Example risk assessment and treatment tool

Assessment Details (with completion guidance)

Security Classification: Confidential
  Guidance: insert the classification.

Risk Assessment Title: Initial risk assessment of key information assets.
  Guidance: short, descriptive title.

Risk Assessment Scope: Customer information assets, particularly those containing personal data.
  Guidance: describe the scope of the risk assessment, e.g. location, process, assets.

Context of Risk Assessment: Increasing legislation surrounding the protection of personal data, such as the GDPR.
  Guidance: describe the general environment in which the assessment is carried out and the internal and external factors affecting it.

Risk Acceptance Criteria: Risks at a level rated LOW may be accepted.
  Guidance: set out the factors which will make a risk acceptable and therefore not require treatment.

Version: 1
  Guidance: start at Version 1.

Dated: 28 Nov 20xx
  Guidance: date the assessment was carried out.

Risk Assessor(s): A. N. Other
  Guidance: name and title of person(s) carrying out the risk assessment.

Risk Assessment Participants: Marketing Manager, Chief Information Officer
  Guidance: names and titles of people contributing to the risk assessment.

Approval: Chief Operating Officer
  Guidance: name and title of approver.

Date Approved: 3 Dec 20xx
  Guidance: date the assessment was approved.


Asset-Based Risk Assessment and Treatment Tool

Start with your most valuable assets and the most likely threats that will cause the highest impact. Please note: not all columns are shown; the treatment column is only partly visible, and the option shown in it is Modify.

Ref. 1
  Asset: Cloud customer data
  Threat: Malicious outsider hacking into the network and stealing data
  Vulnerabilities: Customer data is accessible from the Internet
  Risk Type: Confidentiality
  Risk Owner: Marketing Manager
  Existing Controls: Firewall, IDS, access control, anti-virus
  Likelihood: 3 (We are a well known company and a target for hacktivists and cyber gangs)
  Impact: 4 (Major impact to reputation if breach made public, resulting in significant loss of revenue)
  Risk Score (pre-treatment): 12
  Risk Level: HIGH

Ref. 2
  Asset: Customer records
  Threat: Malicious insider changes records as part of financial fraud
  Vulnerabilities: Many employees have access to the records
  Risk Type: Integrity
  Risk Owner: Marketing Manager
  Existing Controls: Admin access limited to key staff
  Likelihood: 3 (Large number of employees have access to the records)
  Impact: 3 (Scope for financial loss is limited)
  Risk Score (pre-treatment): 9
  Risk Level: MEDIUM

Ref. 3
  Asset: Customer records
  Threat: Hardware failure prevents access to records
  Vulnerabilities: Customer database held on a single server
  Risk Type: Availability
  Risk Owner: Chief Information Officer
  Existing Controls: Nightly backups are made
  Likelihood: 4 (Server has failed twice in the last 12 months)
  Impact: 4 (Lack of access to customer records impacts repeat business and support operations)
  Risk Score (pre-treatment): 16
  Risk Level: HIGH

Scenario-Based Risk Assessment and Treatment Tool

Start with the risks that are felt to have the highest likelihood and impact combination first. Please note: not all columns are shown; the treatment column is only partly visible, and the option shown in it is Modify.

Ref. 1
  Risk Summary: Hacker steals sensitive data
  Risk Description: Malicious outsider hacking into the network and stealing sensitive information such as customer PII
  Risk Type: Confidentiality
  Risk Owner: Marketing Manager
  Existing Controls: Firewall, IDS, access control, anti-virus
  Likelihood: 3 (We are a well known company and a target for hacktivists and cyber gangs)
  Impact: 4 (Major impact to reputation if breach made public, resulting in significant loss of revenue)
  Risk Score (pre-treatment): 12
  Risk Level: HIGH

Ref. 2
  Risk Summary: Financial fraud by insider
  Risk Description: Malicious insider changes records as part of financial fraud, e.g. customer or supplier information
  Risk Type: Integrity
  Risk Owner: Marketing Manager
  Existing Controls: Admin access limited to key staff
  Likelihood: 3 (Large number of employees have access to the records)
  Impact: 3 (Scope for financial loss is limited)
  Risk Score (pre-treatment): 9
  Risk Level: MEDIUM

Ref. 3
  Risk Summary: Hardware failure of key server
  Risk Description: Hardware failure prevents access to key business information such as customer database records
  Risk Type: Availability
  Risk Owner: Chief Information Officer
  Existing Controls: Nightly backups are made
  Likelihood: 4 (Server has failed twice in the last 12 months)
  Impact: 4 (Lack of access to customer records impacts repeat business and support operations)
  Risk Score (pre-treatment): 16
  Risk Level: HIGH

Opportunity Assessment and Action Planning Tool

This is an assessment of the opportunities that may occur and what could be done to capitalize on them. Opportunities are uncertainties that are likely to have a positive effect (unlike risks, which are likely to have a negative effect). Please note: not all columns are shown.

Ref. 1
  Opportunity Summary: Increase in funding for information security
  Opportunity Description: Possibly due to an internal or external event, more money is made available to address information security within the organization.
  Opportunity Type: Financial
  Opportunity Owner: CISO
  Likelihood: 3 (The expectation of a major breach within our industry is high.)
  Impact: 3 (Several control areas are currently underfunded and would benefit from more money.)
  Opportunity Score: 9
  Opportunity Level: MEDIUM

Ref. 2
  Opportunity Summary: Better AI improves intrusion detection and prevention
  Opportunity Description: Advances in Artificial Intelligence may make IDS and IPS tools more effective.
  Opportunity Type: Technical
  Opportunity Owner: CIO
  Likelihood: 4 (The pace of change in AI has accelerated recently.)
  Impact: 4 (One of our biggest problems is finding out if we have been breached.)
  Opportunity Score: 16
  Opportunity Level: HIGH

Ref. 3
  Opportunity Summary: Merger or Acquisition
  Opportunity Description: Our organization merges with another that has newer infrastructure and access to better security tools.
  Opportunity Type: Organizational
  Likelihood: 3 (Several deals are rumoured to be under discussion.)
  Impact: 3 (There may be better access to tools and skills.)
  Opportunity Score: 9
  Opportunity Level: MEDIUM

ISO/IEC 27001 Annex A, ISO/IEC 27017 and ISO/IEC 27018 Reference Controls and Example Risks

The following list shows each of the reference controls and gives examples of the types of risks that they may be used to treat. You may use this table to help identify relevant risks for your organization and to define where the controls from Annex A of ISO/IEC 27001 are applicable. The control numbering below is that of ISO/IEC 27001:2013 Annex A; ISO/IEC 27001:2022 regrouped and renumbered these controls. Note: ISO/IEC 27017 controls apply to cloud service customers as well as cloud service providers; ISO/IEC 27018 controls will generally only apply if your organization processes PII as a public cloud service provider (CSP).

Control: A.5 Information security policies
  A.5.1 Management direction for information security
  A.5.1.1 Policies for information security
    Example risk(s): It is not clear what the organization's rules are for managing information security. Employees and others aren't aware of what they should be doing to protect the organization.
  A.5.1.2 Review of the policies for information security
    Example risk(s): Policies are out of date and do not reflect the organization's business or technical setup. New threats have emerged that need to be addressed in policies.

Control: A.6 Organization of information security
  A.6.1 Internal organization
  A.6.1.1 Information security roles and responsibilities
    Example risk(s): It is not clear who should be doing what with respect to information security.
  A.6.1.2 Segregation of duties
    Example risk(s): An individual is able to commit fraud because they are able to perform all of the steps required to enable the fraud. Checks are insufficient to prevent accidental amendment or destruction of data.
  A.6.1.3 Contact with authorities
    Example risk(s): The organization is unaware of its legal or regulatory responsibilities and may break the law without realising it.
  A.6.1.4 Contact with special interest groups
    Example risk(s): The organization lacks up to date knowledge of information security issues such as current threats, new controls and other relevant information.
  A.6.1.5 Information security in project management
    Example risk(s): Information gathered and created during projects is not adequately protected.
  A.6.2 Mobile devices and teleworking
  A.6.2.1 Mobile device policy
    Example risk(s): Data held on mobile devices is compromised through loss or theft of the device, or unauthorised access.
  A.6.2.2 Teleworking
    Example risk(s): A teleworking site does not meet the information security standards ensured at main locations and data is exposed to loss or theft.



Example Assets

The following is an initial list of typical assets that may be used as guidance for your risk assessment (if you choose to carry out an asset-based risk assessment). Note: information assets should be captured in more detail in the Information Asset Inventory.

Asset Category: Information

Sub-Category: Cloud customer data
  Personally identifiable information (PII)
  Non-PII

Sub-Category: Corporate
  Budgets
  Sales forecasts
  Corporate plans
  Corporate policies

Sub-Category: Sales and Marketing
  Customer records - names, addresses, contacts
  Customer credit card information
  Customer bank details e.g. Direct Debits
  Website information
  Customer preferences and purchase history
  Customer correspondence and complaints

Sub-Category: Human Resources
  Employee records - address, DOB, insurance numbers
  Employee expense claims
  Payroll information, including bank details
  Training records
  Recruitment information
  Security clearance/check information
  Employee complaints/disciplinary records
  Sickness/occupational health records
  Employment contracts

Example Threats

The following is a standard list of typical threats that may be used as guidance for your risk assessment.

Threat Category: Human
  Malicious outsider: Someone launches a denial of service attack on your cloud service platform
  Malicious insider: An employee or trusted third party accesses information in an unauthorised manner from inside your network
  Loss of key personnel: One or more people with key skills or knowledge are unavailable, perhaps due to extended sickness
  Human error: An employee accidentally deletes customer data
  Accidental loss: A manager loses a memory stick with customer bank details on it

Threat Category: Natural
  Fire: Your data centre burns down due to an electrical fault
  Flood: The nearby river breaks its banks and your main office is severely flooded
  Severe weather: No one can get into the office due to the weather
  Earthquake: The area of your main data centre is affected by an earth tremor that damages all your servers
  Lightning: All your servers are fried by a lightning strike on the data centre building

Threat Category: Technical
  Hardware failure: A key physical server has a processor failure
  Software failure: Your financial system processes invoices incorrectly due to a bug
  Virus/Malicious code: A virus spreads throughout your network preventing access to your (and your customers') data

Threat Category: Physical
  Sabotage: A disgruntled ex-employee takes an axe to your server room
  Theft: You come in on Monday morning to find some important drives have been stolen
  Arson: Someone with a grudge against your organisation starts a fire during the night

Classification of Risk Level

The chart below shows the rating scheme used to determine risk level based on a combination of likelihood and impact.

[Chart: a 5 x 5 matrix with Risk Likelihood (1 to 5) on the vertical axis and Risk Impact (1 to 5) on the horizontal axis. Each cell holds the risk score, and the matrix is shaded into three bands: LOW in the low-likelihood, low-impact corner, MEDIUM in the middle, and HIGH in the high-likelihood, high-impact corner.]

As the worked examples above show, the risk score is the product of likelihood and impact (3 x 4 = 12, rated HIGH; 3 x 3 = 9, rated MEDIUM; 4 x 4 = 16, rated HIGH), and under the acceptance criteria only risks rated LOW may be accepted without treatment.
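As an added example (not part of the template), the following Python implements the scheme above: score = likelihood x impact on the 5 x 5 matrix, banding into LOW, MEDIUM and HIGH, the acceptance criteria from the Assessment Details (only LOW may be accepted), ranking for treatment priority, and re-scoring after a proposed treatment. The same product rule scores the opportunities (16 is HIGH, 9 is MEDIUM). The band cut-offs (LOW up to 4, MEDIUM 5 to 9, HIGH 10 and above) are an assumption chosen to agree with the page's examples; the page itself does not state them. The three risks are the page's worked rows, and the post-treatment likelihood of 1 used for risk 3 is a hypothetical value.

```python
"""Risk scoring for the 5x5 likelihood x impact matrix used by the tool.

Added example, not part of the original template. The product rule
(score = likelihood x impact) and the three worked risks come from the
page; the band cut-offs LOW_MAX / MEDIUM_MAX are an ASSUMPTION chosen to
agree with the page's examples (9 -> MEDIUM, 12 and 16 -> HIGH).
"""
from dataclasses import dataclass

SCALE = range(1, 6)            # both likelihood and impact are rated 1..5
LOW_MAX = 4                    # assumption: scores 1-4 are LOW
MEDIUM_MAX = 9                 # assumption: scores 5-9 are MEDIUM, 10-25 HIGH
ACCEPTABLE_LEVELS = {"LOW"}    # page: "Risks at a level rated LOW may be accepted"


@dataclass(frozen=True)
class Risk:
    ref: int
    summary: str
    risk_type: str      # Confidentiality / Integrity / Availability
    owner: str
    likelihood: int
    impact: int


def risk_score(likelihood: int, impact: int) -> int:
    """Score = likelihood x impact; both must be on the 1..5 scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if value not in SCALE:
            raise ValueError(f"{name} must be 1..5, got {value!r}")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Map a score onto the LOW / MEDIUM / HIGH bands (cut-offs assumed)."""
    if score <= LOW_MAX:
        return "LOW"
    if score <= MEDIUM_MAX:
        return "MEDIUM"
    return "HIGH"


def treatment_required(level: str) -> bool:
    """Apply the acceptance criteria: anything not LOW needs a treatment plan."""
    return level not in ACCEPTABLE_LEVELS


def risk_matrix() -> dict:
    """Full 5x5 matrix {(likelihood, impact): level}, for a chart or a sanity check."""
    return {(lk, im): risk_level(risk_score(lk, im)) for lk in SCALE for im in SCALE}


def assess(risks):
    """Score every risk and return them in treatment priority (highest score first)."""
    rows = []
    for r in risks:
        score = risk_score(r.likelihood, r.impact)
        level = risk_level(score)
        rows.append({"ref": r.ref, "summary": r.summary, "owner": r.owner,
                     "score": score, "level": level,
                     "treat": treatment_required(level)})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def residual_level(risk: Risk, new_likelihood: int, new_impact: int) -> tuple:
    """Re-score a risk after a proposed treatment; returns (score, level, accepted)."""
    score = risk_score(new_likelihood, new_impact)
    level = risk_level(score)
    return score, level, not treatment_required(level)


# The three risks from the page's worked example.
EXAMPLE_RISKS = [
    Risk(1, "Hacker steals sensitive data", "Confidentiality", "Marketing Manager", 3, 4),
    Risk(2, "Financial fraud by insider", "Integrity", "Marketing Manager", 3, 3),
    Risk(3, "Hardware failure of key server", "Availability", "Chief Information Officer", 4, 4),
]

if __name__ == "__main__":
    for row in assess(EXAMPLE_RISKS):
        flag = "treat" if row["treat"] else "accept"
        print(f"{row['ref']}  {row['summary']:<32} {row['score']:>2}  {row['level']:<6} {flag}")
    # Hypothetical treatment for risk 3: clustering the database server is
    # assumed to cut likelihood from 4 to 1; impact is unchanged at 4.
    print("risk 3 after treatment:", residual_level(EXAMPLE_RISKS[2], 1, 4))
```

Running the script lists the three risks in priority order (16, 12, 9), all flagged for treatment, and shows that the hypothetical treatment brings risk 3 to a score of 4, which is LOW under the assumed cut-offs and therefore meets the acceptance criteria. Because the cut-offs are constants, replace them with your organisation's own chart values before relying on the output.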

