessment and evaluation (at the network, operating system, data, and software layer).
You could use spreadsheet software to configure the matrix and levels of categorization for all layers:
network infrastructure risk criteria and tolerance levels
operating systems
database and application risk criteria for risk assessment and management.
Based on your scenario, identify and develop a risk register (a sample is shown below) in which you identify potential risks and their severity level; then present and discuss the corrective measures to be taken by inserting provisions in policies, standards, and standard operating procedures.
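As an added worked example (not part of the assignment text or the referenced figures), the following Python builds a small likelihood-by-impact matrix and derives a risk register from it, flagging risks that exceed a layer's tolerance level; the three-level scales, the per-layer tolerance thresholds and the sample risks are assumptions for illustration.

```python
from dataclasses import dataclass
# Assumed 3-level scales; the matrix cells are Low/Medium/High as in Figure 6.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
# Assumed per-layer tolerance: a score above it needs a policy/standard/SOP provision.
TOLERANCE = {"network": 2, "os": 2, "data": 1, "software": 4}

@dataclass
class Risk:
    risk_id: str
    layer: str           # network, os, data or software
    description: str
    likelihood: str
    impact: str
    corrective_measure: str

def score(likelihood, impact):
    """Matrix cell value: likelihood x impact (1..9 on the assumed scales)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def severity(likelihood, impact):
    """Map the score onto the matrix bands: 1-2 Low, 3-4 Medium, 6-9 High."""
    s = score(likelihood, impact)
    return "High" if s >= 6 else "Medium" if s >= 3 else "Low"

def build_register(risks):
    """Risk-register rows, highest score first, flagging risks above the layer's tolerance."""
    rows = []
    for r in risks:
        s = score(r.likelihood, r.impact)
        rows.append({"id": r.risk_id, "layer": r.layer, "description": r.description,
                     "score": s, "severity": severity(r.likelihood, r.impact),
                     "exceeds_tolerance": s > TOLERANCE[r.layer],
                     "corrective_measure": r.corrective_measure})
    return sorted(rows, key=lambda row: row["score"], reverse=True)

SAMPLE_RISKS = [  # constructed sample entries, one per layer the assignment names
    Risk("R-01", "network", "Unpatched edge firewall firmware", "medium", "high",
         "Patch-management standard: monthly firmware review"),
    Risk("R-02", "os", "Local admin rights on all workstations", "high", "medium",
         "Access-control policy: least-privilege accounts"),
    Risk("R-03", "data", "Backups stored unencrypted", "low", "high",
         "Data-protection policy: encrypt backups at rest"),
    Risk("R-04", "software", "No input validation in web app", "medium", "medium",
         "Secure-coding standard: validation gate in SDLC"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(row["id"], row["layer"], row["score"], row["severity"], row["exceeds_tolerance"])
```

The register rows can be exported to the spreadsheet you submit; the `exceeds_tolerance` column is the list of risks that must receive a control provision in the policy outline.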
Figure 7. Sample Risk Register. Retrieved from https://prince2.wiki/management-products/risk-register/
Create an outline that describes the main policies and standards to be developed. Do not write the entire policy; create only an outline of the content each policy must have, specifically related to IT controls.
For each policy, outline the main control provisions based on your assessment and your risk categorization.
Include the risk matrix and risk register in your document, aligned with the network and applications to be assessed and controlled. You will submit 3 files: the paper, the risk matrix, and the risk register.