Assessment Worksheet
Aligning Risks, Threats, and Vulnerabilities to COBIT P09 Risk
Management Controls
Course Name and Number: _____________________________________________________
Student Name: ________________________________________________________________
Instructor Name: ______________________________________________________________
Lab Due Date: ________________________________________________________________
Overview
In this lab, you defined COBIT P09, you described COBIT P09’s six control objectives, you
explained how the threats and vulnerabilities align to the definition for the assessment and
management of risks, and you used COBIT P09 to determine the scope of risk management for
an IT infrastructure.
Lab Assessment Questions & Answers
1. What is COBIT P09’s purpose?
2. Name three of COBIT P09’s six control objectives.
3. For each of the threats and vulnerabilities from the Identifying Threats and Vulnerabilities in an
IT Infrastructure lab in this lab manual (list at least three and no more than five) that you have
remediated, what must you assess as part of your overall COBIT P09 risk management approach
for your IT infrastructure?
4. True or false: COBIT P09 risk management control objectives focus on assessment and
management of IT risk.
5. What is the name of the organization that defined the COBIT P09 Risk Management Framework?
6. Describe three of the COBIT P09 control objectives.
7. Describe three of the COBIT P09.1 IT Risk Management Framework control objectives.
Copyright © 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com
Student Lab Manual
Lab #2 Aligning Risks, Threats, and Vulnerabilities to COBIT P09 Risk Management Controls
Introduction
Ask any IT manager about the challenges in conveying IT risks in terms of business risks, or about translating business goals into IT goals. It’s a common difficulty, as the worlds of business and IT do not inherently align. This lack of alignment remained largely unaddressed until ISACA developed a framework called COBIT, first released in 1996. ISACA is an IT professionals’ association centered on auditing and IT governance. This lab will focus on the COBIT framework. The lab uses the latest two versions: COBIT 4.1, which is currently the most implemented version, and COBIT 5, which is the latest version, released in June 2012.
Because COBIT 4.1 is freely available at the time of this writing, the lab uses this version to present the handling of risk management, working from the set of COBIT control objectives called P09. COBIT P09’s purpose is to guide the scope of risk management for an IT infrastructure. The COBIT P09 risk management controls help organize the identified risks, threats, and vulnerabilities, enabling you to manage and remediate them. This lab will also present how COBIT shifts from the term “control objectives” to a set of principles and enablers in version 5.
In this lab, you will define COBIT P09, you will describe COBIT P09’s six control objectives,
you will explain how the threats and vulnerabilities align to the definition for the assessment and
management of risks, and you will use COBIT P09 to determine the scope of risk management
for an IT infrastructure.
Learning Objectives
Upon completing this lab, you will be able to:
• Define what COBIT (Control Objectives for Information and related Technology) P09 risk management is for an IT infrastructure.
• Describe COBIT P09’s six control objectives that are used as benchmarks for IT risk
assessment and risk management.
• Explain how threats and vulnerabilities align to the COBIT P09 risk management definition for the assessment and management of IT risks.
• Use the COBIT P09 controls as a guide to define the scope of risk management for an IT infrastructure.
• Apply the COBIT P09 controls to help organize the identified IT risks, threats, and
vulnerabilities.
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your instructor:
1. Lab Report file;
2. Lab Assessments file.
Hands-On Steps
Note: This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to Microsoft® Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab deliverable files.
1. On your local computer, create the lab deliverable files.
2. Review the Lab Assessment Worksheet. You will find answers to these questions as you
proceed through the lab steps.
3. Review the seven domains of a typical IT infrastructure (see Figure 1).
Figure 1 Seven domains of a typical IT infrastructure
4. On your local computer, open a new Internet browser window.
5. In the address box of your Internet browser, type the URL
http://www.isaca.org/Knowledge-Center/cobit/Pages/FAQ.aspx and press Enter to open the
Web site.
6. Review the information on the COBIT FAQs page.
ISACA—45 Years Serving Auditors and Business
ISACA is a global organization that defines the roles of information systems governance, security, auditing, and assurance professionals worldwide. ISACA standardizes a level of understanding of these areas through two well-known certifications, the Certified Information Systems Auditor (CISA) and the Certified Information Security Manager (CISM). In recent years, ISACA has expanded its certification offerings to include two other certifications around risk and IT governance (CRISC and CGEIT).
ISACA was previously an acronym expanding to Information Systems Audit and Control Association, but today it is known by the name ISACA alone to better serve its wider audience.
Similarly, COBIT was originally an acronym for Control Objectives for Information and related Technology. Now, ISACA refers to the framework as just COBIT, in part because the concept of “control objectives” ends with COBIT version 4.1. COBIT 5 focuses on business-centric concepts and definitions, distinguishes between governance and management, and includes a product family of “enabler guides” and “practice guides.” The recent release of COBIT version 5 is a complete break from COBIT 4. In addition, COBIT 5 also incorporates other ISACA products, including Val IT and Risk IT.
7. In your Lab Report file, describe the primary goal of the COBIT v4.1 Framework. Define COBIT.
8. On the left side of the COBIT Web site, click the COBIT 4.1 Controls Collaboration link.
9. At the top of the page, read about the COBIT Controls area within ISACA’s Knowledge
Center.
10. In your Lab Report file, describe the major objective of the Controls area.
11. Scroll down the Web page to the COBIT Domains and Control Objectives section.
12. Click the Text View tab.
13. In your Lab Report file, list each of the types of control objectives and briefly describe them based on the descriptions on the Web site. Include the following:
• Plan and Organize
• Acquire and Implement
• Delivery and Support
• Monitor and Evaluate
• Process Controls
• Application Controls
14. On the Web site, under the Plan and Organize Control Objective description, click the View all the PO Control Objectives link.
15. Scroll down and find the P09 Control Objectives, which are labeled Assess and Manage
IT Risks.
Note: COBIT 5 is not an evolutionary but a revolutionary change. Naturally, risk management is covered, but it is done in a holistic, end-to-end business approach, rather than in an IT-centered approach.
16. Click the P09.1, IT Risk Management Framework link.
17. Scroll down to about the middle of the page to read about the IT Risk Management
Framework.
18. Expand the View value and Risk Drivers and View Control Practices links to learn more.
19. In your Lab Report file, describe what this objective covers.
20. Click the other P09 Control Objectives by first clicking the back button to return to the
COBIT Domains and Control Objectives section of the COBIT 4.1 Controls
Collaboration page.
21. Click the Text View tab.
22. Click the View all the PO Control Objectives link.
23. Scroll down to the P09 Control Objectives.
24. Finally, click the P09.2, Establishment of Risk Context link.
25. Repeat this set of instructions for each of the other P09 listings.
26. Read about each of these.
27. In your Lab Report file, explain how you use the P09 Control Objectives to organize identified IT risks, threats, and vulnerabilities so you can then manage and remediate the risks, threats, and vulnerabilities in a typical IT infrastructure.
Note: This completes the lab. Close the Web browser, if you have not already done so.
Evaluation Criteria and Rubrics
The following are the evaluation criteria for this lab that students must perform:
1. Define what COBIT (Control Objectives for Information and related Technology) P09
risk management is for an IT infrastructure. – [20%]
2. Describe COBIT P09’s six control objectives that are used as benchmarks for IT risk assessment and risk management. – [20%]
3. Explain how threats and vulnerabilities align to the COBIT P09 risk management definition for the assessment and management of IT risks. – [20%]
4. Use the COBIT P09 controls as a guide to define the scope of risk management for an IT
infrastructure. – [20%]
5. Apply the COBIT P09 controls to help organize the identified IT risks, threats, and vulnerabilities. – [20%]