
Lab #2: Assessment Worksheet

Align Risk, Threats, & Vulnerabilities to COBIT P09 Risk Management Controls

Chapter 3 of the Text Book

Course Name: IS3110

Student Name: Michelle Ilknur Vonal

Instructor Name: Anthony McCullough

Lab Due Date: 08/26/2013

Overview

Due to time constraints on the course this lab will be omitted. All students will receive credit for this Lab Assignment.

Lab #3: Assessment Worksheet

Define the Scope & Structure for an IT Risk Management Plan

Chapter 4 of the Text Book

Course Name: IS3110

Student Name: Michelle Ilknur Vonal

Instructor Name: Anthony McCullough

Lab Due Date: 08/26/2013

Overview

Answer the following Lab #3 – Assessment Worksheet questions pertaining to your IT risk management plan design and table of contents.

Lab Assessment Questions

1. What is the goal or objective of an IT risk management plan?

a. To define how risks will be managed, monitored, and controlled throughout the project

2. What are the five fundamental components of an IT risk management plan?

a. Risk Planning

b. Risk Identification

c. Risk Assessment

d. Risk Mitigation

e. Risk Monitoring

3. Define what risk planning is.

a. Risk planning is a specialized type of project management. You create a risk management plan to mitigate risks. It helps you identify the risks and choose the best solutions. It also helps you track the solutions to ensure they are implemented on budget and on schedule.

4. True/False: Risk Identification is the first step in performing risk management.


a. True

5. True/False: Risk Assessment is the exercise when you are trying to identify an organization’s risk health.

a. False

6. True/False: Risk Mitigation is the practice that helps reduce or eliminate risk.

a. True

7. True/False: Risk Monitoring is the on-going practice that helps track risk in real-time

a. True

8. Given that an IT risk management plan can be large in scope, why is it a good idea to develop a risk management plan team?

a. So that no tasks are easily missed and the goal of the project can be completed.

9. Within the seven domains of a typical IT infrastructure, which domain is the most difficult to plan, identify, assess, remediate, and monitor?

a. User Domain

10. For risk monitoring, what techniques or tools can you implement within each of the seven domains of a typical IT infrastructure to help mitigate risk?

a. User Domain: raise user awareness and implement acceptable use policies (AUPs) to ensure users know what they should and shouldn’t be doing. Use login banners to remind users of the AUPs. Send out occasional e-mails with security tidbits to keep security in their minds, and use posters in employee areas.

b. Workstation Domain: install antivirus software and update it regularly; keep operating systems up to date; evaluate and deploy security patches as they become available.

c. LAN Domain: routers have ACLs (access control lists) which control what traffic is allowed through them. Switches can be programmed for specific functionality. They are commonly located in a wiring closet or server room, which provides physical security. Modify ACLs as needed. Practice port security as an added control. This ensures that only specific computers are able to attach to the network device, which means that if an attacker brings his own computer he won’t be able to connect it to the network.

d. LAN-to-WAN Domain: firewalls that discriminate and allow only certain types of traffic through. Train admins to understand the importance of limiting the number of firewall rules.

e. WAN Domain: use of a demilitarized zone (DMZ) which uses two firewalls. One firewall has direct access to the Internet and the other to the internal network. When patches are available, test them to ensure they don’t have any negative impacts and then deploy them to the servers.

f. Remote Access Domain: several different controls can be used to protect servers. Automatic callback is one used with dial-in remote access servers: after the user is prompted to log on and logs on, the server hangs up and calls her back at her home number. This is used with people who work from home. Another control is remote access policies, which can be used to specify that only Layer 2 Tunneling Protocol (L2TP) connections are allowed. Additionally, Internet Protocol Security (IPSec) could be required to ensure the connection is encrypted.

g. Systems/Applications Domain: ensure administrators have adequate training and knowledge. Configuration and change management practices are helpful: configuration management ensures the systems are configured using sound security practices, and change management ensures that the configuration is not modified without adequate review. Administrators of these systems need to test the patches they get from the vendors, make sure there are no negative effects, and then deploy them.


Lab #4: Assessment Worksheet

Part A – Perform a Qualitative Risk Assessment for an IT Infrastructure

Chapter 5 and Chapter 6 of the Text Book

Course Name: IS3110

Student Name: Michelle Ilknur Vonal

Instructor Name: Anthony McCullough

Lab Due Date: 08/26/2013

Overview

The following risks, threats, and vulnerabilities were found in an IT infrastructure. Your Instructor will assign you one of four different scenarios and vertical industries, each of which is under a unique compliance law.

1. Scenario/Vertical Industry:

a. Healthcare provider under HIPPA compliance law

b. Regional bank under GLBA compliance law

c. Nationwide retailer under PCI DSS standard requirements

d. Higher-education institution under FERPA compliance law

2. Given the list, perform a qualitative risk assessment by assigning a risk impact/risk factor to each of the identified risks, threats, and vulnerabilities, noting which of the seven domains of a typical IT infrastructure the risk, threat, or vulnerability resides in.

Risk-Threat-Vulnerability | Primary Domain Impacted | Risk Impact/Factor
--------------------------------------------------------------------------------------------------------------------------------
Unauthorized access from public Internet | Remote Access Domain | 1
User destroys data in application and deletes all files | Systems/Application Domain | 3
Hacker penetrates your IT infrastructure and gains access to your internal network | LAN-to-WAN Domain | 1
Intra-office employee romance gone bad | User Domain | 3
Fire destroys primary data center | Systems/Application Domain | 1
Service provider SLA is not achieved | WAN Domain | 3
Workstation OS has a known software vulnerability | Workstation Domain | 2
Unauthorized access to organization owned workstations | Workstation Domain | 1
Loss of production data | Systems/Application Domain | 2
Denial of service attack on organization DMZ e-mail server | LAN-to-WAN Domain | 1
Remote communications from home office | Remote Access Domain | 2
LAN server OS has a known software vulnerability | LAN Domain | 2
User downloads and clicks on an unknown e-mail attachment | User Domain | 1
Workstation browser has a software vulnerability | Workstation Domain | 3
Mobile employee needs secure browser access to sales order entry system | Remote Access Domain | 3
Service provider has a major network outage | WAN Domain | 2
Weak ingress/egress traffic filtering degrades performance | LAN-to-WAN Domain | 3
User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned computers | User Domain | 2
VPN tunneling between remote computer and ingress/egress router is needed | LAN-to-WAN Domain | 2
WLAN access points are needed for LAN connectivity within a warehouse | LAN Domain | 3
Need to prevent eavesdropping on WLAN due to customer privacy data access | LAN Domain | 1
DoS/DDoS attack from the WAN/Internet | WAN Domain | 1

3. For each of the identified risks, threats, and vulnerabilities, prioritize them by listing a “1”, “2”, and “3” next to each risk, threat, vulnerability found within each of the seven domains of a typical IT infrastructure. “1” = Critical, “2” = Major, “3” = Minor. Define the following qualitative risk impact/risk factor metrics:

a. “1” Critical – a risk, threat, or vulnerability that impacts compliance (i.e., privacy law requirement for securing privacy data and implementing proper security controls, etc.) and places the organization in a position of increased liability.

b. “2” Major – a risk, threat, or vulnerability that impacts the C-I-A of an organization’s intellectual property assets and IT infrastructure.

c. “3” Minor – a risk, threat, or vulnerability that can impact user or employee productivity or availability of the IT infrastructure.

User Domain Risk Impacts: (refer to previous chart)

1) User downloads and clicks on an unknown e-mail attachment.

2) User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned

computers.

3) Intra-office employee romance gone bad.

Workstation Domain Risk Impacts: (refer to previous chart)

1) Unauthorized access to organization owned workstations.

2) Workstation OS has a known software vulnerability.

3) Workstation browser has software vulnerability.

LAN Domain Risk Impacts: (refer to previous chart)

1) Need to prevent eavesdropping on WLAN due to customer privacy data access.

2) LAN server OS has a known software vulnerability.

3) WLAN access points are needed for LAN connectivity within a warehouse.

LAN-to-WAN Domain Risk Impacts: (refer to previous chart)

1) Denial of service attack on organization DMZ and e-mail server.

2) VPN tunneling between remote computer and ingress/egress router is needed.

3) Weak ingress/egress traffic filtering degrades performance.

WAN Domain Risk Impacts: (refer to previous chart)

1) DoS/DDoS attack from the WAN/Internet.

2) Service provider has a major network outage.


3) Service provider SLA is not achieved.

Remote Access Domain Risk Impacts: (refer to previous chart)

1) Unauthorized access from public Internet.

2) Remote communications from home office.

3) Mobile employee needs secure browser access to sales order entry system.

Systems/Applications Domain Risk Impacts: (refer to previous chart)

1) Fire destroys primary data center.

2) Loss of production data.

3) User destroys data in application and deletes all files.


Lab #4: Assessment Worksheet

Perform a Qualitative Risk Assessment for an IT Infrastructure

Chapter 5 and Chapter 6 of the Text Book

Course Name: IS3110

Student Name: Michelle Ilknur Vonal

Instructor Name: Anthony McCullough

Lab Due Date: 08/26/2013

Overview

Answer the following Lab #4 – Assessment Worksheet questions pertaining to the qualitative IT risk assessment you performed.

Lab Assessment Questions

1. What is the goal or objective of an IT risk assessment?

a. To identify and evaluate risks. Risks are then quantified based on their importance or impact severity, and then prioritized. Risk assessments are a major part of an overall risk management program and help identify which risks are most important.

2. True/False: It is difficult to conduct a qualitative risk assessment for an IT infrastructure because obtaining accurate cost elements and potential liabilities is difficult to identify for an organization. Hence, many organizations opt to perform quantitative risk assessments based on assessing the risk impact/risk factor of identified threats and vulnerabilities to an organization.

a. True

3. True/False: The rationale behind assigning “1” risk impact/risk factor value of “Critical” for an identified risk, threat, or vulnerability is because anything that impacts an organization’s legal compliance and potential liabilities from customers for non-compliance is the greatest risk to an organization.

a. True

4. When you assembled all of the “1” and “2” and “3” risk impact/risk factor values to the identified risks, threats, and vulnerabilities, how did you prioritize the “1”, “2”, and “3” risk elements? What would you say to executive management in regards to your final recommended prioritization?

a. First you identify the risks through surveys and by interviewing experts, and then assign probability and impact values to the risks. Then compile and summarize them so that each is put into a number value. I would tell executive management that Risk level 3 needs to be attended to as soon as possible in order for the others to be completed.

5. Identify a risk mitigation solution for each of the following risk factors:

a. User downloads and clicks on an unknown e-mail attachment –

The organization should provide training to all employees in the proper handling of e-mail attachments and hyperlinks. Never open attachments or click on links from unknown sources.

b. Workstation OS has a known software vulnerability –

Apply the latest OS patches and updates to eliminate software vulnerabilities.

c. Need to prevent eavesdropping on WLAN due to customer privacy data access –

Ensure all unused ports are disabled on the edge routers. Use packet tracer equipment to find and block any suspicious traffic found on WAN circuits.

d. Weak ingress/egress traffic filtering degrades performance –

Update and apply all router OS patches. Build filters to block employees from music and movie torrent databases. These databases are notorious for hosting spyware, malware and viruses that all degrade network performance.

e. DoS/DDoS attack from the WAN/Internet –

Ensure the internal systems administrators are aware of any suspicious traffic sources that have been reviewed and are known to launch DDoS attacks. If a DDoS is occurring, it is vital that the proper engineering resources are notified immediately so that they can locate the offending IP addresses and block them at the organization’s firewalls.

f. Remote access from home office – remote access policies.

Ensure that all employees are again notified of and trained on the proper use of the VPN connections. They should never use the VPN connection on any public access terminals such as internet cafés or on any unknown wireless networks. They also need to be aware that no USB drives are allowed to be connected to their home PCs or laptops. The home PCs have to have the necessary anti-virus/anti-malware programs to ensure the home PCs do not infect the organization’s systems via the VPN.

g. Production server corrupts database –

The server needs to be brought down and anti-virus tools need to be run to remove the corrupted data. Any corrupted data will then be re-imaged from the backup data the company has been storing at an offsite facility. The data can also be restored from a stand-alone server that functions as a hot standby for occasions when the organization finds itself dealing with corrupted servers.

Lab #5: Assessment Worksheet

Identify Threats and Vulnerabilities in an IT Infrastructure

Chapter 7, Chapter 8, and Chapter 9 of the Text Book

Course Name: IS3110

Student Name: Michelle Ilknur Vonal

Instructor Name: Anthony McCullough

Lab Due Date: 08/26/2013

Overview

Due to time constraints on the course this lab will be omitted. All students will receive credit for this Lab Assignment.

Lab #6: Assessment Worksheet

Develop a Risk Mitigation Plan Outline for an IT Infrastructure

Chapter 10 and Chapter 11 of the Text Book

Course Name: IS3110

Student Name: Michelle Ilknur Vonal

Instructor Name: Anthony McCullough

Lab Due Date: 08/26/2013

Overview

Answer the following Lab #6 – Assessment Worksheet questions. These questions are specific to an IT risk mitigation plan outline.

Lab Assessment Questions

1. Why is it important to prioritize your IT infrastructure risks, threats, and vulnerabilities?

a. It is important to prioritize because you must be aware of what the risks, threats, and vulnerabilities to your infrastructure are, so that you know where the most attention is needed. A quality IT Risk Mitigation Plan will include details on costs, risk prioritization, and an accompanying schedule.

2. True/False: Within an executive summary for an IT Infrastructure, the following is a primary focus of one’s message to executive management: “The organization may be breaking a compliance law; thus, increasing the organization’s potential liability. These critical risk elements were identified and prioritized for executive management review.”

a. True

3. What risk mitigation solutions do you recommend for handling the following risk element? User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned computers.

a. Disable internal CD drives and USB ports. Enable automatic antivirus scans for inserted media drives, files, and e-mail attachments. An antivirus scanning system examines all new files on your computer’s hard drive for viruses. Set up antivirus scanning for e-mails with attachments.

4. What is a security baseline definition?

a. Security Control Baseline – The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.

5. What is the most important risk mitigation requirement you uncovered and want to communicate to executive management? In your opinion, why is this the most important risk mitigation requirement?

a.

6. What is the difference between short-term and long-term risk mitigation tasks and on-going duties?

Short-term risks are risks that can be fixed rapidly and will (more than likely) not have long-term effects on the company; long-term risks are risks that can end in fines if they involve compliance issues. On-going duties are the daily duties that must be done in order for the company to perform with minimal risks.

7. True/False: The User Domain is easy to implement risk mitigation solutions in but difficult to monitor and track effectiveness.

a. False

8. True/False: The Systems/Application Domain usually contains privacy data within systems, servers, and databases.

a. True

9. True/False: The Workstation Domain can access privacy data and also store it on local hard drives and disks.

a. False

10. Why is the Remote Access Domain the most risk prone of all within a typical IT infrastructure?

Because it allows users to connect to the intranet from remote locations. Users easily connect to network resources. Users can dial in if the remote access server is a dial-in server. Also you can use a virtual private network (VPN). A VPN allows a user to access the private network over a public network such as the Internet. However, you must also minimize the risk that an attacker can gain unauthorized access to the same resources. Remote access solutions can dramatically increase the productivity and flexibility of users who work from home computers or from mobile devices such as laptops while traveling on the job. However, such solutions also increase the chance that an attacker will:

- Intercept information as it travels between the remote user and your intranet

- Make an unauthorized remote access connection by successfully impersonating a legitimate remote access user

- Gain direct access to information that is stored on computers within your intranet

11. When considering the implementation of software updates, software patches, and software fixes, why must you test this upgrade or software patch before you implement this as a risk mitigation tactic?

a. To make sure there are no negatives like viruses that can spread to the other systems.

12. Are risk mitigation policies, standards, procedures, and guidelines needed as part of your long-term risk mitigation plan? Why or why not?

a. Yes. So that everything is done in an order that makes sure it is complete, and to make sure that everything is done correctly.

13. If an organization under a compliance law is not in compliance, how critical is it for your organization to mitigate this non-compliance risk element?

a. It is important that an organization knows what laws apply to it. Once these are identified, it’s important to ensure that the organization is in compliance. Noncompliance can have serious consequences. Some laws assess hefty fines on an organization. Other laws can result in jail time. Some can negatively affect an organization’s ability to do business. For example: HIPAA fines can be as high as $25,000 a year for mistakes. An internal compliance program can ensure these costly mistakes don’t happen.
