Managing Risk in Information Systems
Chapter 4
Developing a Risk Management Plan
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning
Company
www.jblearning.com
All rights reserved.
Components of Risk Management
The remainder of the course deals with the specific
components of Risk Management, which include Risk
Assessment and its components and Risk Control and its
components.
South Texas University – Case Study
A Gulf Coast university is threatened by hurricanes every 7
years. Because it is located inland, high winds are the major
concern, and windows are covered to minimize wind damage. Severe
hurricanes could cause flooding to the University grounds.
The University conducted an independent audit of its Network
and Enterprise systems and put controls into place to protect its
infrastructure and minimize risks to its operations. These
include the University’s Web Servers, Email Servers, Enterprise
Systems and other Administrative IT systems. These systems
are under a Risk Management Plan and are considered
protected.
The new Information Systems Security Manager has now been
charged to conduct a walk-thru of the campus to identify other
automated systems that may be at risk.
University Computer and Data Center
Is housed on the 1st floor of a classroom building
The exterior walls do not have windows but the interior walls
have windows that face the building’s hallway
Electricity feeds the entire building and an overload of circuits
in the building may lead to a power outage
There are no UPS systems
The A/C system feeds the entire building and may not be
sufficient to keep the building adequately cooled
During summer fans are used to cool the equipment
The entryway to the computer room has a Break Room
a Coffee Pot and Microwave are located in the Break Room
Access to the Computer room uses Key Cards
issued to authorized personnel only
The Computer Room has raised floors
A sprinkler system runs across ceiling but the
sprinklers are capped
There is No Fire Suppression system
Other University Systems
Enrollment Management is housed in an old 2-story library
Cubicles are used to process student records and cannot be
locked
Customers can wander into these areas when staff are not
present
Front counters are used to query and update student records and
are sometimes left unmanned
Servers are housed in offices that are rarely locked and have
windows
Some System Admins work for the CIO but have offices in
Enrollment Management
One System Admin has no Security training and works for
Enrollment Management
Data extracts from the Report server include
National ID
Electricity is provided to the entire building
but may not be stable.
Sprinkler systems provide fire protection.
Other University Systems
The University has 5 colleges located in separate buildings
Each College maintains its own server(s) to track programs,
research and other initiatives
Colleges use existing staff and student workers to manage their
servers (typically computer science students)
Servers are stored in offices and the doors are rarely locked and
the rooms often have multiple windows
Electricity is provided to all buildings and no UPS systems are
used
Sprinkler systems provide fire protection.
The University includes a completely independent Research
facility housed in a state-of-the-art building on campus
Maintains its own hardware, software and systems with NO
oversight from the CIO and the IT professionals.
Objectives of a Risk Management Plan
A list of threats
A list of vulnerabilities
Costs associated with risks
A list of recommendations to reduce the risks
Costs associated with recommendations
A cost-benefit analysis
One or more reports
We discussed in earlier chapters that the university I worked at
in South Texas had a problem with security breaches when
faculty downloaded data to a flash drive and lost the drive. The
University hired a new Information Systems Security Manager
to begin working on resolving issues that led to this security
breach by creating a Risk Management Plan which would be
made up of the items listed on this page.
The manager started by walking around the campus to identify
systems that were being used. During this walkthrough, the
manager looked for weaknesses and threats, began thinking
about what it would require to manage these risks and
formulating a plan.
Scope of Plan Dimensions
Extent the plan will be organized
Level of implementation
Range of view and outlook
Degree of application and operation
Measurement of effectiveness
Looking at the information collected in the first slides, the
InfoSystems Security Manager identified some of the
weaknesses and threats.
Looking through the list we find a number of broad areas: 1. the
computer and data center; 2. the systems located across the
campus; 3. the open work areas in Enrollment Management; and
4. the independent Research Institute.
The manager decides to limit the Scope (boundaries) to the
computer and data center as well as the systems located across
the campus. The open work areas in Enrollment Management
could be handled by a general statement to the entire campus
about security and by providing training. The research institute
would be a project on its own because of its size and political
considerations. It has the potential to become very complex and
lead to more and more risks that would have to be addressed –
this would lead to ‘scope creep’ and potentially derail the
project.
Simply correcting problems with the computer and data center
would require a number of changes to operations and policies
within IT. Addressing problems with the campus-wide servers
would require extensive discussions with their owners and IT
and management (the stakeholders). These discussions often
lead to strong opinions about ownership and buy-in and may
require senior management to intervene and make decisions that
are not always easily accepted.
Creating a Plan
Risk management plans can be simple or complex
Dependent on:
Organization size
Business functions
Assets
Important to get input from multiple roles within the
organization
In the example chosen for this chapter, the scope is simplified
for our discussion but often Risk Management Plans are very
complex and require a great amount of time and people-
resources to accomplish.
Larger organizations may have the people-resources to develop
an extensive and all-inclusive plan that covers the huge
inventory of IT assets. These plans will typically be more
complex. Smaller organizations will not have the people
resources nor the IT assets so their plans will be less complex.
Risk Management should concentrate first on business functions
that are most critical and lead to the most significant loss.
Finally, some businesses depend extensively on IT and must
protect their large investment in equipment while other
organizations have limited IT assets.
When developing a plan, do not limit input from organizational
elements that are impacted by the loss of the assets. Not only
do they have the broad knowledge needed to provide the best
solution but buy-in to any solution is critical to marketing the
solution and gaining management acceptance.
9/18/2016
Assignment of Responsibilities
Align resources
Assign responsibilities
Evaluate relationships
Let us consider the Enrollment Management and College server
issues. Responsibility for the Project Management role would
be assigned to the Information Systems Security Manager who
is tasked to resolve the problems.
The stakeholders include the owners of the servers, the users of
the system and the administrators of the systems. The owners
include the Asst. V.P. of Enrollment Management and the Dean
who spent their own funds to buy the hardware and software.
They also own the data that is stored on these devices and that
are used to help them complete their mission. More important
are the Custodians of these systems – the people who must
ensure the systems are secure and the data is protected.
The Enrollment Manager and Deans will typically assign expert
users to be part of the planning team along with their respective
System Administrators. Key is to assign at least one decision-
maker from each area who will protect the interests of their
managers. The CIO will assign System Administrators who will
function as the future Custodians of the system and serve as
consultants. The team members will typically meet a number of
times to identify, assess and find ways to mitigate the risks.
The Project Manager not only ensures the team stays on track
and is productive but also serves as an expert on the risk
management process and the decision maker for the CIO.
Affinity Diagram for the Other University Systems
Vulnerabilities
Servers housed in offices that are rarely locked and have windows
Unstable Electricity
Water Sprinkler System
System Admin has no Security training
National ID included in download extracts
Threats
Servers can be stolen
Servers can be destroyed by vandals
Servers can be destroyed by wind damage
Servers can be destroyed by power spikes
Servers can be destroyed by water from sprinkler system
System Admin does not know how to protect the server, software and data
National ID downloaded and stolen
Recommendations
Move Servers to Computer Data Center
Train System Administrator
Prevent National ID from being downloaded
Looking again at the Other University systems, we notice there
are 5 Vulnerabilities and three of these deal with the server, one
with the Systems Administrator and one with the reporting
server data downloads.
These vulnerabilities are tied to 7 Threats and five of these deal
with the server.
Moving the servers to the Computer Data Center that is already
a secure environment is the simple solution.
Training the System Administrators, employed by Enrollment
Management and the Deans, makes them aware of their security
duties while allowing the owners to retain personnel responsible
for supporting their specific missions.
Removing the National ID, which is not needed, is another
simple solution.
Describing Procedures and Schedules for Accomplishment
Include a recommended solution for any threat or vulnerability,
with a goal of mitigating the associated risk.
The solution will often include multiple steps.
Looking at the previous slide, there are three recommended
solutions to mitigate the risks.
Move Servers to the Computer Data Center
Train the System Administrators
Prevent the National ID from being downloaded
Each of these recommendations will require a number of steps
and may not be easily and quickly accomplished. It will take
time to detail the steps needed.
Describing Procedures and Schedules for Accomplishment
Describe each step in detail.
Include a timeline for completion of each step.
Remember:
Management is responsible for choosing the controls to
implement.
Management is responsible for residual risk.
This is where the team of users, Systems Administrators and
others can provide guidance while generating buy-in to the
eventual solution. The team will be responsible for expanding
each recommendation to determine how complex the solution
will be and what steps must be taken. There may be cases
where the entire team isn’t involved in each recommendation –
only those who are stakeholders to the recommendation will
need to be involved.
Eliminating the National ID involves the users so the Project
Manager would meet individually with them to determine the
process.
Moving the servers and training of the System Administrator
will not require input from the users so they can be excluded
from this discussion.
Once the details are documented and the team agrees to the
steps, the team must estimate the time it will take to implement.
In addition, the day-to-day operations must be analyzed so that
a timeline can be established that does not impact operations.
Next, management can be briefed on the Controls and any
Residual risks that may remain after the plan is implemented.
Management must agree to the recommendations and trust their
team members represent their mission goals and requirements.
Remember that in this case, management includes not only the
Asst. V.P. for Enrollment Management and the Deans but also
the CIO who has the responsibility to defend the interests of the
University’s security policies.
Reporting Requirements
Present recommendations
Document management response to recommendations
Document and track implementation of accepted
recommendations
Create plan of action and milestones (POAM)
Typically the Project Manager is responsible for presenting the
recommendations to management; however, if a decision-maker
was assigned to the team by the Enrollment Manager or Dean,
they may also be invited to ensure the presentation covers all
critical points.
The Project Manager also ensures any decisions made are
documented and any exceptions or follow-on questions are
documented.
If the plan or any portion of the plan is accepted, the Project
Manager develops a detailed Project Management Plan of
Action and Milestones to implement the recommendations
and track the progress of the change.
If the plan or any portion of the plan is rejected, the decision is
noted.
If the plan or any portion of the plan is deferred, the Project
Manager works with management to eventually change that
decision into either an acceptance or rejection.
Reporting Requirements (Cont.)
Report should include:
Findings
Recommendation cost and time frame
Cost-benefit analysis
Reports are often summarized in risk statements
Use risk statements to communicate a risk and the resulting
impact
Although the final report may be very extensive, Project
Managers usually brief the managers together as a group to
allow them to discuss and consider the recommendations and
the impact on their organization. It is assumed that these
managers have already discussed the recommendations with
their respective team members to judge whether they should
accept, reject or defer the plan or parts of the plan. This is why
it is critical to ensure the team members buy-in to the
recommended solutions.
Depending on the level of management, the meeting may be
very short and the briefing may be very concise. If the
president is involved in the decision, there may only be a few
minutes to hear and decide. If a lower level manager makes the
decision, then there may be more time for presentation and
discussion.
Managers need to know how much it will cost and what the
cost-benefit is to the solution. In the case of the servers,
moving them may be relatively inexpensive, requiring more
man-hours over costs. Training of the system admin may
simply be taking a previous training presentation off the shelf.
Removing the National ID may require the rewriting of the
reporting solution which again requires man-hours rather than
actual funding.
In the case of the servers, the report would use risk statements
to communicate the risk – what is the cause (threat), what is the
criteria (vulnerability/weakness) and what is the effect (the
risk).
15
Using a Cause and Effect Diagram
Server risk
Cause: Room unlocked (theft); Object breaks through window (destruction)
Effect: Loss of Server
Data risk
Cause: Untrained SysAdmin (destruction); Download National ID (data breach)
Effect: Loss or compromise of Critical Data
These Cause and Criteria or Cause and Effect diagrams
visually show the basic problems.
When the room is unlocked, the server can be stolen or
destroyed and the server will be lost.
During a wind storm, objects can break through the window and
the server can be destroyed and lost.
An untrained System Administrator can destroy or fail to
protect the data on the server and it will be lost.
The download of the National ID can result in a data breach and
the data can be lost or compromised.
Plan of Action and Milestones (POAM)
A document used to track progress
Used to assign responsibility and to allow management follow-
up
Is a living document
Earlier we said the team needs to provide a detailed list of steps
needed to accomplish the plan. The plan is often broken down
into work elements. In our example, there would have been a
large number of steps for the work elements needed to “move
the server”. There would be a large number of steps for the
work elements to “eliminate the downloading of National ID
numbers”. There would probably be a small number of steps for
the work elements to “train the systems administrators”.
Within each work element, when the last step is finished, it is
considered a Milestone for that work element. A plan may have
so many steps, called tasks, that you might break it down into
segments, each with its own milestone. For example, for
‘eliminate the National ID’, the steps needed to rewrite the
program would end with a ‘Program rewritten’ milestone. Then
the steps needed to test the new program would end with a
‘Testing completed’ milestone, and so on.
Plan of Action and Milestones (POAM) vary in structure and
content. The example shown in the book shows Work Elements,
Responsible person and Milestone dates. Some POAM
documents are actually Project Management Plans that include
many rows that identify every step/task, grouped by work
elements that end with a milestone. Typically the PM Plan
includes columns for a Task #, Task Name, Time to complete
the Task, task(s) that must be done before this one
(predecessors) and the resources (people, etc) needed to
complete the task. Since these Plans are often very complex, the
team may forget a task or step and add it to the plan later,
which is why the plan is a living document.
Project Management (PM) Plan
MOVE SERVERS

| Task # | Task Description | Duration in Hours | Predecessor | Resource |
|---|---|---|---|---|
| 1 | Identify Enrollment Management servers to be moved | 40 | | EM-SysAdmin |
| 2 | Identify software running on the servers | 80 | 1 | EM-SysAdmin |
| 3 | Identify peripherals connected to server | 40 | 1 | EM-SysAdmin |
| 4 | Identify wireless/wired configuration | 40 | 1 | EM-SysAdmin |
| 5 | Export data to external drive | 8 | 1 | EM-SysAdmin |
| 6 | Export image of the server to external drive | 8 | 1 | EM-SysAdmin |
| 7 | … | | | EM-SysAdmin |
| 8 | Milestone: Server Prep Completed | 0 | | |
| 9 | Identify new location in data center | 20 | 1 | IT-SysAdmin |
| 10 | Run wireless/wired configuration for new location | 20 | 9 | IT-SysAdmin |
| 11 | … | | | IT-SysAdmin |
| 12 | Milestone: New location prep completed | 0 | | |
| 13 | Disconnect server | 0.5 | 8, 12 | EM-SysAdmin |
| 14 | Package server and components | 0.5 | 13 | EM-SysAdmin; IT-SysAdmin |
| 15 | Transport system to data center | 1 | 14 | IT-SysAdmin |
| 16 | … | | | |
| 17 | Milestone: Server moved | 0 | | |
| 18 | Connect server at new location | 0.5 | 15 | IT-SysAdmin |
| 19 | Connect peripherals at new location | 0.5 | 18 | IT-SysAdmin |
| 20 | Connect wires/wireless at new location | 1 | 18 | IT-SysAdmin |
| 21 | … | | | |
| 22 | Milestone: Server setup at new location | 0 | | |
| 23 | Test Server OS at new location | 2 | 22 | IT-SysAdmin |
| 26 | … | | | |

Similar steps needed for each Dean’s Systems
Milestone Plan Chart
Only lists major milestones
When using a Project Management software package like MS
Project, there are packaged reports available to provide a visual
representation of the tasks and milestones.
A Milestone Plan Chart only displays the start and end of the
work elements that end with a milestone. This is displayed as a
number of lines that allow the users to quickly see how long the
elements take and the sequence and relationship to other work
elements that start before or after that milestone.
For the ‘eliminating National ID’ plan, you would probably see
the following work elements in sequence:
Analyze the requirement to see what programs must be modified
Milestone: Analysis completed
Rewrite the programs to eliminate the National ID
Milestone: Program Rewrite completed
Test the programs to ensure they work properly
Milestone: Testing completed
Implement the new programs
Milestone: New system implemented
Train the user on the new program outputs
Milestone: Training completed
Go back to the users to make sure everything is working
properly
Milestone: Evaluation completed
Gantt Chart
Shows a full project schedule
The Gantt Chart is another visual representation of the project
and all of its steps and shows how the tasks relate to each other,
especially when one task is dependent on the completion of a
previous task. In our discussion of the Milestone Plan chart,
Programming wasn’t started until Analysis was done; Testing
wasn’t done until Programming was completed.
In the Gantt Chart you see the length of time it takes to
complete the tasks and the sequence and timing of the next
tasks.
At the top of the Gantt Chart, a time bar is shown so the user
can see when each task should start and end.
Critical Path Chart
Identifies critical tasks to be managed
The Critical Path chart is another visual presentation showing
the work elements that take the longest to complete. This is
used when multiple work elements are being executed at the
same time.
Looking at all three of the work elements we discussed earlier,
‘move servers’, ‘eliminate National ID’ and ‘train systems
administrators’, they would probably be executed at the same
time because the resources needed to complete them are often
independent of each other (System Admins move servers;
programmers rewrite the programs that display National IDs;
trainers train the system administrators).
If the goal is to complete all of these work elements by a certain
date, you would want to see which one has the potential to be
late.
In our example, the Enrollment Management and Deans’
SysAdmins get the servers ready for the move and then the IT
SysAdmins complete the move and set up the systems in the
Data Center. If the Enrollment Management and Deans’
SysAdmins are scheduled for training at the same time they
should be preparing for the move, it most likely will delay the
finish of the move. The Critical Path would show the move as
the longest ‘path’. By moving the training to a later date, the
finish of the move would be shortened and the deadline would
be easier to accomplish.
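As an added example (not part of the original slides), the sketch below runs a forward and backward pass over the MOVE SERVERS task rows to find the critical path and the slack of every task. The milestone predecessors, the task id 0 used for training and the 16-hour training figure are assumptions made for the example; rows the slide elides are omitted.

```python
from collections import defaultdict

# Rows of the MOVE SERVERS plan: id -> (description, hours, predecessors).
# Rows shown only as "…" on the slide are left out.
# ASSUMPTION: the slide gives no predecessors for milestone rows 8, 12, 17 and
# 22, so each is linked here to the tasks of its own work element.
MOVE_SERVERS = {
    1: ("Identify Enrollment Management servers to be moved", 40, []),
    2: ("Identify software running on the servers", 80, [1]),
    3: ("Identify peripherals connected to server", 40, [1]),
    4: ("Identify wireless/wired configuration", 40, [1]),
    5: ("Export data to external drive", 8, [1]),
    6: ("Export image of the server to external drive", 8, [1]),
    8: ("Milestone: Server prep completed", 0, [2, 3, 4, 5, 6]),
    9: ("Identify new location in data center", 20, [1]),
    10: ("Run wireless/wired configuration for new location", 20, [9]),
    12: ("Milestone: New location prep completed", 0, [10]),
    13: ("Disconnect server", 0.5, [8, 12]),
    14: ("Package server and components", 0.5, [13]),
    15: ("Transport system to data center", 1, [14]),
    17: ("Milestone: Server moved", 0, [15]),
    18: ("Connect server at new location", 0.5, [15]),
    19: ("Connect peripherals at new location", 0.5, [18]),
    20: ("Connect wires/wireless at new location", 1, [18]),
    22: ("Milestone: Server setup at new location", 0, [19, 20]),
    23: ("Test Server OS at new location", 2, [22]),
}


def topo_order(tasks):
    """Return task ids so that every task follows its predecessors."""
    pending = {}
    for tid, (_, _, preds) in tasks.items():
        unknown = [p for p in preds if p not in tasks]
        if unknown:
            raise ValueError(f"task {tid} has unknown predecessor(s) {unknown}")
        pending[tid] = set(preds)
    order = []
    while pending:
        ready = sorted(t for t, preds in pending.items() if not preds)
        if not ready:
            raise ValueError("predecessor cycle: plan cannot be scheduled")
        for t in ready:
            order.append(t)
            del pending[t]
        for preds in pending.values():
            preds.difference_update(ready)
    return order


def schedule(tasks):
    """Forward and backward pass. Returns (finish_hours, {task id: slack})."""
    order = topo_order(tasks)
    successors = defaultdict(list)
    early_start, early_finish = {}, {}
    for tid in order:
        _, hours, preds = tasks[tid]
        early_start[tid] = max((early_finish[p] for p in preds), default=0)
        early_finish[tid] = early_start[tid] + hours
        for p in preds:
            successors[p].append(tid)
    finish = max(early_finish.values())
    late_start = {}
    for tid in reversed(order):
        late_finish = min((late_start[s] for s in successors[tid]), default=finish)
        late_start[tid] = late_finish - tasks[tid][1]
    slack = {tid: late_start[tid] - early_start[tid] for tid in order}
    return finish, slack


def critical_path(tasks):
    """Task ids with zero slack: a delay in any of them delays the plan."""
    _, slack = schedule(tasks)
    return [tid for tid in topo_order(tasks) if slack[tid] == 0]


def with_training_first(tasks, training_hours):
    """Copy of the plan in which task 1 waits for SysAdmin training (id 0).

    Models the case in the notes where the SysAdmins are in training when
    they should be preparing the move. The hours are supplied by the caller.
    """
    plan = dict(tasks)
    plan[0] = ("Train the System Administrators", training_hours, [])
    name, hours, preds = plan[1]
    plan[1] = (name, hours, preds + [0])
    return plan


if __name__ == "__main__":
    finish, slack = schedule(MOVE_SERVERS)
    print("finish:", finish, "hours")
    print("critical path:", critical_path(MOVE_SERVERS))
    # 16 hours of training is a constructed figure, not taken from the slides.
    print("training first:", schedule(with_training_first(MOVE_SERVERS, 16))[0])
```

Tasks with positive slack, such as preparing the new location in the data center, can slip by that many hours without moving the finish date; the zero-slack tasks are the ones management follow-up should watch.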
Summary
Fundamental components of a risk management plan
Objectives of a risk management plan
Boundaries and scope of a risk management plan
Importance of assigning responsibilities in a risk management
plan
Significance of planning, scheduling, and documentation
Grading rubric
Content
The student does an excellent job organizing each response to
demonstrate an understanding of the concepts. All required
components are included in the response, including a summary
and overview of the issue, and a comparison and contrast of the
perspectives on the issue. How are the articles similar or
different on how they expose the issues? What are the explicit
and implicit issues?
Analysis
Taking from the emergent literature (only journal articles or
textbook), what are some of the implications and
recommendations for conducting international business? The
student does an excellent job analyzing the issue(s) and does
not just provide a conclusion or an opinion without explaining
the reason for the choice. The analysis is supported by
reference(s) to the course material and includes a clear and
well-defined explanation of the relevant principle(s) or
concept(s) from the text.
Inquiry
The student does an excellent job organizing each response to
demonstrate an understanding of the concepts. Write at least
two questions that can be exposed (still without an answer)
from analyzing this issue. These inquiries can be
questions/issues that you were not able to answer or understand.
Clarify where or how you believe you can obtain this
information. Mention specific sources (do not simply say,
“Searching on the Internet”).
ISOL 533 Project Part 1 and part 2
Overview
Write paper in sections
Understand the company
Find similar situations
Research and apply possible solutions
Research and find other issues
Health network inc
You are an Information Technology (IT) intern
Health Network Inc.
Headquartered in Minneapolis, Minnesota
Two other locations
Portland Oregon
Arlington Virginia
Over 600 employees
$500 million USD annual revenue
Data centers
Each location is near a data center
Managed by a third-party vendor
Production centers located at the data centers
Health network’s Three products
HNetExchange
Handles secure electronic medical messages between
Large customers such as hospitals and
Small customers such as clinics
HNetPay
Web Portal to support secure payments
Accepts various payment methods
HNetConnect
Allows customers to find Doctors
Contains profiles of doctors, clinics and patients
Health Network’s IT network
Three corporate data centers
Over 1000 data servers
650 corporate laptops
Other mobile devices
Management request
Current risk assessment outdated
Your assignment is to create a new one
Additional threats may be found during re-evaluation
No budget has been set on the project
Threats identified
Loss of company data due to hardware being removed from
production systems
Loss of company information on lost or stolen company-owned
assets, such as mobile devices and laptops
Loss of customers due to production outages caused by various
events, such as natural disasters, change management, unstable
software, and so on
Internet threats due to company products being accessible on
the Internet
Insider threats
Changes in regulatory landscape that may impact operations
Part 1 project assignment
Conduct a risk assessment based on the information from this
presentation
Write a 5-page paper properly APA formatted
Your paper should include
The Scope of the risk assessment i.e. assets, people, processes,
and technologies
Tools used to conduct the risk assessment
Risk assessment findings
Business Impact Analysis
Part 2 project
You will add to your findings from part 1 and address with a
risk mitigation plan.
The plan should include
The plans to reduce risk and vulnerabilities
Determine if organization is risk averse or risk tolerant
Future plans to reduce residual risks
The requirement for this half is also 5 pages, properly APA
formatted.
Security Policies and Implementation IssuesChapter 12Inciden.docx
 
IRJET- Data Leak Prevention System: A Survey
IRJET-  	  Data Leak Prevention System: A SurveyIRJET-  	  Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A Survey
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness              .docxRunning Head SECURITY AWARENESSSecurity Awareness              .docx
Running Head SECURITY AWARENESSSecurity Awareness .docx
 
Dlp notes
Dlp notesDlp notes
Dlp notes
 
data-leakage-prevention
 data-leakage-prevention data-leakage-prevention
data-leakage-prevention
 
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftHow Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
 
Xevgenis_Michail_CI7130 Network and Information Security
Xevgenis_Michail_CI7130 Network and Information SecurityXevgenis_Michail_CI7130 Network and Information Security
Xevgenis_Michail_CI7130 Network and Information Security
 
After reading chapter 10Watch.. httpswww.youtube.comwatc.docx
After reading chapter 10Watch.. httpswww.youtube.comwatc.docxAfter reading chapter 10Watch.. httpswww.youtube.comwatc.docx
After reading chapter 10Watch.. httpswww.youtube.comwatc.docx
 
Managing Riskin InformationSystemsPowered by vLab Solu.docx
Managing Riskin InformationSystemsPowered by vLab Solu.docxManaging Riskin InformationSystemsPowered by vLab Solu.docx
Managing Riskin InformationSystemsPowered by vLab Solu.docx
 
Final Exam Case Study (3)
Final Exam   Case Study (3)Final Exam   Case Study (3)
Final Exam Case Study (3)
 
CyberSecurity - Linda Sharp
CyberSecurity - Linda SharpCyberSecurity - Linda Sharp
CyberSecurity - Linda Sharp
 
03.1 general control
03.1 general control03.1 general control
03.1 general control
 
Topic11
Topic11Topic11
Topic11
 

Managing Risk in Information SystemsChapter 4Developing a .docx

  • 1. Managing Risk in Information Systems Chapter 4 Developing a Risk Management Plan © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 1 Components of Risk Management Page ‹#› Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. The remainder of the course details with the specific components of Risk Management which includes Risk Assessment and its components and Risk Control and its components. 2 South Texas University – Case Study A gulf-coast University is threatened by hurricanes every 7
  • 2. years. Located inland, high wind are the major concern and windows are covered to minimize wind damage. Severe hurricanes could cause flooding to the University grounds. The University conducted an independent audit of its Network and Enterprise systems and put controls into place to protect its infrastructure and minimize risks to its operations. These include the University’s Web Servers, Email Servers, Enterprise Systems and other Administrative IT systems. These systems are under a Risk Management Plan and are considered protected. The new Information Systems Security Manager has now been charged to conduct a walk-thru of the campus to identify other automated systems that may be at risk. Page ‹#› Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 3 University Computer and Data Center Is housed on the 1st floor of a classroom building The exterior walls do not have windows but the interior walls have windows that face the building’s hallway Electricity feeds the entire building and an overload of circuits in the building may lead to a power outage There are no UPS systems
  • 3. The A/C system feeds the entire building and may not be sufficient to keep the building adequately cooled During summer fans are used to cool the equipment The entryway to the computer room has a Break Room a Coffee Pot and Microwave are located in the Break Room Access to the Computer room uses Key Cards issued to authorized personnel only The Computer Room has raised floors A sprinkler system runs across ceiling but the sprinklers are capped There is No Fire Suppression system Page ‹#› Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 4 Other University Systems Enrollment Management is housed in an old 2-story library Cubicles are used to process student records and cannot be locked Customers can wander into these areas when staff are not present Front counters are used to query and update student records and are sometimes left unmanned Servers are housed in offices that are rarely locked and have windows Some System Admins work for the CIO but have offices in Enrollment Management One System Admin has no Security training and works for
  • 4. Enrollment Management Data extracts from Report server includes National ID Electricity is provided to the entire building but may not be stable. Sprinkler systems provide fire protection. Page ‹#› Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 5 Other University Systems The University has 5 colleges located in separate buildings Each College maintain its own server(s) to track programs, research and other initiatives Colleges use existing staff and student workers to manage their servers (typically computer science students) Servers are stored in offices and the doors are rarely locked and the rooms often have multiple windows Electricity is provided to all building and no UPS systems are used Sprinkler systems provide fire protection. The University includes a completely independent Research facility housed in a state-of-the-art building on campus Maintains its own hardware, software and systems with NO oversite from the CIO and the IT professionals.
  • 5. Page ‹#› Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 6 Objectives of a Risk Management Plan A list of threats A list of vulnerabilities Costs associated with risks A list of recommendations to reduce the risks Costs associated with recommendations A cost-benefit analysis One or more reports Page ‹#› Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. We discussed in earlier chapters that the university I worked at in South Texas had a problem with security breaches when faculty downloaded data to a flash drive and lost the drive. The University hired a new Information Systems Security Manager to begin working on resolving issues that lead to this security breach by creating a Risk Management Plan which would be
  • 6. made up of the items listed on this page. The manager started by walking around the campus to identify systems that were being used. During this walkthrough, the manager looked for weaknesses and threats, began thinking about what it would require to manage these risks and formulating a plan. 7 Scope of Plan Dimensions Extent the plan will be organized Level of implementation Range of view and outlook Degree of application and operation Measurement of effectiveness Page ‹#› Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Looking at the information collected in the first slides, the InfoSystems Security Manager identified some of the weaknesses and threats. Looking through the list we find a number of broad areas 1. the computer and data center; 2. the systems located across the campus; 3. the open work areas in Enrollment Management; and 4. the independent Research Institute. The manager decides to limit the Scope (boundaries) to the computer and data center as well as the systems located across the campus. The open work areas in Enrollment Management could be handled by a general statement to the entire campus about security and by providing training. The research institute would be a project on its own because of its size and political
  • 7. considerations. It has the potential to become very complex and lead to more and more risks that would have to be addressed – this would lead to ‘scope creep’ and potentially derail the project. Simply correcting problems with the computer and data center would require a number of changes to operations and policies within IT. Addressing problems with the campus-wide servers would require extensive discussions with their owners and IT and management (the stakeholders). These discussions often lead to strong opinions about ownership and buy-in and may require senior management to intervene and make decisions that are not always easily accepted. 8 Creating a Plan Risk management plans can be simple or complex Dependent on: Organization size Business functions Assets Important to get input from multiple roles within the organization Page ‹#› Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. In the example chosen for this chapter, the scope is simplified
  • 8. for our discussion but often Risk Management Plans are very complex and require a great amount of time and people- resources to accomplish. Larger organizations may have the people-resources to develop an extensive and all-inclusive plan that covers the huge inventory of IT assets. These plans will typically be more complex. Smaller organizations will not have the people resources nor the IT assets so their plans will be less complex. Risk Management should concentrate first on business functions that are most critical and lead to the most significant loss. Finally, some businesses depend extensive on IT and must protect their large investment in equipment while other organizations have limited IT assets When developing a plan, do not limit input from organizational elements that are impacted by the loss of the assets. Not only do they have the broad knowledge needed to provide the best solution but buy-in to any solution is critical to marketing the solution and gaining management acceptance. 9/18/2016 9 Assignment of Responsibilities Align resources Assign responsibilities Evaluate relationships Page ‹#› Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Let us consider the Enrollment Management and College server issues. Responsibility for the Project Management role would be assigned to the Information Systems Security Manager, who is tasked to resolve the problems.
The stakeholders include the owners of the servers, the users of the system and the administrators of the systems. The owners include the Asst. V.P. of Enrollment Management and the Dean, who spent their own funds to buy the hardware and software. They also own the data that is stored on these devices and that is used to help them complete their mission. More important are the Custodians of these systems – the people who must ensure the systems are secure and the data is protected.
The Enrollment Manager and Deans will typically assign expert users to be part of the planning team along with their respective System Administrators. The key is to assign at least one decision-maker from each area who will protect the interests of their managers. The CIO will assign System Administrators who will function as the future Custodians of the system and serve as consultants.
The team members will typically meet a number of times to identify, assess and find ways to mitigate the risks. The Project Manager not only ensures the team stays on track and is productive but also serves as an expert on the risk management process and the decision maker for the CIO.
10
Affinity Diagram for the Other University Systems
Vulnerabilities
Servers housed in offices that are rarely locked and have windows
Unstable Electricity
Water Sprinkler System
System Admin has no Security training
National ID included in download extracts
Threats
Servers can be stolen
Servers can be destroyed by vandals
Servers can be destroyed by wind damage
Servers can be destroyed by power spikes
Servers can be destroyed by water from sprinkler system
System Admin does not know how to protect the server, software and data
National ID downloaded and stolen
Recommendations
Move Servers to Computer Data Center
Train System Administrator
Prevent National ID from being downloaded
Looking again at the Other University systems, we notice there are 5 Vulnerabilities: three of these deal with the server, one with the Systems Administrator and one with the reporting server data downloads.
These vulnerabilities are tied to 7 Threats, and five of these deal with the server.
Moving the servers to the Computer Data Center, which is already a secure environment, is the simple solution.
Training the System Administrators, employed by Enrollment Management and the Deans, makes them aware of their security duties while allowing the owners to retain personnel responsible for supporting their specific missions.
Removing the National ID, which is not needed, is another simple solution.
11
Describing Procedures and Schedules for Accomplishment
Include a recommended solution for any threat or vulnerability, with a goal of mitigating the associated risk.
The solution will often include multiple steps.
Looking at the previous slide, there are three recommended solutions to mitigate the risks:
Move Servers to the Computer Data Center
Train the System Administrators
Prevent the National ID from being downloaded
Each of these recommendations will require a number of steps and may not be easily and quickly accomplished. It will take time to detail the steps needed.
12
Describing Procedures and Schedules for Accomplishment
Describe each step in detail.
Include a timeline for completion of each step.
Remember:
Management is responsible for choosing the controls to implement.
Management is responsible for residual risk.
This is where the team of users, Systems Administrators and others can provide guidance while generating buy-in to the eventual solution.
The team will be responsible for expanding each recommendation to determine how complex the solution
will be and what steps must be taken. There may be cases where the entire team isn’t involved in each recommendation – only those who are stakeholders to the recommendation will need to be involved. Eliminating the National ID involves the users, so the Project Manager would meet individually with them to determine the process. Moving the servers and training the System Administrator will not require input from the users, so they can be excluded from this discussion.
Once the details are documented and the team agrees to the steps, the team must estimate the time it will take to implement. In addition, the day-to-day operations must be analyzed so that a timeline can be established that does not impact operations.
Next, management can be briefed on the Controls and any Residual risks that may remain after the plan is implemented. Management must agree to the recommendations and trust that their team members represent their mission goals and requirements. Remember that in this case, management includes not only the Asst. V.P. for Enrollment Management and the Deans but also the CIO, who has the responsibility to defend the interests of the University’s security policies.
13
Reporting Requirements
Present recommendations
Document management response to recommendations
Document and track implementation of accepted recommendations
Create plan of action and milestones (POAM)
Typically the Project Manager is responsible for presenting the recommendations to management; however, if a decision-maker was assigned to the team by the Enrollment Manager or Dean, they may also be invited to ensure the presentation covers all critical points.
The Project Manager also ensures any decisions made are documented and any exceptions or follow-on questions are documented.
If the plan or any portion of the plan is accepted, the Project Manager develops a detailed Project Management Plan of Action and Milestones to implement the recommendations and track the progress of the change.
If the plan or any portion of the plan is rejected, the decision is noted. If the plan or any portion of the plan is deferred, the Project Manager works with management to eventually change that decision into either an acceptance or rejection.
14
Reporting Requirements (Cont.)
Report should include:
Findings
Recommendation cost and time frame
Cost-benefit analysis
Reports are often summarized in risk statements
Use risk statements to communicate a risk and the resulting impact
Although the final report may be very extensive, Project Managers usually brief the managers together as a group to allow them to discuss and consider the recommendations and the impact on their organization. It is assumed that these managers have already discussed the recommendations with their respective team members to judge whether they should accept, reject or defer the plan or parts of the plan. This is why it is critical to ensure the team members buy in to the recommended solutions.
Depending on the level of management, the meeting may be very short and the briefing may be very concise. If the president is involved in the decision, there may be only a few minutes to hear and decide. If a lower-level manager makes the decision, then there may be more time for presentation and discussion.
Managers need to know how much the solution will cost and what its cost-benefit is. In the case of the servers, moving them may be relatively inexpensive, requiring man-hours rather than funding. Training of the system admin may simply be taking a previous training presentation off the shelf. Removing the National ID may require the rewriting of the reporting solution, which again requires man-hours rather than actual funding.
In the case of the servers, the report would use risk statements to communicate the risk – what is the cause (threat), what is the criteria (vulnerability/weakness) and what is the effect (the risk).
15
Using a Cause and Effect Diagram
[Figure: two cause and effect diagrams. Server risk: room unlocked (theft) and object breaks through window (destruction); effect: loss of server. Data risk: untrained SysAdmin (destruction) and download of National ID (data breach); effect: loss or compromise of critical data.]
These Cause and Criteria, or Cause and Effect, diagrams visually show the basic problems.
When the room is unlocked, the server can be stolen or destroyed and the server will be lost.
During a wind storm, objects can break through the window and the server can be destroyed and lost.
An untrained System Administrator can destroy or fail to protect the data on the server and it will be lost.
The download of the National ID can result in a data breach and the data can be lost or compromised.
16
Plan of Action and Milestones (POAM)
A document used to track progress
Used to assign responsibility and to allow management follow-up
Is a living document
Earlier we said the team needs to provide a detailed list of steps needed to accomplish the plan. The plan is often broken down into work elements. In our example, there would have been a large number of steps for the work elements needed to “move the server”. There would be a large number of steps for the work elements to “eliminate the downloading of National ID numbers”. There would probably be a small number of steps for the work elements to “train the systems administrators”.
Within each work element, when the last step is finished, it is considered a Milestone for that work element. A plan may have so many steps, called tasks, that you might break it down into segments, each with its own milestone. For example, for ‘eliminate the National ID’, the steps needed to rewrite the program would end with a ‘Program rewritten’ milestone. Then the steps needed to test the new program would end with a “Testing completed” milestone, and so on.
Plan of Action and Milestones (POAM) documents vary in structure and
content. The example shown in the book shows Work Elements, Responsible person and Milestone dates.
Some POAM documents are actually Project Management Plans that include many rows that identify every step/task, grouped by work elements that end with a milestone. Typically the PM Plan includes columns for a Task #, Task Name, Time to complete the Task, task(s) that must be done before this one (predecessors) and the resources (people, etc.) needed to complete the task.
Since these Plans are often very complex, the team may forget to add a task or step and add it to the plan later, which makes the plan a living document.
17
Project Management (PM) Plan
MOVE SERVERS
Task # | Task Description | Duration in Hours | Predecessor | Resource
1 | Identify Enrollment Management servers to be moved | 40 | | EM-SysAdmin
2 | Identify software running on the servers | 80 | 1 | EM-SysAdmin
3 | Identify peripherals connected to server | 40 | 1 | EM-SysAdmin
4 | Identify wireless/wired configuration | 40 | 1 | EM-SysAdmin
5 | Export data to external drive | 8 | 1 | EM-SysAdmin
6 | Export image of the server to external drive | 8 | 1 | EM-SysAdmin
7 | … | | | EM-SysAdmin
8 | Milestone: Server Prep Completed | 0 | |
9 | Identify new location in data center | 20 | 1 | IT-SysAdmin
10 | Run wireless/wired configuration for new location | 20 | 9 | IT-SysAdmin
11 | … | | | IT-SysAdmin
12 | Milestone: New location prep completed | 0 | |
13 | Disconnect server | 0.5 | 8, 12 | EM-SysAdmin
14 | Package server and components | 0.5 | 13 | EM-SysAdmin; IT-SysAdmin
15 | Transport system to data center | 1 | 14 | IT-SysAdmin
16 | … | | |
17 | Milestone: Server moved | 0 | |
18 | Connect server at new location | 0.5 | 15 | IT-SysAdmin
19 | Connect peripherals at new location | 0.5 | 18 | IT-SysAdmin
20 | Connect wires/wireless at new location | 1 | 18 | IT-SysAdmin
21 | … | | |
22 | Milestone: Server setup at new location | 0 | |
23 | Test Server OS at new location | 2 | 22 | IT-SysAdmin
26 | … Similar steps needed for each Dean’s Systems | | |
18
Milestone Plan Chart
Only lists major milestones
When using a Project Management software package like MS Project, there are packaged reports available to provide a visual representation of the tasks and milestones.
A Milestone Plan Chart only displays the start and end of the work elements that end with a milestone. This is displayed as a number of lines that allow the users to quickly see how long the elements take and the sequence and relationship to other work elements that start before or after that milestone.
For the ‘eliminating National ID’ plan, you would probably see the following work elements in sequence:
Analyze the requirement to see what programs must be modified – Milestone: Analysis completed
Rewrite the programs to eliminate the National ID – Milestone: Program Rewrite completed
Test the programs to ensure they work properly – Milestone: Testing completed
Implement the new programs – Milestone: New system implemented
Train the user on the new program outputs – Milestone: Training completed
Go back to the users to make sure everything is working properly – Milestone: Evaluation completed
19
Gantt Chart
Shows a full project schedule
The Gantt Chart is another visual representation of the project and all of its steps. It shows how the tasks relate to each other, especially when one task is dependent on the completion of a previous task.
In our discussion of the Milestone Plan chart, Programming wasn’t started until Analysis was done; Testing wasn’t done until Programming was completed.
In the Gantt Chart you see the length of time it takes to complete the tasks and the sequence and timing of the next tasks. At the top of the Gantt Chart, a time bar is shown so the user can see when each task should start and end.
20
Critical Path Chart
Identifies critical tasks to be managed
The Critical Path chart is another visual presentation showing the work elements that take the longest to complete. This is used when multiple work elements are being executed at the same time.
Looking at all three of the work elements we discussed earlier, ‘move servers’, ‘eliminate National ID’ and ‘train systems administrators’, they would probably be executed at the same time because the resources needed to complete them are often independent of each other (System Admins move servers; programmers rewrite the programs that display National IDs; trainers train the system administrators).
If the goal is to complete all of these work elements by a certain date, you would want to see which one has the potential to be late.
In our example, the Enrollment Management and Deans’ SysAdmins get the servers ready for the move and then the IT SysAdmins complete the move and set up the systems in the Data Center. If the Enrollment Management and Deans’ SysAdmins are scheduled for training at the same time they should be preparing for the move, it most likely will delay the finish of the move. The Critical Path would show the move as the longest ‘path’. By moving the training to a later date, the move would finish sooner and the deadline would be easier to meet.
21
Summary
Fundamental components of a risk management plan
Objectives of a risk management plan
Boundaries and scope of a risk management plan
Importance of assigning responsibilities in a risk management plan
Significance of planning, scheduling, and documentation
22
Grading rubric
Content
The student does an excellent job organizing each response to demonstrate an understanding of the concepts. All required components are included in the response, including a summary and overview of the issue, and a comparison and contrast of the perspectives on the issue. How are the articles similar or different in how they expose the issues? What are the explicit and implicit issues?
Analysis
Taking from the emergent literature (only journal articles or textbook), what are some of the implications and recommendations for conducting international business? The student does an excellent job analyzing the issue(s) and does not just provide a conclusion or an opinion without explaining the reason for the choice. The analysis is supported by reference(s) to the course material and includes a clear and well-defined explanation of the relevant principle(s) or concept(s) from the text.
Inquiry
The student does an excellent job organizing each response to demonstrate an understanding of the concepts. Write at least
two questions that can be exposed (still without an answer) from analyzing this issue. These inquiries can be questions/issues that you were not able to answer or understand. Clarify where or how you believe you can obtain this information. Mention specific sources (do not simply say, “Searching on the Internet”).
ISOL 533 Project
Part 1 and part 2
Overview
Write paper in sections
Understand the company
Find similar situations
Research and apply possible solutions
Research and find other issues
Health network inc
You are an Information Technology (IT) intern
Health Network Inc.
Headquartered in Minneapolis, Minnesota
Two other locations
Portland Oregon
Arlington Virginia
Over 600 employees
$500 million USD annual revenue
Data centers
Each location is near a data center
Managed by a third-party vendor
Production centers located at the data centers
Health network’s Three products
HNetExchange
Handles secure electronic medical messages between
Large customers such as hospitals and
Small customers such as clinics
HNetPay
Web Portal to support secure payments
Accepts various payment methods
HNetConnect
Allows customers to find Doctors
Contains profiles of doctors, clinics and patients
Health networks IT network
Three corporate data centers
Over 1000 data servers
650 corporate laptops
Other mobile devices
Management request
Current risk assessment outdated
Your assignment is to create a new one
Additional threats may be found during re-evaluation
No budget has been set on the project
Threats identified
Loss of company data due to hardware being removed from production systems
Loss of company information on lost or stolen company-owned assets, such as mobile devices and laptops
Loss of customers due to production outages caused by various events, such as natural disasters, change management, unstable software, and so on
Internet threats due to company products being accessible on the Internet
Insider threats
Changes in regulatory landscape that may impact operations
Part 1 project assignment
Conduct a risk assessment based on the information from this presentation
Write a 5-page paper, properly APA formatted
Your paper should include
The Scope of the risk assessment, i.e. assets, people, processes, and technologies
Tools used to conduct the risk assessment
Risk assessment findings
Business Impact Analysis
Part 2 project
You will add to your findings from part 1 and address them with a risk mitigation plan.
The plan should include
The plans to reduce risk and vulnerabilities
Determine if organization is risk averse or risk tolerant
Future plans to reduce residual risks
The requirement for this half is also 5 pages, properly APA formatted.