
IS 3110

Risk Management Plan
10/14/2013

TABLE OF CONTENTS
Introduction
Purpose
Scope
Risk Management Procedure
Risk Planning
Compliance Laws and Regulations
Roles and Responsibilities
Action Plan
Risk Monitoring
Risk Reporting
Tools and Practices
Risk Management Plan Approval

Risk Management Plan Version 1.1

Introduction: Senior management at Defense Logistics Information Service has decided that the risk management plan for the organization is out of date. Because of the importance of risk management, a new plan needs to be developed. This new risk management plan will not only minimize the amount of risk for future endeavors, but will also be in compliance with regulations such as the Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST), Department of Defense (DOD), Department of Homeland Security (DHS), Control Objectives for Information and Related Technology (COBIT), and Defense Information Assurance Certification and Accreditation Process (DIACAP). The risk management plan is for the organization's use only.

Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. The ISCM strategy and program support ongoing assurance that planned and implemented security controls are aligned with organizational risk tolerance, as well as the ability to provide the information needed to respond to risk in a timely manner. Organizational security status is determined using metrics established by the organization to best convey the security posture of an organization's information and information systems, along with organizational resilience given known threat information. This necessitates:
• Maintaining situational awareness of all systems across the organization;
• Maintaining an understanding of threats and threat activities;
• Assessing all security controls;
• Collecting, correlating, and analyzing security-related information;
• Providing actionable communication of security status across all tiers of the organization; and
• Active management of risk by organizational officials.
Security control effectiveness is measured by correctness of implementation and by how adequately the implemented controls meet organizational needs in accordance with current risk tolerance.

Purpose: The purpose of this guideline is to assist organizations in the development of an ISCM strategy and the implementation of an ISCM program that provides awareness of threats and vulnerabilities, visibility into organizational assets, and the effectiveness of deployed security controls. This publication specifically addresses assessment and analysis of security control effectiveness and of organizational security status in accordance with organizational risk tolerance.

Scope: This risk management plan is for the organization's use only and covers its network, including remote access. The scope of this project will include the planning, scheduling, budgeting, analyzing, monitoring, maintaining, reporting, controlling, and consultation needed to perform an in-depth risk assessment and the research to determine which compliance laws this organization must follow. All policies and procedures will support or be in compliance with the FISMA, COBIT, DIACAP, and PCI standards. Security features such as controls, auditing logs, applying patches, etc., will be implemented, monitored, reported, and documented. Implementing and executing these policies and procedures in order to mitigate these risks is a critical part of this project's process. A cost-benefit analysis should also be conducted prior to the planning phase of this project. Any sources outside the scope of this risk management plan may cause the network infrastructure to fail or make it a high-risk structure, because unprotected outside sources that interact with other outside sources allow attackers to infiltrate the system and steal important files.

Risk Management Procedure: The risk management procedure will start by obtaining senior management support and involvement, designating focal points, defining procedures, involving business and technical experts as consultants, creating a schedule with milestones and deadlines, and documenting results. This procedure will identify risks, vulnerabilities, threats, costs, and the likelihood of those risks materializing; identify and rank critical issues and operations; estimate potential damage; identify cost-effective mitigating controls; and document assessment findings. We must identify all the risks and vulnerabilities associated with this organization and create viable solutions that may mitigate these risks as quickly and as inexpensively as possible without compromising the integrity and confidentiality of any business assets.

Risk Analysis: Risks may vary greatly, from natural disasters, financial hardships, hard deadlines not being met, software vulnerabilities, attackers, broken or damaged equipment/hardware including workstations, loss of connectivity, and operational errors, to human factors such as employees calling in sick. The severity of the loss/impact will depend greatly on the risk associated with it. Network and server crashes, not updating the operating systems, not having any antivirus software, no IDS, running unneeded services and protocols, open ports on the firewall, buffer overflow attacks, SYN flood attacks, and not having any backups of business assets such as files and applications are some of the risks that should be considered critical to an organization. Other risks such as natural disasters and accidental fires/floods should also be accommodated accordingly, to include a backup and disaster recovery plan.

Threat | Vulnerability | Harmful event/loss | Mitigation | Probability of occurrence
Users | Lack of access controls | Loss of production data and confidentiality | Implement both authentication and access controls | High
Workstations/equipment failure | Data not backed up | Loss of data availability (impact of loss determined by value of data) | Back up data regularly, keep copies of backups offsite | Medium
Malware and viruses | Lack of antivirus software, outdated definitions | Infection (impact of loss determined by payload of malware) | Install antivirus software, update definitions at least weekly | Medium
Denial of service (DoS) or distributed denial of service (DDoS) attack | Public-facing servers not protected with firewalls and intrusion detection systems | Loss of service availability | Implement firewalls, implement intrusion detection systems | High
Stolen data | Access controls not properly implemented | Loss of confidentiality of data | Implement both authentication and access controls, use principle of "need to know" | Medium
Social engineering | Lack of security awareness | Loss depends on the goals and success of attacker | Provide training, raise awareness through posters, occasional e-mails, and mini-presentations | Low
Fire and flood | Lack of fire detection and suppression equipment | Can be total loss of business | Install fire detection and suppression equipment, purchase insurance | Low
Hurricane, earthquake, tornado | Location | Can be total loss of business | Purchase insurance, designate alternate backup sites | Low

Compliance Laws and Regulation: Federal Information Security Management Act (FISMA) compliance is required for federal agencies to protect their important information. Other organizations also publish standards for risk management projects, including the National Institute of Standards and Technology (NIST), Department of Defense (DOD), Defense Information Assurance Certification and Accreditation Process (DIACAP), and Control Objectives for Information and Related Technology (COBIT). DOD regulatory compliance is required, and Department of Homeland Security (DHS) compliance is also required for the protection of the United States against terrorists. The DLIS security and safety risk management program also encompasses many operational departments and services throughout the organization, including the buildings and grounds, disaster preparation and management, employee health, accident reporting and investigation, personnel, budget, information technology, and human resources.

Roles and Responsibilities:
• Head of Agency. The agency head is likely to participate in the organization's ISCM program within the context of the risk executive (function).
• Risk Executive (Function). The risk executive (function) oversees the organization's ISCM strategy and program, provides an organization-wide forum to consider all sources of risk, promotes collaboration and cooperation among organizational entities, facilitates sharing of security-related information, and ensures that risk information is considered for continuous monitoring decisions. The risk executive (function) reviews status reports from the ISCM process as input to information security risk posture and risk tolerance decisions, and provides input to mission/business process and information systems tier entities on ISCM strategy and requirements.
• Chief Information Officer (CIO). The CIO leads the organization's ISCM program. The CIO ensures that an effective ISCM program is established and implemented for the organization by establishing expectations and requirements for the organization's ISCM program; working closely with authorizing officials to provide funding, personnel, and other resources to support ISCM; and maintaining high-level communications and working group relationships among organizational entities.
• Senior Information Security Officer (SISO). The SISO establishes, implements, and maintains the organization's ISCM program; develops organizational program guidance (i.e., policies/procedures) for continuous monitoring of the security program and information systems; develops configuration management guidance for the organization; consolidates and analyzes POA&Ms to determine organizational security weaknesses and deficiencies; acquires or develops and maintains automated tools to support ISCM and ongoing authorizations; provides training on the organization's ISCM program and process; and provides support to information owners/information system owners and common control providers on how to implement ISCM for their information systems.

• Authorizing Official (AO). The AO ensures the security posture of the information system is maintained, reviews security status reports and critical security documents, and determines if the risk to the organization from operation of the information system remains acceptable. The AO also determines whether significant information system changes require reauthorization actions and reauthorizes the information system when required. The AO assumes responsibility for ensuring the organization's ISCM program is applied with respect to a given information system.
• Information System Owner (ISO)/Information Owner/Steward. The ISO establishes processes and procedures in support of system-level implementation of the organization's ISCM program. This includes developing and documenting an ISCM strategy for the information system; participating in the organization's configuration management process; establishing and maintaining an inventory of components associated with the information system; conducting security impact analyses on changes to the information system; conducting, or ensuring conduct of, assessment of security controls according to the ISCM strategy; conducting remediation activities as necessary to maintain system authorization; revising the system-level security control monitoring process as required; reviewing ISCM reports from common control providers to verify that the common controls continue to provide adequate protection for the information system; preparing and submitting security status reports in accordance with organizational policy and procedures; and updating critical security documents based on the results of ISCM.
• Information System Security Officer (ISSO). The ISSO supports the organization's ISCM program by assisting the ISO in completing ISCM responsibilities and by participating in the configuration management process.
• Common Control Provider. The common control provider establishes processes and procedures in support of ongoing monitoring of common controls. The common control provider develops and documents an ISCM strategy for assigned common controls; participates in the organization's configuration management process; establishes and maintains an inventory of components associated with the common controls; conducts security impact analyses on changes that affect the common controls; ensures security controls are assessed according to the ISCM strategy; conducts remediation activities as necessary to maintain common control authorization; updates/revises the common security control monitoring process as required; updates critical security documents as changes occur; prepares and submits security status reports in accordance with organizational policy/procedures; and distributes critical security documents to individual information owners/information system owners, authorizing officials, and other senior leaders in accordance with organizational policy/procedures.
• Security Control Assessor. The security control assessor provides input into the types of security-related information gathered as part of ISCM and assesses information system or program management security controls for the organization's ISCM program. The security control assessor develops a security assessment plan for each security control; submits the security assessment plan for approval prior to conducting assessments; conducts assessments of security controls as defined in the security assessment plan; updates the security assessment report as changes occur during ISCM; and updates/revises the security assessment plan as needed.

Organizations may define other roles (e.g., information system administrator, ISCM program manager) as needed to support the ISCM process.

• Provide input to the development of the organizational ISCM strategy, including establishment of metrics, policies on assessment and monitoring frequencies, the deployment of automation tools and how those tools interface with one another in support of the ISCM strategy, and provisions for ensuring sufficient depth and coverage when sampling methodologies are utilized.
• Review monitoring results (security-related information) to determine security status in accordance with organizational policy and definitions.
• Make a determination as to whether or not current risk is within organizational risk tolerance levels.
• Take steps to respond to risk as needed (e.g., request new or revised metrics, additional or revised assessments, modifications to existing common or PM security controls, or additional controls) based on the results of ongoing monitoring activities and assessment of risk.
• Review monitoring results to determine if organizational plans and policies should be adjusted or updated.
• Review new or modified legislation, directives, policies, and procedures for any changes to security requirements.
• Review information on new or emerging threats as evidenced by threat activities present in monitoring results, US-CERT reports, classified and unclassified threat briefs, interagency sharing, and other information available through trusted sources.
• Provide input to the development and implementation of the organization-wide ISCM strategy along with development and implementation of the system-level ISCM strategy.
• Analyze potential security impact to organization and mission/business process functions resulting from changes to information systems and their environments of operation, along with the security impact to the enterprise architecture resulting from the addition or removal of information systems.
• Review monitoring results to identify new information on vulnerabilities, drawing on threat modeling (asset- and attack-based) and external government sources.
• Compile and correlate Tier 3 data into security-related information of use at Tiers 1 and 2.
• Support planning and implementation of security controls.
• Assess ongoing security control effectiveness.
• Determine the security impact of changes to the information system and its environment of operation, including changes associated with commissioning or decommissioning the system.
• Update relevant security documentation.

Roles and responsibilities provided by the National Institute of Standards and Technology (NIST) Special Publication 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.

• Report the security status of the information system, including the data needed to inform Tiers 1 and 2 metrics.
• Review the reported security status of the information system to determine whether the risk to the system and the organization remains within organizational risk tolerances.
• Take steps to respond to risk as needed (e.g., request additional or revised assessments, modify existing security controls, implement additional security controls, accept risk, etc.) based on the results of ongoing monitoring activities.
• Provide ongoing input to the security plan, security assessment report, and plan of action and milestones based on the results of the ISCM process.

Risk Management Planning Process: The Defense Logistics Information Services team will provide detailed documentation that includes mitigation techniques explaining the risks that have been identified, analyzed, and essentially mitigated. Our team will also provide a mechanism for reaching consensus, support for needed controls, and a means for communicating and documenting results. Recommended solutions for the Defense Logistics Agency will be implemented, such as creating a firewall policy, which should include information about a warm site, and also determining what traffic should be allowed. This may include prototyping, testing, configuring, managing, and implementing the firewalls. We may also add network and host firewalls and an added intrusion detection system, along with other administrators for separation of duties. Regularly updating anti-virus software, the operating system, and applications will have a positive effect on this organization; therefore an update and backup policy, etc., will also be created for security purposes.

Each major risk (those falling in the Red and Yellow zones) will be assigned to a project team member for monitoring purposes to ensure that the risk will not "fall through the cracks". For each major risk, one of the following approaches will be selected to address it:
• Avoid – eliminate the threat by eliminating the cause
• Mitigate – identify ways to reduce the probability or the impact of the risk
• Accept – nothing will be done
• Transfer – make another party responsible for the risk (buy insurance, outsourcing, etc.)
For each risk that will be mitigated, the project team will identify ways to prevent the risk from occurring or reduce its impact or probability of occurring. This may include prototyping, adding tasks to the project schedule, adding resources, etc. For each major risk that is to be mitigated or that is accepted, a course of action will be outlined for the event that the risk does materialize, in order to minimize its impact.

RISK MONITORING, CONTROLLING, AND REPORTING: Vulnerabilities are weaknesses in the environment, system architecture, design, or implementation, or in the organizational policies, procedures, or practices. Normally, vulnerabilities are identified during the risk assessment or during security testing and evaluation. Vulnerabilities that are exploited may cause harm to the system or to information processed, transported, or stored by the system. More often than not, these vulnerabilities stem from the lack of (or an insufficiency in) the various practices and procedures that are critical to the secure operation of a system. In order to gain an understanding of the system vulnerabilities, the vulnerability analysis encompasses the following three security control areas:
• Management Controls are safeguards related to the management of security of the system and management of the risk for a system. Examples of management vulnerabilities include lack of risk management, life cycle activities, system security plans, certification and accreditation activities, and security control reviews, and the absence of some or all of the procedural documentation critical to an effectively applied and managed security program.
• Operational Controls comprise the operational procedures that are performed with respect to an information system, and the management or administration of hardware, software, facility, or personnel resources. Examples of operational vulnerabilities include the lack of (adequate) security awareness and training, lack of virus controls and procedures, personnel and physical security controls, and security auditing.
• Technical Controls are countermeasures related to the protection of hardware, software, data, system architecture, and modes of communication. Examples of technical vulnerabilities include insufficient security software controls and mechanisms, faulty operating system code, security monitoring and detection provisions, and lack of authentication and access controls.

In accordance with NIST Recommended Security Controls for Federal Information Systems, SP 800-53, major security certification activities include:
• Developing a detailed data collection questionnaire.
• Conducting site surveys and visits of representative installation sites.
• Interviewing users and maintainers of the system.
• Documenting findings.

After analyzing system management, operational, and technical security controls for the Defense Logistics Agency in its fielded environment, system vulnerabilities are then identified, mitigated, and then monitored and reported. The analysis of the Defense Logistics Agency's system vulnerabilities, the threats associated with them, and the probable impact of that vulnerability exploitation resulted in a risk rating for each missing or partially implemented control. The risk level was determined on the following two factors:

• Likelihood of Occurrence – The likelihood to which the threat can exploit vulnerabilities given the system environment and other mitigating controls that are in place.
• Impact – The impact of the threat exploiting the vulnerability in terms of loss of tangible assets or resources and impact on the organization's mission, reputation, or interest.

Exploitation of a vulnerability may result in one or more of the following types of damage to a system or its data:
• Loss of Availability/Denial of Service – Access to the system, specific system functionality, or data is not available (the asset is not destroyed).
• Loss of Integrity/Destruction and/or Modification – Total loss of the asset either by complete destruction of the asset or irreparable damage; or unauthorized change, repairable damage to the asset, or change to asset functionality.
• Loss of Confidentiality/Disclosure – Release of sensitive data to individuals or to the public who do not have a "need to know."

To determine overall risk levels, the analyst must first look at how important the availability, integrity, and confidentiality of the system are in relation to its ability to perform its function, and the types of damage that could be caused by the exercise of each threat-vulnerability pair.

The level of risk on a project will be tracked, monitored, and reported throughout the project lifecycle. A "Top 10 Risk List" will be maintained by the project team and will be reported as a component of the project status reporting process for this project. All project change requests will be analyzed for their possible impact to the project risks. Management will be notified of important changes to risk status as a component of the Executive Project Status Report.

Deliverable 1: Risk Assessment – a determination of what the company will need will be made, outlining what requires attention first and in what priority if multiple items are at risk or vulnerable. The risk assessment will also determine which threat or risk would cause the most expensive/harmful damage to the business and the time required to make those repairs.
Deliverable 2: Security Controls – will identify how the data and the resources housing the data will be protected from unauthorized entry.
Deliverable 3: Disaster Recovery Plan – will include back-up and redundancy; if something breaks/fails or is

damaged due to fire/floods and other natural disasters, this plan will outline how to repair it.

Security breaches in the network such as user/hacker threats may occur when passwords are stolen because unprotected wireless networks were used. Hackers may use packet sniffers and password-cracking software to gain access into the network and create denial of service attacks. Business and personal information may be compromised, network services could be interrupted, and the damage would depend on the type of attack suffered. Security may also be compromised by failing to change employee login information when an employee leaves or is terminated. Not all former employees may be disgruntled and vindictive, but it only takes one. Human resources should be contacted immediately for legal action in these circumstances. In either case, security breaches can lead to serious business damages: anything from network/server crashes to stolen information could result in loss of production and even loss of revenue.

Action Plan
• Create a regularly scheduled maintenance plan and include a backup and updating policy.
• Create a password policy for the organization to use complex passwords within the network and have employees change their passwords regularly.
• Create a firewall policy and determine what traffic should be allowed into the network, then set up these firewalls on network routers for an added layer of security.
• Use encryption when sending and receiving data across the network.
• Create redundancy on the servers by using multiple hard drives and RAID cards.
• An intrusion detection system should be put in place and monitored.
• Identify and correctly implement all system-level preventative security controls (technical, operational, and management controls) and auditing logs to monitor and prevent attacks.
• Create separation of duties.
• Create a contingency plan and a policy statement.
• Create testing, training, and exercising manuals.
• A fire suppression system should be made available in the building in the event of a fire.
• Have extra materials onsite along with 24-hour on-call IT support for emergency calls.
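The two rating factors (likelihood and impact), the Red/Yellow zones for major risks, the four response approaches, and the "Top 10 Risk List" above describe a small scoring procedure. The following is an added example of that procedure in Python; it is not part of the original plan or any DLIS material. It assumes a three-level Low/Medium/High scale for both factors, a rating of likelihood times impact, and Red/Yellow/Green zone thresholds, none of which the plan states numerically. The sample register is constructed from the plan's own threat table, with impact levels and owners assumed.

```python
"""Risk register scoring for the two-factor rating described in the plan.

Added example (not part of the original plan or DLIS material). Assumptions:
a three-level Low/Medium/High scale for both likelihood and impact, a rating
of likelihood x impact, and Red/Yellow/Green zone thresholds; the plan names
the factors and the zones but not the numeric scale. Sample entries below are
constructed from the plan's threat table; impact levels and owners are assumed.
"""
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}               # assumed scale
RESPONSES = ("Avoid", "Mitigate", "Accept", "Transfer")  # the plan's four approaches


@dataclass
class Risk:
    threat: str
    vulnerability: str
    likelihood: str        # Low / Medium / High
    impact: str            # Low / Medium / High
    response: str          # one of RESPONSES
    owner: str = ""        # team member assigned to monitor a major risk
    contingency: str = ""  # course of action if the risk materialises

    def score(self) -> int:
        """Rating = likelihood x impact (1..9)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def zone(self) -> str:
        """Red (6-9), Yellow (3-4) or Green (1-2); thresholds are assumed."""
        s = self.score()
        if s >= 6:
            return "Red"
        return "Yellow" if s >= 3 else "Green"

    def is_major(self) -> bool:
        """Major risks (Red and Yellow zones) need an owner and, if mitigated or accepted, a plan."""
        return self.zone() in ("Red", "Yellow")


def validate(risk: Risk) -> list:
    """Return the plan rules this entry violates; an empty list means compliant."""
    if risk.likelihood not in LEVELS or risk.impact not in LEVELS:
        return ["likelihood and impact must be Low, Medium or High"]
    problems = []
    if risk.response not in RESPONSES:
        problems.append(f"unknown response '{risk.response}'")
    if risk.is_major() and not risk.owner:
        problems.append("major risk has no assigned owner")
    if risk.is_major() and risk.response in ("Mitigate", "Accept") and not risk.contingency:
        problems.append("mitigated/accepted major risk has no course of action")
    return problems


def ranked(risks):
    """Highest rating first; ties broken by threat name so the report is stable."""
    return sorted(risks, key=lambda r: (-r.score(), r.threat))


def top_n(risks, n=10):
    """The 'Top 10 Risk List' reported with project status."""
    return ranked(risks)[:n]


def zone_counts(risks):
    counts = {"Red": 0, "Yellow": 0, "Green": 0}
    for r in risks:
        counts[r.zone()] += 1
    return counts


# Constructed sample register, built from the plan's threat table (impact and owner assumed).
SAMPLE_RISKS = [
    Risk("Users", "Lack of access controls", "High", "High", "Mitigate",
         owner="ISSO", contingency="Revoke sessions; restore affected data from backup"),
    Risk("Workstation/equipment failure", "Data not backed up", "Medium", "Medium",
         "Mitigate", owner="IT operations", contingency="Restore from offsite backup"),
    Risk("Malware and viruses", "Outdated or missing antivirus", "Medium", "Medium",
         "Mitigate", owner="IT operations", contingency="Isolate host, reimage, restore data"),
    Risk("DoS or DDoS attack", "Public-facing servers lack firewall and IDS", "High", "High",
         "Mitigate", owner="Network administrator", contingency="Filter at border, engage ISP"),
    Risk("Stolen data", "Access controls not properly implemented", "Medium", "High",
         "Mitigate", owner="ISSO", contingency="Notify AO; assess disclosure; rotate credentials"),
    Risk("Social engineering", "Lack of security awareness", "Low", "Medium", "Mitigate",
         owner="Training lead"),
    Risk("Fire and flood", "No fire detection and suppression", "Low", "High", "Transfer",
         owner="Facilities"),
    Risk("Hurricane, earthquake, tornado", "Location", "Low", "High", "Transfer",
         owner="Facilities"),
]


if __name__ == "__main__":
    for r in top_n(SAMPLE_RISKS):
        print(f"{r.score()} {r.zone():6} {r.response:8} {r.threat} ({r.vulnerability})")
    print("Zone counts:", zone_counts(SAMPLE_RISKS))
    for r in SAMPLE_RISKS:
        for p in validate(r):
            print("NON-COMPLIANT:", r.threat, "-", p)
```

The validate function encodes the two tracking rules stated in the planning process section: every Red or Yellow risk has a named owner, and every major risk that is mitigated or accepted has a course of action recorded before it can appear on the status report.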

Tools and Practices: A Risk Log will be maintained by the project manager and will be reviewed as a standing agenda item for project team meetings.

Disaster Recovery Plan: An information technology (IT) disaster recovery (DR) plan provides a structured approach for responding to unplanned incidents that threaten an IT infrastructure, which includes hardware, software, networks, processes, and people. Protecting the Defense Logistics Information Services' (DLIS) investment in its technology infrastructure, and protecting its ability to conduct business, are the key reasons for implementing an IT disaster recovery plan. The IT disaster recovery process identifies critical IT systems and networks, prioritizes their recovery time objectives, and outlines the steps needed to restart, reconfigure, and recover them. A comprehensive IT DR plan also includes all the relevant supplier contacts, sources of expertise for recovering disrupted systems, and a logical sequence of action steps to take for a smooth recovery. We will provide step-by-step procedures for recovering disrupted systems and networks and help them resume normal operations in a timely manner. The goal of these processes is to minimize any negative impacts, such as loss of revenue and loss of data and confidentiality, to DLIS operations.

• Develop the contingency planning policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan.
• Conduct the business impact analysis (BIA). The business impact analysis helps to identify and prioritize critical IT systems and components.
• Identify preventive controls. These are measures that reduce the effects of system disruptions and can increase system availability and reduce contingency life cycle costs.
• Develop recovery strategies. Thorough recovery strategies ensure that the system can be recovered quickly and effectively following a disruption.
• Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system.
• Plan testing, training, and exercising. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
• Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements.
• Formal backup and recovery policies and procedures.
• Backup and recovery warm sites.

Types of Teams
• Senior management support
• Project manager
• Technical team members
• IT interns for DLIS

In the Event of a Disaster: The actions taken in the initial minutes of an emergency are critical. A prompt warning to employees to evacuate, shelter, or lock down can save lives. A call for help to public emergency services that provides full and accurate information will help the dispatcher send the right responders and equipment. An employee trained to administer first aid or perform CPR can be lifesaving. Action by employees with knowledge of building and process systems can help control a leak and minimize damage to the facility and the environment.

Recovery Scenarios
• Minor damage scenarios
  • Employee theft or fraud: change employee login information when an employee leaves the company; monitor audit logs and surveillance for further potential employee threats; maintain a log of all data stored.
• Major damage scenarios
  • Hurricane and water damage: redundant servers, backups, and off-site backup facilities, purchased for ease of authorizing and launching the disaster recovery plan; have a temporary or mobile network site available for operations until the site can be brought back online.

Recovery Activities: DLIS will define roles and responsibilities, where to assemble employees if forced to evacuate the building, and lists of key contacts and their contact information.
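The employee theft or fraud scenario above pairs two controls: change (or disable) a departing employee's login, and monitor audit logs for activity from those accounts. The following is an added example of the monitoring half in Python; it is not part of the original plan or any DLIS material. It assumes a constructed single-line log format ("TIMESTAMP auth: user=NAME result=SUCCESS|FAILURE src=ADDRESS") and an HR-supplied mapping of username to termination time; both stand in for whatever the real authentication systems and HR process emit. It reports both failed and successful attempts after the termination time, and counts lines it cannot parse rather than dropping them silently, since a gap in the log is itself worth knowing about.

```python
"""Check authentication logs for activity by terminated accounts.

Added example (not part of the original plan or DLIS material). Assumes a
constructed log format 'TIMESTAMP auth: user=NAME result=SUCCESS|FAILURE
src=ADDRESS' and an HR-supplied {username: termination datetime} mapping.
"""
import re
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) "
    r"result=(?P<result>SUCCESS|FAILURE) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything that does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    return {"ts": ts, "user": m["user"], "result": m["result"], "src": m["src"]}


def audit(log_lines, terminations):
    """Flag authentication attempts by terminated accounts at or after termination.

    terminations: {username: datetime of termination}.
    Returns {'hits': [(user, iso_timestamp, src, result), ...],
             'disable': [usernames that still log in successfully],
             'unparsed': number of lines that did not match the format}.
    """
    hits, unparsed = [], 0
    for line in log_lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        cutoff = terminations.get(ev["user"])
        if cutoff is not None and ev["ts"] >= cutoff:
            hits.append((ev["user"], ev["ts"].isoformat(), ev["src"], ev["result"]))
    # An account that still authenticates successfully after termination was never disabled.
    disable = sorted({user for user, _, _, result in hits if result == "SUCCESS"})
    return {"hits": hits, "disable": disable, "unparsed": unparsed}


# Constructed sample input: five log lines plus one deliberately malformed line.
LOG_LINES = [
    "2013-10-10T09:02:11 auth: user=asmith result=SUCCESS src=10.1.1.20",
    "2013-10-11T17:45:03 auth: user=jdoe result=SUCCESS src=10.1.1.5",
    "2013-10-12T23:10:44 auth: user=jdoe result=FAILURE src=203.0.113.7",
    "2013-10-12T23:11:02 auth: user=jdoe result=SUCCESS src=203.0.113.7",
    "2013-10-13T08:00:00 auth: user=bwong result=SUCCESS src=10.1.1.31",
    "garbled line from a truncated file",
]
# Constructed HR data: jdoe left on 12 Oct, bwong leaves on 14 Oct (so his 13 Oct login is fine).
TERMINATIONS = {
    "jdoe": datetime(2013, 10, 12),
    "bwong": datetime(2013, 10, 14),
}


if __name__ == "__main__":
    result = audit(LOG_LINES, TERMINATIONS)
    for user, ts, src, outcome in result["hits"]:
        print(f"post-termination {outcome} for {user} at {ts} from {src}")
    print("accounts to disable now:", result["disable"])
    print("unparsed lines:", result["unparsed"])
```

Run daily against the previous day's authentication log with the current HR termination list; any entry in the "disable" list is an account the off-boarding step missed, and any hit at all is an event to hand to human resources as the scenario directs.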

Risk Management Plan Approval: The undersigned acknowledge they have reviewed the Risk Management Plan for the project. Changes to this Risk Management Plan will be coordinated with and approved by the undersigned or their designated representatives.

Signature:        Date:
Print Name:
Title:
Role:

Signature:        Date:
Print Name:
Title:
Role:

Signature:        Date:
Print Name:
Title:
Role:

Signature:        Date:
Print Name:
Title:
Role: