Assessment Worksheet Aligning Risks, Threats, and Vuln.docx

Assessment Worksheet
Aligning Risks, Threats, and Vulnerabilities to COBIT P09 Risk
Management Controls
Course Name and Number:
_____________________________________________________
Student Name:
_____________________________________________________
___________
Instructor Name:
_____________________________________________________
_________
Lab Due Date:
_____________________________________________________
___________
Overview
In this lab, you defined COBIT P09, you described COBIT
P09’s six control objectives, you
explained how the threats and vulnerabilities align to the
definition for the assessment and
management of risks, and you used COBIT P09 to determine the
scope of risk management for
an IT infrastructure.

Lab Assessment Questions & Answers
1. What is COBIT P09’s purpose?
2. Name three of COBIT’s six control objectives.
3. For each of the threats and vulnerabilities from the
Identifying Threats and Vulnerabilities in an
IT Infrastructure lab in this lab manual (list at least three and no
more than five) that you have
remediated, what must you assess as part of your overall COBIT
P09 risk management approach
for your IT infrastructure?
4. True or false: COBIT P09 risk management control objectives
focus on assessment and
management of IT risk.
17
Copyright © 2015 by Jones & Bartlett Learning, LLC, an
Ascend Learning Company. All rights reserved.
www.jblearning.com Student Lab Manual

5. What is the name of the organization that defined the COBIT
P09 Risk Management Framework?
6. Describe three of the COBIT P09 control objectives.
7. Describe three of the COBIT P09.1 IT Risk Management
Framework control objectives.
Course Name and Number: Student Name: Instructor Name: Lab
Due Date: Text16: Text17: Text18: Text19: Text20: Text21:
Text22:
18
Introduction
Every company needs to take risks to thrive, but not too much
risk which could be catastrophic.
Finding the balanced amount of risk requires identifying what
opportunities (or threats) are
present, understanding how significant each of them is,
recognizing what action to take to

smartly handle both opportunities and risks, and lastly,
monitoring all of the above, including
discovering more prospects and threats. All told, this is called
risk management. Specific to the
seven domains of the IT infrastructure, this lab will cover IT
risk management.
In this lab, you will define the purpose of an IT risk
management plan, you will define the scope
for an IT risk management plan that encompasses the seven
domains of a typical IT
infrastructure, you will relate the risks, threats, and
vulnerabilities to the plan, and you will create
an IT risk management plan outline that incorporates the five
major parts of an IT risk
management process.
Learning Objectives
Upon completing this lab, you will be able to:
Define the purpose and objectives of an IT risk management
plan.
Define the scope and boundary for an IT risk management plan
to encompass the seven
domains of a typical IT infrastructure.
Relate identified risks, threats, and vulnerabilities to an IT risk

management plan and risk
areas.
Incorporate the five major parts of an IT risk management
process into a risk management
plan’s outline.
Craft an outline for an IT risk management plan, which includes
the seven domains of a
typical IT infrastructure and the five major parts of risk
management and risk areas.
Lab #3 Defining the Scope and Structure for an IT
Risk Management Plan
Copyright © by Jones & Bartlett Learning, LLC, an Ascend
Learning Company - All Rights Reserved.
19
Deliverables
Upon completion of this lab, you are required to provide the

following deliverables to your
instructor:
1. Lab Report file;
2. Lab Assessments file.
20 | LAB #3 Defining the Scope and Structure for an IT Risk
Management Plan
Hands-On Steps
This is a paper-based lab. To successfully complete the
deliverables for this lab, you will need access to Microsoft®
Word or another compatible word processor. For some labs, you
may also need access to a graphics line drawing
application, such as Visio or PowerPoint. Refer to the Preface
of this manual for information on creating the lab
deliverable files.
1. On your local computer, create the lab deliverable files.
2. Review the Lab Assessment Worksheet. You will find
answers to these questions as you
proceed through the lab steps.
3. On your local computer, open a new Internet browser

window.
4. Using your favorite search engine, search for information on
the IT risk management
process.
5. Briefly review at least five of the first page results.
6. In the address box of your Internet browser, type the URL
http://www.uvm.edu/~erm/RiskAssessmentGuide.pdf and press
Enter to open the Web site.
7. Review the PDF titled “Guide to Risk Assessment &
Response.”
Take special note of the University of Vermont’s “Guide to Risk
Assessment & Response” document and the
insightful sections titled “Things to Keep in Mind” and “Steps
to Follow” for each of the assessment steps.
https://web.archive.org/web/20130418005540/http://www.educa
tion.nt.gov.au/__data/ass
ets/pdf_file/0011/4106/risk_management_process.pdf and press
Enter to open the Web
site.
9. Review the PowerPoint slide deck titled “The Risk
Management Process.”
10. In your Lab Report file, describe in what ways the risk
management process in both IT
and non-IT environments are similar. Briefly describe in your
own words the five major

steps of risk management: plan, identify, assess, respond, and
monitor.
11. In your Lab Report file, describe the plan.
12. Review the seven domains of a typical IT infrastructure (see
Figure 1).
https://web.archive.org/web/20130418005540/http:/www.educat
ion.nt.gov.au/__data/assets/pdf_file/0011/4106/risk_managemen
t_process.pdf
https://web.archive.org/web/20130418005540/http:/www.educat
ion.nt.gov.au/__data/assets/pdf_file/0011/4106/risk_managemen
t_process.pdf
21
Figure 1 Seven domains of a typical IT infrastructure
13. Using the following table of risks, threats, and
vulnerabilities that were found in a health
care IT infrastructure servicing patients with life-threatening
conditions, review the risks

in the following table. Consider how you might manage each
risk and which of the seven
domains each one affects:
Risks, Threats, and Vulnerabilities
Unauthorized access from public Internet
Hacker penetrates IT infrastructure
Communication circuit outages
Workstations
Workstation operating system (OS) has a known software
vulnerability
Denial of service attack on organization’s e-mail
Remote communications from home office
Workstation browser has software vulnerability
Weak ingress/egress traffic-filtering degrades performance
Wireless Local Area Network (WLAN) access points are needed
for Local Area Network (LAN)
connectivity within a warehouse
Need to prevent rogue users from unauthorized WLAN access
User destroys data in application, deletes all files, and gains
access to internal network
Fire destroys primary data center
Intraoffice employee romance gone bad

Loss of production data server
Unauthorized access to organization-owned workstations
LAN server OS has a known software vulnerability
User downloads an unknown e-mail attachment
Service provider has a major network outage
Management Plan
User inserts CDs and USB hard drives with personal photos,
music, and videos on organization-
owned computers
Virtual Private Network (VPN) tunneling between the remote
computer and ingress/egress
router
14. In your Lab Report file, for each of the domains, create an
outline in the scope of your
risk management plan. Include the following topics—the five
major parts of an IT risk
management process—for each domain:

This completes the lab. Close the Web browser, if you have not
already done so.
23
Evaluation Criteria and Rubrics
The following are the evaluation criteria for this lab that
students must perform:

1. Define the purpose and objectives of an IT risk management
plan. – [20%]
2. Define the scope and boundary for an IT risk management
plan to encompass the seven
domains of a typical IT infrastructure. – [20%]
3. Relate identified risks, threats, and vulnerabilities to an IT
risk management plan and risk
areas. – [20%]
4. Incorporate the five major parts of an IT risk management
process into a risk
management plan’s outline. – [20%]
5. Craft an outline for an IT risk management plan, which
includes the seven domains of a
typical IT infrastructure and the five major parts of risk
management and risk areas. –
[20%]
Management Plan
Lab #3 - Assessment Worksheet
Defining the Scope and Structure for an IT Risk Management
Plan

_____________________________________________________
Student Name:
_____________________________________________________
___________
Instructor Name:
_____________________________________________________
_________
Lab Due Date:
_____________________________________________________
___________
Overview
In this lab, you defined the purpose of an IT risk management
plan, you defined the scope for an
IT risk management plan that encompasses the seven domains of
a typical IT infrastructure, you
related the risks, threats, and vulnerabilities to the plan, and
you created an IT risk management
plan outline that incorporates the five major parts of an IT risk
management process.
1. What is the goal or objective of an IT risk management plan?

2. What are the five fundamental components of an IT risk
management plan?
3. Define what risk planning is.
4. What is the first step in performing risk management?
5. What is the exercise called when you are trying to gauge how
significant a risk is?
25
6. What practice helps address a risk?

7. What ongoing practice helps track risk in real time?
8. True or False: Once a company completes all risk
management steps (identification, assessment,
response, and monitoring), the task is done.
9. Given that an IT risk management plan can be large in scope,
why is it a good idea to develop a
risk management plan team?
10. In the seven domains of a typical IT infrastructure, which
domain is the most difficult to plan,
identify, assess, treat, and monitor?
11. Which compliance laws or standards does the health care
organization mentioned in the Hands-
On Steps have to comply with (consider these: Health Insurance
Portability and Accountability
Act [HIPAA], Gramm-Leach-Bliley Act [GLBA], and Family
Educational Rights and Privacy Act
[FERPA])? How does this impact the scope and boundary of its
IT risk management plan?

12. How did the risk identification and risk assessment of the
identified risks, threats, and
vulnerabilities contribute to your IT risk management plan
outline?
13. What risks, threats, and vulnerabilities did you identify and
assess that require immediate risk
mitigation given the criticality of the threat or vulnerability?
14. For risk monitoring, what are some techniques or tools you
can implement in each of the seven
domains of a typical IT infrastructure to help mitigate risk?
Management Plan
15. For risk mitigation, what processes and procedures can help
streamline and implement risk-
mitigation solutions to the production IT infrastructure?
16. What is the purpose of a risk register?

17. How does risk response impact change control management
and vulnerability management?
Assessment Worksheet
Defining the Scope and Structure for an IT Risk Management
Plan
_____________________________________________________
Student Name:
_____________________________________________________
___________
Instructor Name:
_____________________________________________________
_________
Lab Due Date:
_____________________________________________________

___________
Overview
In this lab, you defined the purpose of an IT risk management
plan, you defined the scope for an
IT risk management plan that encompasses the seven domains of
a typical IT infrastructure, you
related the risks, threats, and vulnerabilities to the plan, and
you created an IT risk management
plan outline that incorporates the five major parts of an IT risk
management process.
1. What is the goal or objective of an IT risk management plan?
2. What are the five fundamental components of an IT risk
management plan?
3. Define what risk planning is.
4. What is the first step in performing risk management?
5. What is the exercise called when you are trying to gauge how
significant a risk is?

25
6. What practice helps address a risk?
7. What ongoing practice helps track risk in real time?
8. True or False: Once a company completes all risk
management steps (identification, assessment,
response, and monitoring), the task is done.
9. Given that an IT risk management plan can be large in scope,
why is it a good idea to develop a
risk management plan team?
10. In the seven domains of a typical IT infrastructure, which
domain is the most difficult to plan,
identify, assess, treat, and monitor?

11. Which compliance laws or standards does the health care
organization mentioned in the Hands-
On Steps have to comply with (consider these: Health Insurance
Portability and Accountability
Act [HIPAA], Gramm-Leach-Bliley Act [GLBA], and Family
Educational Rights and Privacy Act
[FERPA])? How does this impact the scope and boundary of its
IT risk management plan?
12. How did the risk identification and risk assessment of the
identified risks, threats, and
vulnerabilities contribute to your IT risk management plan
outline?
13. What risks, threats, and vulnerabilities did you identify and
assess that require immediate risk
mitigation given the criticality of the threat or vulnerability?
14. For risk monitoring, what are some techniques or tools you
can implement in each of the seven
domains of a typical IT infrastructure to help mitigate risk?
15. For risk mitigation, what processes and procedures can help
streamline and implement risk-
mitigation solutions to the production IT infrastructure?

16. What is the purpose of a risk register?
17. How does risk response impact change control management
and vulnerability management?
Course Name and Number: Student Name: Instructor Name: Lab
Due Date: Text23: Text24: Text25: Text26: Text27: Text28:
Text29: Text30: Text31: Text32: Text33: Text34: Text35:
Text36: Text37: Text38: Text39:
10
Introduction
Ask any IT manager about the challenges in conveying IT risks
in terms of business risks, or
about translating business goals into IT goals. It’s a common
difficulty, as the worlds of business
and IT do not inherently align. This lack of alignment was
unresolved until ISACA developed a
framework called COBIT, first released in 1996. ISACA is an
IT professionals’ association
centered on auditing and IT governance. This lab will focus on
the COBIT framework. The lab
uses the latest two versions: COBIT 4.1, which is currently the

most implemented version, and
COBIT 5, which is the latest version released in June 2012.
Because COBIT 4.1 is freely available at the time of this
writing, the lab uses this version to
present handling of risk management. Presentation is done
making use of a set of COBIT control
objectives called P09. COBIT P09’s purpose is to guide the
scope of risk management for an IT
infrastructure. The COBIT P09 risk management controls help
organize the identified risks,
threats, and vulnerabilities, enabling you to manage and
remediate them. This lab will also
present how COBIT shifts from the term “control objectives” to
a set of principles and enablers
in version 5.
In this lab, you will define COBIT P09, you will describe
COBIT P09’s six control objectives,
you will explain how the threats and vulnerabilities align to the
definition for the assessment and
management of risks, and you will use COBIT P09 to determine
the scope of risk management
for an IT infrastructure.
Learning Objectives
Upon completing this lab, you will be able to:
• Define what COBIT (Control Objectives for Information and
related Technology) P09
risk management is for an IT infrastructure.
• Describe COBIT P09’s six control objectives that are used as
benchmarks for IT risk
assessment and risk management.

• Explain how threats and vulnerabilities align to the COBIT
P09 risk management
definition for the assessment and management of IT risks.
• Use the COBIT P09 controls as a guide to define the scope of
risk management for an IT
infrastructure.
• Apply the COBIT P09 controls to help organize the identified
IT risks, threats, and
vulnerabilities.
Lab #2 Aligning Risks, Threats, and Vulnerabilities to
COBIT P09 Risk Management Controls
© Jones & Bartlett Learning, LLC. NOT FOR SALE OR
DISTRIBUTION.
© Jones & Bartlett Learning, LLC
NOT FOR SALE OR DISTRIBUTION

11
Deliverables
Upon completion of this lab, you are required to provide the
following deliverables to your
instructor:
1. Lab Report file;
2. Lab Assessments file.
DISTRIBUTION.

12 | LAB #2 Aligning Risks, Threats, and Vulnerabilities to
COBIT P09 Risk
Management Controls
Hands-On Steps
This is a paper-based lab. To successfully complete the
deliverables for this lab, you will need access to Microsoft®
Word or another compatible word processor. For some labs, you
may also need access to a graphics line drawing
application, such as Visio or PowerPoint. Refer to the Preface
of this manual for information on creating the lab
deliverable files.
1. On your local computer, create the lab deliverable files.

2. Review the Lab Assessment Worksheet. You will find
answers to these questions as you
proceed through the lab steps.
3. Review the seven domains of a typical IT infrastructure (see
Figure 1).
Figure 1 Seven domains of a typical IT infrastructure
4. On your local computer, open a new Internet browser
window.
http://www.isaca.org/Knowledge-Center/cobit/Pages/FAQ.aspx
and press Enter to open the
Web site.
6. Review the information on the COBIT FAQs page.
DISTRIBUTION.

13
ISACA—45 Years Serving Auditors and Business
ISACA is a global organization that defines the roles of
information systems governance, security, auditing, and
assurance professionals worldwide. ISACA standardizes a level
of understanding of these areas through two well-
known certifications, the Certified Information Systems Auditor
(CISA) and Certified Information Security Manager
(CISM). In recent years, ISACA has expanded its certification
offerings to include two other certifications around risk
and IT governance.
ISACA was previously an acronym expanding to Information
Systems Audit and Control Association, but today is

known by the name ISACA alone to better serve its wider
audience.
Similarly, COBIT was originally an acronym for Control
Objectives for Information and related Technology. Now,
ISACA refers to the framework as just COBIT, in part because
the concept of “control objectives” ends with COBIT
version 4.1. COBIT 5 focuses on business-centric concepts and
definitions, distinguishes between governance and
management, and includes a product family of “enabler guides”
and “practice guides.” The recent release of COBIT
version 5 is a complete break from COBIT 4. In addition,
COBIT 5 also incorporates other ISACA products, including
Val IT and Risk IT.
7. In your Lab Report file, describe the primary goal of the
COBIT v4.1 Framework. Define
COBIT.
8. On the left side of the COBIT Web site, click the COBIT 4.1
Controls Collaboration link.
9. At the top of the page, read about the COBIT Controls area
within ISACA’s Knowledge
Center.
10. In your Lab Report file, describe the major objective of the
Controls area.
11. Scroll down the Web page to the COBIT Domains and
Control Objectives section.
12. Click the Text View tab.

13. In your Lab Report file, list each of the types of control
objectives and briefly describe
them based on the descriptions on the Web site. Include the
following:
• Plan and Organize
• Acquire and Implement
• Monitor and Evaluate
• Delivery and Support
• Process Controls
• Application Controls
14. On the Web site, under the Plan and Organize Control
Objective description, click the
View all the PO Control Objectives link.
DISTRIBUTION.

14 | LAB #2 Aligning Risks, Threats, and Vulnerabilities to
COBIT P09 Risk
Management Controls
15. Scroll down and find the P09 Control Objectives, which are
labeled Assess and Manage
IT Risks.
COBIT 5 is not an evolutionary but a revolutionary change.
Naturally, risk management is covered, but it is done in a
holistic, end-to-end business approach, rather than in an IT-
centered approach.
16. Click the P09.1, IT Risk Management Framework link.
17. Scroll down to about the middle of the page to read about
the IT Risk Management
Framework.
18. Expand the View value and Risk Drivers and View Control
Practices links to learn more.
19. In your Lab Report file, describe what this objective covers.

20. Click the other P09 Control Objectives by first clicking the
back button to return to the
COBIT Domains and Control Objectives section of the COBIT
4.1 Controls
Collaboration page.
21. Click the Text View tab.
22. Click the View all the PO Control Objectives link.
23. Scroll down to the P09 Control Objectives.
24. Finally, click the P09.2, Establishment of Risk Context link.
25. Repeat this set of instructions for each of the other P09
listings.
26. Read about each of these.
27. In your Lab Report file, explain how you use the P09
Control Objectives to organize
identified IT risks, threats, and vulnerabilities so you can then
manage and remediate the
risks, threats, and vulnerabilities in a typical IT infrastructure.
This completes the lab. Close the Web browser, if you have not
already done so.
DISTRIBUTION.

15
Evaluation Criteria and Rubrics
The following are the evaluation criteria for this lab that
students must perform:

1. Define what COBIT (Control Objectives for Information and
related Technology) P09
risk management is for an IT infrastructure. – [20%]
2. Describe COBIT P09’s six control objectives that are used as
benchmarks for IT risk
assessment and risk management. – [20%]
3. Explain how threats and vulnerabilities align to the COBIT
P09 risk management
definition for the assessment and management of IT risks. –
[20%]
4. Use the COBIT P09 controls as a guide to define the scope of
risk management for an IT
infrastructure. – [20%]
5. Apply the COBIT P09 controls to help organize the identified
IT risks, threats, and
vulnerabilities. – [20%]
DISTRIBUTION.

Assessment Worksheet Aligning Risks, Threats, and Vuln.docx

Recommended

Recommended

More Related Content

Similar to Assessment Worksheet Aligning Risks, Threats, and Vuln.docx

Similar to Assessment Worksheet Aligning Risks, Threats, and Vuln.docx (20)

More from davezstarr61655

More from davezstarr61655 (20)

Recently uploaded

Recently uploaded (20)

Assessment Worksheet Aligning Risks, Threats, and Vuln.docx