Elizabeth Yanez CSS250 Lab02

June 23, 2017 | Author: Elizabeth Yanez | Category: Information Security, Computer Networks, Computer Security


Description

Assessment Worksheet
Aligning Risks, Threats, and Vulnerabilities to COBIT P09 Risk Management Controls

Course Name and Number: CSS 250 Security Risk Management
Student Name: Elizabeth Yanez
Instructor Name: Cheryl Garvin
Lab Due Date: 10/12/2015

Overview

In this lab, you defined COBIT P09, you described COBIT P09's six control objectives, you explained how the threats and vulnerabilities align to the definition for the assessment and management of risks, and you used COBIT P09 to determine the scope of risk management for an IT infrastructure.

Lab Assessment Questions & Answers

1. What is COBIT P09's purpose? COBIT P09's purpose is to guide the scope of risk management for an IT infrastructure. The COBIT P09 risk management controls help organize the identified risks, threats, and vulnerabilities, enabling you to manage and remediate them.

2. Name three of COBIT’s six control objectives. 1. Plan and Organize; 2. Acquire and Implement; 3. Monitor and Evaluate

3. For each of the threats and vulnerabilities from the Identifying Threats and Vulnerabilities in an IT Infrastructure lab in this lab manual (list at least three and no more than five) that you have remediated, what must you assess as part of your overall COBIT P09 risk management approach for your IT infrastructure? Effectiveness, Efficiency, Compliance & Reliability

4. True or false: COBIT P09 risk management control objectives focus on assessment and management of IT risk. True


5. What is the name of the organization that defined the COBIT P09 Risk Management Framework? ISACA

6. Describe three of the COBIT P09 control objectives.

Plan and Organize (PO) - PO1 - PO10: This domain covers strategy and tactics; it concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realization of the strategic vision needs to be planned, communicated and managed from different perspectives. A proper organization as well as a technological infrastructure should be put in place.

Acquire and Implement (AI) - AI1 - AI7: To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. Additionally, changes in and maintenance of existing systems are covered by this domain to make sure the solutions continue to meet business objectives.

Monitor and Evaluate (ME) - ME1 - ME4: All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses performance management, monitoring of internal control, regulatory compliance and governance.

7. Describe three of the COBIT P09.1 IT Risk Management Framework control objectives.

The framework documents a common and agreed-upon level of IT risks, mitigation strategies and residual risks. Any potential impact on the goals of the organization caused by an unplanned event is identified, analyzed and assessed. Risk mitigation strategies are adopted to minimize residual risk to an accepted level.

Copyright © 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.

www.jblearning.com

Student Lab Manual
