Objectives of a Risk Management Plan

One of the important first steps for a risk management plan is to establish the objectives. The objectives become the road map for the plan. They help identify where the plan is going and, just as important, help in knowing when the plan has been achieved. Objectives should be established for the plan as early as possible.

The objectives identify the goals of the project. These objectives outline what should be included in the plan. Some common objectives for a risk management plan are:

  • A list of threats
  • A list of vulnerabilities
  • Costs associated with risks
  • A list of recommendations to reduce the risks
  • Costs associated with recommendations
  • A cost-benefit analysis (CBA)
  • One or more reports

Although the reports document the above items, the risk management plan doesn’t end there. Once top managers receive a report, they will be able to make decisions based on the data. They may accept some recommendations, modify others, and defer still others.

The next phase of the risk management plan covers implementation of the plan. Implementation involves the following tasks:

  • Documenting management decisions
  • Documenting and tracking implementation of accepted recommendations
  • Creating a plan of action and milestones (POAM)

Throughout this chapter, two examples are used. They show how a risk management plan can be created for actual projects. The two examples are:

  • Website—A company, Acme Widgets, hosts a website that is used to sell widgets on the Internet. The website is hosted on a web server owned and controlled by Acme Widgets. The website was recently attacked and went down for two days, and the company lost a large amount of money. Additionally, the company lost the goodwill of many customers. This was the second major outage for this website in the past two months, and just two of many outages in the past three years.
  • Health Insurance Portability and Accountability Act (HIPAA) compliance—A company recently purchased Mini Acme. Mini Acme has not complied with HIPAA. Managers want to identify the risks associated with this noncompliance and to ensure that issues are corrected as soon as possible.

NOTE

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to ensure protection of health information data. Title II of HIPAA covers the protection of health data.

In this chapter, examples are used to show how a portion of the plan could be created. The examples aren’t intended to show the only possible way to create a plan. Plans vary based on the needs of the company.

Objectives Example: Website

The Acme Widgets website has suffered outages. These outages have resulted in unacceptable losses. The losses could have been prevented by managing website threats and risks. The risk management plan can be used to identify these risks.

The objectives of the plan are:

  • Identifying threats—This means any threats that directly affect the website. These threats may include:
    • Attacks from the Internet
    • Hardware or software failures
    • Loss of Internet connectivity
  • Identifying vulnerabilities—Vulnerabilities are weaknesses and may include:
    • Lack of protection from a firewall
    • Lack of protection from an intrusion detection system
    • Lack of antivirus software
    • Lack of updates for the server
    • Lack of updates for the antivirus software
  • Identifying assets—Assets are the important things that the company can lose if there is an attack and may include:
    • Potential losses quantified in terms of sales
    • Potential losses in terms of loss of goodwill or reputation
  • Assigning responsibilities—Responsibilities are assigned to specific departments for collecting data, which will be used to create recommendations. Later, in the plan, responsibilities will be assigned to departments to implement and track the plan.
  • Identifying the costs of an outage—Both direct and indirect costs are included. The direct costs are the lost sales during the outage. The amount of revenue lost if the server is down for 15 minutes or longer will come from sales data. Indirect costs include the loss of customer goodwill and the cost to recover the goodwill.
  • Providing recommendations—A list of recommendations to mitigate the risks is included. The recommendations may reduce the weaknesses. They may also reduce the impact of the threats. For example, a hardware failure threat could be addressed by recommending hardware redundancy. A lack of updates could be addressed by implementing an update plan.
  • Identifying the costs of recommendations—The cost of each recommendation is identified and listed.
  • Providing a CBA—A CBA for each recommendation is included. The CBA will compare the cost of the recommendation against the benefit to the company of implementing the recommendation. The benefit can be expressed in terms of income gained or the cost of the outage reduced.
  • Documenting accepted recommendations—Managers will choose which recommendations to implement. They can accept, defer, or modify recommendations. These choices will then be documented in the plan.
  • Tracking implementation—The plan will track the choices and their implementation.
  • Creating a POAM—A POAM that assigns responsibilities is included. Managers will use the POAM to track and follow up on the project.
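The cost, recommendation, CBA, decision and POAM objectives above can be worked through in a few lines of code. The following is an added Python example, not from the textbook: it annualizes the direct cost (lost sales) and indirect cost (goodwill) of website outages, computes a CBA row for each recommendation, ranks the recommendations by net benefit for the report to management, and then produces POAM rows only for the recommendations that managers have accepted or modified. Every dollar figure, outage count, recommendation name, department and milestone is a constructed placeholder; in a real plan these values come from the sales data and vendor quotes gathered under the assigning-responsibilities objective.

```python
"""Worked cost-benefit analysis (CBA) for the Acme Widgets website example.

Added example, not from the textbook. All figures below are constructed.
"""
from dataclasses import dataclass


@dataclass
class OutageProfile:
    """Annualized cost of website outages, split into direct and indirect costs."""
    revenue_per_hour: float          # average online sales per hour (from sales data)
    outages_per_year: float          # expected outages lasting 15 minutes or longer
    hours_per_outage: float          # average outage duration in hours
    goodwill_cost_per_outage: float  # lost goodwill plus the cost to win it back

    def direct_annual_cost(self) -> float:
        """Lost sales: revenue rate x hours down x outages per year."""
        return self.revenue_per_hour * self.hours_per_outage * self.outages_per_year

    def indirect_annual_cost(self) -> float:
        """Goodwill loss and recovery cost, per outage, per year."""
        return self.goodwill_cost_per_outage * self.outages_per_year

    def total_annual_cost(self) -> float:
        return self.direct_annual_cost() + self.indirect_annual_cost()


@dataclass
class Recommendation:
    name: str
    annual_cost: float         # purchase plus upkeep, spread over one year
    outage_reduction: float    # share of outages the control should prevent, 0.0 to 1.0
    decision: str = "pending"  # management decision: accept, modify, defer or pending
    owner: str = ""            # department responsible once accepted (POAM field)
    milestone: str = ""        # target date for the POAM


def cba(rec: Recommendation, baseline: OutageProfile) -> dict:
    """Benefit is the annual outage cost avoided; net benefit is benefit minus cost."""
    if not 0.0 <= rec.outage_reduction <= 1.0:
        raise ValueError(f"{rec.name}: outage_reduction must be between 0 and 1")
    benefit = baseline.total_annual_cost() * rec.outage_reduction
    return {
        "recommendation": rec.name,
        "cost": round(rec.annual_cost, 2),
        "benefit": round(benefit, 2),
        "net_benefit": round(benefit - rec.annual_cost, 2),
    }


def rank_recommendations(recs, baseline: OutageProfile) -> list:
    """CBA rows ordered from highest to lowest net benefit for the report to management."""
    return sorted((cba(r, baseline) for r in recs),
                  key=lambda row: row["net_benefit"], reverse=True)


def build_poam(recs) -> list:
    """POAM rows: accepted or modified recommendations, each with a responsible department."""
    rows = []
    for r in recs:
        if r.decision in ("accept", "modify"):
            if not r.owner:
                raise ValueError(f"{r.name}: accepted recommendation has no owner")
            rows.append({"action": r.name, "owner": r.owner,
                         "milestone": r.milestone, "decision": r.decision})
    return rows


# Constructed baseline: six outages a year, eight hours each.
ACME_BASELINE = OutageProfile(revenue_per_hour=2_000.0, outages_per_year=6,
                              hours_per_outage=8.0, goodwill_cost_per_outage=5_000.0)

# Constructed recommendations drawn from the threat and vulnerability lists above.
ACME_RECOMMENDATIONS = [
    Recommendation("Hardware redundancy (second web server)", 20_000.0, 0.50),
    Recommendation("Server and antivirus update plan", 8_000.0, 0.25),
    Recommendation("Second Internet connection", 30_000.0, 0.15),
]

if __name__ == "__main__":
    for row in rank_recommendations(ACME_RECOMMENDATIONS, ACME_BASELINE):
        print(row)
    # Constructed management decisions: accept the first two, defer the third.
    decided = [
        Recommendation("Hardware redundancy (second web server)", 20_000.0, 0.50,
                       "accept", "IT Operations", "end of Q3"),
        Recommendation("Server and antivirus update plan", 8_000.0, 0.25,
                       "modify", "IT Operations", "end of Q2"),
        Recommendation("Second Internet connection", 30_000.0, 0.15, "defer"),
    ]
    for row in build_poam(decided):
        print(row)
```

With the constructed figures the baseline outage cost is $126,000 a year, hardware redundancy nets $43,000, the update plan nets $23,500, and the second Internet connection has a negative net benefit; that last result is the kind of row that leads managers to defer a recommendation, and the POAM then carries only the accepted and modified items with their owners.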

NOTE

A firewall filters traffic. Firewall rules are configured to specifically allow certain traffic. Most firewalls block all traffic that is not specifically allowed. Both network and host-based firewalls can be used. A network firewall usually consists of both hardware and software and filters traffic for the network. Individual systems can have a software firewall that filters traffic for a single system.

Objectives Example: HIPAA Compliance

A company recently acquired Mini Acme. An inspection of Mini Acme’s records indicates that health information isn’t protected. The acquiring company is therefore not in compliance with HIPAA, and noncompliance can result in fines and jail time.

The purpose of this plan is to ensure compliance with HIPAA. The objectives of the plan are:

  • Identifying threats—Threats could be both internal and external.
  • Identifying vulnerabilities—Vulnerabilities are weaknesses. They may include:
    • Lack of policies preventing information sharing
    • Lack of protection when the data is stored
    • Lack of protection when the data is transmitted
  • Assigning responsibilities—Responsibilities are assigned to specific departments to identify threats and vulnerabilities. This data will be used to identify corrective actions. Later, responsibilities can be assigned to departments to implement and track the plan.
  • Identifying the costs of noncompliance—Costs include the legal fines associated with noncompliance. Additional costs may result from lawsuits or the loss of customer confidence.
  • Providing recommendations—A list of recommendations is created. This list may include procedural changes, protecting the data with access controls, and encrypting the data during transmissions.
  • Identifying the costs of recommendations—The cost of each recommendation is identified and listed.
  • Providing a CBA—A CBA is completed for each recommendation. It will compare the cost of the recommendation against the cost of the outage.
  • Documenting accepted recommendations—Managers will choose which recommendations to implement. They can accept, defer, or modify recommendations. These choices will be documented in the plan.
  • Tracking implementation—The plan will track the choices and their implementation.
  • Creating a POAM—A POAM that assigns responsibilities is created. Managers will use it to track and follow up on the project.