In this Lab #6, you reviewed the article titled "Risk Impact Assessment and Prioritization." You also reviewed the results of the assessments in the table and noted how the risks were categorized an

INSTRUCTOR VERSION
Copyright © by Jones & Bartlett Learning, LLC, an Ascend Learning Company - All Rights Reserved.

Introduction

Identifying and assessing risks is challenging, but treating them is another matter entirely. Treating risks means making changes based on a risk assessment, and probably a few hard decisions. When treating even the most straightforward of risks, practice due diligence by documenting what steps you are taking to mitigate the risk. If you don't document the change and the reasoning behind it, your organization could later reverse the mitigation and reintroduce the risk on the grounds that "that's how we always did it before."

After you've addressed a risk, appoint someone to make certain that the risk treatment is being regularly applied. If a security incident arises even with the change in place, having a single person in charge will ensure that any corrective action aligns with the risk-mitigation plan. You're not appointing somebody so you can blame that person if things go wrong; you are instead investing that individual with the autonomy to manage the incident effectively.

The purpose of a risk-mitigation plan is to define and document the procedures and processes that establish a baseline for ongoing mitigation of risks in the seven domains of an IT infrastructure.

In this lab, you will review an article titled "Risk Impact Assessment and Prioritization." You will review the results of an assessment and note how the risks were categorized and prioritized for the IT infrastructure. You will review functional controls and NIST control families. You will then go into our classroom and answer the questions in our Week #11 discussion board pertaining to the information in this Lab #6.
Learning Objectives

Upon completing this lab, you will be able to:
- Identify the scope for an IT risk-mitigation plan focusing on the seven domains of a typical IT infrastructure.
- Identify the purpose of prioritizing the risks prior to creating a risk-mitigation plan.
- Identify the difference between preventive controls, detective controls and corrective controls.
- Identify NIST control families.

Lab #6 Developing a Risk-Mitigation Plan for an IT Infrastructure

1. Review the seven domains of a typical IT infrastructure (see Figure 1).

[Figure 1: Seven domains of a typical IT infrastructure]

3. Review the results of the assessments in the following table. Note how the risks are categorized and prioritized for the IT infrastructure.

Risks, Threats, and Vulnerabilities | Primary Domain Impacted | Risk Impact/Factor
Unauthorized access from public Internet | Remote Access Domain | 1
User destroys data in application and deletes all files | System/Application Domain | 3
Hacker penetrates your IT infrastructure and gains access to your internal network | LAN-to-WAN Domain | 1
Intraoffice employee romance gone bad | User Domain | 3
Fire destroys primary data center | System/Application Domain | 1
Service provider service level agreement (SLA) is not achieved | WAN Domain | 3
Workstation operating system (OS) has a known software vulnerability | Workstation Domain | 2
Unauthorized access to organization-owned workstations | Workstation Domain | 1
Loss of production data | System/Application Domain | 2
Denial of service attack on organization Demilitarized Zone (DMZ) and e-mail server | LAN-to-WAN Domain | 1
Remote communications from home office | Remote Access Domain | 2
Local Area Network (LAN) server OS has a known software vulnerability | LAN Domain | 2
User downloads and clicks on an unknown e-mail attachment | User Domain | 1
Workstation browser has a software vulnerability | Workstation Domain | 3
Mobile employee needs secure browser access to sales-order entry system | Remote Access Domain | 3
Service provider has a major network outage | WAN Domain | 2
Weak ingress/egress traffic-filtering degrades performance | LAN-to-WAN Domain | 3
User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers | User Domain | 2
Virtual Private Network (VPN) tunneling between remote computer and ingress/egress router is needed | LAN-to-WAN Domain | 2
Wireless Local Area Network (WLAN) access points are needed for LAN connectivity within a warehouse | LAN Domain | 3
Need to prevent eavesdropping on WLAN due to customer privacy data access | LAN Domain | 1
Denial of service (DoS)/distributed denial of service (DDoS) attack from the Wide Area Network (WAN)/Internet | User Domain | 1

Fighting Fear

In the real world, some managers will accept risk rather than make changes to mitigate it. If they offer up only vague reasons for sticking with the status quo, then their decision is likely based on fear of change. Don't let their fear stop you from treating the risk. Here are two tips to fight a manager's fear:

- Prepare for your manager's "What if?" questions. Example of a manager's question: "What if we apply the firewall but it also stops network traffic we want, such as from our applications?" Your answer: "We've tested nearly all applications with the chosen firewall, and we're prepared to minimize unforeseen outages."
- Know, in concrete terms, what will happen if the risk is not treated. Example of a manager's question: "What is supposed to happen that hasn't happened already?" Your answer will come from the risk assessment you've performed, which calculates the risk's likelihood and consequences.

6. On your local computer, open a new Internet browser window.

7. In the address box of your Internet browser, type the URL https://www.mitre.org/publications/systems-engineering-guide/acquisition-systems-engineering/risk-management/risk-impact-assessment-and-prioritization and press Enter to open the Web site.

8. Read the article titled "Risk Impact Assessment and Prioritization."

9. Review Chapter 9 in our text, Managing Risk in Information Systems: NIST control families (p. 226) and functional controls (p. 227).

10. Describe the purpose of prioritizing the risks prior to creating a risk-mitigation plan. (You will complete this portion in our Week #11 discussion board.)

11. Describe the difference between preventive controls, detective controls and corrective controls. Be sure to define each type of functional control in your own words. (You will complete this portion in our Week #11 discussion board.)

12. Provide an overview of any 2 of the 18 control families listed in our text. Be sure to mention how each of the 2 control families you identified helps an organization. (You will complete this portion in our Week #11 discussion board.)

Please complete the Week 11 Discussion Board to complete this Lab #6.
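As an added example for step 10 (it is not part of the lab or its textbook), the Python script below takes the lab's risk table as its input, orders the risks by impact factor, groups them into plan phases and summarizes them per domain, which is the information the scope of a risk-mitigation plan is built from. It assumes that factor 1 is the highest priority (the lab does not state the scale explicitly); the pipe-separated input format and the function names are the example's own.

```python
"""Prioritize a risk register before writing a risk-mitigation plan.

Added example, not part of the Jones & Bartlett lab or its textbook.
The register below is transcribed from the lab's table; treating impact
factor 1 as the highest priority is this example's assumption.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed input: the lab's table as "risk | primary domain | factor" lines.
REGISTER_TEXT = """\
Unauthorized access from public Internet | Remote Access Domain | 1
User destroys data in application and deletes all files | System/Application Domain | 3
Hacker penetrates your IT infrastructure and gains access to your internal network | LAN-to-WAN Domain | 1
Intraoffice employee romance gone bad | User Domain | 3
Fire destroys primary data center | System/Application Domain | 1
Service provider service level agreement (SLA) is not achieved | WAN Domain | 3
Workstation operating system (OS) has a known software vulnerability | Workstation Domain | 2
Unauthorized access to organization-owned workstations | Workstation Domain | 1
Loss of production data | System/Application Domain | 2
Denial of service attack on organization Demilitarized Zone (DMZ) and e-mail server | LAN-to-WAN Domain | 1
Remote communications from home office | Remote Access Domain | 2
Local Area Network (LAN) server OS has a known software vulnerability | LAN Domain | 2
User downloads and clicks on an unknown e-mail attachment | User Domain | 1
Workstation browser has a software vulnerability | Workstation Domain | 3
Mobile employee needs secure browser access to sales-order entry system | Remote Access Domain | 3
Service provider has a major network outage | WAN Domain | 2
Weak ingress/egress traffic-filtering degrades performance | LAN-to-WAN Domain | 3
User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers | User Domain | 2
Virtual Private Network (VPN) tunneling between remote computer and ingress/egress router is needed | LAN-to-WAN Domain | 2
Wireless Local Area Network (WLAN) access points are needed for LAN connectivity within a warehouse | LAN Domain | 3
Need to prevent eavesdropping on WLAN due to customer privacy data access | LAN Domain | 1
Denial of service (DoS)/distributed denial of service (DDoS) attack from the Wide Area Network (WAN)/Internet | User Domain | 1
"""

Row = Tuple[str, str, int]  # (risk, primary domain impacted, impact factor)
VALID_FACTORS = (1, 2, 3)   # 1 = highest priority (assumed scale)


def parse_register(text: str) -> List[Row]:
    """Parse the rows; reject malformed ones so a typo cannot silently
    promote or demote a risk in the plan."""
    rows: List[Row] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 columns, got {len(parts)}")
        risk, domain, factor_text = parts
        try:
            factor = int(factor_text)
        except ValueError:
            raise ValueError(f"line {lineno}: factor {factor_text!r} is not a number")
        if factor not in VALID_FACTORS:
            raise ValueError(f"line {lineno}: factor must be one of {VALID_FACTORS}")
        rows.append((risk, domain, factor))
    return rows


def prioritize(rows: List[Row]) -> List[Row]:
    """Order by impact factor, 1 first. sorted() is stable, so risks with
    the same factor keep their register order instead of an arbitrary one."""
    return sorted(rows, key=lambda r: r[2])


def plan_phases(rows: List[Row]) -> Dict[int, List[str]]:
    """Group the prioritized register into plan phases, one per factor."""
    phases: Dict[int, List[str]] = defaultdict(list)
    for risk, domain, factor in prioritize(rows):
        phases[factor].append(f"{domain}: {risk}")
    return dict(phases)


def by_domain(rows: List[Row]) -> Dict[str, Dict[int, int]]:
    """Count risks per domain and factor, showing which of the seven
    domains carry the most high-priority risk and so the most plan effort."""
    summary = defaultdict(Counter)
    for _, domain, factor in rows:
        summary[domain][factor] += 1
    return {domain: dict(counts) for domain, counts in summary.items()}


if __name__ == "__main__":
    register = parse_register(REGISTER_TEXT)
    for factor, items in sorted(plan_phases(register).items()):
        print(f"Phase {factor}: {len(items)} risks")
        for item in items:
            print("  -", item)
    for domain, counts in by_domain(register).items():
        print(f"{domain}: {counts}")
```

Run as a script, it lists the eight factor-1 risks first as phase 1 of the plan, then the factor-2 and factor-3 risks, and finally the per-domain counts; the parser refuses a factor outside 1 to 3, which is the check a practitioner wants before a register feeds a plan that other people will act on.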