security systems

Description

Lab on information security systems and risk management

Unformatted Attachment Preview

Assessment Worksheet
Aligning Risks, Threats, and Vulnerabilities to COBIT P09 Risk Management Controls

Course Name and Number: _____________________________________________________
Student Name: ________________________________________________________________
Instructor Name: ______________________________________________________________
Lab Due Date: ________________________________________________________________

Overview
In this lab, you defined COBIT P09, you described COBIT P09's six control objectives, you explained how the threats and vulnerabilities align to the definition for the assessment and management of risks, and you used COBIT P09 to determine the scope of risk management for an IT infrastructure.

Lab Assessment Questions & Answers
1. What is COBIT P09's purpose?
2. Name three of COBIT's six control objectives.
3. For each of the threats and vulnerabilities from the Identifying Threats and Vulnerabilities in an IT Infrastructure lab in this lab manual (list at least three and no more than five) that you have remediated, what must you assess as part of your overall COBIT P09 risk management approach for your IT infrastructure?
4. True or false: COBIT P09 risk management control objectives focus on assessment and management of IT risk.
5. What is the name of the organization that defined the COBIT P09 Risk Management Framework?
6. Describe three of the COBIT P09 control objectives.
7. Describe three of the COBIT P09.1 IT Risk Management Framework control objectives.

Copyright © 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved. www.jblearning.com Student Lab Manual

Lab #2 Aligning Risks, Threats, and Vulnerabilities to COBIT P09 Risk Management Controls

Introduction
Ask any IT manager about the challenges in conveying IT risks in terms of business risks, or about translating business goals into IT goals. It's a common difficulty, as the worlds of business and IT do not inherently align. This lack of alignment was unresolved until ISACA developed a framework called COBIT, first released in 1996. ISACA is an IT professionals' association centered on auditing and IT governance. This lab will focus on the COBIT framework.

The lab uses the latest two versions: COBIT 4.1, which is currently the most implemented version, and COBIT 5, which is the latest version released in June 2012. Because COBIT 4.1 is freely available at the time of this writing, the lab uses this version to present handling of risk management. Presentation is done making use of a set of COBIT control objectives called P09. COBIT P09's purpose is to guide the scope of risk management for an IT infrastructure. The COBIT P09 risk management controls help organize the identified risks, threats, and vulnerabilities, enabling you to manage and remediate them. This lab will also present how COBIT shifts from the term "control objectives" to a set of principles and enablers in version 5.

In this lab, you will define COBIT P09, you will describe COBIT P09's six control objectives, you will explain how the threats and vulnerabilities align to the definition for the assessment and management of risks, and you will use COBIT P09 to determine the scope of risk management for an IT infrastructure.

Learning Objectives
Upon completing this lab, you will be able to:
• Define what COBIT (Control Objectives for Information and related Technology) P09 risk management is for an IT infrastructure.
• Describe COBIT P09's six control objectives that are used as benchmarks for IT risk assessment and risk management.
• Explain how threats and vulnerabilities align to the COBIT P09 risk management definition for the assessment and management of IT risks.
• Use the COBIT P09 controls as a guide to define the scope of risk management for an IT infrastructure.
• Apply the COBIT P09 controls to help organize the identified IT risks, threats, and vulnerabilities.

Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your instructor:
1. Lab Report file;
2. Lab Assessments file.

Hands-On Steps
This is a paper-based lab.

Note: To successfully complete the deliverables for this lab, you will need access to Microsoft® Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab deliverable files.

1. On your local computer, create the lab deliverable files.
2. Review the Lab Assessment Worksheet. You will find answers to these questions as you proceed through the lab steps.
3. Review the seven domains of a typical IT infrastructure (see Figure 1).

[Figure 1: Seven domains of a typical IT infrastructure]

4. On your local computer, open a new Internet browser window.
5. In the address box of your Internet browser, type the URL http://www.isaca.org/Knowledge-Center/cobit/Pages/FAQ.aspx and press Enter to open the Web site.
6. Review the information on the COBIT FAQs page.

ISACA—45 Years Serving Auditors and Business
ISACA is a global organization that defines the roles of information systems governance, security, auditing, and assurance professionals worldwide. ISACA standardizes a level of understanding of these areas through two well-known certifications, the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM). In recent years, ISACA has expanded its certification offerings to include two other certifications around risk and IT governance. ISACA was previously an acronym expanding to Information Systems Audit and Control Association, but today is known by the name ISACA alone to better serve its wider audience.

Similarly, COBIT was originally an acronym for Control Objectives for Information and related Technology. Now, ISACA refers to the framework as just COBIT, in part because the concept of "control objectives" ends with COBIT version 4.1. COBIT 5 focuses on business-centric concepts and definitions, distinguishes between governance and management, and includes a product family of "enabler guides" and "practice guides." The recent release of COBIT version 5 is a complete break from COBIT 4. In addition, COBIT 5 also incorporates other ISACA products, including Val IT and Risk IT.

7. In your Lab Report file, describe the primary goal of the COBIT v4.1 Framework. Define COBIT.
8. On the left side of the COBIT Web site, click the COBIT 4.1 Controls Collaboration link.
9. At the top of the page, read about the COBIT Controls area within ISACA's Knowledge Center.
10. In your Lab Report file, describe the major objective of the Controls area.
11. Scroll down the Web page to the COBIT Domains and Control Objectives section.
12. Click the Text View tab.
13. In your Lab Report file, list each of the types of control objectives and briefly describe them based on the descriptions on the Web site. Include the following:
• Plan and Organize
• Acquire and Implement
• Monitor and Evaluate
• Delivery and Support
• Process Controls
• Application Controls
14. On the Web site, under the Plan and Organize Control Objective description, click the View all the PO Control Objectives link.
15. Scroll down and find the P09 Control Objectives, which are labeled Assess and Manage IT Risks.

Note: COBIT 5 is not an evolutionary but a revolutionary change. Naturally, risk management is covered, but it is done in a holistic, end-to-end business approach, rather than in an IT-centered approach.

16. Click the P09.1, IT Risk Management Framework link.
17. Scroll down to about the middle of the page to read about the IT Risk Management Framework.
18. Expand the View Value and Risk Drivers and View Control Practices links to learn more.
19. In your Lab Report file, describe what this objective covers.
20. Click the other P09 Control Objectives by first clicking the back button to return to the COBIT Domains and Control Objectives section of the COBIT 4.1 Controls Collaboration page.
21. Click the Text View tab.
22. Click the View all the PO Control Objectives link.
23. Scroll down to the P09 Control Objectives.
24. Finally, click the P09.2, Establishment of Risk Context link.
25. Repeat this set of instructions for each of the other P09 listings.
26. Read about each of these.
27. In your Lab Report file, explain how you use the P09 Control Objectives to organize identified IT risks, threats, and vulnerabilities so you can then manage and remediate the risks, threats, and vulnerabilities in a typical IT infrastructure.

Note: This completes the lab. Close the Web browser, if you have not already done so.

Evaluation Criteria and Rubrics
The following are the evaluation criteria for this lab that students must perform:
1. Define what COBIT (Control Objectives for Information and related Technology) P09 risk management is for an IT infrastructure. – [20%]
2. Describe COBIT P09's six control objectives that are used as benchmarks for IT risk assessment and risk management. – [20%]
3. Explain how threats and vulnerabilities align to the COBIT P09 risk management definition for the assessment and management of IT risks. – [20%]
4. Use the COBIT P09 controls as a guide to define the scope of risk management for an IT infrastructure. – [20%]
5. Apply the COBIT P09 controls to help organize the identified IT risks, threats, and vulnerabilities. – [20%]

Explanation & Answer

Attached.

Security systems
Institution:
Student’s Name:
Instructor’s Name:
Due Date:

1. Purpose of COBIT P09
The purpose of COBIT P09 is to provide guidance in the assessment and management of
risks in an infrastructure for information technology.
2. Three of the six objectives of COBIT include:
a) Plan.
b) Implement.
c) Evaluate.
3. The threats and vulnerabilities encountered in the IT infrastructure include the following:
a) Unauthorized access to software and hardware. Firms and people should devise
effec...
