As NIST Special Publication 800-30 states, Risk Planning manages risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls. Because humans are the weakest link in the CIA triad and humans need access to the data, controls must be put in place. However, it is imperative that the organization's functional use of its data (accessibility, integrity, and confidentiality) not be impacted in a negative manner when risk is being addressed. In a Risk Management Plan, consider Organizational Risks, Technical Risks, and Resource Risks.
Organizational Risks to consider are the personnel's environment and procedures. Open employee communication does not harm the CIA triad, yet it mitigates Organizational Risk. A Technical Risk is anything that can threaten the organization's Information Technology infrastructure and the CIA triad. Risk assessment includes understanding the network topology in order to identify threats, analyzing user information and access for least-privilege controls, identifying system missions and architecture, and applying safeguards based on the information gathered. Resource Risk concerns any entity necessary to the organization, such as personnel, equipment, or facilities. Humans are the critical factor that can both keep the CIA triad safe and bring it to a detrimental downfall.