risk3e_ppt_ch04.pptx

CHAPTER 4

Developing a Risk Management Plan

Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.


Learning Objective(s) and Key Concepts

Describe the components of and approaches to effective risk management in an organization.

Fundamental components of a risk management plan

Objectives, boundaries, and scope of a risk management plan

Importance of assigning responsibilities in a risk management plan

Significance of planning, scheduling, documentation, and reporting

Steps of the NIST Risk Management Framework


Objectives of a Risk Management Plan


A list of threats

A list of vulnerabilities

Costs associated with risks

A list of recommendations to reduce the risks

Costs associated with recommendations

A cost-benefit analysis (CBA)

One or more reports

Implementing a Risk Management Plan


Document management decisions

Document and track implementation of accepted recommendations

Create a plan of action and milestones (POAM)

Objectives Examples


Identifying threats

Identifying vulnerabilities

Identifying assets

Assigning responsibilities

Objectives Examples (Cont.)


Identifying the costs of an outage/noncompliance

Providing recommendations

Identifying the costs of recommendations

Providing a CBA

Objectives Examples (Cont.)


Documenting accepted recommendations

Tracking implementation

Creating a POAM

Scope of a Risk Management Plan


Identify the boundaries of the plan

Avoid scope creep

Identify stakeholders

Create a change control board

Draft a scope statement

Scope Examples

Website

Creating a risk management plan to secure a website:

Scope includes:

Security of the server hosting the website

Security of the website itself

Availability of the website

Integrity of the website’s data

Stakeholders include:

Vice president of sales

Information technology (IT) support department head

Written approval is required for all activities outside the scope of this plan

HIPAA Compliance

Creating a risk management plan to ensure HIPAA compliance:

Scope includes:

Identifying all health data

Storing health data

Using health data

Transmitting health data

Stakeholders include:

Chief Information Officer (CIO)

Human resources (HR) department head

Written approval is required for all activities outside the scope of this plan


Assigning Responsibilities


Responsibilities can be assigned to:

Risk management project manager (PM)

Stakeholders

Departments or department heads

Executive officers, such as the CIO or CFO

Individual responsibilities:

Identifying risk

Assessing risk

Identifying risk mitigation steps

Reporting

Responsibilities Examples

Website

The IT department is responsible for providing:

A list of threats

A list of vulnerabilities

A list of recommended solutions

Costs for each of the recommended solutions

The sales department is responsible for providing:

Direct costs of all outages that last 15 minutes or longer

Indirect costs of all outages that last 15 minutes or longer

The CFO will:

Validate the data provided by the IT and sales departments

Complete a CBA

HIPAA Compliance

The HR department is responsible for providing:

A list of all health information sources

Inspection results for all data sources regarding HIPAA compliance

How the data is stored, protected, and transmitted

A list of existing and needed HIPAA policies

A list of recommended solutions to ensure HIPAA compliance

Costs for each of the recommended solutions

Costs associated with noncompliance

The IT department is responsible for providing:

Identification of access controls used for data

A list of recommended solutions to ensure compliance with HIPAA

Costs for each of the recommended solutions

The CFO will:

Validate the data provided by the HR and IT departments

Complete a CBA


Using Affinity Diagrams


Describing Procedures and Schedules for Accomplishment


Include a recommended solution for any threat or vulnerability, with a goal of mitigating the associated risk

The solution will often include multiple steps

Describe each step in detail

Include a timeline for completion of each step

Remember:

Management is responsible for choosing the controls to implement

Management is responsible for residual risk

Procedures Examples

Website

Mitigating the risk of denial of service (DoS) attacks:

Recommendation—Upgrade the firewall.

Justification—The current firewall is a basic router; it does not provide advanced firewall capabilities such as stateful inspection or rate limiting

Procedures—The following steps can be used to deploy the new firewall:

Start firewall logging

Create a firewall policy

Purchase a firewall appliance

Install the firewall

Configure the firewall

Test the firewall before going live

Bring the firewall online

HIPAA Compliance

Procedures for mitigating the risk of HIPAA noncompliance:

Recommendation—Increase awareness of HIPAA

Justification—Make clear that noncompliance, even through unintentional mistakes, can result in fines totaling $25,000 a year

Procedures—Use the following steps to increase awareness:

Require all employees to read and comply with HIPAA policies

Provide training to all employees on HIPAA compliance


Reporting Requirements


Present recommendations

Document management response to recommendations

Document and track implementation of accepted recommendations

Create a plan of action and milestones (POAM)

Presenting Recommendations


Report should include:

Findings

Reports are often summarized in risk statements

Use risk statements to communicate a risk and the resulting impact

Recommendation cost and time frame

Cost-benefit analysis (CBA)

Findings


Cause—The threat

Criteria—The conditions (vulnerabilities) that allow the threat to succeed, for example:

Inadequate manpower

Unmanaged firewall

No intrusion detection system (IDS)

Operating system not updated

Antivirus software not installed and updated

Effect—Often an outage of some type

Findings (Cont.)

Website cause and effect diagram


Findings (Cont.)

HIPAA compliance cause and effect diagram


Recommendation Cost and Time Frame

Each item should include the cost and timeframe required to implement it


Example list of recommendations included in the website risk management plan

Upgrade firewall

Purchase and install IDS

Create a plan to keep the system updated

Install antivirus software on server

Update antivirus software

Add one IT administrator

Cost-Benefit Analysis (CBA)

CBA should include two items:

Cost of the recommendation, including any anticipated ongoing costs

Projected benefits in terms of dollars

Example of a CBA for a website recommendation:

Recommendation

Cost of the recommendation

Background

Loss before recommendation

Expected loss with recommendation

Benefit of the recommendation

CBA = Loss before recommendation − Loss after recommendation − Cost of recommendation (a negative result means the control is expected to cost more than it saves)
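The CBA formula above, carried through for several of the website recommendations with anticipated ongoing costs included. This is an added example, not code from the textbook; every dollar figure is a constructed assumption chosen only to show how one-time and annual costs change the answer over a longer planning horizon.

```python
"""Cost-benefit analysis (CBA) for risk management recommendations.

Added example, not from the textbook. All figures below are constructed
assumptions for the website scenario: each recommendation has a one-time
cost, an anticipated ongoing (annual) cost, and a projected annual loss
before and after the control is in place.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Recommendation:
    name: str
    one_time_cost: float   # purchase and installation
    annual_cost: float     # anticipated ongoing cost (licences, staff, support)
    loss_before: float     # projected annual loss if nothing is done
    loss_after: float      # projected annual loss once the control is in place


def cba(rec: Recommendation, years: int = 1) -> float:
    """CBA = loss before - loss after - cost, over a planning horizon in years.

    The benefit is the reduction in projected loss for every year of the
    horizon; the cost is the one-time outlay plus the ongoing cost for every
    year. A negative result means the control costs more than it saves.
    """
    benefit = (rec.loss_before - rec.loss_after) * years
    cost = rec.one_time_cost + rec.annual_cost * years
    return benefit - cost


def break_even_years(rec: Recommendation, max_years: int = 10):
    """First horizon (in whole years) at which the recommendation pays for
    itself, or None if it never does within max_years."""
    for years in range(1, max_years + 1):
        if cba(rec, years) >= 0:
            return years
    return None


def rank_recommendations(recs, years: int = 1):
    """(name, cba) pairs sorted best-first, for presentation to management."""
    scored = [(r.name, cba(r, years)) for r in recs]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample figures (assumptions, not taken from the page).
WEBSITE_RECS = [
    Recommendation("Upgrade firewall", 8_000, 1_000, 50_000, 10_000),
    Recommendation("Purchase and install IDS", 6_000, 2_000, 20_000, 8_000),
    Recommendation("Add one IT administrator", 0, 90_000, 30_000, 5_000),
]

if __name__ == "__main__":
    for horizon in (1, 3):
        print(f"--- {horizon}-year horizon ---")
        for name, value in rank_recommendations(WEBSITE_RECS, horizon):
            print(f"{name:30s} CBA = {value:>10,.0f}")
```

With these assumptions the firewall upgrade is clearly positive in the first year, the IDS is marginal, and the extra administrator never pays for itself on availability grounds alone, which is exactly the kind of result management will want to see before deferring or modifying a recommendation.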


Risk Statements

Used to communicate a risk and the resulting impact

Often written using “if/then”

Should be matched to the scope and objectives of the project


Documenting Management Response to Recommendations


Accept

Management can approve the recommendation

Defer

Management can defer a recommendation

Modify

Management can modify a recommendation

Documenting and Tracking Implementation of Accepted Recommendations

The documentation doesn’t need to be extensive; it could be a simple document listing the recommendation and the decision, for example:

Recommendation to purchase antivirus software

Accepted. Software is to be purchased as soon as possible.

Recommendation to hire an IT administrator

Deferred. IT department needs to provide clearer justification for this. In the interim, the IT department is authorized to use overtime to ensure security requirements are met.

Recommendation to purchase SS75 firewall

Modified. Two SS75 firewalls are to be purchased as soon as possible. These two firewalls will be configured as a DMZ.


Plan of Action and Milestones (POAM)


Is a living document

A document used to track progress

Used to assign responsibility and to allow management follow-up

Charting the Progress of a Risk Management Plan

The milestone plan chart lists only major milestones


Charting the Progress of a Risk Management Plan (Cont.)

A Gantt chart shows a full project schedule


Charting the Progress of a Risk Management Plan (Cont.)

The critical path chart identifies the chain of dependent tasks whose delay would delay the whole plan; these are the tasks to be managed most closely
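How a critical path is derived from a task list, using the firewall-upgrade procedure from earlier in the chapter as the tasks. This is an added example and is not code from the textbook; the durations and dependencies between the steps are constructed assumptions. The same forward/backward pass also yields the early and late start dates a Gantt chart is drawn from.

```python
"""Critical path calculation for a risk management plan schedule.

Added example, not from the textbook. Tasks are the firewall-upgrade steps
from the chapter; durations (working days) and dependencies are assumptions.
"""
from collections import deque

# name -> (duration_days, [predecessor names]); constructed assumptions
FIREWALL_TASKS = {
    "start logging":   (2,  []),
    "create policy":   (5,  ["start logging"]),           # log data informs the policy
    "purchase":        (10, []),                           # procurement lead time
    "install":         (1,  ["purchase"]),
    "configure":       (2,  ["install", "create policy"]),
    "test":            (3,  ["configure"]),
    "bring online":    (1,  ["test"]),
}


def schedule(tasks):
    """Forward and backward pass over the task graph.

    Returns {name: {es, ef, ls, lf, float}} in a valid execution order.
    Tasks with zero float are on the critical path.
    """
    indeg = {n: len(tasks[n][1]) for n in tasks}
    succ = {n: [] for n in tasks}
    for n, (_, preds) in tasks.items():
        for p in preds:
            succ[p].append(n)

    # Kahn's algorithm gives a topological order and detects dependency cycles
    order, queue = [], deque(n for n in tasks if indeg[n] == 0)
    while queue:
        n = queue.popleft()
        order.append(n)
        for s in succ[n]:
            indeg[s] -= 1
            if indeg[s] == 0:
                queue.append(s)
    if len(order) != len(tasks):
        raise ValueError("cycle in task dependencies")

    # Forward pass: earliest start/finish
    es, ef = {}, {}
    for n in order:
        duration, preds = tasks[n]
        es[n] = max((ef[p] for p in preds), default=0)
        ef[n] = es[n] + duration
    project_finish = max(ef.values())

    # Backward pass: latest start/finish without delaying the project
    ls, lf = {}, {}
    for n in reversed(order):
        lf[n] = min((ls[s] for s in succ[n]), default=project_finish)
        ls[n] = lf[n] - tasks[n][0]

    return {
        n: {"es": es[n], "ef": ef[n], "ls": ls[n], "lf": lf[n], "float": ls[n] - es[n]}
        for n in order
    }


def critical_path(tasks):
    """(critical task names in execution order, total project duration)."""
    sched = schedule(tasks)
    critical = [n for n, v in sched.items() if v["float"] == 0]
    return critical, max(v["ef"] for v in sched.values())


if __name__ == "__main__":
    path, days = critical_path(FIREWALL_TASKS)
    print(f"Project duration: {days} days")
    print("Critical path:", " -> ".join(path))
    for name, v in schedule(FIREWALL_TASKS).items():
        print(f"{name:15s} ES={v['es']:2d} EF={v['ef']:2d} LS={v['ls']:2d} LF={v['lf']:2d} float={v['float']}")
```

Under these assumptions procurement drives the whole schedule: the logging and policy work has four days of float, so a slip there is absorbed, while a one-day slip in purchasing, installing, configuring or testing the appliance delays the go-live by a day.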


Steps of the NIST Risk Management Framework (RMF)

Seven-step process (NIST SP 800-37) that integrates security, privacy, and risk management activities into the system development life cycle:

Prepare

Categorize

Select

Implement

Assess

Authorize

Monitor

Summary

Fundamental components of a risk management plan

Objectives, boundaries, and scope of a risk management plan

Importance of assigning responsibilities in a risk management plan

Significance of planning, scheduling, documentation, and reporting

Steps of the NIST Risk Management Framework


10/8/2020
