Managing Risk in Information SystemsPowered by vLab SolutionsJONES & BARTLETT LEARNING INFORMATION SYSTEMS SECURITY & ASSURANCE SERIESLABORATORY MANUAL TO ACCOMPANYVERSION 2.0INSTRUCTOR VERSIONCopyright © by Jones & Bartlett Learning, LLC, an Ascend Learning Company – All Rights Reserved.29IntroductionRisk management begins with first identifying risks, threats, and vulnerabilities to then assessthem. Assessing risks means to evaluate risk in terms of two factors. First, evaluate each risk’slikelihood of occurring. Second, evaluate the impact or consequences should the risk occur. Bothlikelihood and impact are important for understanding how each risk measures up to other risks.How the risks compare with one other is important when deciding which risk or risks takepriority. In short, assessing is a critical step toward the goal of mitigation.Assessing risks can be done in one of two ways: quantitatively or qualitatively. Quantitativelymeans to assign numerical values or some objective, empirical value. For example, “Less than$1,000 to repair” or “Biweekly.” Qualitatively means to assign wording or some quasi-subjectivevalue. For example, a risk could be labeled critical, major, or minor.In this lab, you will define the purpose of an IT risk assessment, you will align identified risks,threats, and vulnerabilities to an IT risk assessment that encompasses the seven domains of atypical IT infrastructure, you will classify the risks, threats, and vulnerabilities, and you willprioritize them. Finally, you will write an executive summary that addresses the risk assessmentfindings, risk assessment impact, and recommendations to remediate areas of noncompliance.Learning ObjectivesUpon completing this lab, you will be able to:Define the purpose and objectives of an IT risk assessment.Align identified risks, threats, and vulnerabilities to an IT risk assessment that encompassesthe seven domains of a typical IT infrastructure.Classify identified risks, threats, and vulnerabilities according to a qualitative risk assessmenttemplate.Prioritize classified risks, threats, and vulnerabilities according to the defined qualitative riskassessment scale.Craft an executive summary that addresses the risk assessment findings, risk assessmentimpact, and recommendations to remediate areas of noncompliance.Lab #4 Performing a Qualitative Risk Assessment for an IT InfrastructureCopyright © by Jones & Bartlett Learning, LLC, an Ascend Learning Company – All Rights Reserved.31Copyright © 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.www.jblearning.com Instructor Lab ManualHands-On StepsNote: This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to Microsoft® Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab deliverable files.3. On your local computer, open a new Internet browser window.4. Using your favorite search engine, search for information on the purpose of IT risk assessment.5. Describe the purpose of IT risk assessment.6. Review the following table for the risks, threats, and vulnerabilities found in a health care IT infrastructure servicing patients with life-threatening conditions:Risks, Threats, and Vulnerabilities Primary Domain ImpactedRisk Impact/ FactorUnauthorized access from public InternetUser destroys data in application and deletes all filesHacker penetrates your IT infrastructure and gains access to your internal networkIntraoffice employee romance gone badFire destroys primary data centerService provider service level agreement (SLA) is not achievedWorkstation operating system (OS) has a known software vulnerabilityUnauthorized access to organization- owned workstationsLoss of production dataDenial of service attack on organization Demilitarized Zone (DMZ) and e-mail serverRemote communications from home officeLocal Area Network (LAN) server OS has aCopyright © by Jones & Bartlett Learning, LLC, an Ascend Learning Company – All Rights Reserved.GCUNNINGHAM0003
32 | LAB #4 Performing a Qualitative Risk Assessment for an IT Infrastructureknown software vulnerabilityUser downloads and clicks on an unknown e-mail attachmentWorkstation browser has a software vulnerabilityMobile employee needs secure browser access to sales-order entry systemService provider has a major network outageWeak ingress/egress traffic-filtering degrades performanceUser inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computersVirtual Private Network (VPN) tunneling between remote computer and ingress/egress router is neededWireless Local Area Network (WLAN) access points are needed for LAN connectivity within a warehouseNeed to prevent eavesdropping on WLAN due to customer privacy data accessDenial of service (DoS)/distributed denial of service (DDoS) attack from the Wide Area Network (WAN)/Internet7. Review the seven domains of a typical IT infrastructure (see Figure 1).Figure 1 Seven domains of a typical IT infrastructure8. Using the table from step 6, identify in the table’s Primary Domain Impacted column which of the seven domains of a typical IT infrastructure will be most impacted by each risk, threat, or vulnerability listed.Copyright © by Jones & Bartlett Learning, LLC, an Ascend Learning Company – All Rights Reserved.GCUNNINGHAM0003
33Copyright © 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.www.jblearning.com Instructor Lab ManualQualitative Versus Quantitative The next step requests that you assign a score to each of the risks in the table from step 6. The scoring is done qualitatively, by assigning one of several labels on a scale. In this case, the scale is provided for you, ranging from Critical to Minor.Using qualitative scores to assess risks is comparatively easy and quick. The alternative is to assess quantitatively, using actual, numerical scores. Using qualitative words such as “critical” or “major” introduces subjective opinion, while citing numbers such as “Damage to be more than $3 million” or “Will cause an outage of under four hours” introduces quantitative objectivity.Quantitative scoring is more objective, but calculating risk assessment this way can take much more time. This is because it requires you to dig up hard facts. For instance, you can conduct quantitative scoring by referring to your organization’s history or claims records by answering such questions as “How often has this happened to us, or others?” You can also assess risks numerically by researching the costs to recover from losses.It is possible to assess risks both quantitatively and qualitatively. For example, you could quantitatively score the likelihood and consequences of each risk, for example, “under 10% chance” and “ ‘X’ number of staff lives harmed or lost.” But you could present the final score qualitatively, for example, “critical” or “needs to be addressed immediately.”9. Using the table from step 6, perform a qualitative risk assessment by assigning a risk impact/risk factor to each of the identified risks, threats, and vulnerabilities throughout the seven domains of a typical IT infrastructure where the risk, threat, or vulnerability resides. Assign each risk, threat, and vulnerability a priority number in the table’s Risk Impact/Factor column, where: “1” is Critical: A risk, threat, or vulnerability that impacts compliance (that is, privacy law requirement for securing privacy data and implementing proper security controls,and so on) and places the organization in a position of increased liability “2” is Major: A risk, threat, or vulnerability that impacts the confidentiality, integrity, and availability (C-I-A) of an organization’s intellectual property assets and ITinfrastructure“3” is Minor: A risk, threat, or vulnerability that can impact user or employee productivity or availability of the IT infrastructureNote: Keep the following in mind when working on the next step: When suggesting next steps to executive management, consider your recommendations from their point of view. Be prepared to explain costs, both in implementing the controls and then in maintaining the controls.Remember that costs come in many forms, not least of which is labor. Be sure accountability is thought out in terms of roles and responsibilities. Other potential costs outside the data center include goodwill or reputation, market share, and lost opportunity. Executive management might have these costs topmost in mind.Copyright © by Jones & Bartlett Learning, LLC, an Ascend Learning Company – All Rights Reserved.GCUNNINGHAM0003
Pages from 9781284058680_ILMx_Risk20
Delivering a high-quality product at a reasonable price is not enough anymore.
That’s why we have developed 5 beneficial guarantees that will make your experience with our service enjoyable, easy, and safe.
You have to be 100% sure of the quality of your product to give a money-back guarantee. This describes us perfectly. Make sure that this guarantee is totally transparent.Read more
Each paper is composed from scratch, according to your instructions. It is then checked by our plagiarism-detection software. There is no gap where plagiarism could squeeze in.Read more
Thanks to our free revisions, there is no way for you to be unsatisfied. We will work on your paper until you are completely happy with the result.Read more
Your email is safe, as we store it according to international data protection rules. Your bank details are secure, as we use only reliable payment systems.Read more
By sending us your money, you buy the service we provide. Check out our terms and conditions if you prefer business talks to be laid out in official language.Read more