IT Risk Assessment

1. What is the goal or objective of an IT risk assessment? The aim of the risk assessment process is to remove a hazard or reduce the level of its risk by adding precautions or control measures, as necessary. By doing so, you have created a safer and healthier workplace.

2. Why is it difficult to conduct a qualitative risk assessment for an IT infrastructure? It is difficult to conduct a qualitative risk assessment for an IT infrastructure because it determines the level of risk based on the probability and impact of the risk. You determine these values by gathering the opinions of experts.

3. What was your rationale in assigning “1” risk impact/risk factor value of “Critical” for an identified risk, threat or vulnerability? The “1” risk, threat, or vulnerability impacts compliance and places the company in position of increased liability but is not as critical as “2” or ‘3.”

4. When you assembled all of the “1” and “2” and “3” risk impact/risk factor values to the identified risks, threats, and vulnerabilities, how did you prioritize the “1”, “2”, and “3” risk elements? What would you say to the executive management in regards to your final recommended prioritization? a) Critical – a risk, threat, or vulnerability that impacts compliance and i. places the organization in a position of increased liability. b) Major – a risk, threat, or vulnerability that impacts the C-I-A of an organization’s intellectual property assets and IT infrastructure. c) Minor – a risk, threat, or vulnerability that can impact user or employee productivity or availability of the IT infrastructure. This prioritization is what is best because you want to know the highest level of vulnerability to the lowest.

5. Identify a risk mitigation solution for each of the following risk factors: a) User downloads and clicks on an unknown e-mail attachment. – Restrict user access and set it up so the user has to get authorization for downloads b) Workstation OS has a known software vulnerability. – Patch or update software. c) Need to prevent eavesdropping on WLAN due to customer privacy data access. – Increase WLAN security using WPA2 and AES encryption. d) Weak ingress/egress traffic filtering degrades performance. – Strengthen firewall filtering. e) Dos/Ddos attack from the WAN/Internet. – Strengthen firewall security; install IPS and IDS systems to the infrastructure. f) Remote access from home office. – Make sure the VPN is in place and secure. g) Production server corrupts database. – Remove server, restore database from last non-corrupt backup, and remove corruption from system.