Risk mitigation, which is part of the risk management plan, takes place once you have identified and analyzed your risks. Risk mitigation is identifying the strategies you are going to use to accept, avoid, share/reduce, or work around the identified and analyzed risks. Which of the seven domains do you think will be the easiest to identify, and which will be the hardest? Defend your answer.
Course Textbook(s) Gibson, D., & Igonor, A. (2022). Managing risk in information systems (3rd ed.). Jones & Bartlett Learning. https://online.vitalsource.com/#/books/9781284193633
SEC 4301, IS Disaster Recovery 1
Course Learning Outcomes for Unit V
Upon completion of this unit, students should be able to:
1. Explain the business continuity procedures.
   1.1 Research the laws and regulations that impact the business continuity procedures.
2. Develop an asset ranking report.
   2.1 Summarize the five business functions for the risk management scope.
3. Analyze an impact assessment for organization threat analysis.
   3.1 Assess the control countermeasures to be implemented in the risk management planning phase.

Required Unit Resources
Chapter 10: Planning Risk Mitigation Throughout an Organization
Chapter 11: Turning a Risk Assessment into a Risk Mitigation Plan

Unit Lesson
Scope Management
Mitigating risks throughout the organization is paramount to the success of any business. The past few lessons dissected threats, vulnerabilities, and exploits: how each is defined, implemented, and identified within the seven domains, together with some areas outside those domains, such as physical controls. The organization as a whole is driven by its business strategy, which encapsulates the business operations and functions of the organization. Controls and compliance are two factors that must be planned for when mitigating risk across the organization as a whole. Risk mitigation planning involves examining the risk management scope within the five areas of the organization illustrated below in Figure 5.1.
UNIT V STUDY GUIDE Risk Mitigation Strategies
According to Gibson (2015), there are five areas in which risk management scope needs to be applied.
Figure 5.1: Risk Management Scope
(Gibson, 2015)
• Critical business operations identify the critical operations pertaining to the business flow of the organization through the use of the business impact analysis (BIA) tool.
• Service delivery is a critical component, as it provides services to the organization's customers. These services are documented in a service level agreement that lists the services to be provided and the maximum uptime and minimum downtime that is to be expected.
• Business systems, applications, and data access are mission items that are driven by the critical business functions, which describe the functions of the organization, and the critical success factors, which designate those elements needed to operate the business.
• Seven domains are the User Domain, Workstation Domain, LAN Domain, LAN-to-WAN Domain, Remote Access Domain, WAN Domain, and the System/Applications Domain. Each of the domains must identify the risk management scope.
• Security gaps are those areas in which organizational assets have been identified as lacking security controls that are critically needed for the operation of the business.
Legalities
Organizations must be in compliance and stay within the legal boundaries of the business process to effectively mitigate threats and vulnerabilities (Gibson, 2015). With the growth and maturity of the Internet, many organizations conduct business and deliver services over the Internet as well as through brick-and-mortar stores. This increasing demand has prompted Congress to enact many laws and regulations to protect information held in electronic form. Some of the standard laws and compliance requirements are illustrated in this interactive activity, but these are just the tip of the iceberg. View the Unit V Laws Presentation.
The scope of the business or organization will determine which laws and compliance requirements need to be met; in turn, this will determine how organizational assets such as the seven domains are organized (Gibson, 2015). The applicable law or compliance requirement will determine how the security controls should be implemented within the business processes. Each of these laws and compliance requirements carries its own consequences depending on how it is implemented. A wrong implementation would be disastrous, whereas a correct installation of the security controls and compliance measures will create a healthy security environment for the organization (Gibson, 2015).

Risk Assessment Countermeasures
The risk assessment plan is a living document; this means the threats and vulnerabilities will change over time. Therefore, the risks identified must be re-checked to see whether they are still valid or need an additional assessment. When reviewing the risk assessment for the mitigation plan, countermeasures need to be examined as shown in Figure 5.2.
Figure 5.2: Countermeasures
(Gibson, 2015)
As depicted in Figure 5.2, the in-place, planned, and approved countermeasure steps have two things in common: first, each has had a risk assessment, and second, all three have control countermeasures identified. In-place countermeasures may need to be updated depending on the information gathered (Gibson, 2015). Planned countermeasures, upon their implementation, should be checked to see whether they are still needed or need to be updated since the evaluation (Gibson, 2015). Approved countermeasures are those controls that have been approved and are awaiting implementation into the system. These controls need to be closely monitored, as additional requirements might be needed when implementation begins (Gibson, 2015).
Pre-Mitigation Plan
Once the risk assessment countermeasures have been identified and approved, the risk mitigation plan can be developed. Areas that should be covered in the risk mitigation plan are outlined below.
Figure 5.3: Pre-Mitigation Plan
(Gibson, 2015)
An important factor in the pre-mitigation plan is to prioritize the risks. Figure 5.4 provides an example, from Table 11-2 in Chapter 11 of your textbook, of constructing a risk priority matrix.

Priority Risk Matrix: A Threat/Likelihood-Impact Matrix (Table 11-2)

Threat likelihood level              Low Impact (10)   Medium Impact (50)   High Impact (100)
High threat likelihood 100% (1.0)    10 X 1 = 10       50 X 1 = 50          100 X 1 = 100
Medium threat likelihood 50% (.50)   10 X .5 = 5       50 X .5 = 25         100 X .5 = 50
Low threat likelihood 10% (.10)      10 X .1 = 1       50 X .1 = 5          100 X .1 = 10

Figure 5.4
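As an added worked example (not code from the study guide or from the Gibson textbook), the Python below builds the Table 11-2 matrix from the impact values and likelihood probabilities above and then applies the same score to a small risk register. The five register entries, their domains and ratings, and the 25-point planning threshold are constructed assumptions for illustration; the only values taken from the page are the 10/50/100 impact scale and the 1.0/.50/.10 likelihood scale.

```python
"""Threat likelihood x impact scoring, after the Table 11-2 matrix in this unit.

Added worked example. The sample risks and the planning threshold are
constructed for illustration and are not from the study guide or textbook.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Scales exactly as the study guide's Table 11-2 states them.
IMPACT: Dict[str, int] = {"low": 10, "medium": 50, "high": 100}
LIKELIHOOD: Dict[str, float] = {"low": 0.10, "medium": 0.50, "high": 1.00}


@dataclass(frozen=True)
class Risk:
    """One risk-register entry: the asset's domain plus qualitative ratings."""
    name: str
    domain: str        # one of the seven domains (User, Workstation, LAN, ...)
    likelihood: str    # "low" | "medium" | "high"
    impact: str        # "low" | "medium" | "high"


def risk_score(likelihood: str, impact: str) -> float:
    """Priority score = impact value x likelihood probability (Table 11-2)."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def priority_matrix() -> Dict[Tuple[str, str], float]:
    """All nine (likelihood, impact) cells of the matrix shown in Figure 5.4."""
    return {(lk, im): risk_score(lk, im) for lk in LIKELIHOOD for im in IMPACT}


def rank_risks(risks: List[Risk], threshold: float = 25.0) -> List[Tuple[str, float, bool]]:
    """Return (name, score, needs_mitigation) sorted with the highest score first.

    The threshold is an assumed planning cut-off: scores at or above it are
    carried into the risk mitigation plan; lower ones are accepted or deferred.
    """
    scored = [(r.name, risk_score(r.likelihood, r.impact)) for r in risks]
    scored.sort(key=lambda entry: entry[1], reverse=True)
    return [(name, score, score >= threshold) for name, score in scored]


# Constructed sample register, one entry per illustrative domain (not real findings).
SAMPLE_RISKS: List[Risk] = [
    Risk("Printer queue outage", "LAN Domain", "medium", "low"),
    Risk("Unpatched remote-access gateway", "Remote Access Domain", "high", "high"),
    Risk("Backup restore never tested", "System/Application Domain", "low", "high"),
    Risk("Staff credential phishing", "User Domain", "high", "medium"),
    Risk("Laptop lost while travelling", "Workstation Domain", "medium", "medium"),
]


if __name__ == "__main__":
    # Print the matrix cells highest first, then the ranked register.
    for (lk, im), score in sorted(priority_matrix().items(), key=lambda c: -c[1]):
        print(f"{lk:>6} likelihood x {im:>6} impact = {score:5.1f}")
    print()
    for name, score, flagged in rank_risks(SAMPLE_RISKS):
        print(f"{score:5.1f}  {'MITIGATE' if flagged else 'accept  '}  {name}")
```

Running the block lists the nine matrix cells and then the register ordered 100, 50, 25, 10, 5, with the first three entries flagged for the mitigation plan under the assumed threshold. Because the scale is qualitative, two risks with the same score still need a human tie-break, which is why the register keeps the domain alongside the score.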
Summary
In summary, the scope must be identified within the risk assessment along with the required controls and compliance requirements, which are dictated by the strategy and the type of business the organization serves. The countermeasures must be monitored closely to determine whether they are still needed or should be upgraded to meet compliance requirements. The identification of threats and the likelihood of impacts should be closely scrutinized when prioritizing risks during pre-mitigation plan development. As mentioned before, the risk assessment plan is a living document and will change often. The same is true for the risk mitigation plan, since controls and countermeasures need to be adjusted based on the threats and vulnerabilities encountered with the assets.
Reference
Gibson, D. (2015). Managing risk in information systems (2nd ed.). Jones and Bartlett Learning. https://online.vitalsource.com/#/books/9781284107753
Suggested Unit Resources
In order to access the following resources, click the links below. The following presentations will summarize and reinforce the information from Chapters 10 and 11 in your textbook.
• Chapter 10 PowerPoint Presentation
• PDF Version of Chapter 10 PowerPoint Presentation
• Chapter 11 PowerPoint Presentation
• PDF Version of Chapter 11 PowerPoint Presentation

Learning Activities (Nongraded)
Nongraded Learning Activities are provided to aid students in their course of study. You do not have to submit them. If you have questions, contact your instructor for further guidance and information. The following learning activities provide additional information that will assist you with the mastery of the learning objectives for this unit.
Go to the CSU Online Library, use the Discovery Search feature, and type in the following phrases: "HIPAA, FISMA, FERPA, security controls, control countermeasures, risk assessment plan, risk mitigation plan." Select and read two articles. Use the criteria of peer-reviewed (scholarly) article and less than 5 years old. Here is a link straight to the CSU Online Library Discovery Search.
The internet can provide you with a wealth of information concerning the topics in this unit. For example, the following video is from the CSU Films on Demand database and provides additional information about mitigation and evaluation of risks.
CNBC LLC (Producer). (2010). Risk assessment and mitigation (Segment 9 of 15) [Video]. In The future of technology: Meeting of the minds. Films on Demand. https://libraryresources.columbiasouthern.edu/login?auth=CAS&url=http://fod.infobase.com/PortalPlaylists.aspx?wID=273866&xtid=47314&loid=139465
The transcript for this video can be found by clicking the "Transcript" tab to the right of the video in the Films on Demand database.

Check Your Knowledge
These questions will help you assess whether or not you have mastered the unit content. Can you answer them without looking in the textbook?
• Answer the Chapter 10 Assessment questions at the end of Chapter 10 in your textbook. After you have answered the questions, you can find out how well you did by viewing the Chapter 10 Answer Key.
• Answer the Chapter 11 Assessment questions at the end of Chapter 11 in your textbook. After you have answered the questions, you can find out how well you did by viewing the Chapter 11 Answer Key.
Word Search
Some of this unit's key terms and phrases (written as one word) have been hidden in the word search puzzle. Access the Unit V Word Search puzzle, and see if you can find them.