Lab_4_Qualitative_Assessment

Lab #4 focuses on performing a qualitative risk assessment for an IT infrastructure, enabling students to identify and classify risks, threats, and vulnerabilities across seven domains. Students will utilize Microsoft Word to document their assessments and create an executive summary that outlines findings, prioritization, and recommendations. The lab emphasizes the importance of compliance with various laws and standards relevant to different vertical industries.

Uploaded by

anhndhe182570
Laboratory #4

Lab 4: Perform a Qualitative Risk Assessment for an IT Infrastructure

Learning Objectives and Outcomes

Upon completing this lab, students will be able to:
- Define the purpose and objectives of an IT risk assessment
- Align identified risks, threats, and vulnerabilities to an IT risk assessment that encompasses the seven domains of a typical IT infrastructure
- Classify identified risks, threats, and vulnerabilities according to a qualitative risk assessment template
- Prioritize classified risks, threats, and vulnerabilities according to the defined qualitative risk assessment scale
- Craft an executive summary that addresses the risk assessment findings, risk assessment impact, and recommendations to remediate areas of non-compliance

Required Setup and Tools


This is a paper-based lab and does not require the use of a “mock” IT infrastructure or virtualized server
farm.

The standard Instructor and Student VM workstation with Microsoft Office 2007 or higher is required for
this lab; it provides Internet access and Microsoft Word for answering and submitting the Lab #4 – Assessment
Worksheet questions.

The risks, threats, and vulnerabilities identified in Lab #1 – Identify Threats & Vulnerabilities in an IT
Infrastructure will be used as a basis for the scenario in Lab #4. Students are to focus their IT risk
assessment using one of the scenarios and vertical industry examples assigned by the Instructor.

Students will use Microsoft Word to perform a qualitative risk assessment according to pre-defined,
qualitative metrics and definitions. In addition, students will use Microsoft Word to document their
performance of a qualitative risk assessment classifying the risk impact and prioritization for the identified
risks, threats, and vulnerabilities.
Recommended Procedures
Lab #4 – Student Steps:
Student steps needed to perform Lab #4 – Perform a Qualitative Risk Assessment for an IT Infrastructure:
1. Connect your removable hard drive or USB hard drive to a classroom workstation.
2. Boot up your classroom workstation and obtain an IP host address via DHCP.
3. Log in to your classroom workstation and open Microsoft Word.
4. Review Figure 1 – Seven Domains of a Typical IT Infrastructure.
5. Identify the scenario/vertical industry assigned by your Instructor.
a. Healthcare provider under HIPAA compliance law
b. Regional bank under GLBA compliance law
c. Nationwide retailer under PCI DSS standard requirements
d. Higher-education institution under FERPA compliance law
6. Review the Lab #4 – Assessment Worksheet, Part A – Qualitative Assessment Risk Impact/
Risk Factor.
7. Perform a Qualitative Risk Assessment and assign a Risk Impact/Risk Factor for each of the
identified risks, threats, and vulnerabilities using Lab #4 – Assessment Worksheet Part A.
8. Craft a four-paragraph executive summary according to the following outline:
- Purpose of the risk assessment and summary of risks, threats, and vulnerabilities found throughout the IT infrastructure
- Prioritization of critical, major, and minor risk assessment elements
- Risk assessment and risk impact summary
- Recommendations and next steps
9. Work on Lab #4 – Assessment Questions and submit.
Lab #4: Assessment Worksheet

Part A – Perform a Qualitative Risk Assessment for an IT Infrastructure

Course Name: IAA202

Student Name: Nguyen Duc Anh – HE182570

Instructor Name: TanNN24

Lab Due Date: 26/2/2025

Overview
The following risks, threats, and vulnerabilities were found in an IT infrastructure. Your Instructor will
assign you one of four different scenarios and vertical industries, each of which is under a different
compliance law or standard.
1. Scenario/Vertical Industry:
a. Healthcare provider under HIPAA compliance law
b. Regional bank under GLBA compliance law
c. Nationwide retailer under PCI DSS standard requirements
d. Higher-education institution under FERPA compliance law

2. Given the list, perform a qualitative risk assessment by assigning a risk impact/risk factor to each
of the identified risks, threats, and vulnerabilities, together with the one of the seven domains of a typical IT
infrastructure in which the risk, threat, or vulnerability primarily resides.

Risk – Threat – Vulnerability | Primary Domain Impacted | Risk Impact/Factor
Unauthorized access from public Internet | WAN | 1
User destroys data in application and deletes all files | User | 2
Hacker penetrates your IT infrastructure and gains access to your internal network | LAN | 1
Intra-office employee romance gone bad | User | 3
Fire destroys primary data center | System/Application | 1
Service provider SLA is not achieved | WAN | 1
Workstation OS has a known software vulnerability | Workstation | 2
Unauthorized access to organization owned workstations | Workstation | 3
Loss of production data | System/Application | 2
Denial of service attack on organization DMZ and e-mail server | System/Application | 1
Remote communications from home office | Remote Access | 3
LAN server OS has a known software vulnerability | LAN | 1
User downloads and clicks on an unknown e-mail attachment | User | 3
Workstation browser has software vulnerability | Workstation | 2
Mobile employee needs secure browser access to sales order entry system | User | 3
Service provider has a major network outage | WAN | 1
Weak ingress/egress traffic filtering degrades performance | LAN | 3
User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned computers | User | 3
VPN tunneling between remote computer and ingress/egress router is needed | Remote Access | 2
WLAN access points are needed for LAN connectivity within a warehouse | LAN-to-WAN | 2
Need to prevent eavesdropping on WLAN due to customer privacy data access | LAN-to-WAN | 3
DoS/DDoS attack from the WAN/Internet | WAN | 1

3. For each of the identified risks, threats, and vulnerabilities, prioritize them by listing a “1”, “2”,
or “3” next to each risk, threat, or vulnerability found within each of the seven domains of a typical
IT infrastructure. “1” = Critical, “2” = Major, “3” = Minor. The qualitative risk impact/risk factor
metrics are defined as follows:
“1” Critical – a risk, threat, or vulnerability that impacts compliance (e.g., a privacy law requirement for
securing privacy data and implementing proper security controls) and places the organization in a
position of increased liability.
“2” Major – a risk, threat, or vulnerability that impacts the C-I-A (confidentiality, integrity, and availability)
of an organization’s intellectual property assets and IT infrastructure.
“3” Minor – a risk, threat, or vulnerability that can impact user or employee productivity or availability of
the IT infrastructure.

User Domain Risk Impacts: 3

Workstation Domain Risk Impacts: 3

LAN Domain Risk Impacts: 2

LAN-to-WAN Domain Risk Impacts: 2

WAN Domain Risk Impacts: 2

Remote Access Domain Risk Impacts: 1

Systems/Applications Domain Risk Impacts: 1
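The classification and prioritization procedure in steps 2 and 3 can be written down as a rule and run over a register instead of being applied row by row by hand. The script below is an added example, not part of the original lab material. It encodes the worksheet's three definitions as a function (the assumption here is that when more than one definition applies, the most severe one wins, so a compliance impact is always rated “1”), sorts a register Critical first and then by domain order, and produces the per-domain counts an executive summary needs. The `Risk` class, the three boolean flags, and the `SAMPLE_REGISTER` rows (a constructed subset of the lab's list, with flags chosen for this example) are all assumptions of the example.

```python
"""Qualitative risk register for the seven domains of a typical IT infrastructure.

Added example: encodes the worksheet's "1 / 2 / 3" scale as a rule and applies it
to a constructed sample register. Not part of the original lab material.
"""
from dataclasses import dataclass

# The seven domains, in the order the lab presents them.
DOMAINS = ("User", "Workstation", "LAN", "LAN-to-WAN", "WAN",
           "Remote Access", "System/Application")

CRITICAL, MAJOR, MINOR = 1, 2, 3
LABELS = {CRITICAL: "Critical", MAJOR: "Major", MINOR: "Minor"}


@dataclass(frozen=True)
class Risk:
    """One row of the register. The three flags are the assessor's judgement
    (an assumption of this example), not something derived from the description."""
    description: str
    domain: str
    affects_compliance: bool = False    # privacy data / regulatory controls, liability
    affects_cia: bool = False           # C-I-A of IP assets or the infrastructure
    affects_productivity: bool = False  # user productivity or availability only


def classify(risk: Risk) -> int:
    """Apply the worksheet scale; the most severe applicable definition wins."""
    if risk.domain not in DOMAINS:
        raise ValueError(f"unknown domain {risk.domain!r}; must be one of {DOMAINS}")
    if risk.affects_compliance:
        return CRITICAL
    if risk.affects_cia:
        return MAJOR
    if risk.affects_productivity:
        return MINOR
    # A row that matches no definition is a gap in the assessment, so refuse it
    # instead of silently scoring it Minor.
    raise ValueError(f"{risk.description!r} matches no definition on the scale")


def prioritize(risks):
    """Return (factor, risk) pairs: Critical first, then by domain order, then by name."""
    scored = [(classify(r), r) for r in risks]
    return sorted(scored,
                  key=lambda fr: (fr[0], DOMAINS.index(fr[1].domain), fr[1].description))


def domain_summary(risks):
    """Per-domain count of Critical/Major/Minor rows and the worst factor present."""
    summary = {d: {"Critical": 0, "Major": 0, "Minor": 0, "worst": None} for d in DOMAINS}
    for factor, risk in prioritize(risks):
        entry = summary[risk.domain]
        entry[LABELS[factor]] += 1
        entry["worst"] = factor if entry["worst"] is None else min(entry["worst"], factor)
    return summary


# Constructed sample: a subset of the lab's list, with flags chosen for this example.
SAMPLE_REGISTER = [
    Risk("Unauthorized access from public Internet", "WAN", affects_compliance=True),
    Risk("Fire destroys primary data center", "System/Application", affects_compliance=True),
    Risk("LAN server OS has a known software vulnerability", "LAN", affects_compliance=True),
    Risk("Workstation OS has a known software vulnerability", "Workstation", affects_cia=True),
    Risk("User destroys data in application and deletes all files", "User", affects_cia=True),
    Risk("Intra-office employee romance gone bad", "User", affects_productivity=True),
    Risk("User inserts CDs and USB hard drives with personal media", "User",
         affects_productivity=True),
    Risk("Remote communications from home office", "Remote Access",
         affects_productivity=True),
]


def report(risks=SAMPLE_REGISTER) -> str:
    """Render the prioritized register as the worksheet's three-column table."""
    lines = [f"{'Risk - Threat - Vulnerability':<60}{'Primary Domain':<22}Factor"]
    for factor, r in prioritize(risks):
        lines.append(f"{r.description:<60}{r.domain:<22}{factor} ({LABELS[factor]})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
    for domain, entry in domain_summary(SAMPLE_REGISTER).items():
        print(f"{domain:<20} worst={entry['worst']} Critical={entry['Critical']} "
              f"Major={entry['Major']} Minor={entry['Minor']}")
```

Two design choices matter more than the code: a row that fits none of the three definitions is rejected rather than defaulted to Minor, because an unrated item is a gap in the assessment and should be visible; and the per-domain "worst" value is the minimum factor present, so a domain with a single Critical row is flagged Critical even when most of its rows are Minor.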


4. Craft an executive summary for management using the following 4-paragraph format. The
executive summary must address the following topics:
- Paragraph #1: Summary of findings: risks, threats, and vulnerabilities found throughout the seven domains of a typical IT infrastructure
- Paragraph #2: Approach and prioritization of critical, major, and minor risk assessment elements
- Paragraph #3: Risk assessment and risk impact summary for the seven domains of a typical IT infrastructure
- Paragraph #4: Recommendations and next steps for executive management
Lab #4: Assessment Worksheet

Part B - Perform a Qualitative Risk Assessment for an IT Infrastructure

Course Name: IAA202

Student Name: Nguyen Duc Anh – HE182570

Instructor Name: TanNN24

Lab Due Date: 26/2/2025

Overview
Answer the following Lab #4 – Assessment Worksheet questions pertaining to the qualitative IT risk
assessment you performed.

Lab Assessment Questions

1. What is the goal or objective of an IT risk assessment?

The goal of an IT risk assessment is to identify the risks, threats, and vulnerabilities to the confidentiality,
integrity, and availability of the information an organization creates, receives, maintains, or transmits, and to
classify and prioritize them so that remediation effort goes to the most serious items first.

2. Why is it difficult to conduct a qualitative risk assessment for an IT infrastructure?

A qualitative assessment relies on the assessor's judgement rather than on measurable data. For individual
infrastructure devices, quantitative measures (outage cost, patch status, uptime) are easier to obtain and to defend;
rating the same devices qualitatively requires enough knowledge of the whole infrastructure to infer how likely each
risk is and how much it would matter, and different assessors can rate the same item differently.

3. What was your rationale in assigning “1” risk impact/ risk factor value of “Critical” for an
identified risk, threat, or vulnerability?

A "1" (Critical) was assigned to any risk, threat, or vulnerability that affects compliance (for example, exposure of
the privacy data covered by the assigned law) and therefore places the organization in a position of increased liability.
It is the most serious rating on the scale: "2" and "3" items affect C-I-A or productivity but do not by themselves
create a compliance violation.

4. When you assembled all of the “1” and “2” and “3” risk impact/risk factor values to the
identified risks, threats, and vulnerabilities, how did you prioritize the “1”, “2”, and “3” risk
elements? What would you say to executive management in regards to your final
recommended prioritization?

By the importance of the item to the infrastructure and the urgency with which it must be handled: all "1" items
are addressed first, then the "2" items, and both must be mitigated as quickly as feasible; "3" items can be mitigated
later or accepted at the discretion of management.
5. Identify a risk mitigation solution for each of the following risk factors:
User downloads and clicks on an unknown e-mail attachment – Restrict user privileges so that downloaded content
cannot be run without authorization.

Workstation OS has a known software vulnerability – Patch the OS regularly and install anti-malware software.

Need to prevent eavesdropping on WLAN due to customer privacy data access – Encrypt the WLAN with WPA2 using
AES (CCMP) rather than legacy WEP or TKIP.

Weak ingress/egress traffic filtering degrades performance – Strengthen the firewall filtering rules.

DoS/DDoS attack from the WAN/Internet – Keep the perimeter firewall enabled and deploy IDS and IPS systems in
the infrastructure.

Remote access from home office – Make sure a VPN is in place and securely configured.

Production server corrupts database – Restore the database from the last non-corrupt backup and remove the source
of the corruption from the system.
