IAA Lab2 HuynhMinhHa


1. Was the student able to define what COBIT (Control Objectives for Information and related
Technology) PO9 Risk Management is for an IT infrastructure? – [20%]

COBIT PO9 is a risk management tool that records the level of risk and the ability to reduce it.
Any violations related to it should be assessed and analyzed to determine the level of risk.

2. Was the student able to describe the 6 control objectives of COBIT PO9 which are used as
benchmarks for IT risk assessment and risk management? – [20%]

Plan and Organize, Acquire and Implement, Monitor and Evaluate

3. Was the student able to relate how threats and vulnerabilities align to the COBIT PO9 Risk
Management definition for the assessment and management of IT risk? – [20%]

This requires a high level of experience and expertise to know how threats and vulnerabilities
align to COBIT PO9 Risk Management.

4. Was the student able to use the COBIT PO9 controls as a guide to define the scope of risk
management for an IT infrastructure? – [20%]

Based on COBIT PO9, we can manage risks for IT infrastructure more easily, narrowing the
possibility of attacks.

5. Was the student able to apply the COBIT PO9 controls to help plan and organize the identified IT
risks, threats, and vulnerabilities and the on-going management and remediation operation
requirements? – [20%]

Yes, COBIT PO9 is a tool as well as a standard for risk assessment, so when there is a risk, or when
predicting risks, we rely on COBIT PO9 to assess the risks and provide solutions to prevent and be
ready for attacks, based on those available in COBIT PO9.

Lab Assessment Questions

1. From the identified threats & vulnerabilities from Lab #1 – (List At Least 3 and No More than 5,
High/Medium/Low Nessus Risk Factor Definitions for Vulnerabilities)

a. Workstation OS has a known software vulnerability – Low

b. Service provider has a major network outage – Low

c. User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned
computers – Medium

d. User downloads an unknown e-mail attachment – High

e. Fire destroys primary data center – High

2. For the above identified threats and vulnerabilities, which of the following COBIT PO9 Risk
Management control objectives are affected?

• PO9.1 IT Risk Management Framework – b

• PO9.2 Establishment of Risk Context – b

• PO9.3 Event Identification – a

• PO9.4 Risk Assessment – c, d

• PO9.5 Risk Response – none

• PO9.6 Maintenance and Monitoring of a Risk Action Plan – e

3. From the identified threats & vulnerabilities from Lab #1 – (List At Least 3 and No More than 5),
specify whether the threat or vulnerability impacts confidentiality – integrity – availability:

     Confidentiality   Integrity   Availability
a.   y                 n           y
b.   n                 n           y
c.   n                 y           n
d.   n                 y           n
e.   y                 y           y

4. For each of the threats and vulnerabilities from Lab #1 (List at Least 3 and No More than 5) that you
have remediated, what must you assess as part of your overall COBIT PO9 risk management approach
for your IT infrastructure?

5. For each of the threats and vulnerabilities from Lab #1 – (List at Least 3 and No More than 5) assess
the risk impact or risk factor that it has on your organization in the following areas and explain how this
risk can be mitigated and managed:

a. Threat or Vulnerability #1:

o Information – Vulnerability

o Applications – Vulnerability

o Infrastructure – Vulnerability

o People – none

b. Threat or Vulnerability #2:

o Information – Vulnerability

o Applications – Vulnerability

o Infrastructure – Vulnerability

o People – Threat

c. Threat or Vulnerability #3:

o Information – Threat

o Applications – Vulnerability

o Infrastructure – Threat

o People – Vulnerability

d. Threat or Vulnerability #4:

o Information – Vulnerability

o Applications – Vulnerability

o Infrastructure – Vulnerability

o People – Threat

e. Threat or Vulnerability #5:

o Information – Threat

o Applications – Threat

o Infrastructure – Threat

o People – Threat

6. True or False – COBIT PO9 Risk Management control objectives focus on assessment and
management of IT risk.

True

7. Why is it important to address each identified threat or vulnerability from a C-I-A perspective?

Because C-I-A is a balanced perspective. When a system is not secure enough, people's information is
at risk; when it is too secure, people cannot access and use it.

8. When assessing the risk impact a threat or vulnerability has on your “information” assets, why must
you align this assessment with your Data Classification Standard? How can a Data Classification Standard
help you assess the risk impact on your “information” assets?

Because it helps you categorize important data and helps you identify risk factors for data breaches.

9. When assessing the risk impact a threat or vulnerability has on your “application” and
“infrastructure”, why must you align this assessment with both a server and application software
vulnerability assessment and remediation plan?

Assessment of risks to the application and infrastructure needs to be done in a quantitative manner to
protect the users of the application as well as the production company and both parties' data. When an
incident occurs, it is necessary to have appropriate remediation and vulnerability assessment. The
evaluation criteria must be updated continuously, since similar problems or greater risks may arise in
software, applications and management servers, to ensure safety for users as well as for the servers in
operation.

10. When assessing the risk impact a threat or vulnerability has on your “people”, we are concerned
with users and employees within the User Domain as well as the IT security practitioners who must
implement the risk mitigation steps identified. How can you communicate to your end-user community
that a security threat or vulnerability has been identified for a production system or application? How
can you prioritize risk remediation tasks?

11. What is the purpose of using the COBIT risk management framework and approach?

COBIT is a comprehensive framework that assists enterprises in achieving their objectives for the
governance and management of enterprise information and technology (IT) assets. Simply stated, it helps
enterprises create optimal value from IT by maintaining a balance between realizing benefits and
optimizing risk levels and resource use.

12. What is the difference between effectiveness versus efficiency when assessing risk and risk
management?

13. Which three of the seven focus areas pertaining to IT risk management are primary focus areas of
risk assessment and risk management and directly relate to information systems security?

Assessing the risk, Mitigating Possible Risk and Monitoring the Result.

14. Why is it important to assess risk impact from four different perspectives as part of the COBIT PO9
Framework?

The bigger your vision, the better view of all available risks.

15. What is the name of the organization that defined the COBIT PO9 Risk Management Framework
definition?

The IT Governance Institute
