Friday, September 7, 2007

RISK ASSESSMENT On IT Infrastructure

To develop risk assessment method to safeguard or protect of Information System assets of an organization.

Element that identify and analyze the risk forced by an organization and ways these risks can be managed.
The IS auditor or IS security administrator is responsible for developing risk assessment method.
Risk assessment is the process of identifying vulnerabilities and threats to an organization’s information resources or IT infrastructures in achieving business objectives and deciding what counter measures, if any, to take in reducing the level of countermeasures and deciding which, if any, to take in reducing risk to an appropriate acceptable level, based on the value of the information resource to the organization. A summary of this concept is shown in the equation as follows:

Mathematical Equation:
Total Risk = Threats x Vulnerability x Asset Value

Generally, risk can be transferred, reject, reduced or accepted at high, medium and low level risk, but risk never eliminated.

Existing Risk Assessment:
Developing a Risk Assessment Program:
To develop a risk management and assessment program in the following ways:
A: Establish the purpose and objective of the risk assessment program.
B: Assign responsibilities for the risk assessment plan.
Risk Assessment process (Assets Identification & Classification)

Proposed Risk Assessment Method:
A) Management Level Policy Planning for Assessment:
• Preventive control
• Detective control
• Corrective control

Current Risk Assessment Tools:
Product Company Focus
CRAMM Insight Consulting Ltd. Government, Public Sector
CORA International SecurityTechnology Inc. Telecom, Logistics Government, IT
COBRA C&A Systems Security Ltd. Enterprise
Risk Check Norman Security Enterprise
RiskPAC CSCI Inc. Business Continuity
RiskWatch Risk Watch, Inc HIPAA, DITSCAP, NIACAP
The Buddy System Alion Science & technology Inc. IT

B) System level assessment:
• Disaster Recovery Plan (DRP):
• Emergency Plan:
• Backup Plan:
• Recovery Plan:
• Test Plan:
• Others:
Ø Insurance

Minimize the risk factor at minimum level.

Therefore, we can able to safeguard or protect the IS infrastructure/assets (Data, Hardware, Software, Network), from intruder, hacker and external vendor or contractor.

The risk management & assessment method to ensure and achieve protection, data integrity, effectiveness and efficiencies must be designed implement as per requirement of business objective of an organization.

Governance of Outsourcing

Governance of outsourcing is the set of responsibilities, roles, objectives, interfaces and controls required to anticipate change and manage the introduction, maintenance, performance, costs and control of third-party provided services. It is an active process that the client and service provider must adopt to provide a common, consistent and effective approach that identifies the necessary information, relationships, controls and exchanges among many stakeholders across both parties.

Best Practices for Governance of Outsourcing
For the organisation to adopt best practice, the outsourcing life cycle must be understood operationally and strategically as this supports control across each of the life cycle stages.
Armed with this widely accepted life cycle model, the organisation will be better able to manage, govern and allocate resources effectively across the following areas.
1) Asset Management
2) Contract Management
3) Relationship Management
4) SLAs and OLAs
5) Due Diligence
6) Baselining and Benchmarking
7) Governance Processes

Grow Your Knowledge With COBIT®

With the growing adoption of COBIT, ISACA recognized the need for structured and formal education and worked together with ITpreneurs to develop authentic COBIT learning solutions. COBIT training courses help professionals master COBIT and utilize this knowledge for effective implementation within their organizations. Sustainable COBIT competencies help IT organizations and departments align with the goals and objectives of the business and generate strategic value from IT.

The COBIT curriculum includes the following courses:
§ COBIT Awareness Course (2 hours, self paced e-learning)
§ COBIT Foundation Course (8 hours, self paced e-learning or 14 hours, classroom)
§ COBIT Foundation Exam (1 hour, online 40 questions)
§ IT Governance Implementation Course (14 hours, classroom)
§ COBIT for Sarbanes-Oxley Compliance (5 hours, self paced e-learning)

COBIT Education FAQs
Important FAQ section for COBIT 4.1

Q0.0: When are COBIT 4.1 courses available?
A: The e-COBIT courses are amongst the first courses to reflect COBIT 4.1. The updated English COBIT Foundation Course and COBIT Awareness Course will be available from the third week of May onwards.The Classroom COBIT Foundation Course will be updated in June and will be made available in the last week of June

Q0.1: I am currently taking a 4.0 course, can I upgrade to 4.1?
A: YES, definitely. All users who (still) have access to a COBIT 4.0 course can request a free upgrade to a COBIT 4.1 course. Simply write an email to with the following information: Subject: COBIT 4.1 upgradeISACA number / User nameEmail address: Number of days access left:Please provide me with a COBIT 4.1 upgrade course.

Q0.2: What is the difference between COBIT V4 and V4.1 Foundation Course?
A: Please click here to download the PDF providing information related to difference between COBIT V4 and V4.1 Foundation Course.

Q0.3: When can I take a COBIT 4.1 Exam
A: The COBIT Foundation Exam will be available on first of July. The updated courses then already include an exam preparation for the new exam allowing you to practice before the real exam

Q0.4: Can I still take COBIT 4.0 exams in the coming months?
A: Yes ; the COBIT 4.0 exam will be available for at least another 3 months after the launch of COBIT 4.1 courseware

Q0.5: What about other language courses?
A: Other language courses will be translated to COBIT 4.1 in the course of the year and de pending of the availability of COBIT 4.1 in the local language. If for example COBIT 4.1 is not yet available in simplified Chinese, course materials will also not be updated as yet.

Q1.1: What is the COBIT Foundation Course?
A: The COBIT Foundation Course is available as an 8-hour online training and as a 2 and 2.5 day classroom training course. The web-based course is modularized and allows for self-paced learning. The web based course explains the need for a control framework, the role COBIT fulfills in this need, and provides details on elements of the COBIT Framework, Audit Guidelines and Management Guidelines.
You may register for the course at The COBIT Foundation Course prepares candidates for taking on the COBIT Foundation Exam™ (See "About the COBIT Foundation Exam" below for details.) The classroom course cover the same learning outcomes but then in an interactive classroom setting. The 2.5 day course includes a business simulation; the ‘COBIT Games’. These courses cannot be scheduled through the online learning portal but are available through

Q1.2: Who is the target audience for the COBIT Foundation Course and COBIT Foundation Exam?
A: The COBIT Foundation Course and COBIT Foundation Exam are equally applicable to IT auditors, IT managers, IT quality professionals, IT leadership, IT developers, process practitioners and managers in IT service providing firms. Anyone interested in learning more about COBIT will find value in the COBIT Foundation Course and COBIT Foundation Exam.

Q1.3: What is the registration fee for the online COBIT Foundation Course?
A: Individuals can register to take the COBIT Foundation Course at for US$499. ISACA members receive a 30% discount on the COBIT Foundation Course

Q1.4: Is there a discount for ISACA members?
A: Yes, ISACA members receive a significant discount on all online courses except for the COBIT Foundation Exam.
Please visit to find out more.

Q1.5: How do I register for the course?
A: Please follow the steps below to register for the COBIT Foundation Course.
Step 1: Visit and click on 'Login'.
Step 2: If you are not registered, sign up on the portal first. Then provide your username and password as login details. You should now be logged in.
Step 3: Click on the 'Catalog' to browse and select a course.
Step 4: Click on 'View Details' to learn more about a particular course.
Step 5: Click on 'Add to Cart' to register for a course and proceed to 'Checkout'.
Step 6: Choose the payment option and provide necessary details to complete the registration process.
Step 7: Incase of credit card payment, the course will be available immediately. With any other payment option, you can begin your course as soon as your payment is received!

Q1.6: Is this course available from other training providers?
A: The COBIT Foundation Course is owned by ISACA and available at The course is also available through a number of training providers globally. ISACA members can only benefit from their member discount through the cobitcampus

Q1.7: Does ISACA manage the complete operation of the COBIT Foundation Course?
A: No, the operation of the COBIT Foundation Course is managed by ITpreneurs, a global provider of IT management and governance learning solutions. For more information, please visit or write to

Q1.8: What are the advantages of taking the COBIT Foundation Course and passing the COBIT Foundation Exam?
A: Completing the COBIT Foundation Course and passing the exam provides you with recognition and confidence that you understand the principles, elements and recommended application of COBIT at a Foundation level. Passing the COBIT Foundation Exam is a prerequisite for attending the workshop ‘Implementing IT Governance using COBIT and ValIT.

Q1.9: Are Continuing Professional Education (CPE) credits provided for taking the COBIT Foundation Course and passing the COBIT Foundation Exam?
A: Yes, after successful completion of the COBIT Foundation Course and after also passing the COBIT Foundation Exam, you will be awarded 8 CPE credits for the online course or 14 for the classroom course. These credits will be provided by ISACA/ITGI.

Q1.10: What is the difference between a Virtual Instructor Led and a self paced e-learning course?
A: The virtual instructor led course provides you with the support from an instructor who will answer any content related questions you might have. The self paced course does not provide this support. A more active support is also possible for groups of students (8 to 16 students). For groups of students an instructor can provide additional support through conference calls at predefined milestones in the course.

Q1.11: My organization is interested in training multiple people. Is there a discount structure available for this?
A: For groups of students and corporate accounts, a volume discount structure is available. Please write to and provide details regarding the course name, the number of people to be trained and your training timelines. An ITpreneurs representative will contact you to discuss your specific training need.

Q1.12: Does ISACA provide a certificate for taking the course and passing the Exam?
A: To see the sample of the certificate issued by ISACA after taking the COBIT Foundation Course and passing the COBIT Foundation Exam, please click here

Q1.13: When will the COBIT Foundation Course and COBIT Foundation Exam be aligned with Version 4.1?
A: The course and exam will be aligned with COBIT 4.1 in the second week of May

Q1.14: Will I get an extension on the course if I am unable to complete it within 90 days?
A: The course is designed in a manner that it can be completed in 90 days timeframe. However, if due to specific reasons (i.e. workload) you are unable to complete your course, a one time extension of 14 days can be provided.

2. The COBIT Foundation Exam

Q2.1: What is the COBIT Foundation Exam and how will it be delivered?
A: The COBIT Foundation Exam is an online, multiple-choice exam. Taking and passing the exam results in an official certificate provided by ISACA. The exam must be supervised by a proctor who commits to supervising the exam and maintaining controlled conditions. Details about registering a proctor will be provided when candidates register for the exam.

Q2.2: What is the passing grade for the exam?
A: The exam consists of 40 multiple-choice questions. To pass the exam, an individual must correctly answer 28 or more questions, or attain a score of 70% or higher.

Q2.3: Does successful completion of the exam result in a certificate?
A: Yes, a formal certificate acknowledging that you passed the exam will be issued by ISACA/ITGI after successful completion of the exam.

Q2.4: Where do I take the COBIT Foundation Exam?
A: You can register for the COBIT Foundation Exam at Once you are registered to take the exam, you will receive the required information on how to register a proctor and how the examination session should be organized.

Q2.5: I am already familiar with COBIT and feel that I have foundation-level knowledge. Do I need to take the COBIT Foundation Course in order to take the COBIT Foundation Exam?
A: No, you do not need to take the COBIT Foundation Course in order to be eligible to take the exam. A syllabus detailing the exam objectives will be provided to you to help you prepare for the exam.

Q2.6: How does passing the COBIT Foundation Exam help me in my career?
A: The COBIT Foundation certificate provides you with the confidence and recognition that you master COBIT at the Foundation level. With this certificate, you will be eligible to participate in higher-level COBIT course offerings such as the workshop ‘Implementing IT Governance using COBIT and ValIT.

Q2.7: Do any of the courses offer CPE credit?
A: You will receive 8 CPE credits for completing the online COBIT Foundation course and passing the COBIT Foundation Exam. You will receive 14 CPE credits for completing the classroom COBIT Foundation Course and passing the COBIT Foundation Exam

Q2.8: How does the online examination work, do I have to go somewhere or arrange for anything?
A: ISACA/ITGI provides maximum flexibility in the examination procedure with the condition that a proctor is physically present during the examination session. The proctor should be someone who has no business advantage from the candidates' exam-result. The proctor can be someone within the candidates' organization, but it should not be the candidates' personal manager or direct colleague. Someone within the candidates' local education group or HR organization would be ideal. The proctor will have to be registered prior to performing this role.

Q2.9: Does ISACA provide any certificate on passing the Exam?
A: To see the sample of the certificate issued by ISACA for the COBIT Foundation Exam, please click here

Q2.10: Do I need to pay for the exam again in case I did not pass the exam?
A: Yes, if you did not pass the exam you will need to purchase the exam again and participate in the exam registration process once more.

3. Other COBIT Courses

Q3.1: Are there any additional COBIT courses be available besides the COBIT Foundation Course?
A: Yes, the COBIT for Sarbanes Oxley IT compliance course provides an insight into how COBIT can be used to manage Sarbanes Oxley IT compliance. This 5-hour course was developed with the support from industry experts who helped several organizations to meet the Sarbanes Oxley requirements. Case studies and supporting templates come with this practical course as well.

Q3.2: I am looking for a training course that helps the implementation team to get a better understanding of the route map towards COBIT Implementation
A: The two day workshop ‘Implementing IT Governance using COBIT and ValIT’ helps COBIT practitioners and implementation teams to get a better understanding of the roadmap towards implementation of COBIT. This workshop uses practical case studies and examples to ensure that learners not only learn about the roadmap but also understand the practical implications of the implementation.

Q3.3: What are the COBIT Games?
A: The COBIT Games is a business board simulation that is used in the 2.5 day COBIT Foundation Classroom training. Stu de nts prepare a city for hosting the upcoming Olympic Games and learn principles of governance and COBIT in their en de avor. Using a business simulation helps to better stu de nts to better un de rstand and apply knowledge by actually using it in a practical environment. For more information visit:

4. Technical Requirements

Q4.1: What are the technical requirements for the COBIT online courses?
A: The following configuration is required for any of the COBIT Campus e-learning courses: a Pentium IV computer, Internet Explorer 5.x, cookies enabled, Macromedia Flash Player 7.0, speakers or a headset and 1024X768 pixel resolution.
Q4.2: I am facing some technical difficulties. Where can I obtain help or technical support?
A: If you are logged into the learning system, please click on the ‘Support’ button on the top of the page to submit a support ticket. You can also write directly to: