Week 2 Discussion Posting
CHAPTER 4
Developing a Risk Management Plan
Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.
Learning Objective(s) and Key Concepts
Learning Objective(s)
  Describe the components of and approaches to effective risk management in an organization.
Key Concepts
  Fundamental components of a risk management plan
  Objectives, boundaries, and scope of a risk management plan
  Importance of assigning responsibilities in a risk management plan
  Significance of planning, scheduling, documentation, and reporting
  Steps of the NIST Risk Management Framework
Objectives of a Risk Management Plan
A list of threats
A list of vulnerabilities
Costs associated with risks
A list of recommendations to reduce the risks
Costs associated with recommendations
A cost-benefit analysis (CBA)
One or more reports
Implementing a Risk Management Plan
Document management decisions
Document and track implementation of accepted recommendations
Create a plan of action and milestones (POAM)
Objectives Examples
Identifying threats
Identifying vulnerabilities
Identifying assets
Assigning responsibilities
Identifying the costs of an outage/noncompliance
Providing recommendations
Identifying the costs of recommendations
Providing a CBA
Documenting accepted recommendations
Tracking implementation
Creating a POAM
Scope of a Risk Management Plan
Identify the boundaries of the plan
Avoid scope creep
Identify stakeholders
Create a change control board
Draft a scope statement
Scope Examples
Website
  Creating a risk management plan to secure a website:
  Scope includes:
    Security of the server hosting the website
    Security of the website itself
    Availability of the website
    Integrity of the website’s data
  Stakeholders include:
    Vice president of sales
    Information technology (IT) support department head
  Written approval is required for all activities outside the scope of this plan
HIPAA Compliance
  Creating a risk management plan to ensure HIPAA compliance:
  Scope includes:
    Identifying all health data
    Storing health data
    Using health data
    Transmitting health data
  Stakeholders include:
    Chief Information Officer (CIO)
    Human resources (HR) department head
  Written approval is required for all activities outside the scope of this plan
Assigning Responsibilities
Responsibilities can be assigned to:
Risk management PM
Stakeholders
Departments or department heads
Executive officers, such as the CIO or CFO
Individual responsibilities:
Identifying risk
Assessing risk
Identifying risk mitigation steps
Reporting
Responsibilities Examples
Website
  The IT department is responsible for providing:
    A list of threats
    A list of vulnerabilities
    A list of recommended solutions
    Costs for each of the recommended solutions
  The sales department is responsible for providing:
    Direct costs of all outages that last 15 minutes or longer
    Indirect costs of all outages that last 15 minutes or longer
  The CFO will:
    Validate the data provided by the IT and sales departments
    Complete a CBA
HIPAA Compliance
  The HR department is responsible for providing:
    A list of all health information sources
    Inspection results for all data sources regarding HIPAA compliance
    How the data is stored, protected, and transmitted
    A list of existing and needed HIPAA policies
    A list of recommended solutions to ensure HIPAA compliance
    Costs for each of the recommended solutions
    Costs associated with noncompliance
  The IT department is responsible for providing:
    Identification of access controls used for data
    A list of recommended solutions to ensure compliance with HIPAA
    Costs for each of the recommended solutions
  The CFO will:
    Validate the data provided by the IT and sales departments
    Complete a CBA
Using Affinity Diagrams
Describing Procedures and Schedules for Accomplishment
Include a recommended solution for any threat or vulnerability, with a goal of mitigating the associated risk
The solution will often include multiple steps
Describe each step in detail
Include a timeline for completion of each step
Remember:
Management is responsible for choosing the controls to implement
Management is responsible for residual risk
Procedures Examples
Website
  Mitigating the risk of denial of service (DoS) attacks:
  Recommendation—Upgrade the firewall.
  Justification—The current firewall is a basic router; it does not provide advanced firewall capabilities.
  Procedures—The following steps can be used to upgrade to the new firewall:
    Start firewall logging
    Create a firewall policy
    Purchase a firewall appliance
    Install the firewall
    Configure the firewall
    Test the firewall before going live
    Bring the firewall online
HIPAA Compliance
  Procedures for mitigating the risk of HIPAA noncompliance:
  Recommendation—Increase awareness of HIPAA.
  Justification—Make clear that noncompliance can result in fines totaling $25,000 a year for mistakes.
  Procedures—Use the following steps to increase awareness:
    Require all employees to read and comply with HIPAA policies
    Provide training to all employees on HIPAA compliance
Reporting Requirements
Present recommendations
Document management response to recommendations
Document and track implementation of accepted recommendations
Create a plan of action and milestones (POAM)
Presenting Recommendations
Report should include:
  Findings
    Reports are often summarized in risk statements
    Use risk statements to communicate a risk and the resulting impact
  Recommendation cost and time frame
  Cost-benefit analysis (CBA)
Findings
Cause—The threat
Criteria—The criteria that will allow the threat to succeed
  Inadequate manpower
  Unmanaged firewall
  No intrusion detection system (IDS)
  Operating system not updated
  Antivirus software not installed and updated
Effect—Often an outage of some type
Findings (Cont.)
Website cause and effect diagram (figure)
HIPAA compliance cause and effect diagram (figure)
Recommendation Cost and Time Frame
Each item should include the cost and time frame required to implement it
Example list of recommendations included in the website risk management plan
Upgrade firewall
Purchase and install IDS
Create a plan to keep the system updated
Install antivirus software on server
Update antivirus software
Add one IT administrator
Cost-Benefit Analysis (CBA)
CBA should include two items:
  Cost of the recommendation, including any anticipated ongoing costs
  Projected benefits in terms of dollars
Example of a CBA for a website recommendation:
  Recommendation
  Cost of the recommendation
  Background
  Loss before recommendation
  Expected loss with recommendation
  Benefit of the recommendation
CBA = Loss before recommendation − Loss after recommendation − Cost of recommendation
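The CBA formula above, worked through for several of the website plan's recommendations at once so they can be ranked for the management decision. This is an added example, not from the textbook or the slide deck; all dollar figures are constructed for illustration, and the multi-year horizon (which folds the "anticipated ongoing costs" into the total cost) is an assumption added here, with years=1 reproducing the slide's formula exactly.

```python
"""Cost-benefit analysis (CBA) for risk management recommendations.

Added example. The figures below are constructed for illustration and are
not textbook data. With years=1 this is the slide's formula:
    CBA = loss before - loss after - cost of recommendation
The multi-year horizon that accumulates ongoing costs is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Recommendation:
    name: str
    one_time_cost: float   # purchase / installation cost
    annual_cost: float     # anticipated ongoing cost per year (licences, staff)
    loss_before: float     # expected annual loss if the risk is left as is
    loss_after: float      # expected annual loss once the control is in place


def total_cost(rec: Recommendation, years: int = 1) -> float:
    """Cost of the recommendation over the horizon, including ongoing costs."""
    return rec.one_time_cost + rec.annual_cost * years


def benefit(rec: Recommendation, years: int = 1) -> float:
    """Projected benefit in dollars: the loss the control is expected to avoid."""
    return (rec.loss_before - rec.loss_after) * years


def cba(rec: Recommendation, years: int = 1) -> float:
    """Net value of the recommendation: benefit minus cost (negative = not worth it)."""
    return benefit(rec, years) - total_cost(rec, years)


def cba_report(rec: Recommendation, years: int = 1) -> dict:
    """The fields the slide lists for a CBA, filled in for one recommendation."""
    net = cba(rec, years)
    return {
        "recommendation": rec.name,
        "cost_of_recommendation": total_cost(rec, years),
        "loss_before_recommendation": rec.loss_before * years,
        "expected_loss_with_recommendation": rec.loss_after * years,
        "benefit_of_recommendation": benefit(rec, years),
        "cba": net,
        "worthwhile": net > 0,
    }


def rank_recommendations(recs, years: int = 1):
    """Order recommendations by net value, highest first, for the management decision."""
    return sorted(recs, key=lambda r: cba(r, years), reverse=True)


# Constructed figures for the website plan's recommendations (not textbook data).
WEBSITE_RECOMMENDATIONS = [
    Recommendation("Upgrade firewall", 5000, 500, 20000, 4000),
    Recommendation("Purchase and install IDS", 8000, 2000, 10000, 6000),
    Recommendation("Add one IT administrator", 0, 90000, 15000, 5000),
]

if __name__ == "__main__":
    for rec in rank_recommendations(WEBSITE_RECOMMENDATIONS, years=3):
        print(cba_report(rec, years=3))
```

Running the block prints one CBA record per recommendation, best first. Note that a recommendation can look worthwhile over one year and not over three (or the reverse) once ongoing costs are included, which is why the slide asks that anticipated ongoing costs go into the cost figure.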
Risk Statements
Used to communicate a risk and the resulting impact
Often written using “if/then”
Should be matched to the scope and objectives of the project
Documenting Management Response to Recommendations
Accept
  Management can approve the recommendation
Defer
  Management can defer a recommendation
Modify
  Management can modify a recommendation
Documenting and Tracking Implementation of Accepted Recommendations
The documentation doesn’t need to be extensive; it could be a simple document listing the recommendation and the decision, for example:
  Recommendation to purchase antivirus software
    Accepted. Software is to be purchased as soon as possible.
  Recommendation to hire an IT administrator
    Deferred. IT department needs to provide clearer justification for this. In the interim, the IT department is authorized to use overtime to ensure security requirements are met.
  Recommendation to purchase SS75 firewall
    Modified. Two SS75 firewalls are to be purchased as soon as possible. These two firewalls will be configured as a DMZ.
Plan of Action and Milestones (POAM)
Is a living document
A document used to track progress
Used to assign responsibility and to allow management follow-up
Charting the Progress of a Risk Management Plan
The milestone plan chart lists only major milestones
A Gantt chart shows a full project schedule
The critical path chart identifies critical tasks to be managed
Steps of the NIST Risk Management Framework (RMF)
Seven-step process that combines security and risk management as part of a systems development life cycle:
  Prepare
  Categorize
  Select
  Implement
  Assess
  Authorize
  Monitor
Summary
Fundamental components of a risk management plan
Objectives, boundaries, and scope of a risk management plan
Importance of assigning responsibilities in a risk management plan
Significance of planning, scheduling, documentation, and reporting
Steps of the NIST Risk Management Framework
10/8/2020