Risk Management Plan
Version 1.1
TABLE OF CONTENTS
1 INTRODUCTION
1.1 PURPOSE
1.2 SCOPE
1.3 COMPLIANCE LAWS AND REGULATIONS
1.4 ROLES AND RESPONSIBILITIES
2 RISK MANAGEMENT PROCEDURE
2.1 RISK PLANNING
2.2 RISK MONITORING
2.3 RISK REPORTING
2.4 ACTION PLAN
3 TOOLS AND PRACTICES
4 RISK MANAGEMENT PLAN APPROVAL
Introduction:
Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. This plan specifically addresses assessment and analysis of security control effectiveness and of organizational security status in accordance with organizational risk tolerance. Security control effectiveness is measured by correctness of implementation and by how adequately the implemented controls meet organizational needs in accordance with current risk tolerance. Organizational security status is determined using metrics established by the organization to best convey the security posture of an organization's information and information systems, along with organizational resilience given known threat information. This necessitates:
- Maintaining situational awareness of all systems across the organization;
- Maintaining an understanding of threats and threat activities;
- Assessing all security controls;
- Collecting, correlating, and analyzing security-related information;
- Providing actionable communication of security status across all tiers of the organization; and
- Active management of risk by organizational officials.
Purpose:
The purpose of this guideline is to assist the organization in developing an ISCM strategy and implementing an ISCM program that provides awareness of threats and vulnerabilities, visibility into organizational assets, and insight into the effectiveness of deployed security controls. The ISCM strategy and program support ongoing assurance that planned and implemented security controls are aligned with organizational risk tolerance, as well as the ability to provide the information needed to respond to risk in a timely manner. Senior management at Defense Logistics Information Service has decided that the organization's risk management plan is out of date. Because of the importance of risk management, a new plan needs to be developed. The risk management plan is for the organization's use only. This new risk management plan will not only minimize the amount of risk for future endeavors, but will also comply with regulations and guidance such as the Federal Information Security Management Act (FISMA), Department of Defense (DOD), Department of Homeland Security (DHS), National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), and the DoD Information Assurance Certification and Accreditation Process (DIACAP).
Scope:
This risk management plan is for the organization's use only and covers its network, including remote access. Any system outside the scope of this risk management plan may cause the network infrastructure to fail or make it a high-risk structure, because unprotected outside sources interacting with other outside sources allow hackers to infiltrate the system and steal important files. The scope of this project includes the planning, scheduling, budgeting, and consultation needed to perform an in-depth risk assessment, and the research needed to determine which compliance laws this organization must follow. We must identify all the risks and vulnerabilities associated with this organization and create viable solutions that mitigate these risks as quickly and as inexpensively as possible without compromising the integrity and confidentiality of any business assets. A cost-benefit analysis should also be conducted prior to the planning phase of this project. Implementing and executing these policies and procedures in order to mitigate these risks is a critical part of this project's process. Security features such as controls, audit logs, patching, etc. will be implemented, monitored, reported, and documented. Other risks such as natural disasters and accidental fires/floods should also be considered and accommodated accordingly, including a backup and disaster recovery plan.
Risk Analysis
Risks vary greatly: natural disasters, operational errors, software vulnerabilities, financial hardships, or human interactions such as attackers, buffer overflow attacks, SYN flood attacks, etc. Network and server crashes, loss of connectivity, broken or damaged equipment/hardware including workstations, employees calling in sick, hard deadlines not being met, costs, no IDs, and open ports on the firewall can all be considered risks. Not having any antivirus software, not updating the operating systems, running unneeded services and protocols, and not having any backups of business assets such as files and applications are risks that should be considered critical to an organization. The severity of the loss/impact will depend greatly on the risk associated with it.
Risk table (flattened in extraction; entries are listed by column)

Threat:
- Users
- Stolen data
- Social engineering

Vulnerability:
- Lack of antivirus software, outdated definitions
- Public facing servers not protected with firewalls and intrusion detection systems
- Access controls not properly implemented

Harmful event/loss:
- Loss of production data and confidentiality
- Loss of data availability (impact of loss determined by value of data)
- Infection (impact of loss determined by payload of malware)
- Loss of service availability

Mitigation:
- Implement both authentication and access controls
- Backup data regularly, keep copies of backup offsite
- Install antivirus software, update definitions at least weekly
- Implement firewalls, implement intrusion detection systems
- Implement both authentication and access controls, use principle of need to know
- Provide training, raise awareness through posters, occasional e-mails, and mini-presentations
- Install fire detection and suppression equipment. Purchase insurance
- Purchase insurance, designate alternate backup sites

Ratings: Medium, Medium, High, Medium, Low, Low, Low
Authorizing Official (AO). The AO assumes responsibility for ensuring the organization's ISCM program is applied with respect to a given information system. The AO ensures the security posture of the information system is maintained, reviews security status reports and critical security documents, and determines if the risk to the organization from operation of the information system remains acceptable. The AO also determines whether significant information system changes require reauthorization actions and reauthorizes the information system when required.

Information System Owner (ISO)/Information Owner/Steward. The ISO establishes processes and procedures in support of system-level implementation of the organization's ISCM program. This includes developing and documenting an ISCM strategy for the information system; participating in the organization's configuration management process; establishing and maintaining an inventory of components associated with the information system; conducting security impact analyses on changes to the information system; conducting, or ensuring conduct of, assessment of security controls according to the ISCM strategy; preparing and submitting security status reports in accordance with organizational policy and procedures; conducting remediation activities as necessary to maintain system authorization; revising the system-level security control monitoring process as required; reviewing ISCM reports from common control providers to verify that the common controls continue to provide adequate protection for the information system; and updating critical security documents based on the results of ISCM.

Information System Security Officer (ISSO). The ISSO supports the organization's ISCM program by assisting the ISO in completing ISCM responsibilities and by participating in the configuration management process.

Common Control Provider. The common control provider establishes processes and procedures in support of ongoing monitoring of common controls. The common control provider develops and documents an ISCM strategy for assigned common controls; participates in the organization's configuration management process; establishes and maintains an inventory of components associated with the common controls; conducts security impact analyses on changes that affect the common controls; ensures security controls are assessed according to the ISCM strategy; prepares and submits security status reports in accordance with organizational policy/procedures; conducts remediation activities as necessary to maintain common control authorization; updates/revises the common security control monitoring process as required; updates critical security documents as changes occur; and distributes critical security documents to individual information owners/information system owners and other senior leaders in accordance with organizational policy/procedures.

Security Control Assessor. The security control assessor provides input into the types of security-related information gathered as part of ISCM and assesses information system or program management security controls for the organization's ISCM program. The security control assessor develops a security assessment plan for each security control; submits the security assessment plan for approval prior to conducting assessments; conducts assessments of security controls as defined in the security assessment plan; updates the security assessment report as changes occur during ISCM; and updates/revises the security assessment plan as needed.
Organizations may define other roles (e.g., information system administrator, ISCM program manager) as needed to support the ISCM process. Roles and responsibilities are provided by the National Institute of Standards and Technology (NIST) Information Security Continuous Monitoring (ISCM) for Federal Federal Information Systems and Organizations, Special Publication 800-137. Responsibilities across the organization's tiers include:
- Provide input to the development of the organizational ISCM strategy, including establishment of metrics, policy, and procedures; compiling and correlating Tier 3 data into security-related information of use at Tiers 1 and 2; policies on assessment and monitoring frequencies; and provisions for ensuring sufficient depth and coverage when sampling methodologies are utilized.
- Review monitoring results (security-related information) to determine security status in accordance with organizational policy and definitions.
- Analyze potential security impact to organization and mission/business process functions resulting from changes to information systems and their environments of operation, along with the security impact to the enterprise architecture resulting from the addition or removal of information systems.
- Make a determination as to whether or not current risk is within organizational risk tolerance levels.
- Take steps to respond to risk as needed (e.g., request new or revised metrics, additional or revised assessments, modifications to existing common or PM security controls, or additional controls) based on the results of ongoing monitoring activities and assessment of risk.
- Update relevant security documentation.
- Review new or modified legislation, directives, policies, etc., for any changes to security requirements.
- Review monitoring results to determine if organizational plans and policies should be adjusted or updated.
- Review monitoring results to identify new information on vulnerabilities.
- Review information on new or emerging threats as evidenced by threat activities present in monitoring results, threat modeling (asset- and attack-based), classified and unclassified threat briefs, US-CERT reports, and other information available through trusted sources, interagency sharing, and external government sources.
- Provide input to the development and implementation of the organization-wide ISCM strategy, along with development and implementation of the system-level ISCM strategy.
- Support planning and implementation of security controls, the deployment of automation tools, and how those tools interface with one another in support of the ISCM strategy.
- Determine the security impact of changes to the information system and its environment of operation, including changes associated with commissioning or decommissioning the system.
- Assess ongoing security control effectiveness.
- Take steps to respond to risk as needed (e.g., request additional or revised assessments, modify existing security controls, implement additional security controls, accept risk, etc.) based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the plan of action and milestones.
- Provide ongoing input to the security plan, security assessment report, and plan of action and milestones based on the results of the ISCM process.
- Report the security status of the information system, including the data needed to inform Tiers 1 and 2 metrics.
- Review the reported security status of the information system to determine whether the risk to the system and the organization remains within organizational risk tolerances.
After analyzing system management, operational, and technical security controls for the Defense Logistics Agency in its fielded environment, system vulnerabilities are identified, mitigated, and then monitored and reported. The analysis of the Defense Logistics Agency's system vulnerabilities, the threats associated with them, and the probable impact of exploitation of those vulnerabilities resulted in a risk rating for each missing or partially implemented control. The risk level was determined from the following two factors:
- Likelihood of Occurrence: the likelihood that the threat can exploit vulnerabilities given the system environment and other mitigating controls that are in place.
- Impact: the impact of the threat exploiting the vulnerability in terms of loss of tangible assets or resources and impact on the organization's mission, reputation, or interest.
To determine overall risk levels, the analyst must first look at how important the availability, integrity, and confidentiality of the system are to its ability to perform its function, and at the types of damage that could be caused by the exercise of each threat-vulnerability pair. Exploitation of a vulnerability may result in one or more of the following types of damage to a system or its data:
- Loss of Availability/Denial of Service: access to the system, specific system functionality, or data is not available (the asset is not destroyed).
- Loss of Integrity/Destruction and/or Modification: total loss of the asset either by complete destruction of the asset or irreparable damage, or unauthorized change, repairable damage to the asset, or change to asset functionality.
- Loss of Confidentiality/Disclosure: release of sensitive data to individuals or to the public who do not have a need to know.
The level of risk on a project will be tracked, monitored, and reported throughout the project lifecycle. A Top 10 Risk List will be maintained by the project team and reported as a component of the project status reporting process for this project. All project change requests will be analyzed for their possible impact on the project risks. Management will be notified of important changes to risk status as a component of the Executive Project Status Report.
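To make the two-factor rating concrete, here is an added example (not part of the original plan) that scores threat-vulnerability pairs on the plan's Low/Medium/High scale: impact is derived from the damage types above, weighted by how much the system depends on each security objective, risk combines likelihood with impact, and the scored pairs are then ranked for the Top 10 Risk List. The SYSTEM_PRIORITY weights and the register entries are constructed assumptions built from the plan's risk table.

```python
from dataclasses import dataclass
# Ordinal scale shared by likelihood, impact and the resulting risk level.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}
NAMES = {1: "Low", 2: "Medium", 3: "High"}

@dataclass(frozen=True)
class ThreatPair:
    threat: str
    vulnerability: str
    likelihood: str        # Likelihood of Occurrence: Low / Medium / High
    damage: dict           # damage type -> severity, e.g. {"availability": "High"}
    mitigation: str

# How important each security objective is to the system performing its function
# (constructed weights for illustration; an analyst sets these per system).
SYSTEM_PRIORITY = {"confidentiality": "High", "integrity": "High", "availability": "Medium"}

def _to_level(score: int) -> str:
    """Map a 1..9 product onto the three-point scale: 1-3 Low, 4-6 Medium, 7-9 High."""
    return NAMES[min(3, (score + 2) // 3)]

def impact(pair: ThreatPair, priority=SYSTEM_PRIORITY) -> str:
    """Impact is the worst damage type, scaled by how much the system depends on it."""
    worst = 1
    for objective, severity in pair.damage.items():
        worst = max(worst, LEVELS[severity] * LEVELS[priority[objective]])
    return _to_level(worst)

def risk_level(pair: ThreatPair, priority=SYSTEM_PRIORITY) -> str:
    """Risk level from the plan's two factors: likelihood combined with impact."""
    return _to_level(LEVELS[pair.likelihood] * LEVELS[impact(pair, priority)])

def top_risks(pairs, n=10, priority=SYSTEM_PRIORITY):
    """Rank pairs for the Top 10 Risk List: highest risk first, then highest likelihood."""
    ranked = sorted(pairs, reverse=True,
                    key=lambda p: (LEVELS[risk_level(p, priority)], LEVELS[p.likelihood]))
    return [(risk_level(p, priority), p.threat, p.vulnerability, p.mitigation)
            for p in ranked[:n]]

# Constructed register built from entries in the plan's risk table (threat names assumed).
REGISTER = [
    ThreatPair("Malware", "Lack of antivirus software, outdated definitions", "High",
               {"integrity": "High", "availability": "Medium"},
               "Install antivirus software, update definitions at least weekly"),
    ThreatPair("External attacker", "Public facing servers not protected with firewalls and IDS",
               "Medium", {"availability": "High"},
               "Implement firewalls, implement intrusion detection systems"),
    ThreatPair("Users", "Access controls not properly implemented", "Medium",
               {"confidentiality": "High", "integrity": "Medium"},
               "Implement both authentication and access controls"),
    ThreatPair("Social engineering", "Staff not trained to recognize it", "Low",
               {"confidentiality": "Medium"},
               "Provide training, raise awareness through posters and e-mails"),
    ThreatPair("Fire", "No fire detection and suppression equipment", "Low",
               {"availability": "High"},
               "Install fire detection and suppression equipment, purchase insurance"),
]
if __name__ == "__main__":
    for level, threat, vuln, fix in top_risks(REGISTER):
        print(f"{level:6} {threat:20} {vuln} -> {fix}")
```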
Deliverable 1:
Risk Assessment. A determination of what the company will need will be made, outlining what requires attention first and in what priority if multiple items are at risk or vulnerable. The risk assessment will also determine which threat or risk would cause the most expensive/harmful damage to the business and the time required to make those repairs.
Deliverable 2:
Security Controls. These will identify how the data and the resources housing the data will be protected from unauthorized entry.
Deliverable 3:
Disaster Recovery Plan. This will include backup and redundancy; if something breaks/fails or is damaged due to fire/floods and other natural disasters, this plan will outline how to repair it.
Action Plan
- Create a regularly scheduled maintenance plan that includes a backup and updating policy.
- Create redundancy on the servers by using multiple hard drives and RAID cards.
- Create a firewall policy, determine what traffic should be allowed into the network, then set up these firewalls on the network routers for an added layer of security.
- Keep extra materials onsite along with 24-hour on-call IT support for emergency calls.
- Create a password policy requiring complex passwords within the network and regular password changes by employees.

Security breaches in the network, such as user/hacker threats, may occur when passwords are stolen because unprotected wireless networks were used. Security may also be compromised by failing to change employee login information when an employee leaves or is terminated. Not all former employees may be disgruntled and vindictive, but it only takes one. Human resources should be contacted immediately for legal action in these circumstances.

- Put an intrusion detection system in place and monitor it. Hackers may use packet sniffers and password cracking software to gain access to the network and create denial of service attacks. In either case security breaches can lead to serious business damage.
- Identify and correctly implement all system-level preventive security controls (technical, operational, and management controls) and audit logs to monitor and prevent attacks.
- Use encryption when sending and receiving data across the network. Business and personal information may be compromised, network services could be interrupted, and the damage would depend on the type of attack suffered. Anything from network/server crashes to stolen information could result in loss of production and even loss of revenue.
- Make a fire suppression system available in the building in the event of a fire.
- Create a contingency plan and a policy statement.
- Create testing, training, and exercising manuals.
- Create separation of duties.
- Develop the contingency planning policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan.
- Backup and recovery warm sites.
- Formal backup and recovery policies and procedures.
- Conduct the business impact analysis (BIA). The business impact analysis helps to identify and prioritize critical IT systems and components.
- Identify preventive controls. These are measures that reduce the effects of system disruptions and can increase system availability and reduce contingency life cycle costs.
- Develop recovery strategies. Thorough recovery strategies ensure that the system can be recovered quickly and effectively following a disruption.
- Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system.
- Plan testing, training, and exercising. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
- Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements.
Types of Teams
- Senior management support
- Project manager
- Technical team members
- IT interns for DLIS
Recovery Scenarios
Minor Damage Scenarios
- Employee theft or fraud: change employee login information when an employee leaves the company; monitor audit logs and surveillance for further potential employee threats.
Major Damage Scenarios
- Hurricane and water damage: redundancy servers, backups, and off-site backup facilities; maintain a log of all data stored; have a temporary or mobile network site available for operations until the site can be brought back online.
Recovery Activities
DLIS will define roles and responsibilities, where to assemble employees if forced to evacuate the building, and lists of key contacts and their contact information, prepared for ease of authorizing and launching the disaster recovery plan.