Fluent Essays

Using all of the previous assignment information, students will create a Cybersecurity Risk Report that helps their proposed business manage cybersecurity risks. Refer to the Framework Compliance Assessment Report Guide, located within the Course Materials, for full instructions. APA style is not required, but solid academic writing is expected. This assignment uses a rubric. Please review the rubric prior to beginning the assignment to become familiar with the expectations for successful completion. You are required to submit this assignment to LopesWrite. Refer to the LopesWrite Technical Support articles for assistance.  This benchmark assignment assesses the following programmatic competencies: MS Cybersecurity 2.2: Define and apply the NIST Cybersecurity Framework functional areas, implementation tiers, and profiles. 2.3: Apply the Cybersecurity Life Cycle, Cybersecurity Framework, and Methodologies to establish a Cybersecurity Program that supports an organizations strategic initiatives. Framework Compliance Assessment Report Guide Directions: Throughout the course students will work on applying a cybersecurity framework to a small to medium-sized business. Each assignment will build upon the next and will be compiled into a Framework Compliance Assessment Report that helps their proposed business identify, assess, and manage cybersecurity risk. When developing this report, students are encouraged to refer to the Framework for Improving Critical Infrastructure Cybersecurity, located within the Course Materials. The formal report must include the following components: I. Executive Summary Briefly summarize the scope and results of the framework compliance assessment. Highlight high-risk findings and comment on required management actions. Present an action plan to address and prioritize compliance gaps. Present a cost/benefit analysis. Explain the risks involved in trying to achieve the necessary outcomes and the resources required to address the gaps. II. Organizational Objectives and Priorities This section should include an Organizational Data Flow Diagram. Current Framework Compliance Status: Describe the current cybersecurity environment, such as processes, information, and systems directly involved in the delivery of services. Describe the current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints using the framework identified in the Organizational Objectives and Priorities assignment. Include a diagram related to the common flow of information and decisions at the major levels within the organization. Future Cybersecurity Policy Implementations: Describe the critical cybersecurity needs that should be in place to ensure compliance with ISO/IEC 27001 Cybersecurity Framework and then prioritize outcomes. III. Operational Compliance and Risk Assessment This section should include a Portal Diagram and Organizational Risk Assessment Chart. Cybersecurity Risk Assessment: Describe the likelihood of risks occurring and the resulting impact. Identify threats to, and vulnerabilities of, those systems and assets. Express risks both internally and externally. Determine the acceptable level of risk (risk tolerance). Describe the response to the risk. Describe how identified risks are managed and resolved. Privacy Risk Management: Describe how the business is integrating privacy laws and regulations, prioritizing, and measuring progress. Compliance Gaps: Describe the type of audits that should be performed in order to keep a consistent measure of risk. Determine what type of gap analysis should be performed in order to properly identify the security elements and variables within the environment that pose the most risk. Develop a compliance management plan based on the findings using the aforementioned information gathered for reference. IV. Response and Recovery Planning Contingency Planning Process: Define the roles, responsibilities, and procedures associated with restoring IT systems following any kind of disruption. The Data Backup Planning Process: Briefly describe the data to be backed up, the backup method, and the backup frequency that best meets the business requirements. The Disaster Recovery Planning Process: Briefly describe the recovery of data specific to your operating environment. The Emergency Operations Mode Planning: Briefly describe how your organization would carry out operations between the onset of restoration activity and when system functions return. Testing and Revision Procedures: Briefly describe the frequency and sophistication of the testing and revision procedures. V. Improvements and Recommendations Opportunities for Improvement: Identify and prioritize improvement opportunities within the context of a continuous and repeatable process, identifying opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices. Identify opportunities to address an organizations emerging needs. Organizational Impact: Describe the impact to the organization in the case that improvements to security are made, whilst also describing what may occur if the improvements are not made. Monitoring: Describe how the organization would assess their progress towards accurately monitoring and analyzing future cybersecurity threats. Running Head: ORGANIZATIONAL OBJECTIVES AND PRIORITIES 1 ORGANIZATIONAL OBJECTIVES AND PRIORITIES Student Name NetLab Inc. Organizations face a number of risks and therefore the need to take all into account so that they build better relationships with their customers and other stakeholders as well as increase revenue generation and effectively achieve their business goals. There are different types of risks that companies need to take into account beforehand in order to run their business smoothly in the software development industry. This means they will always be ready for any threat.  The organizations mission, vision and objectives. Net lab’s Mission Statement The corporate mission of NetLab is “to empower all the people and business to move ahead.” The object of this mission statement is to empower people and business to achieve more. NetLab’s Vision Statement The vision is “to globally help people and corporates realize success in their businesses.” This indicates the company presents products and services to help people and business to develop. Main product, service offerings, and consumer base. NetLab develop and market software, services, and hardware for greater convenience, and enhanced value to people across the globe. It generates revenue through licenses, design and selling hardware and software, and online advertising as well as sale of individual products and services. Main departments and major stakeholders. Windows Department The department develops operating systems used in computing devices, and online services, and PC accessories. The ultimate goal is to empower individuals, and organizations through simplification of daily tasks through seamless products. The Tools department NetLab has a department for development of servers and tools to make professionals in IT their systems efficient. The department offers on premise software and cloud-based offerings. Department of Online Services (DOS). This division is developing and market information and content that people use to simplify tasks and decision making online. NetLab Business Department The department is helps increase personal, and organization efficiency and productivity through the provision of business solutions such as customer relationship management and business analytics applications. Stakeholders The major stakeholder groups significant in NetLab’s business are: Customers- They purchase NetLab’s products and ensure business continuity and sales revenue (Agrawal, Kaushik, & Rahman, 2015). Employees- They competently ensure the products reach the consumers and that the goals of NetLab are competently achieved. Communities- They are important as they represent the corporate and brand image. Investors- Investors are important stakeholders as they ensure capital is available for business growth Governments- As stakeholders the government ensure that NetLab operate within the legal business limits. NetLab information technology infrastructure. NetLab has an IT department for provision of tech support, security and network maintenance, and device management. Hardware and infrastructure: The physical components under NetLab are routers, servers, and laptops among others. A sophisticated, well-managed software infrastructure provides reliable security, strong speeds and connectivity, and a satisfying user experience for the clients of NetLab. Currently, the company operates more than 100 datacenters in more than 70 countries. Flow of information and decisions. In NetLab the decision processes are linked, interdependent to together transform inputs into tangible outputs. Executive Executive level decision making in NetLab Inc. involve the tackling of strategic issues and long-term trend for the business. They address non-routine decisions that require judgment, and insight to arrive at a solution (Melone, 1994). The information flows to the lower levels through senior level management for implementation at the lower levels. Business/Process The section managers evaluate and revisit the decision making processes and get sign-off from stakeholders in advance to keep them in the loop. Implementation/Operations Quality Management. Operations managers make decisions aimed at customer satisfaction through quality products. For example, NetLab use several feedback systems that collect customer information, and integrates it in iteration of future computer software products. Process and Capacity Design. The operations managers use extensive automation towards process optimization and capacity streamlining to reduce errors while increasing the levels of operational efficiency. Cybersecurity threats and their management. The common cybersecurity threats are data leakage and theft, phishing attack, and identity theft. Tackling cybersecurity threats. The use of multifactor authentication ensures that hackers do not log into the potential victim’s account and commit identity theft. Cloud Protection- This helps to spot abnormal behavior that would result to data leakage and seals off that gap. Incorporation of privacy principles by NetLab NetLab Inc. has Corporate Privacy and standard Policy to ensure we meet all the privacy commitments. Data Handling Standards provide guidance on how to manage each data type within specific activities. NetLab processes data based on customer guidance and in compliance with applicable security and privacy law and limits collection of customer data (Mylrea, Gourisetti, & Nicholls, 2017). NetLab does not access personal customer but instead protect the data accordingly. The Data Handling Standard specifies how long customer data is retained after deletion or after a customer ends their subscription with NetLab. References Agrawal, A. K., Kaushik, A. K., & Rahman, Z. (2015). Co-creation of social value through integration of stakeholders. Procedia-Social and Behavioral Sciences, 189, 442-448. Melone, N. P. (1994). Reasoning in the executive suite: The influence of role/experience-based expertise on decision processes of corporate executives. Organization Science, 5(3), 438-455. Mylrea, M., Gourisetti, S. N. G., & Nicholls, A. (2017). An introduction to buildings cybersecurity framework. In 2017 IEEE symposium series on computational intelligence (SSCI) (pp. 1-7). IEEE. RUNNING head: OPERATIONAL COMPLIANCE 1 OPERATIONAL COMPLIANCE 2 Students Name Operational security compliance is a necessity in any working cybersecurity environment, as it sets the standard for policy, rule, and guideline regulation. Therein, it is necessary for security professionals to grasp the fundamental aspects of operational compliance if they are expected to be able to manage day-to-day operations that require a different level of compliance throughout a given organization. Why is operational security compliance important? With frequent cases of data breaches even in large companies around the world, maintaining the customer security and privacy not only is a major concern in the finance sector but every other business. In the context of IT security, being compliance means that your organization meets the data standards as far as data privacy and security applies in your specific industry. Being compliant helps to avert fines and penalties - Finance organizations with IT frameworks should know about the current compliance laws that are pertinent to them. These enactments help to ensure the security and protection of individual information gathered by the privately owned businesses (Julisch, 2008). Disregarding these laws can prompt serious fines and punishments, yet firms with hearty security compliance capacities have the chance to stay away from these issues by satisfactorily getting the information they collect. Security Compliance helps to build positively and protect the reputation of the business - Information breaches are turning out to be progressively normal in the 21st century. Bad information breaches have happened more than once over the previous decade. Data breaches causes lots of damage to an organizations standing, sabotage trust between the organization and its clients, and send the message that the organization is deceitful and doesnt find proper ways to ensure the protection and security of its clients. Operational Security Compliance promotes a firm’s data management capabilities- For most IT frameworks in finance sectors, keeping up with consistence with information security guidelines begins with monitoring what sensitive data they hold about clients and fostering the capacities to get to and alter that data in a smoothed out manner. This implies that the organization should know where the information is put away and have the option to get to the information in a convenient design. Effective security compliance strengthens the company culture- Firms that gather information from their clients have a remarkable chance to upgrade their corporate culture through the adoption of state of the art security compliance measures that meet or surpass the guidelines and show industry authority in data security (von Solms, 2005). Organizations can develop an inner corporate culture and an outside corporate personality around the significance that they put on the protection and security of clients, situating their association as one that makes the best decision, approaches security in a serious way, puts resources into the security of clients’ data. It helps to support access controls and accountability- A compelling framework for IT security compliance guarantees that people with the necessary certifications can get to the safe frameworks and data sets that contain sensitive client information. IT firms that execute necessary security compliance frameworks should guarantee that entry to those frameworks is checked at organization level, and that activities inside the framework are logged to such an extent that they can be traced to their starting point (Chatzipoulidis, & Mavridis,2009). Operational problems require there is place some operational solutions, and that an organization is operationally competent. Operational security compliance steps in our organization involves the following: Step one: Establishment of a clear operational security policy. There ought to be clear rules on what administrators are permitted to do and what they are not permitted to do. Escalation ways should be well defined and guided such that there is no progress if an administrator doesnt have the approval needed for a particular activity. The functional security strategy ought to characterize the obligations and approval, just as disciplinary measures if there should arise any breaches. Step two: Clearly defined change management process Each organization running a network ought to make exact processes that characterize and control how changes to the organization are executed. The condition of the equipment, working framework, and setups ought to be observed, and all progressions ought to be logged and executed in a controlled manner. The logs ought to be assessed and checked for expected misconfigurations. Step three: Access controls It is a decent practice to limit entry to organizational devices. This safety effort is normally executed, albeit in a huge number an excessive number of administrators approach network gadgets. Limiting this number to the base measure of administrators fundamentally lessens the danger. Step four: Authorization steps The entrance an administrator ought to be confined to the base access required for the administrator to tackle their work. Much of the time its anything but a smart thought for all administrators to have full-enable access to gadgets. This training can be more hard to carry out particularly on who can and cant enter setup mode (AlKalbani, Deng, Kam, & Zhang, 2017). Step five: system dual control Security control ought not be performed by the same people. In a perfect world, a security bunch controls who approaches what, and an organization then executes the configuration activities. Commonly the logs are constrained by the security bunch. Step six: Security and verification steps The entirety of the above measures are dynamic steps to identify an adjustment of the organization, for example, a setup change. It is additionally conceivable to distinguish strategy infringement by investigating the traffic on the organization, or the condition of dynamic data like routing tables. Step seven: System automation It is highly recommended to automate procedures since people will in general neglect subtleties in log records and comparable steps. When steps are automated, then there is less likelihood to commit errors, despite the fact that if a mistake occurs, it is normally systematic and easy to detect and take corrective measures. List of references Julisch, K. (2008, September). Security compliance: the next frontier in security research. In Proceedings of the 2008 New Security Paradigms Workshop (pp. 71-74). Von Solms, S. B. (2005). Information Security Governance–compliance management vs operational management. Computers & Security, 24(6), 443-447. AlKalbani, A., Deng, H., Kam, B., & Zhang, X. (2017). Information Security compliance in organizations: an institutional perspective. Data and Information Management, 1(2), 104-114. Chatzipoulidis, A., & Mavridis, I. (2009). Evolving Challenges In Information Security Compliance. In MCIS (p. 75). Running Head: BENCHMARK-SMALL TO MEDIUM SIZED BUSINESS 2 Student Name IT is a broad term that encompasses everything that businesses do with computers. Information technology is responsible for developing a businesss communications networks, safeguarding data and information, creating and administering databases, assisting employees with computer or mobile device issues, and a variety of other tasks necessary to ensure the efficiency and security of business information systems (Kiel, Arnold, Collisi & Voigt, 2016, May). The advancement of communication and information technology has emphasized the internets importance in business. The internet is extensively used by businesses to market and promote their products and services. Customer support is provided via the internet, as is information sharing and employee training. Essentially, Internet use has had a variety of consequences in a variety of fields. To begin, the internet has altered the landscape of business. It has resulted in the creation of new business opportunities. From a security standpoint, internet use has a plethora of implications. The issue of intellectual property (IP) rights infringement, piracy, and security breach, among others, has broader implications for the internet, online shopping, basic web presence, vendor-specific portals, vendor-exclusive portals, social media, the Internet of Things, and VPN use. SBM and data protection are inextricably linked to rule and regulation compliance. Noncompliance at any level can have a catastrophic effect on security. Second, the use of the Internet has resulted in a number of implications for intellectual property data protection. Intellectual property (IP) is the result of an individuals ideas, thoughts, intellectual influence, and copyright. Nowadays, legislators and the government, recognizing its strength and scope of operation, have provided it with legal protection against patents, copyrights, trademarks, and design rights. IP can assist SMBs in expanding globally and becoming as large as their competitors in all areas of the business. It is critical to consider third-party vendors, cloud computing, and technological trends. Without addressing them, the consequences will persist and security will be jeopardized. To mitigate the consequences, strong and effective compliance strategies must be implemented. For SMBs, the most significant impact of the internet on the international marketplace is the ability to reach a global platform at a low cost (Wnuk & Murari, 2016, June). A company website can serve as a promotional resource for an organization that is accessible to anyone on the planet. SMBs can use a basic web presence to promote their products, advertise their store, and communicate with their customers. Online shopping is a significant innovation that has benefited industries worldwide, including small and medium-sized businesses. Small and medium-sized businesses (SMBs) account for a sizable portion of the economy, and they heavily rely on electronic information sharing to advance their operations. A vendor-specific portal enables users to track suppliers by diversity category and resource category, providing a clear picture of the companys progress toward multiple internal goals. Additionally, they enable businesses to connect and collaborate online with their third-party suppliers. They are required for any business that works with multiple suppliers, as they provide a simple and secure method for the business and its suppliers to track orders, raise concerns, and communicate, as well as ensure that both parties are on the same page. Vendor-specific portals are a critical component of a vendor management system because they help manufacturing facilities organize their data and improve turn-around times. Businesses can communicate for free with millions of customers worldwide via social media sites. The Internet enables SMB owners to become more mobile by simplifying the process of enhancing the business from anywhere. The Internet of Things and related technologies such as artificial intelligence and machine learning have far-reaching implications. From anywhere in the world, an SMB owner on a business trip can communicate with their office in real time via an online chat feature and share critical information with others. A VPN is an excellent tool for cost-effectively connecting remote offices and employees to an organizations network. Internet use has excess of implications for data protection and intellectual property protection. Intellectual property rights are critical for the development and protection of small business data. IP can aid SMBs in all aspects of business development and management, from brand management to service, product development to design, and from increasing economic resources to exporting or expanding business internationally through IP assignments such as licensing. IP contributes to a businesss value and worth in the eyes of financial institutions and investors. Finally, it is critical that compliance with rules and regulations is effectively monitored at all levels. If this is not done, cloud-based data will be compromised, and third-party vendor channels will be used to circumvent security measures (Kerber, 2016). The technology trend will eventually become synonymous with non-compliance. Each of the areas mentioned above is addressed by a robust compliance mechanism. References Kiel, D., Arnold, C., Collisi, M., & Voigt, K. I. (2016, May). The impact of the industrial internet of things on established business models. In Proceedings of the 25th international association for management of technology (IAMOT) conference (pp. 673-695). Wnuk, K., & Murari, B. T. (2016, June). The impact of Internet of things on software business models. In International Conference of Software Business (pp. 94-108). Springer, Cham. Kerber, W. (2016). Digital markets, data, and privacy: competition law, consumer law and data protection. Journal of Intellectual Property Law & Practice, 11(11), 856-866. RUNNING HEAD: ORGANISATION RISK ASSESSMENT CYBERSECURITY CONTROLS 6 Student Name A Cybersecurity framework describe controls that once fulfilled, are a representation of a completely functional program for cybersecurity. There are various framework controls that serve the needs that exists in various industries. Cybersecurity controls encompass the safeguards that are executed by an organization towards preventing a possible compromise on an electronic information (Thames, & Schaefer, 2017). A compromise on electronic data means any action that lowers the confidentiality as well as integrity of the electronic information. Cybersecurity controls are designed to be either preventive in nature or detective. All the forms of cybersecurity controls prevent, identify, or respond to any forms of breach on electronic information in an organization. When some controls cannot be implemented One of the biggest threats that basically come from personal laptops is connections with other networks. In the instance where a personal laptop is connected to a network whether public or private, protection to that computer is provided by firewall. While it is easy to implement some security controls on stand-alone personal computers, it is a hard task to ensure that your personal computer is securely protected when it is connected to a network (Lin, 2006). The reason being that the available firewall rules may not offer the level of protection required whenever there are threats that result from new malware or changes on the network. Again, some firewalls can be misconfigured and therefore exposing the firewalls to attacks that check for known vulnerabilities from those personal computers. Solutions to the above case highlighted above. Identification is the capacity to establish in a unique way the user of a computer system. Authentication is the way to prove that a user of a system is who they claim to be. Therefore, the authentication scheme refers to what is needed during the entre user identification process. This includes the following: · The system login module stack · The user interfaces that collect all the necessary details for user authentication. Owners of data resources or network resources wishes to verify the correctness of the user, who is trying to access the resources that are stored in diverse location. Identifying a particular user which determines which parts of the resource user is trying to access (Liao, Lee, & Hwang, 2006). Keep tracking unknown uniquely is vital because history is used to provide the details activities of the user. How compensating controls ensure the non-compliant system can continue operating within a secured and compliant environment. A compensating control refers to a mechanism established to ensure the security requirements of a system thought to be extremely hard to implement in the meantime. There are number of compensatory controls that deliver smooth operation of a system that is non-compliant: · Identify diverse locations of data stored and accordingly define compliance scope. · Gain visibility over data as well as control over sensitive and private data. · Periodically keep monitor system security control as well as compliance of the system. · Training and hands-on session about security awareness to all the members working in particular organization (Christ, Masli, Sharp, & Wood, 2015). · Filling of questionnaires on compliance self-assessment is essential without validating some of the security controls. In short, compensating controls remain very important as far as compliance is concerned. However, they are not lifetime solutions and therefore the organization should take back the original control in a short time possible. This should never be a shortcut for organization towards compliance. The likelihood of a cyber security breach within the compliant environment and the impact it might have on the organization. A cybersecurity breach can happen to even the companies that have their systems compliant. Dealing with a data breach can be a very stressful experience for any company. Even when a data breach occurs in an environment that is compliant, the issue should be taken seriously and treated as one that be dealt with well.  Cyber Threats Cyber threats are a cyber security event which causes harm inside the system. Some of the example of cyber threats are phishing attack which enable an attacker to install malicious software such as Trojan and stealing private data from users application, second one is when an system administrator leaving deliberately data which leads to data breach. Vulnerabilities Major weaknesses in a particular system is known as a vulnerability. Vulnerabilities essentially, make threat which is very dangerous for the system. Any system must be exploited via a single vulnerability, take an example of single SQL Injection attack, which gives full control to attacker on private and sensitive data. Risks A cyber security risk is collection of threat probability and loss that can happen in a particular system. One example of the risk is private and sensitive information theft is biggest threats which SQL injection can enable. Any kind of cyber security breach can impact an organization negative in the following ways. Destruction of the brand reputation- A security breach can have a long-term effect on the reputation of any brand not just the revenue streams. For instance, any breach on the information about customer payment details may violation of privacy and customers or even those potential will find it hard to trust a firm with history of not protecting their data against invasion by unauthorized persons (Haislip, Kolev, Pinsker, & Steffen, 2019). Intellectual Property loss- Revenue loss plus damaged organizational image is a big deal for any organization. However, hackers also target at designs, strategies, and blueprints of companies. A loss of an intellectual property negatively impacts the trustworthy and respect of your firm thus the competitors get some undue advantage. List of references Lin, P. P. (2006). System security threats and controls. CPA JOURNAL, 76(7), 58. Thames, L., & Schaefer, D. (2017). Cybersecurity for industry 4.0. Heidelberg: Springer. Liao, I. E., Lee, C. C., & Hwang, M. S. (2006). A password authentication scheme over insecure networks. Journal of Computer and System Sciences, 72(4), 727-740. Christ, M. H., Masli, A., Sharp, N. Y., & Wood, D. A. (2015). Rotational internal audit programs and financial reporting quality: Do compensating controls help?. Accounting, Organizations and Society, 44, 37-59. Haislip, J., Kolev, K., Pinsker, R., & Steffen, T. (2019). The economic cost of cybersecurity breaches: A broad-based analysis. In Workshop on the Economics of Information Security (WEIS) (pp. 1-37). Running Head: EXECUTIVE SUMMARY 1 EXECUTIVE SUMMARY 2 3 Student Name EXECUTIVE SUMMARY Weaknesses and Risks Identified The MECSS lacks fulltime staff to handle the procurement duties and those available are overloaded out of other responsibilities and duties. The department still does not have people with adequate capacity to come up with complex specifications that can be associated with procurements of civil works or even execute the administration of active contracts. Furthermore, the MECSS do not have proper capacity to design good terms of reference (TORs), RFPs, and proper evaluation of available expressions of interest among other important documentation (Dixit, Srivastava, & Chaudhuri, 2014). This inability to perform these duties as required occasionally lead to delays in the procurement processes as well as contracting and end up delaying the overall delivery periods of the actual, works, and services. There are no properly constituted teams to handle matters that relate to monitoring warranties and defect periods for assets categorized as high value assets. This is an indication that MECSS may not fully benefit from the total value for warranties on assets. The MECSS lacks properly detailed procedures and well trained and qualified staff who would carry out monitoring of the complex civil works contracts. It is worth to note that budgets for any civil works and payment disbursements require proper tracking and recording to ensure there are no unwanted cost overruns and that the civil works are completed in good time. The other weaknesses identified concern the MECSS asset management and receipt of goods and the subsequent control methodologies. There are however chances for improving the tracking of assets as a step towards improved service delivery. Recommended management Measures to be taken The PIU must engage a procurement specialist who possess good understanding of the procurement procedures for complex civil works. The ADB can review the TOR of that procurement specialist and guide on the recruitment as well as the selection process. Training on the successful personnel shall be done to equip them with the processes and necessary guidelines on consultant and project coordination baselines. Through the support of the PIU, the specs and designs plus the bill of quantities shall be done by local engineering firms that have the necessary capacity with the input of the engineering and procurement specialist. The procurement team shall also help in the preparation of TORs and RFPs, and evaluation of the proposals attached to such as the EOIs, and financial proposals. Proper monitoring of the contracts shall be done with adequate supervision being offered throughout the project life. Furthermore, the PIU shall be responsible for the monitoring of the way the consultants work and follow up to ensure they deliver as per the terms of the contracts awarded to them. The DB shall be responsible to review and document the performance of all the contractors as well as suppliers (AHMED, 2012). The risk assessment (PRA) was conducted with the main consideration being the organizational and staff capacity, how the information is managed, practices that relate to procurement and what their effectiveness, and accountability were. Organization and Staff Capacity The MECSS creates a procurement committee especially or every major procurement and whose chairman is an Investment Officer seconded from the department of Finance and Economics. This is the person charged with overseeing the investments in that area. This committee comprises of officers appointed by the secretary by virtue of their technical knowledge having worked in similar projects in other government agencies. A project implementation unit was also established to help in the management of the activities of the project daily. The PIU shall comprise if project coordinator, an accountant, a procurement person, engineer among other professionals. Information Management The MECSS has come up with good procedures to ensure that storage of documents is safe and well organized. The documents of the project are kept in archives for a period of 10 years and they usually have an electronic back up of the data (Gray, & Hughes, 2007). All the documents are handled securely so that there is enough transparency in the whole procurement and project implementation period. The properly kept documents are also availed on the request of the auditors. Practices related to the procurement of goods and services. The procurement procedures of the MECSS comply with the financier guidelines and follow the guidelines laid down by the ADB. The MECSS will require some experienced procurement specialist who would be responsible in the management if the procurements and recruitments for the consultants. The engineer on the PIU shall also be helpful in the development of the specifications and monitoring the general compliance of the contract. List of references AHMED, Y. (2012). Risk Assessment of Construction Projects and Development of a Software (Doctoral dissertation, Shahjalal University of Science & Technology). Dixit, V., Srivastava, R. K., & Chaudhuri, A. (2014). Procurement scheduling for complex projects with fuzzy activity durations and lead times. Computers & industrial engineering, 76, 401-414. Gray, C., & Hughes, W. (2007). Building design management. Routledge. Question Good Evening Professor,  Is this final report supposed to combine all the other reports we have completed in weeks 1, 3, 4, 5. 6, and 7 into one final report due in week 8 or is it supposed to be all original work? According to the Report Guide we are supposed to use to complete the assignment, it is broken in sections listed below.  Section I: Executive Summary: which we are doing in week 7 Section II Organizational Objectives and Priorities: We completed this in Week 2. Section III Operational Compliance and Risk Assessment: We completed this in Week 4  Section IV Response and Recovery Planning Section V: Improvements and Recommendations: Completed a portion of this in Week 6 If we are supposed to combine all the work we have already done in this class, is that ok to do to complete this assignment.  Sorry for the long question, just looking for clarification.  Thank you  Response:- Re: Benchmark - Framework Compliance Report Harry, you combine all the previous weeks work into a single report. What you have is excellent in the layout. Any questions please let me know.