
Posted: August 3rd, 2022

Risk Management Plan

Directions: using the NIST Risk Management Guide for Information Technology Systems
https://csrc.nist.gov/publications/detail/sp/800-30/archive/2002-07-01

and/or

the Department of Homeland Security (DHS) Risk Assessment
https://www.dhs.gov/xlibrary/assets/nipp_it_baseline_risk_assessment.pdf
as a resource,

-Develop and provide an introduction to the plan by explaining its purpose and importance.
-Create an outline for the completed risk management plan.
-Define the scope and boundaries of the plan.
-Research and summarize compliance laws and regulations that pertain to the organization.
-Identify the key roles and responsibilities of individuals and departments within the organization as they pertain to risk management.
-Develop a proposed schedule for the risk management planning process.

Write an initial draft of the risk management plan as detailed in the instructions above. If the company has a risk management plan and you were granted access to it, analyze and align the plan with the NIST and/or DHS standards following the detailed instructions above.

Risk Management Plan
Introduction
Risk management is the process of identifying, assessing, and mitigating risks. The risk management plan is important to the organization because it allows the organization to determine the extent of the potential risks, threats, and vulnerabilities associated with its IT systems. The plan also helps the organization identify appropriate mitigation measures to reduce or eliminate the risks identified.
Risk Management Plan Outline
The plan will include nine major activities accomplished in a nine-step procedure. They include:
1. System characterization – hardware, software, system interface, data and information, people, and system mission.
2. Threat identification – history of system attack, data from intelligence agencies, mass media, NIPC, and OIG.
3. Vulnerability identification – reports from prior risk assessments, any audit comments, security test results, and security requirements.
4. Control analysis – current controls and planned controls.
5. Likelihood determination – threat-source motivation, threat capacity, nature of vulnerability, and current controls.
6. Impact analysis – mission impact analysis, data criticality, data sensitivity, asset criticality assessment, and loss of integrity, availability, and confidentiality.
7. Risk determination – likelihood of threat exploitation, magnitude of impact, and adequacy of planned or current controls.
8. Control recommendation – recommended controls.
9. Result documentation – risk assessment report (Stoneburner et al., 2002).
Scope and Boundaries of the Plan
The risk management plan will operate within a defined environment, risk management context, and set of criteria. The scope and boundaries of the plan include the IT sector baseline risk profile, which provides the IT infrastructure risk profile within the organization's environment. The plan will also cover identity management systems, which are used in issuing and identifying documents and credentials under the authority of the company (DHS, 2009). The plan will also operate within the company IT sector that produces and provides internet-based content, information, and communication. This sector is essential to ensuring that national and economic security, and public health, safety, and confidence, are achieved by the company. The company IT sector offers internet routing, access, and connection services to the outside world, which creates the need for risk assessment to ensure the services are provided within a secure context.
Compliance Laws and Regulations
The laws and regulations regarding the risk management plan include the need to repeat the risk assessment procedure every three years, as provided by OMB Circular A-130. The laws also mandate that the employer or organization ensure the safety of the public and the health of its employees by conducting regular risk assessments with regard to health and safety (Kim & Gregg, 2005).

Roles and Responsibilities
The key roles and responsibilities of the individuals and departments that would support the implementation of the risk management plan are provided in the table below.

Position/Role/Department | Responsibility
Senior Management | Ensure resources are made available and support the risk management program.
Chief Information Officer (CIO) | Conducting IT planning, budgeting, and performance.
Business and Functional Managers | Managing business operations and IT procurement processes to enable the accomplishment of the risk management mission.
IT security program managers and computer security officers | Responsible for the security program of the organization, including risk management.
IT Security Practitioners (network, system, application, and database administrators; computer specialists; security analysts; security consultants) | Responsible for proper implementation of security requirements in their IT systems.

Proposed Schedule
Deliverable | Duration
System characterization | 8 days
Threat identification | 10 days
Vulnerability identification | 5 days
Control analysis | 15 days
Likelihood determination | 5 days
Impact analysis | 14 days
Risk determination | 10 days
Result documentation | 2 days

References
DHS. (2009). Information Technology Sector Baseline Risk Assessment. Retrieved from https://www.dhs.gov/xlibrary/assets/nipp_it_baseline_risk_assessment.pdf
Kim, D., & Gregg, M. (2005). Why You Need to Conduct Risk Assessment. InformIT. Retrieved from https://www.informit.com/articles/article.aspx?p=426764&seqNum=2
Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk Management Guide for Information Technology Systems. NIST. Retrieved from https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf
