Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd Logo
Upload

Welcome to Scribd!

  • 222 views

    Lab2 IAA202

    Uploaded by

    Đào Mạnh Công
    This document is a lab assessment worksheet for a course on risk management in information systems. It contains questions assessing the student's understanding of aligning identified threats and vulnerabilities from Lab 1 with COBIT P09 risk management controls. It also addresses assessing the impact of threats and vulnerabilities on confidentiality, integrity and availability, and determining appropriate risk mitigation strategies. The purpose is to help students apply the COBIT P09 risk management framework to assess and manage IT risks.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd

    Lab2 IAA202

    Uploaded by

    Đào Mạnh Công
    222 views7 pages
    This document is a lab assessment worksheet for a course on risk management in information systems. It contains questions assessing the student's understanding of aligning identified threats and vulnerabilities from Lab 1 with COBIT P09 risk management controls. It also addresses assessing the impact of threats and vulnerabilities on confidentiality, integrity and availability, and determining appropriate risk mitigation strategies. The purpose is to help students apply the COBIT P09 risk management framework to assess and manage IT risks.

    Original Description:

    Align Risks, Threats, & Vulnerabilities to COBIT P09 Risk Management Controls

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document is a lab assessment worksheet for a course on risk management in information systems. It contains questions assessing the student's understanding of aligning identified threats and vulnerabilities from Lab 1 with COBIT P09 risk management controls. It also addresses assessing the impact of threats and vulnerabilities on confidentiality, integrity and availability, and determining appropriate risk mitigation strategies. The purpose is to help students apply the COBIT P09 risk management framework to assess and manage IT risks.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    222 views7 pages

    Lab2 IAA202

    Uploaded by

    Đào Mạnh Công
    This document is a lab assessment worksheet for a course on risk management in information systems. It contains questions assessing the student's understanding of aligning identified threats and vulnerabilities from Lab 1 with COBIT P09 risk management controls. It also addresses assessing the impact of threats and vulnerabilities on confidentiality, integrity and availability, and determining appropriate risk mitigation strategies. The purpose is to help students apply the COBIT P09 risk management framework to assess and manage IT risks.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    of 7

    Lab #2: Assessment Worksheet

    Align Risk, Threats, & Vulnerabilities to COBIT P09


    Risk Management Controls
    Risk Management in Information
    Course Name:
    Systems (IAA202)
    Nguyễn Trí Vương - HE161634
    Student Name:
    Đào Mạnh Công - HE161422

    Instructor Name Hồ Kim Cường

    Lab Due Date

    1. From the identified threats & vulnerabilities from Lab #1 – (List At Least 3 and No
    More than 5, High/Medium/Low Nessus Risk Factor Definitions for Vulnerabilities)

    a, workstations OS has a known software vulnerability – low.

    b, service provider has a major network outage – low.

    c, user inserts cds and usb hard drives with personal photos, music ... on organization
    owned computers – medium.

    d, user downloads an unknown email attachment - high.

    2. For the above identified threats and vulnerabilities, which of the following COBIT P09
    Risk Management control objectives are affected?
    PO9.1 IT Risk Management Framework - b.

    PO9.2 Establishment of Risk Context - b.

    PO9 3 event identification – a, e.

    P09 4 risk assessment - c, d, e.

    P09 5 risk response - none.

    P09 6 maintenance and monitoring of risk action plan - none.

    3. From the identified threats & vulnerabilities from Lab #1 – (List At Least 3 and No
    More than 5), specify whether the threat or vulnerability impacts confidentiality –
    integrity – availability:

    a. Denial of service attack of organized email server: Integrity, Availability.

    b. Loss of production data: Availability, Confidentiality.

    c. Unauthorized access to organization owned Workstation: Integrity.

    d. User downloads an unknown e-mail attachment: Integrity.

    e. Workstation browser has software vulnerability: Confidentiality, Availability.

    4. For each of the threats and vulnerabilities from Lab #1 (List at Least 3 and No More
    than 5) that you have remediated, what must you assess as part of your overall COBIT
    P09 risk management approach for your IT infrastructure?

    - Workstation browser has software vulnerability.

    - Update browser, check and auto update every day.

    - User downloads an unknown e-mail attachment.

    - Set strength filtering, send memos.


    - Backup data, restore from previous point if necessary.

    5. For each of the threats and vulnerabilities from Lab #1 – (List at Least 3 and No More
    than 5) assess the risk impact or risk factor that it has on your organization in the
    following areas and explain how this risk can be mitigated and managed:

    a. Threat or Vulnerability #1:

     Information – Vulnerability
     Applications – Vulnerability
     Infrastructure – Vulnerability
     People – None

    b. Threat or Vulnerability #2:

     Information – Vulnerability
     Applications – Vulnerability
     Infrastructure – Vulnerability
     People – Threat

    c. Threat or Vulnerability #3:

     Information – Threat
     Applications – Vulnerability
     Infrastructure – Threat
     People – Vulnerability
    d. Threat or Vulnerability #4:

     Information – Vulnerability
     Applications – Vulnerability
     Infrastructure – Vulnerability
     People – Threat

    e. Threat or Vulnerability #5:

     Information – Threat
     Applications – Vulnerability
     Infrastructure – Threat
     People – Vulnerability

    6. True or False – COBIT P09 Risk Management controls objectives focus on assessment
    and management of IT risk

    - True

    7. Why is it important to address each identified threat or vulnerability from a C-I-A


    perspective?

    - Addressing threats and vulnerabilities from a C-I-A (Confidentiality, Integrity, and


    Availability) perspective is crucial for effective security management. It enables
    organizations to prioritize efforts, allocate resources efficiently, and focus on protecting
    critical assets.
    - By assessing the potential impact on confidentiality, integrity, and availability,
    organizations can identify the most significant risks and develop robust strategies. This
    comprehensive approach ensures comprehensive protection, both internally and
    externally, aiding in business continuity, compliance, and safeguarding information
    assets.

    8. When the risk impact impact a threat or vulnerability has on your “information” assets,
    why must you align this assessment with your Data Classification Standard? How can a
    Data Classification Standard help you assess the risk impact on your “information”
    assets?

    - We had to align this review because it helped me categorize the importance of the
    information, aligning the review would help determine the level of risk factor when it
    was compromised.

    9. When assessing the risk impact a threat or vulnerability has on your “application” and
    “infrastructure”, why must you align this assessment with both a server and application
    software vulnerability assessment and remediation plan?

    - Because that's the request made by my workplace.

    10. When assessing the risk impact a threat or has on your “people”, we are concerned
    with users and employees within the User Domain as well as the IT security practitioners
    who must implement the risk mitigation steps identified. How can you communicate to
    your end-user community that a security threat or vulnerability has been identified for a
    production system or application? How can you prioritize risk remediation tasks?

    - Send email to inform, create a training course for employees in the company. The
    biggest risk or threat must be prioritized first.
    11. What is the purpose of using the COBIT risk management framework and approach?

    - COBIT is a framework created by ISACA for information technology (IT) management


    and IT governance. Simply stated, it helps enterprises create an optimal value from IT by
    maintaining a balance between realizing benefits and optimizing risk levels and resource
    use.

    12. What is the difference between effectiveness versus efficiency when risk and risk
    management?

    - Effectiveness is following the instructions of a specific job while efficiency is doing the
    instructions in lesser time and cost. Effectiveness is doing what's right and efficiency is
    doing things rightly done.

    13. Which three of the seven focus areas pertaining to IT risk management are primary
    focus areas of risk assessment and risk management and directly related to information
    systems security?

    - Assessing the risk, mitigating possible risk and monitoring the result.

    14. Why is it important to assess risk impact from four different perspectives as part of
    the COBIT P.09 Frameworks?

    - Because the more different points of view, the better we can see all the possible risk
    factors.

    15. What is the name of the organization who defined the COBIT P.09 Risk Management
    Framework Definition?

    - The IT Governance Institute

    You might also like