Lab #6 - Develop A Risk Mitigation Plan Outline For An IT Infrastructure Learning Objectives and Outcomes

The document outlines a Risk Mitigation Plan for an IT Infrastructure as part of a course assignment, detailing major topics such as executive summary, risk prioritization, remediation steps, and ongoing mitigation strategies. It includes assessment questions that emphasize the importance of prioritizing risks, user awareness training, and compliance with regulations. The document serves as a guide for students to develop a comprehensive risk management plan addressing critical vulnerabilities in IT systems.


Lab #6: Assessment Worksheet

Develop a Risk Mitigation Plan Outline for an IT Infrastructure

Course Name: IAA202 - Risk Management in Information Systems

Student Name: Phạm Đức Tài Lộc

Instructor Name: Mai Hoàng Đỉnh

Lab Due Date: 6/3/2025

Overview
After you have completed your qualitative risk assessment and identification of the critical “1”
risks, threats, and vulnerabilities, mitigating them requires proper planning and communication to
executive management. Students are required to craft a detailed IT risk management plan
consisting of the following major topics and structure:
A. Executive summary
B. Prioritization of identified risks, threats, and vulnerabilities organized into the seven domains
C. Critical "1" risks, threats, and vulnerabilities identified throughout the IT infrastructure
D. Remediation steps for mitigating critical "1" risks, threats, and vulnerabilities
E. Remediation steps for mitigating major "2" and minor "3" risks, threats, and vulnerabilities
F. On-going IT risk mitigation steps for the seven domains of a typical IT infrastructure
G. Cost magnitude estimates for work effort and security solutions for the critical risks
H. Implementation plans for remediation of the critical risks

Copyright © 2013 Jones & Bartlett Learning, LLC, an Ascend Learning Company. Current Version Date: 05/30/2011. www.jblearning.com. All Rights Reserved.
Student Lab Manual, p. 42

Overview
After completing your IT risk mitigation plan outline, answer the following Lab #6 – Assessment
Worksheet questions. These questions are specific to the IT risk mitigation plan outline you
crafted as part of Lab #6 – Develop a Risk Mitigation Plan Outline for an IT Infrastructure.

Lab Assessment Questions

1. Why is it important to prioritize your IT infrastructure risks, threats, and vulnerabilities?

Prioritizing IT infrastructure risks, threats, and vulnerabilities ensures that the most critical security
gaps are addressed first, minimizing potential damage. It allows organizations to allocate resources
effectively, focus on high-impact threats, and ensure business continuity while maintaining regulatory
compliance.

2. Based on your executive summary produced in Lab #4 – Perform a Qualitative Risk Assessment for an IT Infrastructure, what was the primary focus of your message to executive management?

The primary focus was to communicate the most significant risks facing the IT infrastructure, their
potential impact, and the recommended mitigation strategies. The summary emphasized the necessity
of proactive security measures to protect sensitive data, ensure system availability, and prevent
financial and reputational loss.

3. Given the scenario for your IT risk mitigation plan, what influence did your scenario have on prioritizing your identified risks, threats, and vulnerabilities?

The scenario influenced prioritization by identifying the most pressing security concerns based on the
organization's specific IT environment. It considered factors such as existing vulnerabilities,
likelihood of exploitation, business impact, and regulatory requirements, ensuring a targeted approach
to risk mitigation.

4. What risk mitigation solutions do you recommend for handling the following risk element?
User inserts CDs and USB hard drives with personal photos, music, and videos on
organization-owned computers.
● Implement endpoint security solutions with device control to restrict unauthorized external media.
● Establish a policy prohibiting the use of unauthorized storage devices.
● Enable Group Policy settings to disable USB ports on corporate computers.
● Educate users on security risks associated with external media.
● Deploy antivirus and malware scanning tools for removable media.
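An added example, not part of the lab worksheet, showing how a defender can verify that the device-control and Group Policy recommendations above are actually in force on a Windows workstation. It assumes an elevated PowerShell session on Windows 10/11, the documented "Removable Storage Access" policy registry location, and the USBSTOR driver start value; the `Compliant` rule at the end is this example's own assumption about what counts as "USB mass storage blocked".

```powershell
# Added audit script (not from the lab manual): reports whether removable-media
# controls are enforced on this host. Read-only; it changes nothing.
# Assumptions: run elevated; policy values live under the Group Policy
# "Removable Storage Access" key; USBSTOR\Start = 4 means the driver is disabled.

$policyRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$removableId = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # device class GUID: Removable Disks
$usbstorKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    # Returns the registry value, or $null when the key or value does not exist
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-RemovableMediaControls {
    # "All Removable Storage classes: Deny all access" writes Deny_All = 1
    $denyAll   = Get-RegValueOrNull $policyRoot 'Deny_All'
    # Per-class policies for removable disks: Deny_Read / Deny_Write / Deny_Execute
    $classKey  = Join-Path $policyRoot $removableId
    $denyRead  = Get-RegValueOrNull $classKey 'Deny_Read'
    $denyWrite = Get-RegValueOrNull $classKey 'Deny_Write'
    $denyExec  = Get-RegValueOrNull $classKey 'Deny_Execute'
    # USB mass-storage driver start type: 3 = start on demand, 4 = disabled
    $usbStart  = Get-RegValueOrNull $usbstorKey 'Start'

    [pscustomobject]@{
        DenyAllRemovableStorage      = ($denyAll -eq 1)
        RemovableDiskReadDenied      = ($denyRead -eq 1)
        RemovableDiskWriteDenied     = ($denyWrite -eq 1)
        RemovableDiskExecuteDenied   = ($denyExec -eq 1)
        UsbMassStorageDriverDisabled = ($usbStart -eq 4)
        # Assumed compliance rule: any one of the three blocking approaches is in place
        Compliant = ($denyAll -eq 1) -or ($usbStart -eq 4) -or
                    (($denyRead -eq 1) -and ($denyWrite -eq 1))
    }
}

Test-RemovableMediaControls | Format-List
```

A result with `Compliant = False` means the "Enable Group Policy settings to disable USB ports" control is not actually applied on that host, which is the kind of evidence the ongoing monitoring duties in question 8 should collect.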

5. What is a security baseline definition?

A security baseline is a set of minimum security configurations and best practices established to
protect IT systems and infrastructure. It serves as a standard to ensure compliance with security
policies and reduce vulnerabilities.

6. What questions do you have for executive management in order to finalize your IT risk
mitigation plan?

● What is the budget allocation for cybersecurity initiatives?
● What level of risk is the organization willing to accept?
● Are there any legal or compliance obligations that must be prioritized?
● How will executive management support security training and awareness programs?
● What is the organization's timeline for implementing risk mitigation measures?

7. What is the most important risk mitigation requirement you uncovered and want to communicate to executive management? In your opinion, why is this the most important risk mitigation requirement?

The need for comprehensive user awareness training is the most important requirement. Human error
remains one of the leading causes of security breaches. Educating employees on cybersecurity best
practices can significantly reduce risks related to phishing, weak passwords, and improper data
handling.

8. Based on your IT risk mitigation plan, what is the difference between short-term and
long-term risk mitigation tasks and ongoing duties?

● Short-term tasks focus on immediate fixes, such as patching vulnerabilities, updating software, and enforcing password policies.
● Long-term tasks involve strategic security planning, deploying advanced security solutions, and establishing a cybersecurity culture.
● Ongoing duties include regular risk assessments, monitoring, user training, and continuous security improvements.

9. Which of the seven domains of a typical IT infrastructure is easy to implement risk mitigation solutions in but difficult to monitor and track for effectiveness?

The User Domain is easy to implement security controls in (e.g., access policies, training) but difficult to monitor because human behavior is unpredictable and users remain susceptible to social engineering attacks.

10. Which of the seven domains of a typical IT infrastructure usually contains privacy data within systems, servers, and databases?

The System/Application Domain stores sensitive data, including customer and employee
information, making it critical to secure through access controls and encryption.

11. Which of the seven domains of a typical IT infrastructure can access privacy data and also store it on local hard drives and disks?

The Workstation Domain allows users to store and access sensitive data on their local devices,
making endpoint security essential.

12. Why is the Remote Access Domain the most risk-prone of all within a typical IT infrastructure?

The Remote Access Domain is highly risk-prone due to external network connections, potential use
of unsecured personal devices, reliance on VPNs, and susceptibility to cyber threats such as
man-in-the-middle attacks and unauthorized access.

13. When considering the implementation of software updates, software patches, and software fixes, why must you test this upgrade or software patch before you implement this as a risk mitigation tactic?

Testing ensures compatibility with existing systems, prevents disruptions, verifies effectiveness, and
minimizes the risk of introducing new vulnerabilities or system failures.

14. Are risk mitigation policies, standards, procedures, and guidelines needed as part of your long-term risk mitigation plan? Why or why not?

Yes, they are essential. These policies provide a structured approach to security, ensure compliance,
establish accountability, and guide employees in implementing best practices for risk management.

15. If an organization under a compliance law is not in compliance, how critical is it for your organization to mitigate this non-compliance risk element?

It is extremely critical. Non-compliance can result in legal penalties, financial losses, reputational
damage, and operational disruptions. Implementing necessary controls ensures regulatory adherence
and protects the organization from legal consequences.
