Lab4 - IAA202 - HE181705 - Nguyễn Xuân Phương

Laboratory #4 focuses on performing a qualitative risk assessment for IT infrastructure, teaching students to define objectives, classify risks, and prioritize them based on a qualitative scale. Students will utilize a worksheet to document their findings and craft an executive summary addressing risks, impacts, and recommendations. Deliverables include a risk assessment worksheet, an executive summary, and answers to assessment questions.

Laboratory #4

Lab 4: Perform a Qualitative Risk Assessment for an IT Infrastructure

Learning Objectives and Outcomes


Upon completing this lab, students will be able to:
• Define the purpose and objectives of an IT risk assessment
• Align identified risks, threats, and vulnerabilities to an IT risk assessment that encompasses the seven domains of a typical IT infrastructure
• Classify identified risks, threats, and vulnerabilities according to a qualitative risk assessment template
• Prioritize classified risks, threats, and vulnerabilities according to the defined qualitative risk assessment scale
• Craft an executive summary that addresses the risk assessment findings, risk assessment impact, and recommendations to remediate areas of non-compliance

Required Setup and Tools


This is a paper-based lab and does not require the use of a “mock” IT infrastructure or virtualized server
farm.

The standard Instructor and Student VM workstation with Microsoft Office 2007 or higher is required for
this lab for Internet access and Microsoft Word for answering and submitting the Lab #4 – Assessment
Worksheet questions.

The risks, threats, and vulnerabilities identified in Lab #1 – Identify Threats & Vulnerabilities in an IT
Infrastructure will be used as a basis for the scenario in Lab #4. Students are to focus their IT risk
assessment using one of the scenarios and vertical industry examples assigned by the Instructor.

Students will use Microsoft Word to perform a qualitative risk assessment according to pre-defined,
qualitative metrics and definitions. In addition, students will use Microsoft Word to document their
performance of a qualitative risk assessment classifying the risk impact and prioritization for the
identified risks, threats, and vulnerabilities.
Recommended Procedures
Lab #4 – Student Steps:
Student steps needed to perform Lab #4 – Perform a Qualitative Risk Assessment for an IT Infrastructure:
1. Connect your removable hard drive or USB hard drive to a classroom workstation.
2. Boot up your classroom workstation and obtain an IP host address via DHCP.
3. Log in to your classroom workstation and open Microsoft Word.
4. Review Figure 1 – Seven Domains of a Typical IT Infrastructure.
5. Identify the scenario/vertical industry assigned by your Instructor.
   a. Healthcare provider under HIPAA compliance law
   b. Regional bank under GLBA compliance law
   c. Nationwide retailer under PCI DSS standard requirements
   d. Higher-education institution under FERPA compliance law
6. Review the Lab #4 – Assessment Worksheet, Part A – Qualitative Assessment Risk Impact/Risk Factor.
7. Perform a Qualitative Risk Assessment and assign a Risk Impact/Risk Factor for each of the identified risks, threats, and vulnerabilities using Lab #4 – Assessment Worksheet Part A.
8. Craft a four-paragraph executive summary according to the following outline:
   • Purpose of the risk assessment and summary of risks, threats, and vulnerabilities found throughout the IT infrastructure
   • Prioritization of critical, major, and minor risk assessment elements
   • Risk assessment and risk impact summary
   • Recommendations and next steps
9. Work on Lab #4 – Assessment Questions and submit.

Deliverables
Upon completion of Lab #4 – Perform a Qualitative Risk Assessment for an IT Infrastructure, students
are required to provide the following deliverables as part of this lab:

1. Lab #4 – Qualitative Risk Assessment Worksheet with assigned risk impact/risk factors for the
identified domains of a typical IT infrastructure (“1” – Critical, “2” – Major, “3” – Minor)
2. Lab #4 – Qualitative Risk Assessment executive summary
3. Lab #4 - Assessment Questions and Answers
Evaluation Criteria and Rubrics
The following are the evaluation criteria and rubrics for Lab #4 that the students must perform:
1. Was the student able to define the purpose and objectives of an IT risk assessment? – [20%]
2. Was the student able to align identified risks, threats, and vulnerabilities to an IT risk assessment
that encompasses the seven domains of a typical IT infrastructure? – [20%]
3. Was the student able to classify identified risks, threats, and vulnerabilities according to a
qualitative risk assessment template? – [20%]
4. Was the student able to prioritize classified risks, threats, and vulnerabilities according to the
defined qualitative risk assessment scale? – [20%]
5. Was the student able to craft an executive summary that addresses the risk assessment findings,
risk assessment impact, and recommendations to remediate areas of non-compliance? – [20%]
Lab #4: Assessment Worksheet

Part A – Perform a Qualitative Risk Assessment for an IT Infrastructure

Course Name: Risk Management in Information (IAA202)

Student Name: Nguyễn Xuân Phương – HE181705

Instructor Name: Nguyễn Anh Nhật

Lab Due Date: 17/02/2025

Overview
The following risks, threats, and vulnerabilities were found in an IT infrastructure. Your Instructor will assign you one of four different scenarios and vertical industries, each of which is under a unique compliance law.
1. Scenario/Vertical Industry:

   a. Healthcare provider under HIPAA compliance law
   b. Regional bank under GLBA compliance law
   c. Nationwide retailer under PCI DSS standard requirements
   d. Higher-education institution under FERPA compliance law

2. Given the list, perform a qualitative risk assessment by assigning a risk impact/risk factor to each of the identified risks, threats, and vulnerabilities, within the one of the seven domains of a typical IT infrastructure in which the risk, threat, or vulnerability resides.

Risk – Threat – Vulnerability | Primary Domain Impacted | Risk Impact/Factor
Unauthorized access from public Internet | LAN-to-WAN | Critical
User destroys data in application and deletes all files | Systems/Application | Critical
Hacker penetrates your IT infrastructure and gains access to your internal network | LAN-to-WAN | Critical
Intra-office employee romance gone bad | User | Minor
Fire destroys primary data center | Systems/Application | Major
Service provider SLA is not achieved | WAN | Minor
Workstation OS has a known software vulnerability | Workstation | Major
Unauthorized access to organization-owned workstations | Workstation | Major
Loss of production data | Systems/Application | Minor
Denial of service attack on organization DMZ and e-mail server | LAN-to-WAN | Major
Remote communications from home office | Remote Access | Major
LAN server OS has a known software vulnerability | LAN | Critical
User downloads and clicks on an unknown e-mail attachment | User | Critical
Workstation browser has software vulnerability | Workstation | Major
Mobile employee needs secure browser access to sales order entry system | User | Minor
Service provider has a major network outage | WAN | Minor
Weak ingress/egress traffic filtering degrades performance | LAN-to-WAN | Minor
User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers | User | Minor
VPN tunneling between remote computer and ingress/egress router | Remote Access | Major
WLAN access points are needed for LAN connectivity within a warehouse | LAN | Minor
Need to prevent rogue users from unauthorized WLAN access | LAN | Major
DoS/DDoS attack from the WAN/Internet | WAN | Major
3. For each of the identified risks, threats, and vulnerabilities, prioritize them by listing a “1”, “2”, or “3” next to each risk, threat, or vulnerability found within each of the seven domains of a typical IT infrastructure. “1” = Critical, “2” = Major, “3” = Minor. Define the following qualitative risk impact/risk factor metrics:

“1” Critical – a risk, threat, or vulnerability that impacts compliance (i.e., privacy law requirement for securing privacy data and implementing proper security controls, etc.) and places the organization in a position of increased liability.

“2” Major – a risk, threat, or vulnerability that impacts the C-I-A of an organization’s intellectual property assets and IT infrastructure.

“3” Minor – a risk, threat, or vulnerability that can impact user or employee productivity or availability of the IT infrastructure.

User Domain Risk Impacts: 1, 2, 3

Workstation Domain Risk Impacts: 2, 3

LAN Domain Risk Impacts: 1, 2

LAN-to-WAN Domain Risk Impacts: 1, 2, 3

WAN Domain Risk Impacts: 2, 3

Remote Access Domain Risk Impacts: 2, 3

Systems/Applications Domain Risk Impacts: 1, 2
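Steps 2 and 3 above (assign a domain and a qualitative factor to each item, then roll them up per domain and order them “1” before “2” before “3”) can be carried out mechanically. The following script is an added example, not part of the worksheet; it loads a subset of the Part A rows above as a small risk register and computes the prioritized list, the per-domain risk-impact lines, and the counts used in the executive summary.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Qualitative scale from the worksheet: lower number = higher priority.
RISK_FACTOR = {"Critical": 1, "Major": 2, "Minor": 3}

@dataclass(frozen=True)
class RiskEntry:
    description: str
    domain: str  # one of the seven domains of a typical IT infrastructure
    impact: str  # "Critical", "Major" or "Minor"

    @property
    def factor(self) -> int:
        return RISK_FACTOR[self.impact]

# Subset of the Part A worksheet rows above (same domains and ratings as the table).
REGISTER = [
    RiskEntry("Unauthorized access from public Internet", "LAN-to-WAN", "Critical"),
    RiskEntry("Denial of service attack on organization DMZ and e-mail server", "LAN-to-WAN", "Major"),
    RiskEntry("Weak ingress/egress traffic filtering degrades performance", "LAN-to-WAN", "Minor"),
    RiskEntry("Workstation OS has a known software vulnerability", "Workstation", "Major"),
    RiskEntry("Workstation browser has software vulnerability", "Workstation", "Major"),
    RiskEntry("LAN server OS has a known software vulnerability", "LAN", "Critical"),
    RiskEntry("Need to prevent rogue users from unauthorized WLAN access", "LAN", "Major"),
    RiskEntry("DoS/DDoS attack from the WAN/Internet", "WAN", "Major"),
    RiskEntry("Service provider SLA is not achieved", "WAN", "Minor"),
    RiskEntry("Fire destroys primary data center", "Systems/Application", "Major"),
    RiskEntry("Loss of production data", "Systems/Application", "Minor"),
]

def prioritize(register):
    """Step 3: order the register so every '1' (Critical) item precedes the '2's and '3's."""
    return sorted(register, key=lambda e: (e.factor, e.domain, e.description))

def domain_risk_impacts(register):
    """Sorted set of factors present per domain, as in the 'Domain Risk Impacts' lines."""
    seen = defaultdict(set)
    for e in register:
        seen[e.domain].add(e.factor)
    return {domain: sorted(factors) for domain, factors in seen.items()}

def summary_counts(register):
    """Number of Critical/Major/Minor items, for the prioritization paragraph of the summary."""
    return dict(Counter(e.impact for e in register))

if __name__ == "__main__":
    for e in prioritize(REGISTER):
        print(f'"{e.factor}" {e.impact:8} {e.domain:20} {e.description}')
    for domain, factors in domain_risk_impacts(REGISTER).items():
        print(f"{domain} Domain Risk Impacts: {', '.join(map(str, factors))}")
```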


4. Craft an executive summary for management using the following 4-paragraph format. The executive summary must address the following topics:
   • Paragraph #1: Summary of findings: risks, threats, and vulnerabilities found throughout the seven domains of a typical IT infrastructure
   • Paragraph #2: Approach and prioritization of critical, major, and minor risk assessment elements
   • Paragraph #3: Risk assessment and risk impact summary for the seven domains of a typical IT infrastructure
   • Paragraph #4: Recommendations and next steps for executive management
Lab #4: Assessment Worksheet

Perform a Qualitative Risk Assessment for an IT Infrastructure

Course Name: Risk Management in Information (IAA202)

Student Name: Nguyễn Xuân Phương – HE181705

Instructor Name: Nguyễn Anh Nhật

Lab Due Date: 17/02/2025

Overview
Answer the following Lab #4 – Assessment Worksheet questions pertaining to the qualitative IT risk assessment you performed.

Lab Assessment Questions

1. What is the goal or objective of an IT risk assessment?

- To mitigate risks to prevent security incidents and to define how the risk will be managed, controlled, and monitored

2. Why is it difficult to conduct a qualitative risk assessment for an IT infrastructure?

- Because a qualitative assessment is based on opinion rather than actual fact, and an IT risk assessment needs to be based on quantitative analysis

3. What was your rationale in assigning the “1” risk impact/risk factor value of “Critical” for an identified risk, threat, or vulnerability?

- Critical items need to be mitigated immediately

4. When you assembled all of the “1”, “2”, and “3” risk impact/risk factor values for the identified risks, threats, and vulnerabilities, how did you prioritize the “1”, “2”, and “3” risk elements? What would you say to executive management in regards to your final recommended prioritization?

- Risk elements with a risk impact/risk factor of 1 or 2 need to be mitigated immediately; 3 can be mitigated after 1 and 2 have been done
5. Identify a risk mitigation solution for each of the following risk factors:

User downloads and clicks on an unknown e-mail attachment – Restrict user access and set it up so that a user has to get authorization for downloads

Workstation OS has a known software vulnerability – Patch or update software

Need to prevent eavesdropping on WLAN due to customer privacy data access – Increase WLAN security using WPA2 and AES encryption

Weak ingress/egress traffic filtering degrades performance – Strengthen firewall filtering

DoS/DDoS attack from the WAN/Internet – Strengthen firewall security, install IPS and IDS systems in the infrastructure

Remote access from home office – Make sure the VPN is in place and secure

Production server corrupts database – Remote server
