
Laboratory #6: Lab #6: Develop A Risk Mitigation Plan Outline For An IT Infrastructure Learning Objectives and Outcomes

This document outlines Laboratory #6, which involves developing a risk mitigation plan outline for an IT infrastructure. The objectives are to identify the scope of an IT risk mitigation plan focusing on the seven domains of a typical IT infrastructure, align the major parts of the plan within each domain, define tactical risk mitigation steps to remediate commonly identified risks and vulnerabilities, and create a table of contents for the plan. No mock infrastructure is required - students will use their results from Lab #4 to identify priorities and craft an outline using the provided framework and topics. Upon completion, students must submit their outline and answers to assessment questions.

Laboratory #6

Lab #6: Develop a Risk Mitigation Plan Outline for an IT Infrastructure


Learning Objectives and Outcomes
Upon completing this lab, students will be able to:
• Identify the scope for an IT risk mitigation plan focusing on the seven domains of a typical IT infrastructure
• Align the major parts of an IT risk mitigation plan within each of the seven domains of a typical IT infrastructure
• Define the tactical risk mitigation steps needed to remediate the identified risk, threats, and vulnerabilities commonly found in the seven domains of a typical IT infrastructure
• Define procedures and processes needed to maintain a security baseline definition for on-going risk mitigation within the seven domains of a typical IT infrastructure
• Create a table of contents for an IT risk mitigation plan encompassing the seven domains of a typical IT infrastructure

Required Setup and Tools


This is a paper-based lab and does not require the use of a “mock” IT infrastructure or virtualized
server farm.

The standard Instructor and Student VM workstation with Microsoft Office 2007 or higher is required for
this lab. Students will need access to their completed Lab #4 – Assessment Worksheet, Part A – Perform a
Qualitative Risk Assessment for an IT Infrastructure prioritizing the risks, threats, and vulnerabilities
identified from the qualitative risk assessment.

In addition, Microsoft Word is a required tool for the student to craft a table of contents for an IT
risk mitigation plan and for answering and submitting the Lab #6 – Assessment Worksheet questions
and answers.
Recommended Procedures
Lab #6 – Student Steps:
Student steps needed to perform Lab #6 – Develop a Risk Mitigation Plan Outline for an
IT Infrastructure:
1. Connect your removable hard drive or USB hard drive to a classroom workstation.
2. Boot up your classroom workstation and obtain an IP host address via DHCP.
3. Log in to your classroom workstation and enable Microsoft Word.
4. Obtain the results of your Lab #4 – Assessment Worksheet, Part A – Perform a Qualitative
Risk Assessment for an IT Infrastructure.
5. Identify the scenario and vertical industry you were assigned in Lab #4:
a. Healthcare provider under HIPAA compliance law
b. Regional bank under GLBA compliance law
c. Nationwide retailer under PCI DSS standard requirements
d. Higher-education institution under FERPA compliance law
6. Review the results of your Lab #4 – Perform a Qualitative Risk Assessment for an IT
Infrastructure. Identify the prioritization of critical, major, and minor risk elements for the IT
infrastructure.
7. Organize your qualitative risk assessment data according to the following:
• Review your executive summary from Lab #4 – Perform a Qualitative Risk Assessment for an IT Infrastructure
• Organize all critical “1” risks, threats, and vulnerabilities identified throughout the seven domains of a typical IT infrastructure
8. Conduct a high-level narrative discussion and review of the elements of an IT risk mitigation
plan outline to consist of the following major topics/elements:
a. Executive summary
b. Prioritization of identified risks, threats, and vulnerabilities organized into the seven domains
c. Critical “1” risks, threats, and vulnerabilities identified throughout the IT infrastructure
d. Short-term remediation steps for critical “1” risks, threats, and vulnerabilities
e. Long-term remediation steps for major “2” and minor “3” risks, threats, and vulnerabilities
f. On-going IT risk mitigation steps for the seven domains of a typical IT infrastructure
g. Cost magnitude estimates for work effort and security solutions
h. Implementation plans for remediation

9. Craft a detailed IT risk mitigation plan outline by inserting appropriate sub-topics and sub-bullets
in the IT risk mitigation plan outline using the framework provided in step #8.
Deliverables
Upon completion of the Lab #6 – Develop a Risk Mitigation Plan Outline for an IT Infrastructure,
students are required to provide the following deliverables:
1. Lab #6 – An IT risk management plan outline using the framework provided. Students are to
insert appropriate details in the IT risk management plan outline to provide executive
management with a clear picture of what, where, and how risks, threats, and vulnerabilities
must be mitigated
2. Lab #6 - Assessment Questions and Answers

Evaluation Criteria and Rubrics


The following are the evaluation criteria and rubrics for Lab #6 that the students must perform:
1. Was the student able to relate the scope for an IT risk mitigation plan to the seven domains of
a typical IT infrastructure? – [20%]
2. Was the student able to align the major parts of an IT risk mitigation plan within each of
the seven domains of a typical IT infrastructure? – [20%]
3. Was the student able to define the tactical risk mitigation steps needed to remediate the identified
risk, threats, and vulnerabilities commonly found in the seven domains of a typical IT
infrastructure? – [20%]
4. Was the student able to define procedures and processes needed to maintain a security baseline
definition for on-going risk mitigation within the seven domains of a typical IT infrastructure?
– [20%]
5. Was the student able to create a table of contents for an IT risk mitigation plan encompassing the
seven domains of a typical IT infrastructure? – [20%]
Lab #6: Assessment Worksheet

Develop a Risk Mitigation Plan Outline for an IT Infrastructure

Course Name: _____________________________________________________________

Student Name: _____________________________________________________________

Instructor Name: ___________________________________________________________

Lab Due Date: _____________________________________________________________

Overview
After you have completed your qualitative risk assessment and identification of the critical “1” risks,
threats, and vulnerabilities, mitigating them requires proper planning and communication to
executive management. Students are required to craft a detailed IT risk management plan consisting
of the following major topics and structure:
A. Executive summary

B. Prioritization of identified risks, threats, and vulnerabilities organized into the seven domains

C. Critical “1” risks, threats, and vulnerabilities identified throughout the IT infrastructure

D. Remediation steps for mitigating critical “1” risks, threats, and vulnerabilities

E. Remediation steps for mitigating major “2” and minor “3” risks, threats, and vulnerabilities

F. On-going IT risk mitigation steps for the seven domains of a typical IT infrastructure

G. Cost magnitude estimates for work effort and security solutions for the critical risks

H. Implementation plans for remediation of the critical risks


Overview
After completing your IT risk mitigation plan outline, answer the following Lab #6 – Assessment
Worksheet questions. These questions are specific to the IT risk mitigation plan outline you crafted
as part of Lab #6 – Develop a Risk Mitigation Plan Outline for an IT Infrastructure.

Lab Assessment Questions


1. Why is it important to prioritize your IT infrastructure risks, threats, and vulnerabilities?

2. Based on your executive summary produced in Lab #4 – Perform a Qualitative Risk Assessment
for an IT Infrastructure, what was the primary focus of your message to executive management?

3. Given the scenario for your IT risk mitigation plan, what influence did your scenario have on
prioritizing your identified risks, threats, and vulnerabilities?

4. What risk mitigation solutions do you recommend for handling the following risk element?
User inserts CDs and USB hard drives with personal photos, music, and videos on organization
owned computers.

5. What is a security baseline definition?

6. What questions do you have for executive management in order to finalize your IT risk
mitigation plan?
7. What is the most important risk mitigation requirement you uncovered and want to communicate to
executive management? In your opinion, why is this the most important risk mitigation requirement?

8. Based on your IT risk mitigation plan, what is the difference between short-term and long-term
risk mitigation tasks and on-going duties?

9. Which of the seven domains of a typical IT infrastructure is easy to implement risk
mitigation solutions but difficult to monitor and track effectiveness?

10. Which of the seven domains of a typical IT infrastructure usually contains privacy data
within systems, servers, and databases?

11. Which of the seven domains of a typical IT infrastructure can access privacy data and also store it
on local hard drives and disks?

12. Why is the Remote Access Domain the most risk prone of all within a typical IT infrastructure?

13. When considering the implementation of software updates, software patches, and software fixes, why
must you test this upgrade or software patch before you implement this as a risk mitigation tactic?

14. Are risk mitigation policies, standards, procedures, and guidelines needed as part of your
long-term risk mitigation plan? Why or why not?

15. If an organization under a compliance law is not in compliance, how critical is it for
your organization to mitigate this non-compliance risk element?
