Learning Objective(s) and Key Concepts
Learning Objective(s):
- Describe the components of and approaches to effective risk management in an organization.
Key Concepts:
- Fundamental components of a risk management plan
- Objectives, boundaries, and scope of a risk management plan
- Importance of assigning responsibilities in a risk management plan
- Significance of planning, scheduling, documentation, and reporting
- Steps of the NIST Risk Management Framework
Objectives of a Risk Management Plan
Implementing a Risk Management Plan
Objectives Examples (1 of 3)
Objectives Examples (2 of 3)
Objectives Examples (3 of 3)
Scope of a Risk Management Plan
Scope Examples
Website
Creating a risk management plan to secure a website:
- Scope includes:
  - Security of the server hosting the website
  - Security of the website itself
  - Availability of the website
  - Integrity of the website’s data
- Stakeholders include:
  - Vice president of sales
  - Information technology (IT) support department head
- Written approval is required for all activities outside the scope of this plan
HIPAA Compliance
Creating a risk management plan to ensure HIPAA compliance:
- Scope includes:
  - Identifying all health data
  - Storing health data
  - Using health data
  - Transmitting health data
- Stakeholders include:
  - Chief Information Officer (CIO)
  - Human resources (HR) department head
- Written approval is required for all activities outside the scope of this plan
Assigning Responsibilities
Responsibilities Examples
Website
The IT department is responsible for providing:
- A list of threats
- A list of vulnerabilities
- A list of recommended solutions
- Costs for each of the recommended solutions
The sales department is responsible for providing:
- Direct costs of all outages that last 15 minutes or longer
- Indirect costs of all outages that last 15 minutes or longer
The CFO will:
- Validate the data provided by the IT and sales departments
- Complete a CBA
HIPAA Compliance
The HR department is responsible for providing:
- A list of all health information sources
- Inspection results for all data sources regarding HIPAA compliance
- How the data is stored, protected, and transmitted
- A list of existing and needed HIPAA policies
- A list of recommended solutions to ensure HIPAA compliance
- Costs for each of the recommended solutions
- Costs associated with noncompliance
The IT department is responsible for providing:
- Identification of access controls used for data
- A list of recommended solutions to ensure compliance with HIPAA
- Costs for each of the recommended solutions
The CFO will:
- Validate the data provided by the IT and sales departments
- Complete a CBA
Using Affinity Diagrams
FIGURE 4-1 Affinity diagram.
Describing Procedures and Schedules for Accomplishment
Procedures Examples
Website
Mitigating the risk of denial of service (DoS) attacks:
- Recommendation — Upgrade the firewall.
- Justification — The current firewall is a basic router; it does not provide advanced firewall capabilities.
- Procedures — The following steps can be used to upgrade to the new firewall:
  - Start firewall logging
  - Create a firewall policy
  - Purchase a firewall appliance
  - Install the firewall
  - Configure the firewall
  - Test the firewall before going live
  - Bring the firewall online
HIPAA Compliance
Procedures for mitigating the risk of HIPAA noncompliance:
- Recommendation — Increase awareness of HIPAA.
- Justification — Make clear that noncompliance can result in fines totaling $25,000 a year for mistakes.
- Procedures — Use the following steps to increase awareness:
  - Require all employees to read and comply with HIPAA policies
  - Provide training to all employees on HIPAA compliance
Reporting Requirements
Presenting Recommendations
Findings (1 of 3)
Findings (2 of 3)
FIGURE 4-2 Website cause and effect diagram.
Findings (3 of 3)
FIGURE 4-3 HIPAA compliance cause and effect diagram.
Recommendation Cost and Time Frame
Each item should include the cost and time frame required to implement it.
Cost-Benefit Analysis (CBA)
A CBA should include two items:
- Cost of the recommendation, including any anticipated ongoing costs
- Projected benefits in terms of dollars
Example of a CBA for a website recommendation:
- Recommendation
- Cost of the recommendation
- Background
- Loss before recommendation
- Expected loss with recommendation
- Benefit of the recommendation
CBA = Loss before recommendation − Loss after recommendation − Cost of recommendation
Risk Statements
- Used to communicate a risk and the resulting impact
- Often written using “if/then”
- Should be matched to the scope and objectives of the project
Documenting Management Response to Recommendations
Documenting and Tracking Implementation of Accepted Recommendations
The documentation doesn’t need to be extensive; it could be a simple document listing the recommendation and the decision, for example:
- Recommendation to purchase antivirus software: Accepted. Software is to be purchased as soon as possible.
- Recommendation to hire an IT administrator: Deferred. The IT department needs to provide clearer justification for this. In the interim, the IT department is authorized to use overtime to ensure security requirements are met.
- Recommendation to purchase SS75 firewall: Modified. Two SS75 firewalls are to be purchased as soon as possible. These two firewalls will be configured as a DMZ.
Plan of Action and Milestones (POAM)
Charting the Progress of a Risk Management Plan (1 of 3)
The milestone plan chart lists only major milestones.
FIGURE 4-4 Milestone plan chart.
Charting the Progress of a Risk Management Plan (2 of 3)
A Gantt chart shows a full project schedule.
FIGURE 4-5 Gantt chart.
Charting the Progress of a Risk Management Plan (3 of 3)
The critical path chart identifies critical tasks to be managed.
FIGURE 4-6 Critical path chart.
Steps of the NIST Risk Management Framework (RMF) Seven-step process that combines security and risk management as part of a systems development life cycle:
Summary
- Fundamental components of a risk management plan
- Objectives, boundaries, and scope of a risk management plan
- Importance of assigning responsibilities in a risk management plan
- Significance of planning, scheduling, documentation, and reporting
- Steps of the NIST Risk Management Framework