Lab 2 Coursework

Week 2 Laboratory

Perform a Qualitative Risk Assessment for an IT Infrastructure

Learning Objectives and Outcomes
Upon completing this lab, students will be able to:
• Define the purpose and objectives of an IT risk assessment
• Align identified risks, threats, and vulnerabilities to an IT risk assessment that encompasses the seven domains of a typical IT infrastructure
• Classify identified risks, threats, and vulnerabilities according to a qualitative risk assessment template
• Prioritize classified risks, threats, and vulnerabilities according to the defined qualitative risk assessment scale
• Craft an executive summary that addresses the risk assessment findings, risk assessment impact, and recommendations to remediate areas of non-compliance

Lab #4: Assessment Worksheet

Perform a Qualitative Risk Assessment for an IT Infrastructure

Overview

The following risks, threats, and vulnerabilities were found in an IT infrastructure. Consider the scenario of a Healthcare provider under HIPPA compliance law and what compliance to HIPPA involves.

1. Given the list below, perform a qualitative risk assessment:
Determine which typical IT domain is impacted by each risk/threat/vulnerability in the “Primary Domain Impacted” column.

Risk – Threat – Vulnerability Primary Domain Impacted Risk Impact/Factor

Unauthorized access from pubic Internet

User destroys data in application and deletes
all files

Hacker penetrates your IT infrastructure
and gains access to your internal network

Intra-office employee romance gone bad

Fire destroys primary data center

Service provider SLA is not achieved

Workstation OS has a known software
vulnerability

Unauthorized access to organization owned
workstations

Risk – Threat – Vulnerability Primary Domain Impacted Risk Impact/Factor

Loss of production data

Denial of service attack on organization
DMZ and e-mail server

Remote communications from home office
LAN server OS has a known software
vulnerability

User downloads and clicks on an unknown
unknown e-mail attachment

Workstation browser has software vulnerability

Mobile employee needs secure browser access
to sales order entry system

Service provider has a major network outage

Weak ingress/egress traffic filtering
degrades performance

User inserts CDs and USB hard drives
with personal photos, music, and videos on
organization owned computers

VPN tunneling between remote computer
and ingress/egress router is needed

WLAN access points are needed for LAN
connectivity within a warehouse

Need to prevent eavesdropping on WLAN
due to customer privacy data access

DoS/DDoS attack from the WAN/Internet

2. Next, for each of the identified risks, threats, and vulnerabilities, prioritize them by listing a “1”, “2”, and “3” next to each risk, threat, vulnerability in the “Risk Impact/Factor” column. “1” = Critical, “2” = Major, “3” = Minor. Use the following qualitative risk impact/risk factor metrics:
“1” Critical – a risk, threat, or vulnerability that impacts compliance (i.e., privacy law requirement for securing privacy data and implementing proper security controls, etc.) and places the organization in a position of increased liability
“2” Major – a risk, threat, or vulnerability that impacts the C-I-A of an organization’s intellectual property assets and IT infrastructure
“3”Minor – a risk, threat, or vulnerability that can impact user or employee productivity or availability of the IT infrastructure

3. Craft an executive summary for management using the following 4-paragraph format. The executive summary must address the following topics:
• Purpose of the risk assessment & summary of risks, threats, and vulnerabilities found throughout the IT infrastructure
• Prioritization of critical, major, minor risk assessment elements
• Risk assessment and risk impact summary
• Recommendations and next steps

Week 2 Lab: Assessment Worksheet

Perform a Qualitative Risk Assessment for an IT Infrastructure

Overview

Answer the following Assessment Worksheet questions pertaining to your qualitative IT risk assessment you performed.

Lab Assessment Questions & Answers

1. What is the goal or objective of an IT risk assessment?

2. Why is it difficult to conduct a qualitative risk assessment for an IT infrastructure?

3. What was your rationale in assigning “1” risk impact/ risk factor value of “Critical” for an identified risk, threat, or vulnerability?

4. When you assembled all of the “1” and “2” and “3” risk impact/risk factor values to the identified risks, threats, and vulnerabilities, how did you prioritize the “1”, “2”, and “3” risk elements? What would you say to executive management in regards to your final recommended prioritization?