risk3e_ppt_ch10.pptx

CHAPTER 10

Planning Risk Mitigation Throughout an Organization

Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.

Learning Objective(s) and Key Concepts

Learning Objective(s)

Identify risk mitigation security controls and develop a risk mitigation plan.

Key Concepts

Scope of a risk management plan

Legal and compliance issues, including operational impacts

Assessing security countermeasures and safeguards

How to identify risk mitigation and risk reduction elements for an organization

Where Should an Organization Start with Risk Mitigation?

Identify assets and prioritize them (High, Medium, Low)

Identify and analyze the threats and vulnerabilities that affect those assets

Evaluate candidate controls to determine which controls to implement

What Is the Scope of Risk Management for an Organization?

Critical business operations

Mission-critical business systems, applications, and data access

Seven domains of a typical IT infrastructure

Information systems security gap

Customer service delivery

Critical Business Operations

A business impact analysis (BIA) helps an organization identify the impact on the business if various risks occur

BIAs identify the maximum acceptable outage (MAO), the maximum amount of time a system or service can be down before the mission is affected

When completing a BIA of a specific service or function, ask:

How does this service affect the organization’s profitability?

How does this service affect the organization’s survivability?

How does this service affect the organization’s image?

How will an outage affect employees?

How will an outage affect customers?

When does this service need to be available?

What is the MAO of the service?

Customer Service Delivery

Service level agreement (SLA) identifies an expected level of performance; includes the minimum uptime or the maximum downtime

Organizations use SLAs as a contract between a service provider and a customer

SLA can identify monetary penalties if the terms aren’t met

Internal customer services:

Email services

Internet access

Network access

Server applications, such as database servers

Access to internal servers, such as file servers

Desktop computer support

Mission-Critical Business Systems, Applications, and Data Access

Critical business functions (CBFs)

Any function considered vital to an organization

Critical success factors (CSFs)

Any element necessary to perform the mission of an organization

Critical business functions illustrated in the chapter's figures (figure captions only; the figures themselves are not reproduced here):

Critical business functions: making the purchase

Critical business functions: receiving funds

Critical business functions: shipping the product

Seven Domains of a Typical IT Infrastructure

Information Systems Security Gap

The difference between the controls that are in place and the controls that are needed

Gap analysis reports are often used when dealing with legal compliance

Combined with a remediation plan, the gap analysis report identifies how to close a security gap

Understanding and Assessing the Impact of Legal and Compliance Issues on an Organization

Compliance is a mitigation control

Assessing the impact of compliance issues:

Identify what compliance issues apply to organization

Assess impact of issues on business operations

Legal Requirements, Compliance Laws, Regulations, and Mandates

Health Insurance Portability and Accountability Act (HIPAA)

Sarbanes-Oxley Act (SOX)

Federal Information Security Management Act (FISMA) (2002)

Federal Information Security Modernization Act (FISMA) (2014)

Family Educational Rights and Privacy Act (FERPA)

Children’s Internet Protection Act (CIPA)

Payment Card Industry Data Security Standard (PCI DSS)

Gramm-Leach-Bliley Act (GLBA)

General Data Protection Regulation (GDPR)

Assessing the Impact of Legal and Compliance Issues on an Organization’s Business Operations

CIPA requires schools and libraries that receive certain federal funding to deploy a technology protection measure (TPM) that blocks or filters objectionable Internet content

A filtering proxy server is a common way to implement a TPM (in this context, TPM is unrelated to a Trusted Platform Module)

Payment Card Industry Data Security Standard (PCI DSS) Principles and Requirements (six goals and 12 requirements, worded as in PCI DSS v3.2.1; v4.0 keeps 12 requirements but rewords several, e.g., Requirement 1 became "Install and maintain network security controls")

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall

Requirement 2: Do not use defaults, such as default passwords

Protect Cardholder Data

Requirement 3: Protect stored data

Requirement 4: Encrypt transmissions

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware; use and regularly update antivirus software

Requirement 6: Develop and maintain secure systems

Implement Strong Access Control Measures

Requirement 7: Restrict access to data

Requirement 8: Use unique logons for each user. Don’t share usernames and passwords

Requirement 9: Restrict physical access

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to systems and data

Requirement 11: Regularly test security

Maintain an Information Security Policy

Requirement 12: Maintain a security policy

Translating Legal and Compliance Implications for an Organization

Losses can be direct or indirect

A public relations (PR) campaign can sometimes restore an organization’s reputation

Proactively spending money on PR campaigns can reduce the effects of an incident

Assessing the Impact of Legal and Compliance Implications on the Seven Domains of a Typical IT Infrastructure

User Domain

Workstation Domain

LAN Domain

LAN-to-WAN Domain

WAN Domain

Remote Access Domain

System/Application Domain

Assessing How Security Countermeasures, Controls, and Safeguards Can Assist With Risk Mitigation

Controls are implemented at a point in time to reduce the risks at that time

A control will attempt to mitigate risk by:

Reducing the impact of threats to an acceptable level

Reducing a vulnerability to an acceptable level

A risk assessment (RA) evaluates threats and vulnerabilities at a point in time

Understanding the Operational Implications of Legal and Compliance Requirements

HIPAA

SOX

FISMA

FERPA

CIPA

PCI DSS

GDPR

Identifying Risk Mitigation and Risk Reduction Elements for the Entire Organization

Account management controls

Access controls

Physical access

Personnel policies

Security awareness and training

Performing a Cost-Benefit Analysis (CBA)

Compare cost of control to cost of risk if it occurs

Calculating projected benefits:

Loss Before Control - Loss After Control = Projected Benefits

Determining if control should be used:

Projected Benefits - Cost of Control = Control Value
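The following Python is an added example, not code from the textbook deck. It applies the two CBA formulas above to several candidate controls for the same risk and keeps only those whose control value is positive, which shows the point the decision rule makes: the control that reduces loss the most is not necessarily worth buying. The dollar figures are constructed sample numbers (treated here as expected annual loss and annual control cost, an assumption the chapter does not spell out), and the control names are illustrative.

```python
"""Cost-benefit analysis (CBA) of candidate risk mitigation controls.

Added example, not from the deck. Implements the chapter's two formulas:

    Projected Benefits = Loss Before Control - Loss After Control
    Control Value      = Projected Benefits  - Cost of Control

All figures are constructed sample values in dollars per year.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    loss_before: float   # expected loss from the risk with no control in place
    loss_after: float    # expected residual loss with this control in place
    cost: float          # cost to implement and operate the control


def projected_benefits(loss_before: float, loss_after: float) -> float:
    """Loss Before Control - Loss After Control."""
    if loss_after > loss_before:
        # A control that raises expected loss is not a mitigation; reject it.
        raise ValueError("a control cannot increase expected loss")
    return loss_before - loss_after


def control_value(ctrl: Control) -> float:
    """Projected Benefits - Cost of Control; negative means not justified."""
    return projected_benefits(ctrl.loss_before, ctrl.loss_after) - ctrl.cost


def justified_controls(candidates):
    """Return only the candidates with positive control value, best first."""
    ranked = sorted(candidates, key=control_value, reverse=True)
    return [c for c in ranked if control_value(c) > 0]


# Constructed candidates for one hypothetical risk (ransomware on a file server).
SAMPLE = [
    Control("offline backups with tested restore", 250_000, 40_000, 30_000),
    Control("endpoint detection and response", 250_000, 90_000, 120_000),
    Control("full rebuild of the server fleet", 250_000, 20_000, 400_000),
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(f"{c.name:40s} benefits={projected_benefits(c.loss_before, c.loss_after):>10,.0f}"
              f" value={control_value(c):>10,.0f}")
    print("justified:", [c.name for c in justified_controls(SAMPLE)])
```

Note that the fleet rebuild has the largest projected benefit of the three but a negative control value, so the CBA rejects it even though it leaves the least residual loss.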

Best Practices for Planning Risk Mitigation Throughout an Organization

Review historical documentation

Although risks change, many of the threats and vulnerabilities will be the same

Include both a narrow and broad focus

Identify specific risks and mitigation strategies and broaden the focus to include the entire organization

Ensure that governing laws have been identified

If you don’t know what laws apply, you won’t be in compliance

Redo risk assessments when a control changes

If the control changes, the original risk assessment is no longer valid

Include a CBA

CBAs provide justification for controls and help determine their value

Summary

Scope of a risk management plan

Legal and compliance issues, including operational impacts

Assessing security countermeasures and safeguards

How to identify risk mitigation and risk reduction elements for an organization

10/9/2020