
Lab #2: Assessment Worksheet

Align Risk, Threats, & Vulnerabilities to COBIT P09


Risk Management Controls
Student Name: Bạch Quang Lâm
Class: IA1803
Student ID: HE172445

1. From the identified threats & vulnerabilities from Lab #1 (list at least 3 and no more than 5, using the High/Medium/Low Nessus Risk Factor definitions for vulnerabilities):

a. Workstation OS has a known software vulnerability: Low.

b. Service provider has a major network outage: Low.

c. User inserts CDs and USB hard drives with personal photos, music, etc. on organization-owned computers: Medium.

d. User downloads an unknown email attachment: High.

2. For the above identified threats and vulnerabilities, which of the following COBIT P09 Risk Management control objectives are affected?

PO9.1 IT Risk Management Framework: b.

PO9.2 Establishment of Risk Context: b.

PO9.3 Event Identification: a, e.

PO9.4 Risk Assessment: c, d, e.

PO9.5 Risk Response: none.

PO9.6 Maintenance and Monitoring of a Risk Action Plan: none.

3. From the identified threats & vulnerabilities from Lab #1 (list at least 3 and no more than 5), specify whether the threat or vulnerability impacts confidentiality, integrity, or availability:

a. Denial of service attack on organization email server: Integrity, Availability.

b. Loss of production data: Availability, Confidentiality.

c. Unauthorized access to organization-owned workstation: Integrity.

d. User downloads an unknown e-mail attachment: Integrity.

e. Workstation browser has software vulnerability: Confidentiality, Availability.

4. For each of the threats and vulnerabilities from Lab #1 (list at least 3 and no more than 5) that you have remediated, what must you assess as part of your overall COBIT P09 risk management approach for your IT infrastructure?

Update browser; check for and auto-apply updates every day.

Set strong filtering; send memos.

- User downloads an unknown e-mail attachment.

Back up data; restore from a previous point if necessary.

- Workstation browser has software vulnerability.


5. For each of the threats and vulnerabilities from Lab #1 (list at least 3 and no more than 5), assess the risk impact or risk factor that it has on your organization in the following areas and explain how this risk can be mitigated and managed:

a. Threat or Vulnerability #1:

- Information: Vulnerability
- Applications: Vulnerability
- Infrastructure: Vulnerability
- People: None

b. Threat or Vulnerability #2:

- Information: Vulnerability
- Applications: Vulnerability
- Infrastructure: Vulnerability
- People: Threat

c. Threat or Vulnerability #3:

- Information: Threat
- Applications: Vulnerability
- Infrastructure: Threat
- People: Vulnerability

d. Threat or Vulnerability #4:

- Information: Vulnerability
- Applications: Vulnerability
- Infrastructure: Vulnerability
- People: Threat

e. Threat or Vulnerability #5:

- Information: Threat
- Applications: Vulnerability
- Infrastructure: Threat
- People: Vulnerability

6. True or False: COBIT P09 Risk Management control objectives focus on assessment and management of IT risk.

- True

7. Why is it important to address each identified threat or vulnerability from a C-I-A perspective?

- Addressing threats and vulnerabilities from a C-I-A (Confidentiality, Integrity, and Availability) perspective is crucial for effective security management. It enables organizations to prioritize efforts, allocate resources efficiently, and focus on protecting critical assets. By assessing the potential impact on confidentiality, integrity, and availability, organizations can identify the most significant risks and develop robust strategies.
8. When assessing the risk impact a threat or vulnerability has on your "information" assets, why must you align this assessment with your Data Classification Standard? How can a Data Classification Standard help you assess the risk impact on your "information" assets?

- We had to align this review because it helped me categorize the importance of the information.

9. When assessing the risk impact a threat or vulnerability has on your "application" and "infrastructure", why must you align this assessment with both a server and application software vulnerability assessment and remediation plan?

- Because that's the request made by my workplace.

10. When assessing the risk impact a threat or vulnerability has on your "people", we are concerned with users and employees within the User Domain as well as the IT security practitioners who must implement the risk mitigation steps identified. How can you communicate to your end-user community that a security threat or vulnerability has been identified for a production system or application? How can you prioritize risk remediation tasks?

- Send an email to inform them, and create a training course for employees in the company. The biggest risk or threat must be prioritized first.

11. What is the purpose of using the COBIT risk management framework and approach?

COBIT is a framework created by ISACA for information technology (IT) management and IT governance. Simply stated, it helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use.

12. What is the difference between effectiveness versus efficiency when evaluating risk and risk management?

- Effectiveness is following the instructions of a specific job, while efficiency is carrying out the instructions in less time and at lower cost. Effectiveness is doing what's right, and efficiency is doing things the right way.

13. Which three of the seven focus areas pertaining to IT risk management are primary focus areas of risk assessment and risk management and directly related to information systems security?

- Assessing the risk, mitigating possible risk, and monitoring the result.

14. Why is it important to assess risk impact from four different perspectives as part of the COBIT P09 Framework?

- Because the more different points of view we have, the better we can see all the possible risk factors.

15. What is the name of the organization that defined the COBIT P09 Risk Management Framework?

The IT Governance Institute
