1. Building a Risk Management Program Alfred Barker
Asst. Dir., Information Security and Network Services
2. The Plan! A Risk Management Plan is needed to define the authority, responsibility, procedures, and awareness training needed to build a successful management program from the information gathering to the assessment report.
Without this, disaster recovery and continuity planning are only exercises with little usable and pertinent information.
A complete plan describes the policy, the procedures by phase, the reporting requirements, and the awareness training needed to carry the Risk Management Program through from information gathering to the assessment report.
3. The Policy The College Risk Management Plan is established at the direction of the Board of Regents, through the policy titled USG Information Technology (IT) & Information Security (IS) Risk Management, dated 16-Feb-09. The policy states:
"Each USG Institution that employs information technology must establish risk management and disaster recovery planning processes for identifying, assessing, and responding to the risks associated with its information assets."
The planning process begins with the establishment of a College Risk Management Policy, which describes the "who, what, when, where, and why" of risk management.
4. The Procedures The Risk Management Procedures guide is created next; it describes the "how" of risk management.
This document is based on NIST SP 800-30, Risk Management Guide for Information Technology Systems. That model was chosen because the Governor of Georgia, by Executive Order, directed all State agencies to adopt the Federal Information Security Management Act (FISMA) as their security and reporting standard.
This process is broken into three distinct phases:
Risk Assessment
Risk Mitigation
Evaluation and Assessment
In addition, awareness training in the form of lecture notes and PowerPoint is available.
5. PHASE I: Forms/Worksheets
Characterization Questionnaire
To begin the information gathering process
Business Impact Analysis Questionnaire
To identify and prioritize the characterized systems and their risks
Information Technology Threats, Risk Assessment Worksheet
To support the information gathering of the BIA
Cost-Benefit Analysis Worksheet
To support the information gathering of the BIA
6. PHASE II After the BIA is complete and submitted to the Office of Information Security, phase two, titled Risk Mitigation, begins. This phase of the process focuses on the controls needed to protect the information systems and processes where data is stored, processed, or transmitted.
The goal is to protect the data's:
Confidentiality
Integrity
Availability
In support of this process are the Risk Management Procedures guide, Information Technology Threats, Risk Assessment Worksheet, Cost-Benefit Analysis Worksheet and the BIA.
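As an added worked example (not part of the original slides, and not the College's own worksheets), the following Python script shows how the Phase I Threats/Risk Assessment Worksheet and Cost-Benefit Analysis Worksheet feed the Phase II mitigation decision. It uses the likelihood weights, impact values and risk-level scale from Table 3-6 of NIST SP 800-30 (2002), and a decision screen modelled on the cost-benefit discussion in its section 4.5. The system names, threats, controls and dollar figures are constructed for illustration; treating the likelihood weights as annual probabilities in the expected-loss calculation is a simplification of this example, not SP 800-30's own method.

```python
"""Worked example of NIST SP 800-30 (2002) risk determination and a
cost-benefit screen for candidate controls.  Added illustration; the
worksheet rows below are constructed, not real College data."""

from typing import Dict, List

# Likelihood weights and impact values from SP 800-30 (2002), Table 3-6.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood weight x impact value (SP 800-30 Table 3-6)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """SP 800-30 risk scale: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


# Constructed worksheet rows: one threat/asset pair per row, with the
# candidate control and the residual likelihood/impact it would leave.
WORKSHEET: List[Dict] = [
    {"system": "Student records DB", "threat": "SQL injection via web portal",
     "likelihood": "Medium", "impact": "High", "loss_if_exploited": 250_000,
     "control": "Parameterized queries and input validation",
     "control_cost": 15_000, "residual_likelihood": "Low", "residual_impact": "High"},
    {"system": "Departmental file server", "threat": "Ransomware via phishing",
     "likelihood": "High", "impact": "High", "loss_if_exploited": 120_000,
     "control": "Offline backups plus MFA on remote access",
     "control_cost": 8_000, "residual_likelihood": "Medium", "residual_impact": "High"},
    {"system": "Lab workstations", "threat": "Malware from removable media",
     "likelihood": "High", "impact": "Medium", "loss_if_exploited": 30_000,
     "control": "Commercial endpoint DLP suite",
     "control_cost": 40_000, "residual_likelihood": "Low", "residual_impact": "Medium"},
    {"system": "Campus email", "threat": "Credential phishing",
     "likelihood": "Medium", "impact": "Medium", "loss_if_exploited": 20_000,
     "control": "Annual awareness training only",
     "control_cost": 2_000, "residual_likelihood": "Medium", "residual_impact": "Medium"},
    {"system": "Public website", "threat": "Defacement",
     "likelihood": "High", "impact": "Low", "loss_if_exploited": 5_000,
     "control": "Managed WAF subscription",
     "control_cost": 6_000, "residual_likelihood": "Low", "residual_impact": "Low"},
]


def prioritize(rows: List[Dict]) -> List[Dict]:
    """Order the worksheet for the BIA: highest risk score first, impact breaks ties."""
    return sorted(rows, key=lambda r: (risk_score(r["likelihood"], r["impact"]),
                                       IMPACT[r["impact"]]), reverse=True)


def cost_benefit(row: Dict) -> Dict:
    """Screen one candidate control along the lines of SP 800-30 section 4.5.

    Simplification for this example (an assumption, not SP 800-30's method):
    the likelihood weights are treated as annual probabilities, so the
    expected loss reduction is loss_if_exploited x (likelihood_before - likelihood_after).
    """
    before = risk_score(row["likelihood"], row["impact"])
    after = risk_score(row["residual_likelihood"], row["residual_impact"])
    level_before, level_after = risk_level(before), risk_level(after)
    reduction = row["loss_if_exploited"] * (
        LIKELIHOOD[row["likelihood"]] - LIKELIHOOD[row["residual_likelihood"]])

    if level_before == "Low":
        decision = "accept"          # Low risk: management may accept it as is
    elif level_after == level_before:
        decision = "insufficient"    # control does not lower the risk level
    elif row["control_cost"] > reduction:
        decision = "seek_cheaper"    # control costs more than the loss it avoids
    else:
        decision = "implement"
    return {"system": row["system"], "score_before": before, "level_before": level_before,
            "score_after": after, "level_after": level_after,
            "expected_loss_reduction": round(reduction, 2), "decision": decision}


if __name__ == "__main__":
    for row in prioritize(WORKSHEET):
        r = cost_benefit(row)
        print(f'{r["system"]:<26} {r["level_before"]:<7}({r["score_before"]:>5}) '
              f'-> {r["level_after"]:<7}({r["score_after"]:>5})  {r["decision"]}')
```

Running the script prints the worksheet in BIA priority order (the file server's High risk first) and one decision per row: two controls are cost-effective, the DLP suite costs more than the expected loss it avoids, awareness training alone leaves the phishing risk at the same level, and the website defacement risk is Low enough to be a candidate for acceptance. In a real worksheet the likelihood and impact ratings would come from the Characterization and BIA questionnaires, and the decision column would be reviewed by the Office of Information Security rather than taken from a rule.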
7. PHASE III: Forms/Worksheets
Risk Assessment Report
Prepared by the Information Security Office from the work submitted in the interview process.
This report is to be provided to:
The unit being interviewed, so that the unit may use the information in the creation of its COOP/BCP.
Public Safety, for the College-wide EOP/BCP.
8. Assessment/Audit Information Security Risk Assessment Checklist: a High-Level Tool to Assist USG Institutions with Risk Analysis
This Checklist should be completed by the institution's Information Security Officer (ISO) or designee, in cooperation with the Chief Information Officer. A response to the items in each section should be prepared to accurately reflect the "point in time" picture of the institution's security posture.
Identify the levels of risk associated with any of the items that result in a "no" response.
Develop an appropriate action plan to mitigate the identified risk.
Assign roles and responsibilities for implementing and monitoring timely completion of the action plan (the Plan of Action & Milestones).
9. Assessment/Audit The topics covered within the audit are:
Institutional and Management Practices
Personnel Practices
Physical Security Practices
Data Security Practices
Information Integrity Practices
Software Integrity Practices
Personal Computer Security Practices
Network Protection Practices
Incident Response Practices
10. Questions?