10.5 Create Risk Mitigation Plans

This activity marks a transition from the strategic view of risk to a more tactical, or operational, view. Rather than identifying long-term initiatives that result in organizational security improvement, you develop risk mitigation plans that directly reduce risks to your organization's critical assets. The focus shifts from the organization to critical assets.

Risk Mitigation Plans

Risk mitigation plans are intended to reduce the risks to critical assets. These plans tend to incorporate actions, or countermeasures, designed to overcome the threats to the assets. In some cases these mitigation actions can be directed toward reducing the impact on the organization, but most often you reduce the risk to a critical asset by addressing the underlying threat. Mitigation plans are linked to business continuity, or enterprise survivability, because they are based on recognizing or detecting threats as they develop, resisting or preventing threats from developing, and recovering from threats after they develop.

There is no hierarchical relationship between the protection strategy and the mitigation plans. The mitigation plans are generally consistent with the protection strategy, since both are based on security practices (and there might be some overlap between them). However, mitigation plans are not plans to implement the protection strategy. A protection strategy is based on addressing organizational improvement and is strategic in nature, whereas mitigation plans are focused on protecting critical assets and are tactical.

Since a risk mitigation plan includes actions designed to counter the threats to a critical asset, we suggest structuring the mitigation plan for each critical asset according to the threat categories that apply to that critical asset. Recall that there are four basic threat categories:
Step 1: Select Mitigation Approach

In this step you determine the mitigation approach for each risk. When you identify a mitigation approach, you decide which risks to accept and which to mitigate. When you accept a risk, you take no action to reduce it and accept the consequences should the risk materialize. When you mitigate a risk, you identify actions designed to counter the threat and thereby reduce the risk.

Remember to review the narrative impact descriptions and impact values before you decide whether to accept or mitigate a risk. Will your organization generally accept risks that have low impact values? Will your organization generally mitigate risks that have high impact values? What approach will you take for risks with medium impact values? Your answers to these questions will help you to select a mitigation approach for each risk. Make sure that you use your answers to support your decisions, not as absolute rules. Always remember to use your best judgment based on your review of all background information.

To conduct step 1, decide whether to accept or mitigate the risks to each critical asset. Make sure that you record your decisions in that asset's risk profile. It is also useful to record your rationale for accepting a risk. At the end of this step, you will have selected the risks for which you intend to identify mitigation actions in step 2. You should also have recorded your rationale for any risk you chose to accept.

At MedSite the analysis team members (including the representative from the Strategic Planning department) reviewed the risk profiles and areas of concern for each critical asset. They also reviewed all the narrative impact descriptions they recorded during process 7. (See Appendix A for PIDS areas of concern and impact descriptions.) The team members then set general rules for selecting mitigation approaches. They would generally mitigate risks with high impact values while accepting those with low impact values.
The team would make decisions for risks with medium impact values on a case-by-case basis. Note that the team set general guidelines, not absolute rules, for high- and low-impact risks, and it made the decisions for medium-impact risks entirely contextual. Team members discussed each risk before selecting a mitigation approach.

Figure 10-6 shows part of the risk profile and associated mitigation plan for PIDS. (Figure 10-6 illustrates mitigation approaches and mitigation plans; we are exploring only mitigation approaches in this step.) The figure highlights the risks in the human actors using network access threat category. All of the risks were judged to have impact values of medium or high. The team quickly decided to mitigate all of the high-impact risks. After some discussion, team members decided to mitigate the medium-impact risks for PIDS, which were related to disclosure of medical information. Since medical organizations must comply with government privacy regulations, the team decided that the organization needed to take measures to prevent the disclosure of personal medical information. The scribe recorded each mitigation approach next to the impact value in Figure 10-6.

Figure 10-6. Part of PIDS Risk Profile (Human Actors Using Network Access) with Mitigation Plan

Part of the risk profile for ECDS is shown in Figure 10-7. Remember that ECDS contains mainly billing-related information for emergency cases. The figure shows ECDS's risks in the other problems threat category. One risk in this category had a medium impact value, while all other risks had low impact values. The team decided to accept all low risks and mitigate the medium risk.

Figure 10-7. Part of ECDS Risk Profile (Other Problems) with Mitigation Plan

Step 2: Select Mitigation Actions

In this step you select mitigation actions, or countermeasures, designed to overcome the threats to the critical assets.
First, make sure that you review the survey results and contextual security practice information. By doing so, you will better understand what your organization is currently doing well and where it needs to improve, providing a basis for selecting mitigation actions. Also, remember to review the actions and recommendations you recorded during process 6. These can be incorporated into your mitigation plans.

You create risk mitigation plans for each critical asset. Recall that you structure each mitigation plan around the threat categories that apply to that critical asset. If there are no risks in a given threat category, you will not need to develop a plan for that category. For each critical asset, answer the following questions as you identify mitigation actions for a threat category:
As you consider the questions for a given threat category, think about the administrative, physical, and technical practices that you could implement to reduce the risks to the critical asset. Complete and document mitigation plans for all critical assets.

During this activity, you identify a range of mitigation actions. After the evaluation, you prioritize the mitigation actions by examining the costs and benefits of each action and by considering any organizational budget and staff constraints. You then focus on implementing the highest-priority mitigation actions. When you develop risk mitigation plans, think about any near-term actions that could help you implement the plans. Make sure that you record these action items. You will use these as input for the final activity of process 8A, in which you formally record action items.

The analysis team at MedSite reviewed the survey results and contextual security practice information, as well as the actions and recommendations that it recorded during process 6. Team members considered these data when they created risk mitigation plans for MedSite's critical assets. Figure 10-6 shows part of the risk mitigation plan for PIDS. One of the recommendations from process 6 was to improve the way in which technology vulnerabilities were being managed. As you can see in Figure 10-6, the analysis team included a mitigation action to establish vulnerability management policies and procedures. Note that the team also included measures of success in the mitigation plans. Figure 10-7 illustrates the risk mitigation plan for the other problems threat category for ECDS. Note that the mitigation action is related to the only risk in that category that is being mitigated.

Step 3: Review Mitigation Plans for Themes and Gaps

Next, look across mitigation plans for common themes and gaps. You want to ensure that the risk mitigation plans are consistent with each other. You must resolve any inconsistencies that you find.
In addition, you should also note which mitigation actions might reduce risks to more than one critical asset. These mitigation actions should be high on your list for implementing after the evaluation.

MedSite's analysis team reviewed the mitigation plans for the organization's critical assets. One theme that was consistent across many of the plans was the need for enhanced training—both general security awareness training for users and enhanced training for MedSite's information technology staff—in how to configure and maintain systems and networks securely.

The team also noticed another interesting point when they reviewed mitigation plans across critical assets. Figure 10-8 shows the risks and mitigation plan for other problems threats for PIDS, whereas Figure 10-7 shows the risks and mitigation plan for other problems threats for ECDS. Notice that many of the risks result from the same threat sources. Most of the risks in the other problems category for ECDS were accepted, whereas all of the risks in this category for PIDS were mitigated. The analysis team noted that the following mitigation actions for PIDS also helped mitigate risks in the other problems category for ECDS that were accepted:
Figure 10-8. Part of PIDS Risk Profile (Other Problems) with Mitigation Plan

Remember that focus on the critical few is one of the principles of OCTAVE. The above example with ECDS and PIDS shows why it is effective. Think of the assets in your organization as forming a chain. When you identify critical assets, you identify the weakest links in the chain. If the weakest links are stressed too much, the chain could break apart. Likewise, if something happens to your organization's critical assets, your organization could suffer catastrophic consequences. Thus, the critical assets define the level of protection that you need in your organization.

You will find that when you improve your organization's security practices based on the risks to critical assets, you improve the way in which you protect all similar assets. Consider the ECDS and PIDS example above. When MedSite updates its contingency plans to include addressing power supply problems, it will address risks for all assets that are threatened as a result of problems with MedSite's power supply. Likewise, if information technology staff members receive enhanced training in how to configure and maintain systems and networks securely, they can apply that knowledge to all systems and networks. All risks to systems and networks resulting from mistakes and errors made by people who do not have adequate training will be reduced. The improved practice employed by the information technology staff members will thus be applied to both critical and noncritical systems.

Step 4: Incorporate Strategic Themes into Protection Strategy

This is the final step in creating risk mitigation plans. In step 3, you looked across mitigation plans for common themes and gaps to ensure that the risk mitigation plans were consistent with each other. In this step you determine whether any themes that emerged in step 3 need to be incorporated into the protection strategy.
Make sure that you update your organization's protection strategy accordingly.

MedSite's analysis team did not find any new themes. However, they did note that security awareness and training was a common theme among the risk mitigation plans and the organization's protection strategy. In the protection strategy for security awareness and training (see Figure 10-4), the team documented the need for security awareness training for system users at MedSite, as well as enhanced training for the information technology staff, in how to configure systems and networks securely. Mitigation actions for PIDS (see Figures 10-6 and 10-8) emphasized the importance of improved security awareness and training as it relates to PIDS. This will likely be a high priority for MedSite after the evaluation.

Thus far, you have created a protection strategy and risk mitigation plans. In the final activity of process 8A, you document near-term action items that your organization needs to address.
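The following is an added example, not part of the OCTAVE book or its MedSite case, that models steps 1 through 3 above: it records a mitigation approach and rationale per risk, builds each asset's plan by threat category, and then performs the step 3 cross-asset review that surfaced the PIDS/ECDS overlap. The assets, threat sources, impact values, medium-impact decisions and countermeasure wording are constructed to mirror the narrative, not taken from the book's figures.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str         # critical asset, e.g. "PIDS"
    category: str      # threat category, e.g. "other problems"
    threat: str        # threat source, e.g. "power supply problems"
    impact: str        # "low", "medium" or "high"
    approach: str = ""   # "accept" or "mitigate", filled in by step 1
    rationale: str = ""  # why, recorded in the asset's risk profile
def select_approach(risk, medium_decisions):
    """Step 1: general rules for high/low impact; medium decided case by case."""
    if risk.impact == "high":
        risk.approach, risk.rationale = "mitigate", "general rule: high impact"
    elif risk.impact == "low":
        risk.approach, risk.rationale = "accept", "general rule: low impact"
    else:  # an undecided medium-impact risk raises KeyError on purpose
        risk.approach, risk.rationale = medium_decisions[(risk.asset, risk.threat)]
    return risk.approach
def build_plans(risks, actions):
    """Step 2: one plan per asset, structured by threat category (mitigated risks only)."""
    plans = {}
    for r in risks:
        if r.approach == "mitigate":
            plans.setdefault(r.asset, {}).setdefault(r.category, set()).add(actions[r.threat])
    return plans
def review_themes(risks, plans, actions):
    """Step 3: actions shared across assets, and accepted risks another plan already covers."""
    owners = {}  # countermeasure -> assets whose plan includes it
    for asset, cats in plans.items():
        for a in set().union(*cats.values()):
            owners.setdefault(a, set()).add(asset)
    shared = sorted(a for a, s in owners.items() if len(s) > 1)
    covered = sorted((r.asset, r.threat) for r in risks if r.approach == "accept"
                     and owners.get(actions[r.threat], set()) - {r.asset})
    return shared, covered

# Constructed sample data mirroring the PIDS/ECDS "other problems" discussion (assumed values).
ACTIONS = {"power supply problems": "update contingency plans for power supply problems",
           "IT staff configuration errors": "enhanced training for IT staff"}
RISKS = [Risk("PIDS", "other problems", "power supply problems", "high"),
         Risk("PIDS", "other problems", "IT staff configuration errors", "medium"),
         Risk("ECDS", "other problems", "power supply problems", "low"),
         Risk("ECDS", "other problems", "IT staff configuration errors", "medium")]
MEDIUM = {("PIDS", "IT staff configuration errors"): ("mitigate", "protects patient records"),
          ("ECDS", "IT staff configuration errors"): ("mitigate", "protects billing data")}
for r in RISKS:
    select_approach(r, MEDIUM)
PLANS = build_plans(RISKS, ACTIONS)
SHARED, COVERED = review_themes(RISKS, PLANS, ACTIONS)
```

SHARED lists the training action that appears in both plans (a candidate for early implementation), and COVERED flags ECDS's accepted power supply risk as already addressed by the PIDS contingency-plan action.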