Lab #3 Defining the Scope and Structure for an IT Risk Management Plan Introduction Every company needs to take risks to thrive, but not too much risk which could be catastrophic. Finding the balanced amount of risk requires identifying what opportunities (or threats) are present, understanding how significant each of them is, recognizing what action to take to Jones & Bartlett smartly handle Learning, both LLC opportunities and risks, and Jones lastly, monitoring & Bartlett all Learning, of the above, LLCincluding NOT FOR SALE discovering OR DISTRIBUTION more prospects and threats. All told, NOT this FOR is called SALE risk OR management. DISTRIBUTION Specific to the seven domains of the IT infrastructure, this lab will cover IT risk management. In this lab, you will define the purpose of an IT risk management plan, you will define the scope for an IT risk management plan that encompasses the seven domains of a typical IT infrastructure, you Jones will relate & Bartlett the risks, Learning, threats, and LLC vulnerabilities to the plan, Jones and you & will Bartlett create Learning, LL an IT risk management NOT FOR plan SALE outline OR that DISTRIBUTION incorporates the five major parts of NOT an IT FOR risk SALE OR DISTRIBUT management process. Learning Jones & Objectives Bartlett Learning, LLC Upon NOT completing FOR SALE this OR lab, DISTRIBUTION you will be able to: Define the purpose and objectives of an IT risk management plan. Define the scope and boundary for an IT risk management plan to encompass the seven Jones & Bartlett domains Learning, of a LLC typical IT infrastructure. NOT FOR SALE OR Relate DISTRIBUTION identified risks, threats, and vulnerabilities NOT FOR SALE to an IT OR risk DISTRIBUTION management plan and risk areas. Incorporate the five major parts of an IT risk management process into a risk management plan s outline. Craft an outline Jones for & an Bartlett IT risk management Learning, LLC plan, which includes the seven Jones domains & Bartlett of a Learning, LL typical IT NOT infrastructure FOR SALE and OR the DISTRIBUTION five major parts of risk management NOT and risk FOR areas. SALE OR DISTRIBUT 18..
19 Deliverables Upon completion of Jones this lab, & Bartlett you are required Learning, to provide LLC the following deliverables Jones to & your Bartlett Learning, LL instructor: 1. Lab Report file; 2. Lab Assessments file. Copyright 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved. www.jblearning.com Student Lab Manual..
20 LAB #3 Defining the Scope and Structure for an IT Risk Management Plan Hands-On Steps u Note: This is a paper-based NOT lab. FOR To successfully SALE OR complete DISTRIBUTION the deliverables for this lab, you will need NOT access FOR to Microsoft SALE OR DISTRIBUT Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab deliverable files. 1. On your local computer, create the lab deliverable files. 2. Review the Lab Assessment Worksheet. You will find answers to these questions as you proceed through the lab steps. NOT FOR SALE 3. OR On DISTRIBUTION your local computer, open a new Internet NOT FOR browser SALE window. OR DISTRIBUTION 4. Using your favorite search engine, search for information on the IT risk management process. 5. Briefly review Jones at least & Bartlett five of the Learning, first page results. LLC 6. In the address box of your Internet browser, type the URL http://www.uvm.edu/~erm/riskassessmentguide.pdf and press Enter to open the Web site. 7. Review the PDF titled Guide to Risk Assessment & Response. u Note: Take special note of the University of Vermont s Guide to Risk Assessment & Response document and the insightful sections titled Things to Keep in Mind and Steps to Follow for each of the assessment steps. NOT FOR SALE 8. OR In DISTRIBUTION the address box of your Internet browser, NOT FOR type the SALE URL OR DISTRIBUTION http://www.education.nt.gov.au/ data/assets/pdf_file/0011/4106/risk_management_process.pdf and press Enter to open the Web site. 9. Review the PowerPoint slide deck titled The Risk Management Process. 10. In your Lab NOT Report FOR file, SALE describe OR DISTRIBUTION in what ways the risk management NOT process FOR in both SALE IT OR DISTRIBUT and non-it environments are similar. Briefly describe in your own words the five major steps of risk management: plan, identify, assess, respond, and monitor. Jones 11. In your & Bartlett Lab Report Learning, file, describe LLC the plan. NOT 12. FOR Review SALE the seven OR DISTRIBUTION domains of a typical IT infrastructure NOT (see FOR Figure SALE 1). OR DISTRIBUTION..
21 Figure 1 Seven domains NOT of a FOR typical SALE IT infrastructure OR DISTRIBUTION 13. Using the following table of risks, threats, and vulnerabilities that were found in a health care IT infrastructure servicing patients with life-threatening conditions, review the risks in the following Jones table. & Bartlett Consider Learning, how you might LLC manage each risk and which Jones of & the Bartlett seven Learning, LL domains NOT each FOR one affects: SALE OR DISTRIBUTION Risks, Threats, and Vulnerabilities Unauthorized access from public Internet Hacker penetrates IT infrastructure Communication circuit outages Workstations Workstation operating system (OS) has a known software vulnerability Denial of service attack on organization s e-mail Remote communications from home office Jones & Bartlett Workstation Learning, browser LLC has software vulnerability NOT FOR SALE Weak OR ingress/egress DISTRIBUTION traffic-filtering degrades NOT performance FOR SALE OR DISTRIBUTION Wireless Local Area Network (WLAN) access points are needed for Local Area Network (LAN) connectivity within a warehouse Need to prevent rogue users from unauthorized WLAN access User destroys data in application, deletes all files, and gains access to internal network Fire destroys primary data center Intraoffice employee NOT romance FOR SALE gone OR bad DISTRIBUTION Loss of production data server Unauthorized access to organization-owned workstations LAN server OS has a known software vulnerability User Jones downloads & Bartlett an unknown Learning, e-mail LLC attachment Service NOT FOR provider SALE has OR a major DISTRIBUTION network outage Copyright 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved. www.jblearning.com Student Lab Manual..
22 LAB #3 Defining the Scope and Structure for an IT Risk Management Plan User inserts CDs and USB hard drives with personal photos, music, and videos on organizationowned computers Virtual Private Network (VPN) tunneling between the remote computer and ingress/egress router 14. In your Lab Report file, for each of the domains, create an outline in the scope of your risk management plan. Include the following topics the five major parts of an IT risk management process for each domain: NOT FOR Risk SALE planning OR DISTRIBUTION Risk identification Risk assessment Risk response Jones & Bartlett Learning, Risk monitoring LLC u Note: This completes the lab. Close the Web browser, if you have not already done so...
23 Evaluation Criteria and Rubrics The following are Jones the evaluation & Bartlett criteria Learning, for this lab LLC that students must perform: 1. Define the purpose and objectives of an IT risk management plan. [20%] 2. Define the scope and boundary for an IT risk management plan to encompass the seven domains of a typical IT infrastructure. [20%] Jones 3. Relate & Bartlett identified Learning, risks, threats, LLCand vulnerabilities to an Jones IT risk management & Bartlett Learning, plan and risk LLC NOT FOR areas. SALE [20%] OR DISTRIBUTION 4. Incorporate the five major parts of an IT risk management process into a risk management plan s outline. [20%] 5. Craft an outline for an IT risk management plan, which includes the seven domains of a typical IT infrastructure and the five major parts of risk management and risk areas. [20%] Copyright 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved. www.jblearning.com Student Lab Manual..