06 May # Lab 2
10
Introduction
Ask any IT manager about the challenges in conveying IT risks in terms of business risks, or
about translating business goals into IT goals. It’s a common difficulty, as the worlds of business
and IT do not inherently align. This lack of alignment was unresolved until ISACA developed a
framework called COBIT, first released in 1996. ISACA is an IT professionals’ association
centered on auditing and IT governance. This lab will focus on the COBIT framework. The lab
uses the latest two versions: COBIT 4.1, which is currently the most implemented version, and
COBIT 5, which is the latest version released in June 2012.
Because COBIT 4.1 is freely available at the time of this writing, the lab uses this version to
present handling of risk management. Presentation is done making use of a set of COBIT control
objectives called P09. COBIT P09’s purpose is to guide the scope of risk management for an IT
infrastructure. The COBIT P09 risk management controls help organize the identified risks,
threats, and vulnerabilities, enabling you to manage and remediate them. This lab will also
present how COBIT shifts from the term “control objectives” to a set of principles and enablers
in version 5.
In this lab, you will define COBIT P09, you will describe COBIT P09’s six control objectives,
you will explain how the threats and vulnerabilities align to the definition for the assessment and
management of risks, and you will use COBIT P09 to determine the scope of risk management
for an IT infrastructure.
Learning Objectives
Upon completing this lab, you will be able to:
Define what COBIT (Control Objectives for Information and related Technology) P09 risk
management is for an IT infrastructure.
Describe COBIT P09’s six control objectives that are used as benchmarks for IT risk
assessment and risk management.
Explain how threats and vulnerabilities align to the COBIT P09 risk management definition
for the assessment and management of IT risks.
Use the COBIT P09 controls as a guide to define the scope of risk management for an IT
infrastructure.
Apply the COBIT P09 controls to help organize the identified IT risks, threats, and
vulnerabilities.
Lab #2 Aligning Risks, Threats, and Vulnerabilities to COBIT P09 Risk Management Controls
11
Copyright © 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com Student Lab Manual
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. Lab Report file; 2. Lab Assessments file.
12 | LAB #2 Aligning Risks, Threats, and Vulnerabilities to COBIT P09 Risk Management Controls
Hands-On Steps
Note: This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to Microsoft® Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab deliverable files.
1. On your local computer, create the lab deliverable files.
2. Review the Lab Assessment Worksheet. You will find answers to these questions as you proceed through the lab steps.
3. Review the seven domains of a typical IT infrastructure (see Figure 1).
Figure 1 Seven domains of a typical IT infrastructure
4. On your local computer, open a new Internet browser window.
5. In the address box of your Internet browser, type the URL http://www.isaca.org/Knowledge-Center/cobit/Pages/FAQ.aspx and press Enter to open the Web site.
6. Review the information on the COBIT FAQs page.
13
Copyright © 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com Student Lab Manual
ISACA—45 Years Serving Auditors and Business ISACA is a global organization that defines the roles of information systems governance, security, auditing, and assurance professionals worldwide. ISACA standardizes a level of understanding of these areas through two well- known certifications, the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM). In recent years, ISACA has expanded its certification offerings to include two other certifications around risk and IT governance.
ISACA was previously an acronym expanding to Information Systems Audit and Control Association, but today is known by the name ISACA alone to better serve its wider audience.
Similarly, COBIT was originally an acronym for Control Objectives for Information and related Technology. Now, ISACA refers to the framework as just COBIT, in part because the concept of “control objectives” ends with COBIT version 4.1. COBIT 5 focuses on business-centric concepts and definitions, distinguishes between governance and management, and includes a product family of “enabler guides” and “practice guides.” The recent release of COBIT version 5 is a complete break from COBIT 4. In addition, COBIT 5 also incorporates other ISACA products, including Val IT and Risk IT.
7. In your Lab Report file, describe the primary goal of the COBIT v4.1 Framework. Define COBIT.
8. On the left side of the COBIT Web site, click the COBIT 4.1 Controls Collaboration link.
9. At the top of the page, read about the COBIT Controls area within ISACA’s Knowledge Center.
10. In your Lab Report file, describe the major objective of the Controls area.
11. Scroll down the Web page to the COBIT Domains and Control Objectives section.
12. Click the Text View tab.
13. In your Lab Report file, list each of the types of control objectives and briefly describe them based on the descriptions on the Web site. Include the following:
Plan and Organize
Acquire and Implement
Monitor and Evaluate
Delivery and Support
Process Controls
Application Controls
14. On the Web site, under the Plan and Organize Control Objective description, click the View all the PO Control Objectives link.
14 | LAB #2 Aligning Risks, Threats, and Vulnerabilities to COBIT P09 Risk Management Controls
15. Scroll down and find the P09 Control Objectives, which are labeled Assess and Manage IT Risks.
Note: COBIT 5 is not an evolutionary but a revolutionary change. Naturally, risk management is covered, but it is done in a holistic, end-to-end business approach, rather than in an IT-centered approach.
16. Click the P09.1, IT Risk Management Framework link.
17. Scroll down to about the middle of the page to read about the IT Risk Management Framework.
18. Expand the View value and Risk Drivers and View Control Practices links to learn more.
19. In your Lab Report file, describe what this objective covers.
20. Click the other P09 Control Objectives by first clicking the back button to return to the COBIT Domains and Control Objectives section of the COBIT 4.1 Controls
Collaboration page.
21. Click the Text View tab.
22. Click the View all the PO Control Objectives link.
23. Scroll down to the P09 Control Objectives.
24. Finally, click the P09.2, Establishment of Risk Context link.
25. Repeat this set of instructions for each of the other P09 listings.
26. Read about each of these.
27. In your Lab Report file, explain how you use the P09 Control Objectives to organize identified IT risks, threats, and vulnerabilities so you can then manage and remediate the
risks, threats, and vulnerabilities in a typical IT infrastructure.
Note: This completes the lab. Close the Web browser, if you have not already done so.
15
Copyright © 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com Student Lab Manual
Evaluation Criteria and Rubrics
The following are the evaluation criteria for this lab that students must perform:
1. Define what COBIT (Control Objectives for Information and related Technology) P09 risk management is for an IT infrastructure. – [20%]
2. Describe COBIT P09’s six control objectives that are used as benchmarks for IT risk assessment and risk management. – [20%]
3. Explain how threats and vulnerabilities align to the COBIT P09 risk management definition for the assessment and management of IT risks. – [20%]
4. Use the COBIT P09 controls as a guide to define the scope of risk management for an IT infrastructure. – [20%]
5. Apply the COBIT P09 controls to help organize the identified IT risks, threats, and vulnerabilities. – [20%]
Our website has a team of professional writers who can help you write any of your homework. They will write your papers from scratch. We also have a team of editors just to make sure all papers are of HIGH QUALITY & PLAGIARISM FREE. To make an Order you only need to click Ask A Question and we will direct you to our Order Page at WriteDemy. Then fill Our Order Form with all your assignment instructions. Select your deadline and pay for your paper. You will get it few hours before your set deadline.
Fill in all the assignment paper details that are required in the order form with the standard information being the page count, deadline, academic level and type of paper. It is advisable to have this information at hand so that you can quickly fill in the necessary information needed in the form for the essay writer to be immediately assigned to your writing project. Make payment for the custom essay order to enable us to assign a suitable writer to your order. Payments are made through Paypal on a secured billing page. Finally, sit back and relax.
About Writedemy
We are a professional paper writing website. If you have searched a question and bumped into our website just know you are in the right place to get help in your coursework. We offer HIGH QUALITY & PLAGIARISM FREE Papers.
How It Works
To make an Order you only need to click on “Order Now” and we will direct you to our Order Page. Fill Our Order Form with all your assignment instructions. Select your deadline and pay for your paper. You will get it few hours before your set deadline.
Are there Discounts?
All new clients are eligible for 20% off in their first Order. Our payment method is safe and secure.