11.4 Review and Refine Protection Strategy, Mitigation Plans, and Action List
In the previous activity you set the context for the senior managers. In this activity you have the following two objectives:
To present the protection strategy, risk mitigation plans, and action list that you developed in process 8A
To allow the managers to refine each item as appropriate
Remember that your organization's senior managers have a broad, organizationwide perspective that you might not have. Senior managers understand the parameters within which the organization must operate. They have an appreciation for how many organizational resources can be applied to information security improvement efforts, as well as the constraints that must be factored into the protection strategy and risk mitigation plans.
Step 1: Present the Protection Strategy, Risk Mitigation Plans, and Action List
One member of your analysis team should present solutions while the other team members support the lead presenter as appropriate. First you need to establish ground rules for reviewing and refining strategies and plans. We suggest that you ask the managers to wait until they have seen all strategies and plans before they suggest changes. By waiting, they will be able to get a feel for the "big picture." If you think that the managers will nevertheless want to dive into the details of the strategy and plans immediately, you might try to define the big picture right away with a summary of the information. Alternatively, you can temporarily record any potential changes on flip charts and address them later in the workshop. Use your best judgment, be flexible, and manage the activities as best you can.
First, define what constitutes a protection strategy; next, present the one that you developed in process 8A; and then ask the managers if they have any questions about it. Try to postpone discussing any changes to this strategy until after you have also presented the risk mitigation plans and the action list. If the managers insist on making changes before seeing the other items, at most this might require some iteration when they see the mitigation plans or action list.
Now define the term risk mitigation plan, pointing out that there is no hierarchical relationship between the protection strategy and the mitigation plans. (The protection strategy defines long-term organizational initiatives, whereas risk mitigation plans define actions to reduce the risks to the organization's critical assets.) Present each risk mitigation plan to the managers, and ask them if they have any questions. Again, try to postpone discussing any changes to the plans until after you have presented the action list.
Finally, discuss what an action list involves and present the action list you have created. Ask the managers if they have any questions about the list. After this you are ready to ask the managers for their thoughts on refining the protection strategy, risk mitigation plans, and action list.
Step 2: Refine the Protection Strategy, Risk Mitigation Plans, and Action List
Ask the senior managers if they want to propose any refinements or modifications to the protection strategy, risk mitigation plans, and action list. Guide the discussion to cover all proposed changes, and make sure that the managers think about any implications or ripple effects that these might cause. Remember to record any changes to the protection strategy, risk mitigation plans, and action list.
Let's look at how this activity was implemented in the context of our sample scenario. At MedSite the following people were present for the meeting with MedSite's senior managers:
All analysis team members
The member of the strategic planning department who participated in process 8A
The manager of MedSite's information technology department
One member of MedSite's information technology staff who participated in processes 5 and 6
One staff member from ABC Systems who led the process 6 vulnerability evaluation
The team used the following approach to present to MedSite's senior managers:
One of the analysis team members presented the risk information to the managers.
The staff member from MedSite's strategic planning department presented the strategy, risk mitigation plans, and action list.
The manager of MedSite's information technology department, the information technology staff member, and the representative from ABC Systems were present to participate in any technological discussions that might arise.
MedSite's senior managers, upon reviewing the recommendations of the analysis team, made no major changes to the protection strategy, mitigation plans, and action list. Their primary concern was to determine a practical way to implement the recommendations with a limited budget and other resources.
After completing this activity, you have one last evaluation activity to conduct. Your organization's senior managers now need to decide what the organization will do to implement the results of the evaluation.