Developing a Risk Remediation Plan
1) The table below has a list of Risks Threats and Vulnerabilities. The primary Domain is provided. You are to place the Impact Factor based on the definitions below, and then place a likelihood factor (Low, Medium, High) based on your experience, research or insight.
1 = Critical: A risk, threat or vulnerability that impacts compliance (privacy laws requirements for securing privacy data and implementing proper security controls) and places the organization at increased liability
2 = Major:A risk, threat or vulnerability that impacts confidentiality, integrity or availability of the organization's intellectual property assets and IT infrastructure
3 = Minor: A risk, threat or vulnerability that impacts user or employee productivity or availability of the IT infrastructure.
The first one is done as an example.
Rule 1: If there is a Risk Threat or Vulnerability and it has not been exploited yet, it can only have an Impact of 2 or 3.
Rule 2: There are no more than ten 1's
|
#
|
Risks Threats and Vulnerabilities
|
Domain (primary)
|
Impact Factor
|
Likelihood Factor
|
|
EX
|
Technician (user) uses P2P file sharing on company owned PC
|
#1 - USER domain
|
2 (might be 1 if it was exploited)
|
high
|
|
1
|
Unauthorized access from Internet to corporate servers and applications
|
#7 - Remote Access Domain
|
|
|
|
2
|
User destroys data in application and deletes all files she has access too.
|
#6 Application domain
|
|
|
|
3
|
Hacker penetrates your IT infrastructure and gains access to your internal network because default password is left on router
|
#4 LAN-to-WAN domain
|
|
|
|
4
|
Two employee's relationship goes sour
|
#1 - USER domain
|
|
|
|
5
|
Fire destroys data center
|
#6 Application domain
|
|
|
|
6
|
Workstation OS has known vulnerabilities
|
#2 Workstation domain
|
|
|
|
7
|
Internet Service provider has 2% loss of service which is below the SLA.
|
#5 WAN Domain
|
|
|
|
8
|
Hacker penetrates IT system by a phishing attach
|
#1 - USER domain
|
|
|
|
9
|
LAN switch has default username and password
|
#3 - LAN Domain
|
|
|
|
10
|
Denial of service attack on email server
|
#5 WAN Domain
|
|
|
|
11
|
User turns off screensaver on PC
|
#1 User domain
|
|
|
|
12
|
Corporate Data server has no backups
|
#6 Application domain
|
|
|
|
13
|
VPN tunneling between remote computer and ingress/egress router
|
#4 LAN-to-WAN domain
|
|
|
|
14
|
Internet Service Provider has major outage; no employees can access Internet
|
#5 WAN domain
|
|
|
|
15
|
Web browser vulnerabilities exist on client machines
|
#2 Workstation domain
|
|
|
|
16
|
A general-purpose sniffer is found on organization-controlled client PCs
|
#2 Workstation domain
|
|
|
|
17
|
System admin has found DNS cache poisoning attack
|
#5 WAN Domain
|
|
|
|
18
|
The Telecommunications closet where the switches and routers reside is unlocked and open because the AC is broken.
|
#3 - LAN Domain
|
|
|
|
19
|
Attacker tries brute force attack against Corporate Portal
|
#7 - Remote Access Domain
|
|
|
|
20
|
DDoS attack from the WAN/Internet
|
#5 WAN Domain
|
|
|
|
21
|
WLAN access points are needed for LAN connectivity within warehouse
|
#3 - LAN Domain
|
|
|
|
22
|
WLAN access points need to be protected from eavesdropping
|
#3 - LAN Domain
|
|
|
|
23
|
Weak ingress/egress traffic filtering degrades performance
|
#4 LAN-to-WAN domain
|
|
|
2) Frequency Table
Looking at your table above, count the number of "High-1" and place the number in cell High-1; then High-2, High-3, Med-1 etc. repeat for all cells. The total of all the cells will be 23.
|
Impact
|
1
|
|
|
|
|
2
|
|
|
|
|
3
|
|
|
|
|
|
Low
|
Medium
|
High
|
|
Probability
|
What can you observe about the distribution? Is this company in trouble or are they close to being secure?
3) Remediation plan
For the top 3most critical risks, threats, or vulnerabilities, give a primary and an alternate remediation course of action. The primary course of action is what you recommend to Management, the alternative is usually not as effective but cheaper. Be sure to consider cost in your recommendation to Management. Use references on each.
3-1. State the risk, threat, or vulnerability here
Primary:
Alternate:
3-2. State the risk, threat, or vulnerability here
Primary:
Alternate:
3-3. State the risk, threat, or vulnerability here
Primary:
Alternate:
4) General Questions regarding Risk-Mitigation:
a) What risk-mitigation solutions do you recommend for the problem of: User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers?
b) Why is Continuity of Operations an important risk-mitigation requirement?
c) Why is the Remote Access Domain the most risk-prone of all in a typical IT infrastructure?
d) When considering the implementation of software updates, software patches, and software fixes, why must you test the upgrade or software patch before you implement it?