ISMS-FORM-06-1 Asset-Based RAT Tool

Please note: This sample shows only a small part of the complete Assessment and Treatment tool. Not all columns are shown in the table below.

Asset-Based Risk Assessment and Treatment Tool

Start with your most valuable assets and the most likely threats that will cause the highest impact.

The register in this sample has 20 empty rows (Ref 1 to 20). Fields chosen from a drop-down list appear as "Select…"; fields the tool fills in itself appear as "Calculated". The columns shown are:

RISK DESCRIPTION
  Ref
  Asset Group (Select…)
  Asset
  Threat
  Vulnerability
  Risk Type
  Risk Owner (Select…)

PRE-TREATMENT ASSESSMENT
  Existing Controls
  Likelihood (Select…)
  Likelihood Rationale
  Impact (Select…)
  Impact Rationale
  Risk Score (Calculated)
  Risk Level (Calculated)

The tool's column filters also show a Treatment Option column (Select…), which is not included in this sample.




Examples of Assets

The following is an initial list of typical assets that may be used as guidance for your risk assessment. Note: information assets should be captured in more detail in the Information Asset Inventory.

ASSET GROUP: Business activities
  Business-critical activities
  Supporting activities
  Compliance

ASSET GROUP: Information

  SUB-CATEGORY: Cloud customer data
    Personally identifiable information (PII)
    Non-PII

  SUB-CATEGORY: Corporate
    Budgets
    Sales forecasts
    Corporate plans
    Corporate policies

  SUB-CATEGORY: Sales and Marketing
    Customer records - names, addresses, contacts
    Customer credit card information
    Customer bank details e.g. Direct Debits
    Website information
    Customer preferences and purchase history
    Customer correspondence and complaints

  SUB-CATEGORY: Human Resources
    Employee records - address, DOB, insurance numbers
    Employee expense claims
    Payroll information, including bank details
    Training records
    Recruitment information
    Security clearance/check information
    Employee complaints/disciplinary records
    Sickness/occupational health records
    Employment contracts

  SUB-CATEGORY: Finance
    Accounting records - invoices, bills, accounts
    Business account banking details

  SUB-CATEGORY: Buying
    Supplier contact details
    Buying plans
    Commercial terms

  SUB-CATEGORY: Legal
    Supplier contracts
    Customer contracts
    Property leases
    Credit agreements
    Insurance policies

  SUB-CATEGORY: Operations
    Documents held on behalf of customers
    Product specifications and bills of materials
    Process and procedural documentation
    Intellectual Property specific to the organisation
    Resource plans

  SUB-CATEGORY: Audit and Compliance
    Internal audit records
    External audit reports
    Risk assessments


Examples of Threats

The following is a standard list of typical threats that may be used as guidance for your risk assessment. Each entry gives the THREAT CATEGORY, the THREAT and an EXAMPLE.

Human
  Malicious outsider: Someone launches a denial of service attack on your cloud service platform
  Malicious insider: An employee or trusted third party accesses cardholder data in an unauthorised manner from inside your network
  Loss of key personnel: One or more people with key skills or knowledge are unavailable, perhaps due to extended sickness
  Human error: An employee accidentally deletes cardholder data
  Accidental loss: A manager loses a memory stick with cardholder data on it

Natural
  Fire: Your data centre burns down due to an electrical fault
  Flood: The nearby river breaks its banks and your main office is severely flooded
  Severe weather: No-one can get into the office due to the weather
  Earthquake: The area of your main data centre is affected by an earth tremor that damages all your servers
  Lightning: All your servers are fried by a lightning strike on the data centre building

Technical
  Hardware failure: A key physical server has a processor failure
  Software failure: Your financial system processes invoices incorrectly due to a bug
  Virus/Malicious code: A virus spreads throughout your network, preventing access to your (and your customers') data

Physical
  Sabotage: A disgruntled ex-employee takes an axe to your server room
  Theft: You come in on Monday morning to find some important drives have been stolen
  Arson: Someone with a grudge against your organisation starts a fire during the night

Environmental
  Hazardous waste: A lorry carrying hazardous waste has an accident outside your office
  Power failure: The sub-station supplying your area has a meltdown
  Gas supply failure: There is a suspected leak and all supplies are turned off

Operational
  Process error: Your new data transfer procedure doesn't cater for unexpected circumstances and cardholder data is lost or sent to the wrong destination
  Crime scene: A crime happens in or near your office and the area is sealed off by police


Classification of Risk Level

The chart below shows the rating scheme used to determine risk level based on a combination of likelihood and impact.

[Chart: RISK SCORE matrix. Vertical axis: Risk Likelihood, 1 to 5. Horizontal axis: Risk Impact, 1 to 5. Cells are shaded LOW, MEDIUM or HIGH according to the combination of likelihood and impact.]
