Risk Assessment Plan
Thomas McKinstry
Charter Oak State College
CSS 230: Fundamentals of Information Security Systems
Professor Travon Reid
September 19th, 2023
The purpose of this risk assessment plan is to reduce the risk the company carries in its facilities, such as the IT department, so that its operations can continue uninterrupted and without delay. This document shows the schedule and risk assessment steps that are specific to the company and will serve as a template to be revised and updated whenever the threats and risks to the company change.
Scope and Boundaries
The scope of this Risk Assessment Plan is to resolve current and potential vulnerabilities within the facility, or at the very least to mitigate them. The boundaries of this Risk Assessment Plan end once the current and/or potential threat has been resolved. Below are a few examples of basic risk assessment approaches that should be considered when plotting out the next moves in the company's risk assessment plan. However, all of these depend on the specific type of risk the company is considering.
Risk Assessment Approaches | Description
Avoidance | Risk avoidance is the practice of not taking part in a risky activity. Simply put, a company assesses the possibility of risk and decides not to take part in the risky activity.
Transference | Risk transfer is "a risk management and control strategy that involves the contractual shifting of a pure risk from one party to another".
Mitigation | Risk mitigation is defined as "the process of reducing risk exposure and minimizing the likelihood of an incident".
Acceptance | Accepting risk, or risk acceptance, "occurs when a business or individual acknowledges that the potential loss from a risk is not great enough to warrant spending money to avoid it".
Qualitative Risk Assessment Plan and Schedule
Step 1: Identifying Risk
- Power failure in the IT department, which can cause the loss of sensitive documents and leave the overall security of the facility vulnerable, since firewalls and internet security protocols are nullified during administrative mainframe power failures or power cycles. Overall, the hospital's database would be unavailable for most of those hours.
Step 2 & Step 3
Risk Register / Analyzing Risks
Description of Risk | Likelihood | Impact | Severity | Owner | Mitigating Action
Power Failures | Certain (>90% chance) | High (IT Department mainframe goes down) | High | Facilities | Reroute power
Data Loss | Likely (50%-90%) | Medium (Sensitive data is inaccessible) | Medium | IT Manager | Cloud storage or backup drives
Cybercrime | Moderate (10%-50%) | High (Sensitive information is stolen) | High | Cybersecurity Risk & Compliance Manager | Temporarily shut down facility sites
Step 4: Identifying Risk Triggers
Power failure: Outage in the IT department caused by a faulty electric grid.
Data loss: Missing files in the database caused by an abrupt power failure.
Cybercrime: Hacking and/or security breaches caused by countermeasures from the IT department being inactive due to power failures.
Step 5: Ideating Risk Solutions
Risk Avoidance:
A strategy for this, based on the information in the table above, would be to not add more devices to the faulty power area containing the database, in order to prevent further increases in power failures.
Risk Transference:
In this instance the company can outsource its database to a third party that would be willing to take responsibility for any failures in the database system. This way the database itself would be moved out of the hospital to a neighboring area and accessed remotely, while being managed by a third party. Another way would be an insurance policy in case the system is lost or corrupted by power failures, so that the cost of data loss is mitigated.
Risk Mitigation:
A strategy for this, based on the information in the table above, would be to reroute power from the database to an emergency generator. Another way would be to keep physical copies of the database records on hand in case the database goes offline. For cybercrime, this applies when an attack has already happened or is happening in the moment: while not ideal, a complete shutdown of the hospital websites while the IT department is down can mitigate this issue by preventing further cybercrime.
Risk Acceptance:
A strategy for this would be to accept that some information and security can be lost, but to make that acceptance more palatable, the company can move more sensitive information elsewhere in the facility.
Step 6: Creating an Action Plan
After each risk is assessed, we will make appropriate choices on how to mitigate each risk using the solutions presented above, or other solutions for more specific risks not identified here.
Step 7: Risk Monitoring and Responsibility
The rerouting of power would be carried out by the Facilities Department, since they physically control the flow of power from the grid and/or generators. Data loss would be mitigated by the IT Manager using backup drives or cloud services. Lastly, the Cybersecurity Risk & Compliance Manager would mitigate any ongoing cybercrime activity by temporarily shutting down website services until the IT Department is fully back up and running.
Assets
The assets to be assessed within the data center are all sensitive information and data, as well as the facility websites. The activities to be assessed are any and all suspicious events occurring within the facility's internet domain.
Controls
The controls most relevant in this particular situation would be preventative and corrective: preventative measures being backup generators, and corrective measures being the temporary shutdown of websites.
References
CNA Insurance. (2016). Risk Transfer: A Strategy to Help Protect Your Business. CNA Insurance. https://www.cna.com/web/wcm/connect/b7bacbf0-b432-4e0c-97fa-ce8730b329d5/RC_Guide_RiskTransferStrategytoHelpProtectYou+Business_CNA.pdf?MOD=AJPERES#:~:text=Risk%20transfer%20is%20a%20risk,the%20policyholder%20to%20the%20insurer
Risk Optics. (2022, June 22). Common Risk Management Strategies: Risk Avoidance vs. Risk Mitigation. https://reciprocity.com/blog/risk-avoidance-vs-risk-mitigation/#:~:text=Risk%20avoidance%20aims%20to%20completely,mitigation%20follows%20from%20risk%20acceptance
Staff, A. T. (2023, May 16). Risk response strategies: Mitigation, transfer, avoidance, acceptance. Twproject. https://twproject.com/blog/risk-response-strategies-mitigation-transfer-avoidance-acceptance/
ERM Software. (2023, April 18). What is risk mitigation? LogicManager. https://www.logicmanager.com/resources/erm/risk-mitigation-guide/#:~:text=Risk%20mitigation%20is%20defined%20as,your%20business%20is%20fully%20protected
Kenton, W. (n.d.). Accepting Risk: Definition, How It Works, and Alternatives. Investopedia. https://www.investopedia.com/terms/a/accepting-risk.asp#:~:text=Accepting%20risk%2C%20or%20risk%20acceptance,the%20business%20or%20investment%20fields