Large organizations tend to spend a great deal of resources on implementing security measures to keep their information assets safe, but the writer states that there is little awareness of this aspect in non-profit organizations, which have very limited resources and IT budgets.
The author of the chosen paper, Fox (2008), understands the constraint of limited budgets in non-profit organizations and therefore devised a methodology that would not place any strain on their finances. The following aspects are considered in the development of the methodology: inexpensive or free software components that are compatible with Microsoft, no new infrastructure risk being introduced into the system, and tools that are simple enough to be operated by volunteers after only a few training sessions.
The methodology proposed by the author involves a series of steps that should be followed to ensure that the non-profit organization understands the risks that might be present in its IT infrastructure. Fox (2008) proposed the following steps:
The series of steps for the risk assessment process is detailed and covers some of the basic considerations that belong in a conventional risk assessment, for example, the views of top management regarding the important data that should be safeguarded and who should be authorized to access that data. However, implementing the methodology requires the assessor to have knowledge of UML, which might pose a challenge for the volunteers in a non-profit organization. Considerable training is required to acquire the skill of framing real-life situations in a UML model.
Another aspect of the paper that could have been explained more clearly involves the COBIT and NIST 800-30 security standards. The methodology is claimed to be based on these security standards, but the