The following sample findings and mitigation plans illustrate how each plan should be listed and described: Finding: Finding: All internet links are serviced by a single ISP Risk Exposure: High Mitigation Plan: Contract with at least two different service providers in order to maintain availability in the case of a major ISP failure. Responsible Party(ies): IT Department Record your mitigation plans target dates and responsible parties in the space provided below. Reference the finding numbers and your assessments from Assignment 3: Finding 2: Finding: Network connections from the offshore developers' workstations to the code repository server are not encrypted. Risk Exposure: Target Date: End of Q2 2012 Finding: Finding: Not all backup copies of sensitive data are encrypted Risk Exposure: High Mitigation Plan: All stored sensitive data should be encrypted, including backups on-site and off-site. Responsible Party(ies): IT Department Target Date: Within 30 Days Finding: Finding: Updates to the file server are not tested before implementation Risk Exposure: Moderate Mitigation Plan: Establish a small test environment to verify any new updates before installing them in production. This test environment should mimic the production file server configuration as closely as possible. Establish a roll-back plan for each update made to the production system. Target Date: Within 90 Days Responsible Party(ies): QA Testing Team and System Administrators Mitigation Plan: Target Date: Risk Exposure: Mitigation Plan: Finding: Finding: Router brands and software versions are listed on job postings Risk Exposure: Low Mitigation Plan: In job postings, try to limit infrastructure details and desired competencies to generic platform references or specific industry certifications like CCNA. Include this in security guidelines and employee security awareness training. Target Date: End of Q4 2012 Responsible Party(ies): HR Department and Security Team Responsible Party(ies): Finding 4: Finding: Client data is copied from production servers to this server regularly for QA testing. Target Date: Responsible Party(ies): Finding 6: Finding: No one notifies the Help Desk of terminations for support personnel in order to ensure that their access is disabled. Risk Exposure: Mitigation Plan: Target Date: Responsible Party(ies):