Propose and Discuss Risk Management Measures


As a first step, the CISO asks you, one of the Security Managers, to review the security breach incidents experienced by other organisations globally over the last two (2) years. Based on this information, you will need to identify the ‘top five (5) threats’ globally and prepare a report to communicate the information to the CISO. The report will:


  • Inform Emirates about the current global risks and how they could potentially impact their IT Security and Information management. Hence, your report must clearly indicate how the potential risks/threats could impact the organisation (Emirates).
  • Propose and discuss risk management measures (including technical and administrative controls) that would enable the company to be proactive and take the necessary steps to handle and overcome those threats.
  • Make a list of recommendations to secure the organisation’s information assets and overall information security management of Emirates.
  • Be presented in a professional report format for the Chief Information Security Officer, including appropriate referencing and acknowledgement of all sources.




Title: The front page of your report, professionally presented, with a title, date, author, affiliation and who the report is written for.

Table of contents: Lists sections and subsections in the report with corresponding page numbers. If relevant include a list of tables and figures. If the subheadings are indented in the report, they will typically follow the same indentation in the table of contents.


Executive Summary: Provide a brief synopsis of the report indicating what the report is about and who it might benefit. The summary should be concise and self-sufficient, which means it will have enough information that the reader can understand the information without having to read the whole report. It will describe the purpose, methods, results and recommendations. The summary usually does not contain numbers and symbols, or information that is too technical. The Executive Summary is written last even though it appears at the front of the report. The Executive Summary will be no more than one A4 page. The report follows on the next page.


Introduction: Generally informs the reader about what information will be provided in the document and how it will be covered. Thus, it is important to consider who your target audience is, which for the purpose of the assessment will also include the lecturer. The introduction involves a ‘descriptive’ writing style and requires three parts:

‒     Purpose of the report: describes to the reader why the report is being produced (the context, background and aims).

‒     Limitations: describes any limitations encountered in the production of the report that may affect the results of the


‒     The scope of the report: summarises what the report covers, how information will be presented in the report, where the information for the report comes from and how it will be gathered (for example, questionnaires or other research methods). An introduction does not reproduce the table of contents; it provides an overview or summary of the important elements.


The body of the report:


‒     A short literature review to describe the context and purpose of the report. This must include references to scholarly information to validate the currency, validity and reliability of your information.

‒     Analyse the five threats and identify the risks to this global organisation in order to determine how prepared the organisation is to handle the threats posed.

‒     Propose ways to overcome under-preparedness to assist management in their future policy development.

‒     Use scholarly information to support your ideas. If you are unsure how to do this please access the . You could also write about possible other interpretations, drawing on the views of authors in the literature review. Point out any limitations of your research, which will then lead into your conclusion.

Conclusion: Summarise the key elements of the report. State the implication of the findings: ‘What do the findings mean?’ Ensure the conclusion is consistent with the outline given in the introduction.


References: Adhere to Harvard referencing guidelines.



  • You will be given a feedback rubric that will help you to identify what you have done well and what you might need to revise.
  • The rubric will be completed by the marker to provide you with feedback about what you did do well and what you might need to focus on in subsequent submissions.

Assessment feedback

INFS 5055 - Information Security Management M

Assessment 1 – Individual Report: RISK ASSESSMENT AND POLICY DEVELOPMENT (15%)

Key components of this assessment                                      Marks      Comment by marker

Executive summary                                                      1 mark
  • Summary of the presentation/paper
  • What is covered in the presentation/paper, including some findings or issues

Introduction                                                           2 marks
  • What is covered in the report
  • Aim/purpose of the report
  • Background of the report

Security management plan (supported with appropriate integration
of academic references)                                                9 marks
  • Identification and explanation of five risks
  • Assessment and impact of the risks on the given scenario discussed
  • Risk management measures proposed
  • List of recommendations to the management

Conclusion                                                             2 marks
  • Summary of the key elements of the report
  • States the implication of the findings and analysis

Structure, formatting and referencing
  • Clear structure and appropriate subheadings
  • Adheres to formatting requirements
  • Uses academic language, spelling and grammar
  • References appropriately (Harvard)

Summary comment: