Performing a Qualitative Risk Assessment for an IT

Lab #4 Performing a Qualitative Risk Assessment for an IT
Infrastructure
Introduction
Risk management begins with first identifying risks, threats, and vulnerabilities to then assess them.
Assessing risks means to evaluate risk in terms of two factors. First, evaluate each risk’s likelihood
of occurring. Second, evaluate the impact or consequences should the risk occur. Both likelihood and
impact are important for understanding how each risk measures up to other risks. How the risks
compare with one other is important when deciding which risk or risks take priority. In short,
assessing is a critical step toward the goal of mitigation.
Assessing risks can be done in one of two ways: quantitatively or qualitatively. Quantitatively means
to assign numerical values or some objective, empirical value. For example, “Less than $1,000 to
repair” or “Biweekly.” Qualitatively means to assign wording or some quasi-subjective value. For
example, a risk could be labeled critical, major, or minor.
In this lab, you will define the purpose of an IT risk assessment, you will align identified risks,
threats, and vulnerabilities to an IT risk assessment that encompasses the seven domains of a typical
IT infrastructure, you will classify the risks, threats, and vulnerabilities, and you will prioritize them.
Finally, you will write an executive summary that addresses the risk assessment findings, risk
assessment impact, and recommendations to remediate areas of noncompliance.
Learning Objectives
 Upon completing this lab, you will be able to:
 Define the purpose and objectives of an IT risk assessment.
 Align identified risks, threats, and vulnerabilities to an IT risk assessment that encompasses
the seven domains of a typical IT infrastructure.
 Classify identified risks, threats, and vulnerabilities according to a qualitative risk assessment
template.
 Prioritize classified risks, threats, and vulnerabilities according to the defined qualitative risk
assessment scale.
 Craft an executive summary that addresses the risk assessment findings, risk assessment
impact, and recommendations to remediate areas of noncompliance.
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. Lab Report file;
2. Lab Assessments file.
1. On your local computer, create the lab deliverable files.
2. Review the Lab Assessment Worksheet. You will find answers to these questions as you proceed
through the lab steps.
3. On your local computer, open a new Internet browser window.
4. Using your favorite search engine, search for information on the purpose of IT risk assessment.
5. In your Lab Report file, describe the purpose of IT risk assessment.
6. Review the following table for the risks, threats, and vulnerabilities found in a health care IT
infrastructure servicing patients with life-threatening conditions:
Risks, Threats, and Vulnerabilities Primary Domain
Impacted
Risk Impact/
Factor
Unauthorized access from public Internet
User destroys data in application and
deletes all files
Hacker penetrates your IT infrastructure
and gains access to your internal network
Intraoffice employee romance gone bad
Fire destroys primary data center
Service provider service level agreement
(SLA) is not achieved
Workstation operating system (OS) has a
known software vulnerability
Unauthorized access to organizationowned workstations
Loss of production data
Denial of service attack on organization
Demilitarized Zone (DMZ) and e-mail
server
Remote communications from home office
Local Area Network (LAN) server OS has a
known software vulnerability
User downloads and clicks on an unknown
e-mail attachment
Workstation browser has a software
vulnerability
Mobile employee needs secure browser
access to sales-order entry system
Service provider has a major network
outage
Weak ingress/egress traffic-filtering
degrades performance
User inserts CDs and USB hard drives with
personal photos, music, and videos on
organization-owned computers
Virtual Private Network (VPN) tunneling
between remote computer and
ingress/egress router is needed
Wireless Local Area Network (WLAN)
access points are needed for LAN
connectivity within a warehouse
Need to prevent eavesdropping on WLAN
due to customer privacy data access
Denial of service (DoS)/distributed denial of
service (DDoS) attack from the Wide Area
Network (WAN)/Internet
7. Review the seven domains of a typical IT infrastructure (see Figure 1).
Figure 1 Seven domains of a typical IT infrastructure
8. In your Lab Report file, using the table from step 6, identify in the table’s Primary Domain
Impacted column which of the seven domains of a typical IT infrastructure will be most
impacted by each risk, threat, or vulnerability listed.
Qualitative Versus Quantitative
The next step requests that you assign a score to each of the risks in the table from step 6. The scoring is done
qualitatively, by assigning one of several labels on a scale. In this case, the scale is provided for you, ranging from
Critical to Minor.
Using qualitative scores to assess risks is comparatively easy and quick. The alternative is to assess quantitatively,
using actual, numerical scores. Using qualitative words such as “critical” or “major” introduces subjective opinion,
while citing numbers such as “Damage to be more than $3 million” or “Will cause an outage of under four hours”
introduces quantitative objectivity.
Quantitative scoring is more objective, but calculating risk assessment this way can take much more time. This is
because it requires you to dig up hard facts. For instance, you can conduct quantitative scoring by referring to your
organization’s history or claims records by answering such questions as “How often has this happened to us, or
others?” You can also assess risks numerically by researching the costs to recover from losses.
It is possible to assess risks both quantitatively and qualitatively. For example, you could quantitatively score the
likelihood and consequences of each risk, for example, “under 10% chance” and “ ‘X’ number of staff lives harmed or
lost.” But you could present the final score qualitatively, for example, “critical” or “needs to be addressed
immediately.”
9. In your Lab Report file, using the table from step 6, perform a qualitative risk assessment by
assigning a risk impact/risk factor to each of the identified risks, threats, and vulnerabilities
throughout the seven domains of a typical IT infrastructure where the risk, threat, or vulnerability
resides. Assign each risk, threat, and vulnerability a priority number in the table’s Risk Impact/Factor
column, where:
• “1” is Critical: A risk, threat, or vulnerability that impacts compliance (that is, privacy law
requirement for securing privacy data and implementing proper security controls, and so on) and
places the organization in a position of increased liability
• “2” is Major: A risk, threat, or vulnerability that impacts the confidentiality, integrity, and
availability (C-I-A) of an organization’s intellectual property assets and IT infrastructure
“3” is Minor: A risk, threat, or vulnerability that can impact user or employee productivity or
availability of the IT infrastructure.
Note:
Keep the following in mind when working on the next step: When suggesting next steps to executive management,
consider your recommendations from their point of view. Be prepared to explain costs, both in implementing the
controls and then in maintaining the controls.
Remember that costs come in many forms, not least of which is labor. Be sure accountability is thought out in terms
of roles and responsibilities. Other potential costs outside the data center include goodwill or reputation, market
share, and lost opportunity. Executive management might have these costs topmost in mind.
10. In your Lab Report file, write a four-paragraph executive summary according to the following
outline:
 Paragraph #1: Summary of findings (risks, threats, and vulnerabilities found throughout the
seven domains of a typical IT infrastructure)
 Paragraph #2: Approach and prioritization of critical, major, and minor risk assessment
elements
 Paragraph #3: Risk assessment and risk impact summary of the seven domains of a typical IT
infrastructure
 Paragraph #4: Recommendations and next steps for executive management
Note:
This completes the lab. Close the Web browser, if you have not already done so.
Evaluation Criteria and Rubrics
The following are the evaluation criteria for this lab that students must perform:
1. Define the purpose and objectives of an IT risk assessment. – [20%] 2. Align identified risks, threats, and vulnerabilities to an IT risk assessment that encompasses the
seven domains of a typical IT infrastructure. – [20%] 3. Classify identified risks, threats, and vulnerabilities according to a qualitative risk assessment
template. – [20%] 4. Prioritize classified risks, threats, and vulnerabilities according to the defined qualitative risk
assessment scale. – [20%] 5. Craft an executive summary that addresses the risk assessment findings, risk assessment impact,
and recommendations to remediate areas of noncompliance. – [20%]