Lab6 (IAA202 IA1809 SE184732 NguyenHoangQuan)


Lab #6: Assessment Worksheet - Develop a Risk Mitigation Plan Outline for an IT Infrastructure

Course Name: Risk Management in Information Systems (IAA202)

Student Name: Nguyễn Hoàng Quân – SE184732

Instructor Name: Mai Hoàng Đỉnh

Lab Due Date: 2024-10-12 23:00:00 (GMT+07)

Overview
After you have completed your qualitative risk assessment and
identification of the critical “1” risks, threats, and vulnerabilities,
mitigating them requires proper planning and communication to executive
management. Students are required to craft a detailed IT risk management
plan consisting of the following major topics and structure:

A. Executive summary
• The detected threats, vulnerabilities, and hazards have been categorized as critical, major, and minor. Each risk, hazard, and vulnerability belongs to a certain domain and is assigned to one of these categories. A risk, hazard, or vulnerability that affects compliance (e.g., privacy legislation requirements for safeguarding privacy data and installing adequate security measures) and puts the company in a position of heightened responsibility is classified as critical (1). A risk, threat, or vulnerability that affects the C-I-A of an organization's intellectual property assets and IT infrastructure is classified as major (2). Minor (3) refers to a risk, threat, or vulnerability that might affect user or staff productivity or the IT infrastructure's availability. Each risk, hazard, and vulnerability was assigned to a category, along with the domain to which it belonged.

• For each category, the remediation processes for reducing the critical, major, and minor risks, threats, and vulnerabilities are almost identical. The first step is to double-check that all of your equipment is operational; if any of it fails, your network is exposed to risks, threats, and vulnerabilities. The second step is to compel users to use complex passwords, and preferably a two-factor authentication mechanism that requires both a password and a token to access the system. Encrypting all sensitive data is the third step. The fourth step is to ensure that your anti-virus software is up to date and that all of your software is patched. The fifth step is to add layers of protection by installing a host-based and a network-based firewall. The final step is for all workers to complete some form of security awareness training so that no passwords are shared.

• Ongoing IT risk mitigation is presented per domain for each of the seven domains, together with the company's current mitigation plan. The firm must follow HIPAA compliance regulations: the business is a medical school that handles medical records, and the medical records of patients must be kept private. The cost magnitude determines how much effort the firm is willing to put in. The medical firm prefers to stick to a reasonable budget, so everything will sit in the middle, neither too expensive nor too cheap; the firm is looking for the best protection at the best price. The implementation plan is a list of all the major hazards that need to be addressed. The strategy outlines the task, action plan, time range, and risk priority for each risk. This is a highly thorough strategy that outlines the steps that will be taken.

B. Prioritization of identified risks, threats, and vulnerabilities organized into the seven domains

Critical – 1
• Unauthorized access from public internet
• Hacker penetrates your IT Infrastructure and gains access to your internal network
• Unauthorized access to organization owned workstations
• Denial of service attack on organization DMZ and e-mail server
• Need to prevent eavesdropping on WLAN due to customer privacy data access
• DoS/DDoS attack from the WAN/ Internet
• Fire destroys primary data center
• User downloads and clicks on an unknown

Major – 2
• Workstation OS has a known software vulnerability
• Loss of production data
• Service provider has a major network outage
• VPN tunneling between remote computer and ingress/egress router is needed
• Remote communications from home office
• LAN server OS has a known software vulnerability
• User inserts CDs and USB hard drives with personal photos, music, and videos on
organization owned computers

Minor – 3
• Intra-office employee romance gone bad
• Workstation browser has software vulnerability
• Mobile employee needs secure browser access to sales order entry system
• Weak ingress/egress traffic filtering degrades performance
• WLAN access points are needed for LAN connectivity within a warehouse
• User destroys data in application and deletes all files
• Service provider SLA is not achieved

C. Critical “1” risks, threats, and vulnerabilities identified throughout the IT infrastructure
• Unauthorized access from public internet – Remote Access Domain
• Hacker penetrates your IT Infrastructure and gains access to your internal network –
LAN to WAN Domain
• Unauthorized access to organization owned workstations – Workstation Domain
• Denial of service attack on organization DMZ and e-mail server – LAN to WAN Domain
• Need to prevent eavesdropping on WLAN due to customer privacy data access – LAN to
WAN Domain
• DoS/DDoS attack from the WAN/ Internet – WAN Domain
• Fire destroys primary data center – Systems/Application

D. Remediation steps for mitigating critical “1” risks, threats, and vulnerabilities

Unauthorized access from public internet


• The first step in preventing this is to set up difficult passwords on the network. The next step would be to install a host-based firewall. To add an extra layer of security, you might also install a network-based firewall to make it more difficult for an attacker to gain access to your network. The final step is to ensure that the server and router both have difficult passwords.

Hacker penetrates your IT Infrastructure and gains access to your internal network

• The first step in reducing this risk would be to determine how the hacker gained access to your IT infrastructure. This is a critical phase in the process, since it is at this time that the part of the IT infrastructure that was breached must be repaired so that it does not happen again. The next step is to double-check all of the equipment to ensure that it is up to date and that the vulnerability was not caused by a flaw in the equipment that allowed the attacker access to the infrastructure. The next step would be to review all of the event logs to ensure that the breach did not originate from within the company. The final step would be to reset all passwords and make them more complex in order to make it much harder for the hacker to gain access to the system.

Unauthorized access to organization owned workstations

• The first step in reducing this danger will be to figure out how they got into the
workstation in the first place. After that, passwords will need to be updated, and lastly, all
workers will be required to undergo security awareness training.

Fire destroys primary data center

• Backing up all files and data is one approach to reduce the danger of this situation. Off-
site storage of files and data is recommended. The data and files will not be harmed by
the fire as a result of this.

Denial of service attack on organization DMZ and e-mail server

• To begin, check that your anti-virus software is up to date. If the anti-virus software is out of date, the DMZ and e-mail server will be vulnerable to attack. The next step is to double-check that the firewall is still up and running. The DMZ sits between the firewall and the server, so if an attack gets past the DMZ and into the server, there is a chance the firewall is not working properly.

Need to prevent eavesdropping on WLAN due to customer privacy data access

• The first step in mitigating this risk would be to encrypt all data in transit and at rest.
Another step would be to verify that the firewalls are operational and that the network is
complicated.

DoS/DDoS attack from the WAN/ Internet

• The first step in reducing this danger is to ensure that your anti-virus software is up to date. If it is, it should be able to detect a DoS/DDoS attack and alert you. The next step is to double-check that the firewall is still active. To help avoid any further harm to the network and systems caused by this attack, the WAN/Internet link should be unplugged. The next stage is to assess the system and network to determine how the attack took place and how it may be avoided in the future.

E. Remediation steps for mitigating major “2” and minor “3” risks,
threats, and vulnerabilities
The following measures would be taken to minimize major and minor risks, threats, and vulnerabilities:

• Step 1: Check the equipment to make sure the risk, danger, or vulnerability was not
caused by malfunctioning or failing equipment, such as servers.
• Step 2: Passwords should be needed for all users. Passwords should be long and
difficult to guess. Passwords should never be shared with anyone else. For sensitive
data, it may be advisable to use a two-factor authentication technique.
• Step 3: Encrypt any sensitive information. Data in transit and at rest should both be
encrypted. This will prevent the information from falling into the wrong hands.
• Step 4: Ensure that all anti-virus software is up to date. Guarantee that all fixes are
installed on the system to ensure that no known vulnerabilities exist.
• Step 5: To assure layers of security, install a host-based and network-based firewall, as
well as a hardware firewall.
• Step 6: Ensure that all staff have received security awareness training.

F. On-going IT risk mitigation steps for the seven domains of a typical IT infrastructure

• A policy prohibiting employees from establishing romantic relationships within the firm is one of the current risk mitigations utilized for the user domain. When a pair ends a relationship, they often don't want to see one another again, so seeing this person every day at work might turn sour at any point. One of the persons in the relationship, for example, may try to get the other in trouble by sending an email to the CEO from their personal email account. While dating, the pair exchanged passwords. This is why the firm insisted on enforcing the regulation.
• The operating system is up to date with the latest system on the market, which is the
current on-going risk mitigation in use in the workstation domain. When a new patch is
released by the manufacturer, the IT team will apply it to ensure that the system is free
of known vulnerabilities.
• As of now, there are no ongoing risk mitigations for the LAN domain. Risk mitigation
strategies for the LAN domain, WAN domain, and LAN to WAN domain are required by
the firm.
• All data is backed up regularly as part of the existing risk mitigations for the
system/application domain. Every week, a full backup is performed to guarantee that the
data is not lost. On a daily basis, a partition backup is performed. All backups are kept
off-site in case a natural disaster strikes and destroys the structure.
• Only a single-factor authentication procedure is currently utilized for risk mitigation in the
remote access domain. The user can access the system remotely, but they simply need
a password to do so.

G. Cost magnitude estimates for work effort and security solutions for the
critical risks

Task | Plan of Action | Day Started | Date to be completed | Priority
Unauthorized access from public Internet | Passwords that are difficult to guess; network-based firewall; host-based firewall | 1-4-15 | 5-4-15 | HIGH
Hacker penetrates your IT infrastructure and gains access to your internal network | Network-based firewall; complex passwords; host-based firewall; double-check all of your equipment; replace all passwords; examine the event logs | 1-4-15 | 15-4-15 | HIGH
Unauthorized access to organization owned workstations | Change all passwords | 1-4-15 | 3-4-15 | HIGH
Fire in the datacenter | Offsite backup of all files and data | 1-4-15 | Continuously | HIGH
User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned computers | Disable the optical and USB drives | 1-4-15 | 15-4-15 | HIGH
Need to prevent eavesdropping on WLAN due to customer privacy data access | Set up firewalls; encrypt all information | 1-4-15 | 15-4-15 | HIGH
Denial of service attack on organization DMZ and email server | Examine all anti-virus software; examine firewalls; double-check all of your equipment | 1-4-15 | 1-4-15 | HIGH
DoS/DDoS attack from the WAN/Internet | Examine all anti-virus software; examine firewalls; double-check all of your equipment | 1-4-15 | 1-4-15 | HIGH

H. Implementation plans for remediation of the critical risks

Risk-Threat-Vulnerability | Primary Domain Impacted | Risk Impact/Factor
Unauthorized access from public Internet | Remote Access Domain | 1
User destroys data in application and deletes all files | Systems/Application Domain | 3
Hacker penetrates your IT infrastructure and gains access to your internal network | LAN-to-WAN Domain | 1
Intra-office employee romance gone bad | User Domain | 3
Fire destroys primary data center | Systems/Application Domain | 1
Service provider SLA is not achieved | Service provider SLA is not achieved | 3
Workstation OS has a known software vulnerability | Workstation Domain | 2
Unauthorized access to organization owned workstations | Workstation Domain | 1
Loss of production data | Systems/Application Domain | 2
Denial of service attack on organization DMZ e-mail server | LAN-to-WAN Domain | 1
Remote communications from home office | Remote Access Domain | 2
LAN server OS has a known software vulnerability | LAN Domain | 2
User downloads and clicks on an unknown | User Domain | 1
Workstation browser has a software vulnerability | Workstation Domain | 3
Mobile employee needs secure browser access to sales order entry system | Remote Access Domain | 3
Service provider has a major network outage | WAN Domain | 2
Weak ingress/egress traffic filtering degrades performance | LAN-to-WAN Domain | 3
User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned computers | User Domain | 2
VPN tunneling between remote computer and ingress/egress router is needed | LAN-to-WAN Domain | 2
WLAN access points are needed for LAN connectivity within a warehouse | LAN Domain | 3
Need to prevent eavesdropping on WLAN due to customer privacy data access | LAN Domain | 1
DoS/DDoS attack from the WAN/Internet | WAN Domain | 1

• User Domain Risk Impacts: 3
• Workstation Domain Risk Impacts: 3
• LAN Domain Risk Impacts: 2
• LAN-to-WAN Domain Risk Impacts: 2
• WAN Domain Risk Impacts: 2
• Remote Access Domain Risk Impacts: 1
• Systems/ Applications Domain Risk Impacts: 1

Overview

After completing your IT risk mitigation plan outline, answer the following
Lab #6 – Assessment Worksheet questions. These questions are specific to
the IT risk mitigation plan outline you crafted as part of Lab #6 – Develop a
Risk Mitigation Plan Outline for an IT Infrastructure.

Lab Assessment Questions

1. Why is it important to prioritize your IT infrastructure risks, threats, and vulnerabilities?

• It is important to prioritize because you must be aware of which risks, threats, and vulnerabilities exist in your infrastructure. You need this so that you know where the most attention needs to be focused.
• Prioritizing IT infrastructure risks, threats, and vulnerabilities is important because not all
risks have the same potential impact on an organization. Prioritization helps ensure that
resources are focused on the most critical threats first. Without prioritizing, organizations
might waste time on lower-level risks while leaving critical vulnerabilities exposed. It also
allows management to make informed decisions by understanding which risks could
result in severe consequences like data breaches, legal violations, or business downtime.
For example, addressing a vulnerability that could lead to ransomware might be
prioritized over a minor issue that would only cause a small disruption. This helps
balance risk tolerance, budget, and effort.
2. Based on your executive summary produced in Lab #4 Perform a Qualitative
Risk Assessment for an IT infrastructure, what was the primary focus of your
message to executive management?

• In the executive summary produced in Lab #4, the primary focus to executive
management likely emphasized the most pressing risks, along with a strategic outline for
addressing those risks. The goal is to convey the potential impact on business
operations, reputation, and compliance if the risks aren’t addressed. It would also
highlight where immediate actions are necessary, and which risks can be managed over
time. The message likely underscored the need for investment in security measures to
protect critical assets and align the organization's IT infrastructure with best practices
and regulatory requirements.
• Setting up security measures through various means includes the following:
  • Forcing users to update their password every X number of days.
  • Educating the users.
  • Firewalls and anti-malware.

3. Given the scenario for your IT risk mitigation plan, what influence did your
scenario have on prioritizing your identified risks, threats, and vulnerabilities?

• The scenario for the IT risk mitigation plan would shape the way risks are prioritized by
considering the organization’s specific context, such as industry, the nature of its data,
and its threat landscape. For instance, if the scenario involves handling sensitive
healthcare information, compliance with regulations like HIPAA becomes a higher
priority, and data breaches or loss of patient information become top risks. This scenario
informs the risk management strategy, ensuring that the most significant threats are
addressed first. Threats with a high likelihood of occurrence or that could cause severe
damage (e.g., financial loss, legal penalties, or loss of reputation) would be placed
higher in the prioritization process.
• Common things such as user activity can be a very big risk, so your best bet is to
consider all options as potential threats. You will have to rank some risk higher than the
others.

4. What risk mitigation solutions do you recommend for handling the following
risk element?

• A user inserts a CD or USB hard drive with personal photos, music, and videos on organization owned computers: use a good antivirus program and have all devices scanned as soon as they are plugged in; educate employees; disable optical drives/USB ports.

• Implementing endpoint security solutions to restrict the use of unauthorized removable media. This can prevent the spread of malware and control data movement.
• Deploying Data Loss Prevention (DLP) software to monitor data transfer activities and
prevent the exfiltration of sensitive information.
• User awareness training to educate staff about the risks of using personal media on
company systems. This can reduce risky behaviors.
• Group policies or device control policies that can block USB ports or limit them to
authorized devices. This ensures only trusted media can be used, reducing the risk of data
leaks or malware.

5. What is a security baseline definition?

• A security baseline defines a set of basic security objectives which must be met by any
given service or system. The objectives are chosen to be pragmatic and complete, and
do not impose technical means.
• A security baseline definition sets the minimum-security configurations and practices
required for systems to be considered secure. It includes technical settings like
password policies, encryption standards, and firewall configurations, which are applied
across systems to ensure consistency and reduce vulnerabilities. Security baselines are
essential because they provide a starting point for enforcing security policies and
evaluating compliance. They help ensure that no system operates below an acceptable
level of security, minimizing weak points that attackers could exploit.
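The baseline definition in question 5 only becomes useful when something compares each host against it, and the same comparison covers the section E steps (password policy, two-factor authentication, encryption, anti-virus currency, firewalls) and the removable-media controls from question 4. The script below is an added example, not part of the lab worksheet: it expresses a baseline as a list of controls, each with a setting name, a comparison operator and a severity, and audits constructed host records against it, failing closed when a setting is absent from the record. The baseline values, the two host records, the Control fields and the function names are all this example's own assumptions.

```python
"""Audit host settings against a security baseline definition.

Added example; it is not part of the lab worksheet. The baseline and
the two host records are constructed to illustrate the settings the
worksheet names (password policy, two-factor authentication,
encryption, anti-virus currency, firewalls, removable media); the
Control fields, operators and function names are this example's own.
"""
from dataclasses import dataclass
from typing import Any

SEVERITY_ORDER = {"critical": 0, "major": 1}  # mirrors the worksheet's 1/2 scale


@dataclass(frozen=True)
class Control:
    setting: str    # key looked up in the host configuration record
    op: str         # "eq" | "min" | "max" | "in"
    expected: Any   # value, bound, or allowed set, depending on op
    severity: str   # "critical" or "major"


# Constructed baseline: the minimum any host must meet.
BASELINE = [
    Control("min_password_length", "min", 12, "major"),
    Control("mfa_required", "eq", True, "critical"),
    Control("disk_encryption", "eq", "enabled", "critical"),
    Control("host_firewall", "eq", "on", "critical"),
    Control("antivirus_signature_age_days", "max", 7, "major"),
    Control("removable_media", "in", frozenset({"blocked", "read_only"}), "major"),
    Control("tls_min_version", "min", 1.2, "major"),
]

# Constructed host records, as a configuration agent might export them.
HOSTS = {
    "ws-01": {
        "min_password_length": 14, "mfa_required": True,
        "disk_encryption": "enabled", "host_firewall": "on",
        "antivirus_signature_age_days": 1, "removable_media": "blocked",
        "tls_min_version": 1.3,
    },
    "ws-02": {  # drifted host: short passwords, stale AV, open USB, no MFA key at all
        "min_password_length": 8,
        "disk_encryption": "enabled", "host_firewall": "on",
        "antivirus_signature_age_days": 30, "removable_media": "allowed",
        "tls_min_version": 1.2,
    },
}


def evaluate(control, config):
    """Return (passed, observed). A setting missing from the record fails closed."""
    if control.setting not in config:
        return False, None
    observed = config[control.setting]
    if control.op == "eq":
        passed = observed == control.expected
    elif control.op == "min":
        passed = observed >= control.expected
    elif control.op == "max":
        passed = observed <= control.expected
    elif control.op == "in":
        passed = observed in control.expected
    else:
        raise ValueError(f"unknown operator {control.op!r}")
    return passed, observed


def audit(config, baseline=BASELINE):
    """Return one finding per failed control, worst severity first."""
    findings = []
    for control in baseline:
        passed, observed = evaluate(control, config)
        if not passed:
            findings.append({"setting": control.setting, "severity": control.severity,
                             "expected": control.expected, "observed": observed})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


def compliant(config, baseline=BASELINE):
    """True when every control in the baseline passes for this record."""
    return not audit(config, baseline)


def worst_severity(findings):
    """Highest severity among the findings, or None when the host is compliant."""
    if not findings:
        return None
    return min((f["severity"] for f in findings), key=SEVERITY_ORDER.__getitem__)


if __name__ == "__main__":
    for host, config in HOSTS.items():
        findings = audit(config)
        status = "COMPLIANT" if not findings else worst_severity(findings).upper()
        print(f"{host}: {status}")
        for f in findings:
            print(f"  [{f['severity']}] {f['setting']}: expected {f['expected']!r}, observed {f['observed']!r}")
```

Treating a missing setting as a failure is the important design choice: a record that simply omits mfa_required would otherwise pass the critical control, which is exactly the "system operating below an acceptable level" the baseline exists to catch. The audit is usable for both purposes the answer names, enforcing the baseline on new systems and measuring compliance on existing ones, because it returns findings rather than only printing them.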

6. What questions do you have for executive management in order to finalize your
IT risk mitigation plan?

• How did the executive team become acquainted with cutting-edge risk management
techniques?
• Are you utilizing a recognized risk standard or framework to manage risk and uncertainty
in general?
• How have you delegated risk management inside your organizations?

• What is the organization’s risk tolerance? (This determines how aggressive or conservative the mitigation strategies should be.)
• What budget and resources are available for implementing security controls and
mitigating risks?
• Are there any upcoming regulatory audits or compliance requirements that need to be
addressed within a specific timeline?
• What is the business impact if certain risks materialize, and which areas are considered
mission-critical?
• How does management want to balance between preventive measures (such as training
and policies) versus reactive measures (like incident response)?
7. What is the most important risk mitigation requirement you uncovered and
want to communicate to executive management?

• The most important risk mitigation requirement might be enforcing robust access
controls. This is because improper access management is one of the primary causes of
data breaches. Ensuring that only authorized personnel have access to sensitive
information is critical for protecting the organization from internal and external threats.
Access control includes implementing strong authentication methods (like multi-factor
authentication) and regularly reviewing user permissions. This requirement is key
because data breaches can lead to significant financial, legal, and reputational damage,
making this one of the highest priority areas to address.

8. Based on your IT risk mitigation plan, what is the difference between short-
term and long-term risk mitigation tasks and on-going duties?

• Short-term risks are those that can be rectified quickly and will (most likely) have no long-term consequences for the firm; long-term risks, on the other hand, are those that can result in fines if they entail compliance concerns. Ongoing duties are the everyday tasks that must be completed in order for the firm to operate safely.

The difference between short-term and long-term risk mitigation tasks is in their scope and
focus. Short-term tasks are immediate actions taken to address known vulnerabilities or threats.
These can include:

• Patching known software vulnerabilities.
• Updating firewall rules or reconfiguring access controls.
• Implementing a temporary monitoring solution.

9. Which of the seven domains of a typical IT infrastructure is easy to implement risk mitigation solutions but difficult to monitor and track effectiveness?

• The Workstation Domain of IT infrastructure is generally the easiest to implement risk mitigation solutions for, as workstations are usually uniform, allowing for standardization of security settings like anti-virus software, encryption, and system patches. However, it can be difficult to monitor and track the effectiveness of these solutions due to the large number of individual devices and users. Human error, such as employees downloading unapproved software or falling for phishing attacks, can also introduce risks that are hard to control across numerous workstations.

10. Which of the seven domains of a typical IT infrastructure usually contains
privacy data within systems, servers, and databases?

• The System/Application Domain typically contains privacy data, as it includes systems, servers, and databases where sensitive information is stored and processed. For example, this domain holds customer records, financial data, or healthcare information, depending on the organization. Securing this domain involves implementing access controls, encryption, regular audits, and data backup solutions.

11. Which of the seven domains of a typical IT infrastructure can access privacy
data and also store it on local hard drives and disks?

• The User Domain can access and store privacy data, especially if employees use local
drives to save sensitive information. This domain includes end-users who interact with
data, often downloading, storing, or transferring files on personal or work devices. Local
storage increases the risk of data loss or theft, making this domain a key area for
enforcing data security policies and encryption.

12. Why is the Remote Access Domain the most risk prone of all within a typical
IT infrastructure?

• Because it enables people to access the intranet from afar. Users can connect to network resources with ease. If the remote access server is a dial-in server, users can connect by dialing in. You can also utilize a virtual private network (VPN). A VPN enables users to connect to a private network over a public network such as the internet. You must, however, reduce the danger of an attacker gaining unauthorized access to the same resources. Users who work from home computers or mobile devices such as laptops while on the job may drastically enhance their productivity and flexibility using remote access solutions.
• The Remote Access Domain is highly risk-prone because it opens up the organization’s
network to external users who are not physically located within the company’s secured
environment. Remote access, particularly when employees use personal or unsecured
devices, can expose the organization to threats like man-in-the-middle attacks, weak
authentication, and insecure Wi-Fi networks. This domain also increases the complexity
of enforcing security policies uniformly across all remote users.
13. When considering the implementation of software updates, software patches,
and software fixes, why must you test this upgrade or software patch before you
implement this as a risk mitigation tactic?

• To ensure that there are no harmful elements, such as viruses, that might propagate to
other systems.
• Testing software updates, patches, and fixes before implementation is critical because
new code can introduce unintended vulnerabilities or conflicts with existing systems,
leading to instability or new security gaps. By testing in a controlled environment,
organizations can assess whether the update works as intended, does not conflict with
other software, and does not negatively affect business operations. Skipping this step
can result in downtime or create new attack vectors.

14. Are risk mitigation policies, standards, procedures, and guidelines needed as
part of your long term risk mitigation plan? Why or why not?

• Yes, so everything is done in a certain order to ensure completion and accuracy.
• Risk mitigation policies, standards, procedures, and guidelines are essential for
long-term success. Policies and standards provide a clear framework for how risks are to
be managed across the organization. They ensure consistency in how security is
implemented and maintained. Procedures offer step-by-step guidance for specific tasks,
such as responding to a data breach, while guidelines help inform best practices for
different scenarios. Without these, the organization could face inconsistent practices,
lack of accountability, and increased risk of security incidents.

15. If an organization under a compliance law is not in compliance, how critical is it for your organization to mitigate this non-compliance risk element?

• It is critical for a company to understand which laws apply to them. Once these have
been discovered, it is critical to guarantee that the company is compliant.
Noncompliance might have serious ramifications. Some laws impose significant fines on
organizations. Other laws may result in incarceration. Some can have a detrimental
impact on an organization's capacity to do business. For example, HIPAA violations can
result in fines of up to $25,000 per year. An internal compliance program can help to
prevent these costly blunders.
• If an organization is under a compliance law but not in compliance, mitigating this non-
compliance risk is critical. Non-compliance can result in severe consequences, including
heavy fines, legal sanctions, loss of contracts, and reputational damage. For industries
with strict regulations (e.g., finance, healthcare), failure to comply with laws such as
GDPR, HIPAA, or PCI-DSS can lead to the suspension of operations or the loss of
customer trust. Addressing compliance risks should be a top priority because legal and
financial penalties could far outweigh the costs of implementing compliance measures.
