The final assessment for ITC 596 is to deliver an IT Risk Assessment Case Study in support of a significant technology decision that is to be taken by a fictional company called Aztek that operates in the Australian Financial Services sector.
Senior executives in both business and technology divisions within Aztek have collected a portfolio of projects from their respective strategists that could potentially be funded for deployment. The portfolio includes projects such as:
• Allowing employees to bring their own devices (laptops, tablets and mobile phones for example) into the workplace to be used as their main or sole devices in achieving their work tasks.
• Migrating business-critical applications and their associated data sources to an external Cloud hosting solution.
• Outsourcing key IT functionality such as the network, desktop management or application development to a third party.
• Upgrading or introducing a major technology such as mobile platforms and applications, migrating to an improved networking technology (such as IPv6), creating a corporate-wide email archive for compliance purposes, or upgrading applications and desktop operating systems.
Each of these potential projects carries significant IT risks which will need to be managed to support the business case as to whether the project should go forward. In this case study, you are the IT Risk Assessment lead at Aztek, and your role is to be the interface between business stakeholders and technologists, translating potential technical difficulties into risk language to facilitate effective decision-making.
For the Aztek case study you will need to select one of the projects from the list above for a thorough IT Risk Assessment. You may select another project beyond those listed above with the approval of the subject coordinator, and you may wish to select a project that is relevant to your workplace, for example.
The deliverable for this ITC 596 Case Study is an IT Risk Assessment report, written for the intended audience of Aztek management, providing a risk assessment of the project you have selected to consider.
The report must be a Microsoft Word document, 15 – 25 pages in length at 12 point font and single spacing. The report must address the following:
• An Executive Summary at the beginning of the report which provides a clear statement of the IT technology project that is being assessed, and an overview of your recommendations to Aztek management as to the merits of the project based on your risk assessment (2 – 3 pages in length).
• A review of the project with respect to the Financial Services sector, which would include any relevant government or industry regulation or compliance, and any established best practices (2 – 3 pages in length).
• A review of the project impact on the current security posture of Aztek, as expressed by its current maturity against IT Security policies and procedures (3 – 5 pages in length).
• A risk assessment based on threats, vulnerabilities and consequences derived from an IT control framework and any existing industry risk recommendations for the project. For example, there are several consortia for Cloud Computing that have created IT Risk Assessments for this technology (4 – 10 pages in length).
• Specifically address risks for Data Security from the viewpoint of what data will be used in the project, who will have access to the data and where the data will flow (2 – 4 pages in length).
assess that the student has a holistic grasp of IT Risk Assessment techniques and issues, which can then be applied to produce valuable support for decision-makers.
- Develop an IT Risk Assessment opinion from both a bottom-up perspective of assessing controls, threats and vulnerabilities, and translate these findings into business risk
- Deliver an IT Risk Assessment based on a proposed business project that required technical risk to be assessed and managed.
|Completeness, purpose, meaning, formatting, grammar||The report addresses all the stated sections in detail, with a common meaning and purpose flowing through the sections, leading to an authoritative conclusion, in a well-formatted document written without||The report addresses all the stated sections in detail, a common meaning and purpose flowing through the sections, leading to a convincing conclusion, in a well-formatted document written without grammatical errors.||The report addresses all the stated sections in detail, leading to a convincing conclusion, in a well-formatted document.||The report addresses all the stated sections, leading to a plausible conclusion.||The report does not address, or only to a limited extent addresses, all the stated sections, leading to a plausible conclusion.|
• (15%) Executive Summary – clear risk-based opinions that business stakeholders understand and can be used directly for decision-support
• (15%) Financial Services sector review – clear perspective to business stakeholders on similar projects in their sector, and any relevant
• (20%) Security posture review – clear assessment of the project’s impact on current security posture in terms of changes to the posture and the required mitigation actions to remain at an
• (30%) Threats, vulnerabilities and consequences assessment – demonstrate that the specific changes introduced by the project have been systematically assessed according to lists and frameworks for threats, vulnerabilities and
• (20%) Data Security – demonstrate the data flows associated with the project have been identified, assessed against policies and any risks mitigated.
are required to be submitted in either Word format (.doc, or .docx), Open Office format (.odf), Rich Text File format (.rtf) or .pdf format. Each assignment must be submitted as a single document.
should be typed using 10 or 12 point font. APA referencing style should be used. A reference list should be included with each assessment item.
diagrams that are required should be inserted into the document in the appropriate position. Diagrams that are submitted in addition to the assignment document will not be marked.