Laboratory #4

Lab 4: Perform a Qualitative Risk Assessment for

an IT Infrastructure Learning Objectives and

Outcomes
Upon completing this lab, students will be able to:
 Define the purpose and objectives of an IT risk assessment
 Align identified risks, threats, and vulnerabilities to an IT risk assessment that encompasses the
seven domains of a typical IT infrastructure
 Classify identified risks, threats, and vulnerabilities according to a qualitative risk assessment
template
 Prioritize classified risks, threats, and vulnerabilities according to the defined qualitative risk
assessment scale
 Craft an executive summary that addresses the risk assessment findings, risk assessment impact,
and recommendations to remediate areas of non-compliance

Required Setup and Tools

This is a paper-based lab and does not require the use of a “mock” IT infrastructure or virtualized server
farm.

The standard Instructor and Student VM workstation with Microsoft Office 2007 or higher is required for
this lab for Internet access and Microsoft Word for answering and submitting the Lab #4 – Assessment
Worksheet questions.

The risks, threats, and vulnerabilities identified in Lab #1 – Identify Threats & Vulnerabilities in an IT
Infrastructure will be used as a basis for the scenario in Lab #4. Students are to focus their IT risk
assessment using one of the scenarios and vertical industry examples assigned by the Instructor.

Students will use Microsoft Word to perform a qualitative risk assessment according to pre-defined,
qualitative metrics and definitions. In addition, students will use Microsoft Word to document their
performance of a qualitative risk assessment classifying the risk impact and prioritization for the
identified risks, threats, and vulnerabilities.
Recommended Procedures
Lab #4 – Student Steps:

Student steps needed to perform Lab #4 – Perform a Qualitative Risk Assessment for an IT Infrastructure:
1. Connect your removable hard drive or USB hard drive to a classroom workstation.
2. Boot up your classroom workstation and DHCP for an IP host address.
3. Login to your classroom workstation and enable Microsoft Word.
4. Review Figure 1 – Seven Domains of a Typical IT Infrastructure.
5. Identify the scenario/vertical industry assigned by your Instructor.
a. Healthcare provider under HIPPA compliance law
b. Regional bank under GLBA compliance law
c. Nationwide retailer under PCI DSS standard requirements
d. Higher-education institution under FERPA compliance law
6. Review the Lab #4 – Assessment Worksheet, Part A – Qualitative Assessment Risk Impact/
Risk Factor.
7. Perform a Qualitative Risk Assessment and assign a Risk Impact/Risk Factor for each of the
identified risks, threats, and vulnerabilities using Lab #4 – Assessment Worksheet Part A.
8. Craft a four-paragraph executive summary according to the following outline:
 Purpose of the risk assessment & summary of risks, threats, and vulnerabilities found
throughout the IT infrastructure
 Prioritization of critical, major, minor risk assessment elements
 Risk assessment and risk impact summary
 Recommendations and next steps
9. Work on Lab #4 – Assessment Questions and submit.

Deliverables
Upon completion of Lab #4 – Perform a Qualitative Risk Assessment for an IT Infrastructure, students
are required to provide the following deliverables as part of this lab:

1. Lab #4 – Qualitative Risk Assessment Worksheet with assigned risk impact/risk factors for the
identified domains of a typical IT infrastructure (“1” – Critical, “2” – Major, “3” – Minor)
2. Lab #4 – Qualitative Risk Assessment executive summary
3. Lab #4 - Assessment Questions and Answers
Evaluation Criteria and Rubrics
The following are the evaluation criteria and rubrics for Lab #4 that the students must perform:
1. Was the student able to define the purpose and objectives of an IT risk assessment? – [20%]
2. Was the student able to align identified risks, threats, and vulnerabilities to an IT risk assessment
that encompasses the seven domains of a typical IT infrastructure? – [20%]
3. Was the student able to classify identified risks, threats, and vulnerabilities according to a
qualitative risk assessment template? – [20%]
4. Was the student able to prioritize classified risks, threats, and vulnerabilities according to the
defined qualitative risk assessment scale? – [20%]
5. Was the student able to craft an executive summary that addresses the risk assessment findings,
risk assessment impact, and recommendations to remediate areas of non-compliance? – [20%]
 Lab #4: Assessment Worksheet

Part A – Perform a Qualitative Risk Assessment for an IT Infrastructure

Course Name:

Student Name:

Instructor Name:

Lab Due Date:

Overview

The following risks, threats, and vulnerabilities were found in an IT infrastructure. Your Instructor will
assign you one of four different scenarios and vertical industries each of which is under a unique
compliance law.
1. Scenario/Vertical Industry:

a. Healthcare provider under HIPPA compliance law

b. Regional bank under GLBA compliance law
c. Nationwide retailer under PCI DSS standard requirements
d. Higher-education institution under FERPA compliance law

2. Given the list, perform a qualitative risk assessment by assigning a risk impact/risk factor to each
of identified risks, threats, and vulnerabilities throughout the seven domains of a typical IT
infrastructure that the risk, threat, or vulnerability resides.

Risk – Threat – Vulnerability Primary Domain Impacted Risk Impact/Factor

Unauthorized access from public Internet

User destroys data in application and deletes

all files

Hacker penetrates your IT infrastructure

and gains access to your internal network

Intra-office employee romance gone bad

Risk – Threat – Vulnerability Primary Domain Impacted Risk Impact/Factor

Service provider SLA is not achieved

Workstation OS has a known software

vulnerability

Unauthorized access to organization owned

workstations

Loss of production data

Denial of service attack on organization

DMZ and e-mail server

Remote communications from home office

LAN server OS has a known software

vulnerability

User downloads and clicks on an unknown

Workstation browser has software vulnerability

Mobile employee needs secure browser access

to sales order entry system

Service provider has a major network outage

Weak ingress/egress traffic filtering

degrades performance

User inserts CDs and USB hard drives

with personal photos, music, and videos on
organization owned computers

VPN tunneling between remote computer

and ingress/egress router is needed

WLAN access points are needed for LAN

connectivity within a warehouse

Need to prevent eavesdropping on WLAN

due to customer privacy data access

DoS/DDoS attack from the WAN/Internet

3. For each of the identified risks, threats, and vulnerabilities, prioritize them by listing a “1”, “2”,
and “3” next to each risk, threat, vulnerability found within each of the seven domains of a typical
IT infrastructure. “1” = Critical, “2” = Major, “3” = Minor. Define the following qualitative risk
impact/risk factor metrics:
“1” Critical – a risk, threat, or vulnerability that impacts compliance (i.e., privacy law requirement
for securing privacy data and implementing proper security controls, etc.) and places the
organization in a position of increased liability.
“2” Major – a risk, threat, or vulnerability that impacts the C-I-A of an organization’s intellectual
property assets and IT infrastructure.
“3”Minor – a risk, threat, or vulnerability that can impact user or employee productivity or
availability of the IT infrastructure.

User Domain Risk Impacts:

Workstation Domain Risk Impacts:

LAN Domain Risk Impacts:

LAN-to-WAN Domain Risk Impacts:

WAN Domain Risk Impacts:

Remote Access Domain Risk Impacts:

Systems/Applications Domain Risk Impacts:

4. Craft an executive summary for management using the following 4-paragraph format. The
executive summary must address the following topics:
 Paragraph #1: Summary of findings: risks, threats, and vulnerabilities found throughout the
seven domains of a typical IT infrastructure
 Paragraph #2: Approach and prioritization of critical, major, minor risk assessment elements
 Paragraph #3: Risk assessment and risk impact summary to the seven domains of a typical
IT infrastructure
 Paragraph #4: Recommendations and next steps for executive management
 Lab #4: Assessment Worksheet

Perform a Qualitative Risk Assessment for an IT Infrastructure

Course Name:

Student Name:

Instructor Name:

Lab Due Date:

Overview

Answer the following Lab #4 – Assessment Worksheet questions pertaining to your qualitative IT risk
assessment you performed.

Lab Assessment Questions

1. What is the goal or objective of an IT risk assessment?

2. Why is it difficult to conduct a qualitative risk assessment for an IT infrastructure?

3. What was your rationale in assigning “1” risk impact/ risk factor value of “Critical” for an identified
risk, threat, or vulnerability?

4. When you assembled all of the “1” and “2” and “3” risk impact/risk factor values to the identified
risks, threats, and vulnerabilities, how did you prioritize the “1”, “2”, and “3” risk elements? What
would you say to executive management in regards to your final recommended prioritization?
5. Identify a risk mitigation solution for each of the following risk factors:
User downloads and clicks on an unknown e-mail attachment –

Workstation OS has a known software vulnerability – update

Need to prevent eavesdropping on WLAN due to customer privacy data access –

Weak ingress/egress traffic filtering degrades performance –

DoS/DDoS attack from the WAN/Internet –

Remote access from home office –

Production server corrupts database –