
Lab: Qualitative Risk Assessment

Scenario

The following risks, threats, and vulnerabilities were found in the IT infrastructure of a healthcare provider. Consider the HIPAA compliance law and what compliance with HIPAA involves.

Unauthorized access from public Internet

User destroys data in application and deletes all files

Hacker penetrates your IT infrastructure and gains access to your internal network

Intra-office employee romance gone bad

Fire destroys primary data center

Service provider SLA is not achieved

Workstation OS has a known software vulnerability

Unauthorized access to organization-owned workstations

Loss of production data

Denial of service attack on organization

DMZ and e-mail server

Remote communications from home office

LAN server OS has a known software vulnerability

User downloads and clicks on an unknown e-mail attachment

Workstation browser has software vulnerability

Mobile employee needs secure browser access to sales order entry system

Service provider has a major network outage

Weak ingress/egress traffic filtering degrades performance

User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers

VPN tunneling between remote computer and ingress/egress router is needed

WLAN access points are needed for LAN connectivity within a warehouse

Need to prevent eavesdropping on WLAN due to customer privacy data access

DoS/DDoS attack from the WAN/Internet

Instructions

1. In a word processing document, perform a qualitative risk assessment. First, set up a table with a row for each risk/threat/vulnerability and three columns as indicated in the partial example below.

| Risk/Threat/Vulnerability | Primary Domain Impacted | Risk Impact/Factor |
| --- | --- | --- |
| Unauthorized access from public Internet | | |
| User destroys data in application and deletes all files | | |

2. In the second column, indicate which typical IT domain is impacted by each risk/threat/vulnerability.

3. In the third column, prioritize the risk/threat/vulnerability as either Critical, Major, or Minor using the numbers 1, 2, and 3, respectively. Use the following qualitative risk impact/risk factor metrics:

A-1 Critical: a risk, threat, or vulnerability that impacts compliance (i.e., privacy law requirement for securing privacy data and implementing proper security controls, etc.) and places the organization in a position of increased liability.

B-2 Major: a risk, threat, or vulnerability that impacts the C-I-A of an organization's intellectual property assets and IT infrastructure.

C-3 Minor: a risk, threat, or vulnerability that can impact user or employee productivity or availability of the IT infrastructure.

Below the table, craft an executive summary for management in four paragraphs:

A. Purpose of the risk assessment and summary of risks, threats, and vulnerabilities found throughout the IT infrastructure

B. Prioritization of critical, major, minor risk assessment elements

C. Risk assessment and risk impact summary

D. Recommendations and next steps

Below the executive summary, answer the following questions pertaining to the qualitative IT risk assessment you performed.

a. What is the goal or objective of an IT risk assessment?

b. Why is it difficult to conduct a qualitative risk assessment for an IT infrastructure?

c. What was your rationale in assigning a "1" risk impact/risk factor value of Critical for an identified risk, threat, or vulnerability?

d. When you assigned all of the "1", "2", and "3" risk impact/risk factor values to the identified risks, threats, and vulnerabilities, how did you prioritize the "1", "2", and "3" risk elements? What would you say to executive management in regard to your final recommended prioritization?
