
IS 3110

Risk Management Plan


10/14/2013

Risk Management Plan

Version 1.1

TABLE OF CONTENTS
1 INTRODUCTION
1.1 PURPOSE
1.2 SCOPE
1.3 COMPLIANCE LAWS AND REGULATIONS
1.4 ROLES AND RESPONSIBILITIES
2 RISK MANAGEMENT PROCEDURE
2.1 RISK PLANNING
2.2 RISK MONITORING
2.3 RISK REPORTING
2.4 ACTION PLAN
3 TOOLS AND PRACTICES
4 RISK MANAGEMENT PLAN APPROVAL


Introduction:
Information security continuous monitoring (ISCM) is defined as maintaining ongoing
awareness of information security, vulnerabilities, and threats to support organizational risk
management decisions. This publication specifically addresses assessment and analysis of
security control effectiveness and of organizational security status in accordance with
organizational risk tolerance. Security control effectiveness is measured by correctness of
implementation and by how adequately the implemented controls meet organizational needs in
accordance with current risk tolerance. Organizational security status is determined using metrics
established by the organization to best convey the security posture of an organization's
information and information systems, along with organizational resilience given known threat
information. This necessitates:
Maintaining situational awareness of all systems across the organization;
Maintaining an understanding of threats and threat activities;
Assessing all security controls;
Collecting, correlating, and analyzing security-related information;
Providing actionable communication of security status across all tiers of the organization; and
Active management of risk by organizational officials.

Purpose:
The purpose of this guideline is to assist organizations in the development of an ISCM strategy
and the implementation of an ISCM program that provides awareness of threats and
vulnerabilities, visibility into organizational assets, and the effectiveness of deployed security
controls. The ISCM strategy and program support ongoing assurance that planned and
implemented security controls are aligned with organizational risk tolerance, as well as the
ability to provide the information needed to respond to risk in a timely manner. Senior
management at Defense Logistics Information Service has decided that the risk management
plan for the organization is out of date. Because of the importance of risk management, a new
plan needs to be developed. The risk management plan is for the organization's use only. This
new risk management plan will not only minimize the amount of risk for future endeavors, but
will also be in compliance with regulations and standards such as the Federal Information Security
Management Act (FISMA), Department of Defense (DOD), Department of Homeland Security
(DHS), National Institute of Standards and Technology (NIST), Control Objectives for Information
and related Technology (COBIT), and the Information Assurance Certification and Accreditation
Process (DIACAP).


Scope:
This risk management plan is for the organization's use only and covers its network, including
remote access. Any outside source that falls outside this scope and plan may cause the network
infrastructure to fail or leave it a high-risk structure, because unprotected outside sources
interacting with other outside sources could allow hackers to infiltrate the system and steal
important files. The scope of this project will include the planning, scheduling, budgeting, and
consultation needed to perform an in-depth risk assessment and research to determine which
compliance laws this organization must follow. We must identify all the risks and vulnerabilities
associated with this organization and create viable solutions that may mitigate these risks as
quickly and as inexpensively as possible without compromising the integrity and confidentiality
of any business assets. A cost-benefit analysis should also be conducted prior to the planning
phase of this project. Implementing and executing these policies and procedures in order
to mitigate these risks is a critical part of this project's process. Security features such as controls,
audit logs, applying patches, etc. will be implemented, monitored, reported, and documented.
Other risks such as natural disasters and accidental fires/floods should also be considered and
accommodated accordingly, including a backup and disaster recovery plan.

Risk Management Procedure

The risk management procedure will start by obtaining senior management support and
involvement, designating focal points, defining procedures, creating a schedule with milestones
and deadlines, involving business and technical experts as consultants, and controlling,
maintaining, monitoring, reporting, analyzing, and documenting results. This procedure will
identify risks, threats, vulnerabilities, and the likelihood of those risks materializing; identify
and rank critical issues and operations; estimate potential damage; identify cost-effective
mitigating controls; and document assessment findings. All policies and procedures will support
or be in compliance with the FISMA, COBIT, DIACAP, and PCI standards.

Risk Analysis
Risks may vary greatly, from natural disasters, operational errors, software vulnerabilities, and
financial hardships to human interactions such as attackers, buffer overflow attacks, SYN
flood attacks, etc. Network and server crashes, loss of connectivity, broken or damaged
equipment/hardware including workstations, employees calling in sick, hard deadlines not being
met, costs, no IDs, and open ports on the firewall can all be considered risks. Not having any
anti-virus software, not updating the operating systems, running unneeded services and
protocols, and not having any backups of your business assets such as files and applications are
some of the risks that should be considered critical to an organization. The severity of the
loss/impact will depend greatly on the risk associated with it.

Risk table (columns: Threat; Vulnerability; Harmful event/loss; Mitigation; Probability of occurrence)

Threat: Users
Vulnerability: Lack of access controls
Harmful event/loss: Loss of production data and confidentiality
Mitigation: Implement both authentication and access controls
Probability of occurrence: High

Threat: Workstations/Equipment Failure
Vulnerability: Data not backed up
Harmful event/loss: Loss of data availability (impact of loss determined by value of data)
Mitigation: Backup data regularly, keep copies of backup offsite
Probability of occurrence: Medium

Threat: Malware and viruses
Vulnerability: Lack of antivirus software, outdated definitions
Harmful event/loss: Infection (impact of loss determined by payload of malware)
Mitigation: Install antivirus software, update definitions at least weekly
Probability of occurrence: Medium

Threat: Denial of Service (DoS) or distributed denial of service (DDoS) attack
Vulnerability: Public facing servers not protected with firewalls and intrusion detection systems
Harmful event/loss: Loss of service availability
Mitigation: Implement firewalls, implement intrusion detection systems
Probability of occurrence: High

Threat: Stolen data
Vulnerability: Access controls not properly implemented
Harmful event/loss: Loss of confidentiality of data
Mitigation: Implement both authentication and access controls, use principle of need to know
Probability of occurrence: Medium

Threat: Social engineering
Vulnerability: Lack of security awareness
Harmful event/loss: Loss depends on the goals and success of attacker
Mitigation: Provide training, raise awareness through posters, occasional e-mails, and mini-presentations
Probability of occurrence: Low

Threat: Fire and Flood
Vulnerability: Lack of fire detection and suppression equipment
Harmful event/loss: Can be total loss of business
Mitigation: Install fire detection and suppression equipment. Purchase insurance
Probability of occurrence: Low

Threat: Hurricane, earthquake, tornado
Vulnerability: Location
Harmful event/loss: Can be total loss of business
Mitigation: Purchase insurance, designate alternate backup sites
Probability of occurrence: Low


Compliance Laws and Regulation:

Federal Information Security Management Act (FISMA) compliance is required for federal agencies
to protect their important information. There are other organizations whose standards apply to
risk management projects, including the National Institute of Standards and Technology (NIST),
the Department of Defense (DOD), the Information Assurance Certification and Accreditation
Process (DIACAP), and Control Objectives for Information and related Technology (COBIT).
Department of Homeland Security (DHS) compliance is also required for the protection of the
United States against terrorists. The DLIS security and safety risk management
program also encompasses many operational departments and services throughout the
organization including the buildings and grounds, DOD regulatory compliance, disaster
preparation and management, employee health, accident reporting and investigation, budget,
information technology, and human resources.

Roles and Responsibilities:

Head of Agency. The agency head is likely to participate in the organization's ISCM
program within the context of the risk executive (function).
Risk Executive (Function). The risk executive (function) oversees the organization's ISCM
strategy and program. The risk executive (function) reviews status reports from the ISCM
process as input to information security risk posture and risk tolerance decisions and
provides input to mission/business process and information systems tier entities on ISCM
strategy and requirements; promotes collaboration and cooperation among organizational
entities; facilitates sharing of security-related information; provides an organization-wide
forum to consider all sources of risk; and ensures that risk information is considered for
continuous monitoring decisions.
Chief Information Officer (CIO). The CIO leads the organization's ISCM program.
The CIO ensures that an effective ISCM program is established and implemented for the
organization by establishing expectations and requirements for the organization's ISCM
program; working closely with authorizing officials to provide funding, personnel, and
other resources to support ISCM; and maintaining high-level communications and
working group relationships among organizational entities.
Senior Information Security Officer (SISO). The SISO establishes, implements, and
maintains the organization's ISCM program; develops organizational program guidance
(i.e., policies/procedures) for continuous monitoring of the security program and
information systems; develops configuration management guidance for the organization;
consolidates and analyzes POA&Ms to determine organizational security weaknesses and
deficiencies; acquires or develops and maintains automated tools to support ISCM and
ongoing authorizations; provides training on the organization's ISCM program and
process; and provides support to information owners/information system owners and
common control providers on how to implement ISCM for their information systems.

Authorizing Official (AO). The AO assumes responsibility for ensuring the
organization's ISCM program is applied with respect to a given information system. The
AO ensures the security posture of the information system is maintained, reviews security
status reports and critical security documents, and determines if the risk to the
organization from operation of the information system remains acceptable. The AO also
determines whether significant information system changes require reauthorization
actions and reauthorizes the information system when required.
Information System Owner (ISO)/Information Owner/Steward. The ISO establishes
processes and procedures in support of system-level implementation of the organization's
ISCM program. This includes developing and documenting an ISCM strategy for the
information system; participating in the organization's configuration management
process; establishing and maintaining an inventory of components associated with the
information system; conducting security impact analyses on changes to the information
system; conducting, or ensuring conduct of, assessment of security controls according to
the ISCM strategy; preparing and submitting security status reports in accordance with
organizational policy and procedures; conducting remediation activities as necessary to
maintain system authorization; revising the system-level security control monitoring
process as required; reviewing ISCM reports from common control
providers to verify that the common controls continue to provide adequate protection for
the information system; and updating critical security documents based on the results of
ISCM.
Information System Security Officer (ISSO). The ISSO supports the organization's
ISCM program by assisting the ISO in completing ISCM responsibilities and by
participating in the configuration management process.
Common Control Provider. The common control provider establishes processes and
procedures in support of ongoing monitoring of common controls. The common control
provider develops and documents an ISCM strategy for assigned common controls;
participates in the organization's configuration management process; establishes and
maintains an inventory of components associated with the common controls; conducts
security impact analyses on changes that affect the common controls; ensures security
controls are assessed according to the ISCM strategy; prepares and submits security
status reports in accordance with organizational policy/procedures; conducts remediation
activities as necessary to maintain common control authorization; updates/revises the
common security control monitoring process as required; updates critical security
documents as changes occur; and distributes critical security documents to individual
information owners/information system owners, and other senior leaders in accordance
with organizational policy/procedures.
Security Control Assessor. The security control assessor provides input into the types of
security-related information gathered as part of ISCM and assesses information system
or program management security controls for the organization's ISCM program. The
security control assessor develops a security assessment plan for each security control;
submits the security assessment plan for approval prior to conducting assessments;
conducts assessments of security controls as defined in the security assessment plan;
updates the security assessment report as changes occur during ISCM; and
updates/revises the security assessment plan as needed.


Organizations may define other roles (e.g., information system administrator, ISCM program
manager) as needed to support the ISCM process. The roles and responsibilities above are taken
from the National Institute of Standards and Technology (NIST) Special Publication 800-137,
Information Security Continuous Monitoring (ISCM) for Federal Information Systems and
Organizations.

Provide input to the development of the organizational ISCM strategy including
establishment of metrics, policy, and procedures, compiling and correlating Tier 3 data
into security-related information of use at Tiers 1 and 2, policies on assessment and
monitoring frequencies, and provisions for ensuring sufficient depth and coverage when
sampling methodologies are utilized.

Review monitoring results (security-related information) to determine security status in
accordance with organizational policy and definitions.

Analyze potential security impact to organization and mission/business process functions
resulting from changes to information systems and their environments of operation, along
with the security impact to the enterprise architecture resulting from the addition or
removal of information systems.

Make a determination as to whether or not current risk is within organizational risk
tolerance levels.

Take steps to respond to risk as needed (e.g., request new or revised metrics, additional or
revised assessments, modifications to existing common or PM security controls, or
additional controls) based on the results of ongoing monitoring activities and assessment
of risk.

Update relevant security documentation.

Review new or modified legislation, directives, policies, etc., for any changes to security
requirements.

Review monitoring results to determine if organizational plans and policies should be
adjusted or updated.

Review monitoring results to identify new information on vulnerabilities.

Review information on new or emerging threats as evidenced by threat activities present
in monitoring results, threat modeling (asset- and attack-based), classified and
unclassified threat briefs, US-CERT reports, and other information available through
trusted sources, interagency sharing, and external government sources.

Provide input to the development and implementation of the organization-wide ISCM
strategy along with development and implementation of the system level ISCM strategy.

Support planning and implementation of security controls, the deployment of automation
tools, and how those tools interface with one another in support of the ISCM strategy.

Determine the security impact of changes to the information system and its environment
of operation, including changes associated with commissioning or decommissioning the
system.

Assess ongoing security control effectiveness.

Take steps to respond to risk as needed (e.g., request additional or revised assessments,
modify existing security controls, implement additional security controls, accept risk,
etc.) based on the results of ongoing monitoring activities, assessment of risk, and
outstanding items in the plan of action and milestones.

Provide ongoing input to the security plan, security assessment report, and plan of action
and milestones based on the results of the ISCM process.

Report the security status of the information system including the data needed to inform
Tiers 1 and 2 metrics.

Review the reported security status of the information system to determine whether the
risk to the system and the organization remains within organizational risk tolerances.

Risk Management Planning Process:

The Defense Logistics Information Services team will provide detailed documentation that
includes mitigation techniques explaining the risks that have been identified, analyzed, and
essentially mitigated. Our team will also provide a mechanism for reaching consensus, support
for needed controls, and a means for communicating and documenting results. Recommended
solutions for the Defense Logistics Agency will be implemented, such as creating a firewall
policy; configuring, managing, testing, and implementing the firewalls; and determining
what traffic should be allowed. We may also add network and host firewalls and an
intrusion detection system, along with additional administrators for separation of duties.
Regularly updating anti-virus software, the operating system, and applications will have a
positive effect on this organization. Therefore an update and backup policy, which should include
information about a warm site, will also be created for security purposes.
Each major risk (those falling in the Red & Yellow zones) will be assigned to a project team
member for monitoring purposes to ensure that the risk will not fall through the cracks.
For each major risk, one of the following approaches will be selected to address it:
Avoid: eliminate the threat by eliminating the cause.
Mitigate: identify ways to reduce the probability or the impact of the risk.
Accept: nothing will be done.
Transfer: make another party responsible for the risk (buy insurance, outsourcing, etc.).
For each risk that will be mitigated, the project team will identify ways to prevent the risk from
occurring or reduce its impact or probability of occurring. This may include prototyping, adding
tasks to the project schedule, adding resources, etc. For each major risk that is to be mitigated or
that is accepted, a course of action will be outlined for the event that the risk does materialize in
order to minimize its impact.


RISK MONITORING, CONTROLLING, AND REPORTING:

Vulnerabilities are weaknesses in the environment, system architecture, design, or
implementation; the organizational policies, procedures, or practices; and the management or
administration of hardware, software, data, facility, or personnel resources. Vulnerabilities that
are exploited may cause harm to the system or information processed, transported, or stored by
the system. In accordance with NIST Recommended Security Controls for Federal Information
Systems, SP 800-53, the vulnerability analysis encompasses the following three security control
areas:

Management Controls are safeguards related to the management of security of the
system and management of the risk for a system. Examples of management
vulnerabilities include lack of risk management, life cycle activities, system security
plans, certification and accreditation activities, and security control reviews.

Operational Controls comprise the operational procedures that are performed with
respect to an information system. More often than not, these vulnerabilities stem from
the lack of (or an insufficiency in) the various practices and procedures that are critical to
the secure operation of a system. Examples of operational vulnerabilities include the lack
of (adequate) security awareness and training, security monitoring and detection
provisions, personnel and physical security controls and security auditing, and the
absence of some or all of the procedural documentation critical to an effectively applied
and managed security program.

Technical Controls are countermeasures related to the protection of hardware, software,
system architecture, and modes of communication. Examples of technical vulnerabilities
include insufficient security software controls and mechanisms, faulty operating system
code, lack of virus controls and procedures, and lack of authentication and access
controls.

Normally, vulnerabilities are identified during the risk assessment or during
security testing and evaluation. In order to gain an understanding of the system
vulnerabilities, major security certification activities include:

Developing a detailed data collection questionnaire.
Conducting site surveys and visits of representative installation sites.
Interviewing users and maintainers of the system.
Documenting findings.

After analyzing system management, operational, and technical security controls for the Defense
Logistics Agency in its fielded environment, system vulnerabilities are then identified, mitigated,
and then monitored and reported. The analysis of the Defense Logistics Agency's system
vulnerabilities, the threats associated with them, and the probable impact of that vulnerability
exploitation resulted in a risk rating for each missing or partially implemented control. The risk
level was determined based on the following two factors:

Likelihood of Occurrence - The likelihood to which the threat can exploit vulnerabilities
given the system environment and other mitigating controls that are in place.

Impact - The impact of the threat exploiting the vulnerability in terms of loss of tangible
assets or resources and impact on the organization's mission, reputation or interest.

To determine overall risk levels, the analyst must first look at how important the availability,
integrity, and confidentiality of the system are in relation to its ability to perform its function,
and the types of damage that could be caused by the exercise of each threat-vulnerability pair.
Exploitation of a vulnerability may result in one or more of the following types of damage to a
system or its data:

Loss of Availability/Denial of Service - Access to the system, specific system
functionality or data is not available (asset is not destroyed).

Loss of Integrity/Destruction and/or Modification - Total loss of the asset either by
complete destruction of the asset or irreparable damage, or unauthorized change,
repairable damage to the asset, or change to asset functionality.

Loss of Confidentiality/Disclosure - Release of sensitive data to individuals or to the
public who do not have a need to know.

The level of risk on a project will be tracked, monitored and reported throughout the project
lifecycle. A Top 10 Risk List will be maintained by the project team and will be reported as a
component of the project status reporting process for this project. All project change requests
will be analyzed for their possible impact to the project risks. Management will be notified of
important changes to risk status as a component to the Executive Project Status Report.
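As an added example (not part of the plan itself), the register below encodes the plan's threat table and the two-factor rating described in this section: each row is scored from likelihood and impact, placed in the Red/Yellow zones that the planning process uses to define a major risk, ranked into the Top 10 Risk List, and assigned to a project team member. The probabilities, threats, vulnerabilities and mitigations are the plan's own; the impact ratings, the 3x3 rating matrix, the zone thresholds and the team member names are assumptions.

```python
"""Risk register for this plan's threat table and two-factor risk rating.
Added example, not part of the original plan. Table rows are the plan's; the
impact ratings, 3x3 matrix, zone thresholds and team names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

LEVELS = {"Low": 1, "Medium": 2, "High": 3}
APPROACHES = ("Avoid", "Mitigate", "Accept", "Transfer")  # the plan's four responses

def risk_score(likelihood: str, impact: str) -> int:
    """Combine the plan's two factors into a 1..9 score (assumed matrix)."""
    return LEVELS[likelihood] * LEVELS[impact]

def zone_for(score: int) -> str:
    """Assumed thresholds: Red for 6..9, Yellow for 3..5, Green below that."""
    return "Red" if score >= 6 else "Yellow" if score >= 3 else "Green"

@dataclass
class Risk:
    threat: str
    vulnerability: str
    harmful_event: str
    mitigation: str
    likelihood: str             # the plan's "Probability of occurrence" column
    impact: str                 # assumption: Low / Medium / High
    approach: str = "Mitigate"  # one of APPROACHES
    owner: str = ""             # project team member monitoring the risk

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def zone(self) -> str:
        return zone_for(self.score)

REGISTER: List[Risk] = [
    Risk("Users", "Lack of access controls", "Loss of production data and confidentiality",
         "Implement both authentication and access controls", "High", "High"),
    Risk("Workstations/Equipment Failure", "Data not backed up", "Loss of data availability",
         "Backup data regularly, keep copies of backup offsite", "Medium", "Medium"),
    Risk("Malware and viruses", "Lack of antivirus software, outdated definitions", "Infection",
         "Install antivirus software, update definitions at least weekly", "Medium", "High"),
    Risk("Denial of Service (DoS/DDoS) attack", "Public facing servers not protected with firewalls and IDS",
         "Loss of service availability", "Implement firewalls and intrusion detection systems", "High", "Medium"),
    Risk("Stolen data", "Access controls not properly implemented", "Loss of confidentiality of data",
         "Authentication and access controls, principle of need to know", "Medium", "High"),
    Risk("Social engineering", "Lack of security awareness", "Loss depends on the goals and success of attacker",
         "Provide training, raise awareness", "Low", "Medium"),
    Risk("Fire and Flood", "Lack of fire detection and suppression equipment", "Can be total loss of business",
         "Install fire detection and suppression equipment. Purchase insurance", "Low", "High", "Transfer"),
    Risk("Hurricane, earthquake, tornado", "Location", "Can be total loss of business",
         "Purchase insurance, designate alternate backup sites", "Low", "High", "Transfer"),
]

def top_risks(register: List[Risk], n: int = 10) -> List[Risk]:
    """The plan's Top 10 Risk List: highest score first, ties broken by threat name."""
    return sorted(register, key=lambda r: (-r.score, r.threat))[:n]

def assign_owners(register: List[Risk], team: List[str]) -> Dict[str, str]:
    """Give every major (Red or Yellow) risk a team member, round-robin, highest risk first."""
    assigned: Dict[str, str] = {}
    majors = [r for r in top_risks(register, len(register)) if r.zone != "Green"]
    for i, risk in enumerate(majors):
        risk.owner = team[i % len(team)]
        assigned[risk.threat] = risk.owner
    return assigned

def check_register(register: List[Risk]) -> List[str]:
    """Findings to clear before approval: unknown approach, or a major risk nobody monitors."""
    findings = []
    for r in register:
        if r.approach not in APPROACHES:
            findings.append(f"{r.threat}: unknown approach {r.approach!r}")
        if r.zone != "Green" and not r.owner:
            findings.append(f"{r.threat}: {r.zone} zone risk has no owner")
    return findings

def status_report(register: List[Risk]) -> List[str]:
    """One line per risk, ranked, for the Executive Project Status Report."""
    return [f"{r.zone:<6} {r.score} {r.likelihood}/{r.impact:<6} {r.approach:<8} "
            f"{r.owner or '-':<16} {r.threat}" for r in top_risks(register)]

if __name__ == "__main__":
    print(*check_register(REGISTER), sep="\n")   # every major risk is still unowned
    assign_owners(REGISTER, ["Project Manager", "Technical lead", "IT intern"])
    print(*status_report(REGISTER), sep="\n")
```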

Deliverable 1:
Risk Assessment- a determination of what the company will need will be made outlining what
requires attention first and in what priority if multiple items are at risk or vulnerable. The risk
assessment will also determine which threat or risk would cause the most expensive/harmful
damage to that business and the time required making those repairs.

Deliverable 2:
Security Controls- will identify how the data and resources housing the data will be protected
from unauthorized entry.

Deliverable 3:
Disaster Recovery Plan- will include back-up and redundancy; if something breaks/fails or is
damaged due to fire/floods and other natural disasters, this plan will outline how to repair it.

Action Plan

Create a regularly scheduled maintenance plan and include a backup and updating policy.

Create redundancy on the servers by using multiple hard drives and RAID cards.

Create a firewall policy and determine what traffic should be allowed into the network,
then set up these firewalls on network routers for an added layer of security.

Have extra materials onsite along with 24-hour on-call IT support for emergency calls.

Create a password policy for the organization to use complex passwords within the
network and have employees change their passwords regularly. Security breaches in the
network such as user/hacker threats may occur when passwords are stolen because
unprotected wireless networks were used.

Security may be compromised by failing to change employee login information when an
employee leaves or is terminated. Not all former employees may be disgruntled and
vindictive, but it only takes one. Human resources should be contacted immediately for
legal action in these circumstances.

An intrusion detection system should be put in place and monitored. Hackers may use
packet sniffers and password cracking software to gain access into the network and create
denial of service attacks. In either case security breaches can lead to serious business
damages.

Identify and correctly implement all system-level preventive security controls
(technical, operational, and management controls) and audit logs to monitor and
prevent attacks.

Use encryption when sending and receiving data across the network. Business and
personal information may be compromised, network services could be interrupted, and
damage would depend on the type of attack suffered. Anywhere from network/server
crashes to stolen information could result in loss of production, and even loss of revenue.

A fire suppression system should be made available in the building in the event of a fire.

Create a contingency plan and a policy statement.

Create testing, training, and exercising manuals.

Create separation of duties.


Tools and Practices:

A Risk Log will be maintained by the project manager and will be reviewed as a standing
agenda item for project team meetings.

Disaster Recovery Plan

An information technology (IT) disaster recovery (DR) plan provides a structured approach
for responding to unplanned incidents that threaten an IT infrastructure, which includes
hardware, software, networks, processes and people. Protecting the Defense Logistics
Information Services (DLIS) investment in its technology infrastructure, and protecting its
ability to conduct business, are the key reasons for implementing an IT disaster recovery plan.
We will provide step-by-step procedures for recovering disrupted systems and networks, and
help them resume normal operations in a timely manner. The goal of these processes is to
minimize any negative impacts such as loss of revenue and loss of data and confidentiality to
DLIS operations. The IT disaster recovery process identifies critical IT systems and networks;
prioritizes their recovery time objective; and outlines the steps needed to restart, reconfigure, and
recover them. A comprehensive IT DR plan also includes all the relevant supplier contacts,
sources of expertise for recovering disrupted systems, and a logical sequence of action steps to
take for a smooth recovery.

Develop the contingency planning policy statement. A formal policy provides the
authority and guidance necessary to develop an effective contingency plan.
Backup and recovery warm sites. Formal backup and recovery policies and
procedures.
Conduct the business impact analysis (BIA). The business impact analysis helps to
identify and prioritize critical IT systems and components.
Identify preventive controls. These are measures that reduce the effects of system
disruptions and can increase system availability and reduce contingency life cycle costs.
Develop recovery strategies. Thorough recovery strategies ensure that the system can be
recovered quickly and effectively following a disruption.
Develop an IT contingency plan. The contingency plan should contain detailed guidance
and procedures for restoring a damaged system.
Plan testing, training and exercising. Testing the plan identifies planning gaps, whereas
training prepares recovery personnel for plan activation; both activities improve plan
effectiveness and overall agency preparedness.
Plan maintenance. The plan should be a living document that is updated regularly to
remain current with system enhancements.


Types of Teams

Senior Management support
Project Manager
Technical team members
IT Interns for DLIS

In the Event of a Disaster

The actions taken in the initial minutes of an emergency are critical. A prompt warning to
employees to evacuate, shelter or lockdown can save lives. A call for help to public emergency
services that provides full and accurate information will help the dispatcher send the right
responders and equipment. An employee trained to administer first aid or perform CPR can be
lifesaving. Action by employees with knowledge of building and process systems can help
control a leak and minimize damage to the facility and the environment.

Recovery Scenarios

Minor Damage Scenarios

Employee theft or fraud

Change employee login information when an employee leaves the company. Monitor
audit logs and surveillance for more potential employee threats.

Major Damage Scenarios

Hurricane and water damages

Redundancy servers, backups and off-site back-up facilities. Maintain a log of all data
stored. Have a temporary or mobile network site available for operations until the site can
be brought back online.

Recovery Activities
DLIS will define roles and responsibilities, designate where employees are to assemble if forced
to evacuate the building, and maintain lists of key contacts and their contact information,
prepared for ease of authorizing and launching the disaster recovery plan.


Risk Management Plan Approval:

The undersigned acknowledge they have reviewed the Risk Management Plan for the project.
Changes to this Risk Management Plan will be coordinated with and approved by the
undersigned or their designated representatives.
Signature:

Date:

Print Name:
Title:
Role:

Signature:

Date:

Print Name:
Title:
Role:

Signature:

Date:

Print Name:
Title:
Role:

Signature:
Print Name:
Title:
Role:

Date:
