Describing Procedures and Schedules for Accomplishment
This part of the risk management plan is created after the project has started. A recommended solution is included for threats or vulnerabilities, with the goal of mitigating the associated risk. Though a solution can be summarized in a short phrase, the solution itself will often include multiple steps.
For example, an existing firewall may expose a server to multiple vulnerabilities. The solution could be to upgrade the firewall. This upgrade can be broken down into several steps, such as:
- Determining what traffic should be allowed
- Creating a firewall policy
- Purchasing a firewall
- Installing the firewall
- Configuring the firewall
- Testing the firewall
- Implementing the firewall
NOTE
MITRE includes a risk management toolkit area on its website at http://www.mitre.org/work/sepo/toolkits/risk/index.html. This site includes information on creating affinity diagrams.
Each of these steps can be described in further detail. In addition, a timeline can be included for completion of each of the steps.
There are a couple of things to remember at this point:
- Management is responsible for choosing the controls to implement.
- Management is responsible for residual risk.
Because management has not reviewed the recommendations yet, this schedule will usually not include dates. Instead, the schedule will list how long it may take to complete the recommendations.
For example, a single recommendation may include five tasks. The time required can be listed for each of these tasks. Start and end dates can be added later.
Partial listings of procedures for the website and HIPAA examples are given in the following sections.
Procedures Example: Website
The website is vulnerable to denial of service (DoS) attacks from the Internet. This risk cannot be eliminated. However, several tasks can be completed to mitigate the risk:
- Recommendation—Upgrade the firewall.
- Justification—The current firewall is a basic router. It filters packets but does not provide advanced firewall capabilities.
- Procedures—The following steps can be used to upgrade the new firewall:
- Starting firewall logging—This log can be used to determine what ports are currently being used. Logs should be collected for at least one week.
- Creating a firewall policy—A firewall policy identifies what traffic to allow past the firewall. It is a written document and is based on the content of the firewall logs.
- Purchasing a firewall appliance—A firewall appliance provides a self-contained firewall solution. It includes both hardware and software that provide protection for a network. Firewall appliances range from $200 to more than $10,000. The SS75 model is recommended at a cost of $4,000. It will arrive within 30 days after ordering.
- Installing the firewall—The firewall could be installed in the server room. Existing space and power are available there.
- Configuring the firewall—Technicians will use the firewall policy to configure the firewall.
- Testing the firewall before going live—Testing will ensure normal operations are not impacted. Technicians can complete testing in one week.
- Bringing the firewall online—Technicians can complete this step within a week after completing tests.
FYI
Firewalls labeled as appliances are intended to be easy to use. The implication is that, to get them to work, they only need to be plugged in so that being an expert in how they work is not necessary. They are like a toaster. The bread goes in and the toast comes out. Users don’t have to know how the toaster works to make toast. Similarly, being an expert on firewalls is not necessary to use a firewall appliance.
Procedures Example: HIPAA Compliance
Employees of Mini Acme are not aware of HIPAA. They don’t understand the requirements of the law, nor do they understand the consequences of noncompliance. The following tasks can be completed to mitigate the risk of noncompliance:
- Recommendation—Increase awareness of HIPAA.
- Justification—Make clear that noncompliance can result in fines totaling $25,000 a year for mistakes.
- Procedures—Use the following steps to increase awareness:
- Requiring all employees to read and comply with HIPAA policies—Don’t create new policies. Require Mini Acme employees to read and acknowledge HIPAA policies currently in place. This can be accomplished in 30 days.
- Providing training to all employees on HIPAA compliance—Training will include what data is covered by HIPAA. It will also include consequences of noncompliance. If approved, it will take approximately 60 days to create training materials. Training can be completed in 30 days.