Analyze an organization’s tolerance for risk and develop an appropriate security policy to address risk.

Part 1:

Using the assigned reading and your own research, write a 500-word paper that defines the three levels of risk tolerance (risk-averse, risk-neutral, and risk-seeking). Include the following in your discussion.

Provide a real-world organization that is an example of each level of risk tolerance. Include the company name and industry for each. Include an explanation of whether the company is risk-averse, risk-neutral, or risk-seeking.

Summarize the advantages and disadvantages each organization faces while engaging in the form of risk tolerance it exhibits.

Using one of the three organizations profiled, explain how the pillars of information security (confidentiality, integrity, and availability) influenced the risk tolerance perspective of the organization. In your discussion, consider the regulations the organization must adhere to, relationships with third-party organizations with remote access, customer expectations of security, and the level of availability the organization must sustain.

Part 2:

Using the “Information Security Policy Template,” complete the policy in alignment with one of the three organizations you explored in Part 1 of the assignment. Ensure you design the policy in accordance with the risk tolerance of the organization. Include the following in your design:

Identify 20 potential risks, defining both threat (condition) and impact (consequence). Review Chapter 1 in Information Security Risk Assessment Toolkit: Practical Assessments Through Data Collection and Data Analysis when completing this portion of the assignment.

Define a policy to monitor (risk-seeking), control (risk-neutral), or remove (risk-averse) the risk.

Submit the 500-word paper and completed “Information Security Policy Template.”
