Project Risk Management
Strayer University
Dr. Shah Jamali
April of 2013

The solution that I believe best addresses the issues faced by Flayton Electronics is that of James E. Lee. I would definitely use his recommendations because they cover all the key areas that are crucial in a risk response plan.
Lee’s suggestions are typical of contingency planning; according to Heldman (2005), contingency planning is a form of acceptance because if the risk occurs, you are willing to accept the consequences and devise a plan to deal with those consequences.
He is likely to act with urgency in informing the affected parties, as the longer the company takes to do this, the less credible it will appear. Lee also recommended that once the risk has occurred, timing is a key element in implementing a risk response plan to minimize damages.
This has to be in the form of a prompt public disclosure once adequate information has been gathered; brand restoration should be initiated through public statements to help improve the company’s image; toll-free hotlines should be set up to address customers’ concerns; loyalty incentives in the form of discounts and sales should be given to compensate those customers that still stay loyal to Flayton’s; a formal public relations statement should be released to acknowledge the breach and to assure the public that the matter is being taken care of; finally, secondary risks that may have occurred as a result of the situation, i.e. blogs, social media, faulty media reports, etc., should be handled. Lee argued that if Brett Flayton and his team can mitigate the effects of the damage to their brand and reputation, they will be able to rise above the situation despite the fact that it may take them several years to recoup.

MEMORANDUM FOR SECURITY RESPONSE

TO: Brett Flayton
Chief Executive Officer
Flayton Electronics
1 Technology Parkway
Houston, TX 77004

SUBJECT: Customer Data Security Breach

Mr. Flayton,

It has come to the attention of the Security & Loss Prevention department that the security of some of our customers’ credit card information has been compromised.
In addition, Law Enforcement and the Secret Service are also aware of the situation and have advised us not to notify the public until they have had a chance to apprehend the perpetrators. We sought the counsel of Mr. James E. Lee, Senior VP of Public & Consumer Affairs, ChoicePoint, and he had a few recommendations as to our best approach.

1. Make a formal public statement once you have obtained sufficient information in order to reassure the affected parties, address their concerns and also to let them know that we are working with law enforcement to identify the violator(s). I believe we should do this quickly given that a media personality is also a victim. The longer we wait to inform the parties, the greater the risk of them hearing about this from external sources, which will diminish our credibility. Delaying information could also result in more fraudulent charges to the accounts of affected customers and give the impression that we either do not care or are hiding something.

2. Set up toll-free lines for customers to call in and get additional information that will help to reassure them that the situation is under control. There should also be recordings that give customers instructions on how to proceed if they have found unauthorized charges on their accounts, and also provide internal contact information for them to report the matter to.

3. Loyalty incentives should be offered in the form of special discounts, sales, gift cards and reward cash as an incentive to keep customers coming back. According to an article by Associated Press reporter Robertson (2011), despite the prevalence of data breaches, customers still entrust their personal information to retailers. It is understandable that we may lose some customers; however, we should compensate all parties for their loss and also give extra incentives to the customers that still stay loyal to us.

4. Handle secondary risks that will arise from the incident; these can be faulty media reports, blogs and social media reports with inaccurate information. Given the far-reaching effect these media channels can have, we should have our Public Relations and Legal departments handle this by doing damage control in order to reduce the likelihood of additional lawsuits.

These recommendations will help to bolster the company’s image and maintain the integrity of the brand as well as restore the trust that our customers once had for our entity.

V/R,
Security Management

The data breach that Flayton Electronics experienced may have stemmed from several loopholes cited in the case. It may have been caused by someone hacking into the store’s card reader system or from the fact that customers’ credit card information was being stored on the company’s computers and showing up on reports when this should not have happened.
In order to mitigate these situations, the Security Director at Flayton’s should have a system set up to conduct weekly checks of their security systems to ensure there are no weak areas for hackers to tap into and promptly address any issue that raises a red flag. Also, if customers’ credit card numbers are showing up on reports unnecessarily, then IT should have been alerted to help find a fix for that problem, so that the information does not get into the wrong hands. Another possible cause could have been the employees that were terminated from the company.
In order to prevent a situation where a former employee could misuse the privileges they once had with sensitive data, it is prudent to cut off all access to the systems by changing access codes and also blocking the person from coming back to the premises. All employees should sign a data confidentiality waiver and if they are ever found to be in breach of it, then legal action should be pursued against them. Finally, the breach could also have been caused by the firewall that was disabled for some time and went unnoticed.
I would address this problem first by firing Sergei, who was responsible for making sure that the software was operational at all times and failed to address the problem with urgency or notify senior personnel of it. I would also ensure that the IT department conducts daily checks of the system to ensure that the company is protected fully from hackers. A communication system would be set up so that all daily/weekly security checks are turned in to the manager, who will compile a report that will then be turned in at the end of each week to the new CIO (who will replace Sergei).
This report would then be presented at the weekly meetings Brett has with his directors to keep him abreast of what is going on within the company. In order to effectively manage the data security of Flayton’s Electronics, it should be treated like a project in itself; the personnel will consist of the staff from the IT and Security departments. Once the PM has been identified and the scope, objectives and budget have been determined, the PM should seek approval from the key stakeholders to initiate the project.
He/she should then set a meeting with the key stakeholders in order to do a risk assessment, identify critical risks and their potential impact, and plan contingencies to address them. Milestones should be set for the project with dates in order to track progress. An example of these milestones can be to install a new firewall to correct the breach once the project is initiated; the second milestone can be to conduct a test of the system to ensure that the firewall is working effectively.
In addition to setting milestones, the PM should also get with the senior team members and create a Work Breakdown Structure (WBS) where responsibilities are assigned to smaller teams. A communications plan should be set up to address what information should be documented and who, when and how this information will be shared. This will help to avoid certain data risks, as certain levels of information would not be shared with lower-level staff. The project should be monitored closely to make sure that it is progressing as planned, and each time changes are made that deviate from the baseline plan, they should be documented.
The project manager should supervise all the team members involved to ensure they are performing at the required level. An audit should be conducted to evaluate the team and the quality of the work done. According to Kloppenborg, Shriberg & Venkatraman (2003), a project audit can occur at any time during a project and may even be done earlier in order to provide a measuring stick to see how the project is doing and, if necessary, make recommendations for changes.
Finally, the project manager should also include lessons learned as a task in the project, as this will help other team members in having a guide when embarking on future security projects.

References

Hillson, D., & Simon, P. (2007). Practical Project Risk Management: The Atom Methodology. Management Concepts.

Kloppenborg, T., Shriberg, A., & Venkatraman, J. (2003). Project Leadership.

Robertson, J. (2011). Customers stay despite high profile breaches. Retrieved 06/05/2012 from http://www.pewinternet.org/Media-Mentions/2011/Customers-stay-despite-highprofile-data-breaches.aspx
Boss, I Think Someone Stole Our Customer Data. (2016, Oct 14). Retrieved from https://graduateway.com/boss-i-think-someone-stole-our-customer-data/