Bahria University
Lahore, Pakistan
PREPARED BY:
MR. SHAWAZ BALUCH
MR. SYED TOUSEEF ALI
MR. DANYAL AHMED
MS (PM) II
DEPARTMENT OF MANAGEMENT SCIENCES
BAHRIA UNIVERSITY, LAHORE, PAKISTAN
Role:
Recipient Name:
Department:
Recipient's Director Name:
Recipient's Manager Name:
Signature:
Dated:
Document Details
Document Title: RADIX Security System
Document Sub-Title: Risk Management Plan
Document No: RMP 001
Prepared By: TSD Consultancy (Pvt) Ltd
Submitted To: MSB Training Consultancy
Dated: November 15th, 2014
Author(s) Details
Mr. Shawaz Baluch | Technical Consultant | MS (PM) II | Pakistan
Mr. Syed Touseef Ali | Technical Consultant | MS (PM) II | Pakistan
Mr. Danyal Ahmed | Technical Consultant | MS (PM) II | Pakistan
Advisor Details
Prof. Mr. M. Salman Bilal
PE, PMP, PMI-ACP, PMI-RMP, PMI-SP, ASQ CSSGB
Ph.D. Scholar (Engineering Management)
M.Sc. Engineering Management (Project Risk Management)
M.Sc. Electrical Engineering (Power Electronics)
B.Sc. Electrical Engineering (Electronics & Telecommunication)
Version History
The table below records how the development and distribution of this document are controlled and tracked. It gives the version number, the author implementing the version, the date of the version, the name of the person approving the version, the date that version was approved, and a brief description of the reason for creating the revised version.
Version Number | Implemented By | Revision Date | Approved By | Approval Date | Description of Change
1.0 | TSD | | Mr. Risk Manager | 14th Nov, 2014 | -
1.1 | TSD | 15th Nov, 2014 | Mr. Project Manager | 18th Nov, 2014 |
Document Authorization - I
This section introduces the authorization of the document: it identifies those who have received a copy of this document and those who have approved its content.
Authorization
Role: Sponsor
Signature:
Signature:
Signature:
Signature:
Copy To
1- Sponsor
2- Prof. Mr Salman Bilal
3- Project Manager
4- Risk Manager
5- Project Departments
Abstract
Managing risk is an essential component of an information security system. Risk management is fundamental to effectively securing information, IT assets, and critical business processes. It is also a challenge to get right: with numerous risk management frameworks and standards available, it can be difficult for practitioners to know where to start and which methodologies to employ.
This document has been prepared by a group of two students from the Department of Management Sciences at Bahria University, Lahore, Pakistan. Both students are registered in the Spring 2014 session and are in the second semester of their Master of Science in Project Management.
In this document we have designed a Risk Management Plan for the RADIX Security System along the lines of the PMBOK Guide, 5th Edition, with the guidance of Prof. Mr. Salman Bilal. The document gives insight into the constituents of a Risk Management Plan, which is the output of the first risk process, Plan Risk Management, and describes how risk management activities will be structured and performed.
Table of Content
2- Introduction
3- Methodology
5- Budgeting
6- Timing
7- Risk Categories
12- Tracking
13- References
Introduction
In this document we are designing a Risk Management Plan for a university RADIX Security System. RADIX is a system that shows the personal and educational profile of students, along with their results and the courses they have passed or are taking in the current semester.
By implementing the security system we need to make sure that there is no intrusion or unauthorized access to the secure layer of the system. Below you can find the depiction of the system layers; we are developing the Risk Management Plan only for the Encryption layer, which is intended to protect the system from hacking-related threats.
Methodology
This section defines the approaches, tools, and data sources that will be used to perform risk management on the RADIX Security System. We shall be following the PMBOK Guide, 5th Edition, for the risk management cycle.
Because circumstances change and initial responses may not be effective, regular review is an important part of managing risk. Shown graphically, risk management is a continuous process, not a single event.
The term methodology means an organized set of principles and rules that drive action in a particular field of knowledge. A methodology does not describe specific methods; nevertheless, it does specify several processes that need to be followed. These processes constitute a generic framework: they may be broken down into sub-processes, they may be combined, or their sequence may change. However, any risk management exercise must carry out these processes in one form or another. The image below shows the Risk Management Process according to ISO Standard 13335.
Risk Management is a recurrent activity that deals with the analysis, planning, implementation, control and monitoring of implemented measures and the enforced security policy. By contrast, Risk Assessment is executed at discrete points in time (e.g. once a year, on demand) and, until the next assessment is performed, provides a temporary view of the assessed risks while parameterizing the entire Risk Management process. This view of the relationship of Risk Management to Risk Assessment is depicted in the figure.
As this document is for the RADIX Security System, which falls entirely within IT risk management, it is necessary to understand the relationship between the risk elements, as depicted in the figure below.
1- Risks List
2- Risk Analysis
3- Risk Details
Diagramming Method:
As per the guidelines of PMBOK 5th edition, section 11.2.2.5.1, the Ishikawa (fishbone) diagramming method is used to identify and explain risks. We will apply this diagramming method. For describing a problem in a summarized way, we have shown the format below, and for discussing matters in detail we shall be using the format mentioned below.
Role | Responsibilities
Business/Functional Team |
Risk Manager |
Integrated Project Team | The IPT is responsible for identifying the risks, the dependencies of the risk within the project, and the context and consequence of the risk. They are also responsible for determining the impact, timing, and priority of the risk as well as formulating the risk statements.
Risk Owner(s) | The Risk Action Owner will ensure that the actions for the risks assessed and evaluated by the Risk Owner are carried out.
Risk Auditor | The Risk Auditor will perform audit actions during the project management process irrespective of risk occurrence.
Budgeting
This section of the document estimates the funds needed, based on assigned resources, for inclusion in the cost baseline, and establishes protocols for the application of contingency and management reserves.
There are three steps involved in risk budgeting:
1- Come up with a target risk level for the project
2- Calculate an estimate of total project risk and build a project document that matches the target risk
3- Manage the project to maintain the risk level close to the target level
Risk Category: Tactical
Sub-Category | Cost (US $) | Schedule (Hours)
Administrative | 5,000 | 2
Academic Data-source | 10,000 | 5
Environmental Risks | 25,000 | 48
Infrastructure | 10,000 | 96
Technological | 95,000 | 120

Risk Category: Operational
Sub-Category | Cost (US $) | Schedule (Hours)
Administrative | 20,000 | 5
Academic Data-source | 30,000 | 10
Environmental Risks | 5,000 | 1
Infrastructure | 5,000 | 1
Technological | No Risk | Null

Risk Category: Regulatory
Sub-Category | Cost (US $) | Schedule (Hours)
Administrative | No Risk | Null
Academic Data-source | 40,000 | 10
Environmental Risks | 45,000 | 1
Infrastructure | 5,000 | 1
Technological | 70,000 | 2

Risk Category: People
Sub-Category | Cost (US $) | Schedule (Hours)
Academic Data-source | 50,000 | 240
Administrative | 10,000 | 20
Environmental Risks | 30,000 | 48
Infrastructure | 90,000 | 100
Technological | 10,000 | 10
Budget Summary:
The RADIX Security System is a nine (09) million project which is intended to be completed in eight (08) months. Below is the summary of the budget; management has allocated 5% of the total budget as contingency reserve and for risk management activities.
Budget summary chart (legend: Product, Risk, Contingency)
*We will discuss budgeting in detail when our Risk Register is completed; as of yet this is a tentative plan. For details please refer to Document RMP-002: Risk Register and Cost Management Plan.
Timing
This section defines when and how often the risk management processes will be performed throughout the project life cycle, establishes protocols for the application of schedule contingency reserves, and establishes risk management activities for inclusion in the project schedule.
To establish and perform risk management processes and protocols we need to identify the risks that could cause a potential loss, and for that the following are to be identified:
Assets, primary (i.e. business processes and related information) and supporting (i.e. hardware, software, personnel, site, organization structure)
Threats
Vulnerabilities
Consequences
The depiction below shows how we will keep track of each risk, and also when an update of the risk management processes is needed.
Risk management activities will be performed and reports documented every 15 days.
Schedule Summary:
We will perform the risk management process on a timely risk schedule. The RADIX Security System is a nine (09) million project which is intended to be completed in eight (08) months. Below is the summary of reserves:
1- One (01) month risk activity
2- Fifteen (15) days contingency reserve in schedule
Please refer to Document RMP-001, Section: Budgeting, Budget Summary, for the schedule contingency reserve. For details please refer to Document RMP-002: Risk Register and Schedule Management Plan.
Risk Categories
The risks faced by our organization during the RADIX Security System project are categorized in relation to what the organization does. There are a number of categories that help to group risks according to the various aspects of the organization and its activities that need to be considered. The main categories give a macroscopic view of the risks identified, and the sub-categories give a microscopic view of the risks understood and identified.
Macroscopic Level Risks
Tactical:
This category looks at external risks that may affect our organization, such as changes in the environment in which we operate. It also covers setting organizational objectives, ensuring the right ones are set, and then meeting them.
Operational:
This category looks at the risks that arise from the services we deliver or the activities we carry out.
People:
This category reviews risks associated with both the employment of staff and the involvement of volunteers and students.
Regulatory:
This category looks at the legislative framework within which our organization operates.
Microscopic Level Risks
Sub Categories:
There are some sub-categories of risk which are solely aligned to the project under discussion, as mentioned below:
1. Administrative
2. Academic Data-source
3. Environmental Risks
4. Infrastructure
5. Technological
Impact Definition
Negligible | Minor | Moderate | Major | Catastrophic
Color Scheme: one colour per impact level (colours not reproduced in this text)
Probability Definition
Unlikely / Low | Possible / Moderate | Likely / High
Color Scheme: one colour per probability level (colours not reproduced in this text)
Controls Definition
These are actions that are intended to manage risk by reducing its impact, its likelihood of occurrence, or both. They should be genuine, practicable and realistic. The possible effects of controls are to:
1. Avoid Risk
2. Seek Risk
3. Modify Risk
4. Transfer Risk
5. Retain Risk
Threats
Probability | 0.05 / Negligible | 0.10 / Minor | 0.20 / Moderate | 0.40 / Major | 0.60 / Catastrophic
0.90 | 0.05 | 0.09 | 0.18 | 0.36 | 0.54
0.70 | 0.04 | 0.07 | 0.14 | 0.28 | 0.42
0.50 | 0.03 | 0.05 | 0.10 | 0.20 | 0.30
0.30 | 0.02 | 0.03 | 0.06 | 0.12 | 0.18
0.10 | 0.005 | 0.01 | 0.02 | 0.04 | 0.06

Opportunity
Probability | 0.60 / Almost Certain | 0.40 / Likely | 0.20 / Possible | 0.10 / Unlikely | 0.05 / Rare
0.90 | 0.54 | 0.36 | 0.18 | 0.09 | 0.05
0.70 | 0.42 | 0.28 | 0.14 | 0.07 | 0.04
0.50 | 0.30 | 0.20 | 0.10 | 0.05 | 0.03
0.30 | 0.18 | 0.12 | 0.06 | 0.03 | 0.02
0.10 | 0.06 | 0.04 | 0.02 | 0.01 | 0.005
Relative scale | 0.05 / Very Low | 0.10 / Low | 0.20 / Moderate | 0.40 / High
Cost | Insignificant cost increase | | 10-20% cost increase | 20-40% cost increase
Time | Insignificant time increase | Less than 5% time increase | 5-10% time increase | 10-20% time increase
Scope | Scope decrease barely noticeable | Minor areas of scope affected | Minor areas of scope affected | Scope reduction unacceptable to sponsor
Quality | Quality degradation barely noticeable | Only very demanding applications are affected | Quality reduction requires sponsor approval | Quality reduction unacceptable to sponsor
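Every cell of the matrix above is the product of the row's probability and the column's impact weight, rounded as printed (0.90 x 0.05 = 0.045 appears as 0.05; 0.10 x 0.05 appears as 0.005). The relative-scale table then tells a risk owner which impact weight a given cost or time overrun maps to. As an added example, not part of the plan and not the authors' or TSD Consultancy's code, the Python below recomputes both halves of the matrix with decimal arithmetic and scores a constructed sample risk through the Time row of the relative scale. The 1% cut-off for "insignificant time increase" and the sample risk are assumptions; an overrun beyond the 0.40 / High band is rejected because the plan's Time row defines no higher band.

```python
from decimal import Decimal, ROUND_HALF_UP

# Scales as printed in the plan's matrix header (threat side). Decimal rather than
# float so that 0.70 x 0.05 is exactly 0.035 and rounds the way the plan shows.
PROBABILITIES = [Decimal(p) for p in ("0.90", "0.70", "0.50", "0.30", "0.10")]
IMPACT_WEIGHTS = {
    "Negligible": Decimal("0.05"),
    "Minor": Decimal("0.10"),
    "Moderate": Decimal("0.20"),
    "Major": Decimal("0.40"),
    "Catastrophic": Decimal("0.60"),
}


def score(probability, impact):
    """Risk score = probability x impact, rounded as the plan prints it.

    The matrix shows two decimals, rounded half-up (0.045 -> 0.05), except that
    a product below 0.01 keeps a third decimal (0.10 x 0.05 is printed as 0.005).
    """
    raw = Decimal(str(probability)) * Decimal(str(impact))
    places = Decimal("0.001") if raw < Decimal("0.01") else Decimal("0.01")
    return raw.quantize(places, rounding=ROUND_HALF_UP)


def threat_matrix():
    """Rows keyed by probability ("0.90" first), columns by impact weight ascending."""
    return {str(p): [score(p, w) for w in IMPACT_WEIGHTS.values()] for p in PROBABILITIES}


def opportunity_matrix():
    """The plan's Opportunity half is the mirror image: impact weights descending."""
    return {p: row[::-1] for p, row in threat_matrix().items()}


# Time-objective bands from the plan's relative-scale table. "Insignificant time
# increase" is not quantified there; the 1% cut-off is an assumption for this example.
INSIGNIFICANT_TIME_PCT = Decimal("1")


def time_impact(pct_increase):
    """Map a schedule overrun in percent to (relative-scale rating, impact weight)."""
    pct = Decimal(str(pct_increase))
    if pct < 0:
        raise ValueError("time increase must be non-negative")
    if pct <= INSIGNIFICANT_TIME_PCT:
        return "Very Low", IMPACT_WEIGHTS["Negligible"]  # 0.05: insignificant
    if pct < 5:
        return "Low", IMPACT_WEIGHTS["Minor"]            # 0.10: less than 5%
    if pct <= 10:
        return "Moderate", IMPACT_WEIGHTS["Moderate"]    # 0.20: 5-10%
    if pct <= 20:
        return "High", IMPACT_WEIGHTS["Major"]           # 0.40: 10-20%
    # The plan's Time row ends at 0.40 / High; anything larger is outside the
    # defined scale, so refuse to score it rather than silently cap it.
    raise ValueError(f"{pct}% time increase is outside the plan's relative scale")


def score_time_risk(probability, pct_increase):
    """Score a risk whose impact is a schedule overrun: returns (rating, P x I)."""
    rating, weight = time_impact(pct_increase)
    return rating, score(probability, weight)


if __name__ == "__main__":
    print("Threats")
    for p, row in threat_matrix().items():
        print(p, " ".join(str(v) for v in row))
    # Constructed sample risk: 50% likely, would add 15% to the schedule.
    print("sample risk:", score_time_risk("0.50", 15))  # ('High', Decimal('0.20'))
```

Because the plan's relative scale stops at 0.40 / High while the matrix carries a 0.60 / Catastrophic column, a risk owner who sees the ValueError knows the scale itself needs extending before that risk can be placed on the matrix, rather than quietly scoring it in the wrong band.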
Reporting Format
This section gives the format of the reports that will be used during the project life cycle. The reports will be in descriptive, tabular and graphical format. Below are the four modes of reports:
1- On Demand
2- Deliverable based
3- Monthly Reports
4- Quarterly Reports
Tracking
This section gives an overview of how risk activities will be recorded for the benefit of the current project and how risk management processes will be audited. We can track risk by making a flow diagram which shows the impact along with it, for example:
Moreover, we will add a reporting format which will be used for the risk management process audit:
To deal with the risk audit, the Risk Auditor will audit every single risk bi-weekly and submit the report to the following:
1- Project Manager
The Risk Auditor will have the authority to hold a meeting after every audit, and those listed above will be the required participants of that meeting. The Risk Auditor should use the attached reporting format for documenting risk audit activity.
References
PMBOK Guide, 5th Edition, Chapter 11
www.google.com
www.wikipedia.com
http://www.mitre.org/publications
http://www.opengroup.org/subjectareas/security/risk
Attached Documents
Sr. No | Document No | Document Title
1 | RMP 002 | Risk Register
2 | RMP 003 |
3 | RMP 004 |
4 | RMP 005 |
5 | RMP 006 |
6 | System Generated No | RiskNav Output