Information Technology Risk Management
- Chapter 3: Maintaining Compliance
- Chapter 4: Developing a Risk Management Plan
Book:
Information systems security & assurance series
Jones & Barlett Learning
Managing Risk in Information Systems – Darril Gibson-second editio
“Compliance and Ethics” Please respond to the following:
- Read the article on NPR “As We Leave More Digital Tracks, Amazon Echo Factors in Murder Investigation” located at Echo. Then debate the ethical conflicts that can arise with compliance in this or similar cases. Choose a side, as if you were the lead attorney for that side and defend your chosen side (even if your chosen side isn’t how you totally feel is the correct response about the issue).
List all references.
|
CIS527 Week #2_ P1 IT Risk Management – Maintaining Compliance |
||
| Slide # | Slide Title | Slide Narration |
| Slide 1 | Introduction | Welcome to IT Risk Management.
In this lesson we will discuss Maintaining Compliance. Next slide |
| Slide 2 | Topics | The following topics will be covered in this lesson:
Compliance, U.S.-based laws related to compliance, regulations related to compliance, organizational policies for compliance, and standards and guidelines for compliance. Next slide |
| Slide 3 | Compliance | Many laws and regulations are in place regarding the protection of IT systems. Most organizations have requirements to comply with the laws that apply to them. This is commonly referred to as compliance.
Many organizations have internal programs in place to ensure they remain in compliance with relevant laws and regulations. These programs commonly use internal audits. They can also use certification and accreditation programs. The United States laws that cover compliance include the Federal Information Security Management Act, the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley, the Sarbanes-Oxley Act, the Family Educational Rights and Privacy Act, and the Children’s Internet Protection Act. We will discuss these in detail in the following slides. Next slide |
| Slide 4 | U.S.- based laws related to compliance | The Federal Information Security Management Act (FISMA) was passed in 2002. The purpose of this act is to ensure that federal agencies protect their data. The act assigns specific responsibilities for federal agencies which include protecting systems and data, complying with all elements of FISMA, and integrating security in all processes.
FISMA requires annual inspections. Each year, agencies must have an independent evaluation of their program. The goal is to determine the effectiveness of the program. These evaluations include testing for effectiveness and writing an assessment or report that identifies the agency’s compliance. Next slide |
| Slide 5 | U.S.- based laws related to compliance, continued | The Health Insurance Portability and Accounting Act (HIPAA) was passed in 1996. This act ensures that health information data is protected. Before HIPAA, personal medical information was often available to anyone. Security to protect the data was lax, and the data was often misused.
If an organization handles health information, HIPAA applies. This makes the definition of health information very important. HIPAA defines health information as any data that is created or received by health care providers, health plans, public health authorities, employers, life insurers, schools and universities, or health care clearinghouses. This also applies to data that is related to the past, present or future health of the individual, physical health, mental health, or condition of an individual, and past, present or future payments for health care. Type two of HIPAA includes a section titled, “Administrative Simplification.” This section includes security standards, privacy standards and penalties. The process for creating a HIPAA compliance plan includes assessment, risk analysis, plan creation, plan implementation, continuous monitoring, and assessment. Next slide |
| Slide 6 | U.S.- based laws related to compliance, continued | The Gramm-Leach Bliley Act (GLBA) was passed in 1999. This act is also known as the Financial Services Modernization Act. It is broad in scope, and most of the Act is related to how banking and insurance institutions can merge.
Two parts of the GLBA are related to IT security – the Financial Privacy Rule and the Safeguards Rule. These rules apply to financial institutions in the United States. The Financial Privacy Rule is the rule that requires companies to notify customers about their privacy practices. The Safeguards Rule requires companies to have a security plan to protect customer information. This plan also ensures that data isn’t released without authorization, as well as ensures that the integrity of the data remains intact. Next slide |
| Slide 7 | U.S.- based laws related to compliance, continued | The Sarbanes Oxley Act (SOX) was passed in 2002. This law applies to any company that is publicly traded. It is designed to hold executives and board members personally responsible for financial data. If the data is not accurate, they can be fined and put in jail.
The goal of SOX is to reduce fraud. Chief Executive Officers and Chief Financial Officers must be able to verify accuracy of financial statements and prove the statements are accurate. Most of SOX is outside the scope of IT; however, Section four oh four has elements that are directly related. Section four oh four pertains to the accuracy of data and requires that a company use internal controls to protect the data. It also requires reports from both internal and external auditors to verify compliance. Next slide |
| Slide 8 | U.S.- based laws related to compliance, continued | The Family Educational Rights and Privacy Act (FERPA) was passed in 1974. This act has been amended nine times. The goal is to protect the privacy of student records, which includes education data and health data.
FERPA applies to all schools that receive any funding from the U.S. Department of Education, and includes any state or local educational agency, any institution of higher education, any community college, any school or agency offering a preschool program, and any other education institution. FERPA grants rights to parent of students under the age of 18. All personally identifiable information (PII) about the student must be protected. Schools usually need permission from either the parent or the student to release PII. Next slide |
| Slide 9 | U.S.- based laws related to compliance, continued | The Children’s Internet Protection Act (CIPA) was passed in 2000. This act is designed to limit access to offensive content from school and library computers. Any school or library that receives funding from the E-Rate program is covered under CIPA.
CIPA requires that schools and libraries block or filter Internet access to pictures that are obscene, pornographic, or harmful to minors. It also requires them to adopt and enforce a policy to monitor online activity of minors and implement an Internet safety policy. Next slide |
| Slide 10 | Check Your Understanding | |
| Slide 11 | Regulations Related to Compliance | In addition to all the laws, there are regulations that have created different U.S. entities. Most of these entities operate at the federal level. Organizations include the Securities and Exchange Commission, the Federal Deposit Insurance Corporation, the Department of Homeland Security, the Federal Trade Commission, the State Attorney General and the U.S. Attorney General.
The Securities and Exchange Commission (SEC) is a federal agency that is charged with regulating the securities industry. This includes any sales or trades of securities. The Federal Deposit Insurance Company (FDIC) is a federal agency that was created in 1933. The primary goal is to promote confidence in U.S. banks. The FDIC was created as a direct result of the bank failures that occurred in the 1920s and early 1930s. Funds in any bank insured by the FDIC are guaranteed. Depositors will not lose their money even if the bank goes bankrupt. The purpose is to prevent a run on a bank. Currently, funds for any individual depositor are insured up to two hundred and fifty thousand dollars. This was increased from one hundred thousand in 2007. It will return to one hundred thousand on January first, 2014. The Department of Homeland Security (DHS) is a federal agency that is responsible for protecting the United States from terrorist attacks. It is also charged with responding to natural disasters. The DHS was formed in 2002 as a direct response to the terrorist attacks of September eleventh, 2001. Next slide |
| Slide 12 | Regulations Related to Compliance (continued) | The Federal Trade Commission (FTC) is a federal agency that was created in 1914. The primary goal is to promote consumer protection, but this has changed over the years. When the FTC was first created, the goal was to prevent unfair methods of competition. Trusts had been engaged in anticompetitive practices included business monopolies, restraining trade, and fixing prices. The creation of the FTC was to “bust the trusts.” Congress since then has passed laws that protect the consumer. The hierarchy of the FTC has three primary bureaus, which include the Bureau of Consumer Protection, The Bureau of Competition, and the Bureau of Economics.
The State Attorney General (AG) is the primary legal advisor for the state. For many states, the AG is also the chief law enforcement officer. Some of the responsibilities include the representation of legal matters; defending the laws of the state; providing legal advice to all state entities; performing criminal investigations; reviewing all deeds, leases and contracts for the state; and proposing legislation. Some Attorney Generals are elected, while others are appointed by the governor or other state officials. The U.S. Attorney General (U.S AG) is the head of the United States Department of Justice (DOJ). The President of the United States nominates the U.S. AG. Specific responsibilities include enforcing the law, defending the interests of the United States, ensuring public safety against threats, providing federal leadership in preventing and controlling crime, seeking just punishment for those guilty of unlawful behavior, and ensuring fair and impartial justice for all Americans. Next slide |
| Slide 13 | Organizational Policies for Compliance | Organizations implement policies to ensure they remain compliant with different laws and regulations. These policies can contain multiple elements. One important element is fiduciary responsibility. Fiduciary refers to a relationship of trust. Some examples of fiduciary relationships include an attorney and a client, a CEO and a board of directors, and shareholders and a board of directors.
A great deal of trust is granted in a fiduciary relationship. Two steps that can be taken are due diligence and due care. Due diligence means the fiduciary takes a reasonable amount of time and effort to identify risks. Due care entails a known risk that the fiduciary takes reasonable steps to protect against. Failure to take due care to protect assets can also be considered negligence. A fiduciary is expected to understand and weigh the risks. By exercising due care and due diligence, the fiduciary is less likely to be accused of acting recklessly or being negligent. Other elements of an organizational policy include mandatory vacations, job rotation, separation of duties, and acceptable use. Next slide |
| Slide 14 | Standards and Guidelines for Compliance | Several standards and guidelines exist that can be used to assess and improve security. Most of these standards are optional, but some are mandatory for certain sectors. The standards and guidelines include:
The Payment Card Industry Data Security Standard; The National Institute of Standards and Technology; Generally Accepted Information Security Principles; Control Objectives for Information and related Technology; The International Organization for Standardization; The International Electrotechnical Commission; The Information Technology Infrastructure Library; Capability Maturity Model Integration; and The Department of Defense Information Assurance Certification and Accreditation Process. Next slide |
| Slide 15 | Standards and Guidelines for Compliance (continued) | The Payment Card Industry Data Security Standard (PCI DSS) is an international security standard. The purpose is to enhance the security of credit card data. It was created by the PCI Security Standards Council with input from major credit card companies, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. International.
The key pieces of data which allow for fraud and theft include name, credit card number, expiration date, and security code. This data is transmitted to and from the merchant. It travels from the merchant’s computer to an approval authority and can be intercepted any time it’s transmitted. The data can be easily read if it is not encrypted also. Some basic security to prevent this type of theft is PCI DSS, which is built around six principles. Each of these principles has one or two requirements. The principles are Build and Maintain a Secure Network; Protect Cardholder Data; Maintain a Vulnerability Management Program; Implement Strong Access Control Measures; Regularly Monitor and Test Networks; and Maintain an Information Security Policy. Compliance with PCI DSS is a three-step continuous process Next slide |
| Slide 16 | Standards and Guidelines for Compliance (continued) | The National Institute of Standards and Technology (NIST) is a division of the U.S. Department of Commerce. The mission of NIST is to promote U.S. innovation and competitiveness.
NIST hosts the Information Technology Laboratory (ITL). The ITL develops standards and guidelines related to IT. They are published as special publications whose titles have a prefix of SP dot SP eight hundred dash thirty, “Risk Management Guide for Information Technology Systems.” The publication is subtitled “Recommendations of the National Institute of Standards and Technology,” and identifies nine steps that can be taken for risk assessment, as follows: •Step one : System characterization •Step two: Threat identification •Step three: Vulnerability identification •Step four: Control analysis •Step five: Likelihood determination •Step six: Impact analysis •Step seven: Risk determination •Step eight: Control recommendations. Step nine: Results documentation Risk mitigation includes details on options and strategies. It talks about the types of controls that can be taken to reduce risks. It also has information on cost-benefit analysis and residual risk. Evaluation and assessment addresses the need to repeat risk assessments. ITL recommends repeating them at least every three years and mentions some keys for success of any risk management program. Next slide. |
| Slide 17 | Standards and Guidelines for Compliance (continued) | The Generally Accepted Information Security Principles (GAISP) is an older standard that evolved from Generally Accepted System Security Principles (GASSP). GASSP was created in 1992. GAISP was an update to GASSP.
GAISP version three was released in August 2003 and was adopted by the Information Systems Security Association (ISSA). It is important to note that GAISP is no longer mentioned on the ISSA Web site. Additionally, the gaisp dot org Website is no longer maintained. GAISP consists of two major sections which include pervasive principles and broad functional principles. Next slide |
| Slide 18 | Standards and Guidelines for Compliance (continued) | Control Objectives for Information and Related Technology (COBIT) is a set of good practices for IT management. COBIT is designed to provide a framework for control of IT functions.
COBIT was written by the IT Governance Institute (ITGI) with ISACA. ISACA used to be known as the Information Systems Audit and Control Association. COBIT is a well-respected standard and is often referenced by other standards. The basic principle of COBIT is that it helps reinforce that IT is in place in an organization to support business requirements. The COBIT framework is organized into four IT domains and thirty-four IT processes. These domains are process-oriented, meaning that they are focused on activities in the organization. Each of the four domains interacts with each other. The four domains include plan and organize, acquire and implement, deliver and support, and monitor and evaluate. COBIT is extensive, and the principles cannot be implemented overnight in an organization. Next slide |
| Slide 19 | Standards and Guidelines for Compliance (continued) | The International Organization for Standardization (ISO) develops and publishes standards, and includes members from one-hundred fifty nine countries. The main office is in Geneva, Switzerland.
ISO works with the International Electrotechnical Commission (IEC). Many of the ISO standards are published as ISO/IEC standards. ISO has published many standards that are relevant to risk and IT. Three important standards include ISO two-seven-zero-zero-two: Security Techniques; ISO thirty-one zero-zero-zero: Principles and Guidelines on Implementation; and ISO seventy-three Risk Management—Vocabulary. ISO two-seven-zero-zero-two Information Technology Security Techniques is a set of guidelines and principles which are used for security management. ISO two-seven-zero-zero-two/ two-thousand-and-five includes two parts, labeled as Part one and Part two. Part one includes objectives and controls that an organization can use. Part two is used by an outside third party to evaluate an organization. If the organization meets Part two elements, the third party can certify it with ISO two-seven-zero-zero-two. The third party can certify an organization using all or just a portion of Part two. ISO thirty-one zero-zero-zero: two-thousand-nine provides generic guidance on risk management. It is not specific to any specific industry or sector. In other words, it doesn’t apply only to IT. An organization can use the principles and guidelines throughout its life. There is no certification. Two supplementary documents associated with ISO thirty-one zero-zero-zero include ISO seventy-three Risk Management—Vocabulary and IEC three-one-zero-one-zero Risk Management—Risk Assessment Techniques. ISO seventy-three Risk Management—Vocabulary includes a list of terms. These terms are related to risk management. The goal is to provide a common definition for terms used in risk management. ISO seventy-three refers to ISO thirty-one zero-zero-zero: two-thousand-nine for principles and guidelines on risk management. Next slide |
| Slide 20 | Standards and Guidelines for Compliance (continued) | The International Electrotechnical Commission (IEC) is an international standards organization that prepares and publishes standards for electrical, electronic, and related technologies.
The overall objectives of the IEC are to meet the requirements of the global market, ensure maximum use of its standards, assess and improve products and services covered by its standards, aid in interoperability of systems, increase the efficiency of processes, aid in improvement of human health and safety, and aid in protection of the environment. The IEC has published “IEC three-one-zero-one-zero Risk Management—Risk Assessment Techniques”, which is a supporting standard for ISO thirty-one zero-zero-zero. Next slide. |
| Slide 21 | Standards and Guidelines for Compliance (continued) | The Information Technology Infrastructure Library (ITIL) is a group of books developed by the United Kingdom’s Office of Government Commerce (OGC). ITIL has been around
since the 1980s and has improved and matured since then. The most recent version is known as ITIL version three and was released in May 2007. In ITIL version three, “best practice” was replaced with “good practice.” A good practice is a proven, generally accepted practice, but is not required in every organization. However, good practices are implemented whenever possible. ITIL recommends the use of several frameworks as good practices. Two of the frameworks recommended by ITIL are the Control Objectives for IT (COBIT) and the Capability Maturity Model Integration (CMMI). ITIL version three Core is a collection of five books published by the United Kingdom’s Office of Government Commerce (OGC). The books focus on the ITIL Core, or the ITIL life cycle, and include the areas of Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement. Next slide |
| Slide 22 | Standards and Guidelines for Compliance (continued) | The Capability Maturity Model Integration (CMMI) is a process improvement approach to management that uses different levels to determine the maturity of a process. CMMI can be used in three primary areas of interest – product and service development, service establishment, management, and delivery, and product and service acquisition.
There are six levels of the CMMI which are also referred to as CMMI characteristics. The levels are used to determine the effectiveness of security within an organization. The following list identifies the levels and how they can be used to evaluate security: Level 0: Nonexistent—Security controls are not in place. There is no recognition of a need for security. Level 1: initial—This is sometimes referred to as ad hoc, or as needed. Risks are considered after a threat exploits vulnerability. Level 2: Managed—The organization recognizes risks. The organization recognizes a need for security. However, it performs controls out of intuition rather than from detailed plans. Responses are reactive. Level 3: Defined—The organization has security policies in place. It has some security awareness. Action is proactive. Level 4: Quantitatively Managed—The organization measures and controls security processes and has formal policies and standards in place. The organization also performs regular risk assessments and vulnerability assessments. Level 5: Optimized—The organization has formal security processes in place throughout the organization and monitors security on a continuous basis. The focus is on process improvement. Level 5 shows the highest level of maturity. Next slide |
| Slide 23 | Standards and Guidelines for Compliance (continued) | The Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP) is a risk management process. DIACAP is designed for IT systems used by the U.S. DoD, and is fully documented in DoD instruction eight-five-one-zero-point-one. DIACAP details specific phases that IT systems must go through. The core goal is to ensure systems are in compliance with requirements.
These phases include: •Phase 1: initiate and Plan—Register the system with DIACAP. •Phase 2: implement and Validate—Implement the IA plan. •Phase 3: Make Certification and Accreditation Decisions—Analyze residual risk. •Phase 4: Maintain ATO/Review—Maintain the system. •Phase 5: Decommission—Decommission the system (ISC)Two offers a civilian-based certification that can be used for DoD eight-five-one-zero-point-one., which is called the Certification and Accreditation Professional (CAP). Next slide |
| Slide 24 | Check Your Understanding | |
| Slide 25 | Summary | We have reached the end of this lesson. Let’s take a look at what we’ve covered.
We began with an introduction to compliance. We learned that many laws and regulations have been created regarding the protection of IT systems, and that compliance simply means that organizations are required to comply with these laws and regulations. Also, many organizations have their own internal programs in place to ensure compliance. Our next topic was U.S.-Based Laws Related to Compliance. Here, we examined the Federal Information Security Act (FISMA), the Health Insurance Portability and Accounting Act (HIPAA), the Gramm-Leach Blily Act (GLBA), the Sarbanes Oxley Act (SOX), the Family Education Rights and Privacy Act (FERPA), and the Children’s Internet Protection Act (CIPA). We then moved on to discuss regulations related to compliance. We briefly looked at several U.S. entities created in response to regulations around IT security. These included the Securities and Exchange Commission (SEC), the Federal Deposit Insurance Company (FDIC), the Department of Homeland Security (DHS), the Federal Trade Commission (FTC), the State Attorney General (AG), and the U.S. General (U.S. AG). Next, we reviewed organizational policies for compliance. We learned about the concepts of fiduciary responsibility, due diligence, and due care in this section. Our final topic was standards and guidelines for compliance. Here, we examined several standards and guidelines that can be used to assess and improve security, some optional and some mandatory. This completes this lesson. |
|
CIS527 Week #2_ P2 IT Risk Management – Developing a Risk Management Plan |
||
| Slide # | Slide Title | Slide Narration |
| Slide 1 | Introduction | Welcome to IT Risk Management.
In this lesson we will discuss developing a risk management plan. Next slide |
| Slide 2 | Topics | The following topics will be covered in this lesson:
Objectives of the risk management plan, scope of the risk management plan, assigning responsibilities, describing procedures and schedules for accomplishments, reporting requirements, the plan of action and milestones, and charting the progress of the risk management plan. Next slide |
| Slide 3 | Objectives of a Risk Management Plan | One of the important first steps for a risk management plan is to establish the objectives. The objectives become the road map for the plan, and need to be established as early as possible.
The objectives identify the goals of the project. These objectives outline what components should be included in the plan. Some common objectives for a risk management plan include a list of threats, a list of vulnerabilities, costs associated with risks, a list of recommendations to reduce the risks, costs associated with recommendations, a cost-benefit analysis, and one or more reports. Once top managers receive a report, they will be able to make decisions based on the data. The next phase of the risk management plan covers implementation of the plan, which includes the tasks of documenting management decisions, documenting and tracking implementation of accepted recommendations, and including a POAM. Two examples display how the creation of a risk management plan for actual projects can be accomplished. The first is the Web site for a company known as Acme Widgets – the site is used to sell widgets. The Web site is hosted on a Web server owned and controlled by the company. The Web site was recently attacked and went down for two days, and the company lost a large amount of money. Additionally, the company lost the goodwill of many customers. This was the second major outage for this Web site in the past two months. There have been many outages in the past three years. The second example is HIPAA compliance for a company that was recently purchased, known as Mini Acme. Mini Acme has not complied with HIPAA regulations, and management wants to ensure that issues are corrected as soon as possible. Next slide |
| Slide 4 | Objectives of a Risk Management Plan (continued) | The Acme Widgets site suffered outages. These outages resulted in unacceptable losses. The Mini Acme company failed an inspection of records that revealed some health information was not protected. The company was not in compliance with HIPAA, which could result in fines and jail time. The losses in both scenarios could have been prevented if the risks had been managed adequately.
Next slide |
| Slide 5 | Objectives of a Risk Management Plan (continued) | The objectives of the risk management plan include:
Identify threats; Identify vulnerabilities; Assign responsibilities; Identify the cost of the outage; Provide recommendations; Identify the costs of recommendations; Provide a cost-benefit analysis; Document accepted recommendations; Track implementation; and Create a POAM Next slide |
| Slide 6 | Scope of a Risk Management Plan | In addition to the objectives, it is also important to identify the scope of a risk management plan. The scope identifies the boundaries of the plan. The boundaries could include the entire organization or a single system. Without defined boundaries, the plan could get out of control.
A common problem with many projects is scope creep. Scope creep comes from uncontrolled changes. As the changes creep in, the scope of the project grows. For example, we can consider the HIPAA compliance example. The objective of the project is to bring Mini Acme into compliance with HIPAA. If we discovered unprotected data that is not health-related, such as financial, research data, or user data, we would identify this as threats and vulnerabilities. We would then have to calculate the costs of the data loss, which would cost more time and money. The key is to control the changes. A risk management project manager should work with stakeholders to identify what changes are acceptable. Next slide |
| Slide 7 | Scope of a Risk Management Plan, continued | A stakeholder is a person on a project who has a vested interest in seeing it succeed. A stakeholder is also named as a figurehead without a stake in the project.
A project without a true stakeholder may complete unsuccessfully due to lack of stakeholder support. We can consider the unprotected data from the HIPAA example. If a risk management team discovered unprotected financial data, they could present their concerns to the project manager. The project manager would evaluate the data and determine whether or not it was HIPAA-related. This information would be passed on to the stakeholder. We can consider the Web site example. The purpose of the risk management plan is to secure the Acme Widgets Web site. The scope of the plan includes: Security of the server hosting the Web site; Security of the Web site itself; Availability of the Web site, and Integrity of the Web site’s data. The stakeholders for this project are the vice president of sales and the IT support department head. Written approval is required for any activities outside the scope of this plan. Next slide |
| Slide 8 | Check Your Understanding | |
| Slide 9 | Assigning Responsibilities | The risk management plan specifies responsibilities. This provides accountability. If responsibilities are not assigned, tasks can easily be missed. Responsibilities are typically assigned to the:
Risk management PM; Stakeholders; Departments or department heads, and Executive officers, such as a CIO or CFO. It is important to ensure that any entity that is assigned a responsibility has the authority to complete the task. This is especially important for the PM. We must consider that team members may not work directly for the PM. Their tasking can compete with the goals of the project. If the PM doesn’t have the authority to resolve these problems, they can affect the success of the project. The PM is responsible for the overall success of the plan. Some of the common tasks of a PM include: Ensuring costs and quality are controlled and maintained;; Ensuring the project stays on schedule and within scope; Tracking and managing project issues; Ensuring information is available to stakeholders; Raising issues and problems as they emerge ; and Ensuring others are aware of their responsibilities and deadlines. Next slide |
| Slide 10 | Assigning Responsibilities (continued) | Individual responsibilities could be assigned for the following activities:
Risk identification; Risk assessment ; Risk mitigation steps; and Reporting Next slide |
| Slide 11 | Assigning Responsibilities (continued) | Using an affinity diagram can help with the assigning of tasks. An affinity diagram is created in four basic steps:
Identify the problem; Generate ideas; Gather ideas into related groups, and Create the affinity diagram. Next slide |
| Slide 12 | Describing Procedures and Schedules for Accomplishment | The next part of the risk management plan after the project has started includes a recommended solution for any threat or vulnerability to the project, with a goal of mitigating
the associated risk. Although the solution may be summarized in a short phrase, the solution itself will often include multiple steps. For example, an existing firewall may expose a server to multiple vulnerabilities. The solution could be to upgrade the firewall. This upgrade would be broken down into several steps, such as: Determining what traffic should be allowed; Creating a firewall policy; Purchasing and installing a firewall; Configuring the firewall; and Testing and implementing the firewall Next slide |
| Slide 13 | Reporting Requirements | After the data is collected on the risks and recommendations, the report needs to be written and presented to management. The primary purpose of the report is to allow management to decide on what recommendations to use.
There are four major categories of reporting requirements, which include: Present recommendations ; Document management response to recommendations; Document and track implementation of accepted recommendations; and Plan of action and milestones (POAM) Next slide |
| Slide 14 | Reporting Requirements (continued) | This report should include the following information:
Findings; Recommendation cost and time frame; and Cost-benefit analysis Next slide |
| Slide 15 | Reporting Requirements (continued) | The findings list the facts. We must remember that losses from risks occur when a threat exposes a vulnerability. Risk management findings need to include threats, vulnerabilities,
and potential losses. These are described as cause, criteria, and effect. The cause is the threat. For example, an attacker may try to launch a DoS attack. In this case, the threat is the attacker. The criteria identifies what would need to be in place in order for the threat to succeed. These are the vulnerabilities. For example, a server will be susceptible to a DoS attack if the following criteria are met: Inadequate manpower; Unmanaged firewall; No intrusion detection system; Operating system not updated; and Antivirus software not installed or updated. The effect is often an outage of some type. For example, the effect on a Web site could be that the Web site is not reachable any more. Next slide |
| Slide 16 | Reporting Requirements (continued) | In addition to the findings, the report will include a list of recommendations. These recommendations will address the potential causes and criteria that can result in the
negative effect. Each item should include the cost required to implement it. For example, the following partial list of recommendations could be included in the Web site risk management plan: Upgrade the firewall; Purchase and install IDS; Create plan to keep system updated; Install antivirus software on server; Purchase and install the software; Upgrade antivirus software; and Add one IT administrator Next slide |
| Slide 17 | Reporting Requirements (continued) | The Cost-Benefit Analysis (CBA) was presented earlier in this course. It is a process used to determine how to manage a risk. If the benefits of a control outweigh the costs, the control can be implemented to reduce the risk. If the costs are greater than the benefits, the risk can be accepted.
In this context, the CBA should include two items: Cost of the recommendation; and Projected benefits An accurate CBA allows management to make intelligent decisions. Next slide |
| Slide 18 | Reporting Requirements (continued) | After presenting the managers with the recommendations, they will decide what to do. They can accept, defer or modify recommendations.
It’s important to document the decisions made by management. As time passes, the decisions can become distorted, thus the critical need for them to be documented formally. Without documentation, the result may be uncomfortable finger-pointing. Reports are often summarized in risk statements. You use risk statements to communicate a risk and the resulting impact. They are often written using “if/then” statements. The “if” part of the statement identifies the elements of the risk. Next slide |
| Slide 19 | Plan of Action and Milestones | A plan of action and milestones (POAM) is a document used to track progress. POAMs are used in many types of project management. A POAM is used to assign responsibility and to allow management follow-up. The elements of the POAM include:
Assignment of responsibility ; and Management follow-up POAMs are also useful for any audited projects. For example, HIPAA requires regular reviews. The POAM can show the progress the company has made to become compliant. If a company is not one hundred percent compliant but can show it has made significant progress, fines may be waived or reduced. If a company doesn’t have any documentation indicating progress, maximum fines could be assessed. There are no specific formats required for a POAM. One company may create a POAM in a Microsoft Excel spreadsheet with fifteen columns for every item. Another company may create a POAM in a Microsoft Word document. The POAM is a living document. Different tools can be used to assist in tracking the POAM. These tools don’t replace the POAM but instead provide graphical representations of the POAM and its progress. These tools include a milestone plan chart, a Gantt chart and a critical path chart. Next slide |
| Slide 20 | Charting the Progress of a Risk Management Plan | A milestone plan chart is a simple graphical representation of major milestones. It shows the major milestones laid out in a graphical format. If there are any dependencies between
the milestones, this chart will show them. A Gantt chart is a chart that that shows a project schedule. Gantt charts are commonly used in project management. The primary difference between the milestone plan chart and the Gantt chart is that the Gantt chart shows more detail. Most project management software automates the creation of Gantt charts. Additionally, as the tasks in the project are completed, they will automatically indicate completion in the chart. Before computers were so popular, these charts would be filled in by hand. Some tasks within a project can be delayed without impacting the project finish date. Other tasks must be completed on time. A critical path chart shows a list of project tasks that must be completed on time. If any task in the path is delayed, the overall project will be delayed. Next slide. |
| Slide 21 | Check Your Understanding | |
| Slide 22 | Summary | We have reached the end of this lesson. Let’s take a look at what we’ve covered.
First, we considered the objectives of the risk management plan, where we looked at the role of objectives, listed out the objectives., and introduced two example scenarios – Acme Widgets’ website issue, and Mini Acme’s HIPAA non-compliance issue. We then moved on to discuss the scope of the risk management plan. Here, we identified the boundaries of a plan, looked at the hazards of scope creep, and defined stakeholders. In the next topic, assigning responsibilities, we looked at the role of the Project Manager and listed the PM’s responsibilities in an effective risk management plan. We also looked at the use of an affinity diagram. We next described procedures and schedules for accomplishments. We used an example of upgrading a firewall to show how to break a recommended solution down into a series of action steps. We then considered the criticality of the reporting requirements. Here, we looked at the four major requirements – present recommendations; document management response to recommendations; document and track implementation of accepted recommendations; and plan of action and milestones (POAM). We next took a closer look at the plan of action and milestones, discussing the following two elements of a POAM – Assignment of responsibility and management follow-up. Finally, we looked at charting the progress of a Risk Management Plan. We looked at several key tracking tools for POAMs in this section – the Milestone chart, the Gantt chart, and the Critical Path chart. This completes this lesson. |
