Lab #3: Assessment Worksheet
Define the Scope & Structure for an IT Risk Management Plan
Course Name: _____________IAA202___________________________________
Student Name: _______________Nguyen Thu Ngan_________________________
Instructor Name: ___________________Mai Hoang Dinh_____________________
Lab Due Date: ________________________08/02/2025____________________
Overview
Answer the following Lab #3 – Assessment Worksheet questions pertaining to your IT risk management
plan design and table of contents.
Lab Assessment Questions
1. What is the goal or objective of an IT risk management plan?
The goal of an IT Risk Management Plan is to identify, assess, mitigate, and monitor risks associated with
an organization's information technology systems and processes.
2. What are the five fundamental components of an IT risk management plan?
Risk planning - Risk identification - Risk assessment - Risk mitigation - Risk monitoring
3. Define what risk planning is.
Risk planning is the process of identifying, analyzing, and developing strategies to manage potential risks
that could impact a project's success or an organization's operations
4. What is the first step in performing risk management?
The first step in risk management is Risk Identification—recognizing potential threats that could impact a
project or organization. This involves listing risks, categorizing them, gathering insights from experts and data,
and documenting them in a risk register for further assessment and mitigation.
5. What is the exercise called when you are trying to identify an organization’s risk health?
It is called a Risk Assessment. This process involves identifying potential risks, evaluating their likelihood and
impact, and determining the organization's ability to manage them. It helps in understanding vulnerabilities,
prioritizing risks, and developing mitigation strategies to enhance overall risk resilience.
Copyright © 2013 Jones & Bartlett Learning, LLC, an Ascend Learning Company Current Version Date: 05/30/2011
www.jblearning.com All Rights Reserved.
� Student Lab Manual
6. What practice helps reduce or eliminate risk?
The practice that helps reduce or eliminate risk is called Risk Mitigation. It involves implementing strategies to
minimize the impact or likelihood of risks
7. What on-going practice helps track risk in real-time?
Risk Monitoring and Control process involves continuously tracking identified risks, detecting new risks, and
assessing the effectiveness of mitigation strategies
8. Given that an IT risk management plan can be large in scope, why is it a good idea to development a
risk management plan team?
A Risk Management Plan Team is essential due to the broad scope of IT risks. It brings diverse expertise,
improves risk identification, ensures efficient mitigation, enables faster response, and enhances compliance.
A team approach ensures a proactive and organized risk management process.
9. Within the seven domains of a typical IT infrastructure, which domain is the most difficult to plan,
identify, assess, remediate, and monitor?
The User Domain is the most difficult because it involves human behavior, which is unpredictable and prone to errors.
Users can fall victim to phishing attacks, weak passwords, policy violations, and social engineering, making risk
management challenging. Unlike hardware or software, users cannot be "patched," requiring continuous training,
monitoring, and enforcement of security policies.
10. From your scenario perspective, with which compliance law or standard does your organization have
to comply? How did this impact the scope and boundary of your IT risk management plan?
PCI DSS for payment card security - HIPAA for healthcare data protection.
Compliance impacts by requiring stricter data protection measures, access controls, monitoring, and reporting. It also
dictates risk assessment methods, mitigation strategies, and audit processes to ensure regulatory adherence.
11. How did the risk identification and risk assessment of the identified risks, threats, and vulnerabilities
contribute to your IT risk management plan table of contents?
They shape the IT Risk Management Plan Table of Contents by defining key sections. This ensures
comprehensive risk management and effective decision-making.
� Student Lab Manual
12. What risks, threats, and vulnerabilities did you identify and assess that require immediate risk
mitigation given the criticality of the threat or vulnerability?
Immediate risk mitigation is required for high-criticality risks, like Cyber threats – Unpatched software –
Weak access controls – Insider threats – Unsecured remote access. These risks require urgent action,
including patching, user training, access control enforcement, and real-time monitoring to prevent breaches
and operational disruptions
13. For risk monitoring, what techniques or tools can you implement within each of the seven domains of
a typical IT infrastructure to help mitigate risk?
Risk Monitoring Techniques & Tools used to imply each of the 7 domains of IT infrastructure to help mitigate risk:
1. User Domain – Security awareness training, multi-factor authentication (MFA).
2. Workstation Domain – Endpoint detection & response (EDR), patch management.
3. LAN Domain – Network monitoring (IDS/IPS), access controls.
4. LAN-to-WAN Domain – Firewalls, intrusion detection systems (IDS).
5. WAN Domain – Secure VPNs, traffic monitoring tools.
6. Remote Access Domain – Zero Trust security, multi-factor authentication.
7. System/Application Domain – SIEM, vulnerability scanning, access logging.
=> These tools help detect, prevent, and respond to threats in real-time.
14. For risk mitigation, what processes and procedures are needed to help streamline and implement risk
mitigation solutions to the production IT infrastructure?
For risk mitigation, the processes and procedures such as risk identification, risk assessment,
risk response planning, and risk monitoring are needed to help.
15. How does risk mitigation impact change control management and vulnerability management?
Change Control Management
Ensures security risks are assessed before implementing changes.
Requires testing and approval to prevent new vulnerabilities.
Reduces downtime and unintended disruptions.
Vulnerability Management
Prioritizes patching and remediation based on risk severity.
Implements continuous monitoring to detect new threats.
Strengthens security posture by proactively addressing weaknesses.
Overall: Risk mitigation enhances structured change control and vulnerability management,
ensuring secure, stable IT operations.
