3. Using your favorite search engine,
search for information on the purpose of IT risk assessment.
4. In your Lab Report file, describe the purpose of IT risk assessment.
5. Review the following table for the risks, threats, and vulnerabilities found in a health care IT infrastructure servicing patients with life-threatening conditions:
Risks, Threats, and Vulnerabilities
Primary Domain Impacted
Risk Impact/ Factor
Unauthorized access from public Internet
User destroys data in application and deletes all files
Hacker penetrates your IT infrastructure and gains access to your internal network
Intraoffice employee romance gone bad
Fire destroys primary data center
Service provider service level agreement (SLA) is not achieved
Workstation operating system (OS) has a known software vulnerability
Unauthorized access to organization-owned workstations
Loss of production data
Denial of service attack on organization Demilitarized Zone (DMZ) and e-mail server
Remote communications from home office
Local Area Network (LAN) server OS has a known software vulnerability
User downloads and clicks on an unknown e-mail attachment
Workstation browser has a software vulnerability
Mobile employee needs secure browser access to sales-order entry system
Service provider has a major network outage
Weak ingress/egress traffic-filtering degrades performance
User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers
Virtual Private Network (VPN) tunneling between remote computer and ingress/egress router is needed
Wireless Local Area Network (WLAN) access points are needed for LAN connectivity within a warehouse
Need to prevent eavesdropping on WLAN
due to customer privacy data access
Denial of service (DoS)/distributed denial of service (DDoS) attack from the Wide Area Network (WAN)/Internet
6. Review the seven domains of a typical IT infrastructure.
7. In your Lab Report file, using the table from step 5, identify in the table’s Primary Domain Impacted column which of the seven domains of a typical IT infrastructure will be most impacted by each risk, threat, or vulnerability listed.
8. In your Lab Report file, using the table from step 6, perform a qualitative risk assessment by assigning a risk impact/risk factor to each of the identified risks, threats, and vulnerabilities throughout the seven domains of a typical IT infrastructure where the risk, threat, or vulnerability resides. Assign each risk, threat, and vulnerability a priority number in the table’s Risk Impact/Factor column, where:
· “1” is Critical: A risk, threat, or vulnerability that impacts compliance (that is, privacy law requirement for securing privacy data and implementing proper security controls, and so on) and places the organization in a position of increased liability.
· “2” is Major: A risk, threat, or vulnerability that impacts the confidentiality, integrity, and availability (C-I-A) of an organization’s intellectual property assets and IT infrastructure.
· “3” is Minor: A risk, threat, or vulnerability that can impact user or employee productivity or availability of the IT infrastructure.
9. In your Lab Report file, write a four-paragraph executive summary according to the following outline:
· Paragraph #1: Summary of findings (risks, threats, and vulnerabilities found throughout the seven domains of a typical IT infrastructure).
· Paragraph #2: Approach and prioritization of critical, major, and minor risk assessment elements.
· Paragraph #3: Risk assessment and risk impact summary of the seven domains of a typical IT infrastructure.
· Paragraph #4: Recommendations and next steps for executive management.
27
Introduction
Risk management begins with first identifying risks, threats, and vulnerabilities to then assess
them. Assessing risks means to evaluate risk in terms of two factors. First, evaluate each risk’s
likelihood of occurring. Second, evaluate the impact or consequences should the risk occur. Both
likelihood and impact are important for understanding how each risk measures up to other risks.
How the risks compare with one other is important when deciding which risk or risks take
priority. In short, assessing is a critical step toward the goal of mitigation.
Assessing risks can be done in one of two ways: quantitatively or qualitatively. Quantitatively
means to assign numerical values or some objective, empirical value. For example, “Less than
$1,000 to repair” or “Biweekly.” Qualitatively means to assign wording or some quasi-subjective
value. For example, a risk could be labeled critical, major, or minor.
In this lab, you will define the purpose of an IT risk assessment, you will align identified risks,
threats, and vulnerabilities to an IT risk assessment that encompasses the seven domains of a
typical IT infrastructure, you will classify the risks, threats, and vulnerabilities, and you will
prioritize them. Finally, you will write an executive summary that addresses the risk assessment
findings, risk assessment
impact, and recommendations to remediate areas of noncompliance.
Learning Objectives
Upon completing this lab, you will be able to:
Define the purpose and objectives of an IT risk assessment.
Align identified risks, threats, and vulnerabilities to an IT risk assessment that encompasses
the seven domains of a typical IT infrastructure.
Classify identified risks, threats, and vulnerabilities according to a qualitative risk assessment
template.
Prioritize classified risks, threats, and vulnerabilities according to the defined qualitative risk
assessment scale.
Craft an executive summary that addresses the risk assessment findings, risk assessment
impact, and recommendations to remediate areas of noncompliance.
Lab #4 Performing a Qualitative Risk Assessment for
an IT Infrastructure
28 | LAB #4 Performing a Qualitative Risk Assessment for an IT Infrastructure
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. Lab Report file;
2. Lab Assessments file.
29
Copyright © 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com Student Lab Manual
Hands-On Steps
Note:
This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to Microsoft®
Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing
application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab
deliverable files.
1. On your local computer, create the lab deliverable files.
2. Review the Lab Assessment Worksheet. You will find answers to these questions as you
proceed through the lab steps.
3. On your local computer, open a new Internet browser window.
4. Using your favorite search engine, search for information on the purpose of IT risk
assessment.
5. In your Lab Report file, describe the purpose of IT risk assessment.
6. Review the following table for the risks, threats, and vulnerabilities found in a health care
IT infrastructure servicing patients with life-threatening conditions:
Risks, Threats, and Vulnerabilities Primary Domain
Impacted
Risk Impact/
Factor
Unauthorized access from public Internet
User destroys data in application and
deletes all files
Hacker penetrates your IT
infrastructure
and gains access to your internal network
Intraoffice employee romance gone bad
Fire destroys primary data center
Service provider service level agreement
(SLA) is not achieved
Workstation operating system (OS) has a
known software vulnerability
Unauthorized access to organization-
owned workstations
Loss of production data
Denial of service attack on organization
Demilitarized Zone (DMZ) and e-mail
server
Remote communications from home office
Local Area Network (LAN) server OS has a
30 | LAB #4 Performing a Qualitative Risk Assessment for an IT Infrastructure
known software vulnerability
User downloads and clicks on an unknown
e-mail attachment
Workstation browser has a software
vulnerability
Mobile employee needs secure browser
access to sales-order entry system
Service provider has a major network
outage
Weak ingress/egress traffic-filtering
degrades performance
User inserts CDs and USB hard drives with
personal photos, music, and videos on
organization-owned computers
Virtual Private Network (VPN) tunneling
between remote computer and
ingress/egress router is needed
Wireless Local Area Network (WLAN)
access points are needed for LAN
connectivity within a warehouse
Need to prevent eavesdropping on WLAN
due to customer privacy data access
Denial of service (DoS)/distributed denial of
service (DDoS) attack from the Wide Area
Network (WAN)/Internet
7. Review the seven domains of a typical IT infrastructure (see Figure 1).
Figure 1 Seven domains of a typical IT infrastructure
8. In your Lab Report file, using the table from step 6, identify in the table’s Primary
Domain Impacted column which of the seven domains of a typical IT infrastructure will
be most impacted by each risk, threat, or vulnerability listed.
31
Copyright © 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com Student Lab Manual
Qualitative Versus Quantitative
The next step requests that you assign a score to each of the risks in the table from step 6. The scoring is done
qualitatively, by assigning one of several labels on a scale. In this case, the scale is provided for you, ranging from
Critical to Minor.
Using qualitative scores to assess risks is comparatively easy and quick. The alternative is to assess quantitatively,
using actual, numerical scores. Using qualitative words such as “critical” or “major” introduces subjective opinion,
while citing numbers such as “Damage to be more than $3 million” or “Will cause an outage of under four hours”
introduces quantitative objectivity.
Quantitative scoring is more objective, but calculating risk assessment this way can take much more time. This is
because it requires you to dig up hard facts. For instance, you can conduct quantitative scoring by referring to your
organization’s history or claims records by answering such questions as “How often has this happened to us, or
others?” You can also assess risks numerically by researching the costs to recover from losses.
It is possible to assess risks both quantitatively and qualitatively. For example, you could quantitatively score the
likelihood and consequences of each risk, for example, “under 10% chance” and “ ‘X’ number of staff lives harmed or
lost.” But you could present the final score qualitatively, for example, “critical” or “needs to be addressed
immediately.”
9. In your Lab Report file, using the table from step 6, perform a qualitative risk assessment
by assigning a risk impact/risk factor to each of the identified risks, threats, and
vulnerabilities throughout the seven domains of a typical IT infrastructure where the risk,
threat, or vulnerability resides. Assign each risk, threat, and vulnerability a priority
number in the table’s Risk Impact/Factor column, where:
“1” is Critical: A risk, threat, or vulnerability that impacts compliance (that is, privacy
law requirement for securing privacy data and implementing proper security controls,
and so on) and places the organization in a position of increased liability
“2” is Major: A risk, threat, or vulnerability that impacts the confidentiality, integrity,
and availability (C-I-A) of an organization’s intellectual property assets and IT
infrastructure
“3” is Minor: A risk, threat, or vulnerability that can impact user or employee
productivity or availability of the IT infrastructure
Note:
Keep the following in mind when working on the next step: When suggesting next steps to executive management,
consider your recommendations from their point of view. Be prepared to explain costs, both in implementing the
controls and then in maintaining the controls.
Remember that costs come in many forms, not least of which is labor. Be sure accountability is thought out in
terms of roles and responsibilities. Other potential costs outside the data center include goodwill or reputation,
market share, and lost opportunity. Executive management might have these costs topmost in mind.
32 | LAB #4 Performing a Qualitative Risk Assessment for an IT Infrastructure
10. In your Lab Report file, write a four-paragraph executive summary according to the
following outline:
Paragraph #1: Summary of findings (risks, threats, and vulnerabilities found
throughout the seven domains of a typical IT infrastructure)
Paragraph #2: Approach and prioritization of critical, major, and minor risk
assessment elements
Paragraph #3: Risk assessment and risk impact summary of the seven domains of a
typical IT infrastructure
Paragraph #4: Recommendations and next steps for executive management
Note:
This completes the lab. Close the Web browser, if you have not already done so.
33
Copyright © 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com Student Lab Manual
Evaluation Criteria and Rubrics
The following are the evaluation criteria for this lab that students must perform:
1. Define the purpose and objectives of an IT risk assessment. – [20%]
2. Align identified risks, threats, and vulnerabilities to an IT risk assessment that
encompasses the seven domains of a typical IT infrastructure. – [20%]
3. Classify identified risks, threats, and vulnerabilities according to a qualitative risk
assessment template. – [20%]
4. Prioritize classified risks, threats, and vulnerabilities according to the defined qualitative
risk assessment scale. – [20%]
5. Craft an executive summary that addresses the risk assessment findings, risk assessment
impact, and recommendations to remediate areas of noncompliance. – [20%]
Info
Security & Risk Management ISOL 5
3
3-05
Describe the purpose of IT Risk Assessment
Risk Assessment is the regular process of assessing the possible risks that may be included in a proposed activity or task. Risk assessment is the description of hazards that could negatively affect an organization’s capacity to handle business. These evaluations help recognize these basic business risks and implement standards, methods, and directions to reduce the influence of these risks to business plans. The reason for IT risk evaluation is to help IT experts distinguish any occasions that could adversely influence their organization. Efficient risk assessment provides forward-looking guidance not only to help a company escape risk but also to provide more concrete risk information and how to cope with it (Spinner, M.
2
0
1
8). Risk assessment in IT is defined as the evaluation of risks, threats, and vulnerabilities in an IT infrastructure. It helps in significant the impact of risk. Qualitative and Quantitative analysis of risk is done in this step.
The risk management method aims at evaluating risks, and moving the danger or raising the risk level by combining control measures when appropriate. This is used to identify and evaluate hazards dependent on a challenges and weaknesses to properties inquiry. Risks are quantified according to their effectiveness or the extent of their effect.
Maintaining the IT infrastructure requires the details or knowledge being collected, interpreted and distributed. Having appropriate plans for a balanced IT program and efficiently aiding with managing IT processes. Prioritizing and splitting the hazards, dangers and weaknesses into the main, small, and vital, depending on their effects. Understanding the gaps or voids of an IT system. After assessment, adequate reviews and correct protection measures are enforced.
Using the Table, Identify in the table’s Primary Domain impacted column which of the seven domains of a typical IT infrastructure and also identify a risk impact/risk factor will be most impacted by each risk, threat, or vulnerability listed.
Risks, Threats, and Vulnerabilities
Primary Domain
Impacted
Risk
Factor
Unauthorized access from public internet
Remote access domain
User destroys data in application and deletes all files
System/Application Domain
Hacker penetrates IT infrastructure and gains access to your internal network
LAN-to-
WAN
Domain
1
Intraoffice romance
gone bad
User Domain
3
Fire destroys primary data center
System/Application Domain
1
Service provider service level agreement is not achieved
3
Workstation Operating System (OS) has known software vulnerability
Workstation Domain
Unauthorized access to organization-owned workstations
1
Loss of production data
System/Application Domain
2
DOS attack on organization’s Demilitarized Zone and email server
LAN-to-
WAN Domain
1
Remote communication from home office
Remote Access Domain
2
LAN server OS has a known software vulnerability
LAN Domain
2
User downloads and clicks on an unknown email attachment
1
Workstation browser has a software vulnerability
Workstation Domain
3
Mobile employee needs secure browser access to sales-order system
3
Service provider has major network outage
2
Weak ingress/egress traffic-filtering degrades performance
3
User inserts CDS and USB hard drives with personal photos, music, and videos on organization owned computers
User Domain
2
Virtual Private Network tunneling between remote computer and ingress/egress router is needed
LAN -to-WAN Domain
2
Wireless Local Area Network access points are needed for LAN connectivity within a warehouse
3
Need to prevent eavesdropping on WLAN due to customer privacy data access
LAN Domain
1
Denial of Service (DOS) attack/distributed denial of service attack from Wide area network (WAN)/Internet
WAN Domain
1
Write a four –paragraph executive summary accordingly
Summary of finding Risks, Threats and Vulnerabilities:
The department discovers risks, threats, and vulnerabilities or organization conducted peculiar project analysis. Evaluation is granted to the framework at different levels. All applications are put into the total including the security protocol devices, and the new work has been performed in different IT application domains. There are very substantial risks to network vulnerabilities and challenges such as a business shift or revenues, previously identified as illicit hacks within the framework. In this step, possible threat or danger will be defined the next benefit in mitigation strategies management.
Approach of Critical, Major, Minor Risk Assessment Plan:
Detecting the hazards, challenges, and weaknesses, the second step is to formulate contingency strategies and specific measures in order to achieve the least danger impact in an IT system. Around the same moment, the danger level is always measured, and the probability of its presence is determined. Depending by recognizing the likelihood of hazard in the early phases, the prevention measures are set forward to mitigate the effect as far as possible.
Critical “1” risks, threats, and vulnerabilities identified throughout the IT infrastructure
Unauthorized access from public Internet
Hacker penetrates your IT infrastructure
Denial of service attack on organization Demilitarized Zone (DMZ) and e-mail server
Unauthorized access to organization owned Workstations
Short-term remediation steps for critical “1” risks, threats, and vulnerabilities
1. Unauthorized access from public Internet – Apply two level securities. Change your passwords frequently, Configure secure Web permissions, Lock down files and folders with restricted NTFS permissions
2. Hacker penetrates your IT infrastructure – Block the traffic away from malicious soft wares. Apply strict security monitoring. also create DMZ and apply IDS appliances also try using proxy servers Use the firewall to its fullest capability and block specific ports that are at risks.
Long-term remediation steps for major “2” and minor “3” risks, threats, and vulnerabilities
Loss of production data – Major 2
1. Try creating backup at different locations, Ensure up to date backup of data
2. Run archiving jobs on prod servers, Restrict downloads
3. Ban use of unencrypted devices
4. Make sure data transfer is done securely
5. Automate security & Introduce security training
6. Monitor data leakage
7. Define data accessibility
Risk Assessment on Seven Domains on IT Infrastructure:
User Domain- Risk can impact the User Domain through personnel if they are not practicing security standards. For instance, plugging a random USB drive-in is an excellent example of risk in the user domain.
Workstation Domain- It is nothing but a user’s computer. It will be at risk if anti-virus protection not kept up to date with recent patches. For instance, if data not backed up, it results in data loss.
LAN Domain- An ordinary risk of the LAN Domain is that the LAN server’s OS could have a software vulnerability. For instance, it would be the software having a bug, or coding error, that would have the OS make an unwanted action.
LAN-to-WAN Domain- WAN is not under the control of the organization/company and is more at risk of attacks. Hackers look for these vulnerabilities in connections.
WAN Domain- This domain is not under organization/company control. The main risk in the WAN Domain is that a server could be attacked via DDOS or other methods.
Remote Access Domain- Remote access will allow the user to work remotely since the Internet is mostly intrusted and has to know attackers; remote access represents a risk. The main threats are attackers can steal your credentials while you are trying your identity.
System/Application Domain- The System/Application domain has risks different from the other areas. Examples of threats in the System/Application Domain would be a fire could destroy data, and a Denial of Service attack could damage a company’s email.
Recommendations and next steps:
For each vulnerability, the risk analysis of an IT asset includes identifying the risks and remunerating regulators to concentrate on the likelihood of abusing the difference. The potential influence can be misused to helplessness. Putting the likelihood and failure factor identification into account. Risk is equal to both the possibility and the possible effect of abuse. The threat thresholds identified and related were used to work on measures to minimize the danger.
Creating a Goal and executing it leads you to a specific success with one phase by phase action. A planning initiative constitutes the next most critical step in implementing management goals. It requires step-by – step analysis to all the duties to be done. Good contact is one of the most effective techniques which are widely used.
References
Spinner, M., & Spinner, M. (1992). elements of Project Management: Plan, schedule, and control. Prentice Hall.
The Purpose of IT Risk Assessment. (n.d.). Retrieved from
https://www.solarwindsmsp.com/content/purpose-of-risk-assessment
We provide professional writing services to help you score straight A’s by submitting custom written assignments that mirror your guidelines.
Get result-oriented writing and never worry about grades anymore. We follow the highest quality standards to make sure that you get perfect assignments.
Our writers have experience in dealing with papers of every educational level. You can surely rely on the expertise of our qualified professionals.
Your deadline is our threshold for success and we take it very seriously. We make sure you receive your papers before your predefined time.
Someone from our customer support team is always here to respond to your questions. So, hit us up if you have got any ambiguity or concern.
Sit back and relax while we help you out with writing your papers. We have an ultimate policy for keeping your personal and order-related details a secret.
We assure you that your document will be thoroughly checked for plagiarism and grammatical errors as we use highly authentic and licit sources.
Still reluctant about placing an order? Our 100% Moneyback Guarantee backs you up on rare occasions where you aren’t satisfied with the writing.
You don’t have to wait for an update for hours; you can track the progress of your order any time you want. We share the status after each step.
Although you can leverage our expertise for any writing task, we have a knack for creating flawless papers for the following document types.
Although you can leverage our expertise for any writing task, we have a knack for creating flawless papers for the following document types.
From brainstorming your paper's outline to perfecting its grammar, we perform every step carefully to make your paper worthy of A grade.
Hire your preferred writer anytime. Simply specify if you want your preferred expert to write your paper and we’ll make that happen.
Get an elaborate and authentic grammar check report with your work to have the grammar goodness sealed in your document.
You can purchase this feature if you want our writers to sum up your paper in the form of a concise and well-articulated summary.
You don’t have to worry about plagiarism anymore. Get a plagiarism report to certify the uniqueness of your work.
Join us for the best experience while seeking writing assistance in your college life. A good grade is all you need to boost up your academic excellence and we are all about it.
We create perfect papers according to the guidelines.
We seamlessly edit out errors from your papers.
We thoroughly read your final draft to identify errors.
Work with ultimate peace of mind because we ensure that your academic work is our responsibility and your grades are a top concern for us!
Dedication. Quality. Commitment. Punctuality
Here is what we have achieved so far. These numbers are evidence that we go the extra mile to make your college journey successful.
We have the most intuitive and minimalistic process so that you can easily place an order. Just follow a few steps to unlock success.
We understand your guidelines first before delivering any writing service. You can discuss your writing needs and we will have them evaluated by our dedicated team.
We write your papers in a standardized way. We complete your work in such a way that it turns out to be a perfect description of your guidelines.
We promise you excellent grades and academic excellence that you always longed for. Our writers stay in touch with you via email.