Published by Enhelion, 2019-11-17 06:55:16

Module 2

MODULE 2 - RISK PLANNING

Risk Evaluation (Is this a risk we can accept?)
• Risk levels are compared against the organisation's risk acceptance criteria

LIKELIHOOD Assessment Evaluation Criteria

Rating  Likelihood    Evaluation criteria
1       Very likely   It is very possible that a security event will occur.
2       Likely        There is a significant probability that a security event will occur, and a lot of historical evidence backs this.
3       Probable      A security event may occur at some time, and some historical evidence backs this.
4       Unlikely      The occurrence of a security event is not anticipated, but it remains slightly probable.
5       Rare          The security event is not projected to occur, but certain circumstances could cause it to happen.

PRIORITY Assessment Criteria for Evaluation

Rating  Priority      Evaluation criteria
1-2     Severe        Immediate action is mandatory to address the risk.
3-4     High          Immediate action is mandatory to address the risk.
5-7     Significant   Mitigation and monitoring of the risk should be carried out proactively.
8-14    Moderate      Mitigation and monitoring of the risk should be carried out proactively.
15-19   Low           These risks do not pose a grave threat to the organization but should be monitored.
20-25   Trivial       These risks do not pose a grave threat to the organization but should be monitored.

Purpose of the Risk Management Plan

Risk Management is the process of identifying, assessing, responding to, monitoring and reporting risks. The Risk Management Plan defines how risks are identified, analysed and managed. It outlines how risk management activities will be performed, recorded and monitored during the course of a project, and it provides the practices and templates for recording and prioritising risks. The project manager creates the Risk Management Plan, and it is monitored and updated continuously throughout the project.

Assets                 Threats                        Vulnerabilities                                   Risks
Electronic Document    Unauthorised access            Misconfigured access control                      Potential loss of Confidentiality, Integrity and Availability.
Electronic Document    Disk failure                   There is no backup                                Potential loss of Availability.
Electronic Document    Virus                          Antivirus programme is missing or misconfigured   Potential loss of Confidentiality, Integrity and Availability.
Paper Document         Fire                           Document not stored in fireproof cabinet          Loss of availability of information.
Paper Document         Fire                           No backup of the document                         Potential loss of Availability.
System administrator   Unavailability of the person   No one to replace                                 Potential loss of Availability.
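The evaluation step above (scoring a risk, banding it with the PRIORITY table and comparing it against acceptance criteria), carried through over the asset/threat/vulnerability register as an added Python example that is not part of the Enhelion module. It assumes a 1-5 impact scale (1 = most severe) and a score of likelihood × impact, which is what yields the module's 1-25 range; the numeric ratings in the register and the acceptance threshold are constructed for illustration.

```python
from dataclasses import dataclass

# Likelihood ratings from the module (1 = Very likely ... 5 = Rare).
LIKELIHOOD = {1: "Very likely", 2: "Likely", 3: "Probable", 4: "Unlikely", 5: "Rare"}

# Priority bands from the module's table: (lowest score, highest score, priority).
PRIORITY_BANDS = [
    (1, 2, "Severe"), (3, 4, "High"), (5, 7, "Significant"),
    (8, 14, "Moderate"), (15, 19, "Low"), (20, 25, "Trivial"),
]

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1..5, per the module's scale
    impact: int      # ASSUMPTION: 1 = most severe ... 5 = negligible

def priority_score(likelihood: int, impact: int) -> int:
    """ASSUMPTION: score = likelihood x impact, which gives the module's 1-25 range."""
    if likelihood not in LIKELIHOOD or impact not in range(1, 6):
        raise ValueError("ratings must be integers from 1 to 5")
    return likelihood * impact

def priority_label(score: int) -> str:
    """Map a 1-25 score onto the module's priority bands."""
    for low, high, label in PRIORITY_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside 1-25")

def evaluate(register, acceptance_threshold: int):
    """Rank risks most urgent first and mark each against the acceptance criteria.
    ASSUMPTION: a risk is acceptable when its score is above the threshold,
    because higher scores mean lower priority on this scale."""
    rows = []
    for r in register:
        score = priority_score(r.likelihood, r.impact)
        rows.append((score, priority_label(score), score > acceptance_threshold, r))
    return sorted(rows, key=lambda row: row[0])

# Constructed register drawn from the module's asset/threat/vulnerability table;
# the numeric ratings are illustrative, not from the module.
REGISTER = [
    Risk("Electronic document", "Unauthorised access", "Misconfigured access control", 2, 1),
    Risk("Electronic document", "Disk failure", "No backup", 3, 2),
    Risk("Paper document", "Fire", "Not stored in fireproof cabinet", 4, 3),
    Risk("System administrator", "Unavailability of the person", "No one to replace", 3, 5),
]
```

With an acceptance threshold of 14, `evaluate(REGISTER, 14)` ranks the unauthorised-access risk first (score 2, Severe) and marks only the administrator-unavailability risk (score 15, Low) as acceptable; everything else needs a treatment from the Risk Planning tactics.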

Asset Classification

• According to criticality and value to the organization
• Can be broken into Public, Confidential and Strictly confidential:

o Public – publications, press releases, switchboard contact number, etc.
o Confidential – personally identifiable data, employee contact details, non-disclosure agreements, etc.
o Strictly confidential – financial records, bank details, disciplinary records, medical records, students' transcripts, etc.

Risk Planning

To make sure that no risk is missed or goes unnoticed, each major risk is allocated to a member of the project team so that they can monitor it closely.

Any of the tactics below can be employed to address a risk:

• Mitigate – find ways to reduce the likelihood of the risk occurring or to decrease its impact.

• Transfer – make someone else, such as an insurance company, accountable for a particular risk.

• Avoid – remove the cause of the risk, and with it the threat.
• Accept – the organisation does nothing and simply accepts the risk.

For each risk that the team plans to mitigate, the project team uses methods to prevent the risk from occurring or to reduce its likelihood or its impact. Some ways to do this are:

• Adding new tasks to the project schedule
• Prototyping
• Adding resources
