
Group IAA202 Lab6

Lab #6 focuses on developing a Risk Mitigation Plan Outline for an IT Infrastructure, where students will identify risks, threats, and vulnerabilities across seven domains. The lab requires students to utilize previous assessments to create a detailed outline that includes remediation steps and ongoing risk mitigation strategies. Deliverables include an IT risk management plan outline and answers to assessment questions, with evaluation criteria based on the alignment and definition of risk mitigation steps.

Uploaded by

buidangduy0505

Student Lab Manual

Laboratory #6

Lab #6: Develop a Risk Mitigation Plan Outline for an IT Infrastructure

Learning Objectives and Outcomes

Upon completing this lab, students will be able to:


• Identify the scope for an IT risk mitigation plan focusing on the seven domains of a typical IT
infrastructure
• Align the major parts of an IT risk mitigation plan within each of the seven domains of a typical
IT infrastructure
• Define the tactical risk mitigation steps needed to remediate the identified risk, threats, and
vulnerabilities commonly found in the seven domains of a typical IT infrastructure
• Define procedures and processes needed to maintain a security baseline definition for on-going
risk mitigation within the seven domains of a typical IT infrastructure
• Create a table of contents for an IT risk mitigation plan encompassing the seven domains of a
typical IT infrastructure

Required Setup and Tools


This is a paper-based lab and does not require the use of a “mock” IT infrastructure or virtualized server
farm.

The standard Instructor and Student VM workstation with Microsoft Office 2007 or higher is required for
this lab. Students will need access to their completed Lab #4 –Assessment Worksheet, Part A – Perform a
Qualitative Risk Assessment for an IT Infrastructure prioritizing the risks, threats, and vulnerabilities
identified from the qualitative risk assessment.

In addition, Microsoft Word is a required tool for the student to craft a table of contents for an IT risk
mitigation plan and for answering and submitting the Lab #6 – Assessment Worksheet questions and
answers.

Copyright © 2013 Jones & Bartlett Learning, LLC, an Ascend Learning Company Current Version Date: 05/30/2011 www.jblearning.com
All Rights Reserved.

Recommended Procedures
Lab #6 – Student Steps:
Student steps needed to perform Lab #6 – Develop a Risk Mitigation Plan Outline for an IT
Infrastructure:
1. Connect your removable hard drive or USB hard drive to a classroom workstation.
2. Boot up your classroom workstation and DHCP for an IP host address.
3. Login to your classroom workstation and enable Microsoft Word.
4. Obtain the results of your Lab #4 – Assessment Worksheet, Part A – Perform a Qualitative Risk
Assessment for an IT Infrastructure.
5. Identify the scenario and vertical industry you were assigned in Lab #4:
a. Healthcare provider under HIPAA compliance law
b. Regional bank under GLBA compliance law
c. Nationwide retailer under PCI DSS standard requirements
d. Higher-education institution under FERPA compliance law
6. Review the results of your Lab #4 – Perform a Qualitative Risk Assessment for an IT
infrastructure. Identify the prioritization of critical, major, and minor risk elements for the IT
infrastructure
7. Organize your qualitative risk assessment data according to the following:
• Review your executive summary from Lab #4 - Perform a Qualitative Risk Assessment for an
IT infrastructure
• Organize all critical “1” risks, threats, and vulnerabilities identified throughout the seven
domains of a typical IT infrastructure
8. Conduct a high-level narrative discussion and review of the elements of an IT risk mitigation plan
outline to consist of the following major topics/elements:
a. Executive summary
b. Prioritization of identified risks, threats, and vulnerabilities organized into the seven domains
c. Critical “1” risks, threats, and vulnerabilities identified throughout the IT infrastructure
d. Short-term remediation steps for critical “1” risks, threats, and vulnerabilities
e. Long-term remediation steps for major “2” and minor “3” risks, threats, and vulnerabilities
f. On-going IT risk mitigation steps for the seven domains of a typical IT infrastructure
g. Cost magnitude estimates for work effort and security solutions
h. Implementation plans for remediation

9. Craft a detailed IT risk mitigation plan outline by inserting appropriate sub-topics and sub-bullets
in the IT risk mitigation plan outline using the framework provided in step #8.

Deliverables
Upon completion of the Lab #6 – Develop a Risk Mitigation Plan Outline for an IT Infrastructure,
students are required to provide the following deliverables:
1. Lab #6 – An IT risk management plan outline using the framework provided. Students are to
insert appropriate details in the IT risk management plan outline to provide executive
management with a clear picture of what, where, and how risks, threats, and vulnerabilities must
be mitigated
2. Lab #6 - Assessment Questions and Answers

Evaluation Criteria and Rubrics


The following are the evaluation criteria and rubrics for Lab #6 that the students must perform:
1. Was the student able to relate the scope for an IT risk mitigation plan to the seven domains of a
typical IT infrastructure? – [20%]
2. Was the student able to align the major parts of an IT risk mitigation plan within each of the seven
domains of a typical IT infrastructure? – [20%]
3. Was the student able to define the tactical risk mitigation steps needed to remediate the identified
risk, threats, and vulnerabilities commonly found in the seven domains of a typical IT
infrastructure? – [20%]
4. Was the student able to define procedures and processes needed to maintain a security baseline
definition for on-going risk mitigation within the seven domains of a typical IT infrastructure? –
[20%]
5. Was the student able to create a table of contents for an IT risk mitigation plan encompassing the
seven domains of a typical IT infrastructure? – [20%]

Lab #6: Assessment Worksheet
Develop a Risk Mitigation Plan Outline for an IT Infrastructure


Course Name: IAA202-SU25

Student Name: Huỳnh Lê Anh Khoa, Trần Hữu Thịnh, Trần Quốc Trung, Đỗ Thành Đạt, Bùi Đăng Duy

Instructor Name: Nguyễn Trọng Hoàng

Lab Due Date: 29th June, 2025

Overview
After you have completed your qualitative risk assessment and identification of the critical “1” risks,
threats, and vulnerabilities, mitigating them requires proper planning and communication to executive
management. Students are required to craft a detailed IT risk management plan consisting of the
following major topics and structure:
A. Executive summary
"1" Critical - a risk, threat, or vulnerability that impacts compliance (i.e., privacy law
requirement for securing privacy data and implementing proper security controls, etc.) and
places the organization in a position of increased liability.
"2" Major - a risk, threat, or vulnerability that impacts the C-I-A of an organization's
intellectual property assets and IT infrastructure.
"3" Minor - a risk, threat, or vulnerability that can impact user or employee productivity or
availability of the IT infrastructure.
B. Prioritization of identified risks, threats, and vulnerabilities organized into the seven domains

Risk – Threat – Vulnerability | Primary Domain Impacted | Risk Impact/Factor | Explanation
Unauthorized access from public Internet | LAN-to-WAN | Critical | Unauthorized access from the public, especially from hackers, may lead to data breaches and harm internal systems, violating compliance.
User destroys data in application and deletes all files | Systems/Application | Critical | This leads to mass data loss and affects the integrity of systems.
Hacker penetrates your IT infrastructure and gains access to your internal network | LAN-to-WAN | Critical | Hackers inside the internal network can exploit data, disrupt services, and damage trust.
Intra-office employee romance gone bad | User | Minor | Employee distraction from personal issues may increase the likelihood of human error.
Fire destroys primary data center | Systems/Application | Major | Without a backup, this results in complete loss of data and services.
Service provider SLA is not achieved | Workstation | Major | Degrades service delivery and affects business operations.
Unauthorized access to organization owned Workstations | Workstation | Major | Data on workstations may be leaked or misused.
Loss of production data | Systems/Application | Minor | Disrupts operations temporarily and affects productivity.
Denial of service attack on organization DMZ and e-mail server | LAN-to-WAN | Major | Prevents access to services and disrupts communications.
Remote communications from home office | Remote Access | Major | If insecure, can provide attackers entry to internal networks.
LAN server OS has a known software vulnerability | LAN | Critical | Vulnerabilities can be exploited, compromising internal systems and data.
User downloads and clicks on an unknown | User | Critical | Can introduce malware and compromise the network.
Workstation browser has software vulnerability | Workstation | Major | Vulnerable browsers can be used for malware injection or phishing.
Mobile employee needs secure browser access to sales order entry system | User | Minor | Risk is low if secured, but potential exists if access is not properly managed.
Service provider has a major network outage | WAN | Minor | Can disrupt services but usually recoverable.
Weak ingress/egress traffic filtering degrades Performance | LAN-to-WAN | Minor | Reduces system performance and increases exposure to threats.
User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned computers | User | Minor | Potential for malware introduction; manageable through policy.
VPN tunneling between remote computer and ingress/egress router | Remote Access | Major | Unsecured or misconfigured VPNs can allow unauthorized access.
WLAN access points are needed for LAN connectivity within a warehouse | LAN | Minor | Require secure configuration, otherwise risk of open access.
Need to prevent rogue users from unauthorized WLAN access | LAN | Major | It prevents data exposure and unauthorized entry via WLAN.
DoS/DDoS attack from the WAN/Internet | WAN | Major | Overwhelm systems and interrupts service availability.

C. Critical “1” risks, threats, and vulnerabilities identified throughout the IT infrastructure
• Unauthorized access from public Internet
• User destroys data in application and deletes all files
• Hacker penetrates your IT infrastructure and gains access to your internal network
• LAN server OS has a known software vulnerability
• User downloads and clicks on an unknown
D. Remediation steps for mitigating critical “1” risks, threats, and vulnerabilities
• Unauthorized access from public Internet: strengthen firewall security and install an IPS and IDS in the infrastructure
• User destroys data in application and deletes all files: backup data, cloud storage
• Hacker penetrates your IT infrastructure and gains access to your internal network: identify and fix the vulnerabilities
• LAN server OS has a known software vulnerability: patch or update software
• User downloads and clicks on an unknown: restrict user access and require users to get authorization for downloads
E. Remediation steps for mitigating major “2” and minor “3” risks, threats, and vulnerabilities
- Conduct a risk assessment to prioritize threats to intellectual property and critical IT
infrastructure.
- Implement encryption and access controls to protect sensitive data and assets.
- Enhance network security by deploying firewalls, IDS/IPS, and regularly updating
security patches.
- Monitor systems continuously for unusual activity and conduct regular security audits.
- Develop an incident response plan to handle breaches quickly.
For Minor (3) risks:
- Improve backup and recovery systems to ensure quick restoration of IT infrastructure.
- Provide regular training to employees on security best practices and phishing
awareness.
- Implement redundant systems to maintain productivity during minor outages.
- Monitor system performance to address availability issues before they escalate.


F. On-going IT risk mitigation steps for the seven domains of a typical IT infrastructure
• Use firewalls and IDS/IPS to filter traffic between internal and external networks.
• Encrypt communications and regularly update router/switch firmware.

Systems/Application:
• Regularly patch software and update applications.
• Implement access controls and monitor for unauthorized access.
User:
• Enforce strong password policies and multi-factor authentication (MFA).
• Conduct ongoing security awareness training.
Workstation:
• Ensure endpoint protection with antivirus, firewalls, and automatic updates.
• Enforce least-privilege policies for users.
Remote Access:
• Require VPNs and MFA for secure remote access.
• Monitor for unusual remote login activities.
LAN:
• Implement network segmentation and access control lists (ACLs).
• Monitor network traffic for anomalies.
WAN:
• Ensure data encryption during transmission.
• Use redundant links for reliable connectivity.

G. Cost magnitude estimates for work effort and security solutions for the critical risks
Cost estimates for addressing critical risks typically involve the following: technology
solutions like firewalls, IDS/IPS, and encryption software can range from $10,000 to
$100,000+ depending on organization size. Labor costs for security experts, including ongoing
monitoring and incident response, can range from $100 to $250 per hour. Additionally,
employee training programs and periodic security audits may add $5,000 to $20,000
annually. Costs will vary based on the complexity and scale of the organization's
infrastructure.

H. Implementation plans for remediation of the critical risks


The implementation plan for remediating critical risks involves first prioritizing risks based
on their impact on C-I-A. Next, deploy immediate security controls like firewalls, encryption,
and access management. Follow with continuous monitoring and regular patching to prevent
vulnerabilities from recurring. Lastly, conduct security awareness training for employees and
implement an incident response plan for quick action in case of breaches.
