A Risk Mitigation Plan is a report that identifies the actions that need to be taken to reduce the frequency and impact a risk could have on the organization.
The scope of this document is to suggest controls for risks that could affect this company in a negative way.
Threat From Inside: The risk of a compromised system, data breaches, or simply a curious employee.
Strong access controls. Base network access on job requirements (least privilege). Provide reasonable access to facilities. Frequent internal reviews of system and facility access should be completed to ensure that access is still controlled, since people change roles and leave while their accounts and badges stay behind.
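One way to make the internal access review concrete. This is an added example, not part of the original plan: it joins a constructed HR feed (role, active status) with a constructed export of directory groups and badge zones, compares each person's actual access against what their job role should grant, and reports excess access, excess privileged access, and terminated staff who still hold any access. The role matrix, group names and users are all hypothetical sample data.

```python
"""Role-based access review: flag entitlements that a person's job role
does not justify.  Added example with constructed sample data; the roles,
groups and badge zones below are hypothetical and not a real directory."""
from dataclasses import dataclass, field

# Hypothetical role-to-entitlement matrix: the groups and badge zones
# each job role is allowed to hold.  Anything outside this is "excess".
ROLE_ENTITLEMENTS = {
    "accounts-payable": {"erp-ap", "vpn", "badge-hq-floor2"},
    "helpdesk":         {"vpn", "ad-helpdesk", "badge-hq-floor1"},
    "sysadmin":         {"vpn", "ad-domain-admins", "badge-datacenter", "badge-hq-floor1"},
}

# Groups whose excess grant should be treated as a higher-severity finding.
PRIVILEGED_GROUPS = {"ad-domain-admins", "badge-datacenter"}


@dataclass
class User:
    name: str
    role: str                  # current job role from the HR feed
    active: bool               # False once HR has marked the person as terminated
    groups: set = field(default_factory=set)   # what the directory actually grants


# Constructed sample: HR feed joined with the directory/badge export.
SAMPLE_USERS = [
    User("alice", "accounts-payable", True, {"erp-ap", "vpn", "badge-hq-floor2"}),
    User("bob",   "helpdesk",         True, {"vpn", "ad-helpdesk", "ad-domain-admins", "badge-hq-floor1"}),
    User("carol", "sysadmin",         False, {"vpn", "ad-domain-admins", "badge-datacenter"}),
    User("dave",  "accounts-payable", True, {"erp-ap"}),
    User("erin",  "helpdesk",         True, {"vpn", "ad-helpdesk", "badge-hq-floor1", "badge-hq-floor2"}),
]


def review_access(users, role_entitlements, privileged):
    """Return {user name: [(finding type, sorted affected groups), ...]}.

    Only users with at least one finding appear in the result.  Holding
    fewer groups than the role allows is not a finding: least privilege is
    about excess, not about handing out everything a role permits.
    """
    findings = {}
    for u in users:
        issues = []
        if not u.active:
            # Terminated staff should hold nothing at all, privileged or not.
            if u.groups:
                issues.append(("terminated-with-access", sorted(u.groups)))
        else:
            allowed = role_entitlements.get(u.role)
            if allowed is None:
                # A role nobody has defined entitlements for cannot be reviewed.
                issues.append(("unknown-role", [u.role]))
            else:
                excess = u.groups - allowed
                if excess & privileged:
                    issues.append(("excess-privileged-access", sorted(excess & privileged)))
                if excess - privileged:
                    issues.append(("excess-access", sorted(excess - privileged)))
        if issues:
            findings[u.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in review_access(SAMPLE_USERS, ROLE_ENTITLEMENTS, PRIVILEGED_GROUPS).items():
        for kind, groups in issues:
            print(f"{name}: {kind}: {', '.join(groups)}")
```

In practice the two inputs come from the HR system and from the directory (for example group membership and badge-system exports) on a schedule; the review then consists of a manager confirming or revoking each finding rather than re-reading every account from scratch.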
Social Networks: Employees may divulge too much information to the public. Social networking sites pose a risk of phishing for sensitive information, of data breaches (with FISMA implications), and of corporate espionage.
Create policies on social network use at the office (it's your network). Use a firewall and internet restrictions to prevent access on ...
Employee education on phishing e-mails and other e-mail based attacks.
Inadequate Security Policies: It is predicted that in the coming years each business function of an organization will be required to implement its own security policies, specific to that department's functions, in addition to a company-wide information security program and policy.
Keep the company policy and each department policy consistent with one another. A department policy should name the specific software and hardware the department uses and state how that software and hardware are controlled.
Unpatched software: Unpatched software leaves programs and systems open to attacks against vulnerabilities that are already publicly known.
Stay up to date on patches, with an inventory of what is installed so nothing is missed. Keep firewalls in place on the organization's network as a second layer; a firewall limits exposure of an unpatched system but does not fix it.
Generation-Y Factor: A new generation of workers enters the field who have grown up with technology and are known as the "click-through" generation. This generation has always had access to technology and the internet and tends to accept or ignore risks.
Strong controls over internet browsing also uploading/downloading and frequent employee education.
Security Backlash: Organizations stop implementing new security policies because employees and customers feel it is too hard and time consuming to comply with the current policies.
Educate employees about the risks the controls address, not just what they have to do. Provide complete training for employees and customers on the security tools in place to ease the strain of using them.
Cloud Computing: More and more organizations are putting their networks "in the cloud." If that network fails, the entire system is unavailable to the entire organization. Cloud systems are not maintained in the office, so access controls need to be implemented for them as well.
Have a business continuity plan in place. Consider the need for redundant systems. Make sure the organization understands its provider and has a service level agreement in place. Understand who may have access to your equipment and networks, including the provider's own staff.
Compliance: The ever-evolving nature of standards, regulations, and security/privacy laws creates the risk that an organization may fall out of compliance with a standard, regulation, or law without noticing.
Yearly education of the employees who are responsible for compliance. Maintain subscriptions to trade journals and monitor industry news; new standards, regulations, and laws usually make the news before they take effect.