
Lab #4: Assessment Worksheet

Part A — Perform a Qualitative Risk Assessment for an IT Infrastructure


Course Name: IAA202
Student Name: Hoàng Tuấn Phong

Overview
The following risks, threats, and vulnerabilities were found in an IT infrastructure. Your
instructor will assign you one of four different scenarios and vertical industries, each of which
is under a unique compliance law.
1. Scenario/Vertical Industry:

| Risk / Threat / Vulnerability | Primary Domain Impacted | Risk Impact/Factor |
|---|---|---|
| Unauthorised access from public Internet | WAN | 1 |
| User destroys data in application and deletes all files | User | 2 |
| Hacker penetrates your IT infrastructure and gains access to your internal network | LAN | 1 |
| Intra-office employee romance gone bad | User | 3 |
| Fire destroys primary data center | System/application | 1 |
| Service provider SLA is not achieved | WAN | 1 |
| Workstation OS has a known software vulnerability | Workstation | 2 |
| Unauthorised access to organisation owned workstations | Workstation | 3 |
| Loss of production data | System/application | 2 |
| Denial of service attack on organisation DMZ and e-mail server | System/application | 1 |
| Remote communications from home office | Remote access | 3 |
| LAN server OS has a known software vulnerability | LAN | 1 |
| User downloads and clicks on an unknown e-mail attachment | User | 3 |
| Workstation browser has software vulnerability | Workstation | 2 |
| Mobile employee needs secure browser access to sales order entry system | User | 3 |
| Service provider has a major network outage | WAN | 1 |
| Weak ingress/egress traffic filtering degrades performance | LAN | 3 |
| User inserts CDs and USB hard drives with personal photos, music, and videos on organisation owned computers | User | 3 |
| VPN tunnelling between remote computer and ingress/egress router is needed | Remote access | 2 |
| WLAN access points are needed for LAN connectivity within a warehouse | LAN-to-WAN | 2 |
| Need to prevent eavesdropping on WLAN due to customer privacy data access | LAN-to-WAN | 3 |
| DoS/DDoS attack from the WAN/Internet | WAN | 1 |

3. For each of the identified risks, threats, and vulnerabilities, prioritise them by listing a "1",
"2", or "3" next to each risk, threat, or vulnerability found within each of the seven domains of a
typical IT infrastructure. "1" = Critical, "2" = Major, "3" = Minor. Define the following qualitative
risk impact/risk factor metrics:

"1" Critical: a risk, threat, or vulnerability that impacts compliance (i.e., a privacy law
requirement for securing privacy data and implementing proper security controls, etc.) and
places the organisation in a position of increased liability.

"2" Major: a risk, threat, or vulnerability that impacts the C-I-A of an organisation's
intellectual property assets and IT infrastructure.

"3" Minor: a risk, threat, or vulnerability that can impact user or employee productivity or
availability of the IT infrastructure.

User Domain Risk Impacts: 3
Workstation Domain Risk Impacts: 3
LAN Domain Risk Impacts: 2
LAN-to-WAN Domain Risk Impacts: 2
WAN Domain Risk Impacts: 2
Remote Access Domain Risk Impacts: 1
Systems/Applications Domain Risk Impacts: 1

Part B — Perform a Qualitative Risk Assessment for an IT Infrastructure

1. What is the goal or objective of an IT risk assessment?


The primary goal of an IT risk assessment is to identify and prioritise potential threats to an
organisation's IT systems and data. The main objectives are:

1. Identifying Risks: Detecting potential threats and vulnerabilities.
2. Evaluating Impact: Assessing the potential consequences of these risks.
3. Prioritising Risks: Ranking risks based on their likelihood and impact.
4. Mitigating Risks: Developing strategies to reduce or eliminate risks.
5. Ensuring Compliance: Meeting legal, regulatory, and industry standards.
6. Supporting Decision-Making: Informing IT investment and resource allocation.

2. Why is it difficult to conduct a qualitative risk assessment for an IT infrastructure?

Conducting a qualitative risk assessment for an IT infrastructure is challenging due to:

1. Subjectivity: Reliance on expert judgement and opinions can lead to inconsistencies
and bias.
2. Lack of Quantifiable Data: Difficulty in accurately measuring the likelihood and
impact of risks.
3. Complexity of IT Systems: Modern IT infrastructures are intricate and
interconnected.
4. Rapid Technological Changes: Fast-paced advancements and evolving threats can
quickly render assessments outdated.
5. Varied Expertise Levels: Differing expertise among stakeholders complicates
consensus on risk ratings.
6. Dynamic Threat Landscape: Continuously changing threats require constant
updates to the assessment.
7. Interdependencies: Dependencies on external systems and third-party services
complicate risk evaluation.
8. Resource Constraints: Thorough assessments require significant time and
resources, which are often limited.

3. What was your rationale in assigning a "1" risk impact/risk factor value of "Critical" for an
identified risk, threat, or vulnerability?

Assigning a "Critical" value of "1" to a risk, threat, or vulnerability is based on its potential for
severe consequences. This includes significant financial loss, reputational damage,
operational disruption, legal penalties, and impacts on data sensitivity and safety. It signifies
a high likelihood of occurrence and necessitates immediate and substantial resource
allocation for mitigation.

4. When you assembled all of the "1" and "2" and "3" risk impact/risk factor values to the
identified risks, threats, and vulnerabilities, how did you prioritise the "1", "2", and "3" risk
elements? What would you say to executive management in regards to your final
recommended prioritisation?

Our final recommended prioritisation focuses first on addressing the critical risks that could
cause the most significant harm to the organisation. Following this, we will tackle high and
medium risks in sequence, ensuring comprehensive risk management. This approach allows
us to allocate resources effectively and ensure the continued protection and resilience of our
IT infrastructure.

5. Identify a risk mitigation solution for each of the following risk factors:

User downloads and clicks on an unknown e-mail attachment: Set up user
access restrictions and make it such that downloads require authorization.

Workstation OS has a known software vulnerability: Regularly update
software and install anti-malware software.

Need to prevent eavesdropping on WLAN due to customer privacy data access: Enhance
WLAN security using encryption such as WPA2 and AES.

Weak ingress/egress traffic filtering degrades performance: Strengthen firewall filtering.

DoS/DDoS attack from the WAN/Internet: Always enable firewall security.

Remote access from home office: Make sure the VPN is in place and secure.

Production server corrupts database: Restore the database from the last non-corrupt
backup, and remove the corruption from the system.
