1.
a. Unauthorized access from public internet – HIGH
b. User destroys data in application and deletes all files – LOW
c. Workstation OS has a known software vulnerability – HIGH
d. Communication circuit outages – MEDIUM
e. User inserts CDs and USB hard drives with personal photos, music and videos on organization-owned computers – MEDIUM
2.
a. PO9.3 Event Identification – Identify threats with potential negative impact on the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects.
b. PO9.4 Risk Assessment – Assess the likelihood and impact of risks, using qualitative and quantitative methods.
c. PO9.5 Risk Response – Develop a response designed to mitigate exposure to each risk; identify risk strategies such as avoidance, reduction and acceptance; determine associated responsibilities; and consider risk tolerance levels.
3.
a. Unauthorized access from public internet – AVAILABILITY
b. User destroys data in application and deletes all files – INTEGRITY
c. Workstation OS has a known software vulnerability – CONFIDENTIALITY
d. Communication circuit outages – AVAILABILITY
e. User inserts CDs and USB hard drives with personal photos, music and videos on organization-owned computers – INTEGRITY
4.
a. Unauthorized access from public internet – Keep the operating system and software patched and updated, change passwords often, and use a hardware or software firewall.
b. User destroys data in application and deletes all files – Restrict access for users to only those systems, applications, and data needed to perform their jobs. Minimize write/delete permissions to the data owner only.
c. Workstation OS has a known software vulnerability – Define a workstation application software vulnerability window policy. Update application software and security patches according to defined policies, standards, procedures, and guidelines.
d. Communication circuit outages – The role of countermeasures against catastrophic failures is not to eliminate them, which is impossible, but to reduce their frequency and severity.
e. User inserts CDs and USB hard drives with personal photos, music and videos on organization-owned computers – Disable internal CD drives and USB ports. Enable automatic antivirus scans for inserted media drives, files and e-mail attachments. An antivirus scanning system examines all new files on the computer’s hard drive for viruses. Set up antivirus scanning for e-mails with attachments.
The Risk Management Process
a. Step 1 Identify the hazards
b. Step 2 Decide who might be harmed and how
c. Step 3 Evaluate the risks and decide on precautions
d. Step 4 Record your findings and implement them
e. Step 5 Review your assessment and update if necessary
5.
a. Threat or Vulnerability #1:
* Information – Social engineering / install web filtering software.
* Application – Malicious and non-malicious threats consist of inside attacks by disgruntled or malicious employees and outside attacks by non-employees just looking to harm and disrupt an organization / computer security, software quality, and data quality programs.
* Infrastructure – Terrorist organizations, both foreign and domestic / natural forces such as time, weather and neglect.
* People – Careless employees / educating users
b. Threat or Vulnerability #2:
* Information – Intentional/unintentional action / battery backup/generator, journaling file system and RAID storage
* Application – Software bugs / malicious act, antivirus protection and network firewalls
* Infrastructure – Power failure, hardware failure / security fixes and system patches
* People – Malicious act / educating users
c. Threat or Vulnerability #3:
* Information – Zero-hour or day-zero / zero-day protection, Secure Socket Layer (SSL)
* Application – Keeping the computer’s software up to date
* Infrastructure – Malicious software / analyze, test, report and mitigate.
* People – Careless employees / educating users
6. True or False – COBIT P09 Risk Management control objectives focus on assessment and management of IT risk.
7. Why is it important to address each identified threat or vulnerability from a C-I-A perspective?
8. When assessing the risk impact a threat or vulnerability has on your “information” assets, why must you align this assessment with your Data Classification Standard? How can a Data Classification Standard help you assess the risk impact on your “information” assets?
9. When assessing the risk impact a threat or vulnerability has on your “application” and “infrastructure”, why must you align this assessment with both a server and application software vulnerability assessment and remediation plan?
10. When assessing the risk impact a threat or vulnerability has on your “people”, we are concerned with users and employees within the User Domain as well as the IT security practitioners who must implement the risk mitigation steps identified.
How can you communicate to your end-user community that a security threat or vulnerability has been identified for a production system or application? How can you prioritize risk remediation tasks?
11. What is the purpose of using the COBIT risk management framework and approach? Assess the likelihood and impact of risks, using qualitative and quantitative methods.
12. What is the difference between effectiveness versus efficiency when assessing risk and risk management? Effectiveness is carrying out the instructions of a specific job, while efficiency is carrying them out in less time and at lower cost. It is said that effectiveness is doing the right things and efficiency is doing things right.
13. Which three of the seven focus areas pertaining to IT risk management are primary focus areas of risk assessment and risk management and directly relate to information system security?
14. Why is it important to assess risk impact from four different perspectives as part of the COBIT P09 Framework? It assigns responsibility.
15. What is the name of the organization who defined the COBIT P09 Risk Management Framework Definition? Information Systems Audit and Control Association (ISACA).