
10.6 Create Action List

In the previous two activities you developed a protection strategy for organizational improvement and risk mitigation plans to reduce the risks to your critical assets. In this activity you look for near-term actions that people in your organization can immediately start to implement. By employing a few simple actions, your organization can start to improve in a few areas. By taking these initial steps toward improvement, your organization can start to build the momentum needed to implement its protection strategy and risk mitigation plans.

Action List

An action list defines any action items that people in your organization can take in the near term without the need for specialized training, policy changes, etc. Because items on the action list have little cost associated with them, you can start implementing them immediately after the evaluation. Implementing action items is an easy way to start improving your organization's security posture. Here are two examples of action items that can be placed on the action list:

  • Assign an IT staff member to fix the high-severity vulnerabilities that were identified during phase 2 of OCTAVE.

  • Assign the analysis team and the organization's management an action to define the details of implementing the protection strategy.

An action list typically comprises the following information:

  • Near-term actions that need to be taken

  • The person responsible for completing each action item

  • A completion date for each action item

  • Any management support that is required to facilitate completion of each action item

Step 1: Identify Action Items

As you created the protection strategy and risk mitigation plans, you should have recorded any near-term actions that could help you implement the strategy and plans. Review your list of actions and decide if any are appropriate for the action list.

Think about any additional near-term actions that could help you implement your protection strategy and risk mitigation plans. What near-term actions need to be taken? Remember to document all action items.

Step 2: Assign Responsibility for Action Items

Now that you have identified specific action items for the action list, you need to assign responsibility for completing them as well as a completion date. Answer the following questions for each action item on your list and record the results:

  • Who will be responsible for each action item?

  • By what date does the action item need to be addressed?

  • What can management do to facilitate the completion of this action item?

At MedSite the analysis team members reviewed the action items that they recorded when they developed the protection strategy and the risk mitigation plans, as well as the actions and recommendations from process 6. MedSite's action list is shown in Figure 10-9.

Figure 10-9. Action Item List


When the team was developing the protection strategy, it recorded the following action item related to incident management:

Develop a card that tracks administrators and their capabilities. Also establish points of contact for incidents.

The team felt that this action should be included on the action list, and it is the second item in Figure 10-9. The third action item in Figure 10-9 is one of the recommendations from process 6. The last action item was documented during the development of the risk mitigation plan for paper medical records. The team believed that an informal physical security test within the next 90 days was important, because MedSite has encountered some problems with the physical security of medical records. For each action item that team members documented, they also assigned responsibility, established a completion date, and identified any management actions that would facilitate completing that action.

Order of Process 8A Workshop Activities

Note that we present the three major development activities of process 8A in the following order:

  1. Create protection strategy.

  2. Create mitigation plans.

  3. Create action list.

The order in which we present these activities is not mandatory. Different teams will address the activities in different orders, depending on their preferences. This particular sequence requires you to think strategically first. However, if strategic thinking is not one of your team's strengths, you might want to start by identifying near-term action items and then develop risk mitigation plans. You could then look across the action list and mitigation plans to see what strategic themes emerge, providing input for your protection strategy.

On the other hand, you might want to first examine the tactical view of risk by developing risk mitigation plans. Once you have identified tactical actions, you can identify strategic themes and near-term action items.

Make sure you think about how you want to approach the activities and address them in the order that makes the most sense for you. However, remember that creating your strategy and plans is not a lockstep process. No matter what order you choose for the activities, you will likely need to iterate among them.

This completes the activities of the first workshop of process 8. You now have one more hurdle to complete before the evaluation is over. In the second workshop of process 8, you review the evaluation results with your organization's senior managers and allow the managers to refine the protection strategy, risk mitigation plans, and action list. Before we move on to Chapter 11, we need to complete our discussion of incorporating probability into the evaluation. The next section looks at how to incorporate probability into risk mitigation decisions.
