Risk management begins with first identifying risks, threats, and vulnerabilities to then assess them. Assessing risks means to evaluate risk in terms of two factors. First, evaluate each risk’s likelihood of occurring. Second, evaluate the impact or consequences should the risk occur. Both likelihood and impact are important for understanding how each risk measures up to other risks. How the risks compare with one other is important when deciding which risk or risks take priority. In short, assessing is a critical step toward the goal of mitigation.
Assessing risks can be done in one of two ways: quantitatively or qualitatively. Quantitatively means to assign numerical values or some objective, empirical value. For example, “Less than $1,000 to repair” or “Biweekly.” Qualitatively means to assign wording or some quasi-subjective value. For example, a risk could be labeled critical, major, or minor.
In this lab, you will define the purpose of an IT risk assessment, you will align identified risks, threats, and vulnerabilities to an IT risk assessment that encompasses the seven domains of a typical IT infrastructure, you will classify the risks, threats, and vulnerabilities, and you will prioritize them. Finally, you will write an executive summary that addresses the risk assessment findings, risk assessment impact, and recommendations to remediate areas of noncompliance.
Upon completing this lab, you will be able to:
Define the purpose and objectives of an IT risk assessment. Align identified risks, threats, and vulnerabilities to an IT risk assessment that encompasses the seven domains of a typical IT infrastructure. Classify identified risks, threats, and vulnerabilities according to a qualitative risk assessment template. Prioritize classified risks, threats, and vulnerabilities according to the defined qualitative risk assessment scale. Craft an executive summary that addresses the risk assessment findings, risk assessment impact, and recommendations to remediate areas of noncompliance.
Upon completion of this assignment, you are required to provide the following deliverables to your instructor:
- Fill out the “Risks, Threats, and Vulnerabilities” Table on Page 5 with the “Primary Domain Impacted” and “Risk Impact Factor” for each as 1 – Critical, 2 – Major, or 3 – Minor.
- Write a four-paragraph (1 to 2 page) executive summary covering the following topics:
- Paragraph #1: Summary of findings (risks, threats, and vulnerabilities found throughout the seven domains of a typical IT infrastructure)
- Paragraph #2: Approach and prioritization of critical, major, and minor risk assessment elements
- Paragraph #3: Risk assessment and risk impact summary of the seven domains of a typical IT infrastructure
- Paragraph #4: Recommendations and next steps for executive management
- Answer the five Lab Assessment questions.
- Review the following table for the risks, threats, and vulnerabilities found in a health care IT infrastructure servicing patients with life-threatening conditions:
- Review the seven domains of a typical IT infrastructure (see below).
Qualitative Versus Quantitative
The next step requests that you assign a score to each of the risks in the table from step 6. The scoring is done qualitatively, by assigning one of several labels on a scale. In this case, the scale is provided for you, ranging from Critical to Minor.
Using qualitative scores to assess risks is comparatively easy and quick. The alternative is to assess quantitatively, using actual, numerical scores. Using qualitative words such as “critical” or “major” introduces subjective opinion, while citing numbers such as “Damage to be more than $3 million” or “Will cause an outage of under four hours” introduces quantitative objectivity.
Quantitative scoring is more objective, but calculating risk assessment this way can take much more time. This is because it requires you to dig up hard facts. For instance, you can conduct quantitative scoring by referring to your organization’s history or claims records by answering such questions as “How often has this happened to us, or others?” You can also assess risks numerically by researching the costs to recover from losses.
It is possible to assess risks both quantitatively and qualitatively. For example, you could quantitatively score the likelihood and consequences of each risk, for example, “under 10% chance” and “ ‘X’ number of staff lives harmed or lost.” But you could present the final score qualitatively, for example, “critical” or “needs to be addressed immediately.”
- In your Lab Assessment using the table from Step 1, identify in the table’s Primary Domain Impacted column which of the seven domains of a typical IT infrastructure will be most impacted by each risk, threat, or vulnerability listed.
- In your Lab Assessment, using the table from Step 1, perform a qualitative risk assessment by assigning a risk impact/risk factor to each of the identified risks, threats, and vulnerabilities throughout the seven domains of a typical IT infrastructure where the risk, threat, or vulnerability resides. Assign each risk, threat, and vulnerability a priority number in the table’s Risk Impact/Factor column, where:
- “1” is Critical: A risk, threat, or vulnerability that impacts compliance (that is, privacy law requirement for securing privacy data and implementing proper security controls, and so on) and places the organization in a position of increased liability
- “2” is Major: A risk, threat, or vulnerability that impacts the confidentiality, integrity, and availability (C-I-A) of an organization’s intellectual property assets and IT infrastructure
- “3” is Minor: A risk, threat, or vulnerability that can impact user or employee productivity or availability of the IT infrastructure
Keep the following in mind when working on the next step: When suggesting next steps to executive management, consider your recommendations from their point of view. Be prepared to explain costs, both in implementing the controls and then in maintaining the controls.
Remember that costs come in many forms, not least of which is labor. Be sure accountability is thought out in terms of roles and responsibilities. Other potential costs outside the data center include goodwill or reputation, market share, and lost opportunity. Executive management might have these costs topmost in mind.
Assignment #2 – Assessment Worksheet
Performing a Qualitative Risk Assessment for an IT Infrastructure
In this lab, you defined the purpose of an IT risk assessment, you aligned identified risks, threats, and vulnerabilities to an IT risk assessment that encompasses the seven domains of a typical IT infrastructure, you classified the risks, threats, and vulnerabilities, and you prioritized them. Finally, you wrote an executive summary that addresses the risk assessment findings, risk assessment impact, and recommendations to remediate areas of noncompliance.
Lab Assessment Questions & Answers
- What is an IT risk assessment’s goal or objective?
- Why is it difficult to conduct a quantitative risk assessment for an IT infrastructure?
- What was your rationale in assigning a “1” risk impact/risk factor value of “Critical” to an identified risk, threat, or vulnerability?
- After you had assigned the “1,” “2,” and “3” risk impact/risk factor values to the identified risks, threats, and vulnerabilities, how did you prioritize the “1,” “2,” and “3” risk elements? What would you say to executive management about your final recommended prioritization?
- Identify a risk-mitigation solution for each of the following risk factors:
- User downloads and clicks on an unknown e-mail attachment
- Workstation OS has a known software vulnerability
- Need to prevent eavesdropping on WLAN due to customer privacy data access
- Weak ingress/egress traffic-filtering degrades performance
- DoS/DDoS attack from the WAN/Internet
- Remote access from home office
- Production server corrupts database
|Risks, Threats, and Vulnerabilities||Primary Domain Impacted||Risk Impact/ Factor|
|Unauthorized access from public Internet|
|User destroys data in application and deletes all files|
|Hacker penetrates your IT infrastructure and gains access to your internal network|
|Intra-office employee romance gone bad|
|Fire destroys primary data center|
|Service provider service level agreement (SLA) is not achieved|
|Workstation operating system (OS) has a known software vulnerability|
|Unauthorized access to organization owned workstations|
|Loss of production data|
|Denial of service attack on organization Demilitarized Zone (DMZ) and e-mail server|
|Remote communications from home office|
|Local Area Network (LAN) server OS has a known software vulnerability|
|User downloads and clicks on an unknown e-mail attachment|
|Workstation browser has a software vulnerability|
|Mobile employee needs secure browser access to sales-order entry system|
|Service provider has a major network outage|
|Weak ingress/egress traffic-filtering degrades performance|
|User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers|
|Virtual Private Network (VPN) tunneling between remote computer and ingress/egress router is needed|
|Wireless Local Area Network (WLAN) access points are needed for LAN connectivity within a warehouse|
|Need to prevent eavesdropping on WLAN due to customer privacy data access|
|Denial of service (DoS)/distributed denial of service (DDoS) attack from the Wide Area Network (WAN)/Internet|