
Lê Công Cảnh SE183750 Lab4

The document outlines a qualitative risk assessment for an IT infrastructure, focusing on various risks, threats, and vulnerabilities across seven domains. It includes a prioritization system for risk impact and factors, ranging from critical to minor, and provides a framework for an executive summary addressing findings, approach, and recommendations. Additionally, it features lab assessment questions that explore the objectives and challenges of conducting risk assessments, along with suggested mitigation solutions for identified risks.

Lab #4: Assessment Worksheet

Part A – Perform a Qualitative Risk Assessment for an IT Infrastructure

Course Name: IAA202
Student Name: Lê Công Cảnh
Instructor Name: DinhMH
Lab Due Date: 13/06/2025

Overview
The following risks, threats, and vulnerabilities were found in an IT
infrastructure. Your instructor will assign you one of four different
scenarios and vertical industries, each of which is under a unique
compliance law.
1. Scenario/Vertical Industry:
a. Healthcare provider under HIPAA compliance law
b. Regional bank under GLBA compliance law
c. Nationwide retailer under PCI DSS standard requirements
d. Higher-education institution under FERPA compliance law
2. Given the list, perform a qualitative risk assessment by assigning a
risk impact/risk factor to each of the identified risks, threats, and
vulnerabilities, within whichever of the seven domains of a typical IT
infrastructure the risk, threat, or vulnerability resides.
Risk – Threat – Vulnerability | Primary Domain Impacted | Risk Impact/Factor
--- | --- | ---
Unauthorized access from public Internet | LAN-to-WAN | Critical
User destroys data in application and deletes all files | Systems/Application | Critical
Hacker penetrates your IT infrastructure and gains access to your internal network | LAN-to-WAN | Critical
Intra-office employee romance gone bad | User | Minor
Fire destroys primary data center | Systems/Application | Major
Service provider SLA is not achieved | WAN | Minor
Workstation OS has a known software vulnerability | Workstation | Major
Unauthorized access to organization owned Workstations | Workstation | Major
Loss of production data | Systems/Application | Minor
Denial of service attack on organization DMZ and e-mail server | LAN-to-WAN | Major
Remote communications from home office | Remote Access | Major
LAN server OS has a known software vulnerability | LAN | Critical
User downloads and clicks on an unknown e-mail attachment | User | Critical
Workstation browser has software vulnerability | Workstation | Major
Mobile employee needs secure browser access to sales order entry system | User | Minor
Service provider has a major network outage | WAN | Minor
Weak ingress/egress traffic filtering degrades performance | LAN-to-WAN | Minor
User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned computers | User | Minor
VPN tunneling between remote computer and ingress/egress router | Remote Access | Major
WLAN access points are needed for LAN connectivity within a warehouse | LAN | Minor
Need to prevent rogue users from unauthorized WLAN access | LAN | Major
DoS/DDoS attack from the WAN/Internet | WAN | Major

3. For each of the identified risks, threats, and vulnerabilities, prioritize
them by listing a “1”, “2” or “3” next to each risk, threat, or vulnerability
found within each of the seven domains of a typical IT infrastructure.
“1” = Critical, “2” = Major, “3” = Minor. Define the following qualitative
risk impact/risk factor metrics:
- “1” Critical – a risk, threat, or vulnerability that impacts
compliance (i.e., privacy law requirement for securing privacy
data and implementing proper security controls, etc.) and places
the organization in a position of increased liability.
- “2” Major – a risk, threat, or vulnerability that impacts the C-I-A
of an organization’s intellectual property assets and IT
infrastructure.
- “3” Minor – a risk, threat, or vulnerability that can impact user
or employee productivity or availability of the IT infrastructure.
User Domain Risk Impacts: 1, 2, 3
Workstation Domain Risk Impacts: 2, 3
LAN Domain Risk Impacts: 1, 2
LAN-to-WAN Domain Risk Impacts: 1, 2, 3
WAN Domain Risk Impacts: 2, 3
Remote Access Domain Risk Impacts: 2, 3
Systems/Applications Domain Risk Impacts: 1, 2
4. Craft an executive summary for management using the following
4-paragraph format. The executive summary must address the following
topics:
- Paragraph #1: Summary of findings: risks, threats, and
vulnerabilities found throughout the seven domains of a typical IT
infrastructure
- Paragraph #2: Approach and prioritization of critical, major, minor
risk assessment elements
- Paragraph #3: Risk assessment and risk impact summary to the
seven domains of a typical IT infrastructure
- Paragraph #4: Recommendations and next steps for executive
management
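As an added example that is not part of the worksheet, the Python below encodes the step 2 table with the “1”/“2”/“3” scale from step 3 and groups the rated items by domain, so each domain's prioritized list and its set of impact levels can be read off rather than tallied by hand. The register is constructed from the table above (some descriptions shortened); the function names are this example's own.

```python
from collections import defaultdict

# Worksheet scale (step 3): "1" = Critical, "2" = Major, "3" = Minor.
PRIORITY = {"Critical": 1, "Major": 2, "Minor": 3}

# Constructed from the worksheet's step 2 table: (risk, primary domain, rating).
RISK_REGISTER = [
    ("Unauthorized access from public Internet", "LAN-to-WAN", "Critical"),
    ("User destroys data in application and deletes all files", "Systems/Application", "Critical"),
    ("Hacker penetrates IT infrastructure and gains internal access", "LAN-to-WAN", "Critical"),
    ("Intra-office employee romance gone bad", "User", "Minor"),
    ("Fire destroys primary data center", "Systems/Application", "Major"),
    ("Service provider SLA is not achieved", "WAN", "Minor"),
    ("Workstation OS has a known software vulnerability", "Workstation", "Major"),
    ("Unauthorized access to organization owned Workstations", "Workstation", "Major"),
    ("Loss of production data", "Systems/Application", "Minor"),
    ("Denial of service attack on organization DMZ and e-mail server", "LAN-to-WAN", "Major"),
    ("Remote communications from home office", "Remote Access", "Major"),
    ("LAN server OS has a known software vulnerability", "LAN", "Critical"),
    ("User downloads and clicks on an unknown e-mail attachment", "User", "Critical"),
    ("Workstation browser has software vulnerability", "Workstation", "Major"),
    ("Mobile employee needs secure browser access to sales order entry", "User", "Minor"),
    ("Service provider has a major network outage", "WAN", "Minor"),
    ("Weak ingress/egress traffic filtering degrades performance", "LAN-to-WAN", "Minor"),
    ("User inserts CDs and USB drives with personal media on org computers", "User", "Minor"),
    ("VPN tunneling between remote computer and ingress/egress router", "Remote Access", "Major"),
    ("WLAN access points are needed for LAN connectivity in a warehouse", "LAN", "Minor"),
    ("Need to prevent rogue users from unauthorized WLAN access", "LAN", "Major"),
    ("DoS/DDoS attack from the WAN/Internet", "WAN", "Major"),
]

def prioritize(register):
    """Group rated items by domain, most severe first: {domain: [(priority, risk), ...]}."""
    by_domain = defaultdict(list)
    for risk, domain, rating in register:
        by_domain[domain].append((PRIORITY[rating], risk))
    for items in by_domain.values():
        items.sort()  # 1 (Critical) ahead of 2 (Major) ahead of 3 (Minor)
    return dict(by_domain)

def domain_impacts(register):
    """Distinct priority levels present in each domain, e.g. {"WAN": [2, 3]} (step 3 format)."""
    return {d: sorted({p for p, _ in items}) for d, items in prioritize(register).items()}

if __name__ == "__main__":
    for domain, items in prioritize(RISK_REGISTER).items():
        print(domain, "->", domain_impacts(RISK_REGISTER)[domain], items)
```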

Answer Lab Assessment Questions

Overview
Answer the following Lab #4 – Assessment Worksheet questions
pertaining to the qualitative IT risk assessment you performed.
Lab Assessment Questions
1. What is the goal or objective of an IT risk assessment?
- To mitigate risks to prevent security incidents and to define how the
risk will be managed, controlled, and monitored.

2. Why is it difficult to conduct a qualitative risk assessment for an IT
infrastructure?
- Because a qualitative assessment is based on opinion rather than actual fact,
and IT risk assessments need to be based on a quantitative analysis.

3. What was your rationale in assigning “1” risk impact/ risk factor value
of “Critical” for an identified risk, threat, or vulnerability?
- Critical items need to be mitigated immediately.

4. When you assembled all of the “1” and “2” and “3” risk impact/risk
factor values to the identified risks, threats, and vulnerabilities, how did
you prioritize the “1”, “2”, and “3” risk elements? What would you say
to executive management in regards to your final recommended
prioritization?
- Items whose risk impact/risk factor is “1” or “2” need to be mitigated
immediately; “3” can be mitigated after the “1” and “2” items have been done.

5. Identify a risk mitigation solution for each of the following risk
factors:

User downloads and clicks on an unknown e-mail attachment – Restrict
user access and set it up so that a user has to get authorization for
downloads.

Workstation OS has a known software vulnerability – Patch or update
software.

Need to prevent eavesdropping on WLAN due to customer privacy data
access – Increase WLAN security using WPA2 and AES encryption.

Weak ingress/egress traffic filtering degrades performance –
Strengthen firewall filtering.

DoS/DDoS attack from the WAN/Internet – Strengthen firewall security,
install IPS and IDS systems in the infrastructure.

Remote access from home office – Make sure the VPN is in place and
secure.

Production server corrupts database – Remote server.