I want to make a risk management plan for this business

Question Description

I have a business like Amazon that sells goods. I want to make a risk management plan for this business. I also want a sample assessment of this risk management plan. This is an example of what I want.

RISK MANAGEMENT PLAN: HEALTH NETWORK, INC
Version 1.0
03/27/2018
This is a class project for IT521 at Hood College

VERSION HISTORY
Version # | Implemented By | Revision Date | Approved By | Approval Date | Reason
1.0       |                |               |             |               | Initial Risk Management Plan draft
UP Template Version: 2/20/18
Revision Date: 03/27/2018
TABLE OF CONTENTS
1 INTRODUCTION
1.1 Project Background
1.2 Purpose of the Risk Management Plan
1.3 Scope and Context
1.4 Roles and Responsibilities
2 RISK MANAGEMENT PROCEDURE
2.1 Risk Identification
2.2 Risk Analysis
2.2.1 Qualitative Risk Analysis
2.2.2 Quantitative Risk Analysis
2.3 Risk Response Planning
2.4 Risk Monitoring, Controlling, and Reporting
3 RISK REGISTER
APPENDIX A: REFERENCES
APPENDIX B: KEY TERMS
1 INTRODUCTION
1.1 PROJECT BACKGROUND
The project team was assigned to develop a new risk management plan for the organization, as demanded by the management at Health Network, Inc., to replace an existing risk management plan that is outdated. Management is committed to and supportive of developing a new plan. Our team, which includes [], is assigned to create this new plan. Management has not defined the project budget, but it wants to see all material risks identified within the new plan and will then decide the next action based on the recommendations of this plan.
The team is already working for the organization as IT interns. The health services organization has locations in Minneapolis, Minnesota; Portland, Oregon; and Arlington, Virginia, with the Minnesota facility as its headquarters. The company employs over 600 employees and produces $500 million in annual revenue. The primary products of the company, which this plan covers, are HNetExchange, HNetPay, and HNetConnect. HNetExchange is the primary source of income for the company; its role is handling secure electronic medical messages between healthcare institutes and clinics. HNetPay is a web portal that provides management of secure payments and billing from customers. It is hosted at Health Network production sites. HNetConnect is an online directory that lists doctors, clinics, and healthcare organizations to allow the company’s customers to find the best care near their preferred locations.
1.2 PURPOSE OF THE RISK MANAGEMENT PLAN
The goal of an IT risk management plan is to run an effective organizational risk management program by establishing objectives that outline what the plan should include. Those objectives identify the goals of the project: listing threats, listing vulnerabilities, determining the costs associated with risks, listing recommendations to reduce the risks, assessing the costs associated with the proposals, and performing a cost-benefit analysis (CBA).
A risk is an event or condition that, if it occurs, could have a positive or negative effect on a project’s objectives. Risk management is the process of identifying, assessing, responding to, monitoring, and reporting risks. This Risk Management Plan defines how risks associated with the project to develop a new risk management plan for Health Network, Inc. will be identified, analyzed, and managed. It outlines how risk management activities will be performed, recorded, and monitored throughout the lifecycle of the project and provides templates and practices for recording and prioritizing risks.
1.3 SCOPE AND CONTEXT
It is very important to identify the scope of a risk management plan because it defines the boundaries of the plan and prevents scope creep or the plan getting out of control. Uncontrolled changes in the plan can result in cost overruns and missed deadlines. The acceptable changes are identified by the project manager, management, and stakeholders.
The purpose of the risk management plan is to re-evaluate the current threats and develop a new plan. For this plan, the scope applies to all locations and servers that can protect the organization from risks, threats, and vulnerabilities. This plan consists of the process of identifying and managing risks. Threats recognized early in this project should be addressed immediately.
The scope of the plan includes:
• Security of the server hosting HNetConnect
• Identification of all health data related to
• Identification of all company hardware assets
• Databases and storage of health data
• Services and usage of health data
• Transmission of health data with HNetExchange
• The integrity of transmitted data
• Security of the website itself
• Availability of the website
• The integrity of the website’s data
For any additional activities outside the scope of this plan, written approval is required.
1.4 ROLES AND RESPONSIBILITIES
Assigning roles and responsibilities to specific departments for collecting data and identifying threats and vulnerabilities is an essential part of the RMP. This data will be used to create recommendations and to identify corrective actions. Each department within the organization should support and participate in implementing the plan. Developing a team is a good way to control the scope of the plan. An organized team with clear objectives will help to prevent losses caused by uncontrolled changes to the scope, such as cost overruns and missed deadlines. In addition, a team delegates responsibilities between its members and helps organize the work better. Without a team, the scope could get out of control and fall into scope creep.
The roles that form the risk management plan project team are described as follows:
Role: Chief Information Officer (CIO)
Responsibilities: The most senior executive in Health Network, Inc. responsible for information technology and all related technology, such as computer systems. From the technical perspective, the CIO will be responsible for overseeing and approving all IT projects. The CIO will accomplish this by reviewing and making sure that all goals and requirement criteria are met, and by keeping track of them throughout the lifecycle of the projects.

Role: Chief Financial Officer (CFO)
Responsibilities: Responsible for managing the company’s finances, which includes financial planning, management of financial risks, record-keeping, and financial reporting. Based on the CIO’s recommendation, the CFO will be responsible for approving the IT project. Senior management has not defined the budget for this project, but that does not mean it is unlimited. The funding will be provided by or through the CFO.

Role: Business Managers
Responsibilities: Responsible for driving the work and progress of this plan, an essential role in implementing it. In addition, awareness and education of the team on security policies is part of the Business Managers’ responsibilities. They are also responsible for determining whether a risk is unique, verifying whether a risk is internal or external to this project, and assigning a risk classification and tracking number.

Role: Human Resource Management (HR)
Responsibilities: Responsible for the management of people within the organization and for maximizing employee performance. With the help of the Business Managers, HR will implement a yearly training plan to educate employees on security risks and the protection of the company’s assets.

Role: Chief Information Security Officer (CISO)
Responsibilities: The CISO is a senior-level executive within the company, responsible for establishing and maintaining the enterprise vision, strategy, and program, and for overseeing the company’s security. The CISO should be part of any decision making concerning the IT infrastructure.

Role: Chief Technology Officer (CTO)
Responsibilities: The CTO is an executive within the company who reports to the CIO. He or she focuses on technological issues within the organization and will manage the Information Technology Managers of each department.
2 RISK MANAGEMENT PROCEDURE
This section describes the risk management process and provides an overview of the risk
management approach.
2.1 RISK IDENTIFICATION
Risk identification will involve the project team, appropriate stakeholders, and will include
an evaluation of environmental factors, organizational culture and the project management
plan including the project scope. A Risk Register will be generated and updated as needed
in Section 3.
To identify risks, the project team will take three steps:
• Identify threats
• Identify vulnerabilities
• Estimate the likelihood of a threat exploiting a vulnerability
In this section, the project team will identify threats, risks, and vulnerabilities that could
cause any loss or damage to data of the Health Network, Inc. through the seven domains of
a typical IT infrastructure.
The User Domain includes people: users such as employees, contractors, and consultants. It covers all the users who have access to the other six domains.
The workstation Domain is the end user’s computer. It is susceptible to malicious software,
also known as malware. Moreover, if the workstation does not have antivirus software, the
workstation becomes vulnerable.
The LAN Domain is the area inside the firewall which has a few systems linked together in
a small home network or large network. Also, it has hubs, switches, and routers. The internal
LAN is generally considered a trusted zone, but if hubs are utilized instead of switches, it
will raise the risks of sniffing attacks.
The LAN-to-WAN Domain links the local area network to the wide area network (WAN). The LAN Domain is considered a safe zone since it is controlled by the company, while the WAN Domain is regarded as an unsafe zone because it is not controlled by the company and is accessible by attackers.
The WAN Domain contains any servers that have direct access to the Internet, including any server that has a public IP address. As stated for the LAN-to-WAN Domain, the WAN Domain effectively means the Internet, which is an unsafe zone: any host on the Internet with a public IP address is at significant risk of attack, so servers in the WAN carry significantly higher risk.
The Remote Access Domain provides users access to an internal network from an external location, by direct dial-up or a virtual private network (VPN). When a VPN is used, the VPN server has a public IP address reachable from the Internet.
The System/Application Domain contains any server-based applications which include
email servers, database servers, and any server or system which has a devoted application.
Database servers can be subject to SQL injection attacks.
The following threats and vulnerabilities are identified based on the company’s profile and business plan. They are listed first as threats, then as vulnerabilities, and then combined into risks in the table that follows.
Threats Identified
▪ Virus or worm attacks that cause loss of data and spread to other domains
▪ Loss of customers’ information by users
▪ Loss of company data due to hardware being removed from production systems
▪ Loss of company information on lost or stolen company-owned assets, such as mobile devices and laptops
▪ Loss of customers due to production outages caused by various events, such as natural disasters, change management, unstable software, and so on
▪ Internet threats due to company products being accessible on the Internet
▪ Insider threats
▪ Changes in regulatory landscape that may impact operations
Identification of Vulnerabilities
➢ There is no antivirus software
➢ Lack of training
➢ No policy to prevent information sharing and theft of devices
➢ Loss of data
➢ There is no protection and the firewall is not updated
➢ Shortage of knowledge of the application and abuse of devices such as thumb drives and CDs
➢ Lack of backups and updates for servers, and damage to devices
➢ There are no rules and regulations to maintain the organizational architecture strength
Risks, threats, vulnerabilities, and domains impacted:
1. Risk: Any type of malicious software, such as viruses or worms, enters the network.
   Threat: Virus or worm attacks that cause loss of data and spread to other domains
   Vulnerability: There is no antivirus software
   Domain impacted: Workstation Domain
2. Risk: Misuse of the company’s application
   Threat: Loss of customers’ information by users
   Vulnerability: Lack of training
   Domain impacted: User Domain
3. Risk: Hardware failure
   Threat: Loss of company data due to hardware being removed from production systems
   Vulnerability: Loss of data
   Domain impacted: LAN Domain
4. Risk: Employee steals company laptop
   Threat: Loss of company information on lost or stolen company-owned assets, such as mobile devices and laptops
   Vulnerability: No policy to prevent information sharing and theft of devices
   Domain impacted: Workstation Domain
5. Risk: Communication and network outage
   Threat: Loss of customers due to production outages caused by various events, such as natural disasters, change management, unstable software, and so on
   Vulnerability: Lack of backups and updates for servers
   Domain impacted: WAN Domain
6. Risk: Unauthorized access from the public Internet
   Threat: Internet threats due to company products being accessible on the Internet
   Vulnerability: There is no protection and the firewall is not updated
   Domain impacted: LAN-to-WAN Domain
7. Risk: Abuse of devices and exploiting identity
   Threat: Insider threats
   Vulnerability: Shortage of knowledge of the application, shortage of antivirus programs and updates for them, and abuse of devices such as thumb drives and CDs
   Domain impacted: System/Application Domain
8. Risk: Remodeling of organizational architecture by anyone
   Threat: Changes in regulatory landscape that may impact operations
   Vulnerability: There are no rules and regulations to maintain the organizational architecture strength
   Domain impacted: WAN Domain
2.2 RISK ANALYSIS
All identified risks will be assessed to identify the range of possible project outcomes. Qualitative scoring will be used to determine which risks are the top risks to pursue and respond to and which risks can be ignored.
Risk analysis is the examination of the risks connected with a particular event or action. It is applied to projects, information technology, and security issues. Risks may be analyzed on a quantitative or qualitative basis. The analysis breaks down into the following steps:
1. Specify the scope of the analysis.
2. Collect data.
3. Define and document potential threats and vulnerabilities.
4. Assess current security measures.
5. Define the probability of threat occurrence.
6. Define the potential impact of threat occurrence.
7. Define the level of risk.
8. Specify security measures and finalize documentation.
Likelihood:
Critical – The probability of the event is between 75% and 100%.
Major – The probability of the event is between 45% and 74%.
Minor – The probability of the event is below 44%.
Impact:
Critical – If the risk happens, it will have a high impact on the company. It will impact critical data or systems and cause substantial losses.
Major – If the risk happens, it will have a moderate impact on the company. It may impact critical data or systems, but not to a large extent.
Minor – If the risk happens, it will have minimal impact on the company. The attack will not impact any critical data or systems.
Risk Scoring Matrix (matrix value = likelihood level x impact level):
Likelihood \ Impact   Minor (1)   Major (2)   Critical (3)
Critical (3)              3           6            9
Major (2)                 2           4            6
Minor (1)                 1           2            3
6 to 9 ➔ Critical
3 to 5 ➔ Major
1 to 2 ➔ Minor
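As an added example (not part of the original plan), the following Python implements the scoring rules just described: the likelihood bands, the likelihood x impact matrix value, and the Critical/Major/Minor bands on that value. It then scores the plan's eight risks and orders them by matrix value. The likelihood/impact pairs for risks 1 to 5 are taken from the plan's risk register; the pairs for risks 6 to 8 are assumptions chosen to reproduce the matrix values 4, 2 and 6 given in the qualitative analysis table, and because the plan's likelihood bands leave the 44%-45% boundary undefined, the code treats anything below 45% as Minor.

```python
from dataclasses import dataclass

# Ordinal levels used by the plan's Risk Scoring Matrix.
LEVELS = {"Minor": 1, "Major": 2, "Critical": 3}


def likelihood_level(probability_pct: float) -> str:
    """Map a probability percentage to the plan's likelihood level.
    Plan bands: 75-100% Critical, 45-74% Major, below 44% Minor.
    Assumption: the 44-45% gap in the text is treated as Minor (below 45%)."""
    if not 0 <= probability_pct <= 100:
        raise ValueError("probability must be a percentage between 0 and 100")
    if probability_pct >= 75:
        return "Critical"
    if probability_pct >= 45:
        return "Major"
    return "Minor"


def risk_score(likelihood: str, impact: str) -> int:
    """Matrix value = likelihood level x impact level, giving 1..9."""
    return LEVELS[likelihood] * LEVELS[impact]


def score_band(score: int) -> str:
    """Translate a matrix value into the plan's bands: 6-9 Critical, 3-5 Major, 1-2 Minor."""
    if not 1 <= score <= 9:
        raise ValueError("score must be a matrix value between 1 and 9")
    if score >= 6:
        return "Critical"
    if score >= 3:
        return "Major"
    return "Minor"


@dataclass(frozen=True)
class Risk:
    number: int
    name: str
    likelihood: str
    impact: str


# Risks 1-5: likelihood/impact from the plan's risk register.
# Risks 6-8: assumed pairs that reproduce the plan's matrix values 4, 2 and 6.
RISKS = [
    Risk(1, "Malicious software enters the network", "Major", "Major"),
    Risk(2, "Misuse of the company's application", "Major", "Major"),
    Risk(3, "Hardware failure", "Critical", "Critical"),
    Risk(4, "Employee steals company laptop", "Critical", "Critical"),
    Risk(5, "Communication and network outage", "Critical", "Critical"),
    Risk(6, "Unauthorized access from the public Internet", "Major", "Major"),
    Risk(7, "Abuse of devices and exploiting identity", "Minor", "Major"),
    Risk(8, "Remodeling of organizational architecture by anyone", "Major", "Critical"),
]


def prioritised(risks=RISKS):
    """Return (risk number, matrix value, band) tuples, highest matrix value first;
    ties keep the plan's numbering order."""
    rows = []
    for r in risks:
        score = risk_score(r.likelihood, r.impact)
        rows.append((r.number, score, score_band(score)))
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for number, score, band in prioritised():
        print(f"Risk {number}: matrix value {score} -> {band}")
```

The ordering produced by `prioritised()` is the list a project manager would work from when deciding which risks get response planning first (the Critical band) and which can wait.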
2.2.1 Qualitative Risk Analysis
The probability and impact of occurrence for each identified risk will be assessed by the project manager, with input from the project team, using the Risk Scoring Matrix. Risks that fall within the RED and YELLOW zones will have risk response planning, which may include both a risk mitigation and a risk contingency plan.
Qualitative analysis is a subjective method. It uses relative values based on the opinions of experts, who give their input on the probability and impact of a risk. A qualitative risk analysis can be completed rather quickly. The evaluation generally depends on the severity of the threats: Critical or Major threats should be addressed as soon as possible, while Minor threats might be addressed after all the major threats, as they do not do much damage. In this section, we determine each threat or risk to the Health Network, Inc. project and then place it at a level (High, Medium, or Low) to begin with.
Risks with their threats, vulnerabilities, and matrix values:
1. Risk: Any type of malicious software, such as viruses or worms, enters the network.
   Threat: Virus or worm attacks that cause loss of data and spread to other domains
   Vulnerability: There is no antivirus software
   Matrix value: 4
2. Risk: Misuse of the company’s application
   Threat: Loss of customers’ information by users
   Vulnerability: Lack of training
   Matrix value: 4
3. Risk: Hardware failure
   Threat: Loss of company data due to hardware being removed from production systems
   Vulnerability: Loss of data
   Matrix value: 9
4. Risk: Employee steals company laptop
   Threat: Loss of company information on lost or stolen company-owned assets, such as mobile devices and laptops
   Vulnerability: No policy to prevent information sharing and theft of devices
   Matrix value: 9
5. Risk: Communication and network outage
   Threat: Loss of customers due to production outages caused by various events, such as natural disasters, change management, unstable software, and so on
   Vulnerability: Lack of backups and updates for servers
   Matrix value: 9
6. Risk: Unauthorized access from the public Internet
   Threat: Internet threats due to company products being accessible on the Internet
   Vulnerability: There is no protection and the firewall is not updated
   Matrix value: 4
7. Risk: Abuse of devices and exploiting identity
   Threat: Insider threats
   Vulnerability: Shortage of knowledge of the application, shortage of antivirus programs and updates for them, and abuse of devices such as thumb drives and CDs
   Matrix value: 2
8. Risk: Remodeling of organizational architecture by anyone
   Threat: Changes in regulatory landscape that may impact operations
   Vulnerability: There are no rules and regulations to maintain the organizational architecture strength
   Matrix value: 6
Based on this table, the following is the Risk matrix graph:
2.2.2 Quantitative Risk Analysis
Risk events that have been prioritized using the qualitative risk analysis process, and their effect on project activities, will be analyzed and estimated; a cost will be applied to each risk based on this analysis, and the result documented in this section of the risk management plan.
Quantitative risk analysis uses numbers, such as dollar values. We collect data and then enter it into the standard formula ALE = SLE x ARO. The results help us identify the priority of risks, and we can also use them to determine the effectiveness of controls.
The key terms associated with quantitative risk analysis are:
• Single Loss Expectancy (SLE): the total loss expected from a single incident. An incident happens when a threat exploits a vulnerability.
• Annual Rate of Occurrence (ARO): the number of times an incident is expected to happen in a year.
• Annual Loss Expectancy (ALE): the expected loss for a year.
• Safeguard value
Background:
In our project plan, Health Network has over 600 employees, 1,000 production servers, and 650 corporate laptops and company-issued mobile devices for its employees. Health Network generates $500 million USD in annual revenue. Management is responsible for making the decisions on how to manage the risks. An accurate Cost-Benefit Analysis (CBA) allows management to make informed decisions.
CBA = loss before the safeguard – loss after the safeguard – cost of the safeguard (for antivirus software: loss before AV software – loss after AV software – cost of AV software)
The CBA for all threats is as follows:
1. Virus or worm attacks that cause loss of data and spread to other domains
   a. The recommendation is to install antivirus software.
   b. Previous loss: we assume that direct loss plus indirect loss is $10,000,000 (direct loss + indirect loss = previous loss).
   c. Future loss: the software is expected to reduce the losses by 97 percent: $10,000,000 – ($10,000,000 x 0.97) = $300,000
   d. Cost of recommendation: $20 per device; we have 1,650 devices that need antivirus software. The total cost is $20 x 1,650 = $33,000
   e. CBA = $10,000,000 – $300,000 – $33,000 = $9,667,000
2. Loss of customers’ information by users
   a. The recommendation is to train employees.
   b. Previous loss: we assume that direct loss plus indirect loss is $3,000,000 (direct loss + indirect loss = previous loss).
   c. Future loss: the training is expected to reduce the losses by 96 percent: $3,000,000 – ($3,000,000 x 0.96) = $120,000
   d. Cost of recommendation: $0, because it is the responsibility of Human Resources and the head of each department.
   e. CBA = $3,000,000 – $120,000 – $0 = $2,880,000
3. Loss of company data due to hardware being removed from production systems
   a. The recommendation is to back up hardware.
   b. Previous loss: we assume that direct loss plus indirect loss is $7,000,000 (direct loss + indirect loss = previous loss).
   c. Future loss: the backups are expected to reduce the losses by 98 percent: $7,000,000 – ($7,000,000 x 0.98) = $140,000
   d. Cost of recommendation: $20,000 (assumption)
   e. CBA = $7,000,000 – $140,000 – $20,000 = $6,840,000
4. Loss of company information on lost or stolen company-owned assets, such as mobile devices and laptops
   a. The recommendation is to implement a new policy.
   b. Previous loss: we assume that direct loss plus indirect loss is $20,000 (direct loss + indirect loss = previous loss).
   c. Future loss: the policy is expected to reduce the losses by 90 percent: $20,000 – ($20,000 x 0.90) = $2,000
   d. Cost of recommendation: $0, because it is the responsibility of Human Resources and the head of each department.
   e. CBA = $20,000 – $2,000 – $0 = $18,000
5. Loss of customers due to production outages caused by various events, such as natural disasters, change management, unstable software, and so on
   a. The recommendation is for the sales department to reach out to affected customers.
   b. Previous loss: we assume that direct loss plus indirect loss is $30,000,000 (direct loss + indirect loss = previous loss).
   c. Future loss: the outreach is expected to reduce the losses by 80 percent: $30,000,000 – ($30,000,000 x 0.80) = $6,000,000
   d. Cost of recommendation: $0, because it is done by the sales department employees.
   e. CBA = $30,000,000 – $6,000,000 – $0 = $24,000,000
6. Internet threats due to company products being accessible on the Internet
   a. The recommendation is to update the firewall.
   b. Previous loss: we assume that direct loss plus indirect loss is $15,000,000 (direct loss + indirect loss = previous loss).
   c. Future loss: the update is expected to reduce the losses by 98 percent: $15,000,000 – ($15,000,000 x 0.98) = $300,000
   d. Cost of recommendation: $5,000 per unit; we have 1,000 servers that need their firewall updated. The total cost is $5,000 x 1,000 = $5,000,000
   e. CBA = $15,000,000 – $300,000 – $5,000,000 = $9,700,000
7. Insider threats
   a. The recommendation is to implement strict security policies.
   b. Previous loss: we assume that direct loss plus indirect loss is $3,000,000 (direct loss + indirect loss = previous loss).
   c. Future loss: the policies are expected to reduce the losses by 50 percent: $3,000,000 – ($3,000,000 x 0.50) = $1,500,000
   d. Cost of recommendation: $1,000,000 (assumption); even though it is the responsibility of Human Resources and the head of each department, it may need external assistance.
   e. CBA = $3,000,000 – $1,500,000 – $1,000,000 = $500,000
8. Changes in regulatory landscape that may impact operations
   a. The recommendation is to implement a Gap Analysis and Remediation Plan.
   b. Previous loss: we assume that direct loss plus indirect loss is $1,000,000 (direct loss + indirect loss = previous loss).
   c. Future loss: the plan is expected to reduce the losses by 95 percent: $1,000,000 – ($1,000,000 x 0.95) = $50,000
   d. Cost of recommendation: $500,000 (assumption), because it depends on the time it takes to develop the document.
   e. CBA = $1,000,000 – $50,000 – $500,000 = $450,000
Total cost-benefit analysis (CBA) if all are applied:
Total previous loss: $69,020,000
Total future loss: $8,412,000
Total cost of recommendations: $6,553,000
CBA = $69,020,000 – $8,412,000 – $6,553,000 = $54,055,000
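As an added example (not code from the original plan), the following Python carries the quantitative analysis above through in one place: the ALE = SLE x ARO formula, the per-safeguard CBA (previous loss minus future loss minus cost), the totals for all eight items, and a ranking by net benefit. The loss figures, reduction percentages and costs are the plan's own assumed values; integer dollars and integer percentages are used so the arithmetic is exact rather than subject to floating-point rounding.

```python
from dataclasses import dataclass


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the loss expected per year from one kind of incident,
    given the loss from a single incident (SLE) and how many times per year it
    is expected to occur (ARO, which may be fractional, e.g. 0.5 = once every two years)."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    """One line of the plan's cost-benefit analysis."""
    number: int
    threat: str
    recommendation: str
    previous_loss: int   # direct + indirect loss before the safeguard, in dollars
    reduction_pct: int   # percentage of that loss the safeguard is expected to remove
    cost: int            # cost of the recommendation, in dollars

    def future_loss(self) -> int:
        # Loss remaining after the safeguard; all of the plan's figures divide exactly.
        return self.previous_loss * (100 - self.reduction_pct) // 100

    def cba(self) -> int:
        # CBA = loss before safeguard - loss after safeguard - cost of safeguard
        return self.previous_loss - self.future_loss() - self.cost

    def worthwhile(self) -> bool:
        # A safeguard that costs more than the loss it avoids has a negative CBA.
        return self.cba() > 0


# The eight items of the plan's CBA section. Device and server counts are the plan's
# figures (1,650 devices needing antivirus, 1,000 servers needing a firewall update).
SAFEGUARDS = [
    Safeguard(1, "Virus or worm attacks", "install antivirus software", 10_000_000, 97, 20 * 1650),
    Safeguard(2, "Loss of customers' information by users", "train employees", 3_000_000, 96, 0),
    Safeguard(3, "Loss of company data from removed hardware", "back up hardware", 7_000_000, 98, 20_000),
    Safeguard(4, "Lost or stolen company-owned assets", "implement a new policy", 20_000, 90, 0),
    Safeguard(5, "Loss of customers due to production outages", "sales outreach", 30_000_000, 80, 0),
    Safeguard(6, "Internet threats to exposed products", "update the firewall", 15_000_000, 98, 5_000 * 1000),
    Safeguard(7, "Insider threats", "strict security policies", 3_000_000, 50, 1_000_000),
    Safeguard(8, "Regulatory changes", "gap analysis and remediation plan", 1_000_000, 95, 500_000),
]


def totals(safeguards=SAFEGUARDS) -> dict:
    """Sum previous loss, future loss, cost and CBA over all safeguards:
    the plan's 'total CBA if all are applied'."""
    previous = sum(s.previous_loss for s in safeguards)
    future = sum(s.future_loss() for s in safeguards)
    cost = sum(s.cost for s in safeguards)
    return {"previous_loss": previous, "future_loss": future, "cost": cost,
            "cba": previous - future - cost}


def ranked_by_cba(safeguards=SAFEGUARDS):
    """Safeguards ordered by net benefit, highest first: the order in which
    management would fund them under a limited budget."""
    return sorted(safeguards, key=lambda s: s.cba(), reverse=True)


if __name__ == "__main__":
    for s in ranked_by_cba():
        print(f"{s.number}. {s.recommendation:<35} CBA ${s.cba():>12,}")
    print("Totals:", totals())
```

`worthwhile()` is the check the plan implies but never states: a recommendation whose cost exceeds the loss it avoids has a negative CBA and should not be funded on these numbers alone.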
2.3 RISK RESPONSE PLANNING
Each major risk (those falling in the Red and Yellow zones) will be assigned to a project team member for monitoring purposes, to ensure that the risk will not “fall through the cracks”. For each major risk, one of the following approaches will be selected to address it:
• Avoid – eliminate the threat by eliminating the cause
• Mitigate – identify ways to reduce the probability or the impact of the risk
• Accept – nothing will be done
• Transfer – make another party responsible for the risk (buy insurance, outsourcing, etc.)
The responsibility of the project team is to select a risk response for each risk. The responses are chosen with the consideration that the budget assigned to this project by management is not defined. The following are the responses for each risk and their approach:
1. The appropriate response to the threat “Virus or worm attacks that cause loss of data and spread to other domains” is Avoid. It is addressed by using antivirus software and making sure it is up to date.
2. The appropriate response to the threat “Loss of customers’ information by users” is Mitigate. It is mitigated by training employees whenever there is a new version of the application.
3. The appropriate response to the threat “Loss of company data due to hardware being removed from production systems” is Mitigate. Production systems for Health Network are located at and managed by a third-party data center hosting vendor. It can be mitigated by ensuring that backups are created any time hardware is replaced, moved, or removed.
4. The appropriate response to the threat “Loss of company information on lost or stolen company-owned assets, such as mobile devices and laptops” is Mitigate. It is mitigated by making a new policy to keep company assets safe.
5. The appropriate response to the threat “Loss of customers due to production outages caused by various events, such as natural disasters, change management, unstable software, and so on” is Transfer. It is addressed by having the sales department reach out to affected customers.
6. The appropriate response to the threat “Internet threats due to company products being accessible on the Internet” is Mitigate. It is mitigated by updating the firewall or installing a new version if needed.
7. The appropriate response to the threat “Insider threats” is Accept.
8. The appropriate response to the threat “Changes in regulatory landscape that may impact operations” is Mitigate. It is mitigated by implementing a Gap Analysis and Remediation Plan.
2.4 RISK MONITORING, CONTROLLING, AND REPORTING
Risk Monitoring and Control is the process of identifying, analyzing, and planning for newly identified risks, monitoring previously identified risks, and reevaluating existing risks to verify the effectiveness of the planned risk response strategies. The level of risk on the project will be tracked, monitored, and reported throughout the project lifecycle. This includes looking for ways to modify, simplify, and strengthen the security controls to better manage the solutions and mitigations; adding and improving hardware, patches, policies, and processes are just a few examples.
After implementing controls and safeguards, checking and monitoring those controls is an essential part of knowing whether they are working effectively. As is well known, security work is never finished: monitoring ensures that the systems stay secure. Monitoring includes checking regulations for changes, risks for changes, and the plan to ensure it is still in use. An example of monitoring is an Intrusion Detection System (IDS) that monitors the network or system and sends an alert when an intrusion is detected. Another example is a physical video surveillance system such as closed-circuit television (CCTV). Business Managers are ultimately responsible for managing risks, including updating and reviewing already identified risks.
After identifying which risks to address, the best control methods are selected for the addressed risks. Control methods are also called countermeasures. There are Administrative Controls, such as creating policies and procedures, establishing data loss prevention programs, and spreading awareness and training in the organization; Technical Controls, such as controlling traffic with firewalls in networks, using data range checks to help ensure that received data is valid, logging events through system logs and audit trails to investigate security events, and using session timeouts to ensure unauthorized users cannot access a session without providing credentials; and Physical Controls, such as security doors, fire detection systems, and temperature and humidity detection systems.
For reporting, Business Managers are also responsible for compiling reports and presenting them to higher executive officers and management.
3 RISK REGISTER
The risk register records the specifics of all risks, threats, and vulnerabilities identified at the beginning of and throughout the project. The risk register will be maintained by the project manager and will be reviewed as a standing agenda item for project team meetings. The risk register table follows:
Each register entry records the following fields: Identifier, Status, Risk Description, Risk
Probability, Risk Impact, Risk Score, Risk Assignment, Agreed Response, and Risk Response Plan.

Identifier: Any type of malicious software, such as viruses or worms, enters the network.
Status: closed
Risk Description: Loss of data; viruses or worms will be transferred to the other six domains.
Risk Probability: Major
Risk Impact: Major
Risk Score: 4
Risk Assignment: Chief Technology Officer (CTO)
Agreed Response: Avoid
Risk Response Plan: Install an antivirus

Identifier: Misuse of the company's application
Status: closed
Risk Description: Loss of customers' information by users.
Risk Probability: Major
Risk Impact: Major
Risk Score: 4
Risk Assignment: Human Resource Management (HR)
Agreed Response: Mitigate
Risk Response Plan: Train employees

Identifier: The organization might go bankrupt if it loses its data constantly
Status: active
Risk Description: Loss of company data due to hardware being removed from production systems
Risk Probability: Critical
Risk Impact: Critical
Risk Score: 9
Risk Assignment: Chief Technology Officer (CTO)
Agreed Response: Mitigate
Risk Response Plan: Backup hardware

Identifier: Data manipulation, loss of security information and loss of devices
Status: closed
Risk Description: Loss of company information on lost or stolen company-owned assets, such as mobile devices and laptops
Risk Probability: Critical
Risk Impact: Critical
Risk Score: 9
Risk Assignment: Chief Information Security Officer (CISO)
Agreed Response: Mitigate
Risk Response Plan: Implement a new policy

Identifier: Communication and network outage
Status: closed
Risk Description: Loss of customers due to production outages caused by various events, such as natural disasters, change management, unstable software, and so on
Risk Probability: Critical
Risk Impact: Critical
Risk Score: 9
Risk Assignment: Chief Technology Officer (CTO)
Agreed Response: Transfer
Risk Response Plan: Sales department reaches out to affected customers

Identifier: Unauthorized access from the public internet
Status: active
Risk Description: Internet threats due to company products being accessible on the Internet
Risk Probability: Major
Risk Impact: Major
Risk Score: 4
Risk Assignment: Chief Technology Officer (CTO)
Agreed Response: Mitigate
Risk Response Plan: Update the firewall

Identifier: Abuse of devices and exploiting identity
Status: closed
Risk Description: Insider threats
Risk Probability: Minor
Risk Impact: Major
Risk Score: 2
Risk Assignment: Chief Information Security Officer (CISO)
Agreed Response: Accept
Risk Response Plan: Implement strict security policies

Identifier: Remodeling organizational architecture by anyone
Status: closed
Risk Description: Changes in the regulatory landscape that may impact operations
Risk Probability: Critical
Risk Impact: Critical
Risk Score: 6
Risk Assignment: Chief Information Officer (CIO)
Agreed Response: Mitigate
Risk Response Plan: Implement gap analysis and remediation plan
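As an added example (not part of the original plan or the course material), the register can be kept as data and scored programmatically, so the scores and the review order are computed rather than typed by hand. The 1-to-3 rating scale, the shortened identifiers and the `RiskEntry` field names are assumptions: the plan never states a scale, but the one used here is consistent with the register's own scores (Major x Major = 4, Critical x Critical = 9, Minor x Major = 2). The `audit_scores` check reports any entry whose recorded score does not match probability x impact under that scale, which is the kind of consistency check worth running before the register goes to the project team meeting.

```python
"""Qualitative risk-register scoring and prioritisation (added example)."""
from dataclasses import dataclass

# Assumed scale (not stated in the plan): each rating maps to 1..3 and
# Risk Score = Probability rating x Impact rating.
RATING = {"Minor": 1, "Major": 2, "Critical": 3}


@dataclass(frozen=True)
class RiskEntry:
    identifier: str      # shortened from the register's Identifier column
    status: str          # "active" or "closed", as in the register
    probability: str     # Minor / Major / Critical
    impact: str          # Minor / Major / Critical
    recorded_score: int  # the Risk Score written in the register
    assignment: str      # role that owns the risk
    response: str        # Accept / Avoid / Mitigate / Transfer
    plan: str            # Risk Response Plan

    def computed_score(self) -> int:
        """Score implied by the assumed scale."""
        return RATING[self.probability] * RATING[self.impact]


# Constructed from the register entries above (identifiers shortened).
REGISTER = [
    RiskEntry("Malicious software enters the network", "closed", "Major", "Major", 4, "CTO", "Avoid", "install an antivirus"),
    RiskEntry("Misuse of company application", "closed", "Major", "Major", 4, "HR", "Mitigate", "train employees"),
    RiskEntry("Data loss from hardware removed from production", "active", "Critical", "Critical", 9, "CTO", "Mitigate", "backup hardware"),
    RiskEntry("Lost or stolen company-owned devices", "closed", "Critical", "Critical", 9, "CISO", "Mitigate", "implement a new policy"),
    RiskEntry("Communication and network outage", "closed", "Critical", "Critical", 9, "CTO", "Transfer", "sales department reaches out to affected customers"),
    RiskEntry("Unauthorized access from public internet", "active", "Major", "Major", 4, "CTO", "Mitigate", "update the firewall"),
    RiskEntry("Insider threats", "closed", "Minor", "Major", 2, "CISO", "Accept", "implement strict security policies"),
    RiskEntry("Changes in regulatory landscape", "closed", "Critical", "Critical", 6, "CIO", "Mitigate", "gap analysis and remediation plan"),
]


def prioritize(entries, include_closed=False):
    """Order entries for the standing review agenda: highest computed score
    first, ties broken by impact; closed entries are omitted unless requested."""
    selected = [e for e in entries if include_closed or e.status == "active"]
    return sorted(selected, key=lambda e: (e.computed_score(), RATING[e.impact]), reverse=True)


def audit_scores(entries):
    """Consistency check: entries whose recorded score differs from
    probability x impact under the assumed scale."""
    return [(e.identifier, e.recorded_score, e.computed_score())
            for e in entries if e.recorded_score != e.computed_score()]


def review_agenda(entries):
    """One line per open risk, in review order, naming owner and response."""
    return [f"{e.computed_score()} {e.identifier} -> {e.assignment} ({e.response}: {e.plan})"
            for e in prioritize(entries)]


if __name__ == "__main__":
    for line in review_agenda(REGISTER):
        print(line)
    for ident, recorded, computed in audit_scores(REGISTER):
        print(f"score mismatch: {ident!r} recorded {recorded}, scale gives {computed}")
```

Running the module prints the two active risks in review order and then any score mismatches; closed risks stay in the data so that `prioritize(REGISTER, include_closed=True)` can reproduce the full register when it is reviewed as a whole.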
APPENDIX A: REFERENCES
The following table summarizes the documents referenced in this document.

Document Name and Version: Managing Risk in Information Systems, 2nd edition
Description: Gibson, Darril. Managing Risk in Information Systems, 2nd edition. Burlington, MA: Jones & Bartlett, 2015. ISBN-13: 9781284055955
Location:

Document Name and Version: HIPAA Security Series
Description: 6 Basics of Risk Analysis and Risk Management
Location: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf
APPENDIX B: KEY TERMS
The following table provides definitions for terms relevant to the Risk Management Plan:
HEALTH NETWORK, INC.

Accept: One of the techniques used to manage risk. When the cost to reduce the risk is greater than the potential loss, the risk is accepted. A risk is also accepted if management considers the risk necessary and tolerable for business.
Annual loss expectancy (ALE): Total expected loss from a given risk for a year. ALE is calculated by multiplying SLE x ARO. ALE is part of a quantitative risk assessment.
Annualized rate of occurrence (ARO): Number of times loss from a given threat is expected to occur in a year. It is used with the SLE to calculate the ALE. ARO is part of a quantitative risk assessment.
Audit trail: A series of events recorded in one or more logs. Audit trail events record who, what, where, and when. They can be in operating system logs like the Microsoft Security log, or application logs like a firewall log.
AV: Antivirus
Avoid: One of the techniques used to manage risk. A risk can be avoided by eliminating the source of the risk or eliminating the exposure of assets to the risk. A company can either stop the risk activity or move the asset.
CCTV: Closed-Circuit Television
CD: Compact Disc
CFO: Chief Financial Officer
Change management: A formal process requiring that changes be made only after they have been reviewed and submitted. This reduces outages caused by unauthorized changes.
CIO: Chief Information Officer
CISO: Chief Information Security Officer
Control: An action or change put in place to reduce a weakness or potential loss. A control is also referred to as a countermeasure.
Cost-benefit analysis (CBA): A process used to determine how to manage a risk. If the benefits of a control outweigh the costs, the control can be implemented to reduce the risk. If the costs are greater than the benefits, the risk can be accepted.
Countermeasure: A security control or safeguard. It is put into place to reduce a risk. It reduces the risk by reducing the vulnerability or threat impact.
CTO: Chief Technology Officer
Exploit: The act of initiating a vulnerability. It occurs when a command or program is executed to take advantage of a weakness. Some examples are buffer overflows, DoS attacks, and DDoS attacks.
Firewall: A firewall filters traffic. Rules are configured on the firewall to define what traffic is allowed and what traffic is blocked. A network firewall is a combination of hardware and software. Individual systems can include a single software-based firewall.
HHS: Health and Human Services
HIPAA: Health Insurance Portability and Accountability Act
HR: Human Resource Management
Impact: The amount of the loss resulting from a threat exploiting a vulnerability. The loss can be expressed in monetary terms or a relative value. The impact identifies the severity of the loss. Impact is derived from the opinions of experts.
Intrusion detection system (IDS): A system that can monitor a network and send an alert if an intrusion is detected. Both host-based IDS (HIDS) and network-based IDS (NIDS) systems are commonly used. A passive IDS logs and alerts on events. An active IDS can block a detected attack.
IP: Internet Protocol
IT: Information Technology
LAN: Local Area Network
Malware: Malicious software. This includes viruses, worms, Trojan horses, or any other type of malicious software.
Mitigate: One of the techniques used to manage risk. Mitigation is also known as risk reduction. Vulnerabilities are reduced by implementing controls or countermeasures.
Physical controls: Controls that restrict physical access to areas or systems. Examples include locked rooms, guards, and cameras.
Probability: Used in a qualitative risk assessment. It refers to the likelihood that a risk will occur. A risk occurs when a threat exploits a vulnerability. It is derived from the opinions of experts.
Qualitative risk assessment: A subjective method used for RAs. It uses relative values based on opinions from experts. A qualitative RA can be completed rather quickly. Qualitative RAs do not have predefined formulas.
Quantitative risk assessment: An objective method used for RAs. It uses numbers such as actual dollar values. Quantitative RAs require a significant amount of data that can sometimes be difficult to obtain. The data is then entered into a formula.
Risk: An uncertainty that may lead to a loss. Losses occur when a threat exploits a vulnerability. Risk is often expressed as: Risk = Threat x Vulnerability.
Risk assessment (RA): A process used to identify and evaluate risks based on an analysis of threats and vulnerabilities to assets. Risks are quantified based on their importance or impact severity. These risks are then prioritized.
RMP: Risk Management Plan
Safeguard: Another term for a control. Safeguards and controls are used to mitigate risk. They can mitigate the risk by reducing the impact of the threat. They can also mitigate the risk by reducing the vulnerabilities.
Scope: The boundaries of a risk management plan. It defines what the plan should cover. Defining the scope helps prevent scope creep.
Scope creep: A problem with projects resulting from uncontrolled changes. Scope creep should be avoided. It results in cost overruns and missed deadlines.
Single loss expectancy (SLE): Total loss resulting from a single incident. The loss is expressed as a dollar value. It will include the value of hardware, software, and data. It is used to help calculate ALE (ALE = SLE x ARO). SLE is part of a quantitative risk assessment.
Social engineering: Tactics used to trick people into revealing sensitive information or taking unsafe actions. Social engineering tactics include conning people over the phone or in person. It also includes phishing and other technical tactics.
SQL: Structured Query Language
Stakeholder: An individual or group that has a stake, or interest, in the success of a project. A stakeholder has some authority over the project. Additionally, a stakeholder can provide resources for the project.
Technical controls: Controls that use technology to reduce vulnerabilities. Examples include anti-virus software, intrusion detection systems, access controls, and firewalls.
Threat: Any activity that represents a possible danger. This includes any circumstances or events with the potential to adversely impact confidentiality, integrity, or availability of a business's assets.
Transfer: One of the techniques used to manage risk. The risk is transferred by shifting responsibility to another party. This can be done by purchasing insurance or outsourcing the activity.
USD: United States Dollar
VPN: Virtual Private Network
Vulnerability: A weakness or exposure to a threat. The weakness can be a weakness in an asset or the environment. A vulnerability can be mitigated with a control.
WAN: Wide Area Network
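The Appendix B definitions of SLE, ARO, ALE and cost-benefit analysis describe the quantitative side of the assessment. The following added example (not code from the plan or the course) carries those definitions through for one scenario: ALE = SLE x ARO is computed before and after a candidate control, and the control is recommended only when the yearly loss it avoids exceeds its yearly cost; otherwise the "Accept" response applies. The scenario (lost or stolen laptops), the dollar values, the candidate controls and their reduction factors are constructed for illustration and are not figures from the plan.

```python
"""Quantitative risk assessment: SLE, ARO, ALE and a cost-benefit check (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # USD per year to run the control (constructed value)
    sle_factor: float   # fraction of the single loss that remains after the control
    aro_factor: float   # fraction of the yearly occurrence rate that remains


def ale(sle: float, aro: float) -> float:
    """Annual loss expectancy: ALE = SLE x ARO (USD per year)."""
    return sle * aro


def residual_ale(sle: float, aro: float, control: Control) -> float:
    """ALE after the control is applied: both SLE and ARO may be reduced."""
    return ale(sle * control.sle_factor, aro * control.aro_factor)


def net_benefit(sle: float, aro: float, control: Control) -> float:
    """Cost-benefit analysis: yearly loss avoided minus the control's yearly cost."""
    return ale(sle, aro) - residual_ale(sle, aro, control) - control.annual_cost


def recommend(sle: float, aro: float, controls) -> tuple:
    """Choose the control with the largest positive net benefit. When every
    control costs more than it saves, the risk is accepted (Appendix B, CBA)."""
    ranked = sorted(controls, key=lambda c: net_benefit(sle, aro, c), reverse=True)
    if not ranked or net_benefit(sle, aro, ranked[0]) <= 0:
        return ("Accept", None)
    return ("Mitigate", ranked[0].name)


# Constructed sample scenario: lost or stolen company laptops (compare the
# register entry above). Dollar values are assumptions for illustration only.
LAPTOP_SLE = 20_000.0   # USD lost per incident (hardware, data, response effort)
LAPTOP_ARO = 3.0        # incidents expected per year

CONTROLS = [
    # Encryption leaves the hardware loss but removes most of the data loss.
    Control("Full-disk encryption", annual_cost=5_000.0, sle_factor=0.1, aro_factor=1.0),
    # Tracking recovers some devices, halving how often a loss becomes permanent.
    Control("Device tracking", annual_cost=8_000.0, sle_factor=1.0, aro_factor=0.5),
]

if __name__ == "__main__":
    print(f"ALE before controls: {ale(LAPTOP_SLE, LAPTOP_ARO):,.0f} USD")
    for c in CONTROLS:
        print(f"{c.name}: net benefit {net_benefit(LAPTOP_SLE, LAPTOP_ARO, c):,.0f} USD")
    print("Decision:", recommend(LAPTOP_SLE, LAPTOP_ARO, CONTROLS))
```

With the constructed values, the ALE before controls is 60,000 USD per year, encryption leaves a residual ALE of 6,000 USD for a net benefit of 49,000 USD, device tracking yields 22,000 USD, and encryption is recommended. Calling `recommend` with a small loss (for example SLE 500 USD, ARO 1) returns "Accept", because neither control would save more than it costs.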
