Format: Microsoft Word
Your last name must be in the filename of your submitted document according to the assignment naming standard: IS3110_Lab2_Lastname_First. Email to: SMichnick@itt-tech.edu
Due By: 6:00 PM CDT, Wednesday July 2, 2014
Note: Emails received after Due Date will be marked LATE and subject to a grade penalty of 10% each week it is late.
Pages 11-17 of the IS3220 Student Lab Manual
Lab #2 – Align Risk, Threats, & Vulnerabilities to COBIT PO9 Risk Management Controls
Learning Objectives and Outcomes
Upon completing this lab, you will be able to:
Define what COBIT (Control Objectives for Information and related Technology) PO9 Risk Management is for an IT infrastructure
Describe the 6 control objectives of COBIT PO9, which are used as benchmarks for IT risk assessment and risk management
Relate how threats and vulnerabilities align to the COBIT PO9 Risk Management definition for the assessment and management of IT risk
Use the COBIT PO9 controls as a guide to define the scope of risk management for an IT infrastructure
Apply the COBIT PO9 controls to help plan and organize the identified IT risks, threats, and vulnerabilities and the on-going management and remediation operation requirements
Think of the COBIT framework as a giant checklist of what IT or risk management auditors would do if they were going to audit how your organization approaches risk management for your IT infrastructure. COBIT PO9 defines 6 control objectives for assessing and managing IT risk within four different focus areas. The first lab task is to align the threats and vulnerabilities you identified in Lab #1 (How to Identify Threats and Vulnerabilities in Your IT Infrastructure) to these control objectives.
Lab Assessment Questions & Answers
Given the scenario of a healthcare organization, answer the following Lab #1 assessment questions from a risk management perspective:
1. From the identified threats & vulnerabilities from Lab #1 (List At Least 3 and No More than 5), High/Medium/Low Nessus Risk Factor Definitions for Vulnerabilities:
a. Denial of service attack on organization e-mail server – High: An attacker can gain a shell on the remote host or execute arbitrary commands.
b. User destroys data in application and deletes all files – Medium: There's a security hole that can lead to privilege escalation.
c. User downloads an unknown email attachment – Medium: There is a security hole that can lead to privilege escalation.
d. Fire destroys primary data center – High: Total loss of data could be catastrophic to a company.
2. For the above identified threats and vulnerabilities, which of the following COBIT PO9 Risk Management control objectives are affected?
PO9.1 IT Risk Management Framework – Yes
PO9.2 Establishment of Risk Context – Yes
PO9.3 Event Identification – Yes
PO9.4 Risk Assessment – Yes
PO9.5 Risk Response – Yes
PO9.6 Maintenance and Monitoring of a Risk Action Plan – Yes
All of the controls above would be affected.
3. From the identified threats & vulnerabilities from Lab #1 (List At Least 3 and No More than 5), specify whether the threat or vulnerability impacts confidentiality, integrity, or availability (X = impacted):
4. For each of the threats and vulnerabilities from Lab #1 (List at Least 3 and No More than 5) that you have remediated, what must you assess as part of your overall COBIT PO9 risk management approach for your IT infrastructure?
Identify events or threats that may compromise your goals.
Assess on a regular basis the likelihood of the threat recurring.
Develop a cost-effective way to deal with such events.
5. For each of the threats and vulnerabilities from Lab #1 (List at Least 3 and No More than 5), assess the risk impact or risk factor that it has on your organization in the following areas and explain...