Lab #6 - Develop A Risk Mitigation Plan Outline For An IT Infrastructure Learning Objectives and Outcomes
Overview
After you have completed your qualitative risk assessment and identification of the critical “1”
risks, threats, and vulnerabilities, mitigating them requires proper planning and communication to
executive management. Students are required to craft a detailed IT risk management plan
consisting of the following major topics and structure:
A. Executive summary
B. Prioritization of identified risks, threats, and vulnerabilities organized into the seven domains
C. Critical “1” risks, threats, and vulnerabilities identified throughout the IT infrastructure
D. Remediation steps for mitigating critical “1” risks, threats, and vulnerabilities
E. Remediation steps for mitigating major “2” and minor “3” risks, threats, and vulnerabilities
F. On-going IT risk mitigation steps for the seven domains of a typical IT infrastructure
G. Cost magnitude estimates for work effort and security solutions for the critical risks
Copyright © 2013 Jones & Bartlett Learning, LLC, an Ascend Learning Company. Current Version Date: 05/30/2011
www.jblearning.com
All Rights Reserved.
Student Lab Manual
Overview
After completing your IT risk mitigation plan outline, answer the following Lab #6 – Assessment
Worksheet questions. These questions are specific to the IT risk mitigation plan outline you
crafted as part of Lab #6 – Develop a Risk Mitigation Plan Outline for an IT Infrastructure.
3. Given the scenario for your IT risk mitigation plan, what influence did your scenario have on
prioritizing your identified risks, threats, and vulnerabilities?
The scenario influenced prioritization by identifying the most pressing security concerns based on the
organization's specific IT environment. It considered factors such as existing vulnerabilities,
likelihood of exploitation, business impact, and regulatory requirements, ensuring a targeted approach
to risk mitigation.
4. What risk mitigation solutions do you recommend for handling the following risk element?
User inserts CDs and USB hard drives with personal photos, music, and videos on
organization-owned computers.
● Implement endpoint security solutions with device control to restrict unauthorized external
media.
● Establish a policy prohibiting the use of unauthorized storage devices.
● Enable Group Policy settings to disable USB ports on corporate computers.
● Educate users on security risks associated with external media.
● Deploy antivirus and malware scanning tools for removable media.
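The following PowerShell script is an added example and is not part of the lab manual or of this worksheet's answer. It shows what the "device control" and "Group Policy settings to disable USB ports" bullets look like on a Windows endpoint: it audits the removable-storage deny policy and the USBSTOR driver start type, and can apply both with a -WhatIf preview. It assumes an elevated PowerShell session on a Windows host; the registry paths and device-class GUIDs are the documented locations behind the "Removable Storage Access" Group Policy settings and the USB mass-storage driver, and in a domain the same values would normally be delivered by a GPO rather than set locally. The compliance check treats both controls as required, matching the worksheet's recommendation to combine device control with disabled USB storage.

```powershell
# Added example: audit and optionally enforce removable-media restrictions on Windows.
# Assumes an elevated session. Registry locations are the documented ones behind
# the "Removable Storage Access" policies and the USBSTOR driver.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Device setup class GUIDs used by the removable-storage policy.
$DeviceClasses = @{
    'Removable disks (USB drives)' = '{53f56307-b6bf-11d0-94f2-00a0c9efb8b4}'
    'CD and DVD drives'            = '{53f56308-b6bf-11d0-94f2-00a0c9efb8b4}'
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-RemovableMediaPolicy {
    # Collect the current state into one object for reporting and comparison.
    [PSCustomObject]@{
        UsbStorStart  = Get-RegValue -Path $UsbStorKey -Name 'Start'   # 3 = enabled (manual), 4 = disabled
        DenyAll       = Get-RegValue -Path $PolicyKey  -Name 'Deny_All' # 1 = "All Removable Storage classes: Deny all access"
        ClassPolicies = $DeviceClasses.GetEnumerator() | ForEach-Object {
            $classKey = Join-Path $PolicyKey $_.Value
            [PSCustomObject]@{
                Class     = $_.Key
                DenyRead  = Get-RegValue -Path $classKey -Name 'Deny_Read'
                DenyWrite = Get-RegValue -Path $classKey -Name 'Deny_Write'
            }
        }
    }
}

function Test-RemovableMediaPolicy {
    # Compliance check: the policy control passes if the global deny is set or every
    # listed class denies both read and write; the driver control requires Start = 4.
    $state = Get-RemovableMediaPolicy
    $findings = @()
    if ($state.DenyAll -ne 1) {
        $open = @($state.ClassPolicies | Where-Object { $_.DenyRead -ne 1 -or $_.DenyWrite -ne 1 })
        if ($open.Count -gt 0) {
            $findings += 'Removable storage is not denied by policy (Deny_All or per-class Deny_Read/Deny_Write missing).'
        }
    }
    if ($state.UsbStorStart -ne 4) {
        $findings += 'USBSTOR driver is not disabled (Start != 4); USB mass storage can still enumerate.'
    }
    [PSCustomObject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings; State = $state }
}

function Set-RemovableMediaPolicy {
    # Apply the deny policy for the listed classes and disable the USBSTOR driver.
    # SupportsShouldProcess gives -WhatIf so the change can be previewed before rollout.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($class in $DeviceClasses.GetEnumerator()) {
        $classKey = Join-Path $PolicyKey $class.Value
        if ($PSCmdlet.ShouldProcess($classKey, "Deny read/write for $($class.Key)")) {
            New-Item -Path $classKey -Force | Out-Null
            Set-ItemProperty -Path $classKey -Name 'Deny_Read'  -Value 1 -Type DWord
            Set-ItemProperty -Path $classKey -Name 'Deny_Write' -Value 1 -Type DWord
        }
    }
    if ($PSCmdlet.ShouldProcess($UsbStorKey, 'Disable USBSTOR driver (Start = 4)')) {
        Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord
    }
}

# Usage: report first, then preview the change before applying it.
$result = Test-RemovableMediaPolicy
$result.State | Format-List
if ($result.Compliant) { 'Removable-media policy: compliant' } else { $result.Findings }
# Set-RemovableMediaPolicy -WhatIf
```

The audit function is the part worth running on a schedule: reporting the two settings per host is how you show executive management that the control is actually in place, which the bullets above recommend but do not by themselves verify.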
6. What questions do you have for executive management in order to finalize your IT risk
mitigation plan?
7. What is the most important risk mitigation requirement you uncovered and want to
communicate to executive management? In your opinion, why is this the most important risk
mitigation requirement?
The need for comprehensive user awareness training is the most important requirement. Human error
remains one of the leading causes of security breaches. Educating employees on cybersecurity best
practices can significantly reduce risks related to phishing, weak passwords, and improper data
handling.
8. Based on your IT risk mitigation plan, what is the difference between short-term and
long-term risk mitigation tasks and ongoing duties?
9. Which of the seven domains of a typical IT infrastructure is easy to implement risk mitigation
solutions but difficult to monitor and track effectiveness?
In the User Domain, security controls (e.g., access policies, training) are easy to implement but difficult
to monitor, because human behavior is unpredictable and users remain susceptible to social engineering attacks.
10. Which of the seven domains of a typical IT infrastructure usually contains privacy data
within systems, servers, and databases?
The System/Application Domain stores sensitive data, including customer and employee
information, making it critical to secure through access controls and encryption.
11. Which of the seven domains of a typical IT infrastructure can access privacy data and also
store it on local hard drives and disks?
The Workstation Domain allows users to store and access sensitive data on their local devices,
making endpoint security essential.
12. Why is the Remote Access Domain the most risk-prone of all within a typical IT
infrastructure?
The Remote Access Domain is highly risk-prone due to external network connections, potential use
of unsecured personal devices, reliance on VPNs, and susceptibility to cyber threats such as
man-in-the-middle attacks and unauthorized access.
13. When considering the implementation of software updates, software patches, and software
fixes, why must you test this upgrade or software patch before you implement this as a risk
mitigation tactic?
Testing ensures compatibility with existing systems, prevents disruptions, verifies effectiveness, and
minimizes the risk of introducing new vulnerabilities or system failures.
14. Are risk mitigation policies, standards, procedures, and guidelines needed as part of your
long-term risk mitigation plan? Why or why not?
Yes, they are essential. These policies provide a structured approach to security, ensure compliance,
establish accountability, and guide employees in implementing best practices for risk management.
15. If an organization under a compliance law is not in compliance, how critical is it for your
organization to mitigate this non-compliance risk element?
It is extremely critical. Non-compliance can result in legal penalties, financial losses, reputational
damage, and operational disruptions. Implementing necessary controls ensures regulatory adherence
and protects the organization from legal consequences.