1. Assume that you are buying ServiceNow software and deployment services for service desk management. This is for the IT department only, but it affects the whole company in how services from IT will be provided. You have licensing on a subscription basis each year and consulting services to pay for in being able to roll out the software to the IT department.
2. Include a Word document with a paragraph for each of the ways to identify risk management aspects of this contract. Document how you would satisfy risk management for this contract.

The following (starting from an organization's policy on IT...) are the ways to identify risk management aspects of this contract (as mentioned in the textbook)

exchange, it is very vulnerable to security risks. The following list provides a high level guide on identifying areas of increased security risk. I An organization's policy on IT use and personnel security Some of the factors that can be assessed for possible security risks are system inventory, system development life cycle, monitoring and risk management, addressing an issue, security training, privacy policy, etc. I Provisions made in the contract Contract provisions should be carefully assessed, especially for contracts that involve handling, access to or These primarily apply to contract that transportation of sensitive information. In allows use of contractor system or such cases, it is very important to clearly application, which should meet the capture the roles and responsibilities of required security standards. the system owners and IT systems security Certification and accreditation officer. Contracts where an organization is System, data and device inventory - providing IT system or application asset management containing official information,certication and accreditation checks are even more important. In such cases, only authorized people must be allowed to access the systems and use of the systems should be closely monitored. I Risk management through continuous monitoring Contract where an organization is allowing use of its computer systems and applications that contains company information or if it performs an outsourced business processing service, continuous monitoring alone can ensure that risks are minimized. I Handling issues Where an organization is allowing use of its company computers and application containing o'icial information, it should have a formal issue handling capability. The contract should state the party and its nominated resource responsible for tracking arising issues and addressing them. I Security training Security training should ideally apply to all contracts, irrespective of its purpose. While unscrupulous elements will breach security for personal gains, security risks more often arise from users who are not completely aware of the functionalities of the system or application they use. Many are not aware of their responsibilities and legal obligations. SeCurity training will be (9 effective when they are reinforced through regular training