
NOVEMBER 22ND, 2014

Bahria University
Lahore, Pakistan

RADIX SECURITY SYSTEM


RISK MANAGEMENT PLAN

PREPARED BY:
MR SHAWAZ BALUCH
MR. SYED TOUSEEF ALI
MR. DANYAL AHMED
MS (PM) II
DEPARTMENT OF MANAGEMENT SCIENCES
BAHRIA UNIVERSITY, LAHORE, PAKISTAN

RADIX Security System

TSD (Pvt) Ltd

Document Receipt Acknowledgement


This document is confidential and the sole property of the organization. No content of this document may be
shared with anyone outside or inside the organization without prior approval of, or acknowledgement to,
the concerned party or person.
This is to validate the formal acknowledgement that the undersigned recipient has received the document
on the said date. Please detach the receipt from the document and hand over the document to the
undersigned.

Role:
Recipient Name:
Department:
Recipients Director Name:
Recipients Manager Name:
Signature:
Dated:

Risk Management Plan


Bahria University, Lahore, Pakistan

Page# 2


Document Details
Document Title: RADIX Security System
Document Sub-Title: Risk Management Plan
Document No: RMP 001
Prepared By: TSD Consultancy (Pvt) Ltd
Submitted To: MSB Training Consultancy
Dated: November 15th, 2014
Author(s) Details
Mr. Shawaz Baluch | Technical Consultant | TSD Consultancy (Pvt) Ltd | MS (PM) II | Bahria University Lahore, Pakistan
Mr. Syed Touseef Ali | Technical Consultant | TSD Consultancy (Pvt) Ltd | MS (PM) II | Bahria University Lahore, Pakistan
Mr. Danyal Ahmed | Technical Consultant | TSD Consultancy (Pvt) Ltd | MS (PM) II | Bahria University Lahore, Pakistan

Advisor Details
Prof. Mr M. Salman Bilal
PE, PMP, PMI-ACP, PMI-RMP, PMI-SP, ASQ CSSGB
Ph. D. Scholar (Engineering Management)
M. Sc. Engineering Management (Project Risk Management)
M. Sc. Electrical Engineering (Power Electronics)
B. Sc. Electrical Engineering (Electronics & Telecommunication)


Version History
The table below provides the information on how the development and distribution of the document is
controlled and tracked. It provides the version number, the author implementing the version, the date of
the version, the name of the person approving the version, the date that particular version was approved,
and a brief description of the reason for creating the revised version.

Version Number | Implemented By | Revision Date | Approved By | Approval Date | Description of Change
1.0 | TSD | | Mr. Risk Manager | 14th Nov, 2014 | -
1.1 | TSD | 15th Nov, 2014 | Mr. Project Manager | 18th Nov, 2014 |


Document Authorization - I
This section of the document introduces the authorization of the document. It gives a clear picture of
who has received a copy of this document and who has approved its content.

Authorization
Role: Sponsor | Name: Bahria University, Lahore | Dated: 14th Nov, 2014 | Signature:
Role: Project Manager | Name: Mr. Shawaz Balouch | Dated: 14th Nov, 2014 | Signature:
Role: Risk Manager | Name: Mr. Syed Touseef Ali | Dated: 14th Nov, 2014 | Signature:
Role: Risk Auditor | Name: Mr. Danyal Ahmed | Dated: 14th Nov, 2014 | Signature:

Copy To

1- Sponsor
2- Prof. Mr Salman Bilal
3- Project Manager
4- Risk Manager
5- Project Departments


Document Authorization - II
This section of the document introduces the authorization of the document. It gives a clear picture of
who has received a copy of this document and who has approved its content.

Authorization
Role: Sponsor | Name: Bahria University, Lahore | Dated: 18th Nov, 2014 | Signature:
Role: Project Manager | Name: Mr. Shawaz Balouch | Dated: 18th Nov, 2014 | Signature:
Role: Risk Manager | Name: Mr. Syed Touseef Ali | Dated: 18th Nov, 2014 | Signature:
Role: Risk Auditor | Name: Mr. Danyal Ahmed | Dated: 18th Nov, 2014 | Signature:

Copy To

1- Sponsor
2- Prof. Mr Salman Bilal
3- Project Manager
4- Risk Manager
5- Project Departments


Abstract
Managing risk is an essential component of an Information Security System. Risk management is
fundamental to effectively securing information, IT assets, and critical business processes. Risk
management is also a challenge to get right. With numerous risk management frameworks and
standards available, it can be difficult for practitioners to know where to start and which methodologies
to employ.
The document has been designed by a group of two students from the Department of Management
Sciences at Bahria University, Lahore, Pakistan. Both students were registered in the Spring-2014
session and are pursuing their Master's degree, second semester of the Master of Science in Project
Management.
In this document we have designed a Risk Management Plan for the RADIX Security System along the
lines of PMBOK 5th Edition and with the guidance of Prof. Mr. Salman Bilal. The document gives a
deep insight into the constituents of a Risk Management Plan, which is the output of the first process,
Plan Risk Management, and describes how risk management activities will be structured and performed.


Table of Contents

1- Risk Management Plan ... Page# 09
2- Introduction ... Page# 10
3- Methodology ... Page# 11
4- Roles & Responsibilities ... Page# 17
5- Budgeting ... Page# 18
6- Timing ... Page# 19
7- Risk Categories ... Page# 21
8- Definition of Risk Probability and Impact ... Page# 22
9- Risk Probability and Impact Matrix ... Page# 23
10- Revised Stakeholder's Tolerance ... Page# 24
11- Reporting Format ... Page# 25
12- Tracking ... Page# 26
13- References ... Page# 28
14- Attached Documents ... Page# 29


Risk Management Plan


The Risk Management Plan is a component of the Project Management Plan and describes how risk
management activities will be structured and performed. The risk management plan includes the
following:
1. Methodology
2. Roles and responsibilities
3. Budgeting
4. Timing
5. Risk categories
6. Definitions of risk probability and impact
7. Probability and impact matrix
8. Revised stakeholders' tolerances
9. Reporting formats
10. Tracking


Introduction
In this document we are designing a Risk Management Plan for a University RADIX Security System.
RADIX is a system which shows the personal and educational profile of student(s) along with one's results
and the course(s) one has passed or is taking in the current semester.
By implementing the security system we need to make sure that there is no intrusion or
unauthorized access to the secure layer of the system. Below you can find the depiction of the system layers;
we are developing the Risk Management Plan only for the Encryption layer, which will secure us from
any hacking-related matter.


Methodology
This section defines the approaches, tools, and data sources that will be used to perform risk management on the RADIX
Security System. We shall be following PMBOK 5th edition for the Risk Management Cycle.

Because circumstances change and initial responses may not be effective, regular review is an important
part of managing risk. We can show graphically that risk management is an invoked process, not an
event;

The term methodology means an organized set of principles and rules that drive action in a particular
field of knowledge. A methodology does not describe specific methods; nevertheless, it does specify
several processes that need to be followed. These processes constitute a generic framework. They may
be broken down into sub-processes, they may be combined, or their sequence may change. However, any
risk management exercise must carry out these processes in one form or another; the image below shows
the Risk Management Process according to ISO Standard 13335;


Risk Management is a recurrent activity that deals with the analysis, planning, implementation, control
and monitoring of implemented measures and the enforced security policy. By contrast, Risk
Assessment is executed at discrete points in time (e.g. once a year, on demand, etc.) and, until the
next assessment is performed, provides a temporary view of the assessed risks while
parameterizing the entire Risk Management process. This view of the relationship of Risk Management
to Risk Assessment is depicted in the figure.


As the document is for the RADIX Security System, which falls completely within IT-field Risk Management,
it is necessary for us to understand the relationship between the risk elements as depicted
in the figure below;

Data sources for Risk Management:

We shall be using the following data sources to identify, assess and manage risks;
1- Key Stakeholders
2- Project Manager
3- Risk Management Team
4- General Public


Risk Management Tool: RiskNav

RiskNav is a well-tested tool developed by MITRE to facilitate the risk process and help program
managers handle their risk space. RiskNav lets you collect, analyze, prioritize, monitor, and visualize
risk information in a collaborative fashion. This tool provides three dimensions of information
graphically: risk priority, probability, and mitigation/management status. Below you may have a
quick look at the tool's interface, for example purposes;

1- Risks List
2- Risk Analysis
3- Risk Details


Diagramming Method:
As per the guidelines of PMBOK 5th edition 11.2.2.5.1, we have the Ishikawa or Fishbone diagramming method
to identify and explain the risks. We will apply this diagramming method. For describing
the problem in a summarized way, we have shown the format below;

And for discussing things in detail we shall be using the format mentioned below;


Roles and Responsibilities

This section of the document defines the lead, support, and risk management team members for each
type of activity in the risk management plan, and clarifies their responsibilities;

Business/ Functional Team: The BSME assists in identifying and determining the context,
consequence, impact, timing, and priority of the risk.

Project Manager (PM): The Project Manager or PM is a member of the Integrated Project Team
(IPT). The PM administers the risk and the risk management team. The Project
Manager will assist the Risk Manager for better risk management.

Risk Manager: The Risk Manager is a member of the Integrated Project Team (IPT).
The Risk Manager determines if the risk is unique, identifies risk
interdependencies across projects, verifies if the risk is internal or external
to the project and assigns the risk classification and tracking number. During
the life of the project, they continually monitor the projects for
potential risks. Moreover, the Risk Manager will work on risks and take
responsibility in coordination with the Project Manager.

Integrated Project Team: The IPT is responsible for identifying the risks, the dependencies of the
risk within the project, and the context and consequence of the risk. They
are also responsible for determining the impact, timing, and priority of
the risk as well as formulating the risk statements.

Risk Owner(s): The risk owner determines which risks require mitigation and
contingency plans; he/she generates the risk mitigation and
contingency strategies and performs a cost-benefit analysis of the
proposed strategies. The risk owner is responsible for monitoring,
controlling and updating the status of the risk throughout the project
lifecycle. The risk owner can be a member of the project team.

Risk Action Owner(s): The Risk Action Owner will ensure the actions for certain risks assessed and
evaluated by the Risk Owner.

Risk Auditor: The Risk Auditor will perform the audit actions during the Project
Management Process irrespective of risk occurrence.

Other Key Stakeholders: The other stakeholders assist in identifying and determining the
context, consequence, impact, timing, and priority of the risk.


Budgeting
This section of the document estimates the funds needed, based on assigned resources, for inclusion in the
cost baseline and establishes protocols for the application of contingency and management reserves.
There are three steps involved in Risk Budgeting;
1- We need to come up with a target risk level for our Project
2- Calculate an estimate of total Project risk and build a project document that matches your target risk
3- Manage the project to maintain the risk level close to the target level
Risk Categories: Tactical and Operational

Sub-Category | Tactical Cost (US $) | Tactical Schedule (Hours) | Operational Cost (US $) | Operational Schedule (Hours)
Administrative | 5,000 | 2 | 20,000 | 5
Academic Data-source | 10,000 | 5 | 30,000 | 10
Environmental Risks | 25,000 | 48 | 5,000 | 1
Infrastructure | 10,000 | 96 | 5,000 | 1
Technological | 95,000 | 120 | No Risk | Null

Risk Categories: Regulatory and People

Sub-Category | Regulatory Cost (US $) | Regulatory Schedule (Hours) | People Cost (US $) | People Schedule (Hours)
Academic Data-source | No Risk | Null | 50,000 | 240
Administrative | 40,000 | 10 | 10,000 | 20
Environmental Risks | 45,000 | 1 | 30,000 | 48
Infrastructure | 5,000 | 1 | 90,000 | 100
Technological | 70,000 | 2 | 10,000 | 10

Budget Summary:
RADIX Security System is a nine (09) million project which is intended to be completed in eight (08)
months. Below you may find the summary of the budget; management has allocated 5% of the total budget
as contingency reserve and for Risk management activities.

Item | Budget/ Reserve (US $) | Schedule (Months)
Product | 8,400,000 | 6.5
Risk | 555,000 | 1
Contingency | 45,000 | 0.5

*We will discuss budgeting in detail when our Risk Register is completed; as of yet this is a tentative
plan. For details please refer to Document: RMP-002; Risk Register and Cost Management Plan


Timing
This section defines when and how often the risk management processes will be performed throughout the project
life cycle, establishes protocols for the application of schedule contingency reserves, and establishes risk
management activities for inclusion in the project schedule.
To establish and perform Risk Management Processes/ Protocols we need to identify risks which could
cause a potential loss, and for that matter the following are to be identified;

- Assets, primary (i.e. business processes and related information) and supporting (i.e. hardware,
software, personnel, site, organization structure)
- Existing and planned security measures
- Threats
- Vulnerabilities
- Consequences
- Related Business Processes

The output of every process is made up of;

1. List of assets and related business processes to be risk managed, with the associated list of threats
and existing and planned security measures
2. List of vulnerabilities unrelated to any identified threats
3. List of incident scenarios with their consequences


Risk Management Life Cycle

The depiction below clearly shows the life cycle, which is easy to understand: after identifying a risk we
need to analyze it, and it is a continuously improving process in order to make vulnerabilities certain.

The depiction below shows how we will keep track of each risk, and it also tells you when
there is a need to update the Risk management processes.

Risk Management activities/ reports will be performed/ documented after every 15 days.
Schedule Summary:
We will perform the Risk management process on a timely risk schedule. RADIX Security System is a nine (09)
million project which is intended to be completed in eight (08) months. Below you may find the
summary of reserves;
1- One (01) month Risk Activity
2- Fifteen (15) days Contingency reserve in schedule
You may refer to Document: RMP-001; Section: Budgeting; Summary Budget in reference to the
Schedule contingency reserve. For details please refer to Document: RMP-002; Risk Register and Schedule
Management Plan


Risk Categories
The risks faced by our organization during the project RADIX Security System are categorized in relation to
what the organization does. There are a number of categories which help to group risks according to the
various aspects of the organization and its activities which you need to consider. The main categories of
the risks give the macroscopic view of the risks identified, and the sub-categories give the microscopic view of
the risks understood and identified.
Macroscopic Level Risks
Tactical:
This allows you to look at external risks which may affect our organization, such as changes in the
environment in which you operate. It also lets you look at setting organizational objectives, ensuring
you set the right ones and then meet them.
Operational:
This looks at the risks which arise from the services you deliver or the activities you carry out.
People:
Review risks associated with both the employment of staff and the involvement of volunteers and
students.
Regulatory:
This category looks at the legislative framework within which our organization operates.
Microscopic Level Risks
Sub Categories:
There are some sub-categories of risk which are solely aligned to our project under discussion, as
mentioned below
1. Administrative
2. Academic Data-source
3. Environmental Risks
4. Infrastructure
5. Technological

For details please refer to Document: RMP-002; Risk Register


Definitions of risk probability and impact

The quality and credibility of the risk analysis require that different levels of risk probability and impact
be defined that are specific to the project context. General definitions of probability levels and impact
levels are tailored to the individual project during the Plan Risk Management process for use in
subsequent processes.

Impact Definition (columns: Impact No, Impact, Color Scheme)
Negligible
Minor
Moderate
Major
Catastrophic

Likelihood/ Probability Definition (columns: Likelihood No, Likelihood, Probability Definition, Color Scheme)
Rare / Very Low | >5% likely to happen
Unlikely / Low | >10% likely to happen
Possible / Moderate | >20% likely to happen
Likely / High | >40% likely to happen
Almost Certain / Very High | >60% likely to happen

Controls Definition
These are actions that are intended to manage risk by reducing its impact, its likelihood of occurrence, or
both. They should be genuine, practicable and realistic. The possible effects of Controls are to:
1. Avoid Risk
2. Seek Risk
3. Modify Risk
4. Transfer Risk
5. Retain Risk


Probability and Impact Matrix

Each risk is rated on its probability of occurrence and its impact on an objective if it does occur. The
organization will determine which combinations of probability and impact result in a classification of
high risk, moderate risk, and low risk.

Rows are probability; the left five columns are threat impacts and the right five are opportunities.

Probability | Threats: 0.05/ Negligible | 0.10/ Minor | 0.20/ Moderate | 0.40/ Major | 0.60/ Catastrophic | Opportunity: 0.60/ Almost Certain | 0.40/ Likely | 0.20/ Possible | 0.10/ Unlikely | 0.05/ Rare
0.90 | 0.05 | 0.09 | 0.18 | 0.36 | 0.54 | 0.54 | 0.36 | 0.18 | 0.09 | 0.05
0.70 | 0.04 | 0.07 | 0.14 | 0.28 | 0.42 | 0.42 | 0.28 | 0.14 | 0.07 | 0.04
0.50 | 0.03 | 0.05 | 0.10 | 0.20 | 0.30 | 0.30 | 0.20 | 0.10 | 0.05 | 0.03
0.30 | 0.02 | 0.03 | 0.06 | 0.12 | 0.18 | 0.18 | 0.12 | 0.06 | 0.03 | 0.02
0.10 | 0.005 | 0.01 | 0.02 | 0.04 | 0.06 | 0.06 | 0.04 | 0.02 | 0.01 | 0.05
Defined Conditions for Impact Scales of a Risk on Major Project Objectives

Project Objective | 0.05/ Very Low | 0.10/ Low | 0.20/ Moderate | 0.40/ High | 0.60/ Very High
Cost | Insignificant cost increase | Less than 10% cost increase | 10-20% cost increase | 20-40% cost increase | More than 40% cost increase
Time | Insignificant time increase | Less than 5% time increase | 5-10% time increase | 10-20% time increase | More than 20% time increase
Scope | Scope decrease barely noticeable | Minor areas of scope affected | Minor areas of scope affected | Scope reduction unacceptable to sponsor | Project end item is effectively useless
Quality | Quality degradation barely noticeable | Only very demanding applications are affected | Quality reduction requires sponsor approval | Quality reduction unacceptable to sponsor | Project end item is effectively useless


Revised Stakeholders' Tolerance

Stakeholders' tolerances, as they apply to this project, may be revised in the Plan Risk Management
process. Stakeholders' tolerance can be revised upon the revision of Risk Controls. The Risk Tolerance level of
the sponsor is 25% of the contingency reserve as provided.
Controls in Place
Indicates the extent to which the Controls have been implemented:
A. Implemented and operating effectively
B. Identified and being implemented
C. Not yet identified, incomplete or not operating effectively
Use of Controls
This provides a Sense Check of the reliance on Controls based on the size of the difference between the
Initial and Residual Risk Scores;
L: < 25% - Reliance on Controls is not excessive
M: >= 25% - Controls should be checked to ensure that they are realistic and in place
H: >= 35% - Controls should be reviewed urgently to ensure that they are realistic and functioning
properly.
So, as per the criteria agreed upon with reference to Document: RMP-001; Section:
Budgeting; Summary Budget, it is implied that if the Risk amount is less than US $ 138,750 then there is no
need to revise and hold an emergency meeting with the board of directors and stakeholders. Otherwise, call
the emergency meeting at the fourth hour.
After reviewing the Controls we will revise the stakeholder tolerance level for each risk mentioned above in
Document: RMP-001; Section: Budgeting; Summary Budget; for details please refer to Document:
RMP-002; Risk Register
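As an added worked example (not part of the TSD plan), the probability x impact scoring of the matrix section and the controls sense check and sponsor tolerance threshold of this section as Python functions; the function and constant names are mine, and it assumes that the "difference between Initial and Residual Risk Scores" means the reduction expressed as a percentage of the initial score.

```python
from decimal import Decimal, ROUND_HALF_UP

# Threat-impact columns of the plan's probability and impact matrix.
IMPACT_SCALE = {
    "Negligible": Decimal("0.05"),
    "Minor": Decimal("0.10"),
    "Moderate": Decimal("0.20"),
    "Major": Decimal("0.40"),
    "Catastrophic": Decimal("0.60"),
}
# Probability rows of the matrix, highest first, written as the plan prints them.
PROBABILITY_ROWS = ("0.90", "0.70", "0.50", "0.30", "0.10")

CONTINGENCY_RESERVE_USD = Decimal("555000")  # "Risk" line of the budget summary
SPONSOR_TOLERANCE = Decimal("0.25")          # sponsor tolerance: 25% of that reserve


def risk_score(probability, impact: str) -> Decimal:
    """Probability x impact, rounded half-up the way the matrix cells are.

    Cells of 0.01 and above carry two decimals; the one smaller cell keeps three.
    """
    p = Decimal(str(probability))
    if p not in tuple(Decimal(s) for s in PROBABILITY_ROWS):
        raise ValueError(f"probability {p} is not a row of the plan's matrix")
    raw = p * IMPACT_SCALE[impact]  # KeyError for an impact not on the scale
    places = Decimal("0.01") if raw >= Decimal("0.01") else Decimal("0.001")
    return raw.quantize(places, rounding=ROUND_HALF_UP)


def threat_matrix() -> dict:
    """Rebuild the threat half of the matrix: {probability: [cells per impact]}."""
    return {row: [str(risk_score(row, name)) for name in IMPACT_SCALE]
            for row in PROBABILITY_ROWS}


def controls_reliance(initial, residual) -> str:
    """Sense check of reliance on controls from the initial-to-residual reduction.

    Assumption (mine): the plan's "difference" is the reduction as a percentage
    of the initial score. Bands: L below 25%, M from 25%, H from 35%.
    """
    i, r = Decimal(str(initial)), Decimal(str(residual))
    if i <= 0 or not 0 <= r <= i:
        raise ValueError("scores must satisfy 0 <= residual <= initial, initial > 0")
    reduction_pct = (i - r) / i * 100
    if reduction_pct >= 35:
        return "H"  # controls to be reviewed urgently
    if reduction_pct >= 25:
        return "M"  # controls to be checked as realistic and in place
    return "L"      # reliance on controls is not excessive


def sponsor_threshold_usd() -> Decimal:
    """Risk amount at which the plan calls for an emergency meeting."""
    return CONTINGENCY_RESERVE_USD * SPONSOR_TOLERANCE


def emergency_meeting_required(risk_amount_usd) -> bool:
    """True unless the risk amount is below the sponsor's tolerance threshold."""
    return Decimal(str(risk_amount_usd)) >= sponsor_threshold_usd()
```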


Reporting Format
This section gives the format of the reports which will be used during the Project Life Cycle. The
reports will be in descriptive, tabular and graphical formats. Below are the four modes of
reports;
1- On Demand
2- Deliverable based
3- Monthly Reports
4- Quarterly Reports

Sample reports are attached for your reference.



Tracking
This section of the document gives an overview of how risk activities will be recorded for the
benefit of the current project and how risk management processes will be audited. We can track a risk by
making a flow diagram which shows its impact along with it, for example

Moreover, we will add some reporting formats which will be used for the Risk Management process audit;


In order to deal with the Risk Audit, the Risk Auditor will audit every single risk bi-weekly and submit the report to
the following;
1- Project Manager
The Risk Auditor will have the authority to hold a meeting after every single audit, and those listed above will be the
required participants of that meeting. The Risk Auditor should use the attached reporting format for
documenting the Risk Audit activity.


References
PMBOK 5th Edition 11th Chapter
www.google.com
www.wikipedia.com
http://www.mitre.org/publications
http://www.opengroup.org/subjectareas/security/risk


Attached Documents

Document No | Document Title
RMP 002 | Risk Register
RMP 003 | Risk Summary Report
RMP 004 | Risk Detailed Report
RMP 005 | Risk Tracking Document
RMP 006 | Risk Audit Report
System Generated No | RiskNav Output

