CHAPTER 4
Developing a Risk Management Plan
Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend
Learning Company. www.jblearning.com.
Learning Objective(s) and Key Concepts
Describe the components of and approaches to effective risk
management in an organization.
Fundamental components of a risk management plan
Objectives, boundaries, and scope of a risk management plan
Importance of assigning responsibilities in a risk management
plan
Significance of planning, scheduling, documentation, and
reporting
Steps of the NIST Risk Management Framework
Learning Objective(s)
Key Concepts
Objectives of a Risk Management Plan
A list of threats
A list of vulnerabilities
Costs associated with risks
A list of recommendations to reduce the risks
Costs associated with recommendations
A cost-benefit analysis (CBA)
One or more reports
Implementing a Risk Management Plan
Document management decisions
Document and track implementation of accepted
recommendations
Create a plan of action and milestones (POAM)
Objectives Examples
Identifying threats
Identifying vulnerabilities
Identifying assets
Assigning responsibilities
Objectives Examples (Cont.)
Identifying the costs of an outage/noncompliance
Providing recommendations
Identifying the costs of recommendations
Providing a CBA
Objectives Examples (Cont.)
Documenting accepted recommendations
Tracking implementation
Creating a POAM
Scope of a Risk Management Plan
Identify the boundaries of the plan
Avoid scope creep
Identify stakeholders
Create a change control board
Draft a scope statement
Scope Examples
Website
Creating a risk management plan to secure a website:
Scope includes:
Security of the server hosting the website
Security of the website itself
Availability of the website
Integrity of the website’s data
Stakeholders include:
Vice president of sales
Information technology (IT) support department head
Written approval is required for all activities outside the scope
of this plan
HIPAA Compliance
Creating a risk management plan to ensure HIPAA compliance:
Scope includes:
Identifying all health data
Storing health data
Using health data
Transmitting health data
Stakeholders include:
Chief Information Officer (CIO)
Human resources (HR) department head
Written approval is required for all activities outside the scope
of this plan
Assigning Responsibilities
Responsibilities can be assigned to:
Risk management PM
Stakeholders
Departments or department heads
Executive officers, such as the CIO or CFO
Individual responsibilities:
Identifying risk
Assessing risk
Identifying risk mitigation steps
Reporting
Responsibilities Examples
Website
The IT department is responsible for providing:
A list of threats
A list of vulnerabilities
A list of recommended solutions
Costs for each of the recommended solutions
The sales department is responsible for providing:
Direct costs of all outages that last 15 minutes or longer
Indirect costs of all outages that last 15 minutes or longer
The CFO will:
Validate the data provided by the IT and sales departments
Complete a CBA
HIPAA Compliance
The HR department is responsible for providing:
A list of all health information sources
Inspection results for all data sources regarding HIPAA compliance
How the data is stored, protected, and transmitted
A list of existing and needed HIPAA policies
A list of recommended solutions to ensure HIPAA compliance
Costs for each of the recommended solutions
Costs associated with noncompliance
The IT department is responsible for providing:
Identification of access controls used for data
A list of recommended solutions to ensure compliance with
HIPAA
Costs for each of the recommended solutions
The CFO will:
Validate the data provided by the IT and sales departments
Complete a CBA
Using Affinity Diagrams
Describing Procedures and Schedules for Accomplishment
Include a recommended solution for any threat or vulnerability,
with a goal of mitigating the associated risk
The solution will often include multiple steps
Describe each step in detail
Include a timeline for completion of each step
Remember:
Management is responsible for choosing the controls to implement
Management is responsible for residual risk
Procedures Examples
Website
Mitigating the risk of denial of service (DoS) attacks:
Recommendation—Upgrade the firewall.
Justification—The current firewall is a basic router; it does not
provide advanced firewall capabilities
Procedures—The following steps can be used to upgrade to the new firewall:
Start firewall logging
Create a firewall policy
Purchase a firewall appliance
Install the firewall
Configure the firewall
Test the firewall before going live
Bring the firewall online
HIPAA Compliance
Procedures for mitigating the risk of HIPAA noncompliance:
Recommendation—Increase awareness of HIPAA
Justification—Make clear that noncompliance can result in fines
totaling $25,000 a year for mistakes
Procedures—Use the following steps to increase awareness:
Require all employees to read and comply with HIPAA policies
Provide training to all employees on HIPAA compliance
Reporting Requirements
Present recommendations
Document management response to recommendations
Document and track implementation of accepted
recommendations
Create a plan of action and milestones (POAM)
Presenting Recommendations
Report should include:
Findings
Reports are often summarized in risk statements
Use risk statements to communicate a risk and the resulting
impact
Recommendation cost and time frame
Cost-benefit analysis (CBA)
Findings
Cause—The threat
Criteria—The criteria that will allow the threat to succeed
Inadequate manpower
Unmanaged firewall
No intrusion detection system (IDS)
Operating system not updated
Antivirus software not installed and updated
Effect—Often an outage of some type
Findings (Cont.)
Website cause and effect diagram
Findings (Cont.)
HIPAA compliance cause and effect diagram
Recommendation Cost and Time Frame
Each item should include the cost and timeframe required to
implement it
Example list of recommendations included in the website risk
management plan
Upgrade firewall
Purchase and install IDS
Create a plan to keep the system updated
Install antivirus software on server
Update antivirus software
Add one IT administrator
Cost-Benefit Analysis (CBA)
CBA should include two items:
Cost of the recommendation, including any anticipated ongoing
costs
Projected benefits in terms of dollars
Example of a CBA for a website recommendation:
Recommendation
Cost of the recommendation
Background
Loss before recommendation
Expected loss with recommendation
Benefit of the recommendation
CBA = Loss before recommendation − Loss after
recommendation − Cost of recommendation
Risk Statements
Used to communicate a risk and the resulting impact
Often written using “if/then”
Should be matched to the scope and objectives of the project
Documenting Management Response to Recommendations
Accept
Management can approve the recommendation
Defer
Management can defer a recommendation
Modify
Management can modify a recommendation
Documenting and Tracking Implementation of Accepted Recommendations
The documentation doesn’t need to be extensive; it could be a
simple document listing the recommendation and the decision,
for example:
Recommendation to purchase antivirus software
Accepted. Software is to be purchased as soon as possible.
Recommendation to hire an IT administrator
Deferred. IT department needs to provide clearer justification
for this. In the interim, the IT department is authorized to use
overtime to ensure security requirements are met.
Recommendation to purchase SS75 firewall
Modified. Two SS75 firewalls are to be purchased as soon as
possible. These two firewalls will be configured as a DMZ.
Plan of Action and Milestones (POAM)
Is a living document
A document used to track progress
Used to assign responsibility and to allow management follow-up
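The reporting artifacts described above (the CBA formula, if/then risk statements, the accept/defer/modify management response, and the POAM) as one small working model. This is an added example, not code from the textbook; the dollar figures, milestone names, and the negative CBA for the deferred hire are constructed to illustrate how the pieces fit together.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

class Response(Enum):
    """Management response to a recommendation: accept, defer, or modify."""
    ACCEPT = "accepted"
    DEFER = "deferred"
    MODIFY = "modified"

@dataclass
class Recommendation:
    name: str
    cause: str            # finding: the threat
    effect: str           # finding: usually an outage of some type
    one_time_cost: float  # purchase / installation cost
    annual_cost: float    # anticipated ongoing cost per year
    loss_before: float    # expected annual loss without the control
    loss_after: float     # expected annual loss with the control
    owner: str            # party responsible for implementing it
    milestones: List[str] = field(default_factory=list)
    response: Optional[Response] = None
    note: str = ""        # management's justification or modification

    def cost(self, years: int = 1) -> float:
        """Cost of the recommendation, including ongoing costs over the period."""
        return self.one_time_cost + self.annual_cost * years

    def cba(self, years: int = 1) -> float:
        """Chapter formula: CBA = loss before - loss after - cost of recommendation."""
        return (self.loss_before - self.loss_after) * years - self.cost(years)

    def risk_statement(self) -> str:
        """Risk statements are written as if/then: the threat and its impact."""
        return f"If {self.cause}, then {self.effect}."

def sample_plan() -> List[Recommendation]:
    """Two items from the chapter's website example; all figures are constructed."""
    firewall = Recommendation(
        "Upgrade firewall", "the basic router is flooded by a DoS attack",
        "the website is unavailable for hours", 3000, 500, 20000, 2000, "IT department",
        ["Start firewall logging", "Create a firewall policy", "Purchase a firewall appliance",
         "Install and configure the firewall", "Test before going live", "Bring online"])
    admin = Recommendation(
        "Add one IT administrator", "patches are applied late because of inadequate manpower",
        "the server is compromised through a known vulnerability", 0, 60000, 15000, 5000,
        "IT department", ["Post the position", "Hire and onboard"])
    return [firewall, admin]

def decide(rec: Recommendation, response: Response, note: str = "") -> Recommendation:
    """Document management's response; a deferral should carry its justification."""
    rec.response, rec.note = response, note
    return rec

def rank_by_cba(recs: List[Recommendation], years: int = 1) -> List[str]:
    """Order recommendations by CBA so the best value is presented first."""
    return [r.name for r in sorted(recs, key=lambda r: r.cba(years), reverse=True)]

def poam(recs: List[Recommendation]) -> List[dict]:
    """POAM rows for accepted or modified items: one per milestone, with the owner,
    so management can follow up. Deferred items produce no rows."""
    rows = []
    for r in recs:
        if r.response in (Response.ACCEPT, Response.MODIFY):
            for i, m in enumerate(r.milestones, 1):
                rows.append({"item": r.name, "milestone": f"{i}. {m}",
                             "owner": r.owner, "status": "open"})
    return rows

if __name__ == "__main__":
    plan = sample_plan()
    for r in plan:
        print(f"{r.name}: CBA ${r.cba():,.0f}; {r.risk_statement()}")
    decide(plan[0], Response.ACCEPT, "Purchase as soon as possible")
    decide(plan[1], Response.DEFER, "IT must provide clearer justification")
    for row in poam(plan):
        print(row)
```

Note that the second item has a negative CBA at a one-year horizon, which is exactly the kind of result that leads management to defer and ask for a clearer justification.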
Charting the Progress of a Risk Management Plan
The milestone plan chart lists only major milestones
Charting the Progress of a Risk Management Plan (Cont.)
A Gantt chart shows a full project schedule
Charting the Progress of a Risk Management Plan (Cont.)
The critical path chart identifies critical tasks to be managed
Steps of the NIST Risk Management Framework (RMF)
Seven-step process that combines security and risk management
as part of a systems development life cycle:
CHAPTER 3
Understanding and Maintaining Compliance
Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend
Learning Company. www.jblearning.com.
Learning Objective(s) and Key Concepts
Identify compliance laws, standards, best practices, and policies
of risk management.
Compliance laws that affect information technology (IT)
systems
Regulations related to compliance
Organizational policies for compliance
Standards and guidelines for compliance
Learning Objective(s)
Key Concepts
U.S. Compliance Laws
Federal Information Security Modernization Act (FISMA)
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
Sarbanes-Oxley Act (SOX)
Family Educational Rights and Privacy Act (FERPA)
Children’s Internet Protection Act (CIPA)
Children’s Online Privacy Protection Act (COPPA)
U.S. Compliance Laws and Their Applicability
Law: Applicability
FISMA: Federal agencies
HIPAA: Any organization handling medical data
GLBA: Banks, brokerage companies, and insurance companies
SOX: All publicly traded companies
FERPA: Educational institutions
CIPA: Schools and libraries using E-Rate discounts
COPPA: Websites or online services directed at children under 13 that collect personal information from them
Health Insurance Portability and Accountability Act
Covers any organization that handles health data
Medical facilities
Insurance companies
Any company with a health plan if employees handle health data
HIPAA Compliance
Assessment
Risk analysis
Plan creation
Plan implementation
Continuous monitoring
Gramm-Leach-Bliley Act (GLBA)
Also known as the Financial Services Modernization Act
Most of GLBA relates to how banking and insurance institutions
can merge
Financial Privacy Rule
Requires companies to notify customers about privacy practice
Explains how the bank or company collects and shares data
Safeguards Rule
Requires companies to have a security plan to protect customer
information
Ensures data isn’t released without authorization; ensures data
integrity
Companies must use a risk management plan, provide security
training
Sarbanes-Oxley (SOX) Act
Applies to publicly traded companies
Designed to hold company executives and board members
personally responsible for financial data
Chief executive officers (CEOs) and chief financial officers
(CFOs) must be able to:
Verify accuracy of financial statements
Prove the statements are accurate
Family Educational Rights and Privacy Act (FERPA)
Protects the privacy of student records, which includes
education and health data
Applies to all schools that receive funding from the U.S.
Department of Education:
State or local educational agencies
Institutions of higher education
Community colleges
Schools or agencies that offer a preschool program
All other education institutions
For students under 18, parent can inspect records and request
corrections
Protects student personally identifiable information (PII)
Children’s Internet Protection Act (CIPA)
Designed to limit access to offensive content from school and
library computers
Covers schools and libraries that receive funding from the E-Rate program
Requires schools and libraries to block or filter Internet access
to pictures that are obscene or harmful to minors
Requires schools and libraries to:
Adopt and enforce a policy to monitor online activity of minors
Implement an Internet safety policy that addresses:
Access by minors to inappropriate content
Safety and security of minors when using email and chat rooms
Unauthorized access
Unlawful activities by minors online
Unauthorized use of minors’ personal information
Measures restricting minors’ access to harmful materials
Children’s Online Privacy Protection Act (COPPA)
Designed to protect the privacy of children under 13
Sites must require parental consent to collect or use personal
information of young website users
Sites must post:
Contents of privacy policy
When and how to seek verifiable consent from a parent or
guardian
Responsibility of a website operator regarding children’s
privacy and safety online, including restrictions on the types
and methods of marketing that targets those under 13
Regulations Related to Compliance
Securities and Exchange Commission (SEC)
Federal Trade Commission (FTC)
Protects consumers
Prevents anticompetitive practices
Evaluates economic impact of actions
Federal Trade Commission (FTC)
Bureau of Consumer Protection
Bureau of Competition
Bureau of Economics
U.S. Compliance Regulatory Agencies
Federal Deposit Insurance Corporation (FDIC)
Department of Homeland Security (DHS)
State Attorney General (AG)
U.S. Attorney General (U.S. AG)
Organizational Policies for Compliance
Fiduciary
Refers to a relationship of trust
Could be a person who is trusted to hold someone else’s assets
Trusted person has the responsibility to act in the other person’s best interests and avoid conflicts of interest
Organizational Policies for Compliance (Cont.)
Examples of trust relationships:
An attorney and a client
A CEO and a board of directors
Shareholders and a board of directors
Fiduciary is expected to take extra steps:
Due diligence
Due care
Organizational policy could include:
Mandatory vacations
Job rotation
Separation of duties
Acceptable use
Standards and Guidelines for Compliance
Payment Card Industry Data Security Standard (PCI DSS)
National Institute of Standards and Technology (NIST)
Generally Accepted Information Security Principles (GAISP)
Control Objectives for Information and Related Technology
(COBIT)
International Organization for Standardization (ISO)
Standards and Guidelines for Compliance (Cont.)
International Electrotechnical Commission (IEC)
Information Technology Infrastructure Library (ITIL)
Capability Maturity Model Integration (CMMI)
General Data Protection Regulation (GDPR)
Department of Defense Information Assurance Certification and
Accreditation Process (DIACAP)
Payment Card Industry Data Security Standard
Created by Payment Card Industry Security Standards Council
American Express, Discover Financial Services, JCB
International, MasterCard Worldwide, and Visa Inc.
Key pieces of data:
Name
Credit card number
Expiration date
Security code
Merchants using credit cards are required to comply
Payment Card Industry Data Security Standard (Cont.)
Goals and process steps:
Build and maintain a secure network that is PCI compliant
  Install and maintain a firewall
  Do not use defaults, such as default passwords
Protect cardholder data
  Protect stored data
  Encrypt transmissions
Maintain a vulnerability management program
  Use and update antivirus software
  Develop and maintain secure systems
Implement strong access control measures
  Restrict access to data
  Use unique logins for each user
  Don’t share usernames and passwords
  Restrict physical access
Regularly monitor and test networks
  Track and monitor all access to systems and data
  Regularly test security
Maintain an information security policy
  Maintain a security policy
Payment Card Industry Data Security Standard (Cont.)
Build and maintain a secure network that is PCI compliant
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
Assess
Report
Remediate
National Institute of Standards and Technology (NIST)
Promotes U.S. innovation and competitiveness
Hosts the Information Technology Laboratory (ITL)
Special publications, SP 800-30: Guide for Conducting Risk
Assessments
Generally Accepted Information Security Principles (GAISP)
Includes two major sections:
Pervasive principles
Broad functional principles
Control Objectives for Information and Related Technology
(COBIT)
Meet stakeholder needs
Cover the enterprise end to end
Apply a single integrated framework
Enable a holistic approach
Separate governance from management
Control Objectives for Information and Related Technology
(Cont.)
Adapted from COBIT 5 for Risk ©2013 ISACA.
All rights reserved. Used with permission.
International Organization for Standardization (ISO)
ISO 27002
Security Techniques
ISO 31000
Principles and Guidelines on Implementation
ISO 73
Risk Management—Vocabulary
International Electrotechnical Commission (IEC)
Meet the requirements of the global market
Ensure maximum use of its standards
Assess and improve products and services covered by its
standards
Aid in interoperability of systems
Increase the efficiency of processes
Aid in improvement of human health and safety
Aid in protection of the environment
Information Technology Infrastructure Library (ITIL)
ITIL life cycle:
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement
Capability Maturity Model Integration (CMMI)
Primary areas of interest:
Product and service development
Service establishment, management, and delivery
Product and service acquisition
CMMI maturity levels:
Level 0: Nonexistent
Level 1: Initial
Level 2: Managed
Level 3: Defined
Level 4: Quantitatively Managed
Level 5: Optimized
General Data Protection Regulation (GDPR)
Regulates how companies protect the personal data of EU
citizens and those in the European Economic Area (EEA)
Applies to all businesses that deal with the personal data of
individuals living in the EU or EEA
Key changes to GDPR in 2018:
Increased territorial scope (extraterritorial applicability)
Penalties
Consent
Data subject rights
Department of Defense Information Assurance Certification and Accreditation Process (DIACAP)
Phase 1: Initiate and Plan
Phase 2: Implement and Validate
Phase 3: Make Certification and Accreditation Decisions
Phase 4: Maintain ATO/Review
Phase 5: Decommission
Summary
Compliance laws that affect information technology (IT)
systems
Regulations related to compliance
Organizational policies for compliance
Standards and guidelines for compliance
DISCUSSION – Intro to Data Mining
Chapter 7 : Cluster Analysis: Basic Concepts and Algorithms
This week we also discuss the concepts in chapter seven, which
deals with the basic concepts and algorithms of cluster analysis.
After reading chapter seven answer the following questions:
· What is K-means from a basic standpoint?
· What are the various types of clusters and why is the distinction important?
· What are the strengths and weaknesses of K-means?
· What is a cluster evaluation?
Select at least two types of cluster evaluations, discuss the
concepts of each method.
Reference:
TextBook :
1) Data Mining: Concepts and Techniques
Authors: Jiawei Han, Jian Pei, Micheline Kamber. Date: 2011
2) Križanić, S. (2020). Educational data mining using cluster analysis and decision tree technique: A case study. International Journal of Engineering Business Management, 12, 184797902090867–.
Discussion – Info Security and Risk Management
Chapter 3 - Access Controls in Microsoft Windows
Chapter 4 - Microsoft Windows Encryption Tools and
Technologies
In week 2, analyze the difference between intentional and
unintentional threats.
You must use at least one scholarly resource. Every discussion
posting must be properly APA formatted.
PPT attached
Text Book:
Title: Managing Risk in Information Systems
ISBN: 9781284193602
Authors: Darril Gibson, Andy Igonor
Publisher: Jones & Bartlett Learning
Publication Date: 2021
Edition: 3rd edition
Assignment – Intro to Data Mining
Chapter 7 : Cluster Analysis: Basic Concepts and Algorithms
After reviewing the case study this week by Krizanic (2020),
answer the following questions in essay format.
· What is the definition of data mining that the author mentions?
How is this different from our current understanding of data
mining?
· What is the premise of the use case and findings?
· What type of tools are used in the data mining aspect of the
use case and how are they used?
· Were the tools used appropriate for the use case? Why or why
not?
In an APA7 formatted essay answer all questions above. There
should be headings to each of the questions above as well.
Ensure there are at least two-peer reviewed sources to support
your work. The paper should be at least two pages of content
(this does not include the cover page or reference page).
Reference:
TextBook :
1) Križanić, S. (2020). Educational data mining using cluster analysis and decision tree technique: A case study. International Journal of Engineering Business Management, 12, 184797902090867–.
PFA document.