Iaa202 Ia17a Lab3 Team1
Lab 3: Define the Scope & Structure for an IT Risk Management Plan
• Define the scope and boundary for an IT risk management plan to encompass the seven
domains of a typical IT infrastructure
• Relate identified risks, threats, and vulnerabilities to an IT risk management plan and risk
areas
• Incorporate the five major parts of an IT risk management process into the table of
contents of the plan
• Craft an IT risk management plan table of contents that addresses the seven domains of a
typical IT infrastructure and the five major parts of risk management and risk areas
This is a paper-based lab and does not require the use of a “mock” IT infrastructure or virtualized
server farm.
The standard Instructor and Student VM workstation with Microsoft Office 2007 or higher is
required for this lab for Internet access and Microsoft Word for answering and submitting the Lab #3
– Assessment Worksheet questions.
The risks, threats, and vulnerabilities identified in Lab #1 – Identify Threats & Vulnerabilities in
an IT Infrastructure will be used as a basis for the scenario in Lab #3. Students are to focus their
IT risk management plan table of contents using one of the scenarios and vertical industries
assigned by the Instructor.
In addition, Microsoft Word is a required tool for the student to craft an IT risk management plan
table of contents. The scope and structure of the table of contents will be presented by the Instructor
in the demo overview lab.
Recommended Procedures
Student steps needed to perform Lab #3 – Define the Scope & Structure for an IT Risk Management
Plan:
1. Connect your removable hard drive or USB hard drive to a classroom workstation.
4. Review the risks within each of the seven domains from a risk management
perspective – classroom discussion and interaction.
5. Review the 21 identified risks, threats, and vulnerabilities categorized within one of the
seven domains of a typical IT infrastructure. Refer to your Lab #1 – Assessment
Worksheet, Part A – List of Identified Risks, Threats, and Vulnerabilities.
6. For each of the seven domains incorporate the following outline within the scope of your
risk management plan table of contents:
• Risk planning
• Risk identification
• Risk assessment
• Risk mitigation
• Risk monitoring
7. Obtain your scenario and vertical industry assignment from your Instructor.
8. Work with your group members to delegate various parts of your IT risk management plan.
9. Craft a comprehensive IT risk management plan table of contents using Microsoft Word. Be
sure to encompass the five major parts of risk management identified in step #6 above.
10. Answer Lab #3 – Assessment Questions and ask your Instructor questions for guidance.
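As an added example (it is not part of the lab handout or of the team's submission), the following Python script carries steps 5 through 9 of the procedure above through in code: it keeps a risk register keyed to the seven domains, ranks the entries with an assumed 1-to-5 likelihood and impact scale, flags the entries that meet an assumed score threshold as needing immediate mitigation, and emits the table-of-contents skeleton with the five parts of the risk management process under every domain. The three risks named elsewhere in this worksheet are used as register entries; the remaining entries, the scale, the threshold and all function names are assumptions made for illustration.

```python
"""Risk register and table-of-contents skeleton for a Lab #3 style plan.

Added example, not the lab's own material. The seven domains, the five parts
of the risk management process and the first three register entries come
from the lab text; the 1-5 likelihood/impact scale, the score threshold and
the other register entries are assumptions.
"""
from dataclasses import dataclass

DOMAINS = [
    "User", "Workstation", "LAN", "LAN-to-WAN",
    "WAN", "Remote Access", "System/Application",
]
PARTS = [
    "Risk planning", "Risk identification", "Risk assessment",
    "Risk mitigation", "Risk monitoring",
]


@dataclass(frozen=True)
class Risk:
    description: str
    domain: str        # must be one of DOMAINS
    likelihood: int    # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int        # 1 (negligible) .. 5 (severe); assumed scale

    @property
    def score(self) -> int:
        """Qualitative risk score: likelihood times impact (assumed formula)."""
        return self.likelihood * self.impact


# Constructed register. The first three descriptions are risks named in the
# worksheet; the others stand in for the rest of the 21 Lab #1 entries.
REGISTER = [
    Risk("Unauthorized access from public Internet", "LAN-to-WAN", 4, 5),
    Risk("User destroys data in application and deletes all files",
         "System/Application", 3, 5),
    Risk("Hackers infiltrate your IT infrastructure and gain access to "
         "your internal network", "LAN", 3, 5),
    Risk("Remote-access VPN client without encryption", "Remote Access", 2, 4),
    Risk("Workstation missing anti-virus", "Workstation", 3, 3),
    Risk("Employee tailgates into secure area", "User", 2, 2),
    Risk("WAN link outage at ISP", "WAN", 2, 3),
]


def validate(register):
    """Reject entries outside the seven domains or the assumed 1-5 scales."""
    for r in register:
        if r.domain not in DOMAINS:
            raise ValueError(f"unknown domain: {r.domain!r}")
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            raise ValueError(f"score out of range for {r.description!r}")
    return True


def rank(register):
    """Risk assessment step: highest score first; ties broken by domain name."""
    validate(register)
    return sorted(register, key=lambda r: (-r.score, r.domain, r.description))


def immediate_mitigation(register, threshold=15):
    """Entries whose score meets the (assumed) threshold for immediate action."""
    return [r.description for r in rank(register) if r.score >= threshold]


def build_toc(register):
    """Step 6: every domain gets all five parts. Identified risks are listed
    under 'Risk identification' and their scores under 'Risk assessment'."""
    toc = {d: {p: [] for p in PARTS} for d in DOMAINS}
    for r in rank(register):
        toc[r.domain]["Risk identification"].append(r.description)
        toc[r.domain]["Risk assessment"].append(
            f"{r.description} (score {r.score})")
    return toc


def render_toc(toc):
    """Numbered outline text that can be pasted into the Word document."""
    lines = []
    for i, domain in enumerate(DOMAINS, 1):
        lines.append(f"{i}. {domain} Domain")
        for j, part in enumerate(PARTS, 1):
            lines.append(f"   {i}.{j} {part}")
            for item in toc[domain][part]:
                lines.append(f"        - {item}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_toc(build_toc(REGISTER)))
    print("\nImmediate mitigation:", immediate_mitigation(REGISTER))
```

Running the script prints the seven-domain outline with the five parts under each domain and the three named risks at the top of the immediate-mitigation list; changing the scale or the threshold changes only the assessment and mitigation sections, not the structure of the outline, which is the point of fixing the five parts per domain up front.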
Deliverables
Upon completion of Lab #3 – Define the Scope & Structure for an IT Risk Management Plan,
students are required to provide the following deliverables as part of this lab:
The following are the evaluation criteria and rubrics for Lab #3 that the students must perform:
1. Was the student able to define the purpose and objectives of an IT risk management
plan? – [20%]
2. Was the student able to define the scope and boundary for an IT risk management
plan to encompass the seven domains of a typical IT infrastructure? – [20%]
3. Was the student able to relate identified risks, threats, and vulnerabilities to an IT
risk management plan and risk areas? – [20%]
4. Was the student able to incorporate the five major parts of an IT risk management process
into the table of contents of the plan? – [20%]
5. Was the student able to craft an IT risk management plan table of contents that addresses the
seven domains of a typical IT infrastructure and the five major parts of risk management and
risk areas? – [20%]
Lab #3: Assessment Worksheet
Overview
The Instructor will assign your group one of the following scenarios and industry verticals. You
must align your IT risk management plan from this scenario and industry vertical perspective
along with any compliance law requirements.
1. Circle the scenario and industry vertical your Instructor assigned to your group:
2. Make sure your table of contents addresses your scenario and vertical industry.
3. Make sure your table of contents includes at a minimum, the five major parts of IT risk
management:
• Risk planning
• Risk identification
• Risk assessment
• Risk mitigation
• Risk monitoring
4. Make sure your table of contents is executive management ready and addresses all the risk
topics and issues needed for executive management awareness.
5. Answer Lab #3 – Assessment Worksheet questions and submit as part of your Lab #3
deliverables.
Overview
Answer the following Lab #3 – Assessment Worksheet questions pertaining to your IT risk
management plan design and table of contents.
- The goal or objective of an IT risk management plan is to identify, assess, and mitigate risks
related to information technology systems and infrastructure within an organization.
- Identifying the risk, analyzing the risk, ranking or evaluating the risk, providing a solution,
and reviewing or monitoring the risk.
- Identify all the events that can negatively (risk) or positively (opportunity) affect the
objectives of the project.
5. What is the exercise called when you are trying to identify an organization’s risk health?
- Risk assessment.
- One practice that helps reduce or eliminate risk is implementing risk mitigation measures.
Risk mitigation refers to the actions taken to reduce the likelihood or impact of identified
risks. Here are some common practices used for risk mitigation: Risk Avoidance, Risk
Transfer, Risk Reduction, Risk Spreading, Contingency Planning, Training and Awareness,
Regular Monitoring and Evaluation.
- Monitoring.
8. Given that an IT risk management plan can be large in scope, why is it a good idea to
develop a risk management plan team?
- So no tasks are easily missed and the goal of the project can be completed.
9. Within the seven domains of a typical IT infrastructure, which domain is the most difficult
to plan, identify, assess, remediate, and monitor?
- WAN Domain -> User
10. From your scenario perspective, with which compliance law or standard does your
organization have to comply? How did this impact the scope and boundary of your IT risk
management plan?
- The HIPAA policy needs to be in the health care law. HIPAA, because of the hospital scenario. This
will impact the risk management plan by identifying a large number of IT security risks; see
how HIPAA is involved with keeping personal medical records secure. Our range will have to
involve a large amount of IT security or IT risk management that will need to be outsourced to
mitigate risk.
11. How did the risk identification and risk assessment of the identified risks, threats, and
vulnerabilities contribute to your IT risk management plan table of contents?
Develop and implement a risk management plan. Implement security measures. Evaluate and maintain
components
security law. The table of contents will be expanded due to major risks that need to be addressed
12. What risks, threats, and vulnerabilities did you identify and assess that require
immediate risk mitigation given the criticality of the threat or vulnerability?
- Unauthorized access from public Internet
- User destroys data in application and deletes all files
- Hackers infiltrate your IT infrastructure and gain access to your internal network
- Cryptocurrency
13. For risk monitoring, what techniques or tools can you implement within each of the seven
domains of a typical IT infrastructure to help mitigate risk?
- Unauthorized access from the public Internet, a user destroying data in an application and deleting
all files, hackers gaining access to the internal network, and hackers penetrating the IT
infrastructure require immediate risk mitigation.
14. For risk mitigation, what processes and procedures are needed to help streamline and
implement risk mitigation solutions to the production IT infrastructure?
- Different approaches can be followed to mitigate risk in different domains. Having strong
procedures and spreading awareness for the User domain, strong firewalls and anti-virus for the
Workstation domain, port security for the LAN domain, a strong firewall to the server for the LAN-to-WAN
domain, VPN client systems and encryption for the Remote Access domain, a DMZ for the WAN domain, and data backups
and servers for the System/Application domain are effective. Overall, any kind of identification
and steps taken to reduce the risks should help in mitigating risk.
15. How does risk mitigation impact change control management and vulnerability management?
- Developing strict schedules with stringent controls, having IT audits and ensuring timely
completion of tasks with proper remediation and reporting can lead to production IT
infrastructure.