ISRM W11 L6


INSTRUCTOR VERSION

Copyright © by Jones & Bartlett Learning, LLC, an Ascend Learning Company - All Rights Reserved.


Introduction

Identifying and assessing risks is challenging, but treating them is another matter entirely. Treating risks means making changes based on a risk assessment and probably a few hard decisions. When treating even the most straightforward of risks, practice due diligence by documenting what steps you are taking to mitigate the risk. If you don’t document the change and the reasoning behind it, it’s possible that your organization could reverse the mitigation and reintroduce the risk based on the notion of “but that’s how we always did it before.”

After you’ve addressed a risk, appoint someone to make certain that the risk treatment is being regularly applied. If a security incident arises even with the change in place, having a single person in charge will ensure that any corrective action aligns with the risk-mitigation plan. You’re not appointing somebody so you can blame that person if things go wrong; you are instead investing that individual with the autonomy to manage the incident effectively. The purpose of a risk-mitigation plan is to define and document procedures and processes to establish a baseline for ongoing mitigation of risks in the seven domains of an IT infrastructure.

In this lab, you will review an article titled “Risk Impact Assessment and Prioritization.” You will review the results of an assessment and note how the risks were categorized and prioritized for the IT infrastructure. You will review functional controls and NIST control families. You will then go into our classroom and answer the questions in our Week #11 discussion board pertaining to the information in this Lab #6.

Learning Objectives

Upon completing this lab, you will be able to:

Identify the scope for an IT risk-mitigation plan focusing on the seven domains of a typical IT infrastructure.

Identify the purpose of prioritizing the risks prior to creating a risk-mitigation plan.

Identify the difference between Preventive Controls, Detective Controls and Corrective Controls.

Identify NIST Control Families.

Lab #6 Developing a Risk-Mitigation Plan for an IT Infrastructure


1. Review the seven domains of a typical IT infrastructure (see Figure 1).

Figure 1 Seven domains of a typical IT infrastructure

3. Review the results of the assessments in the following table. Note how the risks are categorized and prioritized for the IT infrastructure.

Risks, Threats, and Vulnerabilities | Primary Domain Impacted | Risk Impact/Factor
Unauthorized access from public Internet | Remote Access Domain | 1
User destroys data in application and deletes all files | System/Application Domain | 3
Hacker penetrates your IT infrastructure and gains access to your internal network | LAN-to-WAN Domain | 1
Intraoffice employee romance gone bad | User Domain | 3
Fire destroys primary data center | System/Application Domain | 1
Service provider service level agreement (SLA) is not achieved | WAN Domain | 3
Workstation operating system (OS) has a known software vulnerability | Workstation Domain | 2
Unauthorized access to organization-owned workstations | Workstation Domain | 1
Loss of production data | System/Application Domain | 2
Denial of service attack on organization Demilitarized Zone (DMZ) and e-mail server | LAN-to-WAN Domain | 1
Remote communications from home office | Remote Access Domain | 2
Local Area Network (LAN) server OS has a known software vulnerability | LAN Domain | 2
User downloads and clicks on an unknown e-mail attachment | User Domain | 1
Workstation browser has a software vulnerability | Workstation Domain | 3
Mobile employee needs secure browser access to sales-order entry system | Remote Access Domain | 3
Service provider has a major network outage | WAN Domain | 2
Weak ingress/egress traffic-filtering degrades performance | LAN-to-WAN Domain | 3
User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers | User Domain | 2
Virtual Private Network (VPN) tunneling between remote computer and ingress/egress router is needed | LAN-to-WAN Domain | 2
Wireless Local Area Network (WLAN) access points are needed for LAN connectivity within a warehouse | LAN Domain | 3
Need to prevent eavesdropping on WLAN due to customer privacy data access | LAN Domain | 1
Denial of service (DoS)/distributed denial of service (DDoS) attack from the Wide Area Network (WAN)/Internet | User Domain | 1

Fighting Fear

In the real world, some managers will accept risk rather than make changes to mitigate it. If they offer up only vague reasons for sticking with the status quo, then their decision is likely based on fear of change. Don’t let their fear stop you from treating the risk.

Here are two tips to fight a manager’s fear:

Prepare for your manager’s “What if?” questions. Example of a manager’s question: “What if we apply the firewall but it also stops network traffic we want, such as from our applications?” Your answer: “We’ve tested nearly all applications with the chosen firewall. And we’re prepared to minimize unforeseen outages.”

Know, in concrete terms, what will happen if the risk is not treated. Example of a manager’s question: “What is supposed to happen that hasn’t happened already?” Your answer will come from the risk assessment you’ve performed, which will calculate the risk’s likelihood and consequences.


6. On your local computer, open a new Internet browser window.

7. In the address box of your Internet browser, type the URL https://www.mitre.org/publications/systems-engineering-guide/acquisition-systems-engineering/risk-management/risk-impact-assessment-and-prioritization and press Enter to open the Web site.

8. Read the article titled “Risk Impact Assessment and Prioritization.”

9. Review Chapter 9 in our text, Managing Risk in Information Systems: NIST Control Families (pg. 226) and Functional Controls (pg. 227).

10. Describe the purpose of prioritizing the risks prior to creating a risk-mitigation plan. (You will complete this portion in our Week #11 Discussion Board.)

11. Describe the difference between Preventive Controls, Detective Controls and Corrective Controls. (Be sure to define each type of functional control in your own words.) (You will complete this portion in our Week #11 Discussion Board.)

12. Provide an overview of any 2 (out of the 18 listed in our text) control families. Please be sure to mention how each of the 2 control families you identified helps an organization. (You will complete this portion in our Week #11 Discussion Board.)

Please complete the Week 11 Discussion Board to complete this Lab #6.