Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. This publication specifically addresses assessment and analysis of security control effectiveness and of organizational security status in accordance with organizational risk tolerance. Security control effectiveness is measured by correctness of implementation and by how adequately the implemented controls meet organizational needs in accordance with current risk tolerance. Organizational security status is determined using metrics established by the organization to best convey ...
Because of the importance of risk management, a new plan needs to be developed. The risk management plan is for the organization's use only. This new risk management plan will not only minimize the amount of risk for future endeavors, but will also be in compliance with regulations and standards such as the Federal Information Security Management Act (FISMA), Department of Defense (DOD), Department of Homeland Security (DHS), National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), and Information Assurance Certification and Accreditation Process (DIACAP).
This risk management plan is for the organization's use only and covers its network, including remote access. Anything outside the scope of this risk management plan may cause the network infrastructure to fail or leave it at high risk, because unprotected outside sources interacting with other outside sources allow hackers to infiltrate the system and steal important files. The scope of this project will include the planning, scheduling, budgeting, and consultation needed to perform an in-depth risk assessment, and the research needed to determine which compliance laws this organization must follow. We must identify all the risks and vulnerabilities associated with this organization and create viable solutions that mitigate these risks as quickly and as inexpensively as possible without compromising the integrity and confidentiality of any business assets. A cost-benefit analysis should also be conducted prior to the planning phase of this project. Implementing and executing these policies and procedures in order to mitigate these risks is a critical part of this project's process. Security features such as controls, audit logs, and patching will be implemented, monitored, reported, and documented. Other risks such as natural disasters and accidental fires or floods should also be considered and accommodated accordingly, including a backup and disaster recovery plan.
Risk Management Procedure
The risk management procedure will start by obtaining senior management support and involvement, designating focal points, defining procedures, creating a schedule with milestones and deadlines, involving business and technical experts as consultants, and controlling, maintaining, monitoring, reporting, analyzing, and documenting results. This procedure will identify risks, threats, vulnerabilities, and the likelihood of those risks materializing; identify and rank critical issues and operations; estimate potential damage; identify cost-effective mitigating controls; and document assessment findings. All policies and procedures will support or be in compliance with the FISMA, COBIT, DIACAP, and PCI standards.
Risks may vary greatly, from natural disasters, operational errors, software vulnerabilities, and financial hardships to human interactions such as attackers, buffer overflow attacks, ...