Risk Management in Information Technology Security STUDENT

Project: Risk Management Plan

 

Deliverables

Introduction:

As discussed so far in this course, risk management is an important process for all organizations. This is particularly true in information systems, which provide critical support for organizational missions. The heart of risk management is a formal risk management plan.

This activity allows you to fulfill the role of an employee participating in the risk management process in a specific business situation.

Scenario:

You are an information technology (IT) intern working for the Defense Logistics Information Service (DLIS) in Battle Creek, Michigan. DLIS is an organization within the Defense Logistics Agency (DLA), which is the largest logistics combat support agency for the Department of Defense. DLIS creates, manages, and disseminates logistics information to military and government customers using the latest technology.

Senior management at DLIS decided that the existing risk management plan for the organization is out of date, and that a new risk management plan must be developed. Because of the importance of risk management to the organization, senior management is committed to and supportive of the project to develop a new plan. You have been assigned to develop this new plan.

Project Part 1

Project Part 1 Task 1: Draft Risk Management Plan

For the first part of the assigned project, you must create an initial draft of the final risk management plan. To do so, you must:

1. Develop and provide an introduction to the plan by explaining its purpose and importance.

2. Create an outline for the completed risk management plan.

3. Define the scope and boundaries of the plan.

4. Research and summarize compliance laws and regulations that pertain to the organization.

5. Identify the key roles and responsibilities of individuals and departments within the organization as they pertain to risk management.

6. Develop a proposed schedule for the risk management planning process.

7. Create a professional report detailing the information above as an initial draft of the risk management plan.

Write an initial draft of the risk management plan as detailed in the instructions above. Your plan should be made using a standard word processor format compatible with Microsoft Word.

After creating an initial draft of the risk management plan, the second part of the assigned project requires you to create an initial draft of the final RA plan. To do so, you must:

1. Develop an introduction to the plan explaining its purpose and importance.

2. Create an outline for the completed RA plan.

3. Define the scope and boundaries for the plan.

4. Research and summarize RA approaches.

5. Identify the key roles and responsibilities of individuals and departments within the organization as they pertain to RA.

6. Develop a proposed schedule for the RA process.

7. Create a professional report detailing the information above as an initial draft of the RA plan.

Project Part 1 Task 3: Risk Mitigation Plan

Senior management at DLIS decided that the risk manager and his/her team should continue and develop a risk mitigation plan based on inputs provided by the team in earlier project deliverables. Management has also allocated funds for a risk mitigation plan. Because of the importance of risk management to the organization, senior management is committed to and supportive of the project to develop a new plan. You have been assigned to develop this new plan.

Project Part 2

Project Part 2 Task 1: Introduction and Business Impact Analysis Plan

As discussed so far in this course, risk management is an important process for all organizations. This is particularly true for information systems, which provide critical support for organizational missions. The heart of risk management is a formal risk management plan.

This part of the project is a continuation of Project Part 1, where you prepared an RA plan and a risk mitigation plan for the DLIS. Senior management at DLIS decided that the risk manager and his/her team should continue and develop an RA plan based on inputs provided by the team in earlier project deliverables. Management has also allocated funds for a risk mitigation plan and a BIA plan. Because of the importance of risk management to the organization, senior management is committed to and supportive of the project to develop a new plan. You have been assigned to develop this new plan.

Project Part 2 Task 2: Business Continuity Plan

After having reviewed and being impressed by your Project Part 1 on Risk Management, the senior management at DLIS decided that your team must also develop a BCP as your team is doing so well. Management has also allocated all funds for a BCP and your team has their full support, as well as free rein to call on any of them for participation or inclusion in your BCP plan. You have been assigned to develop this new plan after taking into consideration the following additional information on DLIS IT infrastructure.

DLIS has a global reach and at least 50 file servers and various databases (12) running everything from an enterprise resource planning (ERP) system to the organization payroll system that has an electronic funds transfer (EFT) capability. Other things worth noting are a warm site within 50 miles of the headquarters data center. No plans exist for it. You will want to use it in your BCP planning. Currently back-ups are done with an outside vendor. However, your team will want to recommend a new process (vendor), and develop a new back-up plan for approximately five terabytes (TB) of critical classified data. Do not forget to develop a testing plan for your team’s BCP.

You can refer to the following additional resources that will help you and your team to develop a BCP:

ISO References:

- ISO/IEC 22399:2007 Guideline for incident preparedness and operational continuity management.

- ISO/IEC 24762:2008 Guidelines for information and communications technology disaster recovery services.

 

Project Part 2 Task 3: Disaster Recovery Plan

Your project on risk management up to this point has been liked and appreciated by the senior management at DLIS. They now want you to develop a DRP in order to overcome any mishaps that might occur in the future. Use your research on NIST templates to develop a DRP plan for DLIS.

Project Part 2 Task 4: Computer Incident Response Team Plan

By now you should have developed an RA, BIA, BCP, DRP, and a risk mitigation plan.

In this Unit you will create a CIRT plan for DLIS after having learned the concepts of CIRT. Remember that the DLIS headquarters (HQ) handles all incidents, so the plan will have its roots at HQ. After creating the CIRT plan you will have to compile the completed set of your risk management plan together for final submission of the project. Make sure to incorporate your instructor’s feedback in your final set of risk management plans.

Risk Management Plan Final Submission

After creating the CIRT plan, compile all project parts and submit to your instructor. Make sure to incorporate your instructor’s feedback on the previous submissions in the final risk management plan.
