Multiple choice questions
Managing Risk in Information Systems
Lesson 10
Planning Risk Mitigation Throughout Your Organization
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective and Key Concepts
Learning Objective
Describe concepts for planning risk mitigation throughout an organization.
Key Concepts
Identifying the scope of a risk management plan
Best practices for planning risk mitigation
Ways to prioritize risk management requirements
Where Should Your Organization Start with Risk Mitigation?
Identify assets
High, medium, low
Identify and analyze threats and vulnerabilities
Evaluate the controls to determine what controls to implement
As discussed earlier, you should use asset management to identify assets and then establish their importance to the organization. Then you analyze threats and vulnerabilities and evaluate controls.
Scope of Risk Management
Critical business operations
Customer service delivery
Mission-critical business systems, applications, and data access
Seven domains of a typical IT infrastructure
Information systems security gap
The scope of the risk management plan identifies which areas are of concern.
Critical business operations are those that keep the company solvent. We use a Business Impact Analysis (BIA) to identify the impact on the business. One of the key elements of the BIA is identifying costs and their impact on the services provided to the customer and on the functioning of the organization.
A large part of the BIA is data collection from reports and employee interviews. One measurement is the Maximum Acceptable Outage (MAO), which identifies the maximum time a system or service can be down before the company’s mission is impacted. The MAO is also called the Maximum Tolerable Outage (MTO) or the Maximum Tolerable Period of Disruption (MTPOD).
Customer service delivery looks at the services provided to customers. One tool available is the Service Level Agreement (SLA). The VA Automation Center uses SLAs to negotiate acceptable downtimes with its customers; if a system exceeds the agreed downtime, the agency pays the customer a penalty.
Mission-critical systems are those critical to the organization. You identify any system, application, or data access that is a Critical Business Function (CBF), a function that is vital, or a Critical Success Factor (CSF), an element that is vital to the mission.
Once these are identified, we use the seven domains of a typical IT infrastructure to look at risks.
Remember that the information systems security gap is the difference between what existing controls handle and what has previously been identified as needed. Gap reports are used when dealing with legal compliance and are extremely important. These reports should be paired with a solid remediation plan.
Understanding/Assessing Impact of Legal and Compliance Issues
Compliance is a mitigation control
Assessing the impact of compliance issues:
Identify what compliance issues apply to the organization
Assess the impact of those issues on business operations
It is important that companies understand and achieve compliance with a number of laws and policies. By achieving compliance, you mitigate risk.
The first step is to identify all applicable compliance issues. Then you determine the impact of those compliance issues on business operations.
Legal Requirements, Compliance Laws, Regulations, and Mandates
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley Act (SOX)
Federal Information Security Management Act (FISMA)
Family Educational Rights and Privacy Act (FERPA)
Children’s Internet Protection Act (CIPA)
Payment Card Industry Data Security Standard (PCI DSS)
There are a number of legal requirements, compliance laws, regulations, and mandates that affect businesses:
HIPAA applies to companies that handle health information.
SOX applies to publicly traded companies.
FISMA applies to federal agencies.
FERPA applies to educational institutions receiving federal funding.
CIPA applies to schools or libraries that receive federal funding.
PCI DSS applies to companies that accept credit card payments.
Understanding Operational Implications of Legal and Compliance Requirements
Let’s look at each of these in terms of operational impact:
HIPAA penalties range from $100 per violation to $25,000 per year. HIPAA compliance is an expensive task because of the sensitivity of the data. Use of health information is restricted: it cannot be released without consent and must be protected during transmission.
SOX requires companies to take extra steps to ensure the accuracy and integrity of data.
FISMA requires agencies to identify, certify, and authorize the operation of IT systems.
FERPA limits the sharing of student records. There are separate rules for students who are considered minors (under 18) versus those who are older. This often causes confusion for parents who want access to their child’s records.
CIPA provides funding discounts, but identifying problems and filtering content is a challenge.
PCI DSS is complicated by a large number of principles and requirements related to secure networks, cardholder data, vulnerability management, strong access controls, monitoring and testing networks, and information security policies.
HIPAA
SOX
FISMA
FERPA
CIPA
PCI DSS
Identifying Risk Mitigation and Risk Reduction Elements
The book reminds us that we have been concentrating on individual assets, but it is important to consider the macro view of the organization. A security policy is created for and by senior management.
Account management controls cross all functions and departments within an organization. Each user is assigned a separate account, accounts are disabled when an employee leaves, and passwords are changed regularly and must meet strong standards.
Access controls are managed by a centralized process and affect all groups of systems.
Physical access controls protect valuable assets through locks and other controls.
Personnel policies apply to all employees and include separation of duties; they apply to all positions within the organization.
Security awareness is an organization-wide effort to train everyone on security. Other specialized training is geared to large groups of people.
Account management controls
Access controls
Physical access
Personnel policies
Security awareness and training
Performing a Cost-Benefit Analysis
Compare cost of control to cost of risk if it occurs
Calculating projected benefits:
Loss Before Control − Loss After Control = Projected Benefits
Determining if control should be used:
Projected Benefits − Cost of Control = Control Value
A cost-benefit analysis (CBA) is critical in evaluating controls. The CBA requires two inputs: the cost of the control and the benefit of the control.
Projected Benefits = Loss before the control was applied minus the loss after the control was applied.
Then you calculate the control’s value by subtracting the cost of the control from the projected benefits.
If the control’s value is positive, the control is worthwhile.
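As an added example (not from the textbook or these slides), the two formulas applied in Python to a constructed set of candidate controls with hypothetical figures; it also ranks the worthwhile controls by control value, one way to prioritize risk management requirements, and shows that a control with a larger projected benefit can still fail the CBA when its cost exceeds that benefit.

```python
"""Cost-benefit analysis (CBA) of candidate controls, using the slide's formulas:

    Projected Benefits = Loss Before Control - Loss After Control
    Control Value      = Projected Benefits - Cost of Control

A control is worthwhile only when its Control Value is positive.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    loss_before: float  # expected loss with no control in place
    loss_after: float   # expected residual loss once the control is applied
    cost: float         # cost to implement and operate the control


def projected_benefit(control: Control) -> float:
    """Loss Before Control - Loss After Control."""
    return control.loss_before - control.loss_after


def control_value(control: Control) -> float:
    """Projected Benefits - Cost of Control."""
    return projected_benefit(control) - control.cost


def prioritize(controls):
    """Split controls into worthwhile (value > 0, highest value first)
    and rejected (value <= 0); the rejected list documents the CBA
    justification for not implementing a control."""
    accepted = sorted((c for c in controls if control_value(c) > 0),
                      key=control_value, reverse=True)
    rejected = [c for c in controls if control_value(c) <= 0]
    return accepted, rejected


# Constructed, hypothetical annual figures in dollars (not from the textbook).
SAMPLE_CONTROLS = [
    Control("Offsite backups", loss_before=120_000, loss_after=20_000, cost=15_000),
    Control("Web application firewall", loss_before=80_000, loss_after=50_000, cost=40_000),
    Control("Badge readers for server room", loss_before=30_000, loss_after=5_000, cost=10_000),
    Control("Full-disk encryption on laptops", loss_before=60_000, loss_after=10_000, cost=8_000),
]

if __name__ == "__main__":
    accepted, rejected = prioritize(SAMPLE_CONTROLS)
    for c in accepted:
        print(f"IMPLEMENT {c.name}: benefit {projected_benefit(c):,.0f}, value {control_value(c):,.0f}")
    for c in rejected:
        print(f"REJECT    {c.name}: benefit {projected_benefit(c):,.0f}, value {control_value(c):,.0f}")
```

In the sample, the web application firewall has a larger projected benefit than the badge readers yet is rejected, because its cost exceeds that benefit.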
Risk Mitigation Best Practices
Review historical documentation
Although risks change, many of the threats and vulnerabilities will be the same
Include both a narrow and broad focus
Identify specific risks and mitigation strategies and broaden the focus to include the entire organization
Risk Mitigation Best Practices
Ensure that governing laws are identified
If you don’t know what laws apply, you won’t be in compliance
Redo risk assessments (RAs) when a control changes
If a control changes, the original RA is no longer valid
Include a cost-benefit analysis
CBAs provide justification for controls and help determine their value
Summary
Identifying the scope of a risk management plan
Best practices for planning risk mitigation
Ways to prioritize risk management requirements