Lab 2 IAA202

This document contains an assessment worksheet for a student named Phạm Công Đức Anh for their IA1708 course. The worksheet contains various questions to assess risks, threats, and vulnerabilities according to the COBIT P09 Risk Management controls framework. It requires the student to analyze different scenarios involving things like software vulnerabilities, data loss incidents, and security threats and determine the risk level and potential impacts according to confidentiality, integrity and availability.

Uploaded by Anh Duc

Lab #2: Assessment Worksheet

Align Risk, Threats, & Vulnerabilities to COBIT P09 Risk Management Controls

Course Name: IA1708

Student Name: Phạm Công Đức Anh

Instructor Name: IAA202

1:

a. Workstation OS has a known software vulnerability – LOW

b. Service provider has a major network outage – LOW

c. User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers – MEDIUM

d. User downloads an unknown email attachment – HIGH

e. User destroys data in application and deletes all files – MEDIUM

2:

a. Workstation OS has a known software vulnerability – LOW

b. Service provider has a major network outage – LOW

c. User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers – MEDIUM

d. User downloads an unknown email attachment – HIGH

e. User destroys data in application and deletes all files – MEDIUM

3:

Confidentiality Integrity Availability

a. x x

b. x

c. x

d. x

e. x x
4:

Denial of Service attack on the organization's e-mail server

User downloads an unknown email attachment

Loss of Production Data

Workstation browser has software vulnerability

Unauthorized access to organization owned Workstation

5: For each of the threats and vulnerabilities from Lab #1 – (List at Least 3 and No More than 5)

assess the risk factor that it has on your organization in the following areas and explain how

this risk can be mitigated and managed:

a. Threat or Vulnerability #1: Denial of Service attack on the organization's e-mail server

Information – Threat

Applications – Threat

Infrastructure – Threat

People – None

b. Threat or Vulnerability #2: Unauthorized access to organization owned Workstation

Information – Threat

Application – Vulnerability

Infrastructure – Vulnerability

People – Threat

c. Threat or Vulnerability #3: Loss of Production Data

Information – Threat

Applications – Threat

Infrastructure – Threat

People – Threat to someone’s job

d. Threat or Vulnerability #4: Workstation browser has software vulnerability

Information – Vulnerability

Application – Vulnerability

Infrastructure – Vulnerability

People – None

e. Threat or Vulnerability #5: User downloads an unknown e-mail attachment

Information – Vulnerability

Application – Vulnerability

Infrastructure – Vulnerability

6:

True or False – COBIT P09 Risk Management controls objectives focus on assessment

and management of IT risk.

TRUE

7:

Why is it important to address each identified threat or vulnerability from a C-I-A perspective?

Because C-I-A gives a balanced perspective. When a system is too secure, people will not use it; when it is not secure enough, people run the risk of losing information.

8:

We have to align it because it helps you classify the importance of the information and its use. It will determine the level of the risk factor if the information were compromised.

9:

It is what any high-level company works on. Anything less is unacceptable.

10:

When assessing the risk impact a threat or vulnerability has on your “people”, we are concerned

with users and employees within the User Domain as well as the IT security practitioners who must

implement the risk mitigation steps identified. How can you communicate to your end-user

community that a security threat or vulnerability has been identified for a production system or

application? How can you prioritize risk remediation tasks?

Send e-mails and memos, and set up a training class. The risk that can reach users the quickest, or that poses the highest threat, must be prioritized first.

11:

What is the purpose of using the COBIT risk management framework and approach?

COBIT is a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise information and technology (IT) assets. Simply stated, it helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use.

12:

Effectiveness is following the instructions of a specific job, while efficiency is carrying out those instructions in less time and at lower cost. As they say, effectiveness is doing the right things and efficiency is doing things right.

13:

Which three of the seven focus areas pertaining to IT risk management are primary focus areas of risk assessment and risk management and directly relate to information systems security?

Assessing the risk, mitigating possible risk, and monitoring the result.

14:

Why is it important to assess risk impact from the four different perspectives as part of the

COBIT P.09 Framework?

The more perspectives you have, the better the view of all the risks that are present.

15:

What is the name of the organization who defined the COBIT P.09 Risk Management

Framework definition?

The IT Governance Institute.
