IS Risk Assessment example

IS Risk Assessment example using ISO/IEC 27005.
In this example, six different applications are evaluated by analysing the risk associated with different vulnerabilities and threats.
The scales used for asset value, probability, impact and risk are shown.

  1. IS Security Risk Assessment
     Date: 29th of July, 2013
     Document version: v 1
     Prepared by: Ramiro Cid
     Approved by:

     Explanations
     1. This Risk Assessment is based on the standard ISO/IEC 27005 (Information Security Risk Management).
     2. A more detailed description of the asset valuation can be found on the sheet "Assets list".
     3. A more detailed description of the threat and vulnerability valuations and of the risk calculation can be found on the sheet "References & Scores".
     4. The Risk Assessment for the different asset categories is described in the sheet "Risk Analysis".

     Assumptions
     1. Data classification has not been done yet. At this stage, critical business data is valued in the Risk Assessment as: Confidentiality - High; Integrity - Medium; Availability - Medium. This version considers that no data processed in the country is such that degradation of its accuracy and completeness is unacceptable (Integrity - High), or that the asset/information is required on a 24x7 basis (Availability - High).
     2. This is the first version of the Risk Assessment. Potential updates and improvements require more time for investigation and will be included in future versions.
     3. The current version of the Risk Assessment mainly covers the assets and risks under the control of Country IS Service Management.
     4. The current version of the Risk Assessment has little or no coverage (in almost all cases) of assets and risks related to global functions (enterprise organization): central firewall; SAP development, support, etc.; industrial sites, locations and technical networks; etc. These assets and risks will be covered in future versions.
  2. Estimation of Probability

     | Score | Probability | Attributes (A) | Control Environment (C) |
     |---|---|---|---|
     | 1 | Never happens or has not happened | Small attacker population (insider knowledge); not remotely executable; administrator privileges needed; not automated; not a publicly published attack method. Score 1 if all five apply. | Strong existing controls, well tested, make this very unlikely; OR an unlikely target |
     | 2 | Rarely happened | Somewhere between 1 and 3 | Existing controls believed to be strong but not tested recently; OR not a likely target |
     | 3 | Could happen periodically or | Medium attacker population (specialist) | Existing controls believed to be |
     | 4 | Regular, frequent | Somewhere between 3 and 5 | Weak controls and a likely target |
     | 5 |  | Large attacker population (hobbyists); remotely executable; anonymous privileges needed; automated; publicly published attack method. Score 5 if any apply. | No controls and a very likely target |
  3. Assets
     This sheet describes the assets in the country that fall within the IT Security domain.

     | Asset name | Asset value |
     |---|---|
     | [ASS-APP-1] Application #1 | Very High Value |
     | [ASS-APP-2] Application #2 | High Value |
     | [ASS-APP-3] Application #3 | Very High Value |
     | [ASS-APP-4] Application #4 | High Value |
     | [ASS-APP-5] Application #5 | Very High Value |
     | [ASS-APP-6] Application #6 | Very High Value |
  4. Risk Analysis

     Asset register (columns of the sheet: Asset, Global/Local, Location/s, Business Owner, Power user, C, I, A, Asset Value):

     | Asset | Global/Local | Location/s | Business Owner | Power user | C | I | A | Asset Value |
     |---|---|---|---|---|---|---|---|---|
     | Application #1 | Local | Prague | Grozny Poznatky | Vítězslav Novotný | 4 | 5 | 5 | 5 |
     | Application #2 | Local | Tokyo | Akira Takahashi | Takeshi Suzuki | 3 | 4 | 4 | 4 |
     | Application #3 | Local | Cape Town | Addae Wilkins | Michael Andersen | 5 | 2 | 2 | 5 |
     | Application #4 | Local | São Paulo | Carlos dos Santos | Patricia da Silva | 4 | 5 | 4 | 4 |
     | Application #5 | Local | Paris | Ludovic Dupond | Sophie Renou | 5 | 4 | 5 | 5 |
     | Application #6 | Global | Rome | Marco Biasini | Irene Massa | 5 | 5 | 5 | 5 |

     Each risk entry below carries the remaining columns of the sheet: Threat; Threat description; Vulnerability; Controls/practices; Asset Value / Impact / Probability / Risk; New mitigation actions (planned mitigation activities/controls). Entries are listed in the order they appear on the slides.

     Entries listed under Application #1

     Threat: Inside users can accidentally read or modify customers' confidential information.
     Threat description: A human error when building a user profile can allow the user to access unauthorized information.
     Vulnerability: The user profile is not double-checked by another person before assignment.
     Controls/practices: Periodic review of user access.
     Asset Value / Impact / Probability / Risk: 5 / 4 / 2 / 11
     New mitigation actions: A person other than the user's manager should verify the correct creation of the user profile before assignment, or test the profile before assignment.

     Threat: Unauthorized users can read confidential information.
     Threat description: Someone can copy information.
     Vulnerability: It is possible to read and copy confidential information from a colleague's desk.
     Controls/practices: Active Directory policy locks the session after 15 minutes of inactivity; users lock their desk before leaving the office.
     Asset Value / Impact / Probability / Risk: 5 / 4 / 1 / 10
     New mitigation actions: Segregate users authorized to read confidential information from people who are not authorized.

     Threat: Inside people export confidential information outside the application.
     Threat description: Authorized users can export information.
     Vulnerability: It is possible to download information onto a personal laptop (with unencrypted disks) or onto mobile devices, or to export files, thereby losing any kind of control inside the application.
     Controls/practices: Verification of logs to check access, export of data and printing of information.
     Asset Value / Impact / Probability / Risk: 5 / 4 / 4 / 13
     New mitigation actions: Encrypt laptop disks. Limit the right to export data to the minimum number of users. Create an authorization process for allowing a user to export data. Lock some fields so that they cannot be exported.

     Threat: A WAN communication problem interrupts the client session.
     Threat description: Packet transmission losses put the Citrix session into time-out.
     Vulnerability: The Citrix client session does not withstand packet losses; the connection goes down because it is very sensitive to time-outs when communications suffer short cuts.
     Controls/practices: Open an incident for WAN packet losses.
     Asset Value / Impact / Probability / Risk: 5 / 1 / 1 / 7
     New mitigation actions: Ask the carrier to include a minimum guaranteed performance in the SLA.

     Threat: Data loss.
     Threat description: Data loss on a PDA containing confidential information.
     Vulnerability: A PDA can be stolen or lost outside the company. PDAs are not controlled by Active Directory (they are not in the domain).
     Controls/practices: Using a PDA requires a personal password and a unit password; after 10 attempts for each required password, access is locked and only Application #1 administrators can unlock it.
     Asset Value / Impact / Probability / Risk: 5 / 3 / 2 / 10
     New mitigation actions: Make users accountable by recharging them the cost of a PDA when it is lost. Remote deletion of data by an administrator when the user reports the PDA as stolen or lost. Train users in physical security best practices for PDAs. After 10 attempts, not only block the PDA but also remove the data. Reduce Application #1 grace logins from 10 to only 3 attempts.

     Entries listed under Application #2

     Threat: Company XX password compromised. Disclosure of personal data.
     Threat description: To allow continuity of service during vacations, dispatchers share their passwords; dispatchers keep their passwords in a list containing all dispatcher credentials.
     Vulnerability: Passwords lose their confidentiality characteristic. No possibility to trace responsibilities in case of data corruption, data loss or disclosure of information. Loss of any personal confidentiality.
     Controls/practices: Application #2 uses a self-profiling system not directly connected to Active Directory.
     Asset Value / Impact / Probability / Risk: 4 / 5 / 4 / 13
     New mitigation actions: Create a special Application #2 profile for dispatchers, independent of Active Directory. Never share Active Directory passwords. If mail also needs to be shared, create a special dispatcher mail-in box; if the mail-in box does not solve the problem, use corporate email internal delegation to assign reader rights to other colleagues. Avoid creating lists of Application #2 user credentials; if no other solution exists, keep the list in a locked place under surveillance.

     Entries listed under Application #3

     Threat: Disclosure of personal sensitive data.
     Threat description: For some employees, sensitive personal data that is not necessary for the company has been collected and stored in the application.
     Vulnerability: The treatment of this data does not comply with data protection law.
     Controls/practices: The replacement of this application by Saphron is almost completed.
     Asset Value / Impact / Probability / Risk: 5 / 3 / 3 / 11
     New mitigation actions: Remove sensitive data that is not required and not necessary for the company. When the data transfer to Saphron is completed, remove the old application from corporate email.

     Further entries on slide 4 (the asset cell of these rows is not recoverable from the slide)

     Threat: Disclosure of confidential data.
     Threat description: Internal maintenance technicians have a high probability of accidentally reading confidential information.
     Vulnerability: Users do not always supervise the technicians' interventions. Technicians have not signed any confidentiality agreement. Technicians have not been trained in the protection of confidential data.
     Controls/practices: Ethical / professional training.
     Asset Value / Impact / Probability / Risk: 5 / 3 / 4 / 12
     New mitigation actions: Technicians (internal and external) should be trained in the protection of confidential data so that they understand their responsibilities. Technicians (internal and external) should sign an internal confidentiality agreement.

     Threat: User password compromised.
     Threat description: For maintenance reasons and/or connection testing, users reveal their passwords.
     Vulnerability: No possibility to use an administrator password to test user connections. Technicians have not signed any confidentiality agreement.
     Controls/practices: Password change.
     Asset Value / Impact / Probability / Risk: 5 / 3 / 5 / 13
     New mitigation actions: Technicians should always recommend a password change to users after their intervention (if possible, technicians should set "change on next logon"). Technicians (internal and external) should sign an internal confidentiality agreement.

  5. Risk Analysis (continued)

     Entries listed under Application #5

     Threat: Disclosure of confidential data.
     Threat description: Maintenance technicians of the users' corporate email have a high probability of accidentally reading confidential information.
     Vulnerability: Users do not always supervise the technicians' interventions. Technicians have not signed any confidentiality agreement. Technicians have not been trained in the protection of confidential data.
     Controls/practices: Ethical / professional training.
     Asset Value / Impact / Probability / Risk: 5 / 3 / 4 / 12
     New mitigation actions: Technicians (internal and external) should be trained in the protection of confidential data so that they understand their responsibilities. Technicians (internal and external) should sign an internal confidentiality agreement.

     Threat: Inadequate user identification.
     Threat description: Customer passwords have no expiration time.
     Vulnerability: The application does not manage password expiration.
     Controls/practices: Customers are divided according to the customer they belong to; user profiles are limited to a specific customer's customers.
     Asset Value / Impact / Probability / Risk: 5 / 5 / 4 / 14
     New mitigation actions: The application must be modified to force periodic password expiration.

     Threat: Deliberate disclosure of private sensitive data.
     Threat description: Customer passwords without an expiration time can be easily identified.
     Vulnerability: The application does not manage password expiration.
     Controls/practices: Customers are divided according to the customer they belong to; user profiles are limited to a specific customer's customers.
     Asset Value / Impact / Probability / Risk: 5 / 5 / 4 / 14
     New mitigation actions: The application must be modified to force periodic password expiration, to strengthen user identification.

     Threat: Deliberate corruption or loss of sensitive private data.
     Threat description: Some customers have rights to create or modify doctor prescriptions. Customer passwords have no expiration.
     Vulnerability: A doctor's ID with weak password security can be used to forge access and to destroy or change customers' prescriptions.
     Controls/practices: Customers are divided according to the customer they belong to; user profiles are limited to a specific customer's customers.
     Asset Value / Impact / Probability / Risk: 5 / 5 / 4 / 14
     New mitigation actions: The application must be modified to force periodic password expiration, to strengthen user identification (for external users).

     Threat: Forcing of access rights.
     Threat description: The customer user ID is of weak quality.
     Vulnerability: The user ID is created from the last name and the first letter of the first name, which is not adequate to the importance of the data stored.
     Controls/practices: Customers are divided according to the customer they belong to; user profiles are limited to a specific customer's customers.
     Asset Value / Impact / Probability / Risk: 5 / 5 / 4 / 14
     New mitigation actions: A more adequate policy for the quality of customer IDs should be implemented, to reduce the possibility of discovering IDs.

     Threat: Accidental disclosure of private sensitive data.
     Threat description: External IT developers can see all data.
     Vulnerability: No segregation of data for development purposes.
     Controls/practices: External developers are identified through the Company XX Active Directory.
     Asset Value / Impact / Probability / Risk: 5 / 4 / 5 / 14
     New mitigation actions: Developers should never work with production data.

     Threat: Missing third-party confidentiality agreement.
     Threat description: External developers have not signed any confidentiality agreement with Company XX.
     Vulnerability: Lack of third-party control.
     Controls/practices: No controls in this case.
     Asset Value / Impact / Probability / Risk: 5 / 4 / 4 / 13
     New mitigation actions: External developers have to sign a confidentiality agreement.

     Threat: Loss of identification control.
     Threat description: Customers who do not use the application client are allowed to store their access credentials in their internet browser.
     Vulnerability: With access credentials stored in the internet browser, it is not possible to guarantee the identification of the user.
     Controls/practices: No controls in this case.
     Asset Value / Impact / Probability / Risk: 5 / 4 / 4 / 13
     New mitigation actions: Company XX should ask customers to sign an agreement that they implement a security policy forbidding the storage of access credentials in browsers. Modify the web application to avoid automatic logon.

     Threat: Accidental physical access to private sensitive data.
     Threat description: People who are not authorized could accidentally access private sensitive data.
     Vulnerability: There is no physically restricted area preventing data access by unauthorized people.
     Controls/practices: No controls in this case.
     Asset Value / Impact / Probability / Risk: 5 / 4 / 5 / 14
     New mitigation actions: A physically restricted area should be implemented to avoid accidental access to private sensitive data.

     Threat: Loss of confidentiality.
     Threat description: All application users can export data from the application to a local file.
     Vulnerability: No possibility to apply confidentiality controls to the exported local file.
     Controls/practices: No controls in this case.
     Asset Value / Impact / Probability / Risk: 5 / 5 / 5 / 15
     New mitigation actions: Export of data from the application to a local file should be forbidden.

     (Application #6, Global, Rome, Business Owner Marco Biasini, Power user Irene Massa, C/I/A/Asset Value 5/5/5/5, appears on this slide; the rows it covers are not recoverable from the slide.)
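Every Risk value on the sheet equals Asset Value + Impact + Probability (for example 5 + 4 + 2 = 11), so the register uses an additive 1..5 scoring model with a risk range of 3..15. The following Python is an added example, not part of the original slides or of Ramiro Cid's workbook: it rebuilds a few register rows from the slide text, recomputes the risk column, ranks the entries, applies an assumed acceptance threshold (the slides give none), and shows the main weakness of additive scoring on the sheet's own rows: 5/4/1 and 5/3/2 both score 10 even though they describe quite different risks. The multiplicative score is included only as a contrast and is not the sheet's method.

```python
"""Added example (not from the original slides): a small ISO/IEC 27005-style
risk register that reproduces the scoring used on the 'Risk Analysis' sheet.

Asset Value, Impact and Probability are each scored 1..5 and the Risk column
is their sum (range 3..15). The additive formula is inferred from the numbers
on the slides; the rows below are constructed from the slide text and the
treatment threshold is an assumed policy value, not one the slides state.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

SCALE = range(1, 6)  # the sheet's 1..5 scale for all three factors


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    controls: str
    asset_value: int
    impact: int
    probability: int
    mitigation: str = ""

    def __post_init__(self) -> None:
        # Reject scores outside the sheet's scale instead of silently summing them.
        for name in ("asset_value", "impact", "probability"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{name}={value} is outside the 1..5 scale")

    def risk(self) -> int:
        """Additive score as used on the sheet, range 3..15."""
        return self.asset_value + self.impact + self.probability

    def risk_product(self) -> int:
        """Multiplicative alternative (NOT the sheet's method), range 1..125."""
        return self.asset_value * self.impact * self.probability


# Rows constructed from the slide text (Application #1 and #2 entries).
REGISTER: List[RiskEntry] = [
    RiskEntry("Application #1",
              "Inside users accidentally read or modify confidential customer data",
              "User profile is not double-checked before assignment",
              "Periodic review of user access", 5, 4, 2,
              "Second person verifies the profile before assignment"),
    RiskEntry("Application #1",
              "Unauthorized users read confidential information from a colleague's desk",
              "Information can be read and copied from a desk",
              "AD policy locks sessions after 15 minutes", 5, 4, 1,
              "Segregate users authorized to read confidential data"),
    RiskEntry("Application #1",
              "Data loss: PDA with confidential information stolen or lost",
              "PDAs are not in the AD domain",
              "Personal and unit password, locked after 10 attempts", 5, 3, 2,
              "Remote wipe; reduce grace logins from 10 to 3"),
    RiskEntry("Application #1",
              "WAN packet loss interrupts the Citrix client session",
              "Citrix session does not withstand packet losses",
              "Open incident for WAN packet losses", 5, 1, 1,
              "Minimum guaranteed performance in the carrier SLA"),
    RiskEntry("Application #2",
              "Company password compromised: dispatchers share passwords",
              "Credentials kept in a shared list; no traceability",
              "Self-profiling system not connected to AD", 4, 5, 4,
              "Dedicated dispatcher profile; never share AD passwords"),
]


def ranked(entries: List[RiskEntry],
           score: Callable[[RiskEntry], int] = RiskEntry.risk) -> List[RiskEntry]:
    """Highest risk first; ties keep register order (sorted is stable)."""
    return sorted(entries, key=score, reverse=True)


def needs_treatment(entries: List[RiskEntry], threshold: int = 11) -> List[RiskEntry]:
    """Entries at or above an assumed acceptance threshold on the 3..15 scale."""
    return [e for e in entries if e.risk() >= threshold]


def additive_ties(entries: List[RiskEntry]) -> List[Tuple[int, RiskEntry, RiskEntry]]:
    """Pairs the additive score cannot separate although their products differ.

    This exposes the compression of an additive 1..5 model: 5+4+1 and 5+3+2
    both give 10 even though one has a much higher impact.
    """
    ties = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if a.risk() == b.risk() and a.risk_product() != b.risk_product():
                ties.append((a.risk(), a, b))
    return ties


if __name__ == "__main__":
    for e in ranked(REGISTER):
        print(f"{e.risk():2d}  {e.asset:14s} {e.threat}")
    print("entries needing treatment:", len(needs_treatment(REGISTER)))
    for score, a, b in additive_ties(REGISTER):
        print(f"tie at {score}: {a.threat!r} vs {b.threat!r} "
              f"(product {a.risk_product()} vs {b.risk_product()})")
```

The threshold of 11 is a placeholder for whatever risk acceptance criterion the organisation defines in its ISO/IEC 27005 context establishment; the point of `additive_ties` is that an additive scale should be paired with such a criterion and a manual review of tied entries, because the sum alone does not distinguish a high-impact, low-probability row from a medium-impact, medium-probability one.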
