MyRAM Handbook
MAMPU
Chapter 1: Introduction
1.0 Overview
In every area of government work, effective risk handling depends on the ability to cover five (5) broad areas:
1. What can happen (identification). Regular reality checks, involving rigorous assessment of trends, possibilities, threats, their impact and likelihood, are conducted.
2. What matters (assessment). Governments need to make judgments of value on the outcomes, taking the reliability of a service into account.
3. What can be done (action). Having established what matters, governments then need to decide either to accept (cope with) the potential risk or otherwise to plan ways to reduce (mitigate), transfer, or avoid the risk. They also need to plan for uncertainties.
4. What has happened (review). Since new exploits and threats emerge very rapidly, the government needs to assess whether the initial action has had the intended effect, whether the assessment of risk needs to be changed and whether further action is needed.
5. Effective communication. This is the means to manage the above areas, both with those who can help manage the risks and those potentially affected by the risks.
1.1 General Framework
The general framework involving multiple components of ICT is shown in Figure 1.1. As shown in the figure, Risk Assessment is a component of Risk Management, which in turn is part of ICT Governance. The outermost boundary in the model is Enterprise Governance.
Figure 1.1: Relationships of Multiple Components of ICT
Increased complexity, speed, interconnectivity and globalisation mean that information and communications technology (ICT) may involve substantial investments and risks. Due to the fast pace, certain terminologies and concepts used in the Malaysian public sector, which this document is based upon, unfortunately remain undefined; for example, the term ‘Enterprise governance’ in Figure 1.1. In moving forward, MyRAM needs to address these shortcomings and has therefore defined these concepts as used in this document. The terms were also defined for the purpose of better understanding when engaging in a MyRAM exercise.
Enterprise governance in Figure 1.1 refers to the set of responsibilities and practices exercised by the management committee with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly. It is the system by which the organisation is directed and controlled. The activities within enterprise governance are represented as four (4) principal components: direction, executive action, supervision and accountability. Enterprise governance frameworks ensure that management is held accountable for the performance of its organisation and that owners are able to monitor and intervene in the operations of management. Enterprise governance is an ongoing activity of maintaining a sound system of internal control to protect stakeholders’ interest and the organisation’s assets.
In short, enterprise governance is the process and structure used to direct and manage the business and affairs of the organisation towards enhancing business prosperity and enterprise accountability. It is through enterprise governance that the long-term objectives of stakeholders are met and their interests protected and satisfied.
Enterprise governance for the public sector is laid down by the set of General Orders (Perintah-perintah Am, issued by the Ketua Pengarah Perkhidmatan Awam), which briefly outlines the various enterprise responsibilities and accountabilities. Complementing the set of General Orders are documents such as Arahan Perbendaharaan (Treasury Instructions) and Arahan Keselamatan.
To achieve success in the information economy, governance of ICT is a crucial facet of organisational governance. ICT governance, in which the strategies and accountability covering ICT within an organisation are set, resides within the context of enterprise governance. It concerns the responsibilities for the management of ICT, as well as the comprehensiveness of the requirements and/or policies put forward. ICT governance is the responsibility of the senior management. It is an integral part of enterprise governance and consists of:
(a) leadership,
(b) organisational structures,
(c) processes,
(d) alignment of ICT to objectives of the organisation, and
(e) risk management.
This is to ensure that the organisation’s ICT sustains and extends the organisation’s aforementioned strategies and objectives. It is also used to balance risk against investments in ICT and its processes.
ICT governance is the responsibility of the executive management. It is an integral part of enterprise governance and consists of the leadership, organisational structures and processes that ensure two things: that the organisation’s ICT is aligned with the organisational strategies and objectives, and likewise that the strategies take proper advantage of ICT.
The reason why ICT governance is important is that expectations and reality often do not match. The senior management usually expects others to:
(a) deliver quality ICT solutions on time and within budget;
(b) harness and exploit ICT to return business value;
(c) use ICT to increase efficiency and productivity while managing ICT risks.
However, the senior management frequently experiences:
(a) business losses, damaged reputation or weakened competitive position;
(b) deadlines that are not met, costs higher than budgeted and quality lower than expected;
(c) efficiency and core functions impaired by poor quality of deliverables;
(d) failure in delivering the promised benefits.
One of the components of ICT Governance mentioned above is risk management. Risk management comprises the processes and structures that an organisation has in place to identify, assess, report, monitor and manage ICT risks, specifically risks relating to an ICT Governance Framework.
As shown in Figure 1.1, managing risk within the context of ICT Governance is in fact the management of ICT Security. Risk Management defines:
(a) Types of assets with their risk value.
(b) The relative magnitude of risk - level of each risk.
(c) The sources of those risks - location of or connection to those risks.
(d) What to do about those identified risks - measures to take when protecting assets against identified risks.
(e) Implementing controls or safeguards to reduce risks - measures to accept, reduce, transfer or avoid risks are weighed and the appropriate actions are taken.
(f) Monitoring - consistent check on the results of the control measures.
(g) Review - continuous revision of the ICT infrastructure to ensure that risks are always at an acceptable level.
With regard to ICT security governance, the government has issued a circular, namely Pekeliling Am Bil. 3 Tahun 2000 entitled ‘Rangka Dasar Keselamatan Teknologi Maklumat dan Komunikasi Kerajaan’. In addition, MAMPU has also published a set of guidelines called the Malaysian Public Sector Management of Information & Communications Technology Security Handbook (MyMIS). This document, which complements the circular above, is intended more as a reference guide.
Another framework which is used as a reference for best practices in the industry, including by MyMIS, is based on the BS 7799 standard. Both MyMIS and BS 7799 specify the need to perform risk management, in which risk assessment is a core component.
As shown in Figure 1.2, risk assessment which uses MyRAM as its methodology can be viewed in a bigger perspective called the Risk Maturity Model. The model is a risk management cycle that starts with the identification of guidance, references and standards, followed by the definition of objectives. As a feasibility evaluation, the next step is the high-level RA, which consists of interviews, desktop reviews and questionnaires to determine the High-level RA output. (The guideline on performing High-level RA is issued as a document entitled The Malaysian Public Sector Information Security High-level Risk Assessment (HiLRA) Guide, available at the MAMPU website.) At this point, a decision is made whether to proceed with a detailed risk assessment (MyRAM) or not. The decision for not proceeding with MyRAM is based on the fact that the organisation has not sufficiently followed information security best practice or implemented the MyMIS recommended safeguards.
If it is decided that MyRAM is to be done, other requirements in the form of objectives and guidance for the MyRAM are gathered. This is then followed by the Preparation stage, which is detailed in Part II: Technical, Chapter 7. Once the Preparation stage is completed, risk is identified, analyzed, and calculated. Following this, a set of high-level recommendations (options to accept, reduce, transfer or avoid risk) is put forward before a mitigation plan for appropriate treatment of risks is spelled out.
Risk Identification as well as Risk Analysis and Calculation constitute the process of Risk Assessment, which is defined as:
(a) putting information security threats into the context of what the agencies are trying to achieve, resulting in explicit statements of the risk to the organisation’s critical assets.
(b) providing the basis and criteria for measuring risks and setting priorities when developing asset protection improvement programs, which leads to creating a strategy for the agencies’ security.
(c) creating a risk mitigation plan for each identified critical asset.
The prioritisation and selection of safeguards must now be implemented and their performance evaluated. The entire process is continuously reviewed and monitored.
Decisions on control and safeguard measures must ensure that the optimum security level is met and is cost-effective. Whatever ICT security solutions are put forward must be within the context of the organisation’s security objectives.
Figure 1.2: The Risk Maturity Model
The risk management and risk assessment circles in Figure 1.1 can be mapped to the Risk Maturity Model (Figure 1.2), as shown in Figure 1.3. The Plan-Do-Check-Act (PDCA) cycle, which is based on the BS 7799 Part 2:2002 standard, can also be mapped onto the same model, as shown in the same figure. Detailed descriptions of the PDCA cycle are as follows:
(a) PLAN (Establish) means establishing or defining the security policy, objectives, targets, processes and procedures relevant to managing risk and improving information security, to deliver results in parallel with and to suit an organisation’s policies and objectives. This includes identifying and analyzing risks. This process covers the initiation, risk identification, and risk analysis and calculation stages within the Risk Maturity Model.
(b) DO (Implement and operate) is building and operating the security policy, controls, processes and procedures. Here, the appropriate safeguards (after decisions have been made) are implemented. This process covers the high-level recommendations, risk mitigation plans or treatments, and implementation stages within the Risk Maturity Model.
(c) CHECK (Monitor and review) means evaluating or assessing and, where applicable, measuring process performance against the security policy, objectives and real-case applicability scenarios, and reporting the results to senior management for review. This process covers the performance stage within the Risk Maturity Model.
(d) ACT (Maintain and improve) is taking rectifying, corrective and preventive actions, based on the results of the senior management review, to continually improve the ISMS. This process covers the continuous review of performance and risks within the Risk Maturity Model.
The cycle is used to coordinate the continuous improvement efforts in managing ICT security issues. It demonstrates and emphasizes the fact that improvement programs must start with well-planned ideas and actions, and result in effective actions.
How does MyRAM fit into the combined models? This can be seen in Figure 1.3, where the blackened box represents the boundary of MyRAM.
Figure 1.3: Boundary of MyRAM in Combined Models
As illustrated in Figure 1.3, MyRAM is more than just risk assessment. Prior to identifying risk, preparation is made, where the initial allocation of resources (manpower, budget and time) as well as requirements and objectives are specified. This is then followed by formally analyzing and calculating risk. Finally, a set of high-level recommendations is prepared for the senior management to consider. Within the PDCA Cycle, and in the perspective of MyRAM, which differs slightly from BS 7799, the methodology covers the stages of PLAN and the early part of DO, namely the high-level recommendations stage.
The combined figure shows the components of the risk management circle which are laid out in the Risk Maturity Model. These components are also mapped to a well-established and accepted information security management system (ISMS), BS 7799’s PDCA Cycle. The way MyRAM fits into the combined models shows that it addresses the core element of risk management, that is, risk assessment.
1.2 The Coverage
MyRAM provides a comprehensive approach to identifying and quantifying risks. It takes the user through the step-by-step tasks involved before a risk level for a particular asset can be clearly defined. As seen in Figure 1.4: What MyRAM Is and What It Covers, MyRAM provides a way to identify as well as evaluate assets critical to organisations in the public sector. MyRAM uses a qualitative process/method in determining the levels of risk associated with the assets. Sets of attributes are identified and analyzed in considering the values of risk. There is no mathematical or statistical calculation done to determine the risk levels.
Exhaustive lists of common threats and vulnerabilities are made available to these organisations. The business impact if an asset is compromised, and the likelihood of assets being damaged, altered, or destroyed, are calculated. On a strategic level, MyRAM focuses on identifying the key risks to the successful achievement of organisational objectives. These are the risks that are most likely to affect performance and delivery of business services. On an operational level, MyRAM looks carefully at the risks affecting programs, projects and operational assets and services.
Figure 1.4: What MyRAM Is and What It Covers
The term ‘High-Level Recommendations’ in MyRAM refers to decisions that are to be made after the severity of risk is determined. Decision makers are guided in reaching the decisions on whether to accept, reduce, transfer or avoid the risks. The decisions on which safeguards and control items are to be implemented are addressed at this high-level recommendation stage, based on Annex C: Generic Safeguard List. The ICT Steering Committee will then decide whether to follow the recommended safeguards or opt for other ways to safeguard the assets.
Results of the risk assessment activity can be used in formulating and improving the security policies for the organisation. This activity also fulfils a portion of the BS 7799 compliance program, in which the results obtained are used to produce a relevant treatment plan for the risks identified.
1.3 Introduction to Principles and Components
This section introduces users to the MyRAM framework. The principles of the framework are bonded tightly to ensure the completeness of the methodology. They act as the foundation for the components of MyRAM. Figure 1.5 shows the House of Principles and Components, while Figure 1.6 shows the relationship between the Multiple Components of ICT, Risk Maturity Model, PDCA Cycle and House of Principles and Components.
1.3.1 Principles and Components
The principles as shown in Figure 1.5 display the foundation of the methodology and are reflected in their names. The integration of the five (5) principles covers the entire base of the architecture supporting the MyRAM model, from the “Preparation” stage to the “High-Level Recommendations” stage.
Figure 1.5: The House of Principles and Components
Below are the descriptions of the principles and components laid out in Figure 1.5.
1.3.2 Principles
The principles shown in the above figure must all exist in order for the methodology to be complete and comprehensive. A detailed description of each principle follows:
(a) Practicality and Suitability
MyRAM is based on a pragmatic approach. This approach leads to the practicality of the methodology in all environments. This principle separates MyRAM from any theory-oriented methodology and makes it highly suitable for public sector applications.
Currently, the ministries and agencies are grouped into several categories, and MyRAM can be suitably applied to all of them due to the generic nature of the methodology. The threat and vulnerability lists are those most commonly found, through study, to be facing the ministries and agencies.
(b) Structure and Definition
The ten (10) steps in risk assessment are ordered or placed in a logical sequence. Those with even minimal knowledge of and skill in risk assessment would be able to perform the whole exercise.
The steps are very well-defined, so that they can be followed systematically. The risk assessment process is guaranteed to be consistent in interpretation and has been constructed to avoid ambiguity.
(c) A Continuous Process
Continuity is an advantage to users because it enables them to keep track of the entire exercise. No matter which step it is at in the process, the RA team will be able to figure out where it is by referring to the documents produced. This enables the team to resume their RA exercise from where they last stopped.
(d) Distinctive Results
The results or output of the RA process can easily be mapped back to the steps involved. This output is unique and specific to the respective steps. The clarity of the results produced helps the RA team to analyse and calculate risks as accurately as possible.
(e) Integration
All the components of the methodology are well-interconnected and integrated. The steps and tasks within the RA process are organised in such a way that the output produced by those steps is well-linked.
Integration between, and cooperation from, all parties involved (management and operations) are crucial to ensure the availability of resources, consistency of approaches, and integrity of the input and output.
1.3.3 Components
MyRAM educates users about vital hands-on risk assessment steps. It guides the users in the distinct steps for their respective organisations. The criteria used in Part II: TECHNICAL in valuing assets, impact, and likelihood are based on a three (3)-quadrant value-rating table which is currently the best practice in the industry.
The components in Figure 1.5 consist of twelve (12) items or pillars. A detailed description of each component is as follows:
(a) Preparation
Tasks carried out prior to the risk assessment activities are known as tasks performed in the “Preparation” stage. A preliminary RA team is set up; required resources such as the scope of the review boundary, manpower, duration and budget are determined; and senior management commitment plus approval is necessarily obtained. These preliminary tasks are done to enable a successful risk assessment process.
(b) Establishment of Team
Risk assessment team members are identified, their roles and responsibilities are defined and a tasking schedule list is drawn up.
(c) Establishment of Review Boundary
The scope of the RA activities to be conducted is set or fixed either by asset, business process or department. Materials related to the review boundary are obtained. “Green light” approval and endorsement must be received from senior management before the RA activity can begin. Finally, “Step 1: Establishment of Team” is revisited as necessary.
(d) Identification of Assets
Related assets are identified before being grouped and classified. Owners and custodians of the assets are identified as well.
(e) Valuation of Assets and Establishment of Dependencies Between Assets
A quantified value is assigned to each asset. Assigning a quantified value here means giving a value to the assets, from Low (L) to High (H).
(f) Assessment of Threats
In this RA step, a generic threat profile is created before all relevant threats to the assets are identified.
(g) Assessment of Vulnerabilities
Potential vulnerabilities exploited by threats are identified.
(h) Identification of Existing/ Planned Safeguards
Existing and planned safeguards which protect the assets are reviewed. The term ‘safeguards’ in MyRAM refers to either safeguards or controls to be recommended and implemented.
(i) Analysis of Impact
The impact levels to assets are determined. Impact levels of possible losses to assets are rated from Low (L) to High (H).
(j) Analysis of Likelihood
The probability of threats and vulnerabilities that may occur is determined. The occurrences of these identified threats and vulnerabilities are recorded and the results will be used in the Calculation of Risk step. The likelihood is also rated from Low (L) to High (H).
(k) Calculation of Risk
The risk level for each asset is calculated and a risk matrix is built after the risks have been calculated.
(l) High-Level Recommendations
Options on how to handle the risk are determined. The attributes to be considered prior to the decision-making are analysed. These high-level recommendations are those put forward by the risk assessment team to the senior management in an overall summary report on the RA activity completed.
1.4 Overall Architecture
Figure 1.6 shows the overall architecture of the various models, principles and components which have been integrated to include MyRAM. The detailed description of the architecture will begin from the principles which form the foundation of the House.
Figure 1.6: The Overall Architecture of Various Models, Principles, and Components
The five (5) principles laid out as the foundation of the House transcend the entire structure to support all the components shown in the figure. These components form the pillars of the structure, which in turn are grouped and mapped to the Risk Maturity Model. These pillars constitute the main structure of the House.
As illustrated in Figure 1.6, MyRAM is embedded inside various established models such as Enterprise Governance, Risk Management and the PDCA Cycle. The set of pillars labelled P, S1 to S10, and H represents a conceptualized MyRAM. Pillars S1 to S10 represent any typical risk assessment process, while MyRAM includes two (2) additional steps: Preparation, labelled P, and High Level Recommendation, labelled H, which comprises the two steps Decision on Options and Protection Strategy.
The methodology also covers part of the PDCA Cycle, both of which have also been mapped to the Risk Maturity Model. The need to map MyRAM to the PDCA Cycle is justified by the fact that the Cycle constitutes the basis of the de facto information security management system, BS 7799 Part 2:2002.
As can be seen from the upper portion of the House, these various models are mapped to the different components of ICT, namely Risk Management and Enterprise Governance within an organisation. The House was designed to illustrate how to properly combine components of the various established models (Risk Maturity Model, PDCA Cycle, and Enterprise Governance model). This helps those who are familiar with the various models to understand where MyRAM fits into their approaches.
Chapter 2: Preparation
2.0 Introduction
The preparation stage as illustrated in Figure 2.1 is not part of the risk assessment process in MyRAM. However, it is vital in determining the successful start of a MyRAM. It is at this preparation stage that the risk assessment team formed will understand the pre-requisites for a successful risk assessment exercise. Prior to the Preparation stage, one must recall that there is the high-level Risk Assessment (HiLRA), which determines whether a detailed RA using MyRAM is necessary or not. For the high-level Risk Assessment, the senior management will be the approving authority for this exercise.
Figure 2.1: Preparation Diagram
DESCRIPTION:
The appointed ICTSO should initiate the Preparation stage. This stage is to gather and document all prerequisites prior to the risk assessment exercise for senior management approval.
GOAL:
1. To identify the requirements and justifications for a risk assessment exercise.
2. To specify the objectives and the resources (budget, manpower, time line) required to successfully complete the RA exercise.
3. To obtain endorsement from the senior management to proceed with the risk assessment exercise.
TASK:
1. Setting up a Preliminary Risk Assessment Team.
a. Gather personnel who are working in the operational area.
b. Set up a group led by the ICTSO.
c. Come up with a proposal which details the importance of risk assessment. The proposal should consist of the following attributes:
i. Objectives.
ii. Goals.
iii. Key Benefits.
2. Identify Required Resources.
Identify elements (high level information only) for approval by the senior management.
a. Scope or Review Boundary:
It is advisable that the scope is determined based on the core functions of the agency. When the scoping is done for the first RA, only one (1) or two (2) core functions should be looked at. Once experience in performing RA activities is acquired, the agency can extend the boundary to include more processes or functions. Examples of documents that can be reviewed to determine the scope are:
i. client’s charter
ii. work procedure manual
iii. organisational structure
iv. Ketua Pengarah’s desk file/ fail meja
v. standard operating procedures
vi. annual report.
b. Manpower:
Normally, it will take two (2) full-time RA team members and two (2) part-time staff to identify and analyse risks associated with two (2) core business functions.
c. Duration:
For core functions with approximately 100 assets, and at least two (2) full-time and two (2) part-time RA team members, the whole exercise may take approximately three (3) to four (4) months.
d. Allocation of Budget:
If the personnel of the agency perform the exercise, then the agency must look at costs associated with possible needs for training, software tools, and hiring external consultants. If no internal officers are available, the senior management will need to find alternatives to ensure that the risk assessment activity is performed.
3. Obtain Senior Management Commitment and Approval.
a. Table out the proposal to the senior management.
b. Present it either in a discussion session, formal meeting or formal forum.
c. Obtain consensus from the senior management regarding the risk assessment exercise.
Note: Endorsement should be in the form of a written approval or acknowledgment from the senior management. It can be in the form of a letter, memo, e-mail or any formal communication method specifying the members of the preliminary RA team (based on the proposal written) for the whole exercise.
PRODUCED DOCUMENTS / OUTPUT:
1) Proposal
2) Sample of Memo/Letter on Acknowledgement of RA Exercise to be Conducted
ICT Security Risk Assessment Proposal for Agency <XXX>
1.0 Introduction
2.0 Purpose
3.0 Background of Risk Assessment
3.1 Goals
3.2 Benefits
3.3 Implications
4.0 Recommended Scope
4.1 Scope
4.2 Resources
4.3 Budget
4.4 Timeline
5.0 Authorisation
Sample of Memo/Letter on Acknowledgement of RA Exercise to be Conducted
Subject: Acknowledgement of Undertaking RA Exercise
Thanks.
< Approving Authority >
Chapter 3: Risk Assessment Process
3.0 Introduction
Figure 3.1 below shows that there are ten (10) essential steps altogether in a risk assessment (RA) activity or exercise.
Figure 3.1: Risk Assessment Process Diagram
The input for one step of the RA activity may be taken from the output of one of its previous steps.
Below is an overview of the steps in the risk assessment process, together with the description of each step and the subtasks involved.
Table 3.1: Description of RA Steps
Steps Description Task(s) Involved
Establishment Creates a basic component of a) Identify the risk assessmentof Team a risk assessment exercise. team members(Step 1) The team members that possess b) Draw up Tasking Schedule List
vast knowledge of the organisationare identified. Lastly, the scheduleand logistics are established toensure the smoothness of the wholeexercise.
Establishment Determines the scope of the a) Identify the scope of theof Review risk assessment process. The risk assessmentBoundary final scope will be submitted b) Obtain approval from senior(Step 2) to the senior management. management
Establishment of Review Boundary (Step 2), continued: Once it has received approval, the risk assessment team will collect all the relevant materials and information.
Task(s) involved: c) Gather information related to the review boundary; d) Prepare the Review Boundary Document; e) Revisit Step 1 as necessary.

Identification of Assets (Step 3): Identifies all the assets which are within the scope of the risk assessment boundary.
Task(s) involved: a) Identify related assets; b) Group and classify assets; c) Identify assets' owners and custodians; d) Verify and validate the findings of the questionnaires.

Valuation of Assets and Establishment of Dependencies Between Assets (Step 4): Assigns semi-quantitative values to the assets and determines those assets' dependencies.
Task(s) involved: a) Identify dependencies associated with the assets; b) Assign a quantified value to each asset; c) Verify and validate the findings of the questionnaires.

Assessment of Threat (Step 5): Determines types of threats associated with the assets, and their relative levels.
Task(s) involved: a) Create a generic threat profile; b) Identify all relevant threats to assets; c) Verify and validate the findings of the questionnaires.

Assessment of Vulnerability (Step 6): Identifies all potential vulnerabilities which may be exploited by threats. In addition, it will rate the relative vulnerability exposure levels.
Task(s) involved: a) Identify potential vulnerabilities exploited by threats; b) Verify and validate the findings of the questionnaires.

Identification of Existing & Planned Safeguards (Step 7): Identifies all types of existing & planned safeguards which have been or will be deployed to protect the assets.
Task(s) involved: a) Review existing and planned safeguards for protecting the assets; b) Verify and validate the findings of the questionnaires.

Analysis of Impact (Step 8): Quantifies the business impacts of the assets accordingly. The calculation will be based on the assets' values & business loss.
Task(s) involved: a) Determine the business loss; b) Determine the impact levels; c) Verify and validate the findings of the questionnaires.

Analysis of Likelihood (Step 9): Ascertains the likelihood of threats & vulnerabilities that may happen, with or without safeguard(s) in place.
Task(s) involved: a) Determine the likelihood of threats & vulnerabilities that may happen; b) Verify and validate the findings of the questionnaires.

Calculation of Risk (Step 10): Calculates the risk level for each asset, based on the impact value & likelihood results.
Task(s) involved: a) Calculate the risk level for each asset.
3.1 Step 1: Establishment of Team
DESCRIPTION:
The appointed ICTSO should initiate this step, namely Step 1: Establishment of Team. This step is to formally establish a team that will conduct the risk assessment exercise. The team member list which has been proposed in the preparation stage needs to be refined. The team should consist of personnel who possess well-balanced skills and knowledge of the organisation.
GOAL:
1. To obtain dedicated team members.
2. To assign tasks to all team members with associated roles and responsibilities.
TASKS:
1. Identify the Risk Assessment Team Members
a. Determine the adequate number of members that should be included in the risk assessment team.
b. Specify the team members' names, job functions and sector/unit/department/section/division/vendor.
c. The organisational chart for the RA team consists of the project advisor, project manager, team leader(s) and team member(s).
d. It is important to acknowledge that the project advisor plays a vital role in an RA project. The role is not only to advise as and when required, but also to conduct final evaluations, reviews and authorisation of all output and documents before they are presented to the senior management, at all stages and steps of the project.
e. The organisational chart for the RA team is defined as follows:
Figure 3.2: RA Team Organisation Chart
2. Draw up Tasking Schedule List
a. Determine the proper allocation for manpower, tasks and duration.
b. Assign appropriate task(s) to all the team members.
PRODUCED DOCUMENTS/ OUTPUT:
1. Team Member List
Consists of the following attribute(s):
a. Number
b. Name
c. Job Function
d. Section/Unit/Department/Division/Vendor
e. RA Function
Note: A letter, memo, e-mail or any formal communication method of appointment will be attached together with this Team Member List for the official establishment of this RA team. The format of the memo or letter can vary depending on the agency's format.
(Figure 3.2 organisation chart, top to bottom: Project Advisor, Project Manager, Team Leader(s), Team Member(s).)
Team Member List (MyRAM/Form/S1-1.0)
Columns: No. | Name | Job Function | Sect/Unit/Dept/Div/Vendor | RA Function
Prepared by: < Project Manager >    Reviewed by: < Project Advisor >    Approved by: < Chief Information Officer >
Note: The sign-offs should be with the official stamp.
2. Tasking Schedule List
Consists of the following attribute(s):
a. Activities (Tasks)
b. Duration
c. Start Date and Finish Date
d. Assigned Personnel
e. Venue
f. Output
Tasking Schedule List (MyRAM/Form/S1-2.0)
Activity: 1.0 Activity Name (Y Days : Start Date – End Date)
Columns: No. | Date | Task Details | RA Team | Venue
Output: 1. Output A; 2. Output B
Prepared by: < Team Leader >    Reviewed by: < Project Manager >    Approved by: < Project Advisor >
Note: The sign-offs should be with the official stamp.
3.2 Step 2: Establishment of Review Boundary
DESCRIPTION:
The appointed Team Leader(s) and Project Manager should initiate this step, namely Step 2: Establishment of Review Boundary. This step is to identify and refine the boundary statement based on the agreed key processes or functions.
GOAL:
1. To identify appropriate review boundary.
2. To get consensus and approval from the senior management on the agreed review boundary.
TASK:
1. Identify the Scope of the Risk Assessment
a. Gather basic information on the business operations of the organisations.
b. Study and review the business processes.
c. Discuss the requirements with key personnel of the operational area. Scope can be based on:
i. Assets
ii. Business processes or functions
iii. Departments
d. Document the information gathered and present it to the senior management.
Note: It is recommended that core business functions or processes are used as the review boundary.
2. Obtain Approval from Senior Management
Before obtaining approval from senior management on the review boundary or scope of the risk assessment, the project advisor must review and finalise the documents for approval. Approval from senior management is required to ensure senior management is committed to the RA activity.
3. Obtain Materials Related to the Review Boundary
Gather all the relevant documents which are related directly or indirectly to the scope. Some means of information gathering include the following documents:
a. Network Topology.
b. Service-Level Agreements.
c. Security Policies.
d. Standard Operating Procedures.
e. Corporate ICT Security Statements.
f. Process Flow of Business Functions.
To complement the above documents, the RA team may use other means of information gathering, such as interviews and additional tools, for example a network topology scanning tool.
The risk assessment team may obtain relevant information from the Jabatan Perkhidmatan Awam (JPA), Jabatan Kerja Raya (JKR), building maintenance contractor, Office of the Chief Government Security Officer (CGSO) and other supporting agencies.
4. Prepare the Review Boundary Document
a. This document will consist of vital information such as:
i. purpose of the risk assessment (RA) exercise,
ii. core businesses,
iii. supporting business processes,
iv. external interfaces involved in the RA scope,
v. personnel,
vi. information assets, and
vii. sites/buildings information.
5. Revisit Step 1 as Necessary
Revisit Step 1 to make sure that the team is sufficient in numbers and skills.
PRODUCED DOCUMENTS/ OUTPUT:
1. Review Boundary Document.
2. List of Related Materials Used.
3. List of Questionnaires With Findings.
1. Review Boundary Document

Review Boundary Document
Table of Content
Acronyms
List of Figures
List of Tables
1.0 Purpose
2.0 Background of Review Boundary
3.0 Review Boundary Statement
4.0 Key Business Processes and Functions
5.0 Supporting Business Processes
6.0 External Interfaces
7.0 Personnel
8.0 Information Assets
9.0 Sites/Buildings
10.0 Conclusion
Prepared by: < Project Manager >    Reviewed by: < Project Advisor >    Approved by: < Senior Management Personnel >
Note: The sign-offs should be with the official stamp.
2. List of Related Materials Used
List of Related Materials Used (MyRAM/Form/S2-2.0)
Columns: Name | Description
Prepared by: < Team Leader >    Approved by: < Project Manager >
Note: The sign-offs should be with the official stamp.
3. List of Questionnaires With Findings
List of Questionnaires (MyRAM/Form/S2-3.0)
Columns: No. | <Topic> Question | Answer | Remark | By Who (Function or Name – If Applicable)
Notes:
a) A sign-off for the questionnaires is required at the High-level Recommendations stage.
b) The sign-offs should be with the official stamp.
3.3 Step 3: Identification of Assets
DESCRIPTION:
The appointed Team Leader(s) should initiate this step, namely Step 3: Identification of Assets. This step is to identify all the relevant asset(s) associated with the agreed scope or review boundary of the RA exercise.
GOAL:
1. To gather all the assets that are to be assessed (in relation to the agreed review boundary).
2. To verify the validity of each asset before the assessment begins.
TASK:
1. Identify Related Assets
a. Identify the best asset gathering techniques.
b. Identify questions during interviews and document the responses received.
c. Identify questions during the brainstorming sessions of asset gatheringand document the responses received.
2. Group and Classify Assets
a. Group the assets and classify them based on the following categories:
i. Hardware
ii. Software
iii. Services
iv. Data or Information
v. People
3. Identify Assets Owners and Custodians
Identify the relevant owner(s) and custodian(s) to assets.
4. Verify and Validate the Findings of the Questionnaires
a. The questionnaires distributed and asked in Step 2 need to be revisited.
b. The findings need to be verified and validated to ensure completeness and truthfulness.
Note: A sign-off for the questionnaires is required at the High-level Recommendations stage.
PRODUCED DOCUMENTS / OUTPUT:
1) List of Assets
Consists of the following attribute(s):
a. Number
b. Asset Group
c. Asset ID
d. Asset Name
e. Owner
f. Custodian
g. Location
h. Description of Asset
List of Assets (MyRAM/Form/S3-1.0)
Columns: No. | Asset Group | Asset ID | Asset Name | Owner | Custodian | Location | Description of Asset
Prepared by: < Team Leader >    Reviewed by: < Project Manager >    Approved by: < Project Advisor >
Note: The sign-offs should be with the official stamp.
3.4 Step 4: Valuation of Assets and Establishment of Dependencies between Assets
DESCRIPTION:
The appointed Team Leader(s) should initiate this step, namely Step 4: Valuation of Assets and Establishment of Dependencies between Assets. This step is to determine the value of the assets identified in Step 3. The dependencies of the assets will be identified as well.
GOAL:
1. To establish the dependencies of the assets.
2. To assign a quantified value to each identified asset.
TASK:
1. Identify Dependencies Associated with the Assets
a. Identify dependencies associated with all the assets.
b. Verify all discovered dependencies with their owners and custodians.
2. Assign a Quantified Value to Each Asset
a. Give a quantified value based on Confidentiality, Integrity and Availability (CIA).
b. The rating scale is from Low to High.
Notes:
i. Agencies can modify the example criteria used to fit their own environments.
ii. Project advisor must advise the RA team of the importance of giving realistic asset values to ensure no false risk calculation result.
3. Verify and Validate the Findings of the Questionnaires
a. The questionnaires distributed and asked in Step 2 need to be revisited.
b. The findings need to be verified and validated to ensure completeness and truthfulness.
Note: A sign-off for the questionnaires is required at the High-level Recommendations stage.
PRODUCED DOCUMENTS / OUTPUT:
1. Summary of Asset Value & Dependencies
Consists of the following attribute(s):
a. Number
b. Asset Group
c. Asset ID
d. Asset Name
e. Value (C,I,A)
f. Asset Depended On
g. Dependent Asset
h. Asset Value
Summary of Asset Value and Dependencies (MyRAM/Form/S4-1.0)
Columns: No. | Asset Group | Asset ID | Asset Name | Asset Value (C, I, A) | Asset Depended On | Dependent Asset | Asset Value
Prepared by: < Team Leader >    Reviewed by: < Project Manager >    Approved by: < Project Advisor >
Note: The sign-offs should be with the official stamp.
3.5 Step 5: Assessment of Threats
DESCRIPTION:
The appointed Team Leader(s) should initiate this step, namely Step 5: Assessment of Threats. This step is to determine the relevant threats to all listed assets.
GOAL:
1. To produce a generic organisational threat profile.
2. To identify all relevant threats to assets.
TASK:
1. Create a Generic Threat Profile
a. Gather a list of threats which have occurred before.
b. Gather a list of threats which might occur in future if prevention mechanisms are lacking or not available.
c. Gather a list of threats which may occur even if proactive prevention has been taken.
2. Identify All Relevant Threats to Assets
a. Map all identified assets to relevant threats.
b. Verify the identified threats with owners and custodians.
3. Verify and Validate the Findings of the Questionnaires
a. The questionnaires distributed and asked in Step 2 need to be revisited.
b. The findings need to be verified and validated to ensure completeness and truthfulness.
Note: A sign-off for the questionnaires is required at the High-level Recommendations stage.
PRODUCED DOCUMENTS / OUTPUT:
1. Generic Threat Profile
Consists of the following attribute(s):
a. Threat Group
b. Threat ID
c. Threat Name
d. Threat Description
Generic Threat Profile (MyRAM/Form/S5-1.0)
Columns: Threat Group | Threat ID | Threat Name | Threat Description
Prepared by: < Team Leader >    Reviewed by: < Project Manager >    Approved by: < Project Advisor >
Note: The sign-offs should be with the official stamp.
2. Relevant Threats to Assets
Consists of the following attribute(s):
a. Number
b. Asset Group
c. Asset ID
d. Asset Name
e. Threat Attributes (Threat Group, Threat ID, Threat Name)
Relevant Threat to Asset (MyRAM/Form/S5-2.0)
Columns: No. | Asset Group | Asset ID | Asset Name | Threat Group | Threat ID | Threat Name
Prepared by: < Team Leader >    Reviewed by: < Project Manager >    Approved by: < Project Advisor >
Note: The sign-offs should be with the official stamp.
3.6 Step 6: Assessment of Vulnerabilities
DESCRIPTION:
The appointed Team Leader(s) should initiate this step, namely Step 6: Assessment of Vulnerabilities. This step is to determine the relevant vulnerabilities to all assets.
GOAL:
1. To determine the vulnerabilities for each asset
TASK:
1. Identify Potential Vulnerabilities Exploited by Threats
a. Determine a vulnerability list which is specific to the organisation.
b. Verify the list with the risk assessment team, owners and custodians.
2. Verify and Validate the Findings of the Questionnaires
a. The questionnaires distributed and asked in Step 2 need to be revisited.
b. The findings need to be verified and validated to ensure completeness and truthfulness.
Note: A sign-off for the questionnaires is required at the High-level Recommendations stage.
PRODUCED DOCUMENTS / OUTPUT:
1. List of Potential Vulnerabilities to Assets
Consists of the following attribute(s):
a. Number
b. Asset Group
c. Asset ID
d. Asset Name
e. Threat Attributes (Threat Group, Threat ID, Threat Name)
f. Vulnerability Attributes (Vulnerability Group, Vulnerability ID, Vulnerability Name)
List of Potential Vulnerabilities to Assets (MyRAM/Form/S6-1.0)
Columns: No. | Asset Group | Asset ID | Asset Name | Threat Group | Threat ID | Threat Name | Vulnerability Group | Vulnerability ID | Vulnerability Name
Prepared by: < Team Leader >    Reviewed by: < Project Manager >    Approved by: < Project Advisor >
Note: The sign-offs should be with the official stamp.
3.7 Step 7: Identification of Existing/Planned Safeguards
DESCRIPTION:
The appointed Team Leader(s) should initiate this step, namely Step 7: Identification of Existing and Planned Safeguards. This step is to determine the relevant existing or planned safeguards for each identified asset. Chosen safeguards must be based on Annex C: Generic Safeguard List.
GOAL:
1. To identify all relevant existing and planned safeguards or controls for eachasset.
TASK:
1. Review Existing and Planned Safeguards For Protecting the Assets
Safeguards (controls) are identified. The types of safeguards that need to be considered are classified according to the ten (10) domains in Annex C, which are as follows:
a. Security Policy
b. Organisational Security
c. Asset Classification and Control
d. Personnel Security
e. Physical and Environmental Security
f. Communications and Operations Management
g. Access Control
h. System Development and Maintenance
i. Business Continuity Management
j. Compliance
One asset may have several safeguards already in place or planned. Project advisors must consider the most cost-effective safeguards in their recommendations.
2. Verify and Validate the Findings of the Questionnaires
a. The questionnaires distributed and asked in Step 2 need to be revisited.
b. The findings need to be verified and validated to ensure completeness and truthfulness.
Note: A sign-off for the questionnaires is required at the High-level Recommendations stage.
PRODUCED DOCUMENTS / OUTPUT:
1. Existing and Planned Safeguards
Consists of the following attribute(s):
a. Number
b. Asset Group
c. Asset ID
d. Asset Name
e. Threat Attributes (Threat Group, Threat ID, Threat Name)
f. Safeguard ID with related Safeguard Name
g. Current Safeguard Solution
h. Type- Existing/Planned
Existing and Planned Safeguards (MyRAM/Form/S7-1.0)
Columns: No. | Asset Group | Asset ID | Asset Name | Threat Group | Threat ID | Threat Name | Safeguard ID with related Safeguard Name | Current Safeguard Solution | Type (Existing/Planned)
Prepared by: < Team Leader >    Reviewed by: < Project Manager >    Approved by: < Project Advisor >
Note: The sign-offs should be with the official stamp.
3.8 Step 8: Analysis of Impact
DESCRIPTION:
The appointed Team Leader(s) should initiate this step, namely Step 8: Analysis of Impact. This step is to determine the business impact levels if identified assets are compromised (intentionally or unintentionally).
GOAL:
1. To determine the business loss if an asset were to be compromised.
2. To determine the impact level of each compromised asset.
TASK:
1. Determine the Business Loss
a. Determine the business loss by considering the below attributes:
i. Replacement values of the assets
ii. Reputation values
Notes:
i. Agencies can modify the criteria used to fit into the agencies’ environments.
ii. Project advisor must advise the RA team of the importance of giving realistic asset values to ensure no false risk rating result.
2. Determine the Impact Levels
Determine the impact levels of the identified assets based on the example Impact Level Matrix.
3. Verify and Validate the Findings of the Questionnaires
a. The questionnaires distributed and asked in Step 2 need to be revisited.
b. The findings need to be verified and validated to ensure completeness and truthfulness.
Note: A sign-off for the questionnaires is required at the High-level Recommendations stage.
PRODUCED DOCUMENTS / OUTPUT:
1. Impact Level List
Consists of the following attribute(s):
a. Number
b. Asset Group
c. Asset ID
d. Asset Name
e. Asset Value
f. Business Loss
g. Impact Level
Impact Level List
Columns: No. | Asset Group | Asset ID | Asset Name | Asset Value | Business Loss | Impact Level
Prepared by: < Team Leader >    Reviewed by: < Project Manager >    Approved by: < Project Advisor >
Note: The sign-offs should be with the official stamp.
3.9 Step 9: Analysis of Likelihood
DESCRIPTION:
The appointed Team Leader(s) should initiate this step, namely Step 9: Analysis of Likelihood. This step is to calculate the likelihood of threats and vulnerabilities compromising the assets, taking into consideration existing/planned safeguards.
GOAL:
1. To determine the likelihood values of threats and vulnerabilities, taking into consideration the existing and planned controls.
TASK:
1. Determine The Likelihood of Threats and Vulnerabilities That May Happen
a. Utilise the outputs from Step 5, Step 6 and Step 7
i. Step 5 - Threats
ii. Step 6 - Vulnerabilities
iii. Step 7 - Safeguards
b. Determine the likelihood that a specific asset might be compromised.
c. Analyse the threats, vulnerabilities and controls which have been identified; the following attributes should be taken into consideration:
i. Past experience.
ii. Probability of future occurrences
iii. Implementation of safeguards or controls.
2. Verify and Validate the Findings of the Questionnaires
a. The questionnaires distributed and asked in Step 2 need to be revisited.
b. The findings need to be verified and validated to ensure completeness and truthfulness. At this stage, ensure that all the questions have valid answers.
Note: A sign-off for the questionnaires is required at the High-level Recommendations stage.
PRODUCED DOCUMENTS / OUTPUTS:
1. Likelihood List
Consists of the following attribute(s):
a. Number
b. Asset Group
c. Asset ID
d. Asset Name
e. Threat Attributes (Threat ID, Threat Name)
f. Vulnerability Attributes (Vulnerability ID, Vulnerability Name)
g. Current Safeguard Solution
h. Likelihood
Likelihood List (MyRAM/Form/S9-1.0)
Columns: No. | Asset Group | Asset ID | Asset Name | Threat ID | Threat Name | Vulnerability ID | Vulnerability Name | Current Safeguard Solution | Likelihood
Prepared by: < Team Leader >    Reviewed by: < Project Manager >    Approved by: < Project Advisor >
Note: The sign-offs should be with the official stamp.
3.10 Step 10: Calculation of Risk
DESCRIPTION:
The appointed Team Leader(s) should initiate this step, namely Step 10: Calculation of Risk. This step is to obtain the risk level rating for each asset, based on the risk matrix table.
GOAL:
1. To get each asset’s risk level rating based on the risk matrix table.
TASK:
1. Calculate The Risk Level For Each Asset
a. Calculate risk based on the prescribed risk matrix table.
b. Use the results from previous steps
i. Step 8 - Impact Level
ii. Step 9 – Likelihood
PRODUCED DOCUMENTS / OUTPUT:
1. Risk Matrix
Consists of the following attribute(s):
a. Number
b. Asset Group
c. Asset ID
d. Asset Name
e. Threat ID
f. Threat Name
g. Impact Level
h. Likelihood
i. Risk Level
Risk Matrix (MyRAM/Form/S10-1.0)
Columns: No. | Asset Group | Asset ID | Asset Name | Threat ID | Threat Name | Impact Level | Likelihood Level | Risk Level
Prepared by: < Team Leader >    Reviewed by: < Project Manager >    Approved by: < Project Advisor >
Note: The sign-offs should be with the official stamp.
Chapter 4: High-Level Recommendations
4.0 Introduction
Figure 4.1 shows that decisions on whether to accept, reduce, transfer, or avoid risks that have been identified must be made only after the risk assessment exercise has been completed.
Figure 4.1: High-Level Recommendation Diagram
4.1 Decision on Options
DESCRIPTION:
The appointed Project Manager should initiate this stage. The Project Advisor will advise on the suitability of the decisions made. The purpose of this stage is to provide a high-level recommendation after risk levels are identified and analysed. The organisation needs to decide whether to accept, reduce, transfer, or avoid the identified risk.
GOAL:
1. To decide on whether to accept, reduce, transfer or avoid risk.
TASK:
1. Analyse The Attributes To Be Considered Prior To The Decision-Making
The decision of whether to accept, reduce, transfer or avoid the risks catalogued must take the following factors into consideration:
a. Time
b. Money
c. Manpower
d. Equipment
2. Determine The Option Of How To Handle The Risk
a. The result of Step 10 (from Chapter 3: Risk Assessment Process) details outthe risk level associated with each identified asset.
b. If the risks are accepted, there is no immediate plan carried out or action takento protect the asset.
c. The risks are reduced when they are regarded as having High/H or Medium/M impact. Here, risks are mitigated by deploying the proper controls (counter-measures) to ensure that critical business operations continue with no downtime.
d. In transferring risks, the risks are moved to another organisation, entity or cause. One may want to transfer risks when they are at the level of Low/L or Medium/M. An example of this is transferring risks to a third party organisation.
e. Risks should be avoided altogether when there is no reasonable control available to be implemented by the organisation. This decision needs to be treated with caution, since most of the time the only way to avoid risks is to totally disconnect the system.
f. Good security controls combine most of the options above. When an asset has a high value of business impact as well as a high likelihood of getting “attacked”, it is advisable to first reduce the risk by deploying more controls and then transfer the remaining risk to a third party organisation. In the end, what is left is an acceptable residual risk level for that particular asset.
The presentation to the senior management on the risk analysis information obtained contains the following information:
i. An understanding of the relation between risk calculation results and senior management decisions in protecting critical assets.
ii. Any terms and concepts that may be new or different - for example, assets, threats, risk and risk profile - explained precisely and concisely.
iii. Composite, analysed results of the survey data, presented in a table or in graphical, easy-to-read form. Each identified level of risk should also state specific implications.
iv. Data on protection strategy practices and organisational vulnerabilities, segregated in tables according to practice areas.
v. Threat, risk and vulnerability information for each critical asset, tabled.
The senior management will then determine the best approach to combat all identified risks – do some of them need to be mitigated? If so, then how would that affect the resources and budget of the organisation?
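The Step 10 look-up (section 3.10) and the option mapping in task 2 above, as an added example that is not part of the MyRAM Handbook: Python that fills the Risk Matrix form columns from the Step 8 impact level and Step 9 likelihood, orders the rows so High risks come first (as section 4.2 requires), and lists the options the handbook associates with each risk level. The 3x3 matrix, the AssetThreat record, the sample rows and the "accept for Low" rule are assumptions, since the handbook's prescribed risk matrix table is not reproduced on this page.

```python
"""Steps 8-10 and Chapter 4.1 of the MyRAM process as a small worked model.

Added example, not part of the MyRAM Handbook. The handbook refers to a
"prescribed risk matrix table" without reproducing it in this section, so
the 3x3 table below is an ASSUMED placeholder; replace it with the agency's.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")
RANK = {level: i for i, level in enumerate(LEVELS)}  # Low=0 ... High=2

# ASSUMED risk matrix: RISK_MATRIX[impact_level][likelihood] -> risk level.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}


@dataclass(frozen=True)
class AssetThreat:
    """One Step 9 Likelihood List row joined with its Step 8 Impact Level (assumed record)."""
    asset_group: str
    asset_id: str
    asset_name: str
    threat_id: str
    threat_name: str
    impact_level: str   # Step 8 output
    likelihood: str     # Step 9 output


def risk_level(impact_level, likelihood):
    """Step 10, task 1.a: look up the risk level in the risk matrix table."""
    for value in (impact_level, likelihood):
        if value not in LEVELS:
            raise ValueError(f"level must be one of {LEVELS}, got {value!r}")
    return RISK_MATRIX[impact_level][likelihood]


def candidate_options(level, control_available=True):
    """Chapter 4.1, task 2: options the handbook associates with a risk level.

    reduce   -> High or Medium (2.c)
    transfer -> Low or Medium (2.d); for High, the residual after reducing (2.f)
    avoid    -> no reasonable control exists, whatever the level (2.e)
    accept   -> ASSUMPTION: offered for Low, since 2.b names no level
    """
    if not control_available:
        return ["avoid"]
    options = []
    if level in ("High", "Medium"):
        options.append("reduce")
    options.append("transfer")  # Low/Medium directly, High for the residual risk
    if level == "Low":
        options.append("accept")
    return options


def risk_matrix_rows(entries):
    """Step 10 output (MyRAM/Form/S10-1.0 columns), ordered High -> Low so the
    Protection Strategy stage (4.2) can treat High risks before Medium ones."""
    rows = []
    for e in entries:
        level = risk_level(e.impact_level, e.likelihood)
        rows.append({
            "Asset Group": e.asset_group, "Asset ID": e.asset_id,
            "Asset Name": e.asset_name, "Threat ID": e.threat_id,
            "Threat Name": e.threat_name, "Impact Level": e.impact_level,
            "Likelihood Level": e.likelihood, "Risk Level": level,
            "Options": candidate_options(level),
        })
    rows.sort(key=lambda r: -RANK[r["Risk Level"]])  # stable: ties keep input order
    for number, row in enumerate(rows, start=1):
        row["No."] = number
    return rows


# Constructed sample input (not from the handbook).
SAMPLE = [
    AssetThreat("Hardware", "HW-01", "Core switch", "T-01", "Power failure", "High", "Medium"),
    AssetThreat("Data", "DT-01", "Citizen records DB", "T-02", "Unauthorised access", "High", "High"),
    AssetThreat("Software", "SW-01", "Intranet portal", "T-03", "Software defect", "Low", "Low"),
]

if __name__ == "__main__":
    for row in risk_matrix_rows(SAMPLE):
        print(row["No."], row["Asset ID"], row["Risk Level"], ", ".join(row["Options"]))
```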
PRODUCED DOCUMENTS / OUTPUT:
1. Decision on Options
Consists of the following attribute(s):
a. Number
b. Asset Group
c. Asset ID
d. Asset Name
e. Threat ID
f. Threat Name
g. Existing/Planned Safeguard
h. Risk Level
i. Recommendation
j. Decision (note: to be filled in only after the management's decision).
Decision on Options (MyRAM/Form/HLR-1.0)
Columns: No. | Asset Group | Asset ID | Asset Name | Threat ID | Threat Name | Existing/Planned Safeguard(s) | Risk Level | Recommendation | Decision
Prepared by: < Team Leader >    Reviewed by: < Project Manager >    Approved by: < Project Advisor >
Note: The sign-offs should be with the official stamp.
4.2 Protection Strategy
DESCRIPTION:
The appointed Project Manager should initiate this stage. The team members are heavily involved in this step as well. The results of the previous section, section 4.1, provide the RA team with a prioritization of risk for the assets with related threats and vulnerabilities. This prioritization allows the team to develop a security improvement program in stages: High risk assets with related threats and vulnerabilities would need to be reduced, possibly before trying to reduce Medium risk. This step guides the RA team in developing safeguard options.
TASK:
1. Choose Safeguard Groups
These groups are based on the ten (10) security domains available in BS 7799.
a. Security Policy
b. Organisational Security
c. Asset Classification and Control
d. Personnel Security
e. Physical and Environmental Security
f. Communications and Operations Management
g. Access Control
h. System Maintenance
i. Business Continuity Management
j. Compliance
2. Examine Safeguard Attributes
The attributes to be examined are:
a. Function
b. Strength
c. Correctness
3. Examine Safeguard Cost
It is very natural, especially for the senior management, to think about the costs associated with safeguards to be put in place. When considering costs, the following attributes should be considered (but not limited to):
a. Cost to acquire and install the safeguards.
b. Cost for training requirements.
c. Cost for ongoing operating expenses like power, personnel requirements, and maintenance.
d. Indirect cost to productivity level.
e. Indirect cost like life expectancy of the safeguard and the assets it protects.
4. Examine Safeguard Effectiveness
Other than the above-mentioned attributes and costs, the following factors should also be examined:
a. Dependencies on other safeguards.
b. Human intervention. Safeguards with less human intervention are generally more reliable.
c. User acceptability. Safeguards should be easy to use and apply, as well as user-friendly.
5. Select the Options
With all the above considerations, the RA team can now select the options. A preferred option must be highlighted with a brief explanation and justification.
PRODUCED DOCUMENTS / OUTPUTS:
1. Protection Strategy
Consists of the following attribute(s):
a. Number
b. Asset Group
c. Asset ID
d. Asset Name
e. Threat ID
f. Threat Name
g. Existing/Planned Safeguard(s)
h. Risk Level
i. Recommendation
j. Protection Strategy
k. Justification
Protection Strategy (MyRAM/Form/HLR-2.0)
Columns: No. | Asset Group | Asset ID | Asset Name | Threat ID | Threat Name | Existing/Planned Safeguard(s) | Risk Level | Recommendation | Protection Strategy | Justification
Prepared by: < Team Leader >    Reviewed by: < Project Manager >    Approved by: < Project Advisor >
Note: The sign-offs should be with the official stamp.
4.3 Summary to High-Level Recommendations
DESCRIPTION:
Once the RA activity is completed, the RA team needs to present the findings to the senior management for approval. Once the approval is obtained, the next course of action is determined.
TASK:
1. Present Findings to the Senior Management
The findings are presented to the senior management. A summary report is produced and a formal presentation session is scheduled.
2. Determine the Next Course of Action
Once the final approval is obtained, the RA team needs to determine what should be done next to ensure that vulnerable and critical assets are protected adequately. A detailed action plan and roadmap need to be drafted based on the senior management's decision as well as the protection strategy developed.
3. Sign-off Questionnaires
The set of questionnaires which were used for information gathering during Step 2 until Step 9 is signed off at this stage. It is included as an Appendix at the end of the Summary Report to the Senior Management.
Output (Sample Summary Report)
1. Sample Summary Report on RA Activity
ICT Security RA Report for Agency <XXX>
List of Tables
List of Figures
Glossary
Related Reference
Structure of the Report
Executive Summary
1.0 Introduction
1.1 Background
1.2 Objectives of Security Risk Assessment
1.3 Scope of Security Risk Assessment
2.0 Security Risk Assessment Methodology
3.0 Analysis of Findings
3.1 Current Snapshot of the Infra and Info Structure
3.2 Summary of the Result
3.2.1 Asset Classification and Valuation
3.2.2 Threats, Vulnerability and Safeguard Analysis
3.2.3 Business Impact Analysis
3.2.4 Likelihood
3.2.5 Overall Risk Analysis Distribution
4.0 High-level Recommendations
4.1 Decision on Options
4.2 Protection Strategy
5.0 Conclusion
Annexes
Annex A: Preparation
Annex B: Step 1 – Establishment of Team
Annex C: Step 2 – Establishment of Review Boundary
Annex D: Step 3 – Identification of Assets
Annex E: Step 4 – Valuation of Assets
Annex F: Step 5 – Assessment of Threats
Annex G: Step 6 – Assessment of Vulnerabilities
Annex H: Step 7 – Identification of Existing and Planned Safeguards
Annex I: Step 8 – Analysis of Impact
Annex J: Step 9 – Analysis of Likelihood
Annex K: Step 10 – Calculation of Risk
Annex L: Decision on Options
Prepared by: < Project Manager >    Reviewed by: < Project Advisor >    Approved by: < Senior Management Personnel >
Note: The sign-offs should be with the official stamp.