IS Risk Assessment example

IS Security Risk Assessment
Date: 29th of July, 2013
Document version: v 1
Prepared by: Ramiro Cid
Approved by:
Explanations
1 This Risk Assessment is done based on Standard ISO/IEC 27005 (Information Security Risk Management)
2 More detail description of Assets Valuation could be found on Sheet "Assets list"
3 More detail description of Threats, Vulnerabilities Valuation's and Risk Calculation could be found on Sheet "Rerences & Scores"
4 Risk Assessment for different Assets categories is described/included in sheet "Risk Analysis"
Assumptions:
1 Data classification has not been done yet.
At this stage Critical Business data valued in Risk Assessment:
Confidentiality - High
Integrity - Medium
Availability - Medium
In this version it was considering that there are no data processed in the country which:
Degradation of the accuracy and completeness of data is unacceptable ( Integrity - High).
The asset/information is required on 24x7 basis (Availability - High).
2 This is the 1st version of Risk Assessment. Potential updates, improvement requires more time for investigation and will be included in future versions.
3 The current version of Risk Assessment mainly cover the assets and risks are under Country IS Service Management control.
4 The current version of Risk Assessment has little or not cover (almost all cases) assets and risks:
Global functions (Enterprise organization) related assets and risks:
Central Firewall
SAP development, support, etc
Industrial sites, location and technical networks
Etc.
These assets and risks will be covered in future versions.

Estimation of Probability
Score Prabability Attributes (A) Control
Environment (C)
1 Never happens or
not happened
Small attacker
population (insider
knowledge)
Not remotely executable
Administrator privileges
needed
Not automated
Not a publicly published
attack method
1 if all five apply
Strong existing
controls, well
tested, make this
very unlikely. OR,
an unlikely target
2 Rarely happened Somewhere between 1
and 3
Existing controls
believed to be
strong but not
tested recently
OR, not a likely
target
3 Could happens
periodically or
Medium attacker
population (specialist)
Existing controls
believed to be4 Regular,
frequently
Somewhere between 3
and 5
Weak controls
and a likely target
5 No controls and a
very likely target
Large attacker
population (hobbyists)
Remotely executable
Anonymous privileges
needed
Automated
Publicly published attack
method
5 if any apply
No controls and a
very likely target

Assets
In this sheet is described the assets included in the country in relation of IT Security
Domain Asset name Asset value
[ASS-APP-1] Application #1 Very High Value
[ASS-APP-2] Application #2 High Value
[ASS-APP-4] Application #4 High Value

Asset Global/Local Location/s
Business
Owner
Power user C I A
Asset
Value
Threat Threat description Vulnerability Controls/practices
Asset
Value
Impact Probability Risk
New mitigation actions (Planned mitigation
activities/controls)
Inside users can
accidentally read or
modify customers's
confidential
information
An human error
building up user
profile can allow
user accessing
unauthorized
information
User profile is not double checked
by another person before
assignement
Periodical review of users access 5 4 2 11
Other person different than user manager should verify
correct creation of user profile before assignement or test
profile before assignment
Not authorized users
can read confidential
information
Someone can copy
information
It is possible read and copy
confidential infomation from a
colleague desk
Active Directory policy blocks session after
15 minutes of no activity, users lock the
desk before leaving office desk
5 4 1 10
Segregate users authorised to read confidential information
from people not authorized
Inside people export
confidential
information outside
the application
Authorized users can
export information
It is possible to download
information on personal laptop
(with no encrypted disks), on
mobile devices or to export files,
so losing any kind of controls
inside the application
Verification of logs to check access,
exportation of data and printing of
information
5 4 4 13
Encrypt laptop disks.
Limit to the minimum number of users the rights to do
exportation of data
Create autorization process to allow an user to do
exportation of data
Lock some fields to be exported
WAN
communication
problem interrupt
client session
Packet transmission
losses put citrix
session in time out
Citrix client session do not
withstand packet losses.
connection goes down because is
very sensible to time out if
communications have some shorts
cuts
Open incident for wan packet losses 5 1 1 7
Ask carrier to introduce in SLA minimun guaranteed
performance
Data loss
Data loss in PDA
containing
confidential
information
PDA can be stolen or get lost
outside the company. PDA are not
controlled by Active Directory
(there are not in domain)
To use PDA it is required a personal
password and a unit password - after 10
attemps for each required password access
is locked then only Application #1
Administrators are in charge to unlock
5 3 2 10
Make users accountable of recharging the cost of PDA
when it get lost
Remote deletion of data by admin if user report the PDA as
stolen/or getting lost
Trainning to user about phisycal security best practices use
on PDA
After 10 attemps not ony bloc the PDA but also remove the
data
Application #1 grace logins from 10 to only 3 attemps
Application
#2
Local Tokio
Akira
Takahashi
Takeshi Suzuki 3 4 4 4
Company XX
password
compromised
Disclosure of
personal data
To allow continuity
of service during
vacation,
dispatchers shares
their passwords
Dispatchers use to
put their passwords
in a list with all
dispatcher credential
Password lose confidentiality
characteristic. No possibility to
trace responsibilities in case of
data corruption data losses or
disclosure of information
Loss of any personal confidentiality
Application #2 use a self profiling system
not directly connected with Active Directory
4 5 4 13
Create a Application #2 special profile for dispatcher,
independent from Active Directory. Never share Active
Directory passwords
In case mail need to be shared too, create a special
dispatcher mail-in box
if mail-in do not solve the problem use Corporate email
internal delegation to assign reader mail rights to other
colleagues.
Avoid creation of list of Application #2 users credentials. if
no other solution exist keep this list in a locked place under
surveillance
Application
#3
Local Cape Town Addae Wilkins Michael Andersen 5 2 2 5
Disclosure of
personal sensitive
data
Only for some
employee have been
collected and stored
in the application
some sentive
personal data that
are not necessary
for the company.
Treatment of this data is not
complying with data protection law.
The replacement of this application with
Saphron is almost completed
5 3 3 11
Remove sesitive data not required and not necessary for
the company
When data tranfer will be completed in Saphron remove
old application from Corporate email
Disclosure of
confidential data
Internal maintenance
technician have high
probability to
accidentally read
confidential
information
Users do not always control
intervention of technicians
Technicians do not have signed
any confidential agreement
Technicians have been not trained
about protection of confidential
data
Ethical / professional training 5 3 4 12
Technicians (internal and external) should be trained about
protection of confidential data to understand their
responsibilities
Technicians (internal an external) should sign an internal
confidentiality agreement
User password
compromised
Due to maintanance
reason and/or
connection testing
,Users reveal their
password
no possibility to use Administrator
password to test user connections
Technician do not have signed any
confidential agreement
Password change 5 3 5 13
Technicians should always recommend password change
to the users after their intervention (if possible technicians
have to set "change on next logon")
Application
#1
Prague 4
Grozny
Poznatky
Local 5Vítězslav Novotný 5 5
Local São Paulo
Carlos dos
Santos
4Patricia da Silva 5 4 4
Application
#4

Application
#5
Local Paris
Ludovic
Dupond
Sophie Renou 5 4 5 5
Disclosure of
confidential data
Maintenance
technicians of users
Corporate email mail
have high probability
to accidentally read
confidential
information
Users do not always control
intervention of technicians
Technicians do not have signed
any confidential agreement
Technicians have been not trained
about protection of confidential
data
Ethical / professional training 5 3 4 12
Technicians (internal and external) should be trained about
protection of confidential data to understand their
responsibilities
Inadequate user
identification
password of
customers without
expiration time
Application is not managing
password expiration
customerss are divided according customer
belonging. User profile limited to a specific
customer's customerss
5 5 4 14
Application must be modified to force periodical password
expiration
Deliberate
disclosure of private
sensitive data
customer's
password without
expiration time can
be easily identified
Application is not managing
password expiration
customerss are divided according
curstomer belonging. User profile limited to
a specific customer's customerss
5 5 4 14
expiration to increase user identification
Deliberate corruption
or loss of sensitive
private data
Some customer
have rights to create
or modify doctor
prescriptions
Password of
customers without
expiration
Doctor's id with weak password
security can be used to forging
acces and destroy, change
customers prescritptions
5 5 4 14
expiration to increase user identification (for external users)
Forcing of access
rights
Customer user id
has weak quality
The user id is created using last
name and first letter of fist name
not adequate to the importance of
the data stored
5 5 4 14
A more adequate policy to customer's id quality should be
implemented to reduce possibility of discovering IDs
Accidental
disclosure of private
sensitive data
External IT
developers can see
all data
No segregation of data for
development scope
External developers are identified by
Company XX Active Directory
5 4 5 14 Developers should never work using production data
Missing third party
confidentiality
agreement
External developers
have not signed any
confidentiality
agreement with
Company XX
Lack on third party control No controls in this case 5 4 4 13
External developers have to sign a confidentiality
agreement
Loss of identification
control
Customers that are
not using application
client are allowed to
store their access
credential on their
internet browser.
With access credential stored in
internet browser it is not possible
guarantee the identification of the
user
No controls in this case 5 4 4 13
Company XX should ask customers to subscribe an
agreement they implement security policy to forbidded
access credential on browsers .
modify web application in order to avoid automatic logon
Accidental physical
access to private
sensitive data
people not
authorized could
accidentally access
to private sensitive
data
There is no physical restricted area
to prevent data access to
unauthorized people
A physical restricted area to avoid accidentalaccess to
private sensitive data should be implemented
Loss of
confidentiality
All application users
can export data from
application to local
file
No possibility to apply
confidentiality controls on exported
local file
Export of data from application to local file should be
forbidden
5Irene Massa 5 5 5
Application
#6
Global Rome Marco Biasini

IS Risk Assessment example

More Related Content

What's hot

Viewers also liked

Similar to IS Risk Assessment example

More from Ramiro Cid

Recently uploaded

IS Risk Assessment example