Risk Mitigation Plan OUTLINE


BUSINESS NAME (and Optional Logo)

RISK MITIGATION PLAN


Version 1.0

Prepared By:

May 8, 2020
COMPANY NAME Risk Mitigation Plan

TABLE OF CONTENTS

1. Business Overview...............................................................................................................................3
2. INTRODUCTION...................................................................................................................................3
2.1 Objectives....................................................................................................................................3
2.2 Scope...........................................................................................................................................3
2.3 Legal Compliance.........................................................................................................................3
2.4 Stakeholders................................................................................................................................3
2.5 Fiduciary Relationships................................................................................................................3
2.6 Responsibilities............................................................................................................................4
3. RISK ASSESSMENT................................................................................................................................4
3.1 Threats and Vulnerabilities..........................................................................................................4
3.2 Quantitative Risk Assessment......................................................................................................5
3.3 Qualitative Risk Assessment........................................................................................................5
4. BUSINESS CONTINUITY........................................................................................................................5
4.1 Business Impact Analysis.............................................................................................................5
4.1.1 Critical Business Functions...................................................................................................6
4.1.2 Architecture Diagram...........................................................................................................6
4.1.3 Critical Resources.................................................................................................................6
4.2 Business Continuity......................................................................................................................7
4.3 Disaster Recovery........................................................................................................................9
5. SCHEDULE & CONCLUSION................................................................................................................10

Page 2 of 10

1. BUSINESS OVERVIEW

Add your business overview – make any necessary changes to fit the format – make any additional
updates you would like to make.

2. INTRODUCTION

NEW: Provide a brief introduction to your plan. (1 to 3 paragraphs)


(NOTE: The words “business, or company” in this guide mean “business, company, institution,
organization, or system.”)

2.1 Objectives

Include an Objectives section that follows the guidance in Chapter 4 as it relates to your business.

Consider writing a “primary objective” and then list several “enabling” or “supporting” objectives.

2.2 Scope

Include a Scope section that follows the guidance in Chapter 4 as it relates to your business. Briefly
define the scope of your plan.

2.3 Legal Compliance

List the applicable Laws and Standards and for each one, explain its relevance to your business in a few
sentences. (skip for now)

2.4 Stakeholders

List the Stakeholders for your business and for each one, explain its relationship to your business in a
few sentences.

2.5 Fiduciary Relationships

NEW: List at least two fiduciary relationships that your business has. For each, explain the following:

• (Due diligence) Identify the specific risk/s with which the fiduciary can help. (1 paragraph)
• (Due care) What steps will the fiduciary take to protect against the risk. (1 paragraph)

NOTE: Since you are writing about two fiduciary relationships, this section should be a minimum of four
paragraphs.

TIPS:


• Review the Organizational Policies for Compliance section in Chapter 3 of the textbook (stop
reading after the first two paragraphs at the top of page 69).
• Still confused? Check out these two videos:

https://ethicsunwrapped.utexas.edu/glossary/fiduciary-duty

https://www.youtube.com/watch?v=ANSBmmbHh7g

2.6 Responsibilities

FROM OUTLINE: List the people (by role) in your company that you have recruited to be on your Risk
Management team.

3. RISK ASSESSMENT

3.1 Threats and Vulnerabilities

NEW:

<Add your own brief intro here>

To do this section, select the two IT Security domains (from the seven domains in Chapter 1) that are
most relevant to your business, and create a Threats and Vulnerabilities table for each one. Please use
the empty tables below. You may tweak them if you wish. For each row in the table:

• Enter a threat
• Enter a vulnerability related to the threat
• Very briefly describe the related risk (potential loss)
• Enter the asset or assets that are at risk
• Enter a recommended mitigation

Table 1: Threats and Vulnerabilities in the <Enter the name of the first domain you select – for example
“Workstation”> Domain

Threat | Vulnerability | Risk (Potential Loss) | Associated Asset/s | Recommended Mitigation

Table 2: Threats and Vulnerabilities in the <Enter the name of the 2nd domain you select> Domain

Threat | Vulnerability | Risk (Potential Loss) | Associated Asset/s | Recommended Mitigation


TIP: Unsure of your business's vulnerabilities? Check out this video:


https://youtu.be/qw2lznJ3emg

3.2 Quantitative Risk Assessment

<Add your own brief intro here>

To create the content for this section, you will use content from Table 1 in the previous section (section
3.1). Perform a Quantitative Risk Assessment for each of the three risks you identified in Table 1.

NOTE: Be sure to review Quantitative Risk Assessments in the Book before completing this table.

Table <insert table number>: Quantitative Risk Assessment for the <enter domain name> Domain

Risk (From Table 1) | Associated Asset (From Table 1) | Asset Value | SLE | ARO | ALE | Cost of Mitigation | ARO after Mitigation | ALE after Mitigation | Residual Risk
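As an added worked example (not part of this template), the following Python fills the columns of the Quantitative Risk Assessment table for two constructed risks and flags whether each mitigation pays for itself. The exposure factor (SLE = AV x EF), the definition of residual risk as the ALE left after the control, and the cost-benefit rule are assumptions not stated on the page.

```python
from dataclasses import dataclass

@dataclass
class QuantRisk:
    risk: str               # Risk (from Table 1)
    asset: str              # Associated Asset (from Table 1)
    asset_value: float      # Asset Value (AV) in dollars
    exposure_factor: float  # fraction of AV lost per incident; SLE = AV x EF (assumed, EF is not a column)
    aro: float              # Annualized Rate of Occurrence before mitigation
    mitigation_cost: float  # Cost of Mitigation per year
    aro_after: float        # ARO after Mitigation

    @property
    def sle(self) -> float:        # Single Loss Expectancy
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:        # Annualized Loss Expectancy = SLE x ARO
        return self.sle * self.aro

    @property
    def ale_after(self) -> float:  # ALE after Mitigation: SLE unchanged, ARO reduced
        return self.sle * self.aro_after

    @property
    def residual_risk(self) -> float:  # assumption: the ALE still carried with the control in place
        return self.ale_after

    def annual_benefit(self) -> float:
        # Assumed cost-benefit rule: yearly ALE reduction minus the control's yearly cost
        return (self.ale - self.ale_after) - self.mitigation_cost

# Constructed sample rows for a "Workstation" domain (illustrative, not from the page)
SAMPLE = [
    QuantRisk("Malware via email attachment", "Employee workstations",
              asset_value=40_000, exposure_factor=0.25, aro=2.0,
              mitigation_cost=3_000, aro_after=0.25),
    QuantRisk("Laptop theft exposes customer data", "Sales laptops",
              asset_value=60_000, exposure_factor=0.5, aro=0.1,
              mitigation_cost=4_000, aro_after=0.05),
]

def table_rows(risks):
    """Return one dict per risk holding the table's columns (money rounded to cents)."""
    return [{"Risk": r.risk, "Associated Asset": r.asset, "Asset Value": r.asset_value,
             "SLE": round(r.sle, 2), "ARO": r.aro, "ALE": round(r.ale, 2),
             "Cost of Mitigation": r.mitigation_cost, "ARO after Mitigation": r.aro_after,
             "ALE after Mitigation": round(r.ale_after, 2), "Residual Risk": round(r.residual_risk, 2),
             "Worth Implementing": r.annual_benefit() > 0}
            for r in risks]
```

A negative annual benefit (the second sample row) means the control costs more per year than the loss it prevents, which is the case the table is meant to surface.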

3.3 Qualitative Risk Assessment

<Add your own brief intro here>

To create the content for this section, you will use content from Table 2 above. Perform a Qualitative
Risk Assessment for each of the three risks you identified in Table 2 above.

Use the model at the top of page 124 in the book. Or if you prefer, you can do a risk matrix like the one
at the bottom of page 124.

4. BUSINESS CONTINUITY

TIP: Read Chapter 12 prior to writing this section.

4.1 Business Impact Analysis

Write a two-sentence scope statement. The fourth paragraph of p. 319 is a good example.


TIP: Review pages 318 and 319 before writing your statement.

4.1.1 Critical Business Functions

List three of your business’s Critical Business Functions (CBFs). The third paragraph on p. 322 is a good
example (just a simple bulleted list is all you need).

TIP: Review pages 322 and 323 before making your list.

4.1.2 Architecture Diagram

Create a diagram that shows where CBFs occur. Use the diagrams on pages 318 and 319 as examples.

4.1.3 Critical Resources

For each CBF you listed in section 4.1.1, list at least two critical resources.

CBF 1 <write out the name of the CBF>

• resource 1
• resource 2

CBF 2

• Sample resource 1
• Sample resource 2

CBF 3

• Sample resource 1
• Sample resource 2

Maximum Allowable Outages - complete the table below (replace blue and green text)

Critical Business Function | MAO | Impact Level
<CBF 1> Customer Accesses Website (for example) | How long can that functionality be down without damaging business | High
<CBF 2> Web Server Accesses Database (for example) | How long can that functionality be down without damaging business | High
<CBF 3> | | Med

Critical Business Function | MAO | Impact Level
The <your first CBF>… | <enter an amount of time in seconds, fractions of seconds, minutes, hours, etc.> | <enter the impact level [High, Medium, or Low]> In other words, how bad it would be if this CBF went down longer than the MAO. Really bad = High etc.
The <CBF number 2>… | <enter an amount of time in seconds, etc.> | <enter the impact level>
The <CBF 3>… | <enter an amount of time in seconds, etc.> | <enter the impact level>

Recovery Objectives

RTOs - complete the table below (replace blue and green text)

Critical Business Function | RTO | Comments
The <your first CBF>… | <enter an amount of time in seconds, fractions of seconds, hours, etc. that is less than or equal to the MAO for this CBF> | Immediate after purchase and installation of redundant server
The <CBF number 2>… | <enter an amount of time that is <= the MAO for this CBF> | ….
The <CBF 3>… | <enter an amount of time that is <= the MAO for this CBF> | …

RPOs - complete the table below (replace blue and green text)

Critical Business Function | RPO | Comments
<CBF 1> Customer Accesses Website (for example) | 48 Hours | N/A
<CBF 2> Web Server Accesses Database (for example) | … |
<CBF 3> | … |
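As an added example (not part of this template), the following Python parses the duration strings the MAO, RTO and RPO tables above ask for and checks the rule those tables state, that each CBF's RTO is less than or equal to its MAO, plus the High/Medium/Low impact levels from the MAO table. The sample rows, the field names and the third CBF are constructed for illustration.

```python
import re

# Duration strings in the form the MAO/RTO/RPO tables above ask for ("0.5 seconds",
# "30 minutes", "4 hours", "2 days"), normalised to seconds so they can be compared
_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def parse_duration(text: str) -> float:
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(second|minute|hour|day)s?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    return float(m.group(1)) * _UNITS[m.group(2).lower()]

def check_recovery_objectives(cbfs):
    """cbfs: dicts with keys cbf, mao, rto, rpo (duration strings) and impact.
    Returns the list of problems found; an empty list means the tables are consistent."""
    problems = []
    for row in cbfs:
        mao, rto = parse_duration(row["mao"]), parse_duration(row["rto"])
        parse_duration(row["rpo"])  # RPO only needs to be a valid duration here
        if rto > mao:  # the template requires RTO <= MAO for every CBF
            problems.append(f"{row['cbf']}: RTO {row['rto']} exceeds MAO {row['mao']}")
        if row["impact"] not in ("High", "Medium", "Low"):
            problems.append(f"{row['cbf']}: impact level must be High, Medium or Low")
    return problems

# Constructed sample rows: the two example CBFs named above plus one that fails both checks
SAMPLE_CBFS = [
    {"cbf": "Customer Accesses Website", "mao": "4 hours", "rto": "30 minutes",
     "rpo": "48 hours", "impact": "High"},
    {"cbf": "Web Server Accesses Database", "mao": "1 hour", "rto": "15 minutes",
     "rpo": "1 hour", "impact": "High"},
    {"cbf": "Nightly Reporting", "mao": "1 day", "rto": "2 days",
     "rpo": "1 day", "impact": "Critical"},
]
```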

4.2 Business Continuity

TIP: Read Chapter 13 prior to writing this section.

Main Concept – The BIA drives the Business Continuity Plan (or in this case, the Business Continuity
Section). The CBFs you identified are what needs to continue during a disruption.

Purpose

Tailor the first two sentences of p. 345.

Scope

State that your business continuity strategy addresses the following categories of disruption (use these):

o Internet Loss
o Power Loss
o Facility Damage

BCP Team – see page 353 & 357

ROLE | RESPONSIBILITIES
BCP Coordinator | 2 Sentences
EMT Lead | …
DAT Lead | …
TRT Lead | …

Call List

Name & Title | Contact Info

Strategy

For each disruption type, create a table like Table 13-1 in the book (p. 356).

Internet Disruption

Timeframe | Action
Immediate | Activate:
  • Call list
  • Assemble Team
First 24 Hours | Recovery
48 – 64 Hours | Reconstitution

Power Outage

Timeframe | Action
Immediate | Activate
First 24 Hours | Recovery
48 – 64 Hours | Reconstitution

Facility Damage

Timeframe | Action
Immediate | Activate:
  • Call list
  • Assemble Team
  • EMT ….
  • DAT …
First 24 Hours | Recovery
48 – 64 Hours | Reconstitution

4.3 Disaster Recovery

TIP: Read Chapter 13 prior to writing this section.

NOTE: A Disaster Recovery Plan (DRP) is a business continuity plan for disasters where employees
cannot work in their normal environment, and some or all of a business's servers, workstations, and
network infrastructure are not recoverable. Businesses often write DRPs as separate documents, but for
this project, you will take a more concise approach and make disaster recovery a section in your Risk
Management Plan. Below is a guide for creating your Disaster Recovery section:

Purpose

<Use the following verbatim if you like> This section provides a strategy for business continuity in the
event of a disaster. A disaster is defined, in this context, as any situation where our employees cannot
work in their normal environment, and some or all of our servers, workstations, and network
infrastructure are not recoverable. This section focuses only on the recovery of our primary core
business function (CBF1) and its related resources. This section also outlines the costs associated with
implementing this disaster recovery strategy. <end of what can be verbatim>

Recovery of <CBF 1> (write out the name of CBF 1)

Review “Alternate Locations” on pages 379-382 – this section discusses Hot Sites, Warm Sites, and Cold
Sites. Some suggestions for alternate locations include:

• Regional offices (if you have them)
• Leased office space (you can lease a much smaller space, provided that it can support your
hardware)
• Maybe employees can work at home, but an alternate site is still needed for the LAN.
• Sometimes you can share space with another business if you have a good relationship with them.

Should you use a Hot Site, Warm Site, or Cold Site? Hot sites are usually the right choice for CBF1, but
they are the most expensive option and may not be right for your business. Just pick the best type of
alternate location for your business.

<Use the following verbatim if you like>

To recover the services provided by CBF 1 <restate it – for example, “Customer Accesses Website”>, our
company will implement a <choose Hot Site, Warm Site, or Cold Site>.


This site will be implemented as follows: <end of what can be verbatim>

• Location: <In one paragraph, describe the type of facility you will use, where it is located, and
how far it is, in miles, from the normal location where CBF 1 is supported. NOTE: the alternate
location must be at least 30 miles from the normal location>.
• Strategy: For each sample resource you listed for CBF 1 (in section 4.1.1), explain how the
resource will be implemented at the alternate location. For example, let's say two resources at
the usual location are two computers, the Web Server and the Database Server. At the alternate
location, you could replicate the exact setup, or you could use just one computer that runs the
Web Server and the Database Server as virtual machines.
Write one paragraph for each resource.
• Cost: Estimate the cost it will take to implement each of your CBF resources at the alternate
facility, then provide a total.
o Cost to implement <resource 1>:
o Cost to implement <resource 2>:
o Total Cost:

5. SCHEDULE & CONCLUSION

Write one sentence stating that your Risk Management Plan will be reviewed and updated annually.
State how you will review it. For example, you will probably ask:

• Have your CBFs changed?
• Are there new risks?
• What adjustments will be made to accommodate growth?

This section will be about three paragraphs.

**** CONGRATULATIONS You have reached the end!! ****
