Unit V

Risk mitigation, which is part of the risk management plan, takes place once you have identified and analyzed your risks. Risk mitigation is identifying the strategies you are going to use to accept, avoid, share/reduce, or work around the identified and analyzed risks. Which of the seven domains do you think will be the easiest to identify, and which will be the hardest? Defend your answer. 


Course Textbook(s)

Gibson, D., & Igonor, A. (2022). Managing risk in information systems (3rd ed.). Jones & Bartlett Learning. https://online.vitalsource.com/#/books/9781284193633

SEC 4301, IS Disaster Recovery 1

Course Learning Outcomes for Unit V

Upon completion of this unit, students should be able to:

  1. Explain the business continuity procedures.
     1.1 Research the laws and regulations that impact the business continuity procedures.

  2. Develop an asset ranking report.
     2.1 Summarize the five business functions for the risk management scope.

  3. Analyze an impact assessment for organization threat analysis.
     3.1 Assess the control countermeasures to be implemented in the risk management planning phase.

Required Unit Resources

Chapter 10: Planning Risk Mitigation Throughout an Organization
Chapter 11: Turning a Risk Assessment into a Risk Mitigation Plan

Unit Lesson

Scope Management

Mitigating risk throughout the organization is paramount to the success of any business. The past few
lessons dissected the elements of threats, vulnerabilities, and exploits: how each is defined, implemented,
and identified within the seven domains, and in some areas outside those domains, such as physical
controls. The organization as a whole is driven by its business strategy, which encapsulates the business
operations and functions of the organization.

Controls and compliance requirements are two factors that must be planned for when mitigating risk across
the organization as a whole. Risk mitigation planning involves examining the risk management scope within
the five areas of the organization illustrated below in Figure 5.1.

    UNIT V STUDY GUIDE
    Risk Mitigation Strategies


    According to Gibson (2015), there are five areas in which risk management scope needs to be applied.

    Figure 5.1: Risk Management Scope

    (Gibson, 2015)

    • Critical business operations identify the critical operations pertaining to the business flow of the
    organization through the use of the business impact analysis (BIA) tool.

• Service delivery is a critical component, as it provides services to the organization's customers.
These services are documented in a service level agreement that specifies the services to be provided
and the maximum uptime and minimum downtime that is to be expected.

• Business systems, applications, and data access are mission items driven by the critical business
functions, which describe the functions of the organization, and the critical success factors, which
designate the elements needed to operate the business.

• The seven domains are the User Domain, Workstation Domain, LAN Domain, LAN-to-WAN Domain,
Remote Access Domain, WAN Domain, and the System/Applications Domain. The risk management
scope must be identified for each of these domains.

• Security gaps are those areas in which organizational assets have been identified as requiring certain
security controls that are critically needed for the operations of the business.

    Legalities

Organizations must remain in compliance and stay within the legal bounds of the business process to
effectively mitigate threats and vulnerabilities (Gibson, 2015). With the growth and maturity of the Internet,
many organizations conduct business and deliver services over the Internet as well as through brick-and-mortar
stores. This increasing demand has prompted Congress to set forth many laws and regulations to protect
the information held within the electronic paradigm.

    Some of the standard laws and compliances are illustrated in this interactive activity, but these are just the tip
    of the iceberg. View the Unit V Laws Presentation.

    https://online.columbiasouthern.edu/bbcswebdav/xid-141586271_1


The scope of the business or organization determines which laws and compliance requirements must be
met; in turn, this determines how organizational assets such as the seven domains are organized (Gibson,
2015). The applicable law or compliance requirement determines how the security controls should be
implemented within the business processes. Each of these laws and compliance requirements carries its own
consequences depending on how it is implemented: a wrong implementation would be disastrous, while a
correct installation of the security controls and compliance measures creates a healthy security environment
for the organization (Gibson, 2015).

    Risk Assessment Countermeasures

The risk assessment plan is a living document, meaning that the threats and vulnerabilities it records will
change over time. Therefore, the risks identified must be re-checked to see whether they are still valid or
need an additional assessment. When reviewing the risk assessment for the mitigation plan, countermeasures
need to be examined as shown in Figure 5.2.

    Figure 5.2: Countermeasures

    (Gibson, 2015)

As depicted in Figure 5.2, the in-place, planned, and approved countermeasure steps have two things in
common: first, each has had a risk assessment; second, all three have control countermeasures identified.
In-place countermeasures may need to be updated depending on the information gathered (Gibson, 2015).
Planned countermeasures should be checked upon implementation to see whether they are still needed or
need to be updated since the evaluation (Gibson, 2015). Approved countermeasures are those controls that
have been approved and are awaiting implementation into the system. These controls need to be closely
monitored, as additional requirements might surface when implementation begins (Gibson, 2015).

    Pre-Mitigation Plan

    Once the risk assessment countermeasures have been identified and approved, the risk mitigation plan can
    be developed. Areas that should be covered in the risk mitigation plan are outlined below.


    Figure 5.3: Pre-Mitigation Plan

    (Gibson, 2015)

An important factor in the pre-mitigation plan is prioritizing the risks. Figure 5.4 provides an example, taken
from Table 11-2 in Chapter 11 of your textbook, of a risk priority matrix.

Priority Risk Matrix: A Threat/Likelihood-Impact Matrix (Table 11-2)

Threat likelihood level             | Low Impact (10) | Medium Impact (50) | High Impact (100)
------------------------------------|-----------------|--------------------|------------------
High threat likelihood 100% (1.0)   | 10 x 1 = 10     | 50 x 1 = 50        | 100 x 1 = 100
Medium threat likelihood 50% (.50)  | 10 x .5 = 5     | 50 x .5 = 25       | 100 x .5 = 50
Low threat likelihood 10% (.10)     | 10 x .1 = 1     | 50 x .1 = 5        | 100 x .1 = 10

Figure 5.4

    Summary

In summary, the scope must be identified within the risk assessment, along with the required controls and
compliance requirements dictated by the strategy and the type of business the organization serves. The
countermeasures must be monitored closely to determine whether they are still needed or should be
upgraded to meet compliance requirements. The identification of threats and the likelihood of impacts should
be closely scrutinized when prioritizing risks during pre-mitigation plan development. As mentioned before,
the risk assessment plan is a living document and will change often. The same is true of the risk mitigation
plan, whose controls and countermeasures need to be adjusted based on the threats and vulnerabilities
encountered with the assets.

Reference

Gibson, D. (2015). Managing risk in information systems (2nd ed.). Jones and Bartlett Learning.
https://online.vitalsource.com/#/books/9781284107753

Suggested Unit Resources

In order to access the following resources, click the links below.

    The following presentations will summarize and reinforce the information from Chapters 10 and 11 in your
    textbook.

    Chapter 10 PowerPoint Presentation
    PDF Version of Chapter 10 PowerPoint Presentation

    Chapter 11 PowerPoint Presentation
    PDF Version of Chapter 11 PowerPoint Presentation

Learning Activities (Nongraded)

Nongraded Learning Activities are provided to aid students in their course of study. You do not have to submit
them. If you have questions, contact your instructor for further guidance and information.

    The following learning activities provide additional information that will assist you with the mastery of the
    learning objectives for this unit.

    Go to the CSU Online Library, and use the Discovery Search feature.

    Utilize the Discovery Search feature in the CSU Online Library, and type in the following phrases: “HIPAA,
    FISMA, FERPA, security controls, control countermeasures, risk assessment plan, risk mitigation plan.”
    Select and read two articles. Use the criteria of peer-reviewed article (scholarly) and less than 5 years old.
    Here is a link straight to the CSU Online Library Discovery Search.

    The internet can provide you with a wealth of information concerning the topics in this unit. For example, the
    following video is from CSU Films on Demand database and provides additional information about mitigation
    and evaluation of risks.

CNBC LLC (Producer). (2010). Risk assessment and mitigation (Segment 9 of 15) [Video]. In The future of
technology: Meeting of the minds. Films on Demand.
https://libraryresources.columbiasouthern.edu/login?auth=CAS&url=http://fod.infobase.com/PortalPlaylists.aspx?wID=273866&xtid=47314&loid=139465

    The transcript for this video can be found by clicking the “Transcript” tab to the right of the video in the Films
    on Demand database.

    Check Your Knowledge

    These questions will help you assess whether or not you have mastered the unit content. Can you answer
    them without looking in the textbook?

    • Answer the Chapter 10 Assessment questions at the end of Chapter 10 in your textbook. After you
    have answered the questions, you can find out how well you did by viewing the Chapter 10 Answer
    Key.

    • Answer the Chapter 11 Assessment questions at the end of Chapter 11 in your textbook. After you
    have answered the questions, you can find out how well you did by viewing the Chapter 11 Answer
    Key.

    Word Search

    Some of this unit’s key terms and phrases (written as one word) have been hidden in the word search puzzle.
    Access the Unit V Word Search puzzle, and see if you can find them.
