1. The document provides an assessment worksheet for a lab assignment on aligning risks, threats, and vulnerabilities to COBIT P09 risk management controls.
2. Students are asked to identify threats and vulnerabilities from a previous lab and match them to the relevant COBIT P09 control objectives. They then analyze the threats based on confidentiality, integrity and availability impacts.
3. For identified risks, students must assess the risk factor across information, applications, infrastructure and people and explain how each risk can be mitigated according to the COBIT P09 framework.
Student Name: Trần Mỹ Linh, Lê Mạnh Hải
Instructor Name: Hồ Kim Cường
Lab due date:

Overview

Think of the COBIT framework as a giant checklist of what IT or risk management auditors would do if they were going to audit how your organization approaches risk management for its IT infrastructure. COBIT P09 defines 6 control objectives for assessing and managing IT risk within four different focus areas. The first lab task is to align your identified threats and vulnerabilities from Lab #1 – How to Identify Threats and Vulnerabilities in Your IT Infrastructure.

Lab Assessment Questions:

1. From the identified threats & vulnerabilities from Lab #1 (list at least 3 and no more than 5, using the High/Medium/Low Nessus risk factor definitions for vulnerabilities):
   a. Workstation OS has a known software vulnerability – low
   b. Service provider has a major network outage – low
   c. User inserts CDs and USB hard drives with personal photos, music, etc. on organization-owned computers – medium
   d. User downloads an unknown e-mail attachment – high

2. For the above identified threats and vulnerabilities, which of the following COBIT P09 Risk Management control objectives are affected?
   PO9.1 IT Risk Management Framework – b
   PO9.2 Establishment of Risk Context – b
   PO9.3 Event Identification – a
   PO9.4 Risk Assessment – c, d
   PO9.5 Risk Response – none
   PO9.6 Maintenance and Monitoring of a Risk Action Plan – none

3. From the identified threats & vulnerabilities from Lab #1 (list at least 3 and no more than 5), specify whether the threat or vulnerability impacts confidentiality – integrity – availability:
   A. Denial of service attack on the organization's e-mail server: integrity, availability
   B. Loss of production data: availability, confidentiality
   C. Unauthorized access to organization-owned workstation: integrity
   D. User downloads an unknown e-mail attachment: integrity
   E. Workstation browser has software vulnerability: confidentiality, availability

4. For each of the threats and vulnerabilities from Lab #1 (list at least 3 and no more than 5) that you have remediated, what must you assess as part of your overall COBIT P09 risk management approach for your IT infrastructure?
   - Workstation browser has software vulnerability: update the browser; check and auto-update every day.
   - User downloads an unknown e-mail attachment: set strong filtering; send memos.
   - Back up data; restore from a previous point if necessary.

5. For each of the threats and vulnerabilities from Lab #1 (list at least 3 and no more than 5), assess the risk factor that it has on your organization in the following areas and explain how this risk can be mitigated and managed:
   a. Threat or Vulnerability #1: Denial of service attack on the organization's e-mail server
      Information – Threat; Applications – Threat; Infrastructure – Threat; People – None
   b. Threat or Vulnerability #2: Unauthorized access to organization-owned workstation
      Information – Threat; Applications – Vulnerability; Infrastructure – Vulnerability; People – Threat
   c. Threat or Vulnerability #3: Loss of production data
      Information – Threat; Applications – Threat; Infrastructure – Threat; People – Threat to someone's job
   d. Threat or Vulnerability #4: Workstation browser has software vulnerability
      Information – Vulnerability; Applications – Vulnerability; Infrastructure – Vulnerability; People – None
   e. Threat or Vulnerability #5: User downloads an unknown e-mail attachment
      Information – Vulnerability; Applications – Vulnerability; Infrastructure – Vulnerability; People – Threat

6. True or False – COBIT P09 Risk Management control objectives focus on assessment and management of IT risk.
   TRUE

7. Why is it important to address each identified threat or vulnerability from a C-I-A perspective?
   Because C-I-A is a balanced viewpoint. People will not use it if it is too secure, and if it is not safe enough, they risk losing information.

8. When assessing the risk impact a threat or vulnerability has on your "information" assets, why must you align this assessment with your Data Classification Standard? How can a Data Classification Standard help you assess the risk impact on your "information" assets?
   We must align it because it assists you in categorizing the value of the information and its use. If it is hacked, it will assess the level of risk.

9. When assessing the risk impact a threat or vulnerability has on your "Application" and "Infrastructure", why must you align this assessment with both a server and application software vulnerability assessment and remediation plan?
   Because vulnerabilities in security can allow hackers to gain access to IT systems and applications, it is critical for businesses to discover and address flaws before they are exploited. A complete vulnerability assessment, combined with a management program, can assist businesses in improving the security of their systems.

10. When assessing the risk impact a threat or vulnerability has on your "People", we are concerned with users and employees within the User Domain as well as the IT security practitioners who must implement the risk mitigation steps identified. How can you communicate to your end-user community that a security threat or vulnerability has been identified for a production system or application? How can you prioritize risk remediation tasks?
   Send e-mail and memos and set up a training class. The risks that can reach users the quickest, or that pose the highest threat, must be prioritized first.

11. What is the purpose of using the COBIT risk management "framework and approach"?
   It is a comprehensive framework that aids organizations in attaining their goals for the governance and management of enterprise information and technology (IT) assets. Simply put, it assists organizations in maximizing the value of their IT investments by striking a balance between achieving benefits and managing risk levels and resource use.

12. What is the difference between effectiveness versus efficiency when assessing risk and risk management?
   Effectiveness is following the instructions of a specific job, while efficiency is carrying out the instructions in less time and at lower cost. They say effectiveness is doing what's right and efficiency is doing things right.

13. Which three of the seven focus areas pertaining to IT risk management are primary focus areas of risk assessment and risk management and directly relate to information systems?
   Assessing the risk, mitigating possible risk, and monitoring the result.

14. Why is it important to assess risk impact from the four different perspectives as part of the COBIT P.09 Framework?
   The more perspectives you have, the better the view of all the risks that are present.

15. What is the name of the organization who defined the COBIT P.09 Risk Management Framework definition?
   The IT Governance Institute
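The worksheet asks (questions 2, 3, 5 and 10) to map each threat or vulnerability to the affected PO9 control objectives, record its C-I-A impact and its exposure across the four perspectives, and then decide which remediation tasks come first. The following added example, which is not part of the worksheet or of COBIT itself, shows one way to keep that as a small machine-checked risk register: each entry is validated against the PO9 objective list and C-I-A vocabulary, and a prioritization order is produced from a scoring rule. The scoring rule (Nessus-style factor weight multiplied by the number of C-I-A properties hit plus the number of exposed perspectives) is an assumption chosen for illustration, as are the High/Medium/Low factors assigned to entries the worksheet does not rate.

```python
from dataclasses import dataclass

# Vocabulary taken from the worksheet; the scoring weights are constructed for this example.
PO9_OBJECTIVES = {
    "PO9.1": "IT Risk Management Framework",
    "PO9.2": "Establishment of Risk Context",
    "PO9.3": "Event Identification",
    "PO9.4": "Risk Assessment",
    "PO9.5": "Risk Response",
    "PO9.6": "Maintenance and Monitoring of a Risk Action Plan",
}
CIA = ("confidentiality", "integrity", "availability")
PERSPECTIVES = ("information", "applications", "infrastructure", "people")
RISK_FACTOR_WEIGHT = {"high": 3, "medium": 2, "low": 1}   # assumed weights


@dataclass(frozen=True)
class RiskEntry:
    name: str
    risk_factor: str        # Nessus-style: high / medium / low
    cia_impact: frozenset   # subset of CIA
    perspectives: dict      # perspective -> "threat" | "vulnerability" | None
    po9_objectives: tuple   # e.g. ("PO9.4",)
    mitigation: str


def validate(entry):
    """Return a list of problems with the entry; an empty list means it is well-formed."""
    problems = []
    if entry.risk_factor.lower() not in RISK_FACTOR_WEIGHT:
        problems.append(f"{entry.name}: unknown risk factor {entry.risk_factor!r}")
    if not entry.cia_impact <= set(CIA):
        problems.append(f"{entry.name}: unknown C-I-A property in {sorted(entry.cia_impact)}")
    if set(entry.perspectives) != set(PERSPECTIVES):
        problems.append(f"{entry.name}: perspectives must cover exactly {PERSPECTIVES}")
    for obj in entry.po9_objectives:
        if obj not in PO9_OBJECTIVES:
            problems.append(f"{entry.name}: unknown control objective {obj}")
    return problems


def score(entry):
    """Assumed priority score: factor weight * (C-I-A properties hit + exposed perspectives)."""
    exposed = sum(1 for p in PERSPECTIVES if entry.perspectives.get(p))
    return RISK_FACTOR_WEIGHT[entry.risk_factor.lower()] * (len(entry.cia_impact) + exposed)


def prioritize(register):
    """Highest score first; ties broken by name so the order is stable and reviewable."""
    return sorted(register, key=lambda e: (-score(e), e.name))


def objectives_affected(register):
    """Invert the register: PO9 objective -> names of entries that touch it (question 2)."""
    result = {obj: [] for obj in PO9_OBJECTIVES}
    for entry in register:
        for obj in entry.po9_objectives:
            result[obj].append(entry.name)
    return result


def exposure(entry, kind):
    """Perspectives in which the entry is recorded as the given kind ("threat"/"vulnerability")."""
    return tuple(p for p in PERSPECTIVES if entry.perspectives.get(p) == kind)


# Sample register built from the worksheet's question 3 and 5 entries; risk factors for
# entries the worksheet does not rate (all but "User downloads ...") are constructed here.
def sample_register():
    all_four = lambda kind, people: {"information": kind, "applications": kind,
                                     "infrastructure": kind, "people": people}
    return [
        RiskEntry("Denial of service attack on the organization's e-mail server", "medium",
                  frozenset({"integrity", "availability"}), all_four("threat", None),
                  ("PO9.3", "PO9.5"), "rate-limit inbound mail; keep a failover MX"),
        RiskEntry("Loss of production data", "high",
                  frozenset({"availability", "confidentiality"}), all_four("threat", "threat"),
                  ("PO9.4", "PO9.5"), "back up data; restore from a previous point if necessary"),
        RiskEntry("Unauthorized access to organization-owned workstation", "medium",
                  frozenset({"integrity"}),
                  {"information": "threat", "applications": "vulnerability",
                   "infrastructure": "vulnerability", "people": "threat"},
                  ("PO9.4",), "enforce screen lock and least-privilege accounts"),
        RiskEntry("User downloads an unknown e-mail attachment", "high",
                  frozenset({"integrity"}), all_four("vulnerability", "threat"),
                  ("PO9.4",), "set strong filtering; send memos"),
        RiskEntry("Workstation browser has software vulnerability", "medium",
                  frozenset({"confidentiality", "availability"}), all_four("vulnerability", None),
                  ("PO9.3", "PO9.6"), "update the browser; check and auto-update every day"),
    ]


if __name__ == "__main__":
    register = sample_register()
    for entry in register:
        for problem in validate(entry):
            print("register problem:", problem)
    for entry in prioritize(register):
        print(f"{score(entry):>3}  {entry.risk_factor:<6} {entry.name}  ->  {entry.mitigation}")
    for obj, names in objectives_affected(register).items():
        print(obj, PO9_OBJECTIVES[obj], "->", names or "none")
```

Running the block prints the register in remediation order with the suggested mitigation beside each entry, then the question 2 style mapping of each PO9 objective to the entries that touch it. Because `validate` rejects objectives and C-I-A terms outside the worksheet's vocabulary, a typo such as "PO9 3" or "confidentality" surfaces as a register problem instead of silently dropping out of the mapping.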