Iaa 2

This document provides an assessment worksheet for a student to align identified risks, threats, and vulnerabilities from Lab #1 to controls within the COBIT P09 Risk Management Framework. The student lists threats and vulnerabilities involving a user destroying data, a workstation OS vulnerability, inserting personal media on organization computers, remote communications, and a fire destroying the primary data center. They then assess the risks based on confidentiality, integrity, availability and impact on information, applications, infrastructure, and people to help prioritize risk remediation.

Uploaded by

na
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
132 views7 pages

Iaa 2

This document provides an assessment worksheet for a student to align identified risks, threats, and vulnerabilities from Lab #1 to controls within the COBIT P09 Risk Management Framework. The student lists threats and vulnerabilities involving a user destroying data, a workstation OS vulnerability, inserting personal media on organization computers, remote communications, and a fire destroying the primary data center. They then assess the risks based on confidentiality, integrity, availability and impact on information, applications, infrastructure, and people to help prioritize risk remediation.

Uploaded by

na
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 7

Lab #2: Assessment Worksheet

Align Risk, Threats, & Vulnerabilities to COBIT P09 Risk Management Controls

Course Name: IAA202

Student Name: Tran Tien Nam

1. From the identified threats & vulnerabilities from Lab #1 (list at least 3 and no more than 5; High/Medium/Low Nessus Risk Factor definitions for vulnerabilities):

a. User destroys data in application and deletes all files. ===> High: there's a security hole that can lead to privilege escalation.

b. Workstation OS has a known software vulnerability. ===> Low: an attacker may exploit the vulnerability before it is patched.

c. User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned computers. ===> Low: the CDs and USB drives may contain malware that can destroy the computers or the system.

d. Remote communications from home office ===> Medium: the connection may be insecure, or many users may work at the same time…

e. Fire destroys primary data center ===> Medium: total loss of data could be catastrophic to a company if it does not back up.


2. For the identified threats and vulnerabilities, which of the following COBIT P09 Risk Management control objectives are affected?

P09.1 Risk Management Framework – D

P09.2 Establishment of Risk Context – E

P09.3 Event Identification – A, C and E

P09.4 Risk Assessment – B, D

P09.5 Risk Response – None

P09.6 Maintenance and Monitoring of a Risk Action Plan – None

3. From the identified threats & vulnerabilities from Lab #1 (list at least 3 and no more than 5), specify whether the threat or vulnerability impacts confidentiality – integrity – availability:

a. User destroys data in application and deletes all files. ==> availability

b. Workstation OS has a known software vulnerability. ==> confidentiality – integrity – availability

c. User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned computers. ===> confidentiality

d. Remote communications from home office ===> confidentiality – integrity – availability

e. Fire destroys primary data center ===> availability

4. For each of the threats and vulnerabilities from Lab #1 (list at least 3 and no more than 5) that you have remediated, what must you assess as part of your overall COBIT P09 Risk Management approach for your IT infrastructure?

a. User destroys data in application and deletes all files. ==> Easy to occur if an employee wants to betray the organization; it significantly impacts the system and is only prevented by leadership or by backing up data.

b. Workstation OS has a known software vulnerability. ==> Software usually has vulnerabilities, and if it is a known vulnerability it can easily be patched or quarantined for security; otherwise it may significantly impact the system.

c. User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned computers. ===> It usually occurs and is easy to control with filtering and anti-virus; if they do not work, it may significantly impact the computer and the system.

d. Remote communications from home office ===> It usually occurs, and it is not easy to improve the infrastructure or software in the system, but it can be hardened by securing the passwords and encrypting data while transferring; if these do not work, it may significantly impact the computer and the system.

e. Fire destroys primary data center ===> Seldom occurs, and it is easy to back up and protect the data center against disasters, but if it occurs it may significantly damage the assets of the organization.

5. For each of the threats and vulnerabilities from Lab #1 (list at least 3 and no more than 5), assess the risk factor that it has on your organization in the following areas and explain how this risk can be mitigated and managed:

a. Threat or Vulnerability #1: User destroys data in application and deletes all files

Information – Threat

Applications – Threat

Infrastructure – Threat

People – Vulnerability

=> Back up data; restore from a previous point if necessary

b. Threat or Vulnerability #2: Workstation OS has a known software vulnerability.

Information – Threat

Applications – Vulnerability

Infrastructure – Vulnerability

People – Threat

=> Update the browser; check for and auto-install updates every day

c. Threat or Vulnerability #3: User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned computers.

Information – Threat

Application – Threat

Infrastructure – Threat

People – Vulnerability

=> Set strong filtering, anti-virus, …

d. Threat or Vulnerability #4: Remote communications from home office

Information – Threat

Application – Threat

Infrastructure – Vulnerability

People – Vulnerability

=> Set passwords to change after 90 days, set screen lockout after 10 minutes, use secure encryption while transferring data

e. Threat or Vulnerability #5: Fire destroys primary data center

Information – Threat

Application – Threat

Infrastructure – Vulnerability

People – Vulnerability

=> Back up data; restore from a previous point if necessary; check that the data center is safe from disasters like fire or flood…
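One way to apply the two workstation settings named in answer 5d (a 90-day maximum password age and a 10-minute lock), as an added example that is not part of the worksheet. It assumes a Windows workstation with a local (non-domain) password policy, an elevated PowerShell session, and that encryption in transit is handled by the VPN client rather than by this script.

```powershell
# Added example, not from the worksheet: enforce the 90-day / 10-minute targets
# from answer 5d on a Windows workstation and report the resulting values.
# Assumes an elevated session and a local password policy (domain members
# receive the password policy from Group Policy instead).

$MaxPasswordAgeDays = 90   # from answer 5d
$LockoutMinutes     = 10   # from answer 5d

# Local account policy: maximum password age in days.
net accounts "/maxpwage:$MaxPasswordAgeDays" | Out-Null

# "Interactive logon: Machine inactivity limit" security option, in seconds.
# The session locks once the machine has been idle this long.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name 'InactivityTimeoutSecs' `
    -Type DWord -Value ($LockoutMinutes * 60)

# Verification: show what is now in effect so the change can be recorded
# against control objective P09.5 (risk response).
net accounts | Select-String 'Maximum password age'
(Get-ItemProperty -Path $PolicyKey -Name 'InactivityTimeoutSecs').InactivityTimeoutSecs
```

A value of 0 for InactivityTimeoutSecs disables the inactivity limit, so the check should treat 0 as non-compliant, not as "never locks out" being acceptable.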

6. True or False – COBIT P09 Risk Management control objectives focus on assessment and management of IT risk.

TRUE

7. Why is it important to address each identified threat or vulnerability from a C-I-A perspective?

Because CIA is a balanced perspective. When it's too secure, people will not use it; when it's not secure enough, people run the risk of losing information.

8. When assessing the risk impact a threat or vulnerability has on your "information" assets, why must you align this assessment with your Data Classification Standard? How can a Data Classification Standard help you assess the risk impact on your "information" assets?

We have to align it because it helps you classify the importance of the information and its use. It will determine the level of the risk factor if the information were compromised.

9. When assessing the risk impact a threat or vulnerability has on your "Application" and "Infrastructure", why must you align this assessment with both a server and application software vulnerability assessment and remediation plan?

It is what any high level company works on. Anything less is unacceptable.

10. When assessing the risk impact a threat or vulnerability has on your "People", we are concerned with users and employees within the User Domain as well as the IT security practitioners who must implement the risk mitigation steps identified. How can you communicate to your end-user community that a security threat or vulnerability has been identified for a production system or application? How can you prioritize risk remediation tasks?

Send e-mail, memos, or set up a training class. The risk that can reach users the quickest or the highest threat must be prioritized first.

11. What is the purpose of using the COBIT risk management framework and approach?

It is a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise information and technology (IT) assets. Simply stated, it helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use.

12. What is the difference between effectiveness versus efficiency when assessing risk and risk management?

Effectiveness is following the instructions of a specific job, while efficiency is doing the instructions in less time and at lower cost. They say effectiveness is doing what's right and efficiency is doing things right.

13. Which three of the seven focus areas pertaining to IT Risk Management are primary focus areas of risk assessment and risk management and directly relate to information systems security?

Assessing the risk, mitigating possible risk, and monitoring the result.
14. Why is it important to assess risk impact from the four different perspectives as part of the COBIT P.09 Framework?

The more perspectives you have, the better view you get of all the risks that are present.

15. What is the name of the organization that defined the COBIT P.09 Risk Management Framework definition?

The IT Governance Institute
