Risk Analysis Lab Manual

The Risk Analysis and Assessment Lab Manual for B.Tech III year Cyber Security students at The NorthCap University provides practical experience in risk management and assessment techniques. It includes guidelines for lab conduct, a list of experiments, and evaluation criteria, emphasizing the importance of preparation and adherence to academic integrity. The manual aims to enhance students' understanding of risk analysis while fostering self-study and creativity.

Uploaded by

Akshit Yadav

Risk Analysis and Assessment (CSL 385)

Lab Manual
Department of Computer Science and Engineering
The NorthCap University, Gurugram
Risk Analysis and Assessment|i
2024-2025

Risk Analysis and Assessment


Lab Manual
CSL385
Dr. Manvi Breja

Department of Computer Science and Engineering

NorthCap University, Gurugram- 122001, India

Session 2024-25

Published by:

School of Engineering and Technology

Department of Computer Science & Engineering

The NorthCap University Gurugram



• Laboratory Manual is for Internal Circulation only

© Copyright Reserved

No part of this Practical Record Book may be reproduced, used or stored without prior permission of The NorthCap University.

Copying or facilitating copying of lab work comes under cheating and is considered use of unfair means. Students indulging in copying or facilitating copying shall be awarded zero marks for that particular experiment. Frequent cases of copying may lead to disciplinary action.
Attendance in lab classes is mandatory.

Labs are open up to 7 PM upon request. Students are encouraged to make full use of labs beyond
normal lab hours.

PREFACE

The Risk Analysis and Assessment Lab Manual is designed to meet the course and program requirements of the NCU curriculum for B.Tech III year Cyber Security students of the CSE branch. The concept of the lab work is to give students brief practical experience in basic lab skills. It provides the space and scope for self-study so that students can come up with new and creative ideas.

The lab manual is written on a “teach yourself” pattern, and it is expected that students who come with proper preparation will be able to perform the experiments without difficulty. A brief introduction to each experiment, with information about self-study material, is provided. The laboratory case studies will help students develop an understanding of the fundamentals of risk management and introduce classical as well as state-of-the-art risk analysis techniques. Students will be able to perform a risk assessment and determine the mitigation steps for the risks they identify. Students are expected to come thoroughly prepared for the lab. General discipline, safety guidelines and report writing are also discussed.

The lab manual is a part of the curriculum of The NorthCap University, Gurugram. The teacher’s copy of the experimental results and answers to the questions is available as sample guidelines.

We hope that the lab manual will be useful to students of the CSE and IT branches, and the author requests readers to kindly forward their suggestions and constructive criticism for further improvement of the work book.

The author expresses deep gratitude to the Members of the Governing Body, NCU, for their encouragement and motivation.

Authors
The NorthCap University
Gurugram, India

CONTENTS

S.N.  Details
      Syllabus
1     Introduction
2     Lab Requirement
3     General Instructions
4     List of Experiments
5     Rubrics

1. INTRODUCTION

That ‘learning is a continuous process’ cannot be over-emphasized. The theoretical knowledge gained during lecture sessions needs to be strengthened through practical experimentation. Thus, practical work is an integral part of the learning process.

The purpose of conducting the experiments can be stated as follows:

● Perform a complete risk assessment.
● Assign a data owner and custodian to an information asset.
● Assign classification values to critical information assets.
● Prioritize risk remediation efforts as a result of performing a risk assessment.
● Evaluate risk management models for use in their own organization.
● Prepare an audit report for IT infrastructure.

2. LAB REQUIREMENTS

Requirement: Details
Operating System: Windows | Linux
Hardware Requirements (Windows and Linux): 8 GB RAM (recommended); 80 GB hard disk space
Required Bandwidth: NA

3. GENERAL INSTRUCTIONS

3.1 General discipline in the lab

● Students must turn up on time and contact the concerned faculty for the experiment they are supposed to perform.
● Students will not be allowed to enter the lab late.
● Students will not leave the class till the period is over.
● Students should come prepared for their experiment.
● Experimental results should be entered in the lab report format and certified/signed by the concerned faculty/lab instructor.
● Students must get the connections of the hardware setup verified before switching on the power supply.
● Students should maintain silence while performing the experiments. If any need for discussion among them arises, they should discuss in a very low voice without disturbing the adjacent groups.
● Violating the above code of conduct may attract disciplinary action.
● Damaging lab equipment or removing any component from the lab may invite penalties and strict disciplinary action.

3.2 Attendance
● Attendance in the lab class is compulsory.
● Students should not attend a lab group/section other than the one assigned at the beginning of the session.
● If a student misses his/her lab classes on account of illness or family problems, he/she may be assigned a different group to make up the loss, in consultation with the concerned faculty/lab instructor, or he/she may work in the lab during spare/extra hours to complete the experiment. No attendance will be granted in such cases.

3.3 Preparation and Performance

● Students should come to the lab thoroughly prepared on the experiments they are assigned to perform on that day. A brief introduction to each experiment, with information about self-study references, is provided on the LMS.
● Students must bring the lab report to each practical class, with written records of the last experiments performed complete in all respects.
● Each student is required to write a complete report of the experiment he/she has performed and bring it to the lab class for evaluation in the next working lab. Sufficient space in the work book is provided for independent writing of theory, observation, calculation and conclusion.
● Students should follow the zero-tolerance policy on copying/plagiarism. Zero marks will be awarded if work is found copied. If caught again, it will lead to disciplinary action.
● Refer to Annexure 1 for the Lab Report Format.

4. LIST OF EXPERIMENTS

Sr. No. | Title of the Experiment | Unit Covered | CO Covered | Time Required
1. | Given different scenarios, identify threat, asset and vulnerability | 1 | CO1 | 2 hrs
2. | Design Security Policy on online teaching and exam conduction | 1 | CO1 | 2 hrs
3. | Design Vulnerability Report on E-Commerce site | 1 | CO1 | 2 hrs
4. | Design Risk Assessment Report on NCU | 2 | CO2 | 2 hrs
5. | Threat Identification Exercise for a Sample E-Commerce Application | 2 | CO2 | 2 hrs
6. | Perform risk mitigation on the following scenario: You are managing a small software development project with a team of five developers. One of your critical risks is that a key developer might unexpectedly leave the project. | 3 | CO3 | 2 hrs
7. | Perform risk mitigation on the following scenario of NCU: NCU relies heavily on an online learning management system (LMS) for managing classes, assignments, and exams. A risk has been identified: the LMS server might go down during final exams, disrupting the examination process. | 3 | CO3 | 2 hrs
8. | Design Risk treatment and risk communication on risk assessment report of NCU | 4 | CO4 | 4 hrs
9. | Design ISO audit report on NCU | 5 | CO5 | 2 hrs
10. | Conduct an Audit using the COBIT framework for a given scenario in university. The university is implementing a new Student Information System (SIS) to manage admissions, course registrations, grades, and student records. The audit will assess the governance and management of IT during this implementation. | 5 | CO5 | 2 hrs
11. | Study a real-world cyber security incident and summarize the challenges faced during response | 6 | CO6 | 2 hrs

5. RUBRICS

Marks Distribution

Continuous Evaluation (50 Marks)

Each Lab Assessment (30 marks): each lab experiment shall be evaluated for 10 marks, for which the breakup is:
6 Marks: Observation & conduct of experiment. Teacher may ask questions about the experiment.
2 Marks: For completing questions given at the end of each experiment.
2 Marks: For timely submission.

Mid Term Lab Viva (10 marks)

Lab File (10 marks)

Final Evaluation (20 Marks)

At the end of the semester a viva will be conducted related to the subject knowledge, and this component carries 20 marks.


Annexure 1

Risk Analysis And Assessment (CSL 385)

Lab Practical Report

Faculty name: Manvi Bareja Student name: Divyansh Sahu

Roll No.: 22CSU062

Semester: 6th

Group: CS1

Department of Computer Science and Engineering


NorthCap University, Gurugram- 122001, India
Session 2024-25
INDEX
S.No | Experiment | Page No. | Date of Experiment | Date of Submission | Marks | CO Covered | Sign

EXPERIMENT NO. 1

Student Name and Roll Number: Divyansh Sahu 22CSU062

Semester /Section: 6th / CY-A

Link to Code:

Date:

Faculty Signature:

Marks:

Objective(s):

● Identify assets, threats and vulnerabilities according to the scenario

Outcome:

Students will be familiarized with the concepts of assets, threats and vulnerabilities and will prepare a report on them.

Problem Statement:

Given the following scenarios, identify the threats, assets and vulnerabilities.

1. A growing e-commerce company, ShopEasey, provides an online platform where customers can browse and purchase a variety of products. The platform processes customer data, manages inventory, and integrates with third-party payment gateways. Recently, ShopEasey experienced a surge in failed login attempts and unusual traffic patterns, raising concerns about potential security risks. The company's management wants to evaluate the platform’s threats, assets, and vulnerabilities to improve security.
Identify assets, threats, and vulnerabilities.
2. A modern, mid-sized hospital, HealthCare Plus, relies heavily on its Hospital Management System (HMS) to manage patient records, appointments, billing, and medical equipment tracking. The system integrates with various devices, including IoT-enabled medical devices, to monitor patient vitals in real time. Recently, there have been instances of system downtime and phishing attempts targeting hospital staff. The hospital's management wants to evaluate its assets, threats, and vulnerabilities to protect its sensitive data and critical operations.
Identify assets, threats, and vulnerabilities.

Background Study:
The vulnerability assessment report contains three columns in an Excel file: assets, vulnerability and threat.
Asset: anything that has value to the organization.
Vulnerability: a weakness of an asset that can be exploited by one or more threats.
Threat: any action or event with the potential to cause harm.

Question Bank:

1. Identify technical assets and operational assets.
2. Identify the vulnerabilities present in NCU software.
3. Explain the different types of vulnerabilities.
4. What is the difference between a vulnerability and a threat?



Student Work Area


1.

2.

EXPERIMENT NO. 2

Student Name and Roll Number: Divyansh Sahu 22CSU062


Semester /Section: 6th / CY-A
Link to Code:
Date:
Faculty Signature:
Marks:
Objective:

● Understand the management requirement and formulate it into a high-level statement.
● Formulate statements that are concise, brief, unambiguous and easy to understand.

Outcome:

Students will be able to frame security policies.

Problem Statement:
Design a policy on online teaching and exam conduction.

Background Study:

A policy is a high-level statement of requirements. A security policy is the primary way in which management’s expectations for security are communicated to the builders, installers, maintainers, and users of an organization’s information systems.
A good security policy should be a high-level, brief, formalized statement of the security practices that management expects employees and other stakeholders to follow.
A policy should contain: purpose, scope, responsibility and content.

Question Bank:

1. What are the security documents?
2. What are the characteristics of a good policy?
3. Design a policy for an online banking system from the customer’s end.



Student Work Area


POLICY ON ONLINE TEACHING AND EXAM CONDUCTION

1. Purpose

The purpose of this policy is to establish guidelines for the effective and secure conduct of online teaching and examinations. It aims to ensure academic integrity, compliance with institutional standards, and a seamless learning experience for students and faculty.

2. Scope

This policy applies to:

● All faculty members conducting online lectures and assessments.
● Students enrolled in online courses or taking exams remotely.
● Institutional administrators responsible for managing online education platforms and exam security.
● Any third-party platforms or tools used for virtual learning and assessments.

3. Responsibilities

3.1 Faculty Responsibilities

● Deliver structured online lessons through institution-approved platforms.
● Ensure the confidentiality of course materials and exam questions.
● Record attendance and monitor student engagement.
● Provide clear guidelines for assignments and assessments.
● Address student concerns related to online learning and assessments.

3.2 Student Responsibilities

● Attend scheduled online classes and participate in discussions.
● Follow academic integrity guidelines during exams and assignments.
● Ensure a stable internet connection and a conducive learning environment.
● Report any technical issues or unfair examination practices.

3.3 Administration Responsibilities

● Maintain and monitor online teaching and exam platforms.
● Provide necessary training and support to faculty and students.
● Implement security measures such as proctoring tools and authentication mechanisms.
● Review and update policies to align with technological advancements and institutional needs.

4. Content

4.1 Online Teaching Guidelines

4.1.1 Platform & Infrastructure

● All online teaching must be conducted through officially approved platforms (e.g., Google Meet, Microsoft Teams, Zoom, or LMS).
● Faculty and students must use secure login credentials and follow cybersecurity best practices.

4.1.2 Course Delivery & Engagement

● Course plans must be shared in advance, including schedules, assignments, and reading materials.
● Faculty should incorporate interactive elements (polls, quizzes, discussions) to maintain student engagement.
● Recorded lectures may be provided for academic reference, ensuring compliance with privacy policies.

4.1.3 Attendance & Participation

● Attendance must be recorded using digital tracking mechanisms.
● Students must actively engage in learning activities and discussions as per course requirements.

4.1.4 Assessments & Assignments

● Assignments should be submitted via the institution’s Learning Management System (LMS).
● Plagiarism detection software should be used to maintain academic integrity.
● Feedback must be provided in a timely manner to support continuous learning.

4.2 Online Examination Guidelines

4.2.1 Exam Format

● Exams may include multiple-choice questions, case studies, open-book tests, or oral assessments.
● Question papers should be designed to minimize malpractice risks (e.g., randomized questions).
● Time-bound assessments should be enforced to prevent extended access to exam content.

4.2.2 Authentication & Proctoring

● Students must verify their identity using institutional credentials (e.g., ID verification, webcam authentication).
● AI-based or live proctoring may be used to monitor exams.
● Restricted browsing or secure exam environments may be implemented to prevent cheating.

4.2.3 Academic Integrity & Misconduct

● Any form of academic dishonesty, including plagiarism and unauthorized communication, will result in penalties.
● Violation of exam rules may lead to disciplinary actions, including disqualification or re-examination.

4.2.4 Technical Issues & Contingencies

● Students must report technical difficulties immediately to the designated support team.
● In case of connectivity failures, backup options such as rescheduling or alternative assessment methods may be considered.

5. Reviews and Updates

● This policy will be reviewed annually or as required to adapt to new technologies and institutional needs.
● Any changes or amendments will be communicated to faculty, students, and administrators.
● Feedback from stakeholders will be considered in policy revisions to enhance its effectiveness.

By adhering to this policy, the institution aims to ensure a secure, fair and effective learning environment for all students, whether online or offline.

EXPERIMENT NO. 3

Student Name and Roll Number: Divyansh Sahu 22CSU062


Semester /Section: 5th / Cy-A
Link to Code:
Date:
Faculty Signature:
Marks:
Objective:

● Identify assets, threats and vulnerabilities
● Classify threats under different categories: adversarial, accidental, structural, environmental

Outcome:

Students will be familiarized with the concepts of assets, threats and vulnerabilities and will prepare a report on them.

Problem Statement:
Design a Vulnerability Report on an E-Commerce site.

Background Study:

The vulnerability assessment report contains three columns in an Excel file: assets, vulnerability and threat.
Asset: anything that has value to the organization.
Vulnerability: a weakness of an asset that can be exploited by one or more threats.
Threat: any action or event with the potential to cause harm.

Question Bank:

1. Identify management and infrastructure assets.
2. Identify vulnerabilities related to policies in an e-commerce website.



Student Work Area


Asset | Type of Asset | Vulnerability | Type of Vulnerability | Threat | Type of Threat | Risk
Customer Personal and Financial Information | Digital | Insecure API Endpoints | Software Vulnerability | Data Breach | Adversarial | High
User Credentials | Digital | Weak Passwords | Human Error | Credential Theft | Adversarial | High
Payment Processing System | Digital | Weak Encryption Practices | Software Vulnerability | Payment Fraud | Adversarial | High
Website and Web Applications | Digital | Unpatched Software | Software Vulnerability | Exploits and Malware Injection | Adversarial | High
Employees | Human | Lack of Security Awareness | Human Error | Phishing Attacks | Accidental | Medium
Servers | Physical | Misconfiguration | Configuration Error | Unauthorized Access | Structural | High
Data Centers | Physical | Power Failure | Environmental | System Downtime | Environmental | Medium
Backup Storage Devices | Physical | Poor Access Control | Policy Weakness | Data Corruption | Accidental | Medium

EXPERIMENT NO. 4

Student Name and Roll Number:

Semester /Section:

Link to Code:

Date:

Faculty Signature:

Marks:

Objective:

● Identify assets, threats and vulnerabilities
● Classify threats under different categories: adversarial, accidental, structural, environmental

Outcome:

Students will be familiarized with the concepts of assets, threats and vulnerabilities and will prepare a report on them.

Problem Statement:
Design a Risk Assessment Report on NCU.

Background Study:

The risk assessment report contains the following columns in an Excel file: assets, vulnerability, threat, threat severity, threat likelihood, risk, type of risk and risk severity.
Asset: anything that has value to the organization.
Vulnerability: a weakness of an asset that can be exploited by one or more threats.
Threat: any action or event with the potential to cause harm.
Risk = threat × vulnerability on a particular asset
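The scoring behind this report, as an added Python example that is not part of the lab manual: threat severity and threat likelihood are each scored on a 1-5 scale, risk is their product (the manual's "risk = threat × vulnerability on a particular asset"), and the product is banded into a risk severity so the register can be sorted for remediation priority. The 1-5 scale, the Low/Medium/High/Critical bands and the sample campus register are assumptions made for the example.

```python
# Added example (not from the lab manual): a small risk register for the
# Experiment 4 report. Severity and likelihood are scored 1-5, risk is their
# product, and the product is banded so remediation can be prioritised.
# The scale, the bands and the sample entries are assumptions for this example.
from dataclasses import dataclass

# Qualitative scale used for both threat severity and threat likelihood.
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass
class RiskEntry:
    asset: str
    vulnerability: str
    threat: str
    threat_type: str   # adversarial | accidental | structural | environmental
    severity: str      # impact if the threat materialises (SCALE key)
    likelihood: str    # chance the threat exploits the vulnerability (SCALE key)


def risk_score(severity: str, likelihood: str) -> int:
    """Risk = threat severity x threat likelihood, on a 1-25 scale."""
    return SCALE[severity.lower()] * SCALE[likelihood.lower()]


def risk_rating(score: int) -> str:
    """Band a 1-25 score into the report's risk severity column."""
    if score >= 15:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def assess(register: list[RiskEntry]) -> list[dict]:
    """Score every entry and return report rows, highest risk first."""
    rows = []
    for e in register:
        score = risk_score(e.severity, e.likelihood)
        rows.append({
            "asset": e.asset,
            "vulnerability": e.vulnerability,
            "threat": e.threat,
            "type_of_threat": e.threat_type,
            "severity": e.severity,
            "likelihood": e.likelihood,
            "score": score,
            "rating": risk_rating(score),
        })
    # Highest score first; ties broken by asset name so the order is stable.
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


def remediation_order(register: list[RiskEntry]) -> list[str]:
    """Asset names in the order their risks should be treated."""
    return [r["asset"] for r in assess(register)]


# Constructed sample register for a university campus (hypothetical values).
SAMPLE_REGISTER = [
    RiskEntry("LMS server", "single server, no failover",
              "outage during exams", "structural", "very high", "medium"),
    RiskEntry("Student records database", "unpatched DBMS",
              "data breach", "adversarial", "very high", "high"),
    RiskEntry("Staff accounts", "no security awareness training",
              "phishing", "adversarial", "high", "high"),
    RiskEntry("Lab workstations", "shared local admin password",
              "malware infection", "accidental", "medium", "medium"),
    RiskEntry("Data centre", "no UPS",
              "power failure", "environmental", "high", "low"),
]


if __name__ == "__main__":
    for r in assess(SAMPLE_REGISTER):
        print(f'{r["rating"]:<9}{r["score"]:>3}  {r["asset"]}: '
              f'{r["threat"]} via {r["vulnerability"]} ({r["type_of_threat"]})')
```

Running the block prints the register sorted by score; the database breach (5 × 4 = 20) comes first and the power failure (4 × 2 = 8) last, which is the order the report's remediation column should follow.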

Question Bank:

1. Mention two characteristics of software risk.
2. What do you mean by exposure factor?
3. To estimate the level of risk from a particular type of security breach, three factors are considered: threats, vulnerabilities, and impact. An agent with the potential to CAUSE a security breach, which could be either a person or an environmental condition such as fire, would be ……………
4. What are the differences between quantitative risk assessment and qualitative risk assessment?

Student Work Area



EXPERIMENT NO. 5

Student Name and Roll Number:

Semester /Section:

Link to Code:

Date:

Faculty Signature:

Marks:

Objective:

● To identify threats as a step in the risk assessment process

Outcome:

Students will be able to identify possible threats in a given scenario.

Problem Statement:

Threat Identification Exercise for a Sample E-Commerce Application

Background Study:
• Understand the concept of risk assessment
• Understand the different processes involved in risk assessment

Question Bank:

1. How can we ensure comprehensive identification of both internal and external threats?
2. What tools or methods can be used to identify emerging or evolving threats effectively?
3. How do we prioritize identified threats based on their relevance to organizational
objectives?

Student Work Area



EXPERIMENT NO. 6

Student Name and Roll Number:

Semester /Section:

Link to Code:

Date:

Faculty Signature:

Marks:

Objective:

● Understand the different types of security controls: logical controls, physical controls, organisational controls and personnel controls

Outcome:

Students will be able to identify all the controls applicable to a given risk and recommend the specific control that mitigates it.

Problem Statement:

Perform risk mitigation on the following scenario:

You are managing a small software development project with a team of five developers. One of your critical risks is that a key developer might unexpectedly leave the project.

Background Study:
The report contains the following columns in an Excel file: assets, vulnerability, threat, threat severity, threat likelihood, risk, type of risk, risk severity, control and recommended control.
Asset: anything that has value to the organization.
Vulnerability: a weakness of an asset that can be exploited by one or more threats.
Threat: any action or event with the potential to cause harm.
Risk = threat × vulnerability on a particular asset.
Security controls are categorised in the following areas:
• Logical controls (e.g. protection of data, protection of network assets, protection of access to applications etc.)
• Physical controls (e.g. alarm systems, fire sensors, physical access control, surveillance etc.)
• Organisational controls (e.g. usage rules, administration procedures, process descriptions, definition of roles etc.)
• Personnel controls (e.g. sanctions, confidentiality clauses in contracts, training and awareness etc.)

Question Bank:

1. Mention controls that can substitute for the loss of primary controls and mitigate risk down to an acceptable level.
2. Which type of control protects transmitted data and information, as well as stored data, against unauthorized disclosure?
3. How does the least-cost approach affect risk mitigation strategy decisions?

Student Work Area



EXPERIMENT NO. 7

Student Name and Roll Number:

Semester /Section:

Link to Code:

Date:

Faculty Signature:

Marks:

Objective:

● Understand the different types of security controls: logical controls, physical controls, organisational controls and personnel controls

Outcome:

Students will be able to identify all the controls applicable to a given risk and recommend the specific control that mitigates it.

Problem Statement:

Perform risk mitigation on the following scenario of NCU:

NCU relies heavily on an online learning management system (LMS) for managing classes, assignments, and exams. A risk has been identified: the LMS server might go down during final exams, disrupting the examination process.

Background Study:
The report contains the following columns in an Excel file: assets, vulnerability, threat, threat severity, threat likelihood, risk, type of risk, risk severity, control and recommended control.
Asset: anything that has value to the organization.
Vulnerability: a weakness of an asset that can be exploited by one or more threats.
Threat: any action or event with the potential to cause harm.
Risk = threat × vulnerability on a particular asset.
Security controls are categorised in the following areas:
• Logical controls (e.g. protection of data, protection of network assets, protection of access to applications etc.)
• Physical controls (e.g. alarm systems, fire sensors, physical access control, surveillance etc.)
• Organisational controls (e.g. usage rules, administration procedures, process descriptions, definition of roles etc.)
• Personnel controls (e.g. sanctions, confidentiality clauses in contracts, training and awareness etc.)

Question Bank:

1. How do you prioritize risks for mitigation when resources are limited?
2. How can we balance the need for proactive mitigation with maintaining operational efficiency?
3. How do we ensure that mitigation strategies remain effective in a rapidly changing risk landscape?

Student Work Area



EXPERIMENT NO. 8

Student Name and Roll Number:

Semester /Section:

Link to Code:

Date:

Faculty Signature:

Marks:

Objective:

● Understand the different options of risk treatment: mitigation, transfer, avoidance and retention of risks

Outcome:

Students will be able to determine the residual risk and prepare an overall summary of risk management.

Problem Statement:
Design risk treatment and risk communication on the risk assessment report of NCU.

Background Study:
The report contains the following columns in an Excel file: assets, vulnerability, threat, threat severity, threat likelihood, risk, type of risk, risk severity, control, recommended control and residual risk.
Asset: anything that has value to the organization.
Vulnerability: a weakness of an asset that can be exploited by one or more threats.
Threat: any action or event with the potential to cause harm.
Risk = threat × vulnerability on a particular asset.
Options of risk treatment: mitigation, transfer, avoidance and retention of risks
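Carrying a scored register through the four treatment options, as an added Python example that is not the manual's own material: each entry's inherent risk is threat severity × threat likelihood on 1-5 scales (as in the earlier experiments), the chosen treatment (mitigate, transfer, avoid or retain) together with its recommended control yields a residual risk, and every residual above a stated risk appetite is listed for management acceptance, which is the point of the risk communication step. The numeric bands, the appetite threshold, the control-effectiveness figures and the sample NCU entries are all assumptions made for the example.

```python
# Added example (not from the lab manual): residual risk after treatment for
# the Experiment 8 report. Inherent risk = severity x likelihood (1-5 each).
# mitigate/transfer: the recommended control lowers severity and/or likelihood.
# avoid: the activity is stopped, so the likelihood becomes 0.
# retain: the risk is accepted unchanged.
# Bands, appetite, reductions and sample entries are assumptions for this example.
from dataclasses import dataclass

APPETITE = 6   # residual scores above this need explicit management acceptance


@dataclass
class TreatedRisk:
    asset: str
    threat: str
    severity: int                 # 1-5 inherent impact
    likelihood: int               # 1-5 inherent likelihood
    treatment: str                # mitigate | transfer | avoid | retain
    control: str = ""             # recommended control (required for mitigate/transfer)
    severity_reduction: int = 0   # how much the control lowers severity
    likelihood_reduction: int = 0 # how much the control lowers likelihood


def band(score: int) -> str:
    """Qualitative band for a 0-25 score (same bands as the inherent rating)."""
    if score >= 15:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def residual(r: TreatedRisk) -> tuple[int, int]:
    """Return (residual severity, residual likelihood) after the treatment."""
    if r.treatment == "avoid":
        return (r.severity, 0)          # threat can no longer materialise
    if r.treatment == "retain":
        return (r.severity, r.likelihood)
    if r.treatment in ("mitigate", "transfer"):
        if not r.control:
            raise ValueError(f"{r.treatment} needs a recommended control")
        # A control never drives a factor below 1: some risk always remains.
        sev = max(1, r.severity - r.severity_reduction)
        lik = max(1, r.likelihood - r.likelihood_reduction)
        return (sev, lik)
    raise ValueError(f"unknown treatment option: {r.treatment}")


def summarise(register: list[TreatedRisk]) -> list[dict]:
    """Build the report rows: inherent risk, residual risk and appetite check."""
    rows = []
    for r in register:
        sev, lik = residual(r)
        res = sev * lik
        rows.append({
            "asset": r.asset, "threat": r.threat, "treatment": r.treatment,
            "control": r.control, "inherent": r.severity * r.likelihood,
            "residual": res, "rating": band(res),
            "within_appetite": res <= APPETITE,
        })
    return rows


def needs_acceptance(register: list[TreatedRisk]) -> list[str]:
    """Assets whose residual risk still exceeds the appetite."""
    return [row["asset"] for row in summarise(register) if not row["within_appetite"]]


# Constructed sample entries for NCU (hypothetical values).
SAMPLE_REGISTER = [
    TreatedRisk("LMS server", "outage during final exams", 5, 3, "mitigate",
                "standby LMS server with automatic failover", severity_reduction=3),
    TreatedRisk("Student records database", "data breach", 5, 4, "mitigate",
                "patch management and database encryption",
                severity_reduction=1, likelihood_reduction=2),
    TreatedRisk("Campus internet link", "volumetric DDoS", 3, 3, "transfer",
                "ISP-provided DDoS scrubbing service", likelihood_reduction=2),
    TreatedRisk("Legacy FTP server", "credential sniffing", 4, 4, "avoid",
                "decommission the service"),
    TreatedRisk("Notice board website", "defacement", 2, 3, "retain"),
]


if __name__ == "__main__":
    for row in summarise(SAMPLE_REGISTER):
        flag = "" if row["within_appetite"] else "  <- needs acceptance"
        print(f'{row["asset"]:<26}{row["treatment"]:<9}'
              f'inherent {row["inherent"]:>2} -> residual {row["residual"]:>2} '
              f'({row["rating"]}){flag}')
```

The summary is what the risk communication step hands to management: the database breach drops from 20 to 8 after patching and encryption but is still above the appetite of 6, so it is the one entry that needs a signed acceptance or a stronger control; the other four land within appetite.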

Question Bank:

1. What is residual risk?
2. What are the direct and indirect methods of risk treatment?

Student Work Area



EXPERIMENT NO. 9

Student Name and Roll Number:

Semester /Section:

Link to Code:

Date:

Faculty Signature:

Marks:

Objective:

● Understand the ISO 27001 and ISO 27002 audit domains

Outcome:

Students will be able to determine the residual risk and prepare an overall summary of risk management.

Problem Statement:
Design an ISO audit report on NCU.

Background Study:
The report contains the following columns in an Excel file: assets, vulnerability, threat, threat severity, threat likelihood, risk, type of risk, risk severity, control, recommended control and residual risk.
Asset: anything that has value to the organization.
Vulnerability: a weakness of an asset that can be exploited by one or more threats.
Threat: any action or event with the potential to cause harm.
Risk = threat × vulnerability on a particular asset.
Options of risk treatment: mitigation, transfer, avoidance and retention of risks

Question Bank:

1. What is an ISMS?
2. What are the differences between security and privacy?
3. What are the key benefits of ISO 27001?
4. What do you mean by incident management?

Student Work Area



EXPERIMENT NO. 10

Student Name and Roll Number:

Semester /Section:

Link to Code:

Date:

Faculty Signature:

Marks:

Objective:

To assess the governance and management of IT during the implementation of a new Student
Information System (SIS) at a university, using the COBIT framework. This audit aims to ensure
effective alignment of IT goals with institutional objectives, risk mitigation, and optimized resource
utilization.
Outcome:

Students will be able to evaluate the alignment of IT processes with business goals, identify gaps in controls, and recommend improvements to enhance compliance, security, and operational efficiency.
Problem Statement:

Conduct an Audit using the COBIT framework for a given scenario in university. The university is
implementing a new Student Information System (SIS) to manage admissions, course registrations,
grades, and student records. The audit will assess the governance and management of IT during this
implementation.

Background Study:

The Control Objectives for Information and Related Technology (COBIT) framework is a globally
recognized framework for managing and governing enterprise IT. It provides a comprehensive set
of practices, tools, and metrics designed to help organizations align IT strategies with business
objectives.

Key components of COBIT include:

● Governance Objectives: Focused on ensuring stakeholder needs are evaluated, agreed upon, and addressed.
● Management Objectives: Concerned with planning, building, running, and monitoring IT processes to achieve business goals.
● Domains: Divided into five domains: Evaluate, Direct, and Monitor (EDM); Align, Plan, and Organize (APO); Build, Acquire, and Implement (BAI); Deliver, Service, and Support (DSS); and Monitor, Evaluate, and Assess (MEA).

Question Bank:

1. How does the university ensure alignment between SIS project goals and institutional
objectives?
2. What mechanisms are in place to evaluate and manage stakeholder expectations regarding
the SIS implementation?
3. How does the university’s governing body oversee IT investments related to the SIS?
4. How are human, financial, and technical resources allocated and managed for the SIS
project?
5. What KPIs are used to monitor IT performance related to the SIS?

Student Work Area



EXPERIMENT NO. 11

Student Name and Roll Number:

Semester /Section:

Link to Code:

Date:

Faculty Signature:

Marks:

Objective:

To analyze a real-world cybersecurity incident, identify the challenges faced during the response phase, and provide insights into how such incidents can be better managed in the future.

Outcome:

Students will be able to deliver a comprehensive summary of the cybersecurity incident, highlighting the key challenges encountered during response efforts, and provide recommendations to enhance incident response planning and execution.

Problem Statement:

Study a real-world cyber security incident and summarize the challenges faced during response.

Background Study:

Cybersecurity incidents are increasingly prevalent, impacting organizations globally. A thorough understanding of such incidents is crucial to developing robust response strategies.

Key aspects of cybersecurity incidents include:

● Nature of the Attack: Understanding the type (e.g., ransomware, phishing, denial of service) and scope of the attack.
● Challenges During Response: Identifying issues like delayed detection, lack of coordination, insufficient resources, and communication gaps.
● Mitigation Measures: Exploring how organizations address vulnerabilities and recover from the attack.

By studying real-world incidents, we can extract lessons to bolster future defenses and responses.

Question Bank:

1. What vulnerabilities were exploited during the attack?
2. How was the attack initially detected?
3. What teams or departments were involved in the response effort, and how was coordination managed?
4. Were third-party vendors or external security experts involved, and how effective was their contribution?

Student Work Area
