o Due Date: The exact due date for the assignment will be announced in class/lab. Instructions: In this Case Study Lab Assignment there is ONE case study. Read the CASE carefully (the opening and closing scenario) and answer ALL the Case Discussion Questions at the end of the case). Please state cach question and then follow it with the answer. o Each question must be answered completely and you must give detailed explanation of your answer to receive full credit. o The complete answer to the case study i.e. the answers to all the Case Discussion Questions) must NOT be less than 500-words in length. Please note that you may have to do research on the net to help you analyze the case and answer the questions completely. Please remember that you CANNOT copy from the net and ALL your work must be in your own words. Case Opening Scenario Risk Identification and Assessment Iris Majwabu and Mike Edwards sat side by side on the short flight to the nearby city where the Random Widget Works, Inc. (RWW) board of directors audit committee was meeting that afternoon. The two had been invited to present RWW's information technology (IT) risk management program to the committee. The board's concerns stemmed from a recent briefing by the National Association of Corporate Directors, which focused on trends affecting the potential liability of board members in the areas of InfoSec in general and risk management in particular. After the plane leveled off, Mike pulled out his copy of the presentation he planned to give that afternoon. He and Iris had been working on it for the past two weeks, and each knew the slides by heart, Iris was along to assist with the question-and-answer period that would follow Mike's presentation "They're not going to be happy campers when you're done," Iris said. "No, they're not," Mike said. "The CEO is worried about how they'll respond and about what might come up at the full board meeting next month. I'm afraid the disconnect between IT and Internal Audit may have some unexpected consequences." Iris considered what she knew about the weaknesses of the Internal Audit Department's approach to the company's non-IT assets. Where Mike and Iris had built a sound, fact-based approach to estimating and controlling IT risk, some of the other company divisions used less empirical methods "I think we should come out of this okay," Iris told Mike. "After all, the main concern of the audit committee members is the new perception of their liability for IT security and the impact that IT risk has on the issues surrounding privacy. We have a solid risk management plan in place that's working well, in my opinion." Mike looked up from his notes and said, "It's not us I'm worried about. I'm afraid we may create some discomfort and unwanted attention for our peers after the board sees the wide Case Closing Scenario variety of risk management approaches used in other divisions." Mike and Iris were flying home from the meeting. The audit committee's reaction had not been what they expected "I'm glad they understood the situation." Mike said, "I'd like you to start revising our risk management documentation to make it a little more general. It sounds like the board will want to take our approach company-wide soon." Iris nodded and pulled out her notepad to make a to-do list. 1. What will Iris have on her to-do list? 2. What resources can Iris call on to assist her? Case Discussion Questions