Lab #3: Assessment Worksheet Answers
Course Name: IT Risk Management
Student Name: [Your Name]
Instructor Name: [Instructor Name]
Lab Due Date: [Due Date]
1. What is the goal or objective of an IT risk management plan?
The goal of an IT risk management plan is to identify, assess, mitigate, and monitor risks to an organization’s IT infrastructure to ensure the confidentiality, integrity, and availability of critical data and systems, while aligning with regulatory requirements such as HIPAA.
2. What are the five fundamental components of an IT risk management plan?
The five fundamental components are:
• Risk Planning
• Risk Identification
• Risk Assessment
• Risk Mitigation
• Risk Monitoring
3. Define what risk planning is.
Risk planning is the process of developing a structured approach to
manage IT risks, including defining the scope, objectives,
methodologies, roles, and responsibilities for identifying, assessing,
mitigating, and monitoring risks.
4. What is the first step in performing risk management?
The first step in performing risk management is risk planning, which involves establishing the framework, scope, and objectives for the risk management process.
5. What is the exercise called when you are trying to identify an organization’s risk health?
The exercise is called a risk assessment.
6. What practice helps reduce or eliminate risk?
Risk mitigation helps reduce or eliminate risk by implementing strategies and controls to address identified threats and vulnerabilities.
7. What ongoing practice helps track risk in real-time?
Risk monitoring is the ongoing practice that helps track risk in real-time through tools, audits, and metrics.
8. Given that an IT risk management plan can be large in scope, why is it a good idea to develop a risk management plan team?
A risk management plan team is essential due to the complexity and scope of IT risks. It ensures diverse expertise, effective coordination, and comprehensive coverage of all risk areas, including technical, operational, and compliance aspects.
9. Within the seven domains of a typical IT infrastructure, which domain is the most difficult to plan, identify, assess, remediate, and monitor?
The User Domain is often the most difficult due to human factors, such as insider threats, lack of awareness, and variable compliance with security policies, making it challenging to manage consistently.
10. From your scenario perspective, with which compliance
law or standard does your organization have to comply?
How did this impact the scope and boundary of your IT risk
management plan?
The organization must comply with HIPAA. This impacts the scope
by requiring a focus on protecting PHI, implementing
administrative, physical, and technical safeguards, and ensuring
incident response and breach notification processes, which define the
boundaries of the risk management plan.
11. How did the risk identification and risk assessment of the
identified risks, threats, and vulnerabilities contribute to
your IT risk management plan table of contents?
Risk identification and assessment provided the foundation for the table
of contents by pinpointing critical assets, threats, and vulnerabilities
specific to the healthcare provider, such as PHI breaches and system
outages, ensuring the plan addresses these priorities
comprehensively.
12. What risks, threats, and vulnerabilities did you identify
and assess that require immediate risk mitigation given
the criticality of the threat or vulnerability?
Immediate mitigation is required for:
• Unauthorized access to PHI (high criticality due to HIPAA
violations).
• Malware infections targeting EHR systems (potential for data loss).
• Weak encryption of PHI data (risk of interception during
transmission).
13. For risk monitoring, what techniques or tools can you
implement within each of the seven domains of a typical IT
infrastructure to help mitigate risk?
• User Domain: Security awareness training, multi-factor
authentication (MFA).
• Workstation Domain: Antivirus software, endpoint detection
tools.
• LAN Domain: Network segmentation, intrusion detection systems
(IDS).
• LAN-to-WAN Domain: Firewalls, VPNs for secure data
transmission.
• WAN Domain: Encrypted communication protocols, network
monitoring tools.
• System/Application Domain: Patch management, application whitelisting.
• Remote Access Domain: Secure remote access solutions, session monitoring.
14. For risk mitigation, what processes and procedures are
needed to help streamline and implement risk mitigation
solutions to the production IT infrastructure?
Processes include:
• Change control management to ensure secure deployment of
updates.
• Regular security audits and vulnerability scans.
• Incident response planning for rapid mitigation of breaches.
• Employee training programs to reduce human-related risks.
15. How does risk mitigation impact change control management and vulnerability management?
Risk mitigation drives change control by requiring structured processes to implement security updates without disrupting operations. It enhances vulnerability management by prioritizing and addressing critical vulnerabilities through patches, configuration changes, and monitoring, ensuring alignment with risk reduction goals.