Lab #3 - Assessment Worksheet

Course Name: IAA202


Student Name: Dương Chí Hùng - SE151235
Instructor Name: Nguyễn Tấn Danh
Lab Due Date: 4/6/2021

Overview
1. Circle the scenario and industry vertical your Instructor assigned to
your group:
a. Healthcare provider under HIPAA compliance law
b. Regional bank under GLBA compliance law
c. Nationwide retailer under PCI DSS standard requirements
d. Higher-education institution under FERPA compliance law

2. Make sure your table of contents addresses your scenario and
vertical industry.
I’m sure.
3. Make sure your table of contents includes at a minimum, the five
major parts of IT risk management:
Risk planning
Risk identification
Risk assessment
Risk mitigation
Risk monitoring

4. Make sure your table of contents is executive management ready
and addresses all the risk topics and issues needed for executive
management awareness.
I’m sure.
5. Answer Lab #3 – Assessment Worksheet questions and submit as
part of your Lab #3 deliverables.
The worksheet is below this page.
Lab Assessment Questions


1. What is the goal or objective of an IT risk management plan?
To define how risks will be managed, monitored, and controlled
throughout the project.

2. What are the five fundamental components of an IT risk
management plan?
- Risk Planning
- Risk Identification
- Risk Assessment
- Risk Mitigation
- Risk Monitoring

3. Define what risk planning is.
Risk planning is a specialized type of project management. You create a
risk management plan to mitigate risks. It helps you identify the risks
and choose the best solutions. It also helps you track the solutions to
ensure they are implemented on budget and on schedule.

4. What is the first step in performing risk management?
Risk Identification

5. Risk Assessment is the exercise when you are trying to identify an
organization’s risk health.
Risk Assessment

6. What is the practice that helps reduce or eliminate risk?
Risk Mitigation

7. What is the on-going practice that helps track risk in real-time?
Risk Monitoring
8. Given that an IT risk management plan can be large in scope, why is
it a good idea to develop a risk management plan team?
So that no tasks are easily missed and the goal of the project can be
completed.

9. Within the seven domains of a typical IT infrastructure, which
domain is the most difficult to plan, identify, assess, remediate, and
monitor?
User Domain

10. From your scenario perspective, with which compliance law
or standard does your organization have to comply? How did this
impact the scope and boundary of your IT risk management
plan?
Honoring that the law requires students to receive their grades from
instructors in person.

11. How did the risk identification and risk assessment of the
identified risks, threats, and vulnerabilities contribute to your IT
risk management plan table of contents?
The identified risks were detailed in the table of contents so that the
information needed for each one could be located.

12. What risks, threats, and vulnerabilities did you identify and
assess that require immediate risk mitigation given the criticality
of the threat or vulnerability?
Unauthorized access from public Internet; hacker penetrates IT
Infrastructure; Communication circuit outages; user destroys data; fire
destroys data; loss of production server; service provider has a major
network outage.

13. For risk monitoring, what techniques or tools can you
implement within each of the seven domains of a typical IT
infrastructure to help mitigate risk?
a. User Domain: raise user awareness and implement acceptable use
policies (AUPs) to ensure users know what they should and shouldn’t
be doing. Use login banners to remind users of the AUPs. Send out
occasional e-mails with security tidbits to keep security in their minds,
and use posters in employee areas.
b. Workstation Domain: install antivirus software and update it
regularly, keep operating systems up to date, and evaluate and deploy
security patches as they become available.
c. LAN Domain: routers have ACLs (access control lists) which control
what traffic is allowed through them. Switches can be programmed for
specific functionality. They are commonly located in a wiring closet or
server room, which provides physical security. Modify ACLs as needed.
Practice port security as an added control. This ensures that only
specific computers are able to attach to the network device, so that an
attacker who brings his own computer won’t be able to connect it to the
network.
d. LAN-to-WAN Domain: firewalls that discriminate and allow only
certain types of traffic through. Train admins to understand the
importance of limiting the number of firewall rules.
e. WAN Domain: use a demilitarized zone (DMZ) built from two
firewalls. One firewall has direct access to the Internet and the other
to the internal network. When patches are available, test them to
ensure they don’t have any negative impact and then deploy them to
the servers.
f. Remote Access Domain: several different controls can be used to
protect servers. Automatic callback is one, used with dial-in remote
access servers: after the user is prompted to log on and does so, the
server hangs up and calls back the user’s registered home number.
This is used with people who work from home. Another is remote
access policies, which are used to specify that only Layer 2 Tunneling
Protocol (L2TP) connections are allowed. Additionally, Internet
Protocol Security (IPsec) can be required to ensure the connection is
encrypted.
g. Systems/Applications Domain: ensure administrators have
adequate training and knowledge. Configuration and change
management practices are helpful: configuration management ensures
the systems are configured using sound security practices, and change
management ensures that the configuration is not modified without
adequate review. Administrators of these systems need to test the
patches they get from vendors, make sure there are no negative
effects, and then roll them out.

14. For risk mitigation, what processes and procedures are needed to
help streamline and implement risk mitigation solutions to the
production IT infrastructure?
Qualitative risk assessment: subjective; based on the opinions of
experts; quicker and cheaper; uses word values such as Low, Medium,
High; requires a definition of the scales used in the risk assessment.
Quantitative risk assessment: objective; uses numeric values, i.e.
dollar amounts; requires access to a large amount of historical data,
which is not always available; based on the SLE, ARO, and ALE
formulas; shows clear losses and savings in dollar values; the data can
be used for cost-benefit analysis.
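The two assessment methods above, worked through in code. This is an added example written for this worksheet, not part of the original lab or its textbook; the 3x3 qualitative scale, the asset values, exposure factors and occurrence rates are all constructed figures for the threats listed in question 12, and the safeguard cost is an assumption. It goes slightly beyond the worksheet by also ranking the threats by ALE, which is how the "immediate mitigation" list of question 12 would be justified with numbers.

```python
"""Qualitative and quantitative risk assessment, as described in question 14.
Added example for this worksheet; every figure below is constructed."""
from dataclasses import dataclass

# Qualitative: the scales must be defined before rating anything
# (the worksheet notes a "definition of scales" is required).
# Constructed 3x3 likelihood x impact matrix.
LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3}
IMPACT = {"Low": 1, "Medium": 2, "High": 3}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Map a likelihood/impact pair to Low/Medium/High using the product score."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


# Quantitative: SLE = AV * EF, ALE = SLE * ARO.
@dataclass
class QuantRisk:
    name: str
    asset_value: float      # AV, dollars at risk
    exposure_factor: float  # EF, fraction of AV lost per event (0..1)
    aro: float              # annualized rate of occurrence (events per year)

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


def safeguard_value(before: QuantRisk, after: QuantRisk, annual_cost: float) -> float:
    """Cost-benefit of a control: (ALE before - ALE after) - annual cost.
    Positive means the control saves more than it costs."""
    return before.ale() - after.ale() - annual_cost


def rank_for_mitigation(risks):
    """Highest ALE first: the order in which mitigation should be funded."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed sample figures for threats named in question 12.
RISKS = [
    QuantRisk("Unauthorized access from public Internet", 500_000, 0.30, 2.0),
    QuantRisk("Fire destroys data", 2_000_000, 0.80, 0.05),
    QuantRisk("Loss of production server", 250_000, 1.00, 0.5),
    QuantRisk("Service provider network outage", 100_000, 0.20, 4.0),
]

if __name__ == "__main__":
    for r in rank_for_mitigation(RISKS):
        print(f"{r.name:45s} SLE=${r.sle():>12,.0f} ALE=${r.ale():>12,.0f}")
    print("High likelihood, Medium impact ->", qualitative_rating("High", "Medium"))
    # Assumed control: a firewall/IDS that cuts the intrusion ARO from 2.0 to 0.5
    # at an assumed annual cost of $60,000.
    before = RISKS[0]
    after = QuantRisk(before.name, before.asset_value, before.exposure_factor, 0.5)
    print("Net annual value of control:", safeguard_value(before, after, 60_000))
```

The ranking is what separates the "immediate mitigation" items from the rest: a rare but catastrophic event (the fire) can end up below a frequent, moderate one (the Internet intrusion) once the ARO is factored in, and the safeguard calculation shows whether a proposed control is actually worth its annual cost.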

15. How does risk mitigation impact change control management and
vulnerability management?
Change control is a systematic way of approaching change within an
organization. It can prevent services from being interrupted and, if
they are, provides a plan to bring them back up as soon as possible.