ISMS-FORM-06-1 Asset-Based RAT Tool


Risk Assessment and Treatment Tool

PRE-TREATMENT ASSESSMENT

Please note: This sample shows only a small part of the complete Assessment and Treatment tool. Not all columns are shown in the table below.

Asset-Based: Start with your most valuable assets and the most likely threats that will cause the highest impact. To refresh chart data on the risk dashboard, click on "Refresh All" on the Data ribbon.

Columns: Ref | Asset Group | Asset | Threat | Vulnerability | Risk Type | Risk Owner | Existing Controls | Likelihood | Likelihood Rationale | Impact | Impact Rationale | Risk Score | Risk Level

Rows 1 to 20 of the sample are blank: three drop-down columns show "Select…", and the Risk Score and Risk Level columns show "Calculated" (they are derived from the Likelihood and Impact values entered).

RISK DESCRIPTION (summary): Risk Owner: (blank) | Risk Level: Calculated | Treatment Option: Select…

Not all rows are shown in the table below.

ISO/IEC 27001 Annex A Reference Controls

The following list of reference controls is used within the risk assessment worksheets.

REF

A.5 Organizational controls
A.5.1 Policies for information security
A.5.2 Information security roles and responsibilities
A.5.3 Segregation of duties
A.5.4 Management responsibilities
A.5.5 Contact with authorities
A.5.6 Contact with special interest groups
A.5.7 Threat intelligence
A.5.8 Information security in project management
A.5.9 Inventory of information and other associated assets
A.5.10 Acceptable use of information and other associated assets
A.5.11 Return of assets
A.5.12 Classification of information
A.5.13 Labelling of information
A.5.14 Information transfer
A.5.15 Access control
A.5.16 Identity management
A.5.17 Authentication information
A.5.18 Access rights
A.5.19 Information security in supplier relationships
A.5.20 Addressing information security within supplier agreements
A.5.21 Managing information security in the ICT supply chain
A.5.22 Monitoring, review and change management of supplier services
A.5.23 Information security for use of cloud services
A.5.24 Information security incident management planning and preparation
A.5.25 Assessment and decision on information security events
A.5.26 Response to information security incidents
A.5.27 Learning from information security incidents
A.5.28 Collection of evidence
A.5.29 Information security during disruption
A.5.30 ICT readiness for business continuity
A.5.31 Legal, statutory, regulatory and contractual requirements
A.5.32 Intellectual property rights
A.5.33 Protection of records
A.5.34 Privacy and protection of PII
A.5.35 Independent review of information security
A.5.36 Compliance with policies, rules and standards for information security
A.5.37 Documented operating procedures

Not all rows are shown in the table below.

Asset | Threat | Vulnerability | Risk Type | Control Examples

The following list shows a list of assets, with associated threats and vulnerabilities, risk type and the Annex A controls that might be used to treat them. You may use this table to help to identify relevant risks for your organization and to define where the controls from Annex A of ISO/IEC 27001 are applicable.

REF | EXAMPLE ASSET GROUP | EXAMPLE THREAT(S) | EXAMPLE VULNERABILITY | RISK TYPE(S) | ANNEX A CONTROL

1 | Organization | It is not clear what the organization's rules are for managing information security. Employees and others aren't aware of what they should be doing to protect the organization | Policies either don't exist or don't cover the required areas | Availability | A.5.1 Policies for information security

2 | Organization | New threats have emerged that need to be addressed in policies | Policies are out of date, do not reflect the organization's business or technical setup | Confidentiality, Integrity and Availability | A.5.1 Policies for information security

3 | Organization | It is not clear who should be doing what with respect to information security | Roles and responsibilities for information security have not been clearly defined | Confidentiality | A.5.2 Information security roles and responsibilities

4 | Business activities | An individual is able to perform all of the steps required to perform a sensitive business process. Checks are insufficient to prevent accidental amendment or destruction of data | Processes have not been designed to limit the scope for deliberate or accidental actions | Confidentiality, Integrity and Availability | A.5.3 Segregation of duties

5 | Organization | The organization is unaware of their legal or regulatory responsibilities and may break the law without realising it | No contact is in place with bodies who may impose requirements on our organisation | Confidentiality and Availability | A.5.5 Contact with authorities

6 | Business activities | The organization lacks up-to-date knowledge of information security issues such as current threats, new controls and other relevant information | No budget is currently available for attendance at conferences, seminars and training events | Confidentiality, Integrity and Availability | A.5.6 Contact with special interest groups

7 | Organization | Information gathered and created during projects is not adequately protected | Project document stores are set up ad hoc and often outside of more formal access controls | Confidentiality | A.5.8 Information security in project management

8 | Information | Data held on mobile devices is prone to loss or theft of the device, or unauthorised access | No guidance is given to employees about how to protect their mobile devices | Confidentiality | A.8.1 User endpoint devices

9 | Physical/Site | A teleworking site does not meet the information security standards ensured at main locations and data is exposed to loss or theft | Teleworking arrangements are informal and no checking is done of the environment in place | Confidentiality | A.6.7 Remote working

10 | Business activities | It is not clear who does what with respect to cloud security and one party (e.g. cloud service customer) is under the impression that the other (e.g. cloud service provider) is monitoring a particular aspect | No split of responsibilities is agreed as part of the cloud take-on service | Availability | A.5.23 Information security for use of cloud services

Not all rows are shown in the table below.

Examples of Assets

The following is an initial list of typical assets that may be used as guidance for your risk assessment.

Note: information assets should be captured in more detail in the Information Asset Inventory.

ASSET GROUP | SUB-CATEGORY | ASSET

Business activities
  Business-critical activities
  Supporting activities
  Compliance

Information
  Cloud customer data: Personally identifiable information (PII); Non-PII
  Corporate: Budgets; Sales forecasts; Corporate plans; Corporate policies
  Sales and Marketing: Customer records (names, addresses, contacts); Customer credit card information; Customer bank details (e.g. Direct Debits); Website information; Customer preferences and purchase history; Customer correspondence and complaints
  Human Resources: Employee records (address, DOB, insurance numbers); Employee expense claims; Payroll information, including bank details; Training records; Recruitment information; Security clearance/check information; Employee complaints/disciplinary records; Sickness/occupational health records; Employment contracts
  Finance: Accounting records (invoices, bills, accounts); Business account banking details
  Buying: Supplier contact details; Buying plans; Commercial terms
  Legal: Supplier contracts; Customer contracts; Property leases; Credit agreements; Insurance policies
  Operations: Documents held on behalf of customers; Product specifications and bills of materials; Process and procedural documentation; Intellectual property specific to the organisation; Resource plans
  Audit and Compliance: Internal audit records; External audit reports; Risk assessments

Examples of Threats

The following is a standard list of typical threats that may be used as guidance for your risk assessment.

THREAT CATEGORY | THREAT | EXAMPLE

Human | Malicious outsider | Someone launches a denial of service attack on your cloud service platform
Human | Malicious insider | An employee or trusted third party accesses cardholder data in an unauthorised manner from inside your network
Human | Loss of key personnel | One or more people with key skills or knowledge are unavailable, perhaps due to extended sickness
Human | Human error | An employee accidentally deletes cardholder data
Human | Accidental loss | A manager loses a memory stick with cardholder data on it

Natural | Fire | Your data centre burns down due to an electrical fault
Natural | Flood | The nearby river breaks its banks and your main office is severely flooded
Natural | Severe weather | No one can get into the office due to the weather
Natural | Earthquake | The area of your main data centre is affected by an earth tremor that damages all your servers
Natural | Lightning | All your servers are fried by a lightning strike on the data centre building

Technical | Hardware failure | A key physical server has a processor failure
Technical | Software failure | Your financial system processes invoices incorrectly due to a bug
Technical | Virus/Malicious code | A virus spreads throughout your network, preventing access to your (and your customers') data

Physical | Sabotage | A disgruntled ex-employee takes an axe to your server room
Physical | Theft | You come in on Monday morning to find some important drives have been stolen
Physical | Arson | Someone with a grudge against your organisation starts a fire during the night

Environmental | Hazardous waste | A lorry carrying hazardous waste has an accident outside your office
Environmental | Power failure | The sub-station supplying your area has a meltdown
Environmental | Gas supply failure | There is a suspected leak and all supplies are turned off

Operational | Process error | Your new data transfer procedure doesn't cater for unexpected circumstances and cardholder data is lost or sent to the wrong destination
Operational | Crime scene | A crime happens in or near your office and the area is sealed off by police

Likelihood

This table should be used to decide upon the most appropriate likelihood for a particular threat.

LIKELIHOOD DESCRIPTION SUMMARY

1 Improbable Has never happened before and there is no reason to think it is any more likely now

2 Unlikely There is a possibility that it could happen, but it probably won't

3 Likely On balance, the risk is more likely to happen than not

4 Very Likely It would be a surprise if the risk did not occur either based on past frequency or current circumstances

5 Almost certain Either already happens regularly or there is some reason to believe it is virtually imminent

Impact

This table should be used as guidance to help to decide upon the correct impact rating for a particular threat. The first two columns give the IMPACT LEVEL; the remaining columns describe the IMPACT AREAS.

Impact rating | General description | Effect on customers | Financial cost | Health and Safety | Damage to reputation | Legal, Contractual and Organizational Compliance

1 | Negligible | No effect | Very little or none | Very small additional risk | Negligible | No implications
2 | Slight | Some local disturbance to normal business operations | Some | Within acceptable limits | Slight | Small risk of not meeting compliance
3 | Moderate | Can still deliver product/service with some difficulty | Unwelcome but could be borne | Elevated risk requiring immediate attention | Moderate | In definite danger of operating illegally
4 | High | Business is crippled in key areas | Severe effect on income and/or profit | Significant danger to life | High | Operating illegally in some areas
5 | Very High | Out of business; no service to customers | Crippling; the organisation will go out of business | Real or strong potential loss of life | Very High | Severe fines and possible imprisonment of staff
ISO/IEC 27001 Asset-based risk assessment and treatment tool dashboard

To refresh chart data on the risk dashboard, click on "Refresh All" on the Data ribbon.

Classification of risk level (risk profile diagram): the chart below shows the rating scheme used to determine risk level based on a combination of likelihood and impact. Each cell holds the risk score, which is likelihood multiplied by impact, and the resulting level. LIKELIHOOD: What are the chances of the risk event happening? IMPACT: How major could the consequences be if the risk event happened? Note that the dashboard's axis labels differ from the wording used in the Likelihood and Impact tables above; the numeric 1 to 5 scales are the same.

Likelihood \ Impact | INSIGNIFICANT 1 | MINOR 2 | SIGNIFICANT 3 | MAJOR 4 | SEVERE 5
ALMOST CERTAIN 5 | MEDIUM 5 | MEDIUM 10 | HIGH 15 | HIGH 20 | HIGH 25
LIKELY 4 | LOW 4 | MEDIUM 8 | HIGH 12 | HIGH 16 | HIGH 20
MODERATE 3 | LOW 3 | MEDIUM 6 | MEDIUM 9 | HIGH 12 | HIGH 15
UNLIKELY 2 | LOW 2 | LOW 4 | MEDIUM 6 | MEDIUM 8 | MEDIUM 10
RARE 1 | LOW 1 | LOW 2 | LOW 3 | LOW 4 | MEDIUM 5

Reading the matrix, a score of 4 or less is Low, 5 to 10 is Medium and 12 or more is High.

Pre-treatment assessment and Post-treatment assessment: the charts show the spread of risk severities before and after risk treatment. In this sample all counts are zero or "Calculated" because no risks have been entered. Charts on the dashboard:

Number of pre-treatment risks (Low / Medium / High)
Number of post-treatment risks (Low / Medium / High)
Pre-treatment risk levels by risk owner
Number of risks by risk level pre and post treatment
Risks by treatment option chosen
Total treatment cost by risk level
Treatment plan: treatment action owner
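The tool's "Calculated" columns and the heat map are a spreadsheet; the following is an added Python re-implementation of that scoring, written for this page and not part of the original tool. It multiplies likelihood by impact, applies the Low/Medium/High bands read off the matrix above (Low up to 4, Medium 5 to 10, High from 12), rebuilds the 5x5 matrix so the bands can be checked against the page, and counts a small register pre and post treatment the way the dashboard bars do. The register entries, the `Risk` class and the function names are constructed for the example; the scales and thresholds are the page's.

```python
"""Risk scoring from the ISO 27001 asset-based RAT heat map, re-implemented.

Added example: score = likelihood x impact on 1..5 scales; the Low/Medium/High
bands are read off the 5x5 matrix on the page. Everything else here (the Risk
class, the sample register) is constructed for illustration.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Dashboard axis labels from the page, indexed by the 1..5 scale value.
LIKELIHOOD_LABEL = {1: "Rare", 2: "Unlikely", 3: "Moderate", 4: "Likely", 5: "Almost certain"}
IMPACT_LABEL = {1: "Insignificant", 2: "Minor", 3: "Significant", 4: "Major", 5: "Severe"}


def risk_score(likelihood: int, impact: int) -> int:
    """Score = likelihood x impact. Rejects anything outside the 1..5 scales,
    which a spreadsheet drop-down would also prevent."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if type(value) is not int or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Band thresholds taken from the matrix: 4 -> LOW, 5 -> MEDIUM,
    10 -> MEDIUM, 12 -> HIGH (11 is not a product of two 1..5 values)."""
    if score <= 4:
        return "Low"
    if score <= 10:
        return "Medium"
    return "High"


def heat_map() -> list[list[str]]:
    """Rebuild the matrix: rows run from likelihood 5 down to 1, columns
    from impact 1 to 5, each cell as 'LEVEL score' like the page."""
    return [
        [f"{risk_level(risk_score(lk, im)).upper()} {risk_score(lk, im)}" for im in range(1, 6)]
        for lk in range(5, 0, -1)
    ]


@dataclass
class Risk:
    """One row of the register (constructed; the real tool has more columns)."""
    ref: int
    asset_group: str
    threat: str
    likelihood: int
    impact: int
    post_likelihood: Optional[int] = None  # None until treatment is re-assessed
    post_impact: Optional[int] = None

    @property
    def pre_level(self) -> str:
        return risk_level(risk_score(self.likelihood, self.impact))

    @property
    def post_level(self) -> Optional[str]:
        if self.post_likelihood is None or self.post_impact is None:
            return None
        return risk_level(risk_score(self.post_likelihood, self.post_impact))


def dashboard(risks: list[Risk]) -> dict[str, dict[str, int]]:
    """Counts by level, pre and post treatment. Rows with no post-treatment
    assessment yet are reported under 'Calculated', as the tool's blank rows are."""
    keys = ["Low", "Medium", "High", "Calculated"]
    pre = Counter(r.pre_level for r in risks)
    post = Counter(r.post_level or "Calculated" for r in risks)
    return {
        "pre": {k: pre.get(k, 0) for k in keys},
        "post": {k: post.get(k, 0) for k in keys},
    }


# Constructed sample register, using three of the example rows from the page.
SAMPLE_REGISTER = [
    Risk(1, "Organization", "Rules for managing information security are unclear", 3, 3),
    Risk(8, "Information", "Data on mobile devices lost, stolen or accessed without authorisation", 4, 4, 2, 4),
    Risk(10, "Business activities", "Cloud security responsibilities unclear between customer and provider", 2, 5, 1, 5),
]

if __name__ == "__main__":
    for row in heat_map():
        print(" | ".join(f"{cell:>10}" for cell in row))
    for r in SAMPLE_REGISTER:
        print(r.ref, r.pre_level, "->", r.post_level or "Calculated")
    print(dashboard(SAMPLE_REGISTER))
```

Note that treating the mobile-device risk (ref 8) by reducing likelihood from 4 to 2 moves it from High (16) to Medium (8) while the impact stays at 4; the tool's post-treatment columns exist precisely so that this residual score is recorded rather than assumed.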
