Week 8
Information Security and Risk Mitigation Action Plan
A regularly tested ISRM (information security and risk mitigation) action plan is essential to an organization, because it ensures a periodic review of the company's cybersecurity strategy. If an organization fails to conduct regular "checkups, odds are good that today's fast-changing threat landscape has left (it) vulnerable" (Rackspace.com, 2017). A good cybersecurity action plan combines people, processes and technology to deliver a cost-effective, responsive and timely breach detection and risk/incident remediation program.
The purpose of an organization's cybersecurity and risk management action plan is to identify the critical assets that are vulnerable to exploitation by threat agents or otherwise exposed to risk, to understand the likelihood of an impact on business operations, and to put in place appropriate security controls that mitigate, accept, avoid or transfer the identified "risks to a level acceptable to the organization" (Lebanidze, 2011). It is imperative, therefore, that the action plan be updated periodically to accommodate new and current risks, threats and vulnerabilities exposed through ongoing evaluation and risk/vulnerability assessment, so that appropriate, cost-effective and up-to-date controls can be implemented, together with incident response, disaster recovery and business continuity plans that provide assurance of the CIA (Confidentiality, Integrity and Availability) of critical organizational resources. Achieving this requires an agile, responsive and experienced IT/IS team.
The cybersecurity action plan must also be aligned with the business objectives, mission, operations and culture of the company. It is likewise necessary to secure the commitment, involvement, interest, sponsorship and support of the board of directors and C-level managers, and the compliance of all members of staff, for an effective organization-wide information security program.
The action plan should also address and meet federal, state and local regulations, industry standards and best practices. Best practice requires that "known and perceived risks be analyzed according to the degree and likelihood of the adverse results that are anticipated to take place" (Cantoria, 2011). The analysis, documentation and prioritization of the identified risks are embodied in the risk mitigation plan. Once developed and integrated into the organization's risk mitigation strategy, the plan is cross-referenced with the risk management plan, which forms the framework for the risk mitigation plan. In essence, the risk mitigation action plan serves as a checklist of anticipated risks and their degree of probability, categorized either as High, Medium or Low, or as Most Likely, Likely or Unlikely, together with the strategies to mitigate each identified threat, vulnerability or risk.
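The checklist described above can be kept as a small scored risk register that ranks entries for review and flags any risk marked "accept" that sits above the organization's stated acceptable level. The following is an added example written for this page, not code from the essay or its cited sources; the 1-3 ordinal scales for likelihood and impact, the multiplicative score, the High/Medium/Low thresholds, the acceptable-score parameter and the sample entries are all assumptions made for illustration.

```python
# Added example (not from the essay or its cited sources): a scored risk
# register built from the checklist the essay describes. The 1-3 ordinal
# scales, the multiplicative score, the rating thresholds and the sample
# entries are assumptions chosen for illustration.
from __future__ import annotations
from dataclasses import dataclass

# Likelihood labels from the essay, mapped to an assumed 1-3 ordinal scale.
LIKELIHOOD = {"Unlikely": 1, "Likely": 2, "Most Likely": 3}
# Impact on business operations, on the same assumed scale.
IMPACT = {"Low": 1, "Medium": 2, "High": 3}
# The four risk treatment options named in the essay.
TREATMENTS = {"mitigate", "accept", "avoid", "transfer"}


@dataclass(frozen=True)
class Risk:
    asset: str        # critical asset exposed to the threat
    threat: str       # threat or vulnerability being tracked
    likelihood: str   # key of LIKELIHOOD
    impact: str       # key of IMPACT
    treatment: str    # one of TREATMENTS
    control: str      # planned control or strategy


def score(risk: Risk) -> int:
    """Likelihood x impact on the assumed scales; possible values 1..9."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def rating(s: int) -> str:
    """Assumed thresholds: 6-9 High, 3-4 Medium, 1-2 Low."""
    if s >= 6:
        return "High"
    if s >= 3:
        return "Medium"
    return "Low"


def validate(risk: Risk) -> None:
    """Reject register entries that use labels the scheme does not define."""
    if risk.likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood {risk.likelihood!r}")
    if risk.impact not in IMPACT:
        raise ValueError(f"unknown impact {risk.impact!r}")
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {risk.treatment!r}")


def prioritize(register: list[Risk]) -> list[tuple[str, int, Risk]]:
    """Return (rating, score, risk) tuples with the highest score first."""
    for r in register:
        validate(r)
    scored = [(rating(score(r)), score(r), r) for r in register]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def accepted_above_appetite(register: list[Risk], acceptable_score: int) -> list[Risk]:
    """Risks marked 'accept' whose score exceeds the organization's acceptable
    level; the threshold is a parameter because it is a business decision."""
    return [r for r in register
            if r.treatment == "accept" and score(r) > acceptable_score]


# Constructed sample register for demonstration; not real assessment data.
SAMPLE_REGISTER = [
    Risk("customer database", "unpatched web application", "Likely", "High",
         "mitigate", "patch cycle and web application firewall"),
    Risk("payroll server", "ransomware via phishing", "Most Likely", "High",
         "mitigate", "user training, mail filtering, tested offline backups"),
    Risk("legacy kiosk", "theft of device", "Unlikely", "Low",
         "accept", "none; device holds no data"),
    Risk("office wifi", "rogue access point", "Likely", "Medium",
         "accept", "periodic wireless survey"),
    Risk("data centre", "regional flood", "Unlikely", "High",
         "transfer", "insurance plus secondary site"),
]

if __name__ == "__main__":
    for rate, s, r in prioritize(SAMPLE_REGISTER):
        print(f"{rate:<6} {s}  {r.asset}: {r.threat} -> {r.treatment} ({r.control})")
    for r in accepted_above_appetite(SAMPLE_REGISTER, acceptable_score=2):
        print("review needed:", r.asset, "accepted at score", score(r))
```

Running the block prints the register ordered by score, with the payroll ransomware entry first, and then reports the "office wifi" entry for review because it was accepted at a score above the assumed appetite of 2. The point of the second check is the one the essay makes: acceptance is only valid when the residual risk is within the level the organization has declared acceptable, so the register should make exceptions visible rather than silently record them.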
References
Rackspace. (2017). Retrieved (2017-24-7) from
Lebanidze, E. (2011). Guide to Developing a Cyber Security and Risk Mitigation Plan. Retrieved (2017-24-7) from https://www.smartgrid.gov/files/CyberSecurityGuideforanElectricCooperativeV11-21.pdf
Cantoria, S. C. (2011-28-2). Anticipated Risks. What Comprises a Risk Mitigation Plan? Retrieved (2017-24-7) from http://www.brighthubpm.com/risk-management/47934-risk-mitigation-strategies-and-risk-mitigation-plan/#imgn_0