10.1 Overview of Process 8A
Upon completing process 7, you identified the risks to your organization's critical assets and evaluated the potential impact on your organization of those risks. In the first workshop of process 8 (also referred to as process 8A), you analyze all the risk-related information that you gathered throughout the evaluation and decide how to improve your organization's security posture.
Process 8A Workshop
Process 8A is implemented using the core analysis team members and any supplemental personnel that they decide to include. It takes an experienced team about a day to complete the activities in this workshop. Review all activities for this process and decide whether your team collectively has the required knowledge and skills to complete all tasks successfully. We suggest that your team have the following mix of skills in this process:
Understanding of the organization's business environment
Understanding of the organization's information technology environment
Understanding of the planning practices of the organization
Ability to develop plans
Good communication skills
Process 8A requires data consolidation prior to the workshop. You need the security practice information gathered during processes 1 to 3 (results of practice surveys and follow-on discussions). If you haven't already compiled this information, you will need to do so prior to the workshop. Table 10-1 summarizes the data consolidation activities, while Table 10-2 summarizes the activities that the analysis team must perform during the workshop.
Table 10-1. Preparation Activities for Process 8A

| Activity | Description |
|---|---|
| Compile survey results | The survey results from processes 1 to 3 are compiled according to organizational level. |
| Consolidate protection strategy information | The contextual information (security practices and organizational vulnerabilities) from processes 1 to 3 is consolidated according to organizational level. |
Table 10-2. Process 8A Activities

| Activity | Description |
|---|---|
| Review risk information | The analysis team members individually review the following information that they have generated during the process: threats to critical assets; areas of concern for the critical assets; current security practices and organizational vulnerabilities; potential impact on the organization of each threat and associated impact values; technology vulnerabilities for selected components; recommended actions resulting from the infrastructure vulnerability evaluation. |
| Create protection strategy | The analysis team creates a proposed protection strategy for the organization. A protection strategy defines the strategies that an organization uses to enable, initiate, implement, and maintain its internal security. |
| Create mitigation plans | The analysis team creates risk mitigation plans for the organization's critical assets. A mitigation plan defines the activities required to mitigate the risks/threats to the critical assets. |
| Create action list | The analysis team creates an action list. An action list defines any actions that people in the organization can take in the near term without the need for specialized training, policy changes, etc. |
Next, we look at how to prepare for the workshop by consolidating the surveys and the security practice data that you collected during processes 1 to 3.