Lab2 - IAA202 - Nguyen Thu Ngan

The document is a student lab manual for Lab #2, focusing on aligning risks, threats, and vulnerabilities with the COBIT P09 Risk Management Controls. It includes assessment questions related to identified threats and vulnerabilities, their impact on confidentiality, integrity, and availability, as well as mitigation strategies. The manual emphasizes the importance of a structured approach to IT risk management and the role of COBIT in systematically addressing these risks.


Student Lab Manual

Lab #2: Assessment Worksheet


Align Risk, Threats, & Vulnerabilities to COBIT P09 Risk Management Controls

Course Name: IAA202

Student Name: Nguyen Thu Ngan

Instructor Name: Mai Hoang Dinh

Lab Due Date: 18/01/2025

Overview

Think of the COBIT framework as a giant checklist of what IT or risk management auditors would
do if they were going to audit how your organization approaches risk management for your IT
infrastructure. COBIT P09 defines 6 control objectives for assessing and managing IT risk within four
different focus areas.

The first lab task is to align your identified threats and vulnerabilities from Lab #1 – How to Identify
Threats and Vulnerabilities in Your IT Infrastructure.

Lab Assessment Questions


1. From the identified threats & vulnerabilities from Lab #1 – (List At Least 3 and No More than 5,
High/Medium/Low Nessus Risk Factor Definitions for Vulnerabilities)

a. High Nessus Risk Factor: Service provider has a major network outage
b. High Nessus Risk Factor: User destroys data in application and deletes all files
c. Medium Nessus Risk Factor: Communication circuit outages

2. For the above identified threats and vulnerabilities, which of the following COBIT P09 Risk
Management control objectives are affected?

• PO9.1 IT Risk Management Framework – a
• PO9.2 Establishment of Risk Context – a
• PO9.3 Event Identification – b,c
• PO9.4 Risk Assessment – a,b,c
• PO9.5 Risk Response – a,b,c
• PO9.6 Maintenance and Monitoring of a Risk Action Plan – c

Copyright © 2013 Jones & Bartlett Learning, LLC, an Ascend Learning Company Current Version Date: 05/30/2011
www.jblearning.com All Rights Reserved.

3. From the identified threats & vulnerabilities from Lab #1 – (List At Least 3 and No More than 5),
specify whether the threat or vulnerability impacts confidentiality – integrity – availability:

                                                      Confidentiality   Integrity   Availability

a. Service provider has a major network outage        No                No          Yes

b. User destroys data in application and deletes      No                Yes         Yes
   all files

c. Unauthorized access from the public Internet       Yes               Yes         Yes

4. For each of the threats and vulnerabilities from Lab #1 (List at Least 3 and No More than 5) that you
have remediated, what must you assess as part of your overall COBIT P09 risk management approach
for your IT infrastructure?

1. Assess the risk impact on:

Data integrity, classification levels, and exposure. The effect on core business
applications. Infrastructure such as hardware and connectivity. Employee
training and response readiness.

2. Mitigation steps include:

Strengthening SLAs (for outages). Implementing robust access control (to prevent
unauthorized access). Regular backups and user education (to mitigate data
destruction).


5. For each of the threats and vulnerabilities from Lab #1 – (List at Least 3 and No More than 5) assess
the risk impact or risk factor that it has on your organization in the following areas and explain how
this risk can be mitigated and managed:

a. Threat or Vulnerability #1: Service Provider Has a Major Network Outage

o Information – Data transmission and access may be interrupted.

o Applications – Applications relying on external connectivity could face downtime.

o Infrastructure – Dependency on external networks means potential widespread outages.

o People – Employees relying on the network for tasks may face productivity losses.

b. Threat or Vulnerability #2: Unauthorized Access from Public Internet

o Information – Risk of data theft or exposure.

o Applications – Compromise of business-critical systems.

o Infrastructure – Increased vulnerability in network architecture.

o People – Users might unknowingly contribute to the breach.


c. Threat or Vulnerability #3: User Destroys Data in Application and Deletes All Files

o Information – Loss of critical business data.

o Applications – Operational disruptions due to unavailable data.

o Infrastructure – Recovery processes stress backup systems.

o People – Possible insider threat or lack of training.

6. True or False – COBIT P09 Risk Management control objectives focus on assessment and
management of IT risk.

Answer: True. COBIT P09 focuses on assessing and managing IT risks.

7. Why is it important to address each identified threat or vulnerability from a C-I-A perspective?

Addressing threats from a Confidentiality, Integrity, and Availability perspective ensures
comprehensive risk mitigation, covering data protection, accuracy, and availability.

8. When assessing the risk impact a threat or vulnerability has on your “information” assets, why must
you align this assessment with your Data Classification Standard? How can a Data Classification
Standard help you assess the risk impact on your “information” assets?

Aligning with the Data Classification Standard ensures proper prioritization of risks based
on the sensitivity and importance of data, aiding in targeted mitigation strategies.

9. When assessing the risk impact a threat or vulnerability has on your “application” and
“infrastructure”, why must you align this assessment with both a server and application software
vulnerability assessment and remediation plan?

Aligning with a vulnerability assessment plan helps identify and address weaknesses,
ensuring applications and infrastructure remain secure.


10. When assessing the risk impact a threat or vulnerability has on your “people”, we are concerned with
users and employees within the User Domain as well as the IT security practitioners who must
implement the risk mitigation steps identified. How can you communicate to your end-user
community that a security threat or vulnerability has been identified for a production system or
application? How can you prioritize risk remediation tasks?

Communicate through internal announcements or security awareness campaigns.
Prioritize risks based on potential impact and assign clear action items.

11. What is the purpose of using the COBIT risk management framework and approach?

It ensures IT risks are systematically identified, assessed, and mitigated in alignment with
business objectives.

12. What is the difference between effectiveness versus efficiency when assessing risk and risk
management?
Effectiveness: Achieving desired security outcomes.
Efficiency: Doing so with minimal resources and cost.

13. Which three of the seven focus areas pertaining to IT risk management are primary focus areas of risk
assessment and risk management and directly relate to information systems security?

Risk Identification, Risk Assessment, Risk Mitigation

14. Why is it important to assess risk impact from four different perspectives as part of the COBIT P.09
Framework?

It ensures all aspects of IT operations (Information, Applications, Infrastructure, and People)
are considered for a holistic risk management approach.

15. What is the name of the organization that defined the COBIT P.09 Risk Management Framework
Definition?

ISACA (Information Systems Audit and Control Association) defines the COBIT framework.
