Lab #3: Assessment Worksheet

Define the Scope & Structure for an IT Risk Management Plan

Course Name: IAA202_______________________________________
Student Name: Trần Mỹ Linh, Lê Mạnh Hải_______________________
Instructor Name: Hồ Kim Cường_______________________________
Lab due date:_______________________________________________
Overview
Answer the following Lab #3 – Assessment Worksheet questions
pertaining to your IT risk management plan design and table of contents.
Lab Assessment Questions
1. What is the goal or objective of an IT risk management plan?
To define how risks will be managed, monitored and controlled
throughout the project
2. What are the five fundamental components of an IT risk management plan?
 Risk planning
 Risk identification
 Risk assessment
 Risk response
 Risk monitoring
3. Define what risk planning is.
Specialized type of project management. You create a risk management
plan to mitigate risks. It helps you identify the risks and choose the best
solutions. It also helps you track the solutions to ensure they are implemented on
budget and on schedule.
4. What is the first step in performing risk management?
Risk Identification is the first step in performing risk management.
5. What is the exercise called when you are trying to identify an organization’s
risk health?
Health Risk Assessment
6. What practice helps reduce or eliminate risk?
 One practice that helps reduce or eliminate risk is risk management. Risk
management involves identifying, assessing, and prioritizing risks, and then
implementing strategies to mitigate or control those risks. This can include
measures such as implementing safety protocols, conducting regular inspections
and audits, training employees on risk awareness and prevention, and having
contingency plans in place. By actively managing risks, organizations can
minimize the likelihood and impact of potential negative events or incidents.
7. What on-going practice helps track risk in real-time?
To track risks in real-time, it is essential to implement an ongoing risk
management practice. One effective approach is to establish a risk register and
regularly update it. Here are the key steps involved:
Identify Risks: Begin by identifying potential risks that could impact your
project, business, or organization. This can be done through brainstorming
sessions, historical data analysis, expert opinions, and industry research.
Assess Risks: Evaluate the likelihood and impact of each identified risk.
This can be done using qualitative or quantitative methods. Qualitative
assessment involves assigning subjective ratings (e.g., low, medium, high) to the
likelihood and impact of each risk. Quantitative assessment involves assigning
numerical values to these factors.
Prioritize Risks: Prioritize the identified risks based on their potential
impact and likelihood. This helps in focusing resources on managing the most
critical risks first.
Develop Risk Response Strategies: For each prioritized risk, develop
appropriate response strategies. These strategies can include risk avoidance, risk
mitigation, risk transfer, or risk acceptance. The chosen strategy should align
with the organization's risk appetite and objectives.
Implement Risk Controls: Put in place controls and measures to monitor
and manage the identified risks. This can include establishing monitoring
systems, implementing preventive measures, and creating contingency plans.
Monitor and Review: Continuously monitor the identified risks and their
associated controls. Regularly review the risk register to ensure it remains up-to-
date. This allows for timely identification of new risks, changes in risk levels,
and the effectiveness of risk response strategies.
 Communicate and Report: Maintain open communication channels to
share risk-related information with stakeholders. Regularly report on the status
of risks, their impact, and the effectiveness of risk management efforts. This
helps in maintaining transparency and ensuring that appropriate actions are
taken.
By following these steps and maintaining an ongoing risk management
practice, you can effectively track risks in real-time and take proactive measures
to mitigate their impact.
8. Given that an IT risk management plan can be large in scope, why is it
a good idea to development a risk management plan team?
Developing a risk management plan team is a good idea for several
reasons:
Expertise and Diverse Perspectives: By forming a team, you can bring
together individuals with different areas of expertise and perspectives. This
diversity can help in identifying and assessing risks from various angles,
ensuring a comprehensive risk management plan.
Collaboration and Brainstorming: A team approach encourages
collaboration and brainstorming sessions. Team members can share their
knowledge, experiences, and insights, leading to a more thorough understanding
of potential risks and effective risk mitigation strategies.
Efficiency and Division of Labor: A risk management plan can be a
complex and time-consuming task. By forming a team, you can distribute the
workload among team members, making the process more efficient. Each team
member can focus on specific areas of risk, allowing for a more detailed
analysis.
Risk Identification and Assessment: A team-based approach enhances the
identification and assessment of risks. Different team members can contribute
their unique perspectives, increasing the chances of identifying risks that may
have been overlooked by an individual. This comprehensive risk assessment
helps in prioritizing risks and allocating appropriate resources for mitigation.
Risk Mitigation Strategies: Developing a risk management plan team
enables the generation of a wider range of risk mitigation strategies. Team
members can pool their knowledge and expertise to develop creative and
effective strategies to minimize the impact of identified risks.
Continuous Improvement: A risk management plan team can facilitate
continuous improvement by regularly reviewing and updating the plan. As new
risks emerge or existing risks evolve, the team can adapt the plan accordingly,
ensuring its relevance and effectiveness over time.
In summary, forming a risk management plan team brings together
diverse expertise, promotes collaboration and efficiency, enhances risk
identification and assessment, facilitates the development of effective risk
mitigation strategies, and enables continuous improvement of the plan.
9. Within the seven domains of a typical IT infrastructure, which domain
is the most difficult to plan, identify, assess, remediate, and monitor?
Among the seven domains of a typical IT infrastructure, the most difficult
domain to plan, identify, assess, remediate, and monitor is the Security Domain.
The Security Domain encompasses all aspects related to protecting the IT
infrastructure from unauthorized access, data breaches, and other security
threats. It involves implementing security measures, policies, and procedures to
ensure the confidentiality, integrity, and availability of data and systems.
10. From your scenario perspective, with which compliance law or
standard does your organization have to comply? How did this impact the scope
and boundary of your IT risk management plan?
Compliance Law or Standard
Our organization is required to comply with the General Data Protection
Regulation (GDPR). The GDPR is a European Union (EU) law that regulates
the processing of personal data of individuals within the EU. It applies to all
organizations that collect, store, or process personal data of EU citizens,
regardless of their location.
Impact on IT Risk Management Plan
The GDPR has a significant impact on the scope and boundary of our IT
risk management plan. It requires us to implement appropriate technical and
organizational measures to ensure the security and protection of personal data.
This means that our IT risk management plan needs to address specific
requirements outlined in the GDPR, such as:
 Data Protection Impact Assessments (DPIAs): We need to conduct DPIAs
for high-risk processing activities that involve personal data. These assessments
help identify and mitigate potential risks to individuals' privacy.
Data Breach Notification: In the event of a personal data breach, we are
required to notify the relevant supervisory authority and affected individuals
without undue delay. Our IT risk management plan needs to include procedures
for detecting, reporting, and responding to data breaches.
Privacy by Design and Default: The GDPR emphasizes the importance of
incorporating privacy and data protection measures from the outset of any
system or process development. Our IT risk management plan should include
measures to ensure privacy by design and default, such as data minimization,
pseudonymization, and access controls.
Vendor Management: We need to ensure that our third-party vendors and
service providers also comply with the GDPR. Our IT risk management plan
should include processes for assessing and monitoring the compliance of
vendors and service providers.
Data Subject Rights: The GDPR grants individuals certain rights
regarding their personal data, such as the right to access, rectify, and erase their
data. Our IT risk management plan needs to address these rights and provide
mechanisms for individuals to exercise them.
In summary, the GDPR's requirements have expanded the scope of our IT
risk management plan to include specific measures for protecting personal data
and ensuring compliance with the regulation. It has also necessitated the
inclusion of processes and procedures to address data breach notification,
privacy by design, vendor management, and data subject rights.
11. How did the risk identification and risk assessment of the identified
risks, threats, and vulnerabilities contribute to your IT risk management plan
table of contents?
The risk identification and risk assessment process play a crucial role in
developing an effective IT risk management plan. These activities help in
identifying, analyzing, and prioritizing risks, threats, and vulnerabilities that
could impact an organization's IT systems and operations. The outcomes of
these processes contribute to the development of the IT risk management plan's
table of contents in the following ways:
Risk Identification: This process involves identifying potential risks,
threats, and vulnerabilities that could affect the organization's IT environment.
The identified risks are categorized and documented, providing a comprehensive
list of potential risks that need to be addressed. This information forms the basis
for the risk management plan's table of contents, as it outlines the specific risks
that will be addressed in the plan.
Risk Assessment: Once the risks are identified, a risk assessment is
conducted to evaluate their potential impact and likelihood of occurrence. This
assessment helps in prioritizing risks based on their significance and the
organization's risk appetite. The results of the risk assessment inform the table of
contents by highlighting the high-priority risks that require immediate attention
and mitigation strategies.
Contributing Sections: The risk identification and assessment processes
contribute to several sections of the IT risk management plan's table of contents,
including:
Executive Summary: A summary of the identified risks, threats, and
vulnerabilities, along with their potential impact on the organization's IT
systems and operations.
Introduction: An overview of the risk management process, including the
purpose, scope, and objectives of the plan. This section may also include a
summary of the risk identification and assessment activities conducted.
Risk Register: A detailed list of identified risks, threats, and
vulnerabilities, along with their descriptions, potential impacts, likelihood of
occurrence, and risk ratings. This section provides a comprehensive overview of
the risks that will be managed and mitigated.
Risk Analysis: An analysis of the identified risks, including their potential
impact on the organization's IT assets, systems, and operations. This section
may include quantitative or qualitative assessments of the risks, helping
prioritize them for further action.
Risk Mitigation Strategies: A description of the strategies and controls
that will be implemented to mitigate the identified risks. This section may
include risk treatment plans, control measures, and risk response strategies based
on the outcomes of the risk assessment.
Monitoring and Review: A plan for monitoring and reviewing the
effectiveness of the risk management activities. This section outlines the
ongoing monitoring of risks, periodic risk assessments, and the review of risk
mitigation measures.
By incorporating the outcomes of risk identification and risk assessment
processes into the table of contents, the IT risk management plan becomes a
comprehensive document that addresses the specific risks, threats, and
vulnerabilities faced by the organization. It provides a structured approach to
managing and mitigating these risks, ensuring the organization's IT systems and
operations are protected.
12. What risks, threats, and vulnerabilities did you identify and assess that
require immediate risk mitigation given the criticality of the threat or
vulnerability?
To identify and assess risks, threats, and vulnerabilities that require
immediate risk mitigation, you need to consider the criticality of each threat or
vulnerability. Here are some examples:
Data breaches: Unauthorized access to sensitive data can lead to financial
loss, reputational damage, and legal consequences. Immediate risk mitigation
measures include implementing strong access controls, encryption, and regular
security audits.
Malware attacks: Malicious software can infect systems, steal data, or
disrupt operations. Immediate risk mitigation involves deploying antivirus
software, keeping systems up to date with security patches, and educating users
about safe browsing habits.
Physical security breaches: Unauthorized access to physical assets, such
as servers or data centers, can result in data loss or service disruption. Immediate
risk mitigation measures include implementing access controls, surveillance
systems, and physical barriers.
Social engineering: Manipulating individuals to gain unauthorized access
to systems or sensitive information is a common threat. Immediate risk
mitigation involves training employees to recognize and report suspicious
activities, implementing multi-factor authentication, and conducting regular
security awareness campaigns.
Insider threats: Employees or contractors with authorized access can
intentionally or unintentionally cause harm to an organization. Immediate risk
mitigation measures include implementing strict access controls, monitoring
user activities, and conducting background checks.
Software vulnerabilities: Unpatched or insecure software can be exploited
by attackers. Immediate risk mitigation involves regularly updating software
with security patches, conducting vulnerability assessments, and implementing
secure coding practices.
Denial of Service (DoS) attacks: Overwhelming a system or network with
excessive traffic can disrupt services. Immediate risk mitigation measures
include implementing traffic filtering, load balancing, and DoS protection
mechanisms.
Remember, risk mitigation should be an ongoing process, and regular risk
assessments should be conducted to identify new threats and vulnerabilities.
13. For risk monitoring, what techniques or tools can you implement
within each of the seven domains of a typical IT infrastructure to help mitigate
risk?
Risk monitoring is crucial for identifying and mitigating potential risks
within an IT infrastructure. Here are some techniques and tools that can be
implemented within each of the seven domains of a typical IT infrastructure to
help mitigate risk:
1. User Domain:
User Training and Awareness: Conduct regular training sessions to
educate users about security best practices and potential risks.
Security Policies: Implement and enforce security policies that define
acceptable use of IT resources.
User Access Controls: Use tools like identity and access management
systems to control user access to sensitive data and resources.
2. Workstation Domain:
 Endpoint Protection: Install and regularly update antivirus and anti-
malware software on workstations.
Patch Management: Implement tools to ensure workstations are up to date
with the latest security patches.
Host Intrusion Detection/Prevention Systems (HIDS/HIPS): Deploy
HIDS/HIPS tools to monitor and protect workstations from unauthorized
activities.
3. LAN Domain:
Network Monitoring Tools: Use network monitoring tools to detect and
analyze network traffic for any suspicious activities.
Firewalls: Implement firewalls to control incoming and outgoing network
traffic.
Intrusion Detection/Prevention Systems (IDS/IPS): Deploy IDS/IPS tools
to detect and prevent network-based attacks.
4. LAN-to-WAN Domain:
Virtual Private Networks (VPNs): Use VPNs to secure communication
between remote locations and the main network.
Network Segmentation: Implement network segmentation to isolate
critical systems and limit the impact of potential breaches.
Network Access Control (NAC): Deploy NAC tools to authenticate and
authorize devices connecting to the network.
5. WAN Domain:
Encryption: Use encryption protocols (e.g., SSL/TLS) to secure data
transmitted over wide area networks.
Traffic Monitoring: Implement tools to monitor and analyze network
traffic for any anomalies or potential threats.
Redundancy and Failover: Set up redundant connections and failover
mechanisms to ensure continuous network availability.
6. Remote Access Domain:
Multi-Factor Authentication (MFA): Require users to authenticate using
multiple factors (e.g., passwords, tokens) to access remote resources.
 Remote Access Policies: Define and enforce policies for remote access,
including secure VPN connections and strong authentication.
Remote Desktop Protocol (RDP) Security: Implement secure
configurations and access controls for remote desktop connections.
7. System/Application Domain:
Vulnerability Scanning: Conduct regular vulnerability scans to identify
and patch security vulnerabilities in systems and applications.
Log Monitoring and Analysis: Implement tools to monitor and analyze
system logs for any suspicious activities or security incidents.
Intrusion Detection/Prevention Systems (IDS/IPS): Deploy IDS/IPS tools
to detect and prevent attacks targeting systems and applications.
Remember, risk monitoring is an ongoing process, and it's important to
regularly review and update your risk mitigation strategies and tools to adapt to
evolving threats.
14. For risk mitigation, what processes and procedures are needed to help
streamline and implement risk mitigation solutions to the production IT
infrastructure?
To streamline and implement risk mitigation solutions to the production
IT infrastructure, several processes and procedures are needed. Here are some
key steps to consider:
Risk Assessment: Conduct a thorough risk assessment to identify potential
risks and vulnerabilities in the IT infrastructure. This involves analyzing the
system, identifying potential threats, and assessing the impact and likelihood of
each risk.
Risk Prioritization: Prioritize risks based on their potential impact and
likelihood. This helps allocate resources effectively and focus on addressing the
most critical risks first.
Risk Mitigation Strategies: Develop risk mitigation strategies to address
identified risks. This may involve implementing technical controls, such as
firewalls and intrusion detection systems, as well as operational controls, such as
access controls and security policies.
 Change Management: Implement a robust change management process to
ensure that any changes to the production IT infrastructure are properly assessed
for potential risks and approved before implementation. This helps prevent
unauthorized or risky changes that could introduce vulnerabilities.
Incident Response: Establish an incident response plan to effectively
respond to and mitigate any security incidents or breaches. This includes
defining roles and responsibilities, establishing communication channels, and
conducting regular drills and exercises to test the effectiveness of the plan.
Monitoring and Logging: Implement a comprehensive monitoring and
logging system to detect and track any suspicious activities or anomalies in the
IT infrastructure. This helps identify potential risks and respond to them in a
timely manner.
Regular Audits and Assessments: Conduct regular audits and assessments
to evaluate the effectiveness of the risk mitigation measures and identify any
gaps or areas for improvement. This helps ensure that the risk mitigation
processes and procedures are up to date and aligned with industry best practices.
Training and Awareness: Provide regular training and awareness
programs to educate employees about the importance of risk mitigation and their
roles and responsibilities in maintaining a secure IT infrastructure. This helps
create a culture of security and ensures that everyone is aware of the risks and
how to mitigate them.
By following these processes and procedures, organizations can
streamline and implement effective risk mitigation solutions to their production
IT infrastructure, reducing the likelihood and impact of potential risks and
vulnerabilities.
15. How does risk mitigation impact change control management and
vulnerability management?
Risk mitigation plays a crucial role in both change control management
and vulnerability management. Let's explore how it impacts each of these areas:
Change Control Management:
Change control management involves implementing and managing
changes to systems, processes, or infrastructure in a controlled manner. Risk
mitigation helps in the following ways:
 Identifying Risks: Risk mitigation involves identifying potential risks
associated with changes. By conducting risk assessments, organizations can
identify and evaluate the potential impact of changes on the system's stability,
security, and performance.
Prioritizing Changes: Risk mitigation helps in prioritizing changes based
on their potential risks. Changes with higher risks can be given more attention
and resources to ensure proper planning, testing, and implementation.
Implementing Controls: Risk mitigation involves implementing controls
to minimize the impact of potential risks. These controls can include
implementing backup and recovery mechanisms, conducting thorough testing,
and ensuring proper documentation and communication.
Monitoring and Reviewing: Risk mitigation involves continuously
monitoring and reviewing the implemented changes to identify any new risks or
issues. This helps in ensuring that the changes are effective and do not introduce
new vulnerabilities or disruptions.
Vulnerability Management:
Vulnerability management focuses on identifying, assessing, and
mitigating vulnerabilities in systems or applications. Risk mitigation is closely
related to vulnerability management in the following ways:
Assessing Vulnerabilities: Risk mitigation involves assessing
vulnerabilities to determine their potential impact and likelihood of exploitation.
This assessment helps in prioritizing vulnerabilities based on their risk level and
allocating resources for their mitigation.
Implementing Controls: Risk mitigation involves implementing controls
to mitigate vulnerabilities. These controls can include patching systems,
updating software, configuring firewalls, and implementing intrusion detection
systems.
Monitoring and Remediation: Risk mitigation involves continuously
monitoring systems for new vulnerabilities and promptly remediating them. This
includes regularly scanning systems for vulnerabilities, applying patches and
updates, and monitoring for any signs of exploitation.
 Incident Response: Risk mitigation includes having an incident response
plan in place to address any vulnerabilities that are exploited. This plan outlines
the steps to be taken in case of a security incident and helps in minimizing the
impact and recovering from any potential breaches.
In summary, risk mitigation is essential in both change control
management and vulnerability management as it helps in identifying,
prioritizing, implementing controls, and monitoring risks and vulnerabilities. It
ensures that changes are implemented in a controlled manner and vulnerabilities
are addressed effectively to minimize potential impacts.