IS3110 Part-A and B Lab 4 performing a qualitative risk assessment for an it infrastructure




ITT-Technical Institute, West Palm Beach, FL


Part-A Lab #4: Perform a Qualitative Risk Assessment for an IT Infrastructure
Part-B Lab #4: Perform a Qualitative Risk Assessment for an IT Infrastructure
IS3110 Risk Management in Information Technology Security

October 18, 2014


Part-A


1. Healthcare provider under HIPAA compliance law.


2.


Risk – Threat – Vulnerability | Primary Domain Impacted | Risk Impact/Factor
----------------------------- | ----------------------- | ------------------
Unauthorized access from public Internet | WAN | 1
User destroys data in application and deletes all files | User | 2
Hackers penetrate your IT infrastructure and gain access to your internal network | LAN | 1
Intra-office employee romance gone bad | User | 3
Fire destroys primary data center | System/Application | 1
Service provider SLA is not achieved | WAN |
User destroys data in application and deletes all files | Workstation | 2
Unauthorized access to organization owned workstations | Workstation | 3
Loss of production data | System/Application | 2
Denial of service attack on organization DMZ and e-mail server | System/Application | 1
Remote communication from home office | Remote Access | 3
LAN server OS has a known software vulnerability | LAN | 1
User downloads and clicks on an unknown | User | 3
Workstation browser has software vulnerability | Workstation | 2
Mobile employee needs secure browser access to sales order entry system | User | 3
Service provider has a major network outage | WAN | 1
Weak ingress/egress traffic filtering degrades performance | LAN | 3
User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned computers | User | 3
VPN tunneling between remote computer and ingress/egress router is needed | Remote Access | 2
WLAN access points are needed for LAN connectivity within a warehouse | LAN-to-WAN | 2
Need to prevent eavesdropping on WLAN due to customer privacy data access | LAN-to-WAN | 3
DoS/DDoS attack from the WAN/Internet | WAN | 1



3.


  • User Domain Risk Impacts: 5
  • Workstation Domain Risk Impacts: 3
  • LAN Domain Risk Impacts: 2
  • LAN-to-WAN Domain Risk Impacts: 2
  • WAN Domain Risk Impacts: 4
  • Remote Access Domain Risk Impacts: 2
  • Systems/Applications Domain Risk Impacts: 3


4. The purpose of the risk assessment findings is to inform your organization of the risks, threats, and vulnerabilities that were found within the organization. The assessment found issues in all seven domains of the IT infrastructure: the User Domain had about five risk impacts; the Workstation Domain about three; the LAN Domain about two; the LAN-to-WAN Domain about two; the WAN Domain about four; the Remote Access Domain about two; and the Systems/Applications Domain about two. The risks, threats and vulnerabilities found within your IT infrastructure ranged from critical to minor in nature, and they are discussed in more detail later in this summary of my findings for your organization.

Of the risks, threats and vulnerabilities found within the organization, six carried a rating of critical: unauthorized access from public Internet; fire destroys primary data center; denial of service attack on organization DMZ and e-mail server; hackers penetrate your IT infrastructure and gain access to your internal network; service provider has a major network outage; LAN server OS has a known software vulnerability; and DoS/DDoS attack from the WAN/Internet. These critical-range risks, threats and vulnerabilities need to be addressed first, before any others. Plans need to be put into motion to address these issues, starting with the IT department and going all the way up to upper management.

Five carried a rating of major: user destroys data in application and deletes all files (User Domain); user destroys data in application and deletes all files (Workstation Domain); loss of production data; workstation browser has software vulnerability; VPN tunneling between remote computer and ingress/egress router is needed; and WLAN access points are needed for LAN connectivity within a warehouse. These major-range risks, threats and vulnerabilities need to be addressed second, after the critical ones. Plans need to be put into motion to address these issues, starting with the IT department and going all the way up to upper management. Minor-range risks, threats and vulnerabilities need to be addressed after the major ones; here too, plans need to be put into motion, starting with the IT department and going all the way up to upper management.

The assessment found that there was significant impact on all of the IT domains for this organization. Some of these risks, threats and vulnerabilities could have a negative impact on the organization, resulting in loss of data, profits and company integrity.

The next step would be to address the critical issues first, based on their impact on the organization's IT network and weighing the cost of fixing them.

Part-B


  1. What is the goal or objective of an IT risk assessment?

    It is used to identify and evaluate risks based on an analysis of threats and vulnerabilities to assets. Risks are quantified based on their importance or impact severity, and are then prioritized.

  2. Why is it difficult to conduct a qualitative risk assessment for an IT infrastructure?

    A qualitative assessment is based on the probability and impact of a risk. It is not based on dollar values; instead it is done by gathering the opinions of experts, who could each have a different opinion or priority, which could cause an issue.

  3. What was your rationale in assigning a "1" risk impact/risk factor value of "Critical" for an identified risk, threat, or vulnerability?

    A 1 was given to any risk, threat or vulnerability that impacts compliance and places the organization in a position of increased liability.

  4. When you assembled all of the "1", "2" and "3" risk impact/risk factor values for the identified risks, threats and vulnerabilities, how did you prioritize the "1", "2" and "3" risk elements? What would you say to executive management in regards to your final recommended prioritization?

    First I sorted them by category: the 1's, then the 2's, then the 3's. Then I prioritized them within each category by which ones I thought would have the biggest impact. They should be approached in a top-to-bottom manner, as the list has been sorted twice.

  5. Identify a risk mitigation solution for each of the following risk factors:

    User downloads and clicks on an unknown e-mail attachment - Disconnect the workstation from the network, then run a virus scan to check for issues and make fixes, then provide training to the employee on e-mail policies.

    Workstation OS has known software vulnerability - Find the patch that fixes the vulnerability and push it out to all workstations.

    Need to prevent eavesdropping on WLAN due to customer privacy data access - First, a password needs to be set on the Wi-Fi. Next, the Wi-Fi can be hidden so that only someone who knows the exact name can connect to it. The distance the Wi-Fi signal extends should not exceed the exterior walls. Depending on how many devices are allowed access, MAC filtering can also be set up.

    Weak ingress/egress traffic filtering degrades performance - New filtering methods need to be implemented.

    DoS/DDoS attack from the WAN/Internet - Make sure there is a firewall in place and set it up so that after 3 failed attempts it locks out that IP, or third-party software can be purchased to monitor for DoS attacks.

    Remote access from home office - I will use digital certificate technology to simplify the authentication process required to establish multiple IP tunnels. I can use an IPsec VPN or an SSL VPN. Delete staff remote access privileges once they are no longer needed.

    Production server corrupts database - You can increase the performance of your external firewall. There are, however, viruses that go undetected, which means that if your server becomes corrupted you would have to rely on backups. That means backing up more frequently.