Sunday, September 15, 2019
Align Risk, Threats, & Vulnerabilities Essay
a. Unauthorized access from public internet ââ¬â HIGH b. User destroys data in application and deletes all files ââ¬â LOW c. Workstation OS has a known software vulnerability ââ¬â HIGH d. Communication circuit outages ââ¬â MEDIUM e. User inserts CDââ¬â¢s and USB hard drives with personal photos, music and videos on organization owned computers ââ¬â MEDIUM 2. a. PO9.3 Event Identification ââ¬â Identify threats with potential negative impact on the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects. b. PO9.4 Risk Assessment ââ¬â Assess the likelihood and impact of risks, using qualitative and quantitative methods. c. PO9.5 Risk Response ââ¬â Develop a response designed to mitigate exposure to each risk ââ¬â Identify risk strategies such as avoidance, reduction, acceptance ââ¬â determine associated responsibilities; and consider risk tolerance levels. a. Unauthorized access from public internet ââ¬â AVAILABILITY b. User destroys data in application and deletes all files ââ¬â INTEGRITY c. Workstation OS has a known software vulnerability ââ¬â CONFIDENTIALITY d. Communication circuit outages ââ¬â AVAILABILITY e. User inserts CDââ¬â¢s and USB hard drives with personal photos, music and videos on organization owned computers ââ¬â INTEGRITY 4. a. Unauthorized access from public internet ââ¬â Operating system, software patches, updates, change passwords often, and hardware or software firewall. b. User destroys data in application and deletes all files ââ¬â Restrict access for users to only those systems, applications, and data needed to perform their jobs. Minimize write/delete permissions to the data owner only. c. Workstation OS has a known software vulnerability ââ¬â Define a workstation application software vulnerability window policy. Update application software and security patches according to defined policies, standards, procedures, and guidelines. d. Communication circuit outages ââ¬â the role of countermeasures against catastrophic failures is not to eliminate them which is impossible, but to reduce their frequency and severity. e. User inserts CDââ¬â¢s and USB hard drives with personal photos, music and videos on organization owned computers ââ¬â Disable internal CD drives and USB ports. Enable automatic antivirus scans for inserted media drives, files and e-mail attachments. An antivirus scanning system examines all new files on your computerââ¬â¢s hard drive for viruses. Set up antivirus scanning for e-mails with attachments. The Risk Management Process a. Step 1 Identify the hazards b. Step 2 Decide who might be harmed and how c. Step 3 Evaluate the risks and decide on precautions d. Step 4 Record your findings and implement them e. Step 5 Review your assessment and update if necessary 5. a. Threat or Vulnerability #1: * Information ââ¬â Social engineering/ install web filtering software. * Application ââ¬â Malicious and non-malicious threats consist of inside attacks by disgruntled or malicious employees and outside attacks by non-employees just looking to harm and disrupt an organization/ computer security, software quality, and data quality programs. * Infrastructure ââ¬â Terrorist organizations, both foreign and domestic/Natural forces such as time, weather and neglect. * People ââ¬â Careless employees/Educating users b. Threat or Vulnerability #2: * Information ââ¬â Intentional/Unintentional Action, battery backup/generator, journaling file system and RAID storage * Application ââ¬â Software bugs/ malicious act, antivirus protection and network firewalls * Infrastructure ââ¬â Power failure, Hardware failure/security fixes and system patches * People ââ¬â malicious act/ Educating users c. Threat or Vulnerability #3: * Information ââ¬â zero-hour or day zero/ Zero-day protection, Secure Socket Layer (SSL) * Application ââ¬â Keeping the computerââ¬â¢s software up-to-date * Infrastructure ââ¬â malicious software/analyze, test, report and mitigate. * People ââ¬â Careless employees/Educating users 6. True or False ââ¬â COBIT P09 Risk Management controls objectives focus on assessment and management of IT risk. 7. Why is it important to addressà each identified threat or vulnerability from a C-I-A perspective? 8. When assessing the risk impact a threat or vulnerability has on your ââ¬Å"informationâ⬠assets, why must you align this assessment with your Data Classification Standard? How can a Data Classification Standard help you assess the risk impact on your ââ¬Å"informationâ⬠assets? 9. When assessing the risk impact a threat or vulnerability has on your ââ¬Å"applicationâ⬠and ââ¬Å"infrastructureâ⬠, why must you align this assessment with both a server and application software vulnerability assessment and remediation plan? 10. When assessing the risk impact a threat or vulnerability has on your ââ¬Å"peopleâ⬠, we are concerned with users and employees within the User Domain as well as the IT security practitioners who must implement the risk mitigation steps identified. How can you communicate to your end-user community that a security threat or vulnerability has been identified for a production system or application? How can you prioritize risk remediation tasks? 11. What is the purpose of using the COBIT risk management framework and approach? Assess the likelihood and impact of risks, using qualitative and quantitative methods. 12. What is the difference between effectiveness versus efficiency when assessing risk and risk management? Effectiveness is following the instruction of a specific job while efficiency is doing the instruction in lesser time and cost. They say Effectiveness is doing whatââ¬â¢s right and efficiency is doing things rightly done. 13. Which three of the seven focus areas pertaining to IT risk management are primary focus areas of risk assessment and risk management and directly relate to information system security? 14. Why is it important to assess risk impact from four different perspectives as part of the COBIT P09 Framework? It assigns responsibility. 15. What is the name of the organization who defined the COBIT P09 Risk Management Framework Definition? Information Systems Audit and Control Association (ISACA).
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.