
Illinois Institute of Technology

Project Part 3

Risk Mitigation Plan

Ala Alsharbini

ITMS-484-02

Professor: Marwan Omar

March 13, 2023

Project Part 3: Risk Mitigation Plan

In today's digital age, the protection of sensitive information is a top priority for all organizations. Health Network, a large healthcare provider, is no exception. With the increasing number of cybersecurity threats, senior management at Health Network has allocated funds to support a risk mitigation plan. As a risk manager, my task is to create a plan that addresses the identified threats described in the project scenario and any new threats discovered during the risk assessment. The importance of data security and privacy cannot be overstated. For organizations like Health Network, a data breach could result in devastating consequences, including financial losses, damage to reputation, and legal liability. Therefore, it is essential for organizations to have a risk mitigation plan in place to proactively identify and address potential threats to their data.

Senior management at Health Network has allocated funds to support a risk mitigation plan, and they have requested that the risk manager and team develop a plan in response to the deliverables produced in earlier phases of the project. The risk mitigation plan should address the identified threats described in the scenario for this project, as well as any new threats that may have been discovered during the risk assessment.

The purpose of a risk mitigation plan is to identify, assess, and prioritize potential risks to an organization's information systems and to develop a plan to reduce or eliminate these risks. The plan's primary objective is to ensure the confidentiality, integrity, and availability of sensitive information, such as patient health records, medical research data, and financial information. It is essential to have a risk mitigation plan in place to minimize the impact of cyber threats and protect the organization's reputation.

The first step in developing a risk mitigation plan is to identify the threats and vulnerabilities that could harm the organization's information systems. The project scenario identifies several threats, including phishing attacks, ransomware attacks, and social engineering attacks. In addition, the risk assessment has revealed new threats, such as insider threats, supply chain attacks, and zero-day vulnerabilities.

The next step is to prioritize the risks based on their potential impact on the organization and the likelihood of their occurrence. Once the risks have been prioritized, the risk mitigation plan can be developed; it should include measures to prevent, detect, and respond to each risk. For example, preventive measures may include implementing access controls, firewalls, and antivirus software, while detective measures may include intrusion detection systems and security monitoring. Response measures may include disaster recovery and business continuity plans, which would enable the organization to recover quickly from a security incident.

The risk mitigation plan should identify and prioritize the threats based on their likelihood and potential impact on the organization. Once the threats are identified, the next step is to develop and implement controls to mitigate these risks. Controls can be administrative, technical, or physical, and they should be designed to prevent, detect, or respond to threats.

The risk mitigation plan should also identify the key roles and responsibilities of individuals and departments within the organization as they pertain to risk assessments. This includes the risk management team, the IT department, executive leadership, and all employees. Each department should have a clear understanding of its role in mitigating risks and protecting sensitive information. The risk mitigation plan should also include measures to mitigate any new threats that may be discovered during the risk assessment. This is an ongoing process that requires continuous monitoring and assessment of the organization's security posture.

In addition to identifying threats and developing controls, the risk mitigation plan should also include a proposed schedule for the risk assessment process. The schedule should include the frequency of risk assessments, the individuals responsible for conducting the assessments, and the timeframe for implementing controls.

Finally, it is important to ensure that the risk mitigation plan is regularly reviewed and updated to reflect new threats and changes to the organization's information systems. Risk mitigation is an ongoing process that requires continuous monitoring and adaptation to new threats and vulnerabilities.

In conclusion, the risk mitigation plan is essential for protecting sensitive information and ensuring the organization's overall cybersecurity. The plan should address the identified threats in the project scenario and any new threats discovered during the risk assessment. It should prioritize risks based on their likelihood and potential impact, develop controls to mitigate risks, identify key roles and responsibilities, propose a schedule for risk assessments, and be regularly reviewed and updated. With a comprehensive risk mitigation plan in place, Health Network can minimize the impact of cyber threats and maintain the confidentiality, integrity, and availability of sensitive information.
