Lab #6: Assessment Worksheet
Develop a Risk Mitigation Plan Outline for an IT Infrastructure
Course Name: IAA202
Student Name: Ho Viet An
Instructor Name: Pham Ho Trong Nguyen
Lab Due Date: 14-10-2024
Overview
After you have completed your qualitative risk assessment and identified the critical “1” risks, threats, and vulnerabilities, mitigating them requires proper planning and communication to executive management. Students are required to craft a detailed IT risk management plan consisting of the following major topics and structure:
A. Executive Summary
State the purpose of the plan, the major risks identified, and a summary of the mitigation strategies. Keep this brief but informative so that executive management can quickly grasp the essential points.
Purpose: Explain the goal of the IT risk management plan (e.g., to identify,
prioritize, and mitigate risks in the IT infrastructure).
Key Findings: Summarize the critical risks and vulnerabilities discovered.
Mitigation Overview: Highlight the overall approach to addressing these
risks, focusing on critical ones.
B. Prioritization of Identified Risks, Threats, and Vulnerabilities Organized into
the Seven Domains
1. User Domain: Risks related to users' actions or inactions, such as phishing or
weak passwords.
2. Workstation Domain: Threats like malware, outdated software, or
unauthorized installations on workstations.
3. LAN Domain: Vulnerabilities like network misconfigurations or insufficient
segmentation.
4. LAN-to-WAN Domain: Risks in the transition from the internal network to
external (e.g., firewall misconfigurations).
5. WAN Domain: Risks in wide area networks, such as DDoS attacks or weak
encryption.
6. Remote Access Domain: Vulnerabilities in VPN configurations, remote
access protocols, or insufficient multi-factor authentication (MFA).
7. System/Application Domain: Threats related to application security, system
misconfigurations, or unpatched software.
Prioritize risks within each domain, ranking them as critical ("1"), major ("2"), or
minor ("3").
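The ranking step above is easier to apply consistently if each identified risk is scored the same way before it is placed into a domain and bucket. The following Python risk register is an added example, not part of the worksheet or the course material: it assumes a 1..3 likelihood scale and a 1..3 impact scale (both assumptions), multiplies them into a 1..9 score, maps the score onto the worksheet's critical "1" / major "2" / minor "3" ranking using assumed thresholds, and groups the result by the seven domains. The sample register entries and their likelihood/impact values are constructed for illustration; `critical_ones` also produces the list Section C asks for.

```python
from collections import defaultdict
from dataclasses import dataclass

# The seven domains of a typical IT infrastructure, as named in the worksheet.
SEVEN_DOMAINS = (
    "User", "Workstation", "LAN", "LAN-to-WAN",
    "WAN", "Remote Access", "System/Application",
)


@dataclass(frozen=True)
class Risk:
    domain: str
    description: str
    likelihood: int  # 1 = rare, 2 = possible, 3 = likely (assumed scale)
    impact: int      # 1 = low, 2 = moderate, 3 = severe (assumed scale)

    def __post_init__(self):
        # Reject entries that would otherwise silently distort the ranking.
        if self.domain not in SEVEN_DOMAINS:
            raise ValueError(f"unknown domain: {self.domain!r}")
        if not (1 <= self.likelihood <= 3 and 1 <= self.impact <= 3):
            raise ValueError("likelihood and impact must be in 1..3")


def score(risk: Risk) -> int:
    """Qualitative score = likelihood x impact, range 1..9."""
    return risk.likelihood * risk.impact


def rank(risk: Risk) -> int:
    """Map the score onto the worksheet's ranking: 1 critical, 2 major, 3 minor.

    The thresholds (>= 6 critical, >= 3 major, else minor) are an assumption
    of this example, not a rule stated in the worksheet.
    """
    s = score(risk)
    if s >= 6:
        return 1
    if s >= 3:
        return 2
    return 3


def prioritize(risks):
    """Group risks by domain (Section B); within a domain, order by rank,
    then by score with the highest first."""
    grouped = defaultdict(list)
    for r in risks:
        grouped[r.domain].append(r)
    return {
        d: sorted(grouped[d], key=lambda r: (rank(r), -score(r)))
        for d in SEVEN_DOMAINS
        if d in grouped
    }


def critical_ones(risks):
    """Section C: every critical '1' risk across all seven domains."""
    return [r.description for r in risks if rank(r) == 1]


# Constructed sample register; likelihood/impact values are illustrative only.
SAMPLE_REGISTER = [
    Risk("User", "phishing of employees", 3, 3),
    Risk("User", "weak passwords", 2, 2),
    Risk("Workstation", "malware on endpoints without EDR", 3, 3),
    Risk("Workstation", "outdated operating systems", 2, 3),
    Risk("LAN", "insufficient network segmentation", 2, 2),
    Risk("LAN-to-WAN", "firewall misconfiguration", 2, 3),
    Risk("WAN", "DDoS against internet links", 1, 3),
    Risk("WAN", "weak encryption in transit", 1, 2),
    Risk("Remote Access", "VPN access without MFA", 3, 3),
    Risk("System/Application", "unpatched application servers", 3, 3),
    Risk("System/Application", "insecurely configured printers", 1, 1),
]

if __name__ == "__main__":
    for domain, items in prioritize(SAMPLE_REGISTER).items():
        print(f"{domain} Domain")
        for r in items:
            print(f"  [{rank(r)}] score={score(r)} {r.description}")
```

Running the module prints the register domain by domain with each entry's bucket and score; the validation in `__post_init__` is there because a mistyped domain name or an out-of-range score is the usual way a hand-maintained register drifts from the ranking everyone else is using.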
C. Critical “1” Risks, Threats, and Vulnerabilities Identified Throughout the IT
Infrastructure
Identify and list the most critical risks for each of the seven domains. These are the
risks that, if exploited, would have the highest impact on the organization's operations
or data integrity.
Example:
User Domain: Insider threats, social engineering attacks.
Workstation Domain: Lack of endpoint detection and response (EDR)
solutions, outdated operating systems.
D. Remediation Steps for Mitigating Critical “1” Risks, Threats, and
Vulnerabilities
Describe the specific steps taken to mitigate each critical risk. These could involve technical controls (e.g., software updates, firewall rules) or organizational changes (e.g., user training).
Example:
Workstation Domain: Implement automated patch management to ensure all
systems are updated in a timely manner.
User Domain: Introduce mandatory phishing simulation training for all
employees.
E. Remediation Steps for Mitigating Major “2” and Minor “3” Risks, Threats,
and Vulnerabilities
While critical risks take priority, it's essential to address other risks as well. Provide a
plan for addressing major ("2") and minor ("3") risks.
Example:
Major Risks: Implement MFA for remote access, improve network
monitoring.
Minor Risks: Standardize password policies, configure printers securely.
F. Ongoing IT Risk Mitigation Steps for the Seven Domains of a Typical IT Infrastructure
Discuss continuous risk management and the steps necessary to maintain the security
posture over time. This includes:
Regular vulnerability scans and penetration testing.
Routine security audits and monitoring.
Employee security awareness programs.
Regular updates to security policies and procedures.
G. Cost Magnitude Estimates for Work Effort and Security Solutions for the
Critical Risks
Estimate the financial cost of implementing the security measures for critical risks.
Include:
Software/hardware costs (e.g., firewalls, EDR solutions).
Personnel costs (e.g., hiring new staff or consultants).
Training costs for employees.
Downtime costs for system updates or migrations.
H. Implementation Plans for Remediation of the Critical Risks
Provide a detailed timeline and action plan for implementing remediation efforts for
critical risks. This should include:
Milestones: Key stages in the implementation process.
Responsible Parties: Assign teams or individuals for each task.
Deadlines: Set deadlines for completion to ensure progress is tracked and on
schedule.
Contingencies: Outline backup plans in case certain efforts face delays or
obstacles.