CYB-: Risk Management and Information Technology Security
I will provide the book link if needed.
Getting Started
Risk Management Plan
As discussed so far in this course, risk management is an important process for all organizations. This is particularly true for information systems, which provide critical support for organizational missions. The heart of risk management is a formal risk management plan.
This part of the project is a continuation of Project 1, Part 1, where you prepared an RA plan and a risk mitigation plan for DLIS. Senior management at DLIS decided that the risk manager and his/her team should continue and develop an RA plan based on inputs provided by the team in earlier project deliverables. Management has also allocated funds for a risk mitigation plan and a BIA plan. Because of the importance of risk management to the organization, senior management is committed to and supportive of the project to develop a new plan. You have been assigned to develop this new plan.
Upon successful completion of this assignment, you will be able to:
- Explain the basic concepts of and need for risk management.
- Identify compliancy laws, standards, best practices, and policies of risk management.
- Describe the components of an effective organizational risk management program.
- Describe techniques for identifying relevant threats, vulnerabilities, and exploits.
- Identify risk mitigation security controls.
- Describe concepts for implementing risk mitigation throughout an organization.
- Perform a business impact analysis for a provided scenario.
- Create a business continuity plan (BCP) based on the findings of a given risk assessment for an organization.
- Create a disaster recovery plan (DRP) based on the findings of a given risk assessment for an organization.
- Create a Computer Incident Response Team (CIRT) plan for an organization in a given scenario.
Resources
- Textbook: Managing Risk in Information Systems (Chapters 4-6)
- ISO References:
- ISO/IEC 22399:2007 Guideline for incident preparedness and operational continuity management.
- ISO/IEC 24762:2008 Guidelines for information and communications technology disaster recovery services.
- Supplemental (Optional) Book References:
- James C. Barnes, A Guide to Business Continuity Planning
- Kenneth L. Fulmer, Business Continuity Planning, A Step-by-Step Guide with Planning Forms
- Judy Bell, Disaster Survival Planning: A Practical Guide for Businesses
Background Information
The scenario remains the same as it was in the first part of the project (see 2.5 Assignment: Project 1, Part 1).
Scenario:
You are an information technology (IT) intern working for the Defense Logistics Information Service (DLIS) in Battle Creek, Michigan. DLIS is an organization within the Defense Logistics Agency (DLA), which is the largest logistics combat support agency for the Department of Defense. DLIS creates, manages, and disseminates logistics information to military and government customers using the latest technology.
Senior management at DLIS decided that the existing risk management plan for the organization is out of date, and that a new risk management plan must be developed. Because of the importance of risk management to the organization, senior management is committed to and supportive of the project to develop a new plan. You have been assigned to develop this new plan.
Instructions
- Review the rubric to make sure you understand the criteria for earning your grade.
- Task 1: Introduction and Business Impact Analysis Plan
- As discussed so far in this course, risk management is an important process for all organizations. This is particularly true for information systems, which provide critical support for organizational missions. The heart of risk management is a formal risk management plan.
- This part of the project is a continuation of Project 1, Part 1, where you prepared an RA plan and a risk mitigation plan for DLIS. Senior management at DLIS decided that the risk manager and his/her team should continue and develop an RA plan based on inputs provided by the team in earlier project deliverables. Management has also allocated funds for a risk mitigation plan and a BIA plan. Because of the importance of risk management to the organization, senior management is committed to and supportive of the project to develop a new plan. You have been assigned to develop this new plan.
- Task 2: Business Continuity Plan
- After having reviewed and been impressed by your Project 1, Part 1 on Risk Management, the senior management at DLIS decided that your team must also develop a BCP, as your team is doing so well. Management has also allocated all funds for a BCP, and your team has their full support, as well as free rein to call on any of them for participation or inclusion in your BCP. You have been assigned to develop this new plan after taking into consideration the following additional information on the DLIS IT infrastructure.
- DLIS has a global reach and at least 50 file servers and various databases (12) running everything from an enterprise resource planning (ERP) system to the organization's payroll system, which has an electronic funds transfer (EFT) capability. Also worth noting is a warm site within 50 miles of the headquarters data center; no plans exist for it, and you will want to use it in your BCP planning. Currently, backups are done with an outside vendor. However, your team will want to recommend a new process (vendor) and develop a new backup plan for approximately five terabytes (TB) of critical classified data. Do not forget to develop a testing plan for your team's BCP.
- You can refer to the following additional resources that will help you and your team to develop a BCP:
- ISO References:
- ISO/IEC 22399:2007 Guideline for incident preparedness and operational continuity management.
- ISO/IEC 24762:2008 Guidelines for information and communications technology disaster recovery services.
- Supplemental (Optional) Book References (links to Amazon.com):
- James C. Barnes, A Guide to Business Continuity Planning
- Kenneth L. Fulmer, Business Continuity Planning: A Step-by-Step Guide with Planning Forms
- Judy Bell, Disaster Survival Planning: A Practical Guide for Businesses
- Task 3: Disaster Recovery Plan
- Your project on risk management up to this point has been liked and appreciated by the senior management at DLIS. They now want you to develop a DRP in order to overcome any mishaps that might occur in the future. Use your research on NIST templates to develop a DRP for DLIS.
- Task 4: Computer Incident Response Team Plan
- By now you should have developed a RA, BIA, BCP, DRP, and a risk mitigation plan.
- In this assignment, you will create a CIRT plan for DLIS after having learned the concepts of CIRT. Remember that the DLIS headquarters (HQ) handles all incidents, so the plan will have its roots at HQ. After creating the CIRT plan, you will have to compile the completed set of your risk management plans together for final submission of the project. Make sure to incorporate your instructor's feedback in your final set of risk management plans.
- After reading the scenario and explanation above, submit your response in a Microsoft Word document following APA Style. Your paper should be four to five pages in length, excluding the APA title and Reference pages. Cite any sources utilized in-text and in the References following APA style.
- When you've completed your assignment, save a copy for yourself and submit a copy to your instructor using the Assignment submission page by the end of the workshop.