Developing A Risk Management Plan: Flourensia Sapty Rahayu S.T., M.Kom

The document provides guidance on developing a risk management plan. It discusses identifying risks and vulnerabilities, developing recommendations to address them, assigning responsibilities, and tracking implementation. A case study example outlines creating a plan to secure a company's website by identifying threats, vulnerabilities, recommending solutions like upgrading the firewall, and assigning tasks to different departments with completion timelines. The overall goal is to help organizations mitigate risks through thorough planning and accountability.
DEVELOPING A RISK MANAGEMENT PLAN

Flourensia Sapty Rahayu S.T., M.Kom.
Program Studi Sistem Informasi
FTI – UAJY – 2018
Risk Management Plan
• You create a risk management plan to mitigate
risks.
• This plan helps you identify the risks and choose
the best solutions.
• It also helps you track the solutions to ensure
they are implemented on budget and on
schedule.
• A fully implemented plan will include a plan of
action and milestones (POAM).
Objectives of a Risk Management Plan
• The objectives identify the goals of the project.
• Some common objectives for a risk management
plan are:
– A list of threats
– A list of vulnerabilities
– Costs associated with risks
– A list of recommendations to reduce the risks
– Costs associated with recommendations
– A cost-benefit analysis
– One or more reports
Case Study: Web Site

Your company, Acme Widgets, hosts a Web site used to sell widgets on
the Internet. The Web site is hosted on a Web server owned and
controlled by your company. The Web site was recently attacked and
went down for two days.
The company lost a large amount of money. Additionally, the
company lost the goodwill of many customers. This was the
second major outage for this Web site in the past two months.
There have been many outages in the past three years.
The objectives of the plan are to:
• Identify threats—This means any threats that
directly affect the Web site. These may
include:
– Attacks from the Internet
– Hardware or software failures
– Loss of Internet connectivity
• Identify vulnerabilities—These are
weaknesses and may include:
– Lack of protection from a firewall
– Lack of protection from an intrusion detection
system
– Lack of antivirus software
– Lack of updates for the server
– Lack of updates for the antivirus software
• Assign responsibilities—Assign responsibility to specific
departments for collecting data. This data will be used to
create recommendations. Later in the plan, you will assign
responsibilities to departments to implement and track
the plan.
• Identify the costs of an outage—Include both direct and
indirect costs. The direct costs are the lost sales during
the outage. The amount of revenue lost if the server is
down for 15 minutes or longer will come from sales data.
Indirect costs include the loss of customer goodwill and
the cost to recover the goodwill.
• Provide recommendations—Include a list of
recommendations to mitigate the risks. The
recommendations may reduce the weaknesses.
They may also reduce the impact of the threats.
– For example, you could address a hardware failure
threat by recommending hardware redundancy. You
could address a lack of updates by implementing an
update plan.
• Identify the costs of recommendations—Identify
and list the cost of each recommendation.
• Provide a cost-benefit analysis (CBA)—
Include a CBA for each recommendation. The
CBA compares the cost of the
recommendation against the benefit to the
company of implementing the
recommendation. You can express the benefit
in terms of income gained or the cost of the
outage reduced.
• Document accepted recommendations—
Management will choose which recommendations to
implement. They can accept, defer, or modify
recommendations. You can then document these
choices in the plan.
• Track implementation—Track the choices and their
implementation.
• Create POAM—Include a POAM. The POAM will
assign responsibilities. Management will use the
POAM to track and follow up on the project.
Scope of A Risk Management Plan
• The scope identifies the boundaries of the
plan.
• The boundaries could include the entire
organization.
• Without defined boundaries, the plan can get
out of control.
• A common problem with many projects is
scope creep.
Scope Example: Web Site
The purpose of the risk management plan is to
secure the Acme Widgets Web site.
The scope of the plan includes:
• Security of the server hosting the Web site
• Security of the Web site itself
• Availability of the Web site
• Integrity of the Web site’s data
Stakeholders for this project include:
• Vice president of sales
• IT support department head
Assigning Responsibilities
• The risk management plan specifies
responsibilities.
• This provides accountability.
• You can assign responsibilities to:
– Risk management PM
– Stakeholders
– Departments or department heads
– Executive officers such as CIO or CFO
Individual responsibilities could be assigned for the following
activities:
• Risk identification—This includes threats and vulnerabilities.
The resulting lists of potential risks can be extensive.
• Risk assessment—This means identifying the likelihood and
impact of each risk. A threat matrix is a common method used
to assess risks.
• Risk mitigation steps—These are steps that can reduce
weaknesses. This can also include steps to reduce the impact
of the risk.
• Reporting—Report the documentation created by the plan to
management. The PM is often responsible for compiling
reports.
Responsibilities Example: Web Site
• The CFO will provide funding to the IT department to hire a security
consultant. This security consultant will assist the IT department.
• The IT department is responsible for providing:
– A list of threats
– A list of vulnerabilities
– A list of recommended solutions
– Costs for each of the recommended solutions
• The sales department is responsible for providing:
– Direct costs of any outage for 15 minutes or longer
– Indirect costs of any outage for 15 minutes or longer
• The CFO will validate the data provided by the IT and sales
departments. The CFO will then complete a cost-benefit analysis.
Describing Procedures and Schedules for Accomplishment
• You create this part of the risk management plan after the project has
started. You include a recommended solution for any threat or vulnerability,
with a goal of mitigating the associated risk. While you can summarize a
solution in a short phrase, the solution itself will often include multiple steps.
• For example, an existing firewall may expose a server to multiple
vulnerabilities. The solution could be to upgrade the firewall. This upgrade
can be broken down into several steps, such as:
– Determine what traffic should be allowed.
– Create a firewall policy.
– Purchase a firewall.
– Install the firewall.
– Configure the firewall.
– Test the firewall.
– Implement the firewall.
• You can describe each of these steps in further
detail.
• In addition, you can include a timeline for
completion of each of the steps.
• There are a couple of things to remember at
this point:
– Management is responsible for choosing the
controls to implement.
– Management is responsible for residual risk.
Procedures Example: Web Site
The Web site is vulnerable to denial of service (DoS)
attacks from the Internet. This risk cannot be eliminated.
However, several tasks can be completed to mitigate the
risk:
• Recommendation—Upgrade the firewall.
• Justification—The current firewall is a basic router. It
filters packets but does not provide any advanced
firewall capabilities.
• Procedures—The following steps can be used to
upgrade the firewall:
1. Start firewall logging. This log can be used to determine what ports are currently being
used. Logs should be collected for at least one week, so that weekly as well as daily
traffic patterns are captured.
2. Create a firewall policy. A firewall policy identifies what traffic to allow past the firewall.
This is a written document. It is created based on the content of the firewall logs, checked
against what the business actually needs to expose: a port that appears in the logs is a
candidate for an allow rule, not automatically an allowed service. You can use the firewall
policy to configure the firewall.
3. Purchase a firewall appliance. A firewall appliance provides a self-contained firewall
solution. It includes both hardware and software that provides protection for a network.
Firewall appliances range from $200 to more than $10,000. The SS75 model is
recommended at a cost of $4,000. It can be purchased within 30 days of receiving funds.
4. Install the firewall. The firewall could be installed in the server room. Existing space and
power could be available there.
5. Configure the firewall. Configuration would be done using the firewall policy.
6. Test the firewall. Do this before going live. It will ensure normal operations are not
impacted and that traffic outside the policy is actually blocked. You can complete testing
in one week.
7. Bring the firewall online. This can be done within a week after testing is completed.
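Steps 1, 2 and 6 of this procedure can be rehearsed before the appliance arrives. The following Python script is an added example and is not part of the original slides: it tallies the inbound services seen in a constructed firewall log excerpt, writes a default-deny policy in which only services the business has justified become allow rules (anything else seen in the logs goes to a review list rather than being allowed just because it was observed), and runs the acceptance test that must pass before the firewall goes live. The log line format, the server address 192.0.2.5, the admin subnet 10.0.0.0/24 and the justified-service table are assumptions.

```python
"""Steps 1, 2 and 6 of the firewall upgrade: tally what the logs show, write a
default-deny policy, test it before go-live. Added example, not from the deck."""
import ipaddress
import re
from collections import Counter

# Constructed log excerpt (not from the original slides). Assumed format:
# "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>". A real
# appliance or iptables log needs its own regex.
SAMPLE_LOG = """\
2018-03-01T10:00:01 ACCEPT tcp 203.0.113.10:51234 -> 192.0.2.5:443
2018-03-01T10:00:02 ACCEPT tcp 203.0.113.11:51301 -> 192.0.2.5:443
2018-03-01T10:00:03 ACCEPT tcp 203.0.113.12:40011 -> 192.0.2.5:80
2018-03-01T10:00:04 ACCEPT tcp 198.51.100.7:33300 -> 192.0.2.5:443
2018-03-01T10:00:05 ACCEPT tcp 198.51.100.7:33301 -> 192.0.2.5:80
2018-03-01T10:00:06 ACCEPT tcp 10.0.0.20:56001 -> 192.0.2.5:22
2018-03-01T10:00:07 ACCEPT tcp 203.0.113.99:60123 -> 192.0.2.5:3389
2018-03-01T10:00:08 ACCEPT udp 192.0.2.5:40000 -> 203.0.113.53:53
2018-03-01T10:00:09 DROP tcp 203.0.113.77:44444 -> 192.0.2.5:23
this line is garbage and is skipped
"""

SERVER = "192.0.2.5"  # assumed address of the web server behind the firewall

# Services the business has justified (assumption for the example). Sources are
# CIDRs; 0.0.0.0/0 means the Internet. Nothing else is allowed because it was seen.
EXPECTED = {
    ("tcp", 443): ("public HTTPS storefront", "0.0.0.0/0"),
    ("tcp", 80): ("HTTP redirect to HTTPS", "0.0.0.0/0"),
    ("tcp", 22): ("admin SSH from the IT subnet only", "10.0.0.0/24"),
}

LINE_RE = re.compile(
    r"^\S+ (?P<action>ACCEPT|DROP) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def tally_inbound(log_text, server=SERVER):
    """Step 1: count accepted flows per (proto, dport) arriving at the server.
    Outbound flows (server as source) and unparseable lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["action"] == "ACCEPT" and m["dst"] == server:
            counts[(m["proto"], int(m["dport"]))] += 1
    return counts


def build_policy(counts, expected=EXPECTED):
    """Step 2: default-deny policy. Observed and justified -> allow rule with a
    source restriction; observed but not justified -> review list."""
    policy = {"default": "deny", "rules": [], "review": []}
    for (proto, port), seen in sorted(counts.items()):
        if (proto, port) in expected:
            reason, src = expected[(proto, port)]
            policy["rules"].append(
                {"proto": proto, "port": port, "src": src, "reason": reason, "flows": seen})
        else:
            policy["review"].append({"proto": proto, "port": port, "flows": seen})
    return policy


def evaluate(policy, proto, port, src_ip):
    """What the configured firewall would do with one packet."""
    ip = ipaddress.ip_address(src_ip)
    for rule in policy["rules"]:
        if (rule["proto"], rule["port"]) == (proto, port) and ip in ipaddress.ip_network(rule["src"]):
            return "allow"
    return policy["default"]


def acceptance_test(policy):
    """Step 6: normal traffic must pass, unjustified traffic must be blocked.
    Returns the failing cases; an empty list is the go-live condition."""
    cases = [
        ("tcp", 443, "203.0.113.10", "allow"),  # customer HTTPS
        ("tcp", 80, "198.51.100.7", "allow"),   # customer HTTP
        ("tcp", 22, "10.0.0.20", "allow"),      # admin SSH from the IT subnet
        ("tcp", 22, "203.0.113.10", "deny"),    # SSH from the Internet
        ("tcp", 3389, "203.0.113.99", "deny"),  # RDP seen in the logs, never justified
        ("udp", 53, "203.0.113.14", "deny"),    # no inbound DNS service exists
    ]
    failures = []
    for proto, port, src, want in cases:
        got = evaluate(policy, proto, port, src)
        if got != want:
            failures.append((proto, port, src, want, got))
    return failures


if __name__ == "__main__":
    pol = build_policy(tally_inbound(SAMPLE_LOG))
    for r in pol["rules"]:
        print(f"allow {r['proto']}/{r['port']} from {r['src']:<12} # {r['reason']} ({r['flows']} flows)")
    for r in pol["review"]:
        print(f"REVIEW {r['proto']}/{r['port']} ({r['flows']} flows): in the logs, not justified")
    print("acceptance test failures:", acceptance_test(pol))
```

The review list is the point of step 2: the RDP flows were accepted by the old router and show up in the log, so a policy generated purely from observed traffic would keep them open. Writing the policy as justified services plus a review list makes the IT department decide each one on paper before the appliance is configured.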
Reporting Requirements
• After you collect data on the risks and
recommendations, you need to include it in a
report.
• You will then present this report to
management.
• The primary purpose of the report is to allow
management to decide on what
recommendations to use.
There are four major categories of reporting requirements. They
are:
• Present recommendations—These are the risk response
recommendations.
• Document management response to recommendations—
Management can accept, modify, or defer any of the
recommendations.
• Document and track implementation of accepted
recommendations—This becomes the actual risk response plan.
• Plan of action and milestones (POAM)—The POAM tracks the
risk response actions.
Present Recommendations
• You compile the collected data into a report. It will
include the lists of threats, vulnerabilities, and
recommendations.
• You then present this report to management.
Management will use this data to decide what steps
to take.
• This report should include the following information:
– Findings
– Recommendation cost and time frame
– Cost-benefit analysis
Findings
• The findings list the facts.
• Risk management findings need to include
threats, vulnerabilities, and potential losses.
• These are described as cause, criteria, and
effect.
• Cause—The cause is the threat. For example, an
attacker may try to launch a DoS attack. In this
case, the threat is the attacker. When you list the
cause, it’s important to identify the root cause. A
successful attack is dependent on an attacker
having access and the system being vulnerable.
Risk management attempts to reduce the impact
of the cause, or reduce the vulnerabilities.
• Criteria—This identifies the criteria that will allow
the threat to succeed. These are the vulnerabilities.
For example, a server will be susceptible to a DoS
attack if the following criteria are met:
– Inadequate manpower—If manpower isn’t adequate to
perform security steps, the site is vulnerable.
– Unmanaged firewall—Each open port represents a
vulnerability. If ports are not managed on a firewall,
unwanted traffic can be allowed in.
– No intrusion detection system (IDS)—An IDS detects
intrusions. Depending on the type, it can also respond to
them and change the environment; a system that blocks
traffic inline is usually called an intrusion prevention
system (IPS).
– Operating system not updated—Apply patches to the
system as they are released and tested. If you don’t
apply updates, the system is vulnerable to new exploits.
– Antivirus software not installed and updated—Antivirus
software can detect malware. You should update it with
definitions to ensure it will detect new malware.
• Effect—The effect is often an outage of some
type. For example, the effect on a Web site
could be that the Web site is not reachable any
more.
• A cause and effect diagram can be used to
discover and document the findings.
Recommendation Cost and Time Frame
• In addition to the findings, the report will include a list
of recommendations.
• These recommendations will address the potential
causes and criteria that can result in the negative effect.
• Each item should include the cost required to
implement it.
• Also include the timeline to implement the solution.
Management will use this data to decide if the solution
should be applied.
For example, the following partial list of recommendations could be included
in the Web site risk management plan.
• Upgrade firewall—Initial cost: $4,000. Ongoing costs: $1,000 annually. The initial cost
will cover the purchase of the firewall. The ongoing costs are related to training and
maintenance. Purchase and install the firewall within 30 days of approval.
• Purchase and install IDS—Initial cost: $800. Purchase and install the IDS within 30 days
of approval.
• Create plan to keep system updated—Initial cost: manpower. Ongoing costs:
manpower. Create the plan within 30 days of approval.
• Install antivirus software on server—Initial cost: $75. Ongoing costs: negligible.
Purchase and install the software within 30 days of approval.
• Update antivirus software—Initial cost: negligible. Ongoing costs: negligible. Configure
antivirus software for automatic updates after installation.
• Add one IT administrator—Cost: negotiated salary. Due to the ongoing maintenance
requirements of these recommendations, an additional administrator is required.
Cost-Benefit Analysis
• It is a process used to determine how to manage a risk. If the
benefits of a control outweigh the costs, the control can be
implemented to reduce the risk. If the costs are greater than the
benefits, the risk can be accepted, or a cheaper control can be
looked for.
• In this context, the CBA should include two items:
– Cost of the recommendation—The recommendation is the
control intended to manage the risk. If you anticipate that there
will be ongoing costs, you should include them in the
calculation.
– Projected benefits—Calculate benefits in terms of dollars.
Benefits can be expressed as money earned or losses reduced.
• Management is responsible for making the decisions on how to
manage the risks.
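Worked out with the figures the deck gives ($500 of lost sales per 15 minutes of downtime, a $4,000 firewall with $1,000 a year in upkeep, $75 for antivirus software), the following Python is an added example, not from the original slides. It expresses likelihood and impact as an annualized loss (ALE = ARO x SLE), compares a control's total cost over a planning horizon with the loss it avoids, and reports how many outages a control must prevent before it has paid for itself. The outage frequencies, the effect assumed for each control, and the cost of the hot-standby server are assumptions.

```python
"""Cost-benefit analysis with the deck's figures. Added example; outage
frequencies, control effectiveness and the hot-standby cost are assumptions."""
import math

LOSS_PER_15_MIN = 500.0  # from the deck's risk statement: $500 per 15 minutes of downtime


def outage_cost(minutes, indirect=0.0):
    """Single loss expectancy (SLE) of one outage. The deck only counts outages
    of 15 minutes or longer; lost sales are charged per started 15-minute block,
    and `indirect` is the goodwill figure the sales department supplies."""
    if minutes < 15:
        return 0.0
    return math.ceil(minutes / 15) * LOSS_PER_15_MIN + indirect


def annual_loss(outages_per_year, minutes_per_outage, indirect=0.0):
    """Annualized loss expectancy: likelihood (ARO) x impact (SLE)."""
    return outages_per_year * outage_cost(minutes_per_outage, indirect)


def cba(name, initial_cost, annual_cost, years, ale_before, ale_after):
    """Compare what the control costs over `years` with the loss it avoids."""
    cost = initial_cost + annual_cost * years
    benefit = (ale_before - ale_after) * years
    return {
        "recommendation": name,
        "cost": cost,
        "benefit": benefit,
        "net": benefit - cost,
        "decision": "implement" if benefit > cost else "accept risk or find a cheaper control",
    }


def outages_to_break_even(initial_cost, annual_cost, years, minutes_per_outage, indirect=0.0):
    """Outages of the given length the control must prevent over `years`
    before it has paid for itself."""
    return math.ceil((initial_cost + annual_cost * years) / outage_cost(minutes_per_outage, indirect))


def web_site_cba(years=3):
    """The deck's recommendations. Assumed: two four-hour outages a year today;
    the firewall cuts that to one every two years, antivirus to one a year, and a
    hot-standby server (the deck's hardware-redundancy idea, cost assumed)
    shortens each outage to one hour instead of preventing it."""
    before = annual_loss(2, 240)
    return [
        cba("Upgrade firewall (SS75)", 4000, 1000, years, before, annual_loss(0.5, 240)),
        cba("Install antivirus software", 75, 0, years, before, annual_loss(1, 240)),
        cba("Hot-standby server (assumed cost)", 50000, 5000, years, before, annual_loss(2, 60)),
    ]


if __name__ == "__main__":
    for r in web_site_cba():
        print(f"{r['recommendation']:<36} cost ${r['cost']:>8,.0f}  benefit ${r['benefit']:>8,.0f}"
              f"  net ${r['net']:>9,.0f}  -> {r['decision']}")
    print("firewall pays for itself after preventing",
          outages_to_break_even(4000, 1000, 3, 240), "four-hour outage(s)")
```

The assumptions about how often outages happen and how much a control reduces them are where such an analysis is won or lost; they should be stated in the report next to the dollar figures so management can challenge them, which is why the example keeps them in one place in `web_site_cba`.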
Risk Statements
• Reports are often summarized in risk statements.
• You use risk statements to communicate a risk and the
resulting impact.
• They are often written using “if/then” statements. The “if
” part of the statement identifies the elements of the risk.
The “then” portion of the statement identifies the effect.
• You should be able to match the risk statements to the
scope and objectives of the project. If the statement isn’t
within the scope or objectives, the risk assessment may
be off track.
Risk Statements
For example, the following risk statement could
be used for the Web site:
“If AV software is not installed on the Web server,
then the likelihood that the server will become
infected is high. The Web server has a constant
connection to the Internet.”
“If the server is infected, then an outage is likely
to occur. Any outage will result in $500 of lost
sales for every 15 minutes of downtime.”
Document Management Response to Recommendations
After you present your managers with the
recommendations, they will decide what to do. They can
accept, defer or modify recommendations.
• Accept—Management approves the recommendation.
Approved recommendations are funded and
implemented. They will then be added to a POAM for
tracking.
• Defer—Management can also defer a recommendation.
It may still be implemented at a later time. However, do
not include it in the list of accepted recommendations.
• Modify—Management can also decide to
modify a recommendation. For example, you
may recommend a firewall. Management may
decide on two firewalls to implement a
demilitarized zone (DMZ). On the other hand,
you may recommend a $4,000 firewall.
Management may decide to purchase an $800
firewall instead.
Document and Track Implementation of Accepted Recommendations
• It’s important to document the decisions made by management.
• As time passes, the decisions can become distorted if you don’t
document them.
• This is especially true if the recommendations are deferred or
modified.
• Example: You managed the risk management plan for the Web
site. The plan recommended purchase of AV software, but this
recommendation was deferred. Three months later the system is
infected with malware. A four-hour outage results in losses
exceeding $8,000. You may be asked why the software wasn’t
purchased.
• The documentation doesn’t need to be extensive. It could
be a simple document listing the recommendation and the
decision. It could look similar to this:
– Recommendation to purchase AV software—Accepted. Software
is to be purchased as soon as possible.
– Recommendation to hire an IT administrator—Deferred. The IT
department needs to provide clearer justification for this. In the
interim, the IT department is authorized to use overtime to
ensure security requirements are met.
– Recommendation to purchase SS75 firewall—Modified. Two SS75
firewalls are to be purchased as soon as possible. These two
firewalls will be configured as a DMZ.
Plan of Action and Milestones
• A plan of action and milestones (POAM) is a document
used to track progress.
• A POAM is used to assign responsibility and to allow
management follow-up.
– Assignment of responsibility—The POAM makes it clear who is
responsible for each task. When a task is not completed on
schedule, it also makes clear whom to hold accountable.
– Management follow-up—PMs and upper level management can
use the POAM to follow up on a project. The POAM allows
managers to quickly determine the status of any project. When
project management tools are used, the source of the problem is
often easy to identify.
• For example, consider the Web site risk
management plan. The Web site has been
attacked. It has suffered two major outages in
the last two months. The cause of these two
incidents is probably well known. However, all
the threats and vulnerabilities are probably
not known. The initial POAM might have the
following generic items:
[Slide: initial POAM table, not captured in the text extraction]
• Later, when management approves the
specific recommendations, you can create a
POAM for the approved and modified
recommendations.
• Each recommendation within the POAM could
have multiple line items.
– For example, the task to upgrade the firewall
could be the major milestone. When all of the
tasks are completed, the milestone is met.
[Slide: POAM table for the approved recommendations, not captured in the text extraction]
• You can use different tools to assist in tracking
the POAM.
• These tools don’t replace the POAM but instead
provide graphical representations of the POAM
and its progress.
• These tools include:
– Milestone plan chart
– Gantt chart
– Critical path chart
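The following Python is an added example, not part of the original deck: a POAM for the "upgrade the firewall" milestone built from the seven steps of the procedure. It computes the earliest finish of each task from its dependencies (the data a Gantt chart draws), the critical path (the chain of tasks on which any slip delays the milestone), and, on a given date, which open tasks are overdue and who is accountable, separating tasks that are themselves late from tasks that are late only because a predecessor is. Task owners, the durations the deck does not state, the start date and the "today" date are assumptions.

```python
"""POAM for the 'upgrade the firewall' milestone. Added example; owners, the
durations the deck does not state, the start date and 'today' are assumptions."""
from datetime import date, timedelta

# One line item per step of the deck's procedure. "after" lists the task ids
# that must finish first. Logging, testing and go-live are one week each and
# purchase is the 30-day window, as in the deck; the other durations are assumed.
POAM = [
    {"id": "FW1", "task": "Start firewall logging, collect one week", "owner": "IT", "days": 7, "after": [], "done": True},
    {"id": "FW2", "task": "Write firewall policy from the logs", "owner": "IT", "days": 3, "after": ["FW1"], "done": True},
    {"id": "FW3", "task": "Purchase SS75 firewall appliance", "owner": "CFO", "days": 30, "after": [], "done": False},
    {"id": "FW4", "task": "Install firewall in server room", "owner": "IT", "days": 1, "after": ["FW3"], "done": False},
    {"id": "FW5", "task": "Configure firewall from the policy", "owner": "IT", "days": 2, "after": ["FW2", "FW4"], "done": False},
    {"id": "FW6", "task": "Test firewall before go-live", "owner": "IT", "days": 7, "after": ["FW5"], "done": False},
    {"id": "FW7", "task": "Bring firewall online", "owner": "IT", "days": 7, "after": ["FW6"], "done": False},
]


def schedule(tasks, start):
    """Forward pass: earliest (start, finish) of every task given its predecessors.
    Tasks must be listed after the tasks they depend on."""
    sched = {}
    for t in tasks:
        s = max((sched[d][1] for d in t["after"]), default=start)
        sched[t["id"]] = (s, s + timedelta(days=t["days"]))
    return sched


def critical_path(tasks, sched):
    """Walk back from the task that finishes last through the predecessor that
    finishes latest; a slip anywhere on this chain slips the milestone."""
    by_id = {t["id"]: t for t in tasks}
    cur = max(sched, key=lambda k: sched[k][1])
    path = [cur]
    while by_id[cur]["after"]:
        cur = max(by_id[cur]["after"], key=lambda d: sched[d][1])
        path.append(cur)
    return path[::-1]


def milestone_status(tasks, sched, today):
    """The milestone is met only when every line item is done. Otherwise report
    open tasks past their planned finish with the accountable owner and days
    late, and single out those whose predecessors are all done: they are the
    actual source of the slip; the rest are late only because they are waiting."""
    done = {t["id"] for t in tasks if t["done"]}
    by_id = {t["id"]: t for t in tasks}
    overdue = [(t["id"], t["owner"], (today - sched[t["id"]][1]).days)
               for t in tasks if not t["done"] and sched[t["id"]][1] < today]
    root_cause = [o for o in overdue if all(d in done for d in by_id[o[0]]["after"])]
    return {"met": len(done) == len(tasks), "overdue": overdue, "root_cause": root_cause}


if __name__ == "__main__":
    start, today = date(2018, 4, 2), date(2018, 5, 10)  # assumed dates
    sched = schedule(POAM, start)
    for t in POAM:  # text Gantt chart: one '#' per planned day
        s, f = sched[t["id"]]
        bar = " " * (s - start).days + "#" * t["days"]
        print(f"{t['id']} {t['owner']:<4} {s} -> {f} {'done' if t['done'] else 'open'} {bar}")
    print("critical path:", " -> ".join(critical_path(POAM, sched)))
    print("status on", today, milestone_status(POAM, sched, today))
```

With the assumed dates the purchase (FW3) is the only task whose predecessors are complete and which is past its planned finish, so the status report names the CFO's line item as the source of the slip, even though three tasks show as overdue; that is the "source of the problem is often easy to identify" point the deck makes about project management tools.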
[Slides: milestone plan chart, Gantt chart and critical path chart examples, not captured in the text extraction]