Task:
For this project, you will investigate and then summarize key aspects of risk and risk management for acquisitions or procurements of cybersecurity products and services. The specific questions that your acquisition risk analysis will address are:
1. What types of risks or vulnerabilities could be transferred from a supplier and/or imposed upon a purchaser of cybersecurity related products and/or services?
2. Are suppliers liable for harm or loss incurred by purchasers of cybersecurity products and services? (That is, does the risk transfer from seller to buyer?)
3. How can governance frameworks be used by both suppliers and purchasers of cybersecurity related products and services to mitigate risks?
For this assignment, your “purchaser” will be the same company that you researched in Project #2. You should reuse relevant information from your risk assessment and risk profile (especially your recommended security controls).
Begin by reviewing your selected company’s needs or requirements for cybersecurity (this information should have been collected your earlier projects in this course). What information and/or business operations need to be protected? What are the likely sources of threats or attacks for each type of information or business operation? What technologies, products, or services did you identify and discuss in your risk management strategy / acquisition forecast?
Next, you will research how operational risk during the manufacturing, development, or service delivery processes can affect the security posture (integrity) of products and services listed in your acquisition forecast. You will then explore the problem of product liability and/or risk transference from supplier to purchaser as products or services are delivered, installed, and used. You will also need to examine the role that IT governance frameworks and standards can play in helping purchasers develop and implement risk mitigation strategies to compensate for potential risk transfer by suppliers.
Once you have completed your research and analysis, you will summarize your findings in an acquisition risk analysis for cybersecurity products and services. This analysis should be suitable for use by the company’s senior managers in developing a company-wide risk management strategy for acquisition and procurement activities which could impact the company’s cybersecurity posture.
1. Review your work for projects 1, 2, and 3.
2. Review your previous work as to the role of IT Governance standards in helping businesses identify and manage risks arising from the purchase of IT related products and services.
3. Review the course readings relating to the Cybersecurity industry and sources of products and services.
If you have not previously done so, identify three or more categories of cybersecurity products or services which your selected company is likely to purchase. Investigate the characteristics of these products / services. You should also identify possible vendors or sources from whom these can be purchased or acquired (e.g. open source software is acquired rather than bought or “purchased”). You should focus on products which can help reduce risks associated with e-Commerce and protection of customer information, protection of online ordering systems, etc.