Lab 2 Assessment Worksheet Align Risk TH
Align Risk, Threats, & Vulnerabilities to COBIT P09 Risk Management Controls
Overview
Due to time constraints on the course, this lab will be omitted. All students will receive credit for this lab
assignment.
Lab #3: Assessment Worksheet
Overview
Answer the following Lab #3 – Assessment Worksheet questions pertaining to your IT risk management
a. To define how risks will be managed, monitored, and controlled throughout the project
a. Risk Planning
b. Risk Identification
c. Risk Assessment
d. Risk Mitigation
e. Risk Monitoring
a. A specialized type of project management. You create a risk management plan to mitigate
risks. It helps you identify the risks and choose the best solutions. It also helps you track
5. True/False: Risk Assessment is the exercise when you are trying to identify an organization’s risk
health.
a. False
6. True/False: Risk Mitigation is the practice that helps reduce or eliminate risk.
a. True
7. True/False: Risk Monitoring is the on-going practice that helps track risk in real-time
a. True
8. Given that an IT risk management plan can be large in scope, why is it a good idea to
a. So that no tasks are missed and the goal of the project can be completed
9. Within the seven domains of a typical IT infrastructure, which domain is the most difficult to
a. User Domain
10. For risk monitoring, what techniques or tools can you implement within each of the seven
a. User Domain: raise user awareness and implement acceptable use policies (AUPs)
to ensure users know what they should and should not be doing. Use login
banners to remind users of the AUP. Send out occasional e-mails with security
tidbits to keep security on their minds, and use posters in employee areas
functionality. They are commonly located in a wiring closet or server room, which
gives them physical protection. Modify ACLs as needed. Practice port security
as an added control. This ensures that only specific computers are able to attach
to the network device. What that means is that if an attacker brings his own computer, he
d. LAN-to-WAN Domain: firewalls that would discriminate and allow only certain
e. WAN Domain: use of a demilitarized zone (DMZ), which uses two firewalls. One firewall
has direct access to the Internet and the other to the internal network. When
patches are available, test them to ensure they don't have any negative impacts and
f. Remote Access Domain: you can use several different controls to protect servers.
Automatic callback is one for dial-in remote access servers: the server prompts the
user to log on and, once she has, hangs up and calls back a pre-configured home number. This is
used with people who work from home. Another one is remote access policies.
They are used to specify that only Layer 2 Tunneling Protocol (L2TP) connections are
the patches they get from the vendors, make sure there are no negative effects, and then
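The LAN Domain answer above leans on port security, and the monitoring side of that control is the log line the switch emits when a violation happens. The following is an added example, not part of the original worksheet: it parses Cisco IOS-style PSECURE_VIOLATION syslog lines, checks each offending MAC against an asset inventory, and flags ports that trip repeatedly so an analyst knows which one to walk to first. The message format is assumed to be the Cisco IOS one (other vendors need a different regex); the sample log, the inventory and the repeat threshold are all constructed for illustration.

```python
"""Added example: turn port-security syslog into a risk-monitoring report.

Input format is assumed to be Cisco IOS PSECURE_VIOLATION messages relayed by
syslog (timestamp, switch hostname, then the IOS message). The sample log,
asset inventory and alert threshold below are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Matches the Cisco IOS message shape; the lazy `.*?` skips the IOS-side
# sequence number and timestamp that precede the mnemonic.
VIOLATION_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<switch>\S+) .*?"
    r"%PORT_SECURITY-2-PSECURE_VIOLATION(?:_VLAN)?: Security violation occurred, "
    r"caused by MAC address (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) "
    r"on port (?P<port>[A-Za-z]+\d+(?:/\d+)*)",
    re.IGNORECASE,
)

# Constructed syslog excerpt: three hits on one port from a MAC nobody owns,
# and a known warehouse scanner plus an unknown MAC on another port.
SAMPLE_LOG = """\
Jan 12 09:14:22 sw-floor2 45: Jan 12 09:14:21.004: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/12.
Jan 12 09:14:25 sw-floor2 46: Jan 12 09:14:24.118: %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to up
Jan 12 09:15:02 sw-floor2 47: Jan 12 09:15:01.330: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/12.
Jan 12 09:15:40 sw-floor2 48: Jan 12 09:15:39.902: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/12.
Jan 12 09:20:11 sw-wh1 102: Jan 12 09:20:10.551: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address AABB.CCDD.EEFF on port FastEthernet0/3.
Jan 12 09:31:08 sw-wh1 103: Jan 12 09:31:07.009: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port FastEthernet0/3.
"""

# Constructed asset inventory: MAC -> description of a device that is allowed
# on the network somewhere (not necessarily on the port it just hit).
KNOWN_MACS = {"aabb.ccdd.eeff": "warehouse handheld scanner WH-03"}


@dataclass(frozen=True)
class Violation:
    ts: str
    switch: str
    port: str
    mac: str


def parse_violations(log_text):
    """Return one Violation per PSECURE_VIOLATION line; other messages are ignored."""
    found = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            found.append(Violation(m["ts"], m["switch"], m["port"], m["mac"].lower()))
    return found


def triage(violations, inventory, repeat_threshold=3):
    """Group violations per (switch, port) and decide what each port needs.

    An unknown MAC is treated as an unauthorized device; a MAC that is in the
    inventory but on the wrong port is a misplaced asset. Either way, a port
    that reaches the threshold is marked repeated so it gets looked at first.
    """
    by_port = defaultdict(list)
    for v in violations:
        by_port[(v.switch, v.port)].append(v)
    report = {}
    for key, events in sorted(by_port.items()):
        macs = sorted({v.mac for v in events})
        unknown = [m for m in macs if m not in inventory]
        verdict = "unauthorized device" if unknown else "known asset on wrong port"
        if len(events) >= repeat_threshold:
            verdict += " (repeated)"
        report[key] = {
            "count": len(events),
            "first_seen": events[0].ts,
            "last_seen": events[-1].ts,
            "unknown_macs": unknown,
            "known_macs": {m: inventory[m] for m in macs if m in inventory},
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for (switch, port), info in triage(parse_violations(SAMPLE_LOG), KNOWN_MACS).items():
        print(f"{switch} {port}: {info['count']} violation(s), {info['verdict']}")
```

Port security only ever tells you that an unexpected MAC showed up; it cannot tell you whose machine it is. That is why the triage step joins the log against an inventory: a known scanner on the wrong port is a cabling or process problem, an unknown MAC hitting the same port three times in a minute is what the worksheet's "attacker brings his own computer" scenario looks like in the logs.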
Overview
The following risks, threats, and vulnerabilities were found in an IT infrastructure. Your instructor will
assign you one of four different scenarios and vertical industries, each of which is under a unique
compliance law.
1. Scenario/Vertical Industry:
2. Given the list, perform a qualitative risk assessment by assigning a risk impact/risk factor to each
of the identified risks, threats, and vulnerabilities throughout the seven domains of a typical IT
3. For each of the identified risks, threats, and vulnerabilities, prioritize them by listing a “1”, “2”,
and “3” next to each risk, threat, vulnerability found within each of the seven domains of a
typical IT infrastructure. “1” = Critical, “2” = Major, “3” = Minor. Define the following qualitative
a. “1” Critical – a risk, threat, or vulnerability that impacts compliance (i.e., privacy law
requirement for securing privacy data and implementing proper security controls, etc.)
c. “3” Minor – a risk, threat, or vulnerability that can impact user or employee productivity
2) User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned
computers.
3) WLAN access points are needed for LAN connectivity within a warehouse.
3) Mobile employee needs secure browser access to sales order entry system.
Overview
Answer the following Lab #4 – Assessment Worksheet questions pertaining to your qualitative IT risk
a. To identify and evaluate risks. Risks are then ranked based on their importance or
impact severity, and then prioritized. They are a major part of an overall risk
management program and they help identify which risks are most important.
obtaining accurate cost elements and potential liabilities is difficult for an
organization. Hence, many organizations opt to perform qualitative risk assessments based on
assessing the risk impact/risk factor of identified threats and vulnerabilities to an organization.
a. True
3. True/False: The rationale behind assigning “1” risk impact/risk factor value of “Critical” for an
identified risk, threat, or vulnerability is because anything that impacts an organization’s legal
compliance and potential liabilities from customers for non-compliance is the greatest risk to an
organization.
a. True
4. When you assembled all of the “1” and “2” and “3” risk impact/risk factor values to the
identified risks, threats, and vulnerabilities, how did you prioritize the “1”, “2”, and “3” risk
elements? What would you say to executive management in regards to your final recommended
prioritization?
a. First you identify the risks through surveys and by interviewing experts, then assign
probability and impact values to each risk. Then you compile and summarize them into a
numeric value. I would tell executive management that risk level 3 needs to be
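To make the 1/2/3 scheme defined in Lab #3 and the prioritization asked about in question 4 above concrete, here is an added Python example that is not part of the worksheet. It encodes the rating rules as a function that refuses to rate an item matching no criterion, sorts a small register by factor and then by domain, and produces the per-domain counts an executive summary would open with. The “2” Major rule is not reproduced on the page, so the code assumes it means an impact on confidentiality, integrity or availability that is not also a compliance exposure; the register entries (three from the page, two constructed) and their flags are illustrative, not the lab's answer key.

```python
"""Added example: qualitative risk rating and prioritization across the seven domains.

The "1" Critical and "3" Minor rules come from the Lab #3 worksheet above. The
"2" Major rule is not reproduced on the page, so this code assumes it means an
impact on confidentiality, integrity or availability (C-I-A) that is not also a
compliance exposure. Register entries are illustrative, not the lab's answer key.
"""
from collections import Counter
from dataclasses import dataclass

CRITICAL, MAJOR, MINOR = 1, 2, 3
LABEL = {CRITICAL: "Critical", MAJOR: "Major", MINOR: "Minor"}

# The seven domains in the order the labs present them; used as the tie-breaker
# so that, within one factor, items are reported from the user edge inward.
DOMAINS = ["User", "Workstation", "LAN", "LAN-to-WAN", "WAN",
           "Remote Access", "Systems/Application"]


@dataclass(frozen=True)
class Risk:
    domain: str
    description: str
    impacts_compliance: bool = False    # privacy data / legally required controls ("1")
    impacts_cia: bool = False           # assumed "2" rule (see module docstring)
    impacts_productivity: bool = False  # the page's "3" rule


def rate(risk):
    """Apply the 1/2/3 rules in order of severity; refuse to rate an item
    that matches none of them rather than silently calling it Minor."""
    if risk.domain not in DOMAINS:
        raise ValueError(f"unknown domain: {risk.domain}")
    if risk.impacts_compliance:
        return CRITICAL
    if risk.impacts_cia:
        return MAJOR
    if risk.impacts_productivity:
        return MINOR
    raise ValueError(f"no impact criterion set for: {risk.description}")


def prioritize(risks):
    """Critical first, then by domain order, then alphabetically."""
    return sorted(risks, key=lambda r: (rate(r), DOMAINS.index(r.domain), r.description))


def summary(risks):
    """Per-domain counts of Critical/Major/Minor, the table an executive brief opens with."""
    per_domain = {d: Counter() for d in DOMAINS}
    for r in risks:
        per_domain[r.domain][LABEL[rate(r)]] += 1
    return per_domain


def brief(risks):
    """One line per risk, in recommended order, ready to paste into a memo."""
    return [f"{rate(r)} {LABEL[rate(r)]:<8} {r.domain:<20} {r.description}"
            for r in prioritize(risks)]


# Illustrative register: the three items visible on the page plus two
# constructed ones so that every factor value appears.
REGISTER = [
    Risk("User", "User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers", impacts_cia=True),
    Risk("LAN", "WLAN access points are needed for LAN connectivity within a warehouse", impacts_productivity=True),
    Risk("Remote Access", "Mobile employee needs secure browser access to sales order entry system", impacts_productivity=True),
    Risk("Systems/Application", "Customer privacy data on the sales order entry system is readable by all internal users (constructed)", impacts_compliance=True),
    Risk("LAN-to-WAN", "Edge router permits all inbound traffic from the Internet (constructed)", impacts_cia=True),
]

if __name__ == "__main__":
    print("\n".join(brief(REGISTER)))
    for domain, counts in summary(REGISTER).items():
        print(f"{domain:<20} {dict(counts)}")
```

The point of `rate()` raising on an unrated item is the same one the worksheet makes about scope: a large plan loses items silently unless the tooling complains, so an item nobody has classified should fail loudly rather than default to Minor.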
5. Identify a risk mitigation solution for each of the following risk factors:
The organization should provide training to all employees in the proper handling
Ensure all unused ports are disabled on the edge routers. Use packet capture and
inspection tools to find and block any suspicious traffic found on WAN circuits.
Update and apply all router OS patches. Build filters to block employees from
music and movie torrent sites. These sites are notorious for hosting
sources that are known to launch DDoS attacks. If a
DDoS is occurring it is vital that the proper engineering resources are notified
immediately so that they can locate the offending IP addresses and block them at
Ensure that all employees are again notified and trained on the proper use of
VPN connections. They should never use the VPN from public access
terminals such as Internet cafés or from unknown wireless networks. They also
need to be aware that no USB drives are allowed to connect to their home PCs or
laptops. Home PCs must have the necessary anti-virus/anti-malware programs
to ensure they do not infect the organization's systems via the VPN.
implemented to remove the corrupted data. Any corrupted data will then be re-
imaged from the backup data the company has been storing at an offsite facility.
The data can also be restored from a stand-alone server that functions as a hot
standby for occasions when the organization finds itself dealing with corrupted
servers.
Lab #5: Assessment Worksheet
Overview
Due to time constraints on the course, this lab will be omitted. All students will receive credit for this lab
assignment.
Lab #6: Assessment Worksheet
Overview
Answer the following Lab #6 – Assessment Worksheet questions. These questions are specific to an IT
a. It is important to prioritize because you must be aware of what the risks, threats, and
vulnerabilities to your infrastructure are, so that you know where the most attention is
needed to make a quality IT Risk Mitigation Plan. The plan will include details on costs, risk
compliance law; thus, increasing the organization’s potential liability. These critical risk
a. True
3. What risk mitigation solutions do you recommend for handling the following risk element? User
inserts CDs and USB hard drives with personal photos, music, and videos on organization owned
computers.
a. Disable internal CD drives and USB ports. Enable automatic antivirus scans for inserted
media drives, files, and e-mail attachments. An antivirus scanning system examines all
new files on your computer's hard drive for viruses. Set up antivirus scanning for e-
b.
5. What is the most important risk mitigation requirement you uncovered and want to
communicate to executive management? In your opinion, why is this the most important
a.
6. What is the difference between short-term and long-term risk mitigation tasks and on-
going duties?
Short-term tasks address risks that can be fixed rapidly and will (more than likely) not have long-term
effects on the company; long-term tasks address risks that can end in fines if they involve compliance
issues. On-going duties are the daily duties that must be done in order for the company to
operate with minimal risk.
7. True/False: The User Domain is easy to implement risk mitigation solutions but difficult
a. False
8. True/False: The Systems/Application Domain usually contains privacy data within
a. True
9. True/False: The Workstation Domain can access privacy data and also store it on local
a. False
10. Why is the Remote Access Domain the most risk prone of all within a typical IT
infrastructure?
Because it allows users to connect to the intranet from remote locations. Users easily connect to
network resources. Users can dial in if the remote access server is a dial-in server. Also, you can use
a virtual private network (VPN). A VPN allows a user to access the private network over a public
network such as the Internet. However, you must also minimize the risk that an attacker can gain
unauthorized access to the same resources. Remote access solutions can dramatically increase the
productivity and flexibility of users who work from home computers or from mobile devices such as
laptops while traveling on the job. However, such solutions also increase the chance that an
attacker will:
Intercept information as it travels between the remote user and your intranet
Gain direct access to information that is stored on computers within your intranet
11. When considering the implementation of software updates, software patches, and
software fixes, why must you test this upgrade or software patch before you implement
systems.
12. Are risk mitigation policies, standards, procedures, and guidelines needed as part of
a. Yes, so that everything is done in order, to make sure it is complete and to make
13. If an organization under a compliance law is not in compliance, how critical is it for your
a. It is important that an organization knows what laws apply to it. Once these are
Noncompliance can have serious consequences. Some laws assess hefty fines on an
organization. Other laws can result in jail time. Some can negatively affect an
organization's ability to do business. For example, HIPAA fines can be as high as $25,000
a year for mistakes. An internal compliance program can ensure these costly mistakes
don't happen.