VIBRANTBOOTCAMP.CO.UK: Vibrant Microsoft Notes
Your organization should now have completed the Assessing Risk phase and developed a prioritized list of risks to its most valuable assets. Now you must address the most significant risks by determining appropriate actions to mitigate them. This phase is known as Conducting Decision Support.

During the previous phase, the Security Risk Management Team identified assets, threats to those assets, vulnerabilities that those threats could exploit to potentially impact assets, and the controls already established to help protect the assets. The Security Risk Management Team then created a prioritized list of risks.

The decision support process includes a formal cost-benefit analysis with defined roles and responsibilities across organizational boundaries. The cost-benefit analysis provides a consistent, comprehensive structure for identifying, scoping, and selecting the most effective and cost-efficient mitigation solution to reduce risk to an acceptable level. Similar to the risk assessment process, the cost-benefit analysis requires strict role definitions in order to operate effectively. Also, before conducting the cost-benefit analysis, the Security Risk Management Team must ensure that all stakeholders, including the Executive Sponsor, have acknowledged and agreed to the process.

During the Conducting Decision Support phase, the Security Risk Management Team must determine how to address the key risks in the most effective and cost-efficient manner. The end result will be clear plans to control, accept, transfer, or avoid each of the top risks identified in the risk assessment process. The six steps of the Conducting Decision Support phase are:
When comparing the value of a particular control to that of another, there are no simple formulas. The process can be challenging for a variety of reasons. For example, some controls impact multiple assets. The Security Risk Management Team must agree on how to compare the values of controls that impact different combinations of assets. Additionally, there are costs associated with controls that extend beyond the implementation of those controls. Related questions to consider include:
The remainder of this chapter will discuss answers to these questions. You will attain success during the decision support process if you follow a clear path and if participants understand their respective roles at each step.

The following diagram illustrates how the Security Risk Management Team conducts the decision support process. Mitigation Owners are responsible for proposing controls that will lessen the risk and then determining the cost of each control. For each proposed control, the Security Risk Management Team estimates the degree of risk reduction that the control can be expected to provide. With these pieces of information, the team can then conduct an effective cost-benefit analysis for the control to determine whether to recommend it for implementation. The Security Steering Committee then decides which controls will be implemented.