Week 4 Discussion Post
CHAPTER 10
Planning Risk Mitigation Throughout an Organization
Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.
Learning Objective(s) and Key Concepts
Identify risk mitigation security controls and develop a risk mitigation plan.
Scope of a risk management plan
Legal and compliance issues, including operational impacts
Assessing security countermeasures and safeguards
How to identify risk mitigation and risk reduction elements for an organization
Where Should an Organization Start with Risk Mitigation?
Identify assets and classify each as High, Medium, or Low
Identify and analyze threats and vulnerabilities
Evaluate the controls to determine which controls to implement
What Is the Scope of Risk Management for an Organization?
Critical business operations
Mission-critical business systems, applications, and data access
Seven domains of a typical IT infrastructure
Information systems security gap
Customer service delivery
Critical Business Operations
A business impact analysis (BIA) helps an organization identify the impact on the business if various risks occur
BIAs identify the maximum acceptable outage (MAO), the maximum amount of time a system or service can be down before the mission is affected
When completing a BIA of a specific service or function, ask:
How does this service affect the organization’s profitability?
How does this service affect the organization’s survivability?
How does this service affect the organization’s image?
How will an outage affect employees?
How will an outage affect customers?
When does this service need to be available?
What is the MAO of the service?
Customer Service Delivery
A service level agreement (SLA) identifies an expected level of performance, including the minimum uptime or the maximum downtime
Organizations use SLAs as a contract between a service provider and a customer
An SLA can specify monetary penalties if its terms aren’t met
Internal customer services:
Email services
Internet access
Network access
Server applications, such as database servers
Access to internal servers, such as file servers
Desktop computer support
Mission-Critical Business Systems, Applications, and Data Access
Critical business functions (CBFs)
Any function considered vital to an organization
Critical success factors (CSFs)
Any element necessary to perform the mission of an organization
Mission-Critical Business Systems, Applications, and Data Access (Cont.)
Critical business functions: making the purchase
Mission-Critical Business Systems, Applications, and Data Access (Cont.)
Critical business functions: receiving funds
Mission-Critical Business Systems, Applications, and Data Access (Cont.)
Critical business functions: shipping the product
Seven Domains of a Typical IT Infrastructure
Information Systems Security Gap
The difference between the controls that are in place and the controls that are needed
Gap analysis reports are often used when dealing with legal compliance
Combined with a remediation plan, the gap analysis report identifies how to close a security gap
Understanding and Assessing the Impact of Legal and Compliance Issues on an Organization
Compliance is a mitigation control
Assessing the impact of compliance issues:
Identify which compliance issues apply to the organization
Assess the impact of those issues on business operations
Legal Requirements, Compliance Laws, Regulations, and Mandates
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley Act (SOX)
Federal Information Security Management Act (FISMA) (2002)
Federal Information Security Modernization Act (FISMA) (2014)
Family Educational Rights and Privacy Act (FERPA)
Children’s Internet Protection Act (CIPA)
Payment Card Industry Data Security Standard (PCI DSS)
Gramm-Leach-Bliley Act (GLBA)
General Data Protection Regulation (GDPR)
Assessing the Impact of Legal and Compliance Issues on an Organization’s Business Operations
CIPA requires a technology protection measure (TPM)
A proxy server can be used as a TPM
Payment Card Industry Data Security Standard (PCI DSS) Principles and Requirements
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall
Requirement 2: Do not use defaults, such as default passwords
Protect Cardholder Data
Requirement 3: Protect stored data
Requirement 4: Encrypt transmissions
Maintain a Vulnerability Management Program
Requirement 5: Use and update antivirus software
Requirement 6: Develop and maintain secure systems
Payment Card Industry Data Security Standard (PCI DSS) Principles and Requirements (Cont.)
Implement Strong Access Control Measures
Requirement 7: Restrict access to data
Requirement 8: Use unique logons for each user. Don’t share usernames and passwords
Requirement 9: Restrict physical access
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to systems and data
Requirement 11: Regularly test security
Maintain an Information Security Policy
Requirement 12: Maintain a security policy
Translating Legal and Compliance Implications for an Organization
Losses can be direct or indirect
A public relations (PR) campaign can sometimes restore an organization’s reputation
Proactively spending money on PR campaigns can reduce the effects of an incident
Assessing the Impact of Legal and Compliance Implications on the Seven Domains of a Typical IT Infrastructure
User Domain
Workstation Domain
LAN Domain
LAN-to-WAN Domain
WAN Domain
Remote Access Domain
System/Application Domain
Assessing How Security Countermeasures, Controls, and Safeguards Can Assist With Risk Mitigation
Controls are implemented at a point in time to reduce the risks at that time
A control will attempt to mitigate risk by:
Reducing the impact of threats to an acceptable level
Reducing a vulnerability to an acceptable level
A risk assessment (RA) evaluates threats and vulnerabilities at a point in time
Understanding the Operational Implications of Legal and Compliance Requirements
HIPAA
SOX
FISMA
FERPA
CIPA
PCI DSS
GDPR
Identifying Risk Mitigation and Risk Reduction Elements for the Entire Organization
Account management controls
Access controls
Physical access
Personnel policies
Security awareness and training
Performing a Cost-Benefit Analysis (CBA)
Compare the cost of the control to the cost of the risk if it occurs
Calculating projected benefits:
Loss Before Control − Loss After Control = Projected Benefits
Determining whether the control should be used:
Projected Benefits − Cost of Control = Control Value
Best Practices for Planning Risk Mitigation Throughout an Organization
Review historical documentation
Although risks change, many of the threats and vulnerabilities will be the same
Include both a narrow and broad focus
Identify specific risks and mitigation strategies and broaden the focus to include the entire organization
Ensure that governing laws have been identified
If you don’t know what laws apply, you won’t be in compliance
Redo risk assessments when a control changes
If the control changes, the original risk assessment is no longer valid
Include a CBA
CBAs provide justification for controls and help determine their value
Summary
Scope of a risk management plan
Legal and compliance issues, including operational impacts
Assessing security countermeasures and safeguards
How to identify risk mitigation and risk reduction elements for an organization
10/9/2020