Discussion
Managing Risk in Information Systems
Chapter 4
Developing a Risk Management Plan
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Components of Risk Management
The remainder of the course deals with the specific components of Risk Management, which include Risk Assessment and its components and Risk Control and its components.
South Texas University – Case Study
A Gulf Coast university is threatened by hurricanes every 7 years. Because the campus is located inland, high winds are the major concern, and windows are covered to minimize wind damage. A severe hurricane could still flood the university grounds.
The University conducted an independent audit of its Network and Enterprise systems and put controls into place to protect its infrastructure and minimize risks to its operations. These include the University’s Web Servers, Email Servers, Enterprise Systems and other Administrative IT systems. These systems are under a Risk Management Plan and are considered protected.
The new Information Systems Security Manager has now been charged to conduct a walk-through of the campus to identify other automated systems that may be at risk.
University Computer and Data Center
Is housed on the 1st floor of a classroom building
The exterior walls do not have windows, but the interior walls have windows that face the building's hallway
Electricity for the computer room comes from the feed for the entire building, so an overloaded circuit elsewhere in the building may lead to a power outage
There are no UPS systems
The A/C system feeds the entire building and may not be sufficient to keep the building adequately cooled
During summer fans are used to cool the equipment
The entryway to the computer room has a Break Room
a Coffee Pot and Microwave are located in the Break Room
Access to the Computer room uses Key Cards issued to authorized personnel only
The Computer Room has raised floors
A sprinkler system runs across the ceiling, but the sprinkler heads are capped
There is no fire suppression system
Other University Systems
Enrollment Management is housed in an old 2-story library
Cubicles are used to process student records and cannot be locked
Customers can wander into these areas when staff are not present
Front counters are used to query and update student records and are sometimes left unmanned
Servers are housed in offices that are rarely locked and have windows
Some System Admins work for the CIO but have offices in Enrollment Management
One System Admin has no Security training and works for Enrollment Management
Data extracts from the Report server include the National ID
Electricity is provided to the entire building but may not be stable.
Sprinkler systems provide fire protection.
Other University Systems
The University has 5 colleges located in separate buildings
Each College maintains its own server(s) to track programs, research and other initiatives
Colleges use existing staff and student workers to manage their servers (typically computer science students)
Servers are stored in offices and the doors are rarely locked and the rooms often have multiple windows
Electricity is provided to all buildings and no UPS systems are used
Sprinkler systems provide fire protection.
The University includes a completely independent Research facility housed in a state-of-the-art building on campus
Maintains its own hardware, software and systems with NO oversight from the CIO and the IT professionals.
Objectives of a Risk Management Plan
A list of threats
A list of vulnerabilities
Costs associated with risks
A list of recommendations to reduce the risks
Costs associated with recommendations
A cost-benefit analysis
One or more reports
We discussed in earlier chapters that the university I worked at in South Texas had a problem with security breaches when faculty downloaded data to a flash drive and lost the drive. The University hired a new Information Systems Security Manager to begin working on resolving the issues that led to this security breach by creating a Risk Management Plan, which would be made up of the items listed on this page.
The manager started by walking around the campus to identify systems that were being used. During this walkthrough, the manager looked for weaknesses and threats, began thinking about what it would require to manage these risks and formulating a plan.
Scope of Plan Dimensions
Extent the plan will be organized
Level of implementation
Range of view and outlook
Degree of application and operation
Measurement of effectiveness
Looking at the information collected in the first slides, the Information Systems Security Manager identified some of the weaknesses and threats.
Looking through the list, we find four broad areas: 1. the computer and data center; 2. the systems located across the campus; 3. the open work areas in Enrollment Management; and 4. the independent Research Institute.
The manager decides to limit the Scope (boundaries) to the computer and data center as well as the systems located across the campus. The open work areas in Enrollment Management could be handled by a general statement to the entire campus about security and by providing training. The research institute would be a project on its own because of its size and political considerations. It has the potential to become very complex and lead to more and more risks that would have to be addressed – this would lead to ‘scope creep’ and potentially derail the project.
Simply correcting problems with the computer and data center would require a number of changes to operations and policies within IT. Addressing problems with the campus-wide servers would require extensive discussions with their owners and IT and management (the stakeholders). These discussions often lead to strong opinions about ownership and buy-in and may require senior management to intervene and make decisions that are not always easily accepted.
Creating a Plan
Risk management plans can be simple or complex
Dependent on:
Organization size
Business functions
Assets
Important to get input from multiple roles within the organization
In the example chosen for this chapter, the scope is simplified for our discussion but often Risk Management Plans are very complex and require a great amount of time and people-resources to accomplish.
Larger organizations may have the people-resources to develop an extensive and all-inclusive plan that covers the huge inventory of IT assets. These plans will typically be more complex. Smaller organizations will not have the people resources nor the IT assets so their plans will be less complex.
Risk Management should concentrate first on business functions that are most critical and lead to the most significant loss.
Finally, some businesses depend extensively on IT and must protect their large investment in equipment, while other organizations have limited IT assets.
When developing a plan, do not limit input from organizational elements that are impacted by the loss of the assets. Not only do they have the broad knowledge needed to provide the best solution but buy-in to any solution is critical to marketing the solution and gaining management acceptance.
9/18/2016
Assignment of Responsibilities
Align resources
Assign responsibilities
Evaluate relationships
Let us consider the Enrollment Management and College server issues. Responsibility for the Project Management role would be assigned to the Information Systems Security Manager who is tasked to resolve the problems.
The stakeholders include the owners of the servers, the users of the systems and the administrators of the systems. The owners include the Asst. V.P. of Enrollment Management and the Deans, who spent their own funds to buy the hardware and software. They also own the data that is stored on these devices and that is used to help them complete their mission. More important are the Custodians of these systems: the people who must ensure the systems are secure and the data is protected.
The Enrollment Manager and Deans will typically assign expert users to be part of the planning team along with their respective System Administrators. Key is to assign at least one decision-maker from each area who will protect the interests of their managers. The CIO will assign System Administrators who will function as the future Custodians of the system and serve as consultants. The team members will typically meet a number of times to identify, assess and find ways to mitigate the risks. The Project Manager not only ensures the team stays on track and is productive but also serves as an expert on the risk management process and the decision maker for the CIO.
Affinity Diagram for the Other University Systems
| Vulnerabilities | Threats | Recommendations |
|---|---|---|
| Servers housed in offices that are rarely locked and have windows | Servers can be stolen | Move Servers to Computer Data Center |
| Unstable Electricity | Servers can be destroyed by vandals | Train System Administrators |
| Water Sprinkler System | Servers can be destroyed by wind damage | Prevent National ID from being downloaded |
| System Admin has no Security training | Servers can be destroyed by power spikes | |
| National ID included in download extracts | Servers can be destroyed by water from sprinkler system | |
| | System Admins do not know how to protect the server, software and data | |
| | National ID downloaded and stolen | |
Looking again at the Other University systems, we notice there are 5 Vulnerabilities and three of these deal with the server, one with the Systems Administrator and one with the reporting server data downloads.
These vulnerabilities are tied to 7 Threats and five of these deal with the server.
Moving the servers to the Computer Data Center that is already a secure environment is the simple solution.
Training the System Administrators, employed by Enrollment Management and the Deans, makes them aware of their security duties while allowing the owners to retain personnel responsible for supporting their specific missions.
Removing the National ID, which is not needed, is another simple solution.
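As an added example (not code from the textbook or from the case-study university's report server), the following Python shows one way the report extract could be rewritten so the National ID never leaves the report server: the export keeps only an allow-listed set of columns, and a second check scans the finished file for anything shaped like a National ID before it is released. The column names, the sample records and the nine-digit identifier shape are constructed for illustration.

```python
"""Report extract with the National ID removed.

Added example for this chapter; not code from the textbook or from the
case-study university's report server. Column names, the sample records and
the nine-digit identifier shape are constructed for illustration.
"""
import csv
import io
import re

# Columns a report extract may contain. The National ID is deliberately not
# listed: an allow-list drops it, and also drops any sensitive column that is
# added to the report query later, by default.
ALLOWED_FIELDS = ("student_id", "last_name", "first_name", "program", "term_gpa")

# Constructed rows standing in for what the report query returns today.
SAMPLE_ROWS = [
    {"student_id": "S10001", "national_id": "123-45-6789", "last_name": "Garza",
     "first_name": "Ana", "program": "CS", "term_gpa": "3.8"},
    {"student_id": "S10002", "national_id": "987654321", "last_name": "Reyes",
     "first_name": "Luis", "program": "BIO", "term_gpa": "3.1"},
]

# Nine digits, optionally split 3-2-4 by a dash or space. Constructed format;
# adjust to the real identifier before relying on it.
NATIONAL_ID_RE = re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b")


def export_extract(rows, allowed=ALLOWED_FIELDS):
    """Return the rows as CSV text containing only allow-listed columns."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(allowed),
                            extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({col: row.get(col, "") for col in allowed})
    return buf.getvalue()


def find_national_ids(text):
    """Values in the text shaped like a National ID. A release-time check
    behind the allow-list, not a substitute for it."""
    return NATIONAL_ID_RE.findall(text)


def release_extract(rows, allowed=ALLOWED_FIELDS):
    """Build the extract and refuse to hand it out if the check trips."""
    extract = export_extract(rows, allowed)
    leaked = find_national_ids(extract)
    if leaked:
        raise ValueError(
            f"extract holds {len(leaked)} National ID-like value(s); not released")
    return extract


if __name__ == "__main__":
    print(release_extract(SAMPLE_ROWS))
```

The allow-list is the control that actually implements the recommendation; the pattern check is only a backstop for the case where someone re-adds the column, and it will miss identifiers stored in an unexpected format or split across fields, so its pattern has to be tuned to the real identifier.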
Describing Procedures and Schedules for Accomplishment
Include a recommended solution for any threat or vulnerability, with a goal of mitigating the associated risk.
The solution will often include multiple steps.
Looking at the previous slide, there are three recommended solutions to mitigate the risks.
Move Servers to the Computer Data Center
Train the System Administrators
Prevent the National ID from being downloaded
Each of these recommendations will require a number of steps and may not be easily and quickly accomplished. It will take time to detail the steps needed.
Describing Procedures and Schedules for Accomplishment
Describe each step in detail.
Include a timeline for completion of each step.
Remember:
Management is responsible for choosing the controls to implement.
Management is responsible for residual risk.
This is where the team of users, Systems Administrators and others can provide guidance while generating buy-in to the eventual solution. The team will be responsible for expanding each recommendation to determine how complex the solution will be and what steps must be taken. There may be cases where the entire team isn't involved in each recommendation; only those who are stakeholders in the recommendation will need to be involved.
Eliminating the National ID involves the users so the Project Manager would meet individually with them to determine the process.
Moving the servers and training of the System Administrator will not require input from the users so they can be excluded from this discussion.
Once the details are documented and the team agrees to the steps, the team must estimate the time it will take to implement. In addition, the day-to-day operations must be analyzed so that a timeline can be established that does not impact operations.
Next, management can be briefed on the Controls and any Residual risks that may remain after the plan is implemented. Management must agree to the recommendations and trust their team members represent their mission goals and requirements. Remember that in this case, management includes not only the Asst. V.P. for Enrollment Management and the Deans but also the CIO who has the responsibility to defend the interests of the University’s security policies.
Reporting Requirements
Present recommendations
Document management response to recommendations
Document and track implementation of accepted recommendations
Create plan of action and milestones (POAM)
Typically the Project Manager is responsible for presenting the recommendations to management; however, if a decision-maker was assigned to the team by the Enrollment Manager or a Dean, they may also be invited to ensure the presentation covers all critical points.
The Project Manager also ensures any decisions made are documented and any exceptions or follow-on questions are documented.
If the plan or any portion of the plan is accepted, the Project Manager develops a detailed Plan of Action and Milestones (POAM), in the form of a project management plan, to implement the recommendations and track the progress of the change.
If the plan or any portion of the plan is rejected, the decision is noted.
If the plan or any portion of the plan is deferred, the Project Manager works with management to eventually change that decision into either an acceptance or rejection.
Reporting Requirements (Cont.)
Report should include:
Findings
Recommendation cost and time frame
Cost-benefit analysis
Reports are often summarized in risk statements
Use risk statements to communicate a risk and the resulting impact
Although the final report may be very extensive, Project Managers usually brief the managers together as a group to allow them to discuss and consider the recommendations and the impact on their organization. It is assumed that these managers have already discussed the recommendations with their respective team members to judge whether they should accept, reject or defer the plan or parts of the plan. This is why it is critical to ensure the team members buy-in to the recommended solutions.
Depending on the level of management, the meeting may be very short and the briefing may be very concise. If the president is involved in the decision, there may be only a few minutes to hear and decide. If a lower level manager makes the decision, then there may be more time for presentation and discussion.
Managers need to know how much it will cost and what the cost-benefit of the solution is. In the case of the servers, moving them may be relatively inexpensive, requiring staff hours more than new spending. Training the system admins may simply mean taking a previous training presentation off the shelf. Removing the National ID may require rewriting the reporting solution, which again costs staff hours rather than actual funding.
In the case of the servers, the report would use risk statements to communicate the risk – what is the cause (threat), what is the criteria (vulnerability/weakness) and what is the effect (the risk).
Using a Cause and Effect Diagram
| | Cause/Threat | Criteria/Vulnerability | Effect |
|---|---|---|---|
| Server risk | Theft | Room unlocked | Loss of server |
| Server risk | Destruction | Object breaks through window | Loss of server |
| Data risk | Destruction | Untrained SysAdmin | Loss or compromise of critical data |
| Data risk | Data breach | Download of National ID | Loss or compromise of critical data |
These Cause and Criteria, or Cause and Effect, diagrams visually show the basic problems.
When the room is unlocked, the server can be stolen or destroyed and the server will be lost.
During a wind storm, objects can break through the window and the server can be destroyed and lost.
An untrained System Administrator can destroy or fail to protect the data on the server and it will be lost.
The download of the National ID can result in a data breach and the data can be lost or compromised.
Plan of Action and Milestones (POAM)
A document used to track progress
Used to assign responsibility and to allow management follow-up
Is a living document
Earlier we said the team needs to provide a detailed list of steps needed to accomplish the plan. The plan is often broken down into work elements. In our example, there would have been a large number of steps for the work elements needed to “move the server”. There would be a large number of steps for the work elements to “eliminate the downloading of National ID numbers”. There would probably be a small number of steps for the work elements to “training the systems administrators”.
Within each work element, when the last step is finished, it is considered a Milestone for that work element. A plan may have so many steps, called tasks, that you might break it down into segments, each with its own milestone. For example, for 'eliminate the National ID', the steps needed to rewrite the program would end with a 'Program rewritten' milestone. Then the steps needed to test the new program would end with a 'Testing completed' milestone, and so on.
Plans of Action and Milestones (POAMs) vary in structure and content. The example shown in the book shows Work Elements, Responsible person and Milestone dates. Some POAM documents are actually Project Management Plans that include many rows identifying every step/task, grouped by work elements that end with a milestone. Typically the PM Plan includes columns for a Task #, Task Name, Time to complete the Task, task(s) that must be done before this one (predecessors) and the resources (people, etc.) needed to complete the task. Since these Plans are often very complex, the team may forget a task or step and add it to the plan later: it is a living document.
Project Management (PM) Plan
MOVE SERVERS

| Task # | Task Description | Duration in Hours | Predecessor | Resource |
|---|---|---|---|---|
| 1 | Identify Enrollment Management servers to be moved | 40 | | EM-SysAdmin |
| 2 | Identify software running on the servers | 80 | 1 | EM-SysAdmin |
| 3 | Identify peripherals connected to server | 40 | 1 | EM-SysAdmin |
| 4 | Identify wireless/wired configuration | 40 | 1 | EM-SysAdmin |
| 5 | Export data to external drive | 8 | 1 | EM-SysAdmin |
| 6 | Export image of the server to external drive | 8 | 1 | EM-SysAdmin |
| 7 | … | | | EM-SysAdmin |
| 8 | Milestone: Server prep completed | 0 | | |
| 9 | Identify new location in data center | 20 | 1 | IT-SysAdmin |
| 10 | Run wireless/wired configuration for new location | 20 | 9 | IT-SysAdmin |
| 11 | … | | | IT-SysAdmin |
| 12 | Milestone: New location prep completed | 0 | | |
| 13 | Disconnect server | 0.5 | 8, 12 | EM-SysAdmin |
| 14 | Package server and components | 0.5 | 13 | EM-SysAdmin; IT-SysAdmin |
| 15 | Transport system to data center | 1 | 14 | IT-SysAdmin |
| 16 | … | | | |
| 17 | Milestone: Server moved | 0 | | |
| 18 | Connect server at new location | 0.5 | 15 | IT-SysAdmin |
| 19 | Connect peripherals at new location | 0.5 | 18 | IT-SysAdmin |
| 20 | Connect wires/wireless at new location | 1 | 18 | IT-SysAdmin |
| 21 | … | | | |
| 22 | Milestone: Server setup at new location | 0 | | |
| 23 | Test Server OS at new location | 2 | 22 | IT-SysAdmin |
| 26 | … | | | |

Similar steps are needed for each Dean's systems.
Milestone Plan Chart
Only lists major milestones
When using a Project Management software package like MS Project, there are packaged reports available to provide a visual representation of the tasks and milestones.
A Milestone Plan Chart only displays the start and end of the work elements that end with a milestone. This is displayed as a number of bars that allow the users to quickly see how long the elements take and the sequence and relationship to other work elements that start before or after that milestone.
For the 'eliminating National ID' plan, you would probably see the following work elements in sequence:
Analyze the requirement to see what programs must be modified. Milestone: Analysis completed
Rewrite the programs to eliminate the National ID. Milestone: Program Rewrite completed
Test the programs to ensure they work properly. Milestone: Testing completed
Implement the new programs. Milestone: New system implemented
Train the users on the new program outputs. Milestone: Training completed
Go back to the users to make sure everything is working properly. Milestone: Evaluation completed
Gantt Chart
Shows a full project schedule
The Gantt Chart is another visual representation of the project and all of its steps and shows how the tasks relate to each other, especially when one task is dependent on the completion of a previous task. In our discussion of the Milestone Plan chart, Programming wasn’t started until Analysis was done; Testing wasn’t done until Programming was completed.
In the Gantt Chart you see the length of time it takes to complete the tasks and the sequence and timing of the next tasks.
At the top of the Gantt Chart, a time bar is shown so the user can see when the task should be started and ends.
Critical Path Chart
Identifies critical tasks to be managed
The Critical Path chart is another visual presentation, showing the chain of dependent tasks that takes the longest to complete and therefore sets the earliest possible finish date. It is used when multiple work elements are being executed at the same time.
Looking at all three of the work elements we discussed earlier, 'move servers', 'eliminate National ID' and 'train systems administrators', they would probably be executed at the same time because the resources needed to complete them are often independent of each other (System Admins move servers; programmers rewrite the programs that display National IDs; trainers train the system administrators).
If the goal is to complete all of these work elements by a certain date, you would want to see which one has the potential to be late.
In our example, the Enrollment Management and Deans' SysAdmins get the servers ready for the move and then the IT SysAdmins complete the move and set up the systems in the Data Center. If the Enrollment Management and Deans' SysAdmins are scheduled for training at the same time they should be preparing for the move, it most likely will delay the finish of the move. The Critical Path would show the move as the longest 'path'. By moving the training to a later date, the move would finish sooner and the deadline would be easier to meet.
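To make the critical path concrete, here is an added Python example (not code from the textbook or from MS Project) that runs the Critical Path Method over the 'Move Servers' task table from the Project Management Plan slide: a forward pass computes the earliest start and finish of each task, a backward pass the latest start and finish, and the tasks with zero slack are the critical path. The rows elided as '…' are left out. The table leaves the milestones' predecessors blank, so the example fills them in with the tasks of their own group as a stated assumption, and it routes task 18 through milestone 17 (the table gives 15) so that every milestone sits in the chain, as task 13 already does; both are marked in the comments.

```python
"""Critical Path Method over the 'Move Servers' task list.

Added example for this chapter; not code from the textbook or from MS Project.
Durations and predecessors follow the Project Management Plan table, minus the
rows elided as '...'. Predecessors the table leaves blank for milestones are
filled in here as an assumption (marked 'assumed').
"""

# (task_id, description, duration_hours, predecessors)
TASKS = [
    (1, "Identify Enrollment Management servers to be moved", 40, []),
    (2, "Identify software running on the servers", 80, [1]),
    (3, "Identify peripherals connected to server", 40, [1]),
    (4, "Identify wireless/wired configuration", 40, [1]),
    (5, "Export data to external drive", 8, [1]),
    (6, "Export image of the server to external drive", 8, [1]),
    (8, "Milestone: Server prep completed", 0, [2, 3, 4, 5, 6]),      # assumed
    (9, "Identify new location in data center", 20, [1]),
    (10, "Run wireless/wired configuration for new location", 20, [9]),
    (12, "Milestone: New location prep completed", 0, [10]),          # assumed
    (13, "Disconnect server", 0.5, [8, 12]),
    (14, "Package server and components", 0.5, [13]),
    (15, "Transport system to data center", 1, [14]),
    (17, "Milestone: Server moved", 0, [15]),                         # assumed
    (18, "Connect server at new location", 0.5, [17]),  # table: 15; via 17 (assumed)
    (19, "Connect peripherals at new location", 0.5, [18]),
    (20, "Connect wires/wireless at new location", 1, [18]),
    (22, "Milestone: Server setup at new location", 0, [18, 19, 20]),  # assumed
    (23, "Test Server OS at new location", 2, [22]),
]


def critical_path(tasks):
    """Forward and backward pass of the Critical Path Method.

    Returns (project_duration, schedule); schedule maps each task id to its
    earliest start/finish (es/ef), latest start/finish (ls/lf) and slack.
    Zero-slack tasks form the critical path: delaying any of them delays the
    whole work element.
    """
    by_id = {t[0]: t for t in tasks}
    order = [t[0] for t in tasks]

    # The plan lists tasks after their predecessors, so table order is a
    # valid topological order; refuse to schedule if that is not the case.
    seen = set()
    for tid in order:
        for pred in by_id[tid][3]:
            if pred not in seen:
                raise ValueError(f"task {tid} depends on {pred}, which is not defined earlier")
        seen.add(tid)

    # Forward pass: a task can start once all its predecessors have finished.
    es, ef = {}, {}
    for tid in order:
        duration, preds = by_id[tid][2], by_id[tid][3]
        es[tid] = max((ef[p] for p in preds), default=0)
        ef[tid] = es[tid] + duration
    project_duration = max(ef.values())

    # Backward pass: a task must finish before its earliest successor starts.
    successors = {tid: [] for tid in order}
    for tid in order:
        for pred in by_id[tid][3]:
            successors[pred].append(tid)
    ls, lf = {}, {}
    for tid in reversed(order):
        lf[tid] = min((ls[s] for s in successors[tid]), default=project_duration)
        ls[tid] = lf[tid] - by_id[tid][2]

    schedule = {
        tid: {"es": es[tid], "ef": ef[tid], "ls": ls[tid], "lf": lf[tid],
              "slack": ls[tid] - es[tid]}
        for tid in order
    }
    return project_duration, schedule


def critical_tasks(schedule):
    """Task ids with zero slack, in plan order."""
    return [tid for tid, s in schedule.items() if s["slack"] == 0]


def with_delay(tasks, task_id, extra_hours):
    """Copy of the task list with one task lengthened, e.g. the EM SysAdmin
    pulled into security training while doing server prep (task 2)."""
    return [(tid, desc, dur + extra_hours if tid == task_id else dur, preds)
            for tid, desc, dur, preds in tasks]


if __name__ == "__main__":
    total, sched = critical_path(TASKS)
    print(f"Earliest finish: {total} hours; critical path: {critical_tasks(sched)}")
    for tid, s in sched.items():
        print(f"{tid:>3} ES={s['es']:>6} EF={s['ef']:>6} LS={s['ls']:>6} slack={s['slack']:>5}")
    delayed, _ = critical_path(with_delay(TASKS, 2, 40))
    print(f"With 40 h of training during task 2: {delayed} hours")
```

With these inputs the work element takes 125.5 hours and the critical path runs 1, 2, 8, 13, 14, 15, 17, 18, 20, 22, 23; the data-center preparation branch (tasks 9, 10, 12) carries 40 hours of slack. That is the scheduling conflict in the notes above in numbers: 40 hours of training that lands on task 2 pushes the finish to 165.5 hours, while the same 40 hours landing on task 9 would be absorbed by its slack and leave the finish unchanged.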
Summary
Fundamental components of a risk management plan
Objectives of a risk management plan
Boundaries and scope of a risk management plan
Importance of assigning responsibilities in a risk management plan
Significance of planning, scheduling, and documentation