Key Concepts:
  • Ways to prioritize risk management requirements
  • Procedure for developing an organizational risk mitigation plan
  • Best practices for planning and implementing risk mitigation security controls
  • Ways to perform cost-benefit analysis (CBA) on risk mitigating security controls

Managing Risk in Information Systems

Strategies for Mitigating Risk

Risk Mitigation Concepts
Before you start creating a risk mitigation plan, you need to identify and assess risk mitigation strategies. Senior management may ask the process owners to analyze and assess the potential risks to answer questions such as:
  • When and under what circumstances should we take action?
  • When should we implement these controls to mitigate risk and protect our organization?
The following risk mitigation chart addresses these questions. Control actions are appropriate wherever a decision point in the chart results in a YES.
An organization has to invest its resources in mitigating each risk. Therefore, to optimize risk mitigation, the two other factors that the organization needs to consider are the cost and impact of the risk. The cost, impact, and acceptable level of a risk will determine the controls required.

Risk Mitigation Decision Chart

Input: Find and evaluate the value of controls to mitigate risk.
  • Is the system vulnerable to risk? If NO, the output is "No risk".
  • If YES: Is the risk mitigation cost less than the impact of the risk? If NO, the output is "Risk accepted".
  • If YES: Find a mitigation strategy. The output is "Risk unaccepted".

Risk mitigation strategies are not required if no risk exists.
Risk mitigation strategies are not implemented when you accept a risk.
Risk mitigation strategies are implemented when you don’t accept a risk.

The following cost-benefit analysis chart details a few such circumstances: controls are included where implementation is appropriate, excluded where controls are not required, and replaced where an alternate control can be used.

Cost-Benefit Analysis Chart
  • Cost of implementation: cost-effective; impact on the organization: huge profits; acceptable level of organizational risk: sufficient risk reduction. Controls: included.
  • Cost of implementation: high; impact on the organization: huge profits; acceptable level of organizational risk: insufficient risk reduction. Controls: alternative controls sought.
  • Cost of implementation: very high; impact on the organization: moderate profits; acceptable level of organizational risk: cost control more than risk reduction. Controls: excluded.
  • Cost of implementation: high; impact on the organization: moderate profits; acceptable level of organizational risk: risk reduction more than needed. Controls: less expensive controls sought.
Planning Risk Mitigation
A risk mitigation plan communicates how specific risks are being identified and how they will be addressed. It gives management a clear understanding of what actions are being taken to minimize project risks. In most cases, an organization aims to address the biggest risks and strives for sufficient risk mitigation at the lowest cost, with minimal impact on other mission capabilities.

The risk mitigation steps in control implementation, with the output of each step, are listed below. The inputs to the process are the risk assessment report and NIST SP 800-53.
  • Prioritize actions: output is a ranking of actions from high to low.
  • Evaluate recommended control options: output is a list of possible controls.
  • Conduct a cost-benefit analysis: output is the cost-benefit analysis.
  • Select controls: output is the selected controls.
  • Assign responsibilities: output is a list of responsible persons.
  • Develop a safeguard implementation plan: output is the safeguard implementation plan.
  • Implement selected controls: output is the residual risks.

Prioritize actions

On the basis of the risk levels presented in the risk assessment report, implementation actions are prioritized. In allocating resources, top priority should be given to risk items with unacceptably high risk rankings.
Evaluate recommended control options

In this step, the feasibility (such as compatibility and user acceptance) and the effectiveness (such as degree of protection and level of risk mitigation) of the recommended control options are analyzed. The objective is to select the most appropriate control option for minimizing risk.
Conduct a cost-benefit analysis

To aid management in decision making and to identify cost-effective controls, a cost-benefit analysis is conducted.
Select controls

On the basis of the results of the cost-benefit analysis, management determines the most cost-effective controls for reducing risk. Controls are selected from the National Institute of Standards and Technology (NIST) SP 800-53, which provides extensive documentation on controls.
Assign responsibilities

Appropriate people—in-house personnel or external contracting staff—who have the appropriate expertise and skill sets to implement the selected controls are identified, and responsibility is assigned to them.
Develop a safeguard implementation plan

This plan must contain the following information:
  • Risks and associated risk levels
  • Prioritized actions
  • Recommended controls
  • Selected planned controls
  • Responsible people
  • Start date
  • Target completion date
  • Maintenance requirements
Implement selected controls

Depending on the situation, the implemented controls may lower the risk level but not eliminate the risk.
Key Roles Involved in Risk Mitigation
Frequently, the cost of implementing a control is more tangible than the cost of not implementing it. As a result, senior management plays a critical role in decisions concerning the implementation of control measures to protect the organizational mission. Read the given scenario to learn how senior managers and functional managers help in risk mitigation.
Consider an e-commerce site. A critical risk for such an organization is the uptime of the site. Suppose the Web server fails and cannot process sales. The sales lost during the time the server is being repaired are direct costs. Indirect costs include the loss of customer goodwill and the cost to restore the goodwill. As these losses are a high-level risk, senior management will need to recommend an appropriate control for risk mitigation. The functional manager will identify the maximum acceptable outage (MAO).

The senior and functional managers need to address the following key questions:
  • How does this service affect the organization's profitability?
  • How does this service affect the organization's survivability?
  • How does this service affect the organization's image?
  • How will an outage affect employees and customers?
  • When does this service need to be available?
  • What is the MAO of the service?
Senior management, in this case, recommends that functional managers use the least-cost approach and implement the most appropriate controls to decrease the mission risk to an acceptable level, with a minimal adverse impact.
Risk Mitigation Best Practices
When creating any risk management plan, it is essential that the following seven best practices be considered and that checks be in place to ensure that the cost of risk mitigation does not outweigh the cost of the risk materializing.
  • Stay within the scope. Ensure the scope of the mitigation plan does not go beyond the scope of the risk assessment.
  • Redo the cost-benefit analysis. Redo the cost-benefit analysis if new costs are identified. You commonly complete a cost-benefit analysis for a countermeasure as part of the risk assessment.
  • Prioritize countermeasures. Ensure countermeasures are prioritized according to their importance.
  • Include current countermeasures in the analysis. When scoring countermeasures, ensure that the countermeasures already in place are considered.
  • Control costs. Ensure the costs stay within the allocated budget.
  • Control the schedule. Ensure the schedule is not delayed; otherwise, the costs might go up.
  • Follow up. Implement approved countermeasures and ensure that they mitigate the risk as expected.
Importance of Prioritization
Risk, threats, and vulnerabilities adversely affect the business of an organization and can be assessed as:
  • Costs associated with the loss of a business component or process
  • Loss of customer confidence
  • Lack of compliance
  • Lack of insurance to mitigate or transfer risk
Therefore, it is important to prioritize risks and implement controls to mitigate them. You can do so by using a threat likelihood/impact matrix: each threat's score is its impact value multiplied by its likelihood, and the following matrix and worked table show how the scores are used to prioritize threats.
Threat likelihood/impact matrix (score = impact value x likelihood):

                        High likelihood     Medium likelihood   Low likelihood
                        100 percent (1.0)   50 percent (.50)    10 percent (.10)
  LOW IMPACT (10)       10 x 1 = 10         10 x .5 = 5         10 x .1 = 1
  MEDIUM IMPACT (50)    50 x 1 = 50         50 x .5 = 25        50 x .1 = 5
  HIGH IMPACT (100)     100 x 1 = 100       100 x .5 = 50       100 x .1 = 10

Threat scores used to prioritize threats:
  • Attacks on DMZ servers (servers in the DMZ are currently updated only once every six months): likelihood High (100 percent), impact Medium (50), score 50.
  • Loss of data on key database server (backups are currently done on the database server daily, but recent restore attempts were not successful): likelihood Medium (50 percent), impact High (100), score 50.
  • Loss of data due to fire (backups are done regularly but stored in the server room): likelihood Low (10 percent), impact High (100), score 10.
  • Malware infection (antivirus software is currently installed on all systems): likelihood Low (10 percent), impact Low (10), score 1.

Attacks with the highest scores need to be dealt with first. In this case, the biggest threats are the two with a score of 50, so the organization would find risk mitigation strategies for these two risks first.
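The scoring matrix and the risk mitigation decision chart above can both be expressed as a small calculator. The following Python script is an added example, not part of the lesson: it reproduces the lesson's likelihood and impact values, ranks the four threats from the table, and walks the decision chart (no risk / risk accepted / risk unaccepted). The `Threat` class, the function names, and the monetary figures used in the sample decision are assumptions made for this example; the lesson gives no tie-break rule for equal scores, so ties keep their table order.

```python
"""Threat prioritization and mitigation decision helper.

Added example, not part of the lesson. Scoring reproduces the lesson's
threat likelihood/impact matrix (score = impact value x likelihood);
mitigation_decision() follows the lesson's risk mitigation chart.
Monetary figures used in the sample run are constructed for illustration.
"""
from dataclasses import dataclass

# Likelihood as a percentage and impact values, as in the lesson's matrix.
LIKELIHOOD_PERCENT = {"high": 100, "medium": 50, "low": 10}
IMPACT_VALUE = {"low": 10, "medium": 50, "high": 100}


@dataclass(frozen=True)
class Threat:          # hypothetical record type, not from the lesson
    name: str
    likelihood: str    # "high", "medium" or "low"
    impact: str        # "high", "medium" or "low"
    note: str = ""     # current state of the control, from the lesson's table


def threat_score(likelihood: str, impact: str) -> int:
    """Score = impact value x likelihood.

    Integer arithmetic keeps the matrix values exact, e.g.
    medium impact (50) at high likelihood (100 percent) -> 50.
    """
    return IMPACT_VALUE[impact] * LIKELIHOOD_PERCENT[likelihood] // 100


def prioritize(threats: list[Threat]) -> list[tuple[str, int]]:
    """Rank threats by score, highest first.

    Python's sort is stable, so threats with equal scores keep the
    order they had in the input table (the lesson gives no tie-break).
    """
    scored = [(t.name, threat_score(t.likelihood, t.impact)) for t in threats]
    return sorted(scored, key=lambda pair: -pair[1])


def mitigation_decision(vulnerable: bool, mitigation_cost: float,
                        impact_cost: float) -> str:
    """Walk the lesson's risk mitigation decision chart.

    Not vulnerable                                   -> "no risk"
    Vulnerable, mitigation costs at least the impact -> "risk accepted"
    Vulnerable, mitigation cheaper than the impact   -> "risk unaccepted"
                                                        (find a mitigation strategy)
    """
    if not vulnerable:
        return "no risk"
    if mitigation_cost < impact_cost:
        return "risk unaccepted"
    return "risk accepted"


# The four threats from the lesson's threat score table.
LESSON_THREATS = [
    Threat("Attacks on DMZ servers", "high", "medium",
           "DMZ servers are updated only once every six months"),
    Threat("Loss of data on key database server", "medium", "high",
           "Daily backups, but recent restore attempts failed"),
    Threat("Loss of data due to fire", "low", "high",
           "Backups are stored in the server room"),
    Threat("Malware infection", "low", "low",
           "Antivirus software is installed on all systems"),
]


if __name__ == "__main__":
    for name, score in prioritize(LESSON_THREATS):
        print(f"{score:>4}  {name}")
    # Constructed figures (not from the lesson): monthly patching of the
    # DMZ servers is assumed to cost 20,000 against an estimated breach
    # impact of 150,000, so the chart says the risk is not accepted.
    print(mitigation_decision(vulnerable=True,
                              mitigation_cost=20_000, impact_cost=150_000))
```

Running the script prints the ranking 50, 50, 10, 1 in the lesson's order and then "risk unaccepted" for the constructed DMZ figures; changing `mitigation_cost` to a value at or above `impact_cost` flips the result to "risk accepted", which is the chart's "accept the risk" branch.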

In this section, you will have an opportunity to practice the concepts and processes that you have explored in this lesson.

The Hands-On Lab provides you with an engaging learning experience that is diagnostic and flexible. Following the instructions provided in the Lab Manual, you will be able to practice the steps IT Security Specialists perform on a daily basis and develop the skills required for effective execution and management of IT Security operations.

In this section, you will have an opportunity to apply what you’ve learned in this lesson in the context of analyzing a business situation. Although simplified, the problem scenario provided here depicts the challenges often faced by professionals in the workplace.

In this interactive case study, you will explore a business situation, review critical information related to the problem discussed in the case, decide on the course of action, and receive a decision analysis summary that discusses the implications of your decision. Once you analyze the impact of your decision, explore alternative solutions to learn about other potential ways to address the issue in the case. Complete your work on the case by submitting the graded assignment that will reflect on your process of analyzing the business situation and defining an appropriate course of action.

You need to develop a risk mitigation plan for Defense Logistics Information Service (DLIS) from the given risk assessment plan.

Instructions from the system and information owner:
Senior management at DLIS has reviewed the risk assessment plan and given the go-ahead to create a risk mitigation plan based on inputs provided. Senior management has also approved a budget for the risk mitigation plan and is committed to supporting the project, given the plan’s importance to the organization.

You need to develop a risk mitigation plan based on the previous findings. The project is critical for the organization’s health; therefore, you need to complete it as quickly as possible. To help you complete this project on time, we have assigned Bob as the project manager. I have already explained to him the requirements. He is creating a timeline and will share it with you soon.
Contributing Factors
Review each contributing factor below and gather inputs for the risk mitigation plan before moving on to the course of action.

Review Critical Considerations

Research the Internet


  • Analyze and evaluate the threat and vulnerability areas you identified for Health Network.
  • Make a list of personnel (job roles) you should interview to gain insight into possible new issues.
  • Consider what should be the elements of this plan, which elements are essential, and which elements could be optional.
Consider what information you need to provide about the layers of security. Answers to the following questions will help you complete this assignment:
  • What are the vulnerabilities for the Web server?
  • What tools, applications, and best practices are available for providing the layers of security to a Linux system?
  • Which tools or applications are secure and stable?
  • What modifications are required in SELinux?
  • What rules can be specified in TCP wrappers?
  • Should a firewall be software or hardware?
  • If hardware, should it be configured as a bastion host?
  • If not a bastion host, what other application or process should be configured along with the firewall?
Use google.com to view sample risk mitigation plans. Read and understand the objectives and requirements of each risk mitigation plan.
Course of Action
Use the following checklist as a guide to complete this assignment.

Tasks

  • Read the case scenario of Health Network.
  • Understand your task for this assignment from the system and information owner in the meeting room.
  • Consider all the factors that contribute to the challenge.
  • Explain the purpose and scope of your risk mitigation plan.
  • Explain the key roles involved in your plan and their respective responsibilities.
  • Analyze and write a proposed schedule for your plan.
  • Research and summarize risk mitigation approaches and justify your final recommendations.
  • Collate all information in a Microsoft Word (or compatible) document.
  • Conduct a self-review of your report with respect to the evaluation criteria mentioned in the assignment requirements.
  • Submit Project Part 1 Task 3 to your instructor.
At the end of this lesson, you should be able to:
  • Explain the best practices in planning risk mitigation throughout an organization.
  • Explain the steps in developing an organizational risk mitigation plan from a risk assessment plan.
  • Explain the best practices in enabling a risk mitigation plan from a risk assessment plan.
  • Perform a cost-benefit analysis for implementing a security control in a provided scenario.
In this lesson, you will learn how to develop a risk mitigation plan from a risk assessment plan. You will examine the strategies and phases of risk mitigation. In addition, you will learn about risk mitigation best practices and the importance of prioritizing risks.