Lab 6

Uploaded by

phucdnse180322

Lab #6: Assessment Worksheet

Develop a Risk Mitigation Plan Outline for an IT Infrastructure

Course Name: IAA202

Student Name: DUONG NGOC PHUC

Instructor Name: DINHMH

Lab Due Date: 12.10.2024

Overview
After you have completed your qualitative risk assessment and identification of the critical “1” risks,
threats, and vulnerabilities, mitigating them requires proper planning and communication to executive
management. Students are required to craft a detailed IT risk management plan consisting of the
following major topics and structure:
A. Executive summary
“1” Critical – a risk, threat, or vulnerability that impacts compliance (i.e., privacy law requirement
for securing privacy data and implementing proper security controls, etc.) and places the organization in
a position of increased liability.
“2” Major – a risk, threat, or vulnerability that impacts the C-I-A of an organization’s intellectual
property assets and IT infrastructure.
“3” Minor – a risk, threat, or vulnerability that can impact user or employee productivity or
availability of the IT infrastructure.

B. Prioritization of identified risks, threats, and vulnerabilities organized into the seven domains

| Risk – Threat – Vulnerability | Primary Domain Impacted | Risk Impact/Factor |
|---|---|---|
| Unauthorized access from public Internet | LAN-to-WAN | Critical |
| User destroys data in application and deletes all files | Systems/Application | Critical |
| Hacker penetrates your IT infrastructure and gains access to your internal network | LAN-to-WAN | Critical |
| Intra-office employee romance gone bad | User | Minor |
| Fire destroys primary data center | Systems/Application | Major |
| Service provider SLA is not achieved | Workstation | Major |
| Unauthorized access to organization owned Workstations | Workstation | Major |
| Loss of production data | Systems/Application | Minor |
| Denial of service attack on organization DMZ and e-mail server | LAN-to-WAN | Major |
| Remote communications from home office | Remote Access | Major |
| LAN server OS has a known software vulnerability | LAN | Critical |
| User downloads and clicks on an unknown | User | Critical |
| Workstation browser has software vulnerability | Workstation | Major |
| Mobile employee needs secure browser access to sales order entry system | User | Minor |
| Service provider has a major network outage | WAN | Minor |
| Weak ingress/egress traffic filtering degrades Performance | LAN-to-WAN | Minor |
| User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned computers | User | Minor |
| VPN tunneling between remote computer and ingress/egress router | Remote Access | Major |
| WLAN access points are needed for LAN connectivity within a warehouse | LAN | Minor |
| Need to prevent rogue users from unauthorized WLAN access | LAN | Major |
| DoS/DDoS attack from the WAN/Internet | WAN | Major |

C. Critical “1” risks, threats, and vulnerabilities identified throughout the IT infrastructure
- Unauthorized access from public Internet
- User destroys data in application and deletes all files
- Hacker penetrates your IT infrastructure and gains access to your internal network
- LAN server OS has a known software vulnerability
- User downloads and clicks on an unknown

D. Remediation steps for mitigating critical “1” risks, threats, and vulnerabilities
- Unauthorized access from public Internet: strengthen firewall security and install IPS and IDS systems in the infrastructure.
- User destroys data in application and deletes all files: back up data and use cloud storage.
- Hacker penetrates your IT infrastructure and gains access to your internal network: identify and fix the vulnerabilities.
- LAN server OS has a known software vulnerability: patch or update the software.
- User downloads and clicks on an unknown: restrict user access and require users to get authorization for downloads.

E. Remediation steps for mitigating major “2” and minor “3” risks, threats, and vulnerabilities
For Major (2) risks:
- Conduct a risk assessment to prioritize threats to intellectual property and critical IT infrastructure.
- Implement encryption and access controls to protect sensitive data and assets.
- Enhance network security by deploying firewalls, IDS/IPS, and regularly updating security
patches.
- Monitor systems continuously for unusual activity and conduct regular security audits.
- Develop an incident response plan to handle breaches quickly.
For Minor (3) risks:
- Improve backup and recovery systems to ensure quick restoration of IT infrastructure.
- Provide regular training to employees on security best practices and phishing awareness.
- Implement redundant systems to maintain productivity during minor outages.
- Monitor system performance to address availability issues before they escalate.

F. On-going IT risk mitigation steps for the seven domains of a typical IT infrastructure
LAN-to-WAN:
Use firewalls and IDS/IPS to filter traffic between internal and external networks.
Encrypt communications and regularly update router/switch firmware.

Systems/Application:
Regularly patch software and update applications.
Implement access controls and monitor for unauthorized access.

User:
Enforce strong password policies and multi-factor authentication (MFA).
Conduct ongoing security awareness training.

Workstation:
Ensure endpoint protection with antivirus, firewalls, and automatic updates.
Enforce least privilege policies for users.

Remote Access:
Require VPNs and MFA for secure remote access.
Monitor for unusual remote login activities.

LAN:
Implement network segmentation and access control lists (ACLs).
Monitor network traffic for anomalies.

WAN:
Ensure data encryption during transmission.
Use redundant links for reliable connectivity.

G. Cost magnitude estimates for work effort and security solutions for the critical risks
Cost estimates for addressing critical risks typically involve the following: technology
solutions like firewalls, IDS/IPS, and encryption software can range from $10,000 to $100,000+
depending on organization size. Labor costs for security experts, including ongoing monitoring and
incident response, can range from $100 to $250 per hour. Additionally, employee training programs and
periodic security audits may add $5,000 to $20,000 annually. Costs will vary based on the complexity
and scale of the organization's infrastructure.

H. Implementation plans for remediation of the critical risks


The implementation plan for remediating critical risks involves first prioritizing risks based
on their impact on C-I-A. Next, deploy immediate security controls like firewalls, encryption, and
access management. Follow with continuous monitoring and regular patching to prevent vulnerabilities
from recurring. Lastly, conduct security awareness training for employees and implement an incident
response plan for quick action in case of breaches.

Overview
After completing your IT risk mitigation plan outline, answer the following Lab #6 – Assessment
Worksheet questions. These questions are specific to the IT risk mitigation plan outline you crafted as
part of Lab #6 – Develop a Risk Mitigation Plan Outline for an IT Infrastructure.

Lab Assessment Questions


1. Why is it important to prioritize your IT infrastructure risks, threats, and vulnerabilities?
Because we need to determine where the most attention is required to ensure the quality of the IT
infrastructure.

2. Based on your executive summary produced in Lab #4 – Perform a Qualitative Risk Assessment for
an IT Infrastructure, what was the primary focus of your message to executive management?
Establishing security measures using a variety of techniques.

3. Given the scenario for your IT risk mitigation plan, what influence did your scenario have on
prioritizing your identified risks, threats, and vulnerabilities?

Simple things like user activity can be a massive risk so we need to think of all possibilities
as potential risks and prioritize some of them over others.

4. What risk mitigation solutions do you recommend for handling the following risk element?
User inserts CDs and USB hard drives with personal photos, music, and videos on organization
owned computers.
Use an antivirus program to scan all devices when they are plugged in. Disable the autoplay option for
all media and devices.

5. What is a security baseline definition?


The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact
information system.

6. What questions do you have for executive management in order to finalize your IT risk mitigation
plan?
Presenting all the thoughts about the budget and priorities and showing other options.

7. What is the most important risk mitigation requirement you uncovered and want to communicate to
executive management? In your opinion, why is this the most important risk mitigation requirement?
The most important risk mitigation requirement is establishing strong access controls and
authentication mechanisms. This ensures that only authorized personnel can access critical systems,
reducing the risk of data breaches and insider threats. It is crucial because inadequate access
management is a common vulnerability that can lead to severe financial, reputational, and
operational damages. Effective controls minimize potential points of failure and strengthen overall
security. Communicating this priority to executive management highlights its role in protecting core
business assets.

8. Based on your IT risk mitigation plan, what is the difference between short-term and long-term risk
mitigation tasks and on-going duties?
Long-term risks are those that could result in fines if they include compliance issues.
Short-term risks can be quickly remedied and might not have a long-term impact on the
organization.
The everyday tasks that must be completed for the business to operate with the least amount of risk
are known as ongoing duties.

9. Which of the seven domains of a typical IT infrastructure is easy to implement risk mitigation
solutions but difficult to monitor and track effectiveness?
Remote access domain.

10. Which of the seven domains of a typical IT infrastructure usually contains privacy data within
systems, servers, and databases?

LAN domain.

11. Which of the seven domains of a typical IT infrastructure can access privacy data and also store it on
local hard drives and disks?

User domain.

12. Why is the Remote Access Domain the most risk prone of all within a typical IT infrastructure?
The virus can spread throughout the network when remote users use remote access to connect to the
internal network and they will be infected without being aware of it.

13. When considering the implementation of software updates, software patches, and software fixes, why
must you test this upgrade or software patch before you implement this as a risk mitigation tactic?

To ensure the system’s applications and operations are not impacted, and business services are not
interrupted.

14. Are risk mitigation policies, standards, procedures, and guidelines needed as part of your long-term
risk mitigation plan? Why or why not?

Yes, because they help in identifying hazards and in reducing the impact of a disaster through
preparation.

15. If an organization under a compliance law is not in compliance, how critical is it for your
organization to mitigate this non-compliance risk element?

In order to fulfill its commitments and avoid being subject to legal action if it does not
follow the law, the business should be in compliance.
