Lab2 IAA202

Lab #2: Assessment Worksheet
Align Risk, Threats, & Vulnerabilities to COBIT P09

Risk Management Controls
Risk Management in Information
Course Name:
Systems (IAA202)
Nguyễn Trí Vương - HE161634
Student Name:
Đào Mạnh Công - HE161422
Instructor Name Hồ Kim Cường
Lab Due Date
1. From the identified threats & vulnerabilities from Lab #1 – (List At Least 3 and No
More than 5, High/Medium/Low Nessus Risk Factor Definitions for Vulnerabilities)
a, workstations OS has a known software vulnerability – low.
b, service provider has a major network outage – low.
c, user inserts cds and usb hard drives with personal photos, music ... on organization
owned computers – medium.
d, user downloads an unknown email attachment - high.
2. For the above identified threats and vulnerabilities, which of the following COBIT P09
Risk Management control objectives are affected?
PO9.1 IT Risk Management Framework - b.
PO9.2 Establishment of Risk Context - b.
PO9 3 event identification – a, e.
P09 4 risk assessment - c, d, e.
P09 5 risk response - none.
P09 6 maintenance and monitoring of risk action plan - none.
3. From the identified threats & vulnerabilities from Lab #1 – (List At Least 3 and No
More than 5), specify whether the threat or vulnerability impacts confidentiality –
integrity – availability:
a. Denial of service attack of organized email server: Integrity, Availability.
b. Loss of production data: Availability, Confidentiality.
c. Unauthorized access to organization owned Workstation: Integrity.
d. User downloads an unknown e-mail attachment: Integrity.
e. Workstation browser has software vulnerability: Confidentiality, Availability.
4. For each of the threats and vulnerabilities from Lab #1 (List at Least 3 and No More
than 5) that you have remediated, what must you assess as part of your overall COBIT
P09 risk management approach for your IT infrastructure?
- Workstation browser has software vulnerability.
- Update browser, check and auto update every day.
- User downloads an unknown e-mail attachment.
- Set strength filtering, send memos.

- Backup data, restore from previous point if necessary.
5. For each of the threats and vulnerabilities from Lab #1 – (List at Least 3 and No More
than 5) assess the risk impact or risk factor that it has on your organization in the
following areas and explain how this risk can be mitigated and managed:
a. Threat or Vulnerability #1:
 Information – Vulnerability
 Applications – Vulnerability
 Infrastructure – Vulnerability
 People – None
b. Threat or Vulnerability #2:
 People – Threat
c. Threat or Vulnerability #3:
 Information – Threat
 Infrastructure – Threat
 People – Vulnerability
d. Threat or Vulnerability #4:
 People – Threat
e. Threat or Vulnerability #5:
 Information – Threat
 Infrastructure – Threat
 People – Vulnerability
6. True or False – COBIT P09 Risk Management controls objectives focus on assessment
and management of IT risk
- True
7. Why is it important to address each identified threat or vulnerability from a C-I-A

perspective?
- Addressing threats and vulnerabilities from a C-I-A (Confidentiality, Integrity, and

Availability) perspective is crucial for effective security management. It enables
organizations to prioritize efforts, allocate resources efficiently, and focus on protecting
critical assets.
- By assessing the potential impact on confidentiality, integrity, and availability,
organizations can identify the most significant risks and develop robust strategies. This
comprehensive approach ensures comprehensive protection, both internally and
externally, aiding in business continuity, compliance, and safeguarding information
assets.
8. When the risk impact impact a threat or vulnerability has on your “information” assets,
why must you align this assessment with your Data Classification Standard? How can a
Data Classification Standard help you assess the risk impact on your “information”
assets?
- We had to align this review because it helped me categorize the importance of the
information, aligning the review would help determine the level of risk factor when it
was compromised.
9. When assessing the risk impact a threat or vulnerability has on your “application” and
“infrastructure”, why must you align this assessment with both a server and application
software vulnerability assessment and remediation plan?
- Because that's the request made by my workplace.
10. When assessing the risk impact a threat or has on your “people”, we are concerned
with users and employees within the User Domain as well as the IT security practitioners
who must implement the risk mitigation steps identified. How can you communicate to
your end-user community that a security threat or vulnerability has been identified for a
production system or application? How can you prioritize risk remediation tasks?
- Send email to inform, create a training course for employees in the company. The
biggest risk or threat must be prioritized first.
11. What is the purpose of using the COBIT risk management framework and approach?
- COBIT is a framework created by ISACA for information technology (IT) management

and IT governance. Simply stated, it helps enterprises create an optimal value from IT by
maintaining a balance between realizing benefits and optimizing risk levels and resource
use.
12. What is the difference between effectiveness versus efficiency when risk and risk
management?
- Effectiveness is following the instructions of a specific job while efficiency is doing the
instructions in lesser time and cost. Effectiveness is doing what's right and efficiency is
doing things rightly done.
13. Which three of the seven focus areas pertaining to IT risk management are primary
focus areas of risk assessment and risk management and directly related to information
systems security?
- Assessing the risk, mitigating possible risk and monitoring the result.
14. Why is it important to assess risk impact from four different perspectives as part of
the COBIT P.09 Frameworks?
- Because the more different points of view, the better we can see all the possible risk
factors.
15. What is the name of the organization who defined the COBIT P.09 Risk Management
Framework Definition?
- The IT Governance Institute

Lab2 IAA202

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Lab2 IAA202

Uploaded by

Copyright:

Available Formats

Lab #2: Assessment Worksheet

Align Risk, Threats, & Vulnerabilities to COBIT P09

Instructor Name Hồ Kim Cường

Lab Due Date

a, workstations OS has a known software vulnerability – low.

b, service provider has a major network outage – low.

d, user downloads an unknown email attachment - high.

PO9.2 Establishment of Risk Context - b.

PO9 3 event identification – a, e.

P09 4 risk assessment - c, d, e.

P09 5 risk response - none.

P09 6 maintenance and monitoring of risk action plan - none.

a. Denial of service attack of organized email server: Integrity, Availability.

b. Loss of production data: Availability, Confidentiality.

c. Unauthorized access to organization owned Workstation: Integrity.

d. User downloads an unknown e-mail attachment: Integrity.

e. Workstation browser has software vulnerability: Confidentiality, Availability.

- Workstation browser has software vulnerability.

- Update browser, check and auto update every day.

- User downloads an unknown e-mail attachment.

- Set strength filtering, send memos.

a. Threat or Vulnerability #1:

b. Threat or Vulnerability #2:

c. Threat or Vulnerability #3:

e. Threat or Vulnerability #5:

7. Why is it important to address each identified threat or vulnerability from a C-I-A

- Addressing threats and vulnerabilities from a C-I-A (Confidentiality, Integrity, and

- Because that's the request made by my workplace.

- COBIT is a framework created by ISACA for information technology (IT) management

- The IT Governance Institute

You might also like