HoangTuanKhoi HE181550 Lab2

Laboratory #2 focuses on aligning risks, threats, and vulnerabilities with COBIT PO9 Risk Management controls. Students will learn to define COBIT PO9, describe its control objectives, and apply these controls to assess and manage IT risks. The lab requires a paper-based assessment and completion of various worksheets to demonstrate understanding and application of the COBIT framework.

Uploaded by khoiclever

Laboratory #2

Lab 2: Align Risk, Threats, & Vulnerabilities to COBIT PO9 Risk Management Controls

Learning Objectives and Outcomes

Upon completing this lab, students will be able to:


- Define what COBIT (Control Objectives for Information and related Technology) PO9 Risk Management is for an IT infrastructure
- Describe the 6 control objectives of COBIT PO9 which are used as benchmarks for IT risk assessment and risk management
- Relate how threats and vulnerabilities align to the COBIT PO9 Risk Management definition for the assessment and management of IT risk
- Use the COBIT PO9 controls as a guide to define the scope of risk management for an IT infrastructure
- Apply the COBIT PO9 controls to help plan and organize the identified IT risks, threats, and vulnerabilities and the on-going management and remediation operation requirements

Required Setup and Tools


This is a paper-based lab. A PDF copy of the COBIT v4.1 Framework from ISACA is needed for
this paper-based lab. ISACA is the global organization that defines the roles of information
systems governance, security, audit and assurance professionals worldwide through its Certified
Information Systems Auditor (CISA) and Certified Information Security Manager (CISM)
professional certifications. ISACA’s website is: www.isaca.org.

The standard Instructor and Student VM workstation with Microsoft Office 2007 or higher is
required for this lab. Students will be required to answer the Lab #2 – Assessment Worksheet
questions as part of this lab.

Recommended Procedures
Lab #2 – Student Steps:
Student steps needed to perform Lab #2 – Align Risk, Threats, & Vulnerabilities to the COBIT Risk
Management Controls:
1. Connect your removable hard drive or USB hard drive to a classroom workstation.
2. Boot up your classroom workstation and obtain an IP host address via DHCP.
3. Log in to your classroom workstation and open Microsoft Word.
4. Conduct a high-level narrative discussion and review of the COBIT v4.1 Framework.
5. Review the COBIT PO9 Control Objective definition, scope, and focus areas for assessing and managing IT risk.
6. Relate how the COBIT PO9 Control Objective definition applies to assessing and managing IT risk within each of the seven domains of a typical IT infrastructure: User, Workstation, LAN, LAN-to-WAN, WAN, Remote Access, and Systems/Applications Domains.
7. Explore the structure and format of how to align risks, threats, and vulnerabilities identified from your IT infrastructure to the COBIT PO9 Control Objective definition, scope, and focus areas: Information, Applications, Infrastructure, and People.
8. Explore the hierarchy for assessing and managing IT risks:
   - Step #1: Align the risk, threat, or vulnerability assessment to C-I-A as the primary criterion, and assess
   - Step #2: Align the risk, threat, or vulnerability remediation to Effectiveness, Efficiency, Compliance, and Reliability as secondary criteria
   - Step #3: Assess the risk impact for each threat or vulnerability in the following focus areas:
     - Information – What is the risk impact? How can this be mitigated? How can this be managed?
     - Applications – What is the risk impact? How can this be mitigated? How can this be managed?
     - Infrastructure – What is the risk impact? How can this be mitigated? How can this be managed?
     - People – What is the risk impact? How can this be mitigated? How can this be managed?
9. Using the threats and vulnerabilities identified in Lab #1 – How to Identify Threats and Vulnerabilities in Your IT Infrastructure, align the high, medium, and low vulnerabilities to the COBIT PO9 Risk Management control objectives for assessing and managing risk. See Lab #2 – Assessment Worksheet – Part A – COBIT PO9 Alignment.
10. Answer the Lab #2 – Assessment Questions.
Deliverables

Upon completion of the Lab #2 – Align Risk, Threats, & Vulnerabilities to the COBIT Risk
Management Controls, students are required to provide the following deliverables as part of this lab:
1. Lab #2 – Assessment Questions and Answers. This will include details about using the COBIT PO9 assessment and risk management approach for the vulnerabilities identified in Lab #1.

Evaluation Criteria and Rubrics


The following are the evaluation criteria and rubrics against which students' work on Lab #2 will be assessed:
1. Was the student able to define what COBIT (Control Objectives for Information and related Technology) PO9 Risk Management is for an IT infrastructure? – [20%]
2. Was the student able to describe the 6 control objectives of COBIT PO9 which are used as benchmarks for IT risk assessment and risk management? – [20%]
3. Was the student able to relate how threats and vulnerabilities align to the COBIT PO9
Risk Management definition for the assessment and management of IT risk? – [20%]
4. Was the student able to use the COBIT PO9 controls as a guide to define the scope of
risk management for an IT infrastructure? – [20%]
5. Was the student able to apply the COBIT PO9 controls to help plan and organize the
identified IT risks, threats, and vulnerabilities and the on-going management and remediation
operation requirements? – [20%]

Lab #2: Assessment Worksheet
Align Risk, Threats, & Vulnerabilities to COBIT PO9 Risk Management Controls

Course Name: IAA202

Student Name: Hoàng Tuấn Khôi

Instructor Name: Nguyễn Anh Nhật

Lab Due Date: 20/1/2025

Overview
Think of the COBIT framework as a giant checklist of what IT or risk management auditors would examine if they were going to audit how your organization approaches risk management for your IT infrastructure. COBIT PO9 defines 6 control objectives for assessing and managing IT risk within four different focus areas.

The first lab task is to align the threats and vulnerabilities you identified in Lab #1 – How to Identify Threats and Vulnerabilities in Your IT Infrastructure to the COBIT PO9 Risk Management control objectives.

Lab Assessment Questions


1. From the identified threats & vulnerabilities from Lab #1 – (List At Least 3 and No More than 5, High/Medium/Low Nessus Risk Factor Definitions for Vulnerabilities)

a. Workstation OS has a known software vulnerability – Low.
b. Service provider has a major network outage – Low.
c. User inserts CDs and USB hard drives with personal photos, music, ... on organization-owned computers – Medium.
d. User downloads an unknown e-mail attachment – High.
2. For the above identified threats and vulnerabilities, which of the following COBIT PO9 Risk Management control objectives are affected?

PO9.1 IT Risk Management Framework – b.
PO9.2 Establishment of Risk Context – b.
PO9.3 Event Identification – a, e.
PO9.4 Risk Assessment – c, d, e.
PO9.5 Risk Response – none.
PO9.6 Maintenance and Monitoring of Risk Action Plan – none.

3. From the identified threats & vulnerabilities from Lab #1 – (List At Least 3 and No More than 5), specify whether the threat or vulnerability impacts confidentiality – integrity – availability:

a. Denial of service attack on the organization's e-mail server: Integrity, Availability.
b. Loss of production data: Availability, Confidentiality.
c. Unauthorized access to organization-owned workstation: Integrity.
d. User downloads an unknown e-mail attachment: Integrity.
e. Workstation browser has software vulnerability: Confidentiality, Availability.

4. For each of the threats and vulnerabilities from Lab #1 (List at Least 3 and No More than 5)
that you have remediated, what must you assess as part of your overall COBIT P09 risk
management approach for your IT infrastructure?
a) Workstation browser has software vulnerability.
b) Update the browser; check and auto-update every day.
c) User downloads an unknown e-mail attachment.
d) Set strong filtering, send memos.
e) Back up data, restore from a previous point if necessary.

5. For each of the threats and vulnerabilities from Lab #1 – (List at Least 3 and No More than
5) assess the risk impact or risk factor that it has on your organization in the following
areas and explain how this risk can be mitigated and managed:
a. Threat or Vulnerability #1:
   - Information – Vulnerability
   - Applications – Vulnerability
   - Infrastructure – Vulnerability
   - People – None

b. Threat or Vulnerability #2:
   - Information – Vulnerability
   - Applications – Vulnerability
   - Infrastructure – Vulnerability
   - People – Threat

c. Threat or Vulnerability #3:
   - Information – Threat
   - Applications – Vulnerability
   - Infrastructure – Threat
   - People – Vulnerability

d. Threat or Vulnerability #4:
   - Information – Vulnerability
   - Applications – Vulnerability
   - Infrastructure – Vulnerability
   - People – Threat

e. Threat or Vulnerability #5:
   - Information – Threat
   - Applications – Vulnerability
   - Infrastructure – Threat
   - People – Vulnerability

6. True or False – COBIT PO9 Risk Management control objectives focus on assessment and management of IT risk.

- True. COBIT (Control Objectives for Information and Related Technologies) PO9 Risk Management control objectives indeed focus on the assessment and management of IT risk.

7. Why is it important to address each identified threat or vulnerability from a C-I-A perspective?
- Addressing threats and vulnerabilities from a C-I-A (Confidentiality, Integrity, and Availability)
perspective is crucial for effective security management. It enables organizations to prioritize
efforts, allocate resources efficiently, and focus on protecting critical assets.
- By assessing the potential impact on confidentiality, integrity, and availability, organizations can
identify the most significant risks and develop robust strategies. This comprehensive approach
ensures comprehensive protection, both internally and externally, aiding in business continuity,
compliance, and safeguarding information assets.

8. When assessing the risk impact a threat or vulnerability has on your “information” assets,
why must you align this assessment with your Data Classification Standard? How can a
Data Classification Standard help you assess the risk impact on your “information”
assets?

- Aligning risk assessment with your Data Classification Standard is crucial because it helps
prioritize data protection, ensures consistency, allocates resources effectively, meets compliance
requirements, and implements appropriate risk mitigation strategies.
- A Data Classification Standard helps assess the risk impact on your information assets by:
a) Prioritizing Protection: It identifies which data needs more protection based on its
classification.
b) Ensuring Consistency: It provides a uniform framework for evaluating risk across all
data.
c) Allocating Resources: It helps allocate resources effectively to protect high-risk data.
d) Meeting Compliance: It ensures compliance with regulations that require data
classification.
e) Implementing Risk Mitigation: It guides the implementation of appropriate risk
mitigation strategies.

9. When assessing the risk impact a threat or vulnerability has on your “application” and
“infrastructure”, why must you align this assessment with both a server and application
software vulnerability assessment and remediation plan?

- Aligning your risk assessment with both a server and application software vulnerability
assessment and remediation plan is essential for several reasons:

a) Comprehensive Coverage: Ensures that all vulnerabilities in both the server and
application layers are identified and addressed.

b) Consistency: Provides a consistent approach to evaluating and mitigating risks across
different components of your IT infrastructure.

c) Prioritization: Helps prioritize remediation efforts based on the severity and impact of
identified vulnerabilities.

d) Resource Allocation: Allows for effective allocation of resources to address the most
critical vulnerabilities first.

e) Compliance: Ensures compliance with industry standards and regulations that require
regular vulnerability assessments and remediation.

f) Risk Mitigation: Helps implement appropriate risk mitigation strategies to protect your
applications and infrastructure from potential threats.

10. When assessing the risk impact a threat or vulnerability has on your “people”, we are
concerned with users and employees within the User Domain as well as the IT security
practitioners who must implement the risk mitigation steps identified. How can you
communicate to your end-user community that a security threat or vulnerability has been
identified for a production system or application? How can you prioritize risk remediation
tasks?

- Effective communication of security threats or vulnerabilities to the end-user community is
essential for maintaining the integrity and security of production systems and applications. This can
be achieved through the following steps:

a) Immediate Notification: Utilize multiple communication channels such as email, intranet,
and instant messaging to promptly inform users about the identified threat or vulnerability.
b) Clear Instructions: Provide explicit and concise instructions on the necessary actions
users should take, such as changing passwords or avoiding specific applications.
c) Regular Updates: Maintain transparency by regularly updating users on the status of the
threat and the progress of remediation efforts.
d) Training and Awareness: Conduct training sessions and disseminate educational
materials to enhance users' understanding of the threat and the measures they can take to
protect themselves.

- Prioritizing risk remediation tasks is crucial for effectively managing and mitigating the impact of
security threats and vulnerabilities. This can be accomplished through the following steps:

a) Assess Severity: Evaluate the potential impact of the threat or vulnerability on your
systems and data.
b) Identify Critical Assets: Determine which assets are most critical to your operations and
prioritize remediation efforts accordingly.
c) Allocate Resources: Assign appropriate resources, including personnel and tools, to
address the most critical vulnerabilities first.
d) Implement Quick Wins: Focus on remediation tasks that can be quickly implemented to
reduce immediate risk.
e) Monitor and Review: Continuously monitor the effectiveness of remediation efforts and
adjust priorities as new information becomes available.

11. What is the purpose of using the COBIT risk management framework and approach?

- The purpose of using the COBIT risk management framework and approach is to provide a
structured method for managing IT-related risks. It helps organizations align IT processes with
business goals, manage risks effectively, and achieve regulatory compliance. By using COBIT,
organizations can enhance IT governance, improve decision-making, and ensure the security and
integrity of their IT systems and data.

12. What is the difference between effectiveness versus efficiency when assessing risk
and risk management?

- Effectiveness refers to how well a risk management strategy achieves its intended goals, focusing
on outcomes and the extent to which risks are mitigated or managed. Efficiency refers to the
resources used to achieve the desired outcomes, focusing on the process and how well resources
(time, money, personnel) are utilized to manage risks.

13. Which three of the seven focus areas pertaining to IT risk management are primary focus
areas of risk assessment and risk management and directly relate to information systems
security?
- The three primary focus areas of risk assessment and risk management that directly relate to
information systems security are:
a) Risk Identification
b) Risk Assessment
c) Risk Mitigation

14. Why is it important to assess risk impact from four different perspectives as part of the
COBIT PO9 Framework?
- Assessing risk impact from four different perspectives as part of the COBIT PO9 Framework is
important because it provides a comprehensive understanding of the risks and their potential effects
on the organization. By considering these four perspectives, organizations can develop a holistic
risk management strategy that addresses all aspects of their operations, ensuring resilience and
sustainability.

15. What is the name of the organization that defined the COBIT PO9 Risk Management
Framework Definition?
- The organization that defined the COBIT PO9 Risk Management Framework is ISACA, or
the Information Systems Audit and Control Association.
