
Managing Risk in Information Systems

Lesson 10

Planning Risk Mitigation Throughout Your Organization

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Learning Objective and Key Concepts

Learning Objective

Describe concepts for planning risk mitigation throughout an organization.

Key Concepts

Identifying the scope of a risk management plan

Best practices for planning risk mitigation

Ways to prioritize risk management requirements


Where Should Your Organization Start with Risk Mitigation?

Identify assets

High, medium, low

Identify and analyze threats and vulnerabilities

Evaluate the controls to determine what controls to implement


Scope of Risk Management

Critical business operations

Customer service delivery

Mission-critical business systems, applications, and data access

Seven domains of a typical IT infrastructure

Information systems security gap


Identifying Critical Business Functions (CBFs)

Making a purchase

Receiving funds

Shipping products


The Risk Within the Seven Domains


User Domain—Risk here is a failure to follow or develop user policies, such as an acceptable use policy (AUP) or e-mail policies

Workstation Domain—Risk here is a failure to follow or develop policies regarding the use of computing devices

Local Area Network (LAN) Domain—The risks here include the lack of controls placed on the LAN environment

LAN-to-WAN Domain—A big risk here is the lack of controls on the organization's firewall or in the demilitarized zone (DMZ)

Remote Access Domain—Risk arising from weak access controls

Wide Area Network (WAN) Domain—Risk from a weak virtual private network (VPN) policy or weak VPN controls

System/Application Domain—Lack of controls placed on applications or systems

Understanding/Assessing Impact of Legal and Compliance Issues

Compliance is a mitigation control

Assessing the impact of compliance issues:

Identify what compliance issues apply to organization

Assess impact of issues on business operations


Legal Requirements, Compliance Laws, Regulations, and Mandates

Health Insurance Portability and Accountability Act (HIPAA)

Sarbanes-Oxley Act (SOX)

Federal Information Security Management Act (FISMA)

Family Educational Rights and Privacy Act (FERPA)

Children’s Internet Protection Act (CIPA)

Payment Card Industry Data Security Standard (PCI DSS)


Compliance Issues

CIPA requires a technology protection measure (TPM), such as content filtering

Other laws may require other controls


Assessing the Impact of Legal/Compliance Implications on the Seven Domains


User Domain

Workstation Domain

LAN Domain

LAN-to-WAN Domain

WAN Domain

Remote Access Domain

System/Application Domain

Assessing How Security Countermeasures/Safeguards Can Assist with Risk Mitigation

Controls are implemented at a point in time to reduce the risks at that time

A control will attempt to mitigate risk by:

Reducing the impact of threats to an acceptable level

Reducing a vulnerability to an acceptable level

Risk assessment (RA) is a point-in-time assessment


Understanding Operational Implications of Legal and Compliance Requirements


HIPAA

SOX

FISMA

FERPA

CIPA

PCI DSS

Identifying Risk Mitigation and Risk Reduction Elements


Account management controls

Access controls

Physical access

Personnel policies

Security awareness and training

Performing a Cost-Benefit Analysis

Compare the cost of the control to the cost of the risk if it occurs

Calculating projected benefits:

Loss Before Control − Loss After Control = Projected Benefits

Determining if a control should be used:

Projected Benefits − Cost of Control = Control Value
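The two CBA formulas above applied to several candidate controls for one risk, as an added example that is not part of the original slides. It generalizes the slide's single calculation to a list of candidates, rejects any control whose value is not positive, and ranks the rest; all control names and dollar figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlCandidate:
    name: str
    loss_before: float   # expected loss from the risk with no control in place
    loss_after: float    # expected loss that remains once the control is deployed
    cost: float          # cost to acquire, deploy and operate the control


def projected_benefit(c: ControlCandidate) -> float:
    """Loss Before Control - Loss After Control = Projected Benefits."""
    if min(c.loss_before, c.loss_after, c.cost) < 0:
        raise ValueError(f"{c.name}: losses and costs cannot be negative")
    if c.loss_after > c.loss_before:
        # A control that raises expected loss is a data-entry error, not a control.
        raise ValueError(f"{c.name}: loss after the control exceeds loss before it")
    return c.loss_before - c.loss_after


def control_value(c: ControlCandidate) -> float:
    """Projected Benefits - Cost of Control = Control Value."""
    return projected_benefit(c) - c.cost


def rank_controls(candidates):
    """Keep only controls whose value is positive (benefit outweighs cost),
    highest value first. A control that costs more than the loss it prevents
    is not justified by the CBA, however much risk it removes."""
    worthwhile = [(c.name, control_value(c)) for c in candidates
                  if control_value(c) > 0]
    return sorted(worthwhile, key=lambda pair: pair[1], reverse=True)


# Constructed sample: three candidate controls for one risk, a server outage
# expected to cost $50,000 if it occurs. Figures are illustrative only.
CANDIDATES = [
    ControlCandidate("Offsite backups + DRP", 50_000, 5_000, 20_000),
    ControlCandidate("Hot site", 50_000, 1_000, 60_000),
    ControlCandidate("Awareness training", 50_000, 30_000, 5_000),
]

if __name__ == "__main__":
    for name, value in rank_controls(CANDIDATES):
        print(f"{name:24s} control value = ${value:,.0f}")
```

The hot site removes the most risk but is excluded because its cost exceeds its projected benefit; the ranking is what a CBA hands to management as justification for the controls it does recommend.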


Risk Mitigation Best Practices

Review historical documentation

Although risks change, many of the threats and vulnerabilities will be the same

Include both a narrow and broad focus

Identify specific risks and mitigation strategies and broaden the focus to include the entire organization


Risk Mitigation Best Practices

Ensure that governing laws are identified

If you don’t know what laws apply, you won’t be in compliance

Redo RAs when a control changes

If a control changes, the original RA is no longer valid

Include a cost-benefit analysis

CBAs provide justification for controls and help determine their value


Summary

Identifying the scope of a risk management plan

Best practices for planning risk mitigation

Ways to prioritize risk management requirements


OPTIONAL SLIDES


7/16/2014


Strategies of Risk Mitigation


Risk can be eliminated from the organization, but only at a high cost. Cost is therefore an important factor in risk management.

Before we can look at risk, we must first know what will be lost if a threat exploits a vulnerability and causes a loss to the organization.

To do this, a risk assessment must be undertaken, starting with an asset inventory and followed by a business impact analysis (BIA).

The maximum acceptable outage (MAO) must also be calculated.

Service level agreements and operational level agreements must be drawn up.

Mission-critical applications must be identified, and disaster recovery plans (DRPs) need to be developed.

Many templates are available to accomplish this; the National Institute of Standards and Technology (NIST) publishes many relating to organizational risk.


Identify the cost of risk mitigation

Determine loss if threat exploits vulnerability

Conduct business impact analysis (BIA)

Calculate maximum acceptable outage (MAO)

Establish service level agreements

Develop disaster recovery plan (DRP)

National Institute of Standards and Technology (NIST) templates

Key Roles Involved with a Risk Management Plan

Chief executive officer (CEO)

Chief operating officer (COO)

Chief financial officer (CFO)

Data owners and custodians

IT management

Human resources (HR) professionals

Industry-specific management

Corporate legal department

Auditors


Prioritizing and Analyzing Risk

Cost associated with the loss of a business component or process

Loss of customer confidence

Lack of compliance

Lack of insurance to mitigate or transfer risk
