...SECURITY RISK MANAGEMENT PLAN
Prepared by Jeremy Davis
Version control: Project title: Security Risk Management Plan Draft | Author: Jeremy Davis | VC: 1.0 | Date: 25/10/10
Contents: Executive summary; Project purpose; Scope of risk management; Context and background; Assumptions; Constraints; Legislation/Standards/Policies; Risk management; Identification of risk; Analysis of risk; Risk category; Review of matrix; Action plan; Testing procedures; Maintenance; Scheduling; Implementation; Training; Milestones; Monitoring and review; Definition; Authorisation; Reference
Executive summary
A Security Risk Management Plan (SRMP) helps CBS by providing specific guidelines and rules to ensure that risk management is considered and included. It provides guidelines for implementation that can minimise threats through planning, policies, processes and procedures that help the business get back to normal as soon as possible. This SRMP was designed to guide the implementation of risk management in CBS and its operations in order to ensure the security and safety of its staff and assets. Throughout, the SRMP identifies threats, procedures, policies and responsible persons, which will give you and your staff the information needed to prepare for the worst disaster event. Every business these days has an SRMP in case of events which may occur,...
...Risk Management Plan for Defense Logistics Information Service
1. PURPOSE
This Risk Management Plan is an overall look at how Defense Logistics Information Service can protect its data. The implication of lost confidential government data is the primary cause for this plan, and will be treated with the utmost importance.
2. GUIDING PRINCIPLES
This plan will be presented through a formal, written risk management and security safety program. The Security Safety and Risk Management Program supports the DLIS philosophy that government safety and risk management is everyone's responsibility. Teamwork and participation among management, providers, and staff are essential for an efficient and effective patient safety and risk management program. The program will be implemented through the coordination of multiple organizational functions and the activities of multiple departments. DLIS supports the establishment of such clauses and best practices. An in-depth look at mistakes made and ways we can learn from them will be at the forefront of our investigation. Constructive feedback will play a large part as well. In a just culture, unsafe conditions and hazards are readily and proactively identified, mistakes are openly discussed, and suggestions for systematic improvements are welcomed. Individuals are still held accountable for compliance with safety and risk management practices. As such, if evaluation and investigation of an error or event reveals reckless behavior...
...an organization, yet traditional security practices have either not provided adequate protection of information or have been so restrictive that they have prevented companies from making the maximum use of information to innovate, collaborate, and achieve competitive advantages. The security approach that many organizations have been forced to take in the past has been reactive: rather than viewing information security as a business enabler, they see it as an inhibitor, designed to prevent bad things from happening. The problem with this is that good efforts in one area can be quickly nullified by failures in another. To help with its security transformation, Global called upon the expertise of CIS, its own security division. CIS's information risk management strategy brings together, within a global framework, all the components that an organization needs to plan and implement an end-to-end approach for protecting a business's most critical information assets. Looking at compliance, you have to understand that there are certain laws that apply to financial data. The question at hand is reporting from an unsecured network. Bringing in a risk team will first and foremost put a stop to that: finance data should not be reported over unsecured networks, since letting information out either unencrypted or over a path where it is vulnerable can be a violation of compliance law. Assuring the integrity and security of personal information held by banks...
...Senior member of the security team: Keith Kristy
How large is Ryerson geographically and in terms of students?
- 38,000 undergraduates
- 1,700 support staff
- 780 faculty
- intermingled streets
• Crew security reports to the security manager
• 168 Occupational health and safety
• Brand new position: IT, own firewall and backbone to protect confidential information
• Everyone reports to the assistant director manager
• Everyone reports to the VP of finance: this is what it comes down to
What is the purpose of having a security department?
- formulate risk management
- protection of people, property and information
What is the purpose of the different heads?
- The whole cycle has evolved
- Harassment and violence free
- Manage the people, place and money, timing for work (for having managers and supervisors)
How do you determine the number of employees that should be deployed?
- deployed during the busiest time
- they have a formula (square footage formula) that bases the amount of security that is required
- budgets also affect how to deploy employees
What kind of reports are done daily?
- they write about 5,000 reports / year
- ORCA report writing system
- whatever happens, there always has to be a report that is written
- daily briefs for any incidents, basically giving a synopsis of what they did
Formal reports that get sent to external agencies
- PCR (provision of care reports) medical...
...Business and Commercial Awareness
MODULE CODE: 6FBS1261 | MODULE LEADER: Mr. Neil Godfrey | Implementation Plan | Member: Jenna Julien | ID NUMBER: 13028960 | Programme Delivered by: CTS College of Business and Computer Science Ltd. | Submission Date: 07/01/2013 | Final Word Count: 1302 (Excluding Table of Contents, Tables & References)
Table of Contents
Section 1.0 Overview of investment and impact on financial department
Section 2.0 Linkages with other departments
Section 3.0 Milestones and time plan for financial activities
Section 4.0 Risk management plan (Table 1: Risk plan for implementation plan; Table 2: Risk assessment for implementation plan)
Section 5.0 Financial overview of investment; cost plan (Table 3: Detailed expense account; Table 4: Total projected yearly income; Table 5: Projected cost-income ratio; Table 6: Total forecasted profits; Table 7: Projected profit-income ratio; Table 8: Projected break-even period)
Section 6.0 Resource requirements by the finance department
Section 7.0 Key performance indicators
Section 8.0 References
Section 1.0 OVERVIEW OF INVESTMENT AND IMPACT ON FINANCIAL DEPARTMENT:
The 3-star new build in Rio de Janeiro, Brazil was chosen as the best investment idea by our syndicate...
...RESULTS-BASED PUBLIC SECTOR MANAGEMENT: A Rapid Assessment Guide
PLAN / BUDGET / IMPLEMENT / MONITOR / EVALUATE / RESULTS
© 2012 Asian Development Bank. All rights reserved. Published in 2012. Printed in the Philippines.
ISBN 978-92-9092-838-6 (Print), 978-92-9092-839-3 (PDF). Publication Stock No. TIM124978
Cataloging-In-Publication Data: Asian Development Bank. Results-based public sector management: A rapid assessment guide. Mandaluyong City, Philippines: Asian Development Bank, 2012. 1. Managing for development results 2. Results-based management 3. Public sector. I. Asian Development Bank.
The views expressed in this publication are those of the authors and do not necessarily reflect the views and policies of the Asian Development Bank (ADB), its Board of Governors, or the governments they represent. ADB does not guarantee the accuracy of the data included in this publication and accepts no responsibility for any consequence of their use. By making any designation of or reference to a particular territory or geographic area, or by using the term "country" in this document, ADB does not intend to make any judgments as to the legal or other status of any territory or area. ADB encourages printing or copying information exclusively for personal and noncommercial use with proper acknowledgment of ADB. Users are restricted from reselling, redistributing, or creating...
...Risk Plan: Recognizing and Minimizing Tort and Regulatory Risk Plan
LAW/531, September 29, 2010
Introduction
Alumina, Inc. makes aluminum products and has revenues of over $4 billion. The company is based in the United States (US) with operations in eight other countries around the world. The US accounts for 70% of Alumina's market share. Alumina has business interests in automotive components, packaging materials manufacturing, bauxite mining, and alumina refining and smelting. The company falls under the jurisdiction of Region 6 of the Environmental Protection Agency (EPA) (University of Phoenix, 2010).
Recognizing and Minimizing Tort and Regulatory Risk Plan
Companies and organizations such as Alumina, Inc. have corporate governance that requires them to operate their businesses within government rules, regulations and boundaries. Those rules and regulations are authorized by major legislation enacted by Congress and are enforceable by law. Minimizing the risk of tort liability is the goal of every organization and company. Five years ago, a routine EPA compliance evaluation inspection found Alumina in violation of environmental discharge norms. The EPA ordered a clean-up and Alumina complied right away. Now the case of negligence starts. The government places a high level of importance on the preservation of the environment and enforces environmental regulations. Alumina has to come up with a risk management plan...
...attacks per week in 2010 was only around 50. More than 78 percent of annual cybercrime can be labeled as denial of service, malicious code, malevolent insiders, and stolen or hijacked devices. Businesses have no choice but to spend an increasing amount of money, time, and energy to protect themselves against cyber-attacks that seem to be reaching unsustainable levels. Even though some companies are finding ways to lower the cost of security measures, the cost in time and energy cannot be eased. Whatever the solution, it will always take time to incorporate any security measure and energy to maintain it. Additional key findings include:
* Information theft and business disruption continue to represent the highest external costs. On an annual basis, information theft accounts for 44 percent of total external costs, up 4 percent from 2011. Disruption to business or lost productivity accounted for 30 percent of external costs, up 1 percent from 2011.
* Deploying advanced security intelligence solutions can mitigate the...
...Incident Response Plan
Gurleen Kaur Sandhu, Master of Information Systems Security and Management, Concordia University of Edmonton, 7128 Ada Boulevard, Edmonton, AB, gksandhu@student.concordia.ab.ca
Abstract— In business-oriented organizations, disasters can occur at any time if information security is jeopardized at some point in business operations. Whenever unplanned events happen, incident response plans are a must for reducing the severity and increasing the chances of quick resolution with minimal damage. An incident response plan is an integral part of an enterprise's effort to reduce negative publicity and increase the confidence of corporate staff. This paper provides the steps for constituting and utilizing an Incident Response Plan.
INTRODUCTION
As the American lawyer Robert Mueller said, "There are only two types of companies: those that have been hacked and those that will be." When an organization depends on technology-based systems to remain viable, information security and risk management become an unavoidable part of the economic basis for making decisions in a firm. In this challenging environment of advancing technology, data breaches are also increasing, which requires enterprises to protect proprietary data and implement effective measures to prevent data compromise. Threats and vulnerabilities, in one form or another, will always affect information technology. An incident is an adverse event that negatively impacts the confidentiality, integrity and availability of...
...Incident Response Plan Template for Breach of Personal Information
Notice to Readers; Acknowledgments; Introduction
Incident Response Plan: Incident Response Team; Incident Response Team Members; Incident Response Team Roles and Responsibilities; Incident Response Team Notification; Types of Incidents
Breach of Personal Information – Overview: Definitions of a Security Breach; Requirements; Data Owner Responsibilities; Location Manager Responsibilities; When Notification Is Required
Incident Response – Breach of Personal Information: Information Technology Operations Center; Chief Information Security Officer; Customer Database Owners; Online Sales Department; Credit Payment Systems; Legal; Human Resources; Network Architecture; Public Relations; Location Manager
Appendix A: MasterCard Specific Steps; Visa U.S.A. Specific Steps; Discover Card Specific Steps; American Express Specific Steps
Appendix B: California Civil Code 1798.82 (Senate Bill 1386); Health Insurance Portability and Accountability Act of 1996 (HIPAA); Gramm-Leach-Bliley Act (GLBA)
Appendix C: Escalation Members (VP Level of Management); Auxiliary Members (as needed); External Contacts (as needed); Notification Order; Escalation Member Notification List
Notice to Readers
Incident Response Plan – Template for Breach of Personal Information does not represent an official position of the American Institute...
...The communication and coordination plan is vital to the success of the recovery. Now that the incident has been discovered, the CSIRT needs to be notified. The team lead needs to invoke the incident response procedures and identify who needs to be contacted. This ensures that the proper level of response is applied and minimizes any further damage to the organization's networks and reputation. Controlling who knows of the incident will prevent an attacker from being tipped off to your detection and recovery efforts. All communication will be coordinated with the Legal and Communication Representatives. BMF will develop a comprehensive communication plan that separately addresses each of the three audiences and continue to develop...
...that an internal system was conducting a man-in-the-middle attack by spoofing an internal Internet Protocol address, whereby all traffic sent to a specific destination was silently redirected to another system. The culprit was a lack of access controls, central reporting systems, authentication controls, and host-based intrusion prevention systems. These controls and systems would have prevented, or at a minimum detected, this type of attack and could have saved the company many hours of labor costs.
- Identify who needs to be notified based on the type and severity of the incident: In incidents such as this, Management must be notified and kept abreast of the situation each step of the way, as they will ultimately be held responsible if fault is identified on their end. The Computer Emergency Response Team or the Emergency Management Team should be notified. They are experts at dealing with similar situations and know the proper processes and procedures required for identifying the cause, the...
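As an added illustration of the detection control the excerpt above says was missing (this is example code written for this page, not the essay's own or the affected company's), the following Python script parses constructed tcpdump-style ARP lines and flags an internal host that starts answering for another host's IP address, which is how an internal system spoofs an IP to sit in the middle. The sample lines, the addresses in them, the `trusted` parameter and the two alert reasons are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in tcpdump-style ARP output (not a real capture).
# 00:11:22:33:44:55 is the legitimate gateway 10.0.0.1; 00:aa:bb:cc:dd:20 is
# the victim host 10.0.0.20; 00:de:ad:be:ef:99 is the attacker, which later
# claims both addresses so that traffic between them is relayed through it.
SAMPLE_LOG = """\
12:00:01.000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
12:00:02.000 ARP, Request who-has 10.0.0.1 tell 10.0.0.20, length 28
12:00:02.100 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
12:00:05.000 ARP, Reply 10.0.0.20 is-at 00:aa:bb:cc:dd:20, length 28
12:00:09.000 ARP, Reply 10.0.0.1 is-at 00:de:ad:be:ef:99, length 28
12:00:09.500 ARP, Reply 10.0.0.20 is-at 00:de:ad:be:ef:99, length 28
12:00:12.000 ARP, Reply 10.0.0.1 is-at 00:de:ad:be:ef:99, length 28
"""

# Only replies carry an IP-to-MAC claim; request lines are ignored.
REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_replies(text):
    """Return (timestamp, ip, mac) tuples for every ARP reply line."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            replies.append((m["ts"], m["ip"], m["mac"].lower()))
    return replies


def detect_arp_spoofing(replies, trusted=None):
    """Flag ARP replies that contradict the first-seen (or a trusted) binding.

    trusted: optional {ip: mac} of bindings known to be correct (assumed
    parameter), e.g. the gateway; it seeds the table so a spoof that arrives
    before the genuine reply is still caught.  Two signals are raised:
      ip_mac_conflict          an IP is claimed by a MAC other than the recorded one
      mac_claims_multiple_ips  one MAC answers for several IPs (the relay in a MITM)
    """
    table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ips_per_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        ips_per_mac[mac].add(ip)
        recorded = table.get(ip)
        if recorded is None:
            table[ip] = mac  # first sighting becomes the baseline binding
        elif recorded != mac:
            alerts.append({
                "reason": "ip_mac_conflict", "ts": ts, "ip": ip,
                "expected_mac": recorded, "seen_mac": mac,
            })
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append({
                "reason": "mac_claims_multiple_ips", "ts": None,
                "mac": mac, "ips": sorted(ips),
            })
    return alerts


if __name__ == "__main__":
    gateway = {"10.0.0.1": "00:11:22:33:44:55"}
    for alert in detect_arp_spoofing(parse_replies(SAMPLE_LOG), trusted=gateway):
        print(alert)
```

Seeding the table from a trusted source (a DHCP lease file or an inventory export) rather than from the first reply seen is what turns this from a heuristic into a control: without it, an attacker who poisons the cache before the monitor starts simply becomes the baseline. A host-based agent running the same comparison against its own ARP cache would have caught the internal spoofing described above.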
...Unit 8 Lab 1: Craft a security or computer incident response policy – CIRT response team
3. Why is it a good idea to include human resources on the incident response management team? Most organizations realize that there is no one solution or panacea for securing systems and data; instead, a multi-layered security strategy is required.
4. Why is it a good idea to include legal or general counsel on the incident response team? An incident response must be decisive and executed quickly. Because there is little room for error, it is critical that practice emergencies are staged and response times measured.
5. How does an incident response plan and team help reduce the risk to the organization? While preventing such attacks would be the ideal course of action for organizations, not all computer security incidents can be prevented.
6. If you are reacting to a malicious software attack, such as a virus that is spreading, during which step in the incident response process are you attempting to minimize its spreading? In most areas of life, prevention is better than cure, and security is no exception. Wherever possible, you will want to prevent security incidents from happening in the first place. However, it is impossible to prevent all security incidents. When a security incident does happen, you will need to ensure that its impact is minimized. To minimize the number and impact of security incidents.
7. If you cannot cease the spreading, what should you do to protect...
...consultants, temporary employees, and other workers at Healthcare, including all personnel affiliated with third parties. It applies to all equipment that is owned or leased by Healthcare.
Incident Reporting
All computer security incidents, including suspicious events, shall be reported immediately, either orally or via e-mail, to the department IT manager and/or department supervisor by the employee who witnessed or identified the breach.
Escalation
The department IT manager and/or department supervisor needs to determine the criticality of the incident. The department IT manager and/or department supervisor will refer to their IT emergency contact list for both management personnel and incident response members to be contacted. If the incident is something that will have serious impact, the Chief Information Officer of Healthcare will be notified and briefed on the incident. The Information Security Incident Team Manager will log all communications, including:
a) The name of the caller.
b) Time of the call.
c) Contact information about the caller.
The CIO or his/her designee will determine if other agencies, departments, or personnel need to become involved in the reporting and resolution of the incident.
Containment
Any system, network, or security administrator who observes an intruder on the Healthcare network or system shall take appropriate action to...
...know that their personal data may have been compromised". (Kirk, 2009) After tons of emails were sent out to customers asking for their personal information, Aetna was finally alerted that something was going wrong. This would be a second data loss incident, after an employee laptop was stolen back in 2006. According to About.com Business Security, "Although the data theft took place between June 2004 and October 2007, on May 1, 2009, LexisNexis disclosed a data breach to 32,000 customers". (Kirk, 2009) As many scammers seem to do, the thieves set up fake post office boxes, prompting an investigation by the USPS. Scammers are usually smart and seem to find a way to get around the system and begin to hack; in the Aetna case the scammers retrieved the customers' emails from the website. Could the breach have been prevented? After a hack or scam has been done, everyone wants to point a finger at someone to blame, but in cases like this who can you really blame? Well, according to the Federal Information Security Management Act (FISMA), which is the Federal Information Security Management Act of...