
Building a Risk Management Program


Presentation Transcript


    1. Building a Risk Management Program. Alfred Barker, Asst. Dir., Information Security and Network Services

    2. The Plan! A Risk Management Plan is needed to define the authority, responsibility, procedures, and awareness training needed to build a successful management program from the information gathering to the assessment report. Without this, disaster recovery and continuity planning are only exercises with little usable and pertinent information. A successful plan describes the policy, the procedures by phases, the reporting requirements, and the awareness training needed to have a successful Risk Management Plan.

    3. The Policy. The establishment of a College Risk Management Plan is by direction of the Board of Regents in the form of a policy titled "USG Information Technology (IT) & Information Security (IS) Risk Management", dated 16-Feb-09. The policy states: "Each USG Institution that employs information technology must establish risk management and disaster recovery planning processes for identifying, assessing, and responding to the risks associated with its information assets." The planning process begins with the establishment of a College Risk Management Policy, which describes the who, what, when, where, and why of risk management.

    4. The Procedures. The creation of the Risk Management Procedures guide follows, which describes the how of risk management. This document is based on the NIST SP800-30 Risk Management Guide for Information Technology Systems. This model was chosen because the Governor of Georgia declared within an Executive Order that all State agencies were to adopt the Federal Information Security Management Act (FISMA) as the security and reporting standard. This process is broken into three distinct phases:
        - Risk Assessment
        - Risk Mitigation
        - Evaluation and Assessment
    In addition, awareness training in the form of lecture notes and PowerPoint is available.

    5. PHASE I: Forms/Worksheets
        - Characterization Questionnaire: to begin the information gathering process
        - Business Impact Analysis (BIA) Questionnaire: to identify and prioritize the identified systems and their risks
        - Information Technology Threats, Risk Assessment Worksheet: to support the information gathering of the BIA
        - Cost-Benefit Analysis Worksheet: to support the information gathering of the BIA

    6. PHASE II. After the BIA is complete and submitted to the Office of Information Security, phase two, titled Risk Mitigation, begins. This phase of the process focuses on the controls needed to protect the information systems and processes where data is stored, processed, or transmitted. The goal is to protect the data's:
        - Confidentiality
        - Integrity
        - Availability
    In support of this process are the Risk Management Procedures guide, the Information Technology Threats, Risk Assessment Worksheet, the Cost-Benefit Analysis Worksheet, and the BIA.

    7. PHASE III: Forms/Worksheets. Risk Assessment Report, prepared by the Information Security Office from the work submitted in the interview process. This report is to be provided to:
        - The unit being interviewed, so that the unit may use the information in the creation of their COOP/BCP
        - Public Safety
        - College-wide EOP/BCP

    8. Assessment/Audit. Information Security Risk Assessment Checklist: a High-Level Tool to Assist USG Institutions with Risk Analysis. This Checklist should be completed by the institution's Information Security Officer (ISO) or designee, in cooperation with the Chief Information Officer. A response to the items in each section should be prepared to accurately reflect the point-in-time picture of the institution's security posture.
        - Identify the levels of risk associated with any of the items that result in a "no" response.
        - Develop an appropriate action plan to mitigate the identified risk.
        - Assign roles and responsibilities for implementing and monitoring timely completion of the action plan (Plan-of-Action & Milestones).

    9. Assessment/Audit. The topics covered within the audit are:
        - Institutional and Management Practices
        - Personnel Practices
        - Physical Security Practices
        - Data Security Practices
        - Information Integrity Practices
        - Software Integrity Practices
        - Personal Computer Security Practices
        - Network Protection Practices
        - Incident Response Practices

    10. Questions?
