
Kayan1234
Chapter4.pptx

Managing Risk in Information Systems

Chapter 4

Developing a Risk Management Plan

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Components of Risk Management


The remainder of the course deals with the specific components of Risk Management: Risk Assessment and its components, and Risk Control and its components.


South Texas University – Case Study

A Gulf Coast university is threatened by a hurricane roughly every 7 years. Because the campus is located inland, high winds are the major concern, and windows are covered to minimize wind damage. A severe hurricane could still flood the university grounds.

The University conducted an independent audit of its Network and Enterprise systems and put controls into place to protect its infrastructure and minimize risks to its operations. These include the University’s Web Servers, Email Servers, Enterprise Systems and other Administrative IT systems. These systems are under a Risk Management Plan and are considered protected.

The new Information Systems Security Manager has now been charged with conducting a walk-through of the campus to identify other automated systems that may be at risk.



University Computer and Data Center

Is housed on the 1st floor of a classroom building

The exterior walls do not have windows but the interior walls have windows that face the building’s hallway

Electricity feeds the entire building on shared circuits; an overload anywhere in the building may cause a power outage

There are no UPS systems

The A/C system feeds the entire building and may not be sufficient to keep the building adequately cooled

During summer fans are used to cool the equipment

The entryway to the computer room doubles as a break room

A coffee pot and microwave are located in the break room

Access to the Computer room uses Key Cards issued to authorized personnel only

The Computer Room has raised floors

A sprinkler system runs across the ceiling, but the sprinkler heads are capped

There is no fire suppression system



Other University Systems

Enrollment Management is housed in an old 2-story library

Cubicles are used to process student records and cannot be locked

Customers can wander into these areas when staff are not present

Front counters are used to query and update student records and are sometimes left unmanned

Servers are housed in offices that are rarely locked and have windows

Some System Admins work for the CIO but have offices in Enrollment Management

One System Admin has no Security training and works for Enrollment Management

Data extracts from the report server include the National ID

Electricity is provided to the entire building but may not be stable.

Sprinkler systems provide fire protection.



Other University Systems

The University has 5 colleges located in separate buildings

Each college maintains its own server(s) to track programs, research and other initiatives

Colleges use existing staff and student workers to manage their servers (typically computer science students)

Servers are stored in offices and the doors are rarely locked and the rooms often have multiple windows

Electricity is provided to all buildings and no UPS systems are used

Sprinkler systems provide fire protection.

The University includes a completely independent Research facility housed in a state-of-the-art building on campus

It maintains its own hardware, software and systems with NO oversight from the CIO and the IT professionals.



Objectives of a Risk Management Plan

A list of threats

A list of vulnerabilities

Costs associated with risks

A list of recommendations to reduce the risks

Costs associated with recommendations

A cost-benefit analysis

One or more reports


We discussed in earlier chapters that the university I worked at in South Texas had a problem with security breaches when faculty downloaded data to a flash drive and lost the drive. The University hired a new Information Systems Security Manager to begin working on resolving the issues that led to this security breach by creating a Risk Management Plan, which would be made up of the items listed on this page.

The manager started by walking around the campus to identify the systems that were being used. During this walkthrough, the manager looked for weaknesses and threats, and began thinking about what managing these risks would require and formulating a plan.


Scope of Plan Dimensions

Extent the plan will be organized

Level of implementation

Range of view and outlook

Degree of application and operation

Measurement of effectiveness


Looking at the information collected in the first slides, the Information Systems Security Manager identified some of the weaknesses and threats.

Looking through the list we find a number of broad areas: 1. the computer and data center; 2. the systems located across the campus; 3. the open work areas in Enrollment Management; and 4. the independent Research Institute.

The manager decides to limit the Scope (boundaries) to the computer and data center as well as the systems located across the campus. The open work areas in Enrollment Management could be handled by a general statement to the entire campus about security and by providing training. The research institute would be a project on its own because of its size and political considerations. It has the potential to become very complex and lead to more and more risks that would have to be addressed – this would lead to ‘scope creep’ and potentially derail the project.

Simply correcting problems with the computer and data center would require a number of changes to operations and policies within IT. Addressing problems with the campus-wide servers would require extensive discussions with their owners and IT and management (the stakeholders). These discussions often lead to strong opinions about ownership and buy-in and may require senior management to intervene and make decisions that are not always easily accepted.


Creating a Plan

Risk management plans can be simple or complex

Dependent on:

Organization size

Business functions

Assets

Important to get input from multiple roles within the organization


In the example chosen for this chapter, the scope is simplified for our discussion but often Risk Management Plans are very complex and require a great amount of time and people-resources to accomplish.

Larger organizations may have the people-resources to develop an extensive and all-inclusive plan that covers the huge inventory of IT assets. These plans will typically be more complex. Smaller organizations will not have the people resources nor the IT assets so their plans will be less complex.

Risk Management should concentrate first on the business functions that are most critical and whose loss would be most significant.

Finally, some businesses depend extensively on IT and must protect their large investment in equipment, while other organizations have limited IT assets.

When developing a plan, do not limit input from organizational elements that are impacted by the loss of the assets. Not only do they have the broad knowledge needed to provide the best solution but buy-in to any solution is critical to marketing the solution and gaining management acceptance.

9/18/2016


Assignment of Responsibilities

Align resources

Assign responsibilities

Evaluate relationships


Let us consider the Enrollment Management and College server issues. Responsibility for the Project Management role would be assigned to the Information Systems Security Manager who is tasked to resolve the problems.

The stakeholders include the owners of the servers, the users of the system and the administrators of the systems. The owners include the Asst. V.P. of Enrollment Management and the Dean who spent their own funds to buy the hardware and software. They also own the data that is stored on these devices and that are used to help them complete their mission. More important are the Custodians of these systems – the people who must ensure the systems are secure and the data is protected.

The Enrollment Manager and Deans will typically assign expert users to be part of the planning team along with their respective System Administrators. The key is to assign at least one decision-maker from each area who will protect the interests of their managers. The CIO will assign System Administrators who will function as the future Custodians of the system and serve as consultants. The team members will typically meet a number of times to identify, assess and find ways to mitigate the risks. The Project Manager not only ensures the team stays on track and is productive but also serves as an expert on the risk management process and the decision maker for the CIO.


Affinity Diagram for the Other University Systems

Vulnerabilities:

Servers housed in offices that are rarely locked and have windows

Unstable electricity

Water sprinkler system

System Admin has no security training

National ID included in download extracts

Threats:

Servers can be stolen

Servers can be destroyed by vandals

Servers can be destroyed by wind damage

Servers can be destroyed by power spikes

Servers can be destroyed by water from the sprinkler system

System Admins do not know how to protect the server, software and data

National ID downloaded and stolen

Recommendations:

Move servers to the Computer Data Center

Train System Administrators

Prevent the National ID from being downloaded


Looking again at the Other University systems, we notice there are 5 Vulnerabilities and three of these deal with the server, one with the Systems Administrator and one with the reporting server data downloads.

These vulnerabilities are tied to 7 Threats and five of these deal with the server.

Moving the servers to the Computer Data Center that is already a secure environment is the simple solution.

Training the System Administrators, who are employed by Enrollment Management and the Deans, makes them aware of their security duties while allowing the owners to retain the personnel responsible for supporting their specific missions.

Removing the National ID from the extracts, since it is not needed, is another simple solution.
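As an added example that is not part of the textbook, the slide deck or the case study, the Python below shows what the "prevent the National ID from being downloaded" fix could look like in the reporting code: the current extract passes every column of the report through, while the rewritten one rebuilds the download from an allowlist of columns and then refuses to release a file in which any field still looks like a national ID. The column names, the sample rows and the nine-digit ID pattern are all constructed for the illustration.

```python
import csv
import io
import re

# Constructed sample extract from the report server: made-up student rows
# with a national_id column, as the case study says the extracts include.
SAMPLE_EXTRACT = """student_id,last_name,first_name,national_id,program,gpa
1001,Garza,Ana,123-45-6789,BSCS,3.7
1002,Lee,Min,987-65-4321,BBA,3.2
1003,Okafor,Chidi,555-12-3456,BSN,3.9
"""

# Assumed allowlist: the columns the downstream users actually need.
ALLOWED_COLUMNS = ["student_id", "last_name", "first_name", "program", "gpa"]

# Heuristic for a nine-digit national ID written as ddd-dd-dddd or ddddddddd.
NATIONAL_ID_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def extract_before(raw):
    """The current behaviour: every column of the report goes into the download."""
    return raw


def leaked_ids(text):
    """Return every value in the text that looks like a national ID (the test step)."""
    return NATIONAL_ID_RE.findall(text)


def extract_after(raw, allowed=ALLOWED_COLUMNS):
    """Rewritten extract: copy only allowlisted columns, so a column added to the
    report server later is never exported by accident, then block the release
    if any field in the result still matches the national ID pattern."""
    reader = csv.DictReader(io.StringIO(raw))
    missing = [c for c in allowed if c not in reader.fieldnames]
    if missing:
        raise ValueError(f"extract lacks expected columns: {missing}")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=allowed, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow({c: row[c] for c in allowed})
    result = out.getvalue()
    if leaked_ids(result):
        raise ValueError("national ID pattern found in extract; release blocked")
    return result


if __name__ == "__main__":
    print("before:", len(leaked_ids(extract_before(SAMPLE_EXTRACT))), "IDs exposed")
    print("after:\n" + extract_after(SAMPLE_EXTRACT))
```

The allowlist is the actual control: a new sensitive column on the report server is simply never exported. The pattern check is a secondary guard for the "Testing completed" step and will also flag any other nine-digit value, so treat a hit as something to inspect rather than proof of a leak.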


Describing Procedures and Schedules for Accomplishment

Include a recommended solution for any threat or vulnerability, with a goal of mitigating the associated risk.

The solution will often include multiple steps.


Looking at the previous slide, there are three recommended solutions to mitigate the risks.

Move Servers to the Computer Data Center

Train the System Administrators

Prevent the National ID from being downloaded

Each of these recommendations will require a number of steps and may not be easily and quickly accomplished. It will take time to detail the steps needed.


Describing Procedures and Schedules for Accomplishment

Describe each step in detail.

Include a timeline for completion of each step.

Remember:

Management is responsible for choosing the controls to implement.

Management is responsible for residual risk.


This is where the team of users, System Administrators and others can provide guidance while generating buy-in to the eventual solution. The team will be responsible for expanding each recommendation to determine how complex the solution will be and what steps must be taken. There may be cases where the entire team isn’t involved in a recommendation; only those who are stakeholders in that recommendation will need to be involved.

Eliminating the National ID involves the users so the Project Manager would meet individually with them to determine the process.

Moving the servers and training the System Administrators will not require input from the users, so they can be excluded from that discussion.

Once the details are documented and the team agrees to the steps, the team must estimate the time it will take to implement. In addition, the day-to-day operations must be analyzed so that a timeline can be established that does not impact operations.

Next, management can be briefed on the Controls and any Residual risks that may remain after the plan is implemented. Management must agree to the recommendations and trust their team members represent their mission goals and requirements. Remember that in this case, management includes not only the Asst. V.P. for Enrollment Management and the Deans but also the CIO who has the responsibility to defend the interests of the University’s security policies.


Reporting Requirements

Present recommendations

Document management response to recommendations

Document and track implementation of accepted recommendations

Create plan of action and milestones (POAM)


Typically the Project Manager is responsible for presenting the recommendations to management; however, if a decision-maker was assigned to the team by the Enrollment Manager or a Dean, they may also be invited to ensure the presentation covers all critical points.

The Project Manager also ensures that any decisions made, and any exceptions or follow-on questions, are documented.

If the plan or any portion of the plan is accepted, the Project Manager develops a detailed Plan of Action and Milestones (POAM) to implement the recommendations and track the progress of the change.

If the plan or any portion of the plan is rejected, the decision is noted.

If the plan or any portion of the plan is deferred, the Project Manager works with management to eventually change that decision into either an acceptance or rejection.


Reporting Requirements (Cont.)

Report should include:

Findings

Recommendation cost and time frame

Cost-benefit analysis

Reports are often summarized in risk statements

Use risk statements to communicate a risk and the resulting impact


Although the final report may be very extensive, Project Managers usually brief the managers together as a group to allow them to discuss and consider the recommendations and the impact on their organization. It is assumed that these managers have already discussed the recommendations with their respective team members to judge whether they should accept, reject or defer the plan or parts of the plan. This is why it is critical to ensure the team members buy-in to the recommended solutions.

Depending on the level of management, the meeting may be very short and the briefing very concise. If the president is involved in the decision, there may be only a few minutes to hear and decide. If a lower-level manager makes the decision, there may be more time for presentation and discussion.

Managers need to know how much the solution will cost and what its cost-benefit is. In the case of the servers, moving them may be relatively inexpensive, requiring staff hours rather than purchases. Training the system admins may simply mean taking a previous training presentation off the shelf. Removing the National ID may require rewriting the reporting solution, which again requires staff hours rather than actual funding.

In the case of the servers, the report would use risk statements to communicate the risk – what is the cause (threat), what is the criteria (vulnerability/weakness) and what is the effect (the risk).


Using a Cause and Effect Diagram

Server risk

Cause/Threat: Theft. Criteria/Vulnerability: Room unlocked. Effect: Loss of server.

Cause/Threat: Destruction. Criteria/Vulnerability: Object breaks through window. Effect: Loss of server.

Data risk

Cause/Threat: Destruction. Criteria/Vulnerability: Untrained SysAdmin. Effect: Loss or compromise of critical data.

Cause/Threat: Data breach. Criteria/Vulnerability: Download of National ID. Effect: Loss or compromise of critical data.


These Cause and Criteria (or Cause and Effect) diagrams visually show the basic problems.

When the room is unlocked, the server can be stolen or destroyed and the server will be lost.

During a wind storm, objects can break through the window, and the server can be destroyed and lost.

An untrained System Administrator can destroy or fail to protect the data on the server and it will be lost.

The download of the National ID can result in a data breach, and the data can be lost or compromised.


Plan of Action and Milestones (POAM)

A document used to track progress

Used to assign responsibility and to allow management follow-up

Is a living document


Earlier we said the team needs to provide a detailed list of the steps needed to accomplish the plan. The plan is often broken down into work elements. In our example, there would be a large number of steps in the work elements needed to “move the servers”, a large number of steps in the work elements to “eliminate the downloading of National ID numbers”, and probably a small number of steps in the work elements to “train the system administrators”.

Within each work element, finishing the last step is the Milestone for that work element. A plan may have so many steps, called tasks, that you break it down into segments, each with its own milestone. For example, for ‘eliminate the National ID’, the steps needed to rewrite the program would end with a ‘Program rewritten’ milestone; the steps needed to test the new program would end with a ‘Testing completed’ milestone; and so on.

Plans of Action and Milestones (POAM) vary in structure and content. The example shown in the book lists Work Elements, Responsible Person and Milestone Dates. Some POAM documents are actually Project Management Plans with many rows that identify every step/task, grouped by work elements that end with a milestone. Typically the PM Plan includes columns for a Task #, Task Name, Time to Complete the Task, the task(s) that must be done before this one (predecessors) and the resources (people, etc.) needed to complete the task. Since these plans are often very complex, the team may forget a task/step and add it later; the plan is a living document.


Project Management (PM) Plan

MOVE SERVERS

Task # | Task Description | Duration (hours) | Predecessor | Resource
1 | Identify Enrollment Management servers to be moved | 40 | | EM-SysAdmin
2 | Identify software running on the servers | 80 | 1 | EM-SysAdmin
3 | Identify peripherals connected to server | 40 | 1 | EM-SysAdmin
4 | Identify wireless/wired configuration | 40 | 1 | EM-SysAdmin
5 | Export data to external drive | 8 | 1 | EM-SysAdmin
6 | Export image of the server to external drive | 8 | 1 | EM-SysAdmin
8 | Milestone: Server prep completed | 0 | |
9 | Identify new location in data center | 20 | 1 | IT-SysAdmin
10 | Run wireless/wired configuration for new location | 20 | 9 | IT-SysAdmin
12 | Milestone: New location prep completed | 0 | |
13 | Disconnect server | 0.5 | 8, 12 | EM-SysAdmin
14 | Package server and components | 0.5 | 13 | EM-SysAdmin; IT-SysAdmin
15 | Transport system to data center | 1 | 14 | IT-SysAdmin
17 | Milestone: Server moved | 0 | |
18 | Connect server at new location | 0.5 | 15 | IT-SysAdmin
19 | Connect peripherals at new location | 0.5 | 18 | IT-SysAdmin
20 | Connect wires/wireless at new location | 1 | 18 | IT-SysAdmin
22 | Milestone: Server setup at new location | 0 | |
23 | Test server OS at new location | 2 | 22 | IT-SysAdmin

Similar steps are needed for each Dean’s systems.



Milestone Plan Chart

Only lists major milestones


When using a Project Management software package like MS Project, there are packaged reports available to provide a visual representation of the tasks and milestones.

A Milestone Plan Chart only displays the start and end of the work elements that end with a milestone. This is displayed as a number of bars that let the user quickly see how long the elements take, and their sequence and relationship to other work elements that start before or after that milestone.

For the ‘eliminate National ID’ plan, you would probably see the following work elements in sequence:

Analyze the requirement to see what programs must be modified (Milestone: Analysis completed)

Rewrite the programs to eliminate the National ID (Milestone: Program rewrite completed)

Test the programs to ensure they work properly (Milestone: Testing completed)

Implement the new programs (Milestone: New system implemented)

Train the users on the new program outputs (Milestone: Training completed)

Go back to the users to make sure everything is working properly (Milestone: Evaluation completed)


Gantt Chart

Shows a full project schedule


The Gantt Chart is another visual representation of the project and all of its steps and shows how the tasks relate to each other, especially when one task is dependent on the completion of a previous task. In our discussion of the Milestone Plan chart, Programming wasn’t started until Analysis was done; Testing wasn’t done until Programming was completed.

In the Gantt Chart you see the length of time it takes to complete the tasks and the sequence and timing of the next tasks.

At the top of the Gantt Chart, a time bar is shown so the user can see when each task should start and end.


Critical Path Chart

Identifies critical tasks to be managed


The Critical Path chart is another visual presentation. It shows the chain of dependent work elements that takes the longest to complete, which sets the earliest date the whole project can finish. It is used when multiple work elements are being executed at the same time.

Looking at all three of the work elements we discussed earlier, ‘move servers’, ‘eliminate National ID’ and ‘train system administrators’, they would probably be executed at the same time because the resources needed to complete them are often independent of each other (System Admins move servers, programmers rewrite the programs that display National IDs, and trainers train the system administrators).

If the goal is to complete all of these work elements by a certain date, you would want to see which one has the potential to be late.

In our example, the Enrollment Management and Deans’ SysAdmins get the servers ready for the move, and then the IT SysAdmins complete the move and set up the systems in the Data Center. If the Enrollment Management and Deans’ SysAdmins are scheduled for training at the same time they should be preparing for the move, it will most likely delay the finish of the move. The Critical Path would show the move as the longest ‘path’. By moving the training to a later date, the finish of the move would be shortened and the deadline would be easier to meet.
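As an added example that is not from the textbook or the slide deck, the Python below computes earliest and latest start, slack and the critical path for the MOVE SERVERS task table shown earlier (the forward/backward pass behind Gantt and critical-path charts), and then reproduces the scheduling clash just described: making the EM-SysAdmin’s prep work wait on a training session lengthens the move, while scheduling the same training as an independent work element does not. The task rows are the slide’s, with the empty placeholder rows dropped; the milestone predecessors, the 16-hour training duration and task id 100 are assumptions made for the illustration.

```python
from collections import deque

# Task rows from the MOVE SERVERS plan: (id, description, hours, predecessor ids).
# Assumption: the slide leaves the milestones' predecessors blank; here each
# milestone waits on the tasks of its phase, and task 18 waits on milestone 17
# (zero duration, so timing-equivalent to the slide's predecessor 15).
MOVE_SERVERS = [
    (1, "Identify Enrollment Management servers to be moved", 40, []),
    (2, "Identify software running on the servers", 80, [1]),
    (3, "Identify peripherals connected to server", 40, [1]),
    (4, "Identify wireless/wired configuration", 40, [1]),
    (5, "Export data to external drive", 8, [1]),
    (6, "Export image of the server to external drive", 8, [1]),
    (8, "Milestone: Server prep completed", 0, [2, 3, 4, 5, 6]),
    (9, "Identify new location in data center", 20, [1]),
    (10, "Run wireless/wired configuration for new location", 20, [9]),
    (12, "Milestone: New location prep completed", 0, [10]),
    (13, "Disconnect server", 0.5, [8, 12]),
    (14, "Package server and components", 0.5, [13]),
    (15, "Transport system to data center", 1, [14]),
    (17, "Milestone: Server moved", 0, [15]),
    (18, "Connect server at new location", 0.5, [17]),
    (19, "Connect peripherals at new location", 0.5, [18]),
    (20, "Connect wires/wireless at new location", 1, [18]),
    (22, "Milestone: Server setup at new location", 0, [19, 20]),
    (23, "Test server OS at new location", 2, [22]),
]


def critical_path(tasks):
    """Critical path method: forward pass gives earliest start/finish (es, ef),
    backward pass gives latest start/finish (ls, lf), slack = ls - es.
    Returns (project_hours, schedule, critical_ids); critical_ids are the
    zero-slack tasks in topological order."""
    dur = {tid: d for tid, _, d, _ in tasks}
    preds = {tid: list(p) for tid, _, _, p in tasks}
    succs = {tid: [] for tid in dur}
    for tid, ps in preds.items():
        for p in ps:
            if p not in dur:
                raise ValueError(f"task {tid} depends on unknown task {p}")
            succs[p].append(tid)

    # Kahn's algorithm: topological order, and a cycle check on the predecessors.
    indeg = {tid: len(ps) for tid, ps in preds.items()}
    queue = deque(sorted(t for t, n in indeg.items() if n == 0))
    order = []
    while queue:
        t = queue.popleft()
        order.append(t)
        for s in succs[t]:
            indeg[s] -= 1
            if indeg[s] == 0:
                queue.append(s)
    if len(order) != len(dur):
        raise ValueError("dependency cycle in task table")

    es, ef = {}, {}
    for t in order:                     # forward pass
        es[t] = max((ef[p] for p in preds[t]), default=0)
        ef[t] = es[t] + dur[t]
    end = max(ef.values())
    ls, lf = {}, {}
    for t in reversed(order):           # backward pass
        lf[t] = min((ls[s] for s in succs[t]), default=end)
        ls[t] = lf[t] - dur[t]
    schedule = {t: {"es": es[t], "ef": ef[t], "ls": ls[t], "lf": lf[t],
                    "slack": ls[t] - es[t]} for t in order}
    critical = [t for t in order if abs(schedule[t]["slack"]) < 1e-9]
    return end, schedule, critical


def with_training(tasks, hours, before_prep):
    """Add a hypothetical 'Train EM-SysAdmin' task (id 100, assumed duration).
    before_prep=True makes task 1 wait on the training, modelling the clash in
    the notes; False schedules it as an independent work element."""
    extra = (100, "Train EM-SysAdmin", hours, [])
    if not before_prep:
        return tasks + [extra]
    rewired = [(tid, name, d, ([100] if tid == 1 else p)) for tid, name, d, p in tasks]
    return rewired + [extra]


if __name__ == "__main__":
    for label, plan in [("as planned", MOVE_SERVERS),
                        ("training before prep", with_training(MOVE_SERVERS, 16, True)),
                        ("training in parallel", with_training(MOVE_SERVERS, 16, False))]:
        hours, sched, crit = critical_path(plan)
        print(f"{label}: {hours} h, critical path {crit}")
```

This models the clash as a dependency (training must finish before prep starts); true resource contention, where the same person is simply double-booked, needs resource levelling on top of this, but the conclusion is the same: anything placed ahead of a zero-slack task pushes the whole finish date out by its own duration.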


Summary

Fundamental components of a risk management plan

Objectives of a risk management plan

Boundaries and scope of a risk management plan

Importance of assigning responsibilities in a risk management plan

Significance of planning, scheduling, and documentation

