5 What would you do?
You are the CFO of a midsized manufacturing firm. You have heard nothing but positive
comments about the new CIO you hired three months ago. As you watch her outline what
needs to be done to improve the firm’s computer security, you are impressed with her
energy, enthusiasm, and presentation skills. However, your jaw drops when she states
that the total cost of the computer security improvements will be $300,000. This seems
like a lot of money for security, given that your firm has had no major incident. Several
other items in the budget will either have to be dropped or trimmed back to accommodate
this project. In addition, the $300,000 is above your spending authorization and will
require approval by the CEO. This will force you to defend the expenditure, and you are
not sure how to do this. You wonder if this much spending on security is really required.
How can you sort out what really needs to be done without appearing to be micromanaging
or discouraging the new CIO?
Read “What would you do?” #5 on page 120 of the text. Put yourself in the CIO position. Write a 2 – 3 page paper formulating a risk assessment plan that you think would justify a $300,000 investment even though your firm has never had a major incident.
Your paper should include the following:
Consider all the data that must be secure.
What types of data are at risk?
Research IT security threats and risks.
Research risk assessment templates and tools.
Your paper must follow these guidelines:
Double-spaced
12 point Times font
1 inch margins
Quotes over 3 lines, Reference page, and title page do not count in page total
At least 3 references used (textbook and two Internet resources)
APA format (title page, citations, Reference page)
Correct spelling, grammar, and punctuation
