Week 2: Aligning Risks, Threats, and Vulnerabilities to COBIT P09 Risk Management Controls
Lab #2 Lab Report File: Risk Management – IS355
Sherry Best, Nicole Goodyear
January 23, 2018

Describe the primary goal of the COBIT v4.1 framework. Define COBIT.

The purpose of COBIT is to provide management and business process owners with an information technology (IT) governance model that helps deliver value from IT while understanding and managing the risks associated with IT. COBIT also bridges the gaps between control requirements, business risk, and technical issues. It is a control model that meets the needs of IT governance and helps ensure the integrity of information and information systems by setting out good practices for IT control within an organization.
Process Controls (PC): each COBIT process has generic control requirements, identified as PCn, where n is the process control number. They should be considered together with the process control objectives to obtain a complete view of the control requirements.

6. Application Controls (AC): COBIT assumes that the design and implementation of automated application controls is the responsibility of IT, which is covered in the Acquire and Implement domain, based on business requirements defined using COBIT's information criteria. The COBIT IT processes cover general IT controls, but only the development aspects of application controls.

View the value and risk drivers, and describe what these cover.

The value and risk drivers provide the basis for achieving the control objectives and therefore for realizing and supporting risk management. Value drivers can be read as examples of the business benefits expected from adequate control coverage, whereas risk drivers can be read as examples of the risks to be avoided or handled.

In your Lab Report file, explain how you use the P09 Control Objectives to organize identified IT risks, threats, and vulnerabilities so you can then manage and remediate the risks, threats, and vulnerabilities in a typical infrastructure.
For each of the threats and vulnerabilities from the Identifying Threats and Vulnerabilities in an IT Infrastructure lab in this lab manual (list at least three and no more than five) that you have remediated, what must you assess as part of your overall COBIT P09 risk management approach for your IT infrastructure?

Denial of service attack: close unneeded ports and change the passwords. (Closing exposed ports and rotating credentials reduce the attack surface, but a volumetric denial of service also needs capacity planning and upstream filtering, so the residual risk after this remediation must still be assessed.)

Loss of production data: back up the data and restore it from the most recent known-good point.

Unauthorized workstation access: implement a policy requiring employees to change their passwords every sixty days and to set a screen lock when they step away from their workstation.

4. True or false: COBIT P09 risk management control objectives focus on the assessment and management of IT risk. True

5. What is the name of the organization that defined the COBIT P09 Risk Management Framework? Information Systems Audit and Control Association (ISACA).

6. Describe three of the COBIT P09 control objectives.
• Plan and Organize is the domain that deals with strategy and tactics and concerns identifying the way information technology can best contribute to the accomplishment of the business
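As an added example (not part of the lab report), the following Python risk register shows one way to organize the three remediated threats above under the COBIT 4.1 PO9 control objectives PO9.4 Risk Assessment and PO9.5 Risk Response: each threat is scored before and after its remediation, and the residual score decides whether the risk can be accepted or still needs treatment. The 1-5 rating scales, the scores assigned to each threat, the asset names and the risk appetite threshold are assumptions chosen for illustration, not values from the lab.

```python
"""Added example (not part of the lab report): a small COBIT 4.1 PO9 risk register.

It organizes the three remediated threats above under PO9.4 Risk Assessment
(score inherent and residual risk) and PO9.5 Risk Response (decide whether the
residual risk can be accepted or needs further treatment). The 1-5 rating
scales, the scores given to each threat and the risk appetite threshold are
assumptions chosen for illustration, not values from the lab.
"""
from dataclasses import dataclass

# Assumed qualitative scales (PO9.2 sets the context; a real register uses the
# organization's own scales and appetite).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 6  # assumed: a residual score above this cannot simply be accepted


@dataclass(frozen=True)
class RiskEntry:
    threat: str
    asset: str
    inherent: tuple  # (likelihood, impact) before any control is applied
    remediation: str
    residual: tuple  # (likelihood, impact) estimated after the remediation


def score(likelihood: str, impact: str) -> int:
    """Risk score = likelihood x impact on the 1-5 scales (max 25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def assess(entry: RiskEntry) -> dict:
    """PO9.4 Risk Assessment: score one entry before and after remediation."""
    inherent = score(*entry.inherent)
    residual = score(*entry.residual)
    if residual > inherent:
        # A control cannot raise risk; this catches a data-entry error in the register.
        raise ValueError(f"{entry.threat}: residual score {residual} exceeds inherent {inherent}")
    return {
        "threat": entry.threat,
        "asset": entry.asset,
        "inherent": inherent,
        "residual": residual,
        "reduction": inherent - residual,
        "remediation": entry.remediation,
    }


def respond(assessment: dict) -> str:
    """PO9.5 Risk Response: accept residual risk within appetite, otherwise keep treating it."""
    if assessment["residual"] <= RISK_APPETITE:
        return "accept"          # then monitor it under PO9.6 (maintenance of the risk action plan)
    return "reduce further"      # remediation alone is not enough; add or strengthen controls


def build_register(entries) -> list:
    """Assess every entry, attach a response and order by residual risk (highest first)."""
    rows = [assess(e) for e in entries]
    for row in rows:
        row["response"] = respond(row)
    rows.sort(key=lambda r: r["residual"], reverse=True)
    return rows


# Constructed sample entries based on the three remediations above; all scores are assumptions.
SAMPLE_ENTRIES = [
    RiskEntry("Denial of service attack", "internet-facing web server",
              ("likely", "major"), "close unneeded ports and change passwords",
              ("possible", "major")),
    RiskEntry("Loss of production data", "production database",
              ("possible", "severe"), "back up data and restore from last known-good point",
              ("unlikely", "moderate")),
    RiskEntry("Unauthorized workstation access", "employee workstations",
              ("likely", "moderate"), "60-day password rotation and screen lock policy",
              ("unlikely", "moderate")),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ENTRIES):
        print(f"{row['threat']:32} inherent={row['inherent']:2} residual={row['residual']:2} -> {row['response']}")
```

With the assumed scores, the denial-of-service entry still scores 12 after closing ports and changing passwords, so the register marks it "reduce further"; the other two fall within the assumed appetite and are accepted and monitored. The point of the structure is that the answer to "what must you assess" is the residual likelihood and impact after each remediation, not only whether a remediation was applied.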
What is a process control block, and what is it used for? A process control block (PCB) is a data structure containing information about an active process. The PCB stores the information collected about a process and allows the OS to locate key information about it, such as its name, state, allocated resources, scheduling information, process ID, and the input/output devices it uses.
Executives should work towards minimizing those activities that inhibit alignment and maximizing those activities that bolster it (Luftman & Brier, 1999) (as cited in Hsin Yien Laxamana, Discussion 1, 11:43 PM). Alignment is not a one-time event; it is a behavior that needs to be developed, cultivated, and sustained. My role as the CIO would be to ensure the long-term development of alignment behavior, assess the company's alignment maturity, and realign the IT department as necessary to maintain
The FISMA act places great importance on risk-based rules that help define cost-effective security solutions for the organization. FISMA should be implemented with the help of senior security officials, the chief information security officer and the security director, who conduct annual reviews of the organization's information security program and report their findings to management. Management uses this data to identify security gaps and apply the proper security measures to make the organization compliant. It's
As a member of the Homeland Security Assessment Team for our organization, we will attempt to build a program that will allow us to meet the goals of our business plan as well as the needs of the Homeland Security Assessment that we will create from the results of our evaluation of our organization (Fisher, 2004). We will utilize the Baldrige Criteria to combine the two goal-seeking areas: our business plan and the Homeland Security Assessment goals that we identified at the conclusion of our Homeland Security Assessment. When we take our Baldrige Criteria measurements of our organization, we will be able to determine the areas in which our organization is already protected from weaknesses and vulnerabilities, and will be able
Empowerment and accountability mean taking responsibility for your own actions and acting as an expert in the industry. The last value is agility, meaning to challenge each other and keep an open mind (Grainger, About Us, 2015). W. W. Grainger uses these values as a road map to
• take advantage of information technology to further corporate gains.
• achieve operational excellence by making use of technology.
• make sure that the risks around computing are monitored correctly.
• make the best use of the IT that has been heavily invested in.
• remain compliant with contracts, regulations and other applicable laws.
Based on benchmarking of the team, what are the key components to consider for your organization in a homeland security assessment? Why? I think that before we go into this question it is imperative that a definition of benchmark be given. A simple definition is this: to benchmark is to compare performance against a standard (Azevedo, Newman, & Pungiluppi, 2010).
• Deployment of an intrusion detection system (IDS): as Carasik and Shinder (2003) put it, an Intrusion Detection System (IDS) is the high-tech equivalent of a burglar alarm, one configured to monitor access points, hostile activities, and known intruders. Even though there was a firewall in the network architecture, a network intrusion detection device detects unauthorized traffic that the firewall allowed through to the network hosts; an IDS alerts rather than blocks, so stopping that traffic requires a firewall rule change or an intrusion prevention system (IPS).
• Establishing an information security management system (ISMS): according to Iso.org (2014), an ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.
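As an added example (not part of the essay or of any IDS product it cites), the following Python script shows the burglar-alarm analogy as detection logic: it watches access points (sensitive ports reached from outside the internal network), hostile activity (one source touching many ports on one host, a port scan) and known intruders (a blocklist), over firewall log lines that were allowed through. The log format, the addresses, the blocklist, the monitored ports and the scan threshold are all assumptions; the log lines are constructed and use RFC 5737 documentation ranges, not real hosts.

```python
"""Added example (not part of the essay): a toy network intrusion detection pass.

It implements the three things the burglar-alarm analogy lists, run over
constructed firewall log lines: watching access points (sensitive ports reached
from outside), hostile activity (a port scan) and known intruders (a blocklist).
The log format, addresses, port list and thresholds are assumptions; the
addresses come from documentation ranges (RFC 5737) and are not real hosts.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> action=ALLOW|DENY"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

KNOWN_INTRUDERS = {"198.51.100.77"}                 # assumed blocklist of known intruders
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space
MONITORED_PORTS = {23: "telnet", 3389: "rdp"}       # assumed "access points" to watch
SCAN_THRESHOLD = 5  # distinct destination ports from one source to one host


def parse(line: str):
    """Return a dict for a well-formed line, or None for anything else (never raise on junk)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    try:
        ipaddress.ip_address(ev["src"])
        ipaddress.ip_address(ev["dst"])
    except ValueError:
        return None  # matched the shape but the addresses are not valid IPs
    ev["dport"] = int(ev["dport"])
    return ev


def detect(lines):
    """Run the three detections over the log and return alerts in the order they fire."""
    alerts = []
    ports_seen = defaultdict(set)  # (src, dst) -> distinct destination ports
    for line in lines:
        ev = parse(line)
        if ev is None or ev["action"] != "ALLOW":
            continue  # malformed, or the firewall already dropped it; the IDS watches what got through
        src, dst, dport = ev["src"], ev["dst"], ev["dport"]
        if src in KNOWN_INTRUDERS:
            alerts.append({"rule": "known_intruder", "src": src,
                           "detail": f"blocklisted source reached {dst}:{dport}"})
        if dport in MONITORED_PORTS and ipaddress.ip_address(src) not in INTERNAL_NET:
            alerts.append({"rule": "monitored_access_point", "src": src,
                           "detail": f"external {MONITORED_PORTS[dport]} access to {dst}"})
        ports_seen[(src, dst)].add(dport)
        if len(ports_seen[(src, dst)]) == SCAN_THRESHOLD:  # fire once, when the threshold is crossed
            alerts.append({"rule": "port_scan", "src": src,
                           "detail": f"{SCAN_THRESHOLD} distinct ports on {dst}"})
    return alerts


# Constructed sample log (not captured traffic).
SAMPLE_LOG = [
    "2018-01-23T10:15:01 src=203.0.113.5 dst=10.0.0.12 dport=21 action=ALLOW",
    "2018-01-23T10:15:02 src=203.0.113.5 dst=10.0.0.12 dport=22 action=ALLOW",
    "2018-01-23T10:15:03 src=203.0.113.5 dst=10.0.0.12 dport=23 action=ALLOW",
    "2018-01-23T10:15:04 src=203.0.113.5 dst=10.0.0.12 dport=25 action=ALLOW",
    "2018-01-23T10:15:05 src=203.0.113.5 dst=10.0.0.12 dport=80 action=ALLOW",
    "2018-01-23T10:15:06 src=203.0.113.5 dst=10.0.0.12 dport=443 action=ALLOW",
    "2018-01-23T10:15:07 src=198.51.100.77 dst=10.0.0.20 dport=443 action=ALLOW",
    "2018-01-23T10:15:08 src=198.51.100.77 dst=10.0.0.20 dport=22 action=DENY",
    "2018-01-23T10:15:09 src=192.0.2.10 dst=10.0.0.30 dport=443 action=ALLOW",
    "2018-01-23T10:15:10 src=10.0.1.4 dst=10.0.0.30 dport=3389 action=ALLOW",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert['rule']}] {alert['src']}: {alert['detail']}")
```

On the constructed log this raises three alerts: the external host reaching telnet on 10.0.0.12, the same host crossing the port-scan threshold, and the blocklisted source reaching 10.0.0.20. Note what it does not do: the DENY line is skipped because the firewall already handled it, and the RDP connection from 10.0.1.4 is ignored because it comes from the internal network; the script only reports, it never blocks, which is the IDS/IPS distinction the paragraph above turns on.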
We have many weaknesses in our IT department that can compromise our company and our customers' records. These are the key weaknesses and inefficiencies that need to be addressed by you, Chris: separation of duties, mandatory vacations, job rotation policies, agreements with vendors (including the handling of passwords and other login information), and IT confidentiality agreements. To address this issue, this executive summary outlines a plan to improve the IT department. The plan will focus on improving the IT department's processes and procedures. This includes streamlining existing processes, implementing new technologies, and training staff on the latest technologies and best
o Develop and implement incident response plans to ensure business continuity in the event of a security incident.
o Facilitate security audits and compliance assessments, ensuring compliance with industry standards such as SOC 2 and PCI.
o Maintain and update security policies, procedures, and documentation to ensure adherence to regulatory
There are many different types of IT problems that an organization will have to address, but it is important to note that an effective security plan starts with the management team. The management team has to be committed to developing a workforce trained to handle different types of security threats. The process starts with management developing a strong security policy that explains why security is important, provides guidelines for meeting industry standards and complying with government regulations, and states clearly what will happen when an employee does not comply with the policy. Management should also appoint a central leader who provides command and control for all of the security requirements listed in
1.2.3 Strategies
• Review IT organizational structure
• Review IT policies and
The purpose of this publication is to provide guidance for conducting risk assessments of federal information systems and organizations. In addition to identifying the steps in the risk assessment process, it provides guidance on identifying the risk factors to monitor and the courses of action that should be taken. Risk assessments give senior leaders and executives the information needed to determine appropriate courses of action in response to identified risks. The target audience includes individuals with responsibilities for oversight of risk management; organizational missions and business functions; acquisition of information technology products, services, or information systems; information system and security design, development, and implementation;
· Ensuring that the IT infrastructure guarantees the availability and reliability of the available
It is worth noting that IT governance mechanisms such as IT organizational structure, governance committees, and approval and budgeting processes (Weill, 2004) can be found in every enterprise. The difference is that enterprises with effective, proactive governance also have active IT governance mechanisms in place that fit appropriate behavioural patterns to the organization's goals, strategy, values, norms, mission, and culture, making the whole successful. From the above description of IT governance, one can therefore pin-point the key issues related to effective IT governance mechanisms, highlighted in Galliers & Leidner, chapter 12 (2009, pp. 303-4), by Weill (2004), as explained below: