3 Mitigation Strategies
All organizations should prepare for emergency situations. Part of this preparation process is a review of what is already in place, what needs to be put in place, who needs to be contacted when something happens, what they should do when contacted, and so on. Many organizations have a wide range of existing procedures for dealing with various types of unusual situations. These procedures may have been developed in response to a legal or regulatory requirement. This section reviews what are considered the most pertinent procedures for mitigating a disaster situation; it is by no means an exhaustive list. The BCP should contain a brief summary of each of these procedures, including the issues that are relevant when handling an emergency or disaster situation. Risk mitigation is a systematic methodology used by senior management to reduce mission risk, and it can be achieved through any of the following risk mitigation options:
Risk Assumption. This is accepting the potential risk and either continuing to operate the IT system or implementing controls to lower the risk to an acceptable level. Even if your procedures are aligned to your risk assumptions, if your plans are based on the previously available amount of required resources, it is more than likely that these requirements have increased. For example, renewal may not be an option for contracts at alternative sites that are effective for only a two-month period. After September 11, 2001, many businesses that recovered operations at commercial “hot sites” found their subscribed resources were insufficient for their actual needs.
Risk Avoidance. This is making an informed decision not to become involved in, or otherwise to avoid, a risk situation by eliminating the risk cause and/or consequence. For example, you could forgo certain functions of the system, or shut down the system when risks are suspected or known.
Risk Limitation. This is the selective application of appropriate techniques and management principles to reduce the likelihood of an occurrence, its consequences, or both, limiting the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability. For example, use supporting, preventive, and detective controls as part of a business continuity plan or emergency response plans.
Risk Planning. This is the management of risk through the development of a risk mitigation plan that prioritizes, implements, and maintains controls. Uncertainty in life is a certainty. Our lives are in a constant state of flux: family relations change, government constantly enacts new and often conflicting laws, and our financial situation is in a constant state of change. Notwithstanding the constant state of change we live in, we all plan for the future. In planning for the unexpected, five criteria are generally considered:
1. Determine what unexpected events might occur. Many events are reasonably foreseeable, such as the death of a loved one, divorce, changes in the economy, financial reversal, and so forth.
2. Determine what “unexpected” events are likely to occur. For example, if you are a stockbroker, syndicator, real estate developer, investment banker, physician, accountant, or attorney, there is a substantial likelihood that you will be named in a lawsuit. More than half of all marriages end in divorce (the other half end in the death of one of the parties).
3. Analyze the impact that unexpected events could have on your tentative plans. For example, a savings and loan, into which you put all of your money, may go broke; you can determine the effect on your plans and make contingencies (e.g., don’t put more money in one financial institution than can be federally insured).
4. In advance, plan alternatives in case an unexpected event occurs. This is also referred to as “don’t put all your eggs in one basket.”