Lab 4: Perform A Qualitative Risk Assessment For An IT Infrastructure

This document contains a qualitative risk assessment performed for the IT infrastructure of a healthcare provider. Various risks were identified across seven domains: user, workstation, LAN, LAN-to-WAN, WAN, remote access, and systems/applications. Each risk was assigned a priority level of 1, 2, or 3 based on its potential impact. Risks rated 1 were critical and involved compliance or liability issues. Risks rated 2 impacted the confidentiality, integrity and availability of assets. Risks rated 3 involved user productivity or availability. The assessment aims to identify and prioritize risks to help secure systems and data.

Uploaded by

Bí Rẩy

Lab 4: Perform a Qualitative Risk Assessment for an IT Infrastructure
Name: Nguyễn Huỳnh Minh Đan
MSSV: SE159145

Part A – Perform a Qualitative Risk Assessment for an IT Infrastructure
1. Scenario/Vertical Industry:
Healthcare provider under HIPAA compliance law
| Risk – Threat – Vulnerability | Primary Domain Impacted | Risk Impact/Factor |
|---|---|---|
| Unauthorized access from public Internet | WAN | 1 |
| User destroys data in application and deletes all files | User | 2 |
| Hacker penetrates your IT infrastructure and gains access to your internal network | LAN | 1 |
| Intra-office employee romance gone bad | User | 3 |
| Fire destroys primary data center | System/Application | 1 |
| Service provider SLA is not achieved | WAN | 1 |
| Workstation OS has a known software vulnerability | Workstation | 2 |
| Unauthorized access to organization owned workstations | Workstation | 3 |
| Loss of production data | System/Application | 2 |
| Denial of service attack on organization DMZ and e-mail server | System/Application | 1 |
| Remote communications from home office | Remote Access | 3 |
| LAN server OS has a known software vulnerability | LAN | 1 |
| User downloads and clicks on an unknown e-mail attachment | User | 3 |
| Workstation browser has software vulnerability | Workstation | 2 |
| Mobile employee needs secure browser access to sales order entry system | User | 3 |
| Service provider has a major network outage | WAN | 1 |
| Weak ingress/egress traffic filtering degrades performance | LAN | 3 |
| User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned computers | User | 3 |
| VPN tunneling between remote computer and ingress/egress router is needed | Remote Access | 2 |
| WLAN access points are needed for LAN connectivity within a warehouse | LAN-to-WAN | 2 |
| Need to prevent eavesdropping on WLAN due to customer privacy data access | LAN-to-WAN | 3 |
| DoS/DDoS attack from the WAN/Internet | WAN | 1 |
3. For each of the identified risks, threats, and vulnerabilities, prioritize them by listing a “1”, “2”, or “3” next to each risk, threat, or vulnerability found within each of the seven domains of a typical IT infrastructure. “1” = Critical, “2” = Major, “3” = Minor. Define the following qualitative risk impact/risk factor metrics:

“1” Critical – a risk, threat, or vulnerability that impacts compliance (i.e., privacy law requirement for securing privacy data and implementing proper security controls, etc.) and places the organization in a position of increased liability.

“2” Major – a risk, threat, or vulnerability that impacts the C-I-A of an organization’s intellectual property assets and IT infrastructure.

“3” Minor – a risk, threat, or vulnerability that can impact user or employee productivity or availability of the IT infrastructure.
User Domain Risk Impacts: 3
Workstation Domain Risk Impacts: 3
LAN Domain Risk Impacts: 2
LAN-to-WAN Domain Risk Impacts: 2
WAN Domain Risk Impacts: 2
Remote Access Domain Risk Impacts: 1
Systems/Applications Domain Risk Impacts: 1

Part B – Perform a Qualitative Risk Assessment for an IT Infrastructure
Lab Assessment Questions:
1. What is the goal or objective of an IT risk assessment?
Risk assessment: to identify potential risks and vulnerabilities to the security, availability, and integrity of what an organization creates, receives, maintains, or transmits.
2. Why is it difficult to conduct a qualitative risk assessment for an IT infrastructure?
For infrastructure devices, risk should only be evaluated on a quantitative basis; if it is assessed qualitatively, the assessment must be based on a lot of infrastructure in order to infer the final result, which is the rate of the possible risks.
3. What was your rationale in assigning the “1” risk impact/risk factor value of “Critical” for an identified risk, threat, or vulnerability?
The "1" risk, threat, or vulnerability has an influence on compliance and exposes the organization to greater liability, but it is not as serious as the "2" or "3."
4. When you assembled all of the “1”, “2” and “3” risk impact/risk factor values for the identified risks, threats, and vulnerabilities, how did you prioritize the “1”, “2”, and “3” risk elements? What would you say to executive management in regards to your final recommended prioritization?
By determining the importance of the danger to the infrastructure and the urgency with which it must be managed. The 1 and 2 must be mitigated as quickly as feasible, while the 3 can be mitigated or left alone at the discretion of management.
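The prioritization described in the answers above is a mechanical rule once the register is written down: critical items first, then major, then minor, and a roll-up per domain so management can see where the 1s cluster. The following is an added example, not part of the lab document, that encodes the Part A table as a small risk register and applies the lab's 1/2/3 scale to it. The row data is copied from the table; the class and function names (`Risk`, `prioritize`, `domain_summary`, `must_mitigate_now`, `uncovered_domains`) are this example's own.

```python
"""Added example (not part of the lab): a qualitative risk register using the
lab's 1/2/3 impact scale and seven-domain model, with the prioritization
and per-domain roll-up that Part B question 4 describes."""
from collections import Counter
from dataclasses import dataclass

# The seven domains of a typical IT infrastructure, as named in the lab table.
DOMAINS = ("User", "Workstation", "LAN", "LAN-to-WAN", "WAN",
           "Remote Access", "System/Application")
# The lab's qualitative risk impact/risk factor scale.
LABELS = {1: "Critical", 2: "Major", 3: "Minor"}


@dataclass(frozen=True)
class Risk:
    description: str
    domain: str
    factor: int  # 1 = Critical, 2 = Major, 3 = Minor

    def __post_init__(self):
        # Reject rows that would silently fall outside the model.
        if self.domain not in DOMAINS:
            raise ValueError(f"unknown domain: {self.domain!r}")
        if self.factor not in LABELS:
            raise ValueError(f"factor must be 1, 2 or 3, got {self.factor!r}")


# Rows copied from the Part A table (description, domain, factor).
REGISTER = [
    Risk("Unauthorized access from public Internet", "WAN", 1),
    Risk("User destroys data in application and deletes all files", "User", 2),
    Risk("Hacker penetrates your IT infrastructure and gains access to your internal network", "LAN", 1),
    Risk("Intra-office employee romance gone bad", "User", 3),
    Risk("Fire destroys primary data center", "System/Application", 1),
    Risk("Service provider SLA is not achieved", "WAN", 1),
    Risk("Workstation OS has a known software vulnerability", "Workstation", 2),
    Risk("Unauthorized access to organization owned workstations", "Workstation", 3),
    Risk("Loss of production data", "System/Application", 2),
    Risk("Denial of service attack on organization DMZ and e-mail server", "System/Application", 1),
    Risk("Remote communications from home office", "Remote Access", 3),
    Risk("LAN server OS has a known software vulnerability", "LAN", 1),
    Risk("User downloads and clicks on an unknown e-mail attachment", "User", 3),
    Risk("Workstation browser has software vulnerability", "Workstation", 2),
    Risk("Mobile employee needs secure browser access to sales order entry system", "User", 3),
    Risk("Service provider has a major network outage", "WAN", 1),
    Risk("Weak ingress/egress traffic filtering degrades performance", "LAN", 3),
    Risk("User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned computers", "User", 3),
    Risk("VPN tunneling between remote computer and ingress/egress router is needed", "Remote Access", 2),
    Risk("WLAN access points are needed for LAN connectivity within a warehouse", "LAN-to-WAN", 2),
    Risk("Need to prevent eavesdropping on WLAN due to customer privacy data access", "LAN-to-WAN", 3),
    Risk("DoS/DDoS attack from the WAN/Internet", "WAN", 1),
]


def prioritize(register):
    """Critical first, then Major, then Minor. sorted() is stable, so rows
    with the same factor keep the register's original order as a tie-break."""
    return sorted(register, key=lambda r: r.factor)


def must_mitigate_now(register):
    """Per the lab's answer to question 4: 1s and 2s go to mitigation as soon
    as feasible; 3s are left to management's discretion."""
    return [r for r in register if r.factor <= 2]


def domain_summary(register):
    """Per domain: total rows, rows at each factor, and the worst factor present
    (None if the domain has no rows), so gaps in coverage are visible."""
    summary = {}
    for domain in DOMAINS:
        rows = [r for r in register if r.domain == domain]
        counts = Counter(r.factor for r in rows)
        summary[domain] = {
            "count": len(rows),
            "by_factor": {f: counts.get(f, 0) for f in LABELS},
            "worst": min((r.factor for r in rows), default=None),
        }
    return summary


def uncovered_domains(register):
    """Domains of the seven that have no risk recorded at all; a non-empty
    result means the assessment is incomplete, not that the domain is safe."""
    return [d for d in DOMAINS if not any(r.domain == d for r in register)]


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"[{r.factor} {LABELS[r.factor]:8}] {r.domain:19} {r.description}")
    print()
    for domain, s in domain_summary(REGISTER).items():
        print(f"{domain:19} total={s['count']} by_factor={s['by_factor']} worst={s['worst']}")
    print("uncovered domains:", uncovered_domains(REGISTER))
```

The roll-up is deliberately computed from the rows rather than typed in by hand: it makes the per-domain figures reproducible from the register, and `uncovered_domains` catches a domain that was simply never assessed, which a flat list of ratings would hide.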
5. Identify a risk mitigation solution for each of the following risk factors:
– User downloads and clicks on an unknown e-mail attachment: Set up user access restrictions and make it such that downloads require authorization.
– Workstation OS has a known software vulnerability: Regularly update software and install anti-malware software.
– Need to prevent eavesdropping on WLAN due to customer privacy data access: Enhance WLAN security using encryption such as WPA2 and AES.
– Weak ingress/egress traffic filtering degrades performance: Strengthen firewall filtering.
– DoS/DDoS attack from the WAN/Internet: Always enable firewall security and install IPS and IDS systems in the infrastructure.
– Remote access from home office: Make sure the VPN is in place and secure.
– Production server corrupts database: Restore the database from the last non-corrupt backup, and remove the corruption from the system.
