Step 2.3: Security Plan Development

The aim of risk management is “to aid managers to strike an economic balance between the costs associated with the risks and the costs of protective measures to lessen those risks.” Risk mitigation is the actions or countermeasures taken to reduce risk.

Countermeasure Examples

  • Fix known exploitable software flaws
  • Enforce operational procedures
  • Provide encryption capability
  • Improve physical security
  • Disconnect unreliable networks
  • Train system administrators (Train everybody!)

A department must either take specific actions that will mitigate risks to its mission, or reject countermeasure recommendations and accept risks to its mission. Use the template below to document your decisions regarding:

  • Countermeasures you are already taking
  • Countermeasures you will implement going forward
  • Countermeasures you have identified but decided not to implement

(A copy of this template, as well as all the other templates required to complete your department’s report on the ITS-RM process, is available in Word format here and Adobe PDF format here.)

In most risk management literature, risk is defined as

R = C × L × V             (Risk = Criticality × Likelihood × Vulnerability)

The more critical the asset, the more likely the threat and the greater the vulnerability, the more risk your department faces. So you need to look at your most important assets first (identified in Step 1) and then prioritize your actions by likelihood and severity of the threats, attacks and vulnerabilities you face (identified in Step 2.2): What are the consequences to you if this happens? How can you prepare? How does the cost of preparedness compare to the cost of not acting? Then make decisions based on available resources. If resources are not sufficient, your department has prepared a case for additional resources.
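To make the prioritization above concrete, here is an added example (not part of the ITS-RM page or any UVA tool) that scores a small constructed risk register with R = C × L × V, ranks it highest risk first, and then decides which countermeasures fit a budget, recording the rest under "Not implementing" with the justification that becomes the case for additional resources. The 1–5 scoring scale, the asset names, the countermeasure costs and the budget are all assumptions made for the example; the page gives the formula but no scale.

```python
from dataclasses import dataclass

# Constructed scoring assumption: C, L and V are each rated 1 (low) to 5 (high),
# so R ranges from 1 to 125. The page gives R = C x L x V but no scale.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class RiskItem:
    asset: str           # identified in Step 1
    threat: str          # identified in Step 2.2
    criticality: int     # C: importance of the asset to the mission
    likelihood: int      # L: how likely the threat is to occur
    vulnerability: int   # V: how exposed the asset is to that threat

    def __post_init__(self):
        for name in ("criticality", "likelihood", "vulnerability"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be {SCALE_MIN}..{SCALE_MAX}, got {value}")

    @property
    def risk(self) -> int:
        """R = C x L x V, as defined on the page."""
        return self.criticality * self.likelihood * self.vulnerability


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: int               # one-off cost in dollars (constructed figure)
    new_likelihood: int     # L once the countermeasure is in place
    new_vulnerability: int  # V once the countermeasure is in place


def prioritize(items):
    """Highest risk first; ties broken by criticality, then likelihood."""
    return sorted(items, key=lambda i: (i.risk, i.criticality, i.likelihood), reverse=True)


def residual_risk(item, cm):
    """Risk left after a countermeasure; C belongs to the asset and does not change."""
    return item.criticality * cm.new_likelihood * cm.new_vulnerability


def plan(options, budget):
    """Fund countermeasures greedily by risk reduction per dollar.

    options: list of (RiskItem, Countermeasure) pairs. Anything that does not fit
    the remaining budget goes under 'Not implementing' with its justification.
    """
    scored = []
    for item, cm in options:
        reduction = item.risk - residual_risk(item, cm)
        scored.append((reduction / cm.cost, reduction, item, cm))
    scored.sort(key=lambda s: (s[0], s[1]), reverse=True)

    planned, not_implementing, remaining = [], [], budget
    for _per_dollar, reduction, item, cm in scored:
        if reduction <= 0:
            not_implementing.append((item, cm, "countermeasure does not reduce R"))
        elif cm.cost <= remaining:
            planned.append((item, cm))
            remaining -= cm.cost
        else:
            not_implementing.append(
                (item, cm, f"insufficient resources: cost {cm.cost}, only {remaining} left"))
    return planned, not_implementing, remaining


# Constructed sample register for a small department (not from the page).
SAMPLE_ITEMS = [
    RiskItem("Departmental file server", "Disk failure / data loss", 5, 3, 4),   # R = 60
    RiskItem("Research desktop", "Malware infection", 3, 4, 4),                  # R = 48
    RiskItem("Public web server", "Known exploitable software flaw", 4, 4, 5),   # R = 80
    RiskItem("Shared printer", "Theft", 1, 2, 3),                                # R = 6
]

SAMPLE_OPTIONS = [
    (SAMPLE_ITEMS[2], Countermeasure("Patch known flaws", 500, 4, 2)),
    (SAMPLE_ITEMS[0], Countermeasure("Daily backup with off-site storage", 2000, 3, 1)),
    (SAMPLE_ITEMS[1], Countermeasure("Server-only document policy + desktop image", 1500, 4, 2)),
    (SAMPLE_ITEMS[3], Countermeasure("Locking cabinet", 300, 1, 3)),
]


def render(items, options, budget):
    """Return the ranked register and the Planned / Not implementing decisions as text."""
    lines = ["Asset (by priority)         R   Threat"]
    for i in prioritize(items):
        lines.append(f"{i.asset:<26}{i.risk:>4}   {i.threat}")
    planned, skipped, left = plan(options, budget)
    lines.append("Planned:")
    lines += [f"  {it.asset}: {cm.name} (R {it.risk} -> {residual_risk(it, cm)})" for it, cm in planned]
    lines.append("Not implementing:")
    lines += [f"  {it.asset}: {cm.name}; {why}" for it, cm, why in skipped]
    lines.append(f"Unspent budget: {left}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_ITEMS, SAMPLE_OPTIONS, budget=3000))
```

With the constructed figures the web server patch is funded first (largest reduction per dollar), the off-site backup second, and the desktop image is deferred for lack of funds even though it reduces more risk than the printer cabinet that does fit; the "Not implementing" line records exactly why, which is what the template asks you to document.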

The good news is that your selected strategies will often overlap: regular backup with off-site storage is a near-universal strategy against threats to your assets. Strategies also do not need to be complex. For example:

  • To protect all the department’s desktops: have a policy requiring all important documents be saved on the departmental file server; back up the server daily; store the backups off-site; and prepare a departmental software image for quick replacement if a desktop fails.
  • To meet legal compliance standards for protected data: keep protected data on central systems, and do not download it to local servers or desktops; comply by staying outside the jurisdiction of the standards.

Unit Name: ___________________    Sub-Unit Name: ___________________

Security Plan Template

Strategies (identified in Step 2.2) will overlap, protecting multiple assets. Document your current method of protecting assets against identified threats, attacks and vulnerabilities. Identify and prioritize what additional mitigation efforts you need to take (along with a timeline for completing them), and document justifications for mitigation steps you identified but decided not to implement.


Asset (by priority)      | Identified Threats (by priority)  | Mitigation Strategies (by priority)
-------------------------|-----------------------------------|------------------------------------
________________________ | _________________________________ | Current:
                         |                                   | Planned:
                         |                                   | Not implementing:
-------------------------|-----------------------------------|------------------------------------
________________________ | _________________________________ | Current:
                         |                                   | Planned:
                         |                                   | Not implementing:
-------------------------|-----------------------------------|------------------------------------
________________________ | _________________________________ | Current:
                         |                                   | Planned:
                         |                                   | Not implementing:
-------------------------|-----------------------------------|------------------------------------
________________________ | _________________________________ | Current:
                         |                                   | Planned:
                         |                                   | Not implementing:
-------------------------|-----------------------------------|------------------------------------


Prepared by:

         Name:  __________________________
    Signature:  __________________________
        Title:  __________________________
         Date:  __________________________


Approved by: Unit head

         Name:  __________________________
    Signature:  __________________________
        Title:  __________________________
         Date:  __________________________


© 2008 by the Rector and Visitors of the University of Virginia.

The information contained on the University of Virginia’s Department of Information Technology and Communication (ITC) website is provided as a public service with the understanding that ITC makes no representations or warranties, either expressed or implied, concerning the accuracy, completeness, reliability or suitability of the information, including warrantees of title, non-infringement of copyright or patent rights of others. These pages are expected to represent the University of Virginia community and the State of Virginia in a professional manner in accordance with the University of Virginia’s Computing Policies.