Lab #6: Assessment Worksheet
Develop a Risk Mitigation Plan Outline for an IT Infrastructure
Course Name: IA1803
Student Name: Lê Tiến Long – HE171603
Instructor Name: Hoàng Mạnh Đức
Lab Due Date:
Overview
After you have completed your qualitative risk assessment and identification of the critical “1” risks,
threats, and vulnerabilities, mitigating them requires proper planning and communication to executive
management. Students are required to craft a detailed IT risk management plan consisting of the
following major topics and structure:
A. Executive summary
ANSWER: Provide a concise overview of the IT risk management plan, highlighting the critical
risks, proposed remediation steps, and the importance of addressing these risks to enhance the
organization's overall security posture and resilience.
B. Prioritization of identified risks, threats, and vulnerabilities organized into the seven domains
ANSWER: Organize and prioritize the identified risks, threats, and vulnerabilities according to the
seven domains of a typical IT infrastructure: User, Workstation, LAN, LAN-to-WAN, WAN, Remote
Access, and System/Application. Within each domain, rank items by likelihood and impact so that the
critical "1" items surface first.
C. Critical “1” risks, threats, and vulnerabilities identified throughout the IT infrastructure
ANSWER: List and detail the critical "1" risks, threats, and vulnerabilities identified in each
domain, emphasizing their potential impact on the organization if exploited.
D. Remediation steps for mitigating critical “1” risks, threats, and vulnerabilities
ANSWER: Outline specific remediation steps and actions required to mitigate the critical "1" risks,
threats, and vulnerabilities identified. Include timelines, responsible parties, and resource requirements.
E. Remediation steps for mitigating major “2” and minor “3” risks, threats, and vulnerabilities
ANSWER: Provide a summary of remediation steps for major "2" and minor "3" risks, threats, and
vulnerabilities, focusing on reducing their likelihood and impact through appropriate controls and
measures.
F. On-going IT risk mitigation steps for the seven domains of a typical IT infrastructure
ANSWER: Detail ongoing IT risk mitigation steps for each domain, including continuous
monitoring, periodic risk assessments, regular updates to security controls, and user awareness
programs.
G. Cost magnitude estimates for work effort and security solutions for the critical risks
ANSWER: Estimate the costs associated with implementing the remediation steps and security
solutions for addressing the critical risks. Break down costs by domain and include factors such as
personnel, technology investments, training, and potential operational impacts.
H. Implementation plans for remediation of the critical risks
ANSWER: Provide a detailed implementation plan for each critical risk, outlining phases,
milestones, dependencies, and key deliverables. Include testing and validation procedures to ensure
effectiveness post-implementation.
Lab #6: Assessment Worksheet
Overview
After completing your IT risk mitigation plan outline, answer the following Lab #6 – Assessment
Worksheet questions. These questions are specific to the IT risk mitigation plan outline you crafted as
part of Lab #6 – Develop a Risk Mitigation Plan Outline for an IT Infrastructure.
Lab Assessment Questions
1. Why is it important to prioritize your IT infrastructure risks, threats, and vulnerabilities?
ANSWER: Prioritization aligns the identified risks, threats, and vulnerabilities with the IT infrastructure
components and assets they affect, ranked by the value or criticality of each asset. Management can then make
sound business decisions about where limited mitigation time and budget go first, starting with the critical "1"
items, instead of treating every known exposure as equally urgent.
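The prioritization described in part B and in this answer, as an added Python example that is not part of the original worksheet. It assumes a simple qualitative scale (likelihood and impact each rated 1 to 3, with 3 highest), maps the product onto the worksheet's critical "1" / major "2" / minor "3" classes, and groups the ranked items by the seven domains; the risk register entries are constructed sample data, not the lab scenario.

```python
"""Qualitative risk prioritization across the seven domains (added example)."""
from collections import defaultdict

# The seven domains of a typical IT infrastructure, in the usual order.
DOMAINS = (
    "User", "Workstation", "LAN", "LAN-to-WAN", "WAN",
    "Remote Access", "System/Application",
)


def classify(likelihood: int, impact: int) -> int:
    """Map a likelihood x impact product onto the worksheet's 1/2/3 classes.

    Assumption: both inputs are rated 1 (low) to 3 (high). The product
    (1..9) is bucketed as critical "1" for 6-9, major "2" for 3-4 and
    minor "3" for 1-2; the thresholds are this example's choice.
    """
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be 1..3")
    score = likelihood * impact
    if score >= 6:
        return 1
    if score >= 3:
        return 2
    return 3


def prioritize(risks):
    """Return {domain: [risk, ...]} with each list sorted most severe first.

    Each risk is a dict with keys domain, description, likelihood, impact;
    'score' and 'class' (1, 2 or 3) are added. Unknown domains are rejected
    so a typo cannot silently drop a risk out of the plan.
    """
    by_domain = defaultdict(list)
    for r in risks:
        if r["domain"] not in DOMAINS:
            raise ValueError(f"unknown domain: {r['domain']!r}")
        entry = dict(r)
        entry["score"] = r["likelihood"] * r["impact"]
        entry["class"] = classify(r["likelihood"], r["impact"])
        by_domain[r["domain"]].append(entry)
    for items in by_domain.values():
        # class 1 first; within a class, higher raw score first; then by name
        items.sort(key=lambda e: (e["class"], -e["score"], e["description"]))
    # Emit domains in the textbook order so the plan reads consistently.
    return {d: by_domain[d] for d in DOMAINS if d in by_domain}


def critical_ones(risks):
    """Flat list of critical '1' items: what the plan must remediate first."""
    return [e for items in prioritize(risks).values()
            for e in items if e["class"] == 1]


# Constructed sample register (illustrative, not from the lab scenario).
SAMPLE_RISKS = [
    {"domain": "User", "description": "personal USB media used on company PCs",
     "likelihood": 3, "impact": 2},
    {"domain": "Workstation", "description": "unpatched OS on workstations",
     "likelihood": 3, "impact": 3},
    {"domain": "Remote Access", "description": "VPN without multi-factor authentication",
     "likelihood": 2, "impact": 3},
    {"domain": "LAN", "description": "unused switch ports left enabled",
     "likelihood": 2, "impact": 1},
    {"domain": "System/Application", "description": "database backups not tested",
     "likelihood": 1, "impact": 3},
    {"domain": "WAN", "description": "ISP outage with no redundant link",
     "likelihood": 1, "impact": 2},
]

if __name__ == "__main__":
    for domain, items in prioritize(SAMPLE_RISKS).items():
        for e in items:
            print(f'{e["class"]}  {domain:<20} {e["description"]}')
```

Running the block prints the register grouped by domain with the class in the first column; `critical_ones()` gives the short list that parts C and D of the plan are built around. Changing the thresholds in `classify()` is where an organization's own risk appetite would enter.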
2. Based on your executive summary produced in Lab #4 – Perform a Qualitative Risk Assessment for
an IT Infrastructure, what was the primary focus of your message to executive management?
ANSWER: To inform executive management of risks that affect the business in more than monetary terms. A
qualitative risk assessment focuses on risks that can damage the organization's reputation or credibility, not
only its finances.
3. Given the scenario for your IT risk mitigation plan, what influence did your scenario have on
prioritizing your identified risks, threats, and vulnerabilities?
ANSWER: The scenario showed that common, everyday activity such as user behaviour can be a very large
risk, so every element of the scenario was treated as a potential threat and then ranked. Some risks had to be
ranked higher than others based on the assets the scenario exposed and how likely the threat was to occur.
4. What risk mitigation solutions do you recommend for handling the following risk element?
User inserts CDs and USB hard drives with personal photos, music, and videos on organization
owned computers.
ANSWER: Prevent it first: back the acceptable use policy with a technical control by disabling autorun and
blocking removable storage (USB mass storage and optical media) on organization-owned computers through
endpoint configuration, and withhold local administrator rights so users cannot undo the setting. If a device has
already been used, take the computer off the network to isolate it, run a full anti-malware scan, and return it to
the network only after it comes back clean. Finally, the user needs to go through training on what the company's
policies are for acceptable use of organization-owned systems and the network.
5. What is a security baseline definition?
ANSWER: A security baseline is a documented standard set of security settings (configuration values, patch
level, enabled services, access controls) established for each type of computer or network component in your
organization. Systems are built to the baseline and periodically audited against it, so a deviation is visible
rather than assumed to be absent.
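A security baseline only mitigates risk if hosts are actually audited against it. The following is an added Python example, not part of the worksheet or of any vendor tool, showing how such a check works: the baseline is a constructed set of expected settings per component type (including the removable-media control from question 4 above), and a host's observed settings are compared against it, with any setting that was not collected reported as a deviation rather than assumed compliant. The setting names, values and bounds are assumptions chosen for illustration.

```python
"""Audit observed host settings against a security baseline (added example)."""

# Assumption: a baseline is a dict of expected settings per component type.
# Boolean and string entries must match exactly; {"max": n} / {"min": n}
# entries express a numeric bound. These entries are constructed for this
# example and are not any organization's real baseline.
BASELINE = {
    "workstation": {
        "removable_storage_allowed": False,   # the question 4 control: no USB/CD media
        "autorun_enabled": False,
        "av_realtime_protection": True,
        "disk_encryption": True,
        "screen_lock_minutes": {"max": 15},
        "local_admin_for_users": False,
    },
    "server": {
        "remote_desktop_mfa": True,
        "password_min_length": {"min": 14},
        "unused_services_disabled": True,
    },
}


def _expected_text(expected):
    """Human-readable form of an expected value or bound, for reports."""
    if isinstance(expected, dict):
        if "max" in expected:
            return f"<= {expected['max']}"
        if "min" in expected:
            return f">= {expected['min']}"
    return repr(expected)


def _meets(expected, observed):
    """True if an observed value satisfies the expected value or bound."""
    if isinstance(expected, dict):
        if "max" in expected:
            return observed <= expected["max"]
        if "min" in expected:
            return observed >= expected["min"]
        raise ValueError("bound must define 'min' or 'max'")
    return observed == expected


def check_baseline(component_type, observed, baseline=BASELINE):
    """Return a list of deviation dicts; empty means the host meets its baseline.

    A setting missing from 'observed' is reported as a deviation too: a
    control that was never verified cannot be counted as in place.
    """
    if component_type not in baseline:
        raise ValueError(f"no baseline defined for {component_type!r}")
    deviations = []
    for setting, expected in baseline[component_type].items():
        if setting not in observed:
            deviations.append({"setting": setting,
                               "expected": _expected_text(expected),
                               "observed": "not collected"})
        elif not _meets(expected, observed[setting]):
            deviations.append({"setting": setting,
                               "expected": _expected_text(expected),
                               "observed": observed[setting]})
    return deviations


# Constructed snapshot of one workstation, as an inventory tool might report it.
SAMPLE_WORKSTATION = {
    "removable_storage_allowed": True,   # users can still mount personal USB drives
    "autorun_enabled": False,
    "av_realtime_protection": True,
    "disk_encryption": True,
    "screen_lock_minutes": 30,
    # local_admin_for_users was not collected by the tool
}

if __name__ == "__main__":
    for d in check_baseline("workstation", SAMPLE_WORKSTATION):
        print(f"{d['setting']}: expected {d['expected']}, observed {d['observed']}")
```

Each deviation maps directly to a remediation item and a domain in the plan: the removable-storage finding belongs to the Workstation Domain control for question 4, while the "not collected" entry is a gap in monitoring rather than a confirmed pass. Extending the baseline is a matter of adding entries; the check itself does not change.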
6. What questions do you have for executive management in order to finalize your IT risk mitigation
plan?
ANSWER: What is the organization's risk appetite, that is, which risks is management willing to accept as
they are? Which business processes and assets are most critical and must be protected first? What budget and
staff can be committed to remediation, and over what timeline? Which compliance obligations (laws, regulations,
contracts) apply to the organization? How much downtime is acceptable while remediation is carried out? Who will
own each remediation item? Answering these questions lets the plan address organizational needs, align with
strategic objectives, and secure the support and resources needed for implementation.
7. What is the most important risk mitigation requirement you uncovered and want to communicate to
executive management? In your opinion, why is this the most important risk mitigation requirement?
ANSWER: Implementing a robust cybersecurity framework (policies, standards, baselines, and the controls that
enforce them) is the most important requirement, because it protects the organization's data, supports
regulatory compliance, maintains business continuity, and fosters stakeholder confidence. Without a framework,
each fix is a one-off that decays as systems change; with one, remediation of the critical "1" risks becomes
repeatable and measurable, which is what keeps pace with increasing cyber threats.
8. Based on your IT risk mitigation plan, what is the difference between short-term and long-term risk
mitigation tasks and on-going duties?
ANSWER: Short-term tasks are those that can be completed quickly, typically the critical "1" fixes, and that
remove an immediate exposure without long-term consequences for the organization. Long-term tasks take more
time or investment, for example compliance programs whose neglect can result in fines, and are scheduled in
phases. Ongoing duties have no end date: patching, monitoring, periodic risk assessment, and training must
continue for the business to operate safely.
9. Which of the seven domains of a typical IT infrastructure is easy to implement risk mitigation
solutions but difficult to monitor and track effectiveness?
ANSWER: The User Domain. Mitigations there (acceptable use policies, security awareness training, signed
user agreements) are cheap and quick to put in place, but their effectiveness depends on human behaviour, which
is difficult to monitor and measure: a completed training module does not prove that users have stopped clicking
phishing links or plugging in personal USB drives.
10. Which of the seven domains of a typical IT infrastructure usually contains privacy data within
systems, servers, and databases?
ANSWER: The System/Application Domain. It holds the servers, databases, and applications where privacy
data is stored and processed, which is why access controls, encryption of data at rest, and logging are
concentrated there.
11. Which of the seven domains of a typical IT infrastructure can access privacy data and also store it on
local hard drives and disks?
ANSWER: The Workstation Domain. Users access privacy data from their workstations and can store copies on
local hard drives and removable disks, so full-disk encryption and removable-media controls belong in this domain.
12. Why is the Remote Access Domain the most risk prone of all within a typical IT infrastructure?
ANSWER: The Remote Access Domain is the most risk-prone because it deliberately bridges the organization's
network and the untrusted Internet. Connections arrive from endpoints the organization may not manage or patch,
user credentials travel over networks the organization does not control, and weaknesses in the remote access
technology itself (VPN gateways, remote desktop services) are reachable by anyone on the Internet. Privacy data
accessed remotely can leave the organization's custody, which raises compliance concerns, and remote users are
harder to train and supervise. Mitigation therefore requires strong (multi-factor) authentication, encrypted
transport, hardened and patched gateways, endpoint posture checks, regular audits, user training, and continuous
monitoring of remote sessions.
13. When considering the implementation of software updates, software patches, and software
fixes, why must you test this upgrade or software patch before you implement this as a risk
mitigation tactic?
ANSWER: Because you do not know how the patch will interact with the software already deployed. Just
because a security patch exists does not mean it goes straight onto the live servers; test it in a staging
environment that mirrors production to confirm it plays well with the rest of the system, and keep a rollback
plan in case it does not.
14. Are risk mitigation policies, standards, procedures, and guidelines needed as part of your
long-term risk mitigation plan? Why or why not?
ANSWER: Yes. Policies, standards, procedures, and guidelines give a reference point that outlives any single
fix: the policy states what is required, standards and baselines define the settings, procedures say how to
implement and verify them, and guidelines cover cases the others do not. Knowing the laws and policies behind an
implementation is just as important as the implementation itself.
15. If an organization under a compliance law is not in compliance, how critical is it for
your organization to mitigate this non-compliance risk element?
ANSWER: It is very critical. Compliance laws can be strict and carry heavy penalties if not followed, so
non-compliance belongs among the critical "1" risks and should be mitigated first. The company should not incur
fines for violations of laws that can be avoided.