
Chapter 1: Introduction 2- Handbook Steps.pdf

Chapter 1 - 1

MyRAM Handbook

MAMPU

Chapter 1: Introduction

1.0 Overview

In every area of government work, effective risk handling depends on the ability to cover five (5) broad areas:

1. What can happen (identification). Regular reality checks, involving rigorous assessment of trends, possibilities, threats, their impact and likelihood, are conducted.

2. What matters (assessment). Governments need to make judgments of value on the outcomes, taking the reliability of a service into account.

3. What can be done (action). Having established what matters, governments then need to decide either to accept (cope with) the potential risk or otherwise to plan ways to reduce (mitigate), transfer, or avoid the risk. They also need to plan for uncertainties.

4. What has happened (review). Since new exploits and threats emerge very rapidly, the government needs to assess whether the initial action has had the intended effect, whether the assessment of risk needs to be changed and whether further action is needed.

5. Effective communication. This is the means to manage the above areas, both with those who can help manage the risks and those potentially affected by the risks.

Introduction: Overview


1.1 General Framework

The general framework involving multiple components of ICT is shown in Figure 1.1. As shown in the figure, Risk Assessment is a component of Risk Management, which in turn is part of ICT Governance. The outermost boundary in the model is Enterprise Governance.

Figure 1.1: Relationships of Multiple Components of ICT

Increased complexity, speed, interconnectivity and globalisation mean that information and communications technology (ICT) may involve substantial investments and risks. Due to the fast pace, certain terminologies and concepts used in the Malaysian public sector, on which this document is based, unfortunately remain undefined; for example, the term ‘Enterprise governance’ in Figure 1.1. In moving forward, MyRAM needs to address these shortcomings and as such has proceeded to define these concepts as used in this document. The terms were defined also for the purpose of better understanding when engaging in a MyRAM exercise.

Enterprise governance in Figure 1.1 refers to the set of responsibilities and practices exercised by the management committee with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly. It is the system by which the organisation is directed and controlled. The activities within enterprise governance are represented as four (4) principal components: direction, executive action, supervision and accountability. Enterprise governance frameworks ensure that management is held accountable for the performance of its organisation and that owners are able to monitor and intervene in the operations of management. Enterprise governance is an ongoing activity of maintaining a sound system of internal control to protect stakeholders’ interest and the organisation’s assets.

Introduction: General Framework


In short, enterprise governance is the process and structure used to direct and manage the business and affairs of the organisation towards enhancing business prosperity and enterprise accountability. It is through enterprise governance that long-term objectives of stakeholders are met and their interests protected and satisfied.

Enterprise governance for the public sector is laid down by the set of General Orders (Perintah-perintah Am, issued by the Ketua Pengarah Perkhidmatan Awam) which briefly outlines the various enterprise responsibilities and accountabilities. Complementing the set of General Orders are documents such as Arahan Perbendaharaan (Treasury Instructions) and Arahan Keselamatan.

To achieve success in the information economy, governance of ICT is a crucial facet of organisational governance. ICT governance, in which the strategies and accountability covering ICT within an organisation are set, resides within the context of enterprise governance. It concerns the responsibilities for the management of ICT, as well as the comprehensiveness of the requirements and/or policies put forward. ICT governance is the responsibility of the senior management. It is an integral part of enterprise governance and consists of:

(a) leadership,

(b) organisational structures,

(c) processes,

(d) alignment of ICT to objectives of the organisation, and

(e) risk management.

This is to ensure the organisation’s ICT sustains and extends the organisation’s aforementioned strategies as well as objectives. It is also used to balance risk against investments over ICT and its processes.

ICT governance is the responsibility of the executive management. It is an integral part of enterprise governance and consists of the leadership, organisational structures and processes that ensure two things: the organisation’s ICT is aligned with the organisational strategies and objectives, and likewise the strategies take proper advantage of ICT.

The reason why ICT governance is important is that expectations and reality often do not match. The senior management usually expects others to:

(a) deliver quality ICT solutions on time and within budget;

(b) harness and exploit ICT to return business value;

(c) use ICT to increase efficiency and productivity while managing ICT risks.

However, the senior management frequently experiences:

(a) business losses, damaged reputation or weakened competitive position;

(b) deadlines that are not met, costs higher than budgeted and quality lower than expected;

(c) efficiency and core functions impaired by poor quality of deliverables;

(d) failure in delivering the promised benefits.

One of the components of ICT Governance mentioned above is risk management. Risk management comprises the processes and structures that an organisation has in place to identify, assess, report, monitor and manage ICT risks, specifically risks relating to an ICT Governance Framework.


As shown in Figure 1.1, managing risk within the context of ICT Governance is in fact management of ICT Security. Risk Management defines:

(a) Types of assets, with their risk value.

(b) The relative magnitude of risk - level of each risk.

(c) The sources of those risks - location of or connection to those risks.

(d) What to do about those identified risks - measures to take when protecting assets against identified risks.

(e) Implementing controls or safeguards to reduce risks - measures to accept, reduce, transfer or avoid risks are weighed and the appropriate actions are taken.

(f) Monitoring - consistent check on the results of the control measures.

(g) Review - continuous revision of the ICT infrastructure to ensure that risks are always at an acceptable level.

With regard to ICT security governance, the government has issued a circular, namely the Pekeliling Am Bil 3. Tahun 2000 entitled ‘Rangka Dasar Keselamatan Teknologi Maklumat dan Komunikasi Kerajaan’. In addition to this, MAMPU has also published a set of guidelines called the Malaysian Public Sector Management of Information & Communications Technology Security Handbook (MyMIS). This document, which complements the circular above, is intended more as a reference guide.

Another framework which is used as a reference for best practices in the industry, including by MyMIS, is based on the BS 7799 standard. Both MyMIS and BS 7799 specify the need to perform risk management, in which risk assessment is a core component.

As shown in Figure 1.2, risk assessment which uses MyRAM as its methodology can be viewed in a bigger perspective called the Risk Maturity Model. The model is a risk management cycle that starts with identification of guidance, references and standards, followed by definition of objectives. As a feasibility evaluation, the next step is the high-level RA, which consists of interviews, desktop reviews and questionnaires to determine the High-level RA output. (The guideline on performing High-level RA is issued as a document entitled The Malaysian Public Sector Information Security High-level Risk Assessment (HiLRA) Guide, available at the MAMPU website.) At this point, a decision is made whether to proceed with a detailed risk assessment (MyRAM) or not. The decision not to proceed with MyRAM is based on the finding that the organisation has not sufficiently followed information security best practice or implemented the MyMIS recommended safeguards.

If it is decided that MyRAM is to be done, other requirements in the form of objectives and guidance for the MyRAM are gathered. This is then followed by the Preparation stage, which is detailed in Part II: Technical, Chapter 7. Once the Preparation stage is completed, risk is identified, analyzed, and calculated. Following this, a set of high-level recommendations (options to accept, reduce, transfer or avoid risk) is put forward before a mitigation plan for appropriate treatment of risks is spelled out.

Risk Identification as well as Risk Analysis and Calculation constitute the process of Risk Assessment, which is defined as:

(a) putting information security threats into the context of what the agencies are trying to achieve, resulting in explicit statements of the risk to the organisation’s critical assets.

(b) providing the basis and criteria for measuring risks and setting priorities when developing asset protection improvement programs, which leads to creating a strategy for the agencies’ security.

(c) creating a risk mitigation plan for each identified critical asset.

The prioritised and selected safeguards must now be implemented and their performance evaluated. The entire process is continuously reviewed and monitored.


Decisions on control and safeguard measures must ensure that the optimum security level is met and is cost-effective. Whatever ICT security solutions are put forward must be within the context of the organisation’s security objectives.


Figure 1.2: The Risk Maturity Model


The risk management and risk assessment circles in Figure 1.1 can be mapped to the Risk Maturity Model (Figure 1.2), as shown in Figure 1.3. The Plan-Do-Check-Act (PDCA) cycle, which is based on the BS 7799 Part 2:2002 standard, can also be mapped onto the same model as shown in the same figure. Detailed descriptions of the PDCA cycle are as follows:

(a) PLAN (Establish) means establishing or defining security policy, objectives, targets, processes and procedures relevant to managing risk and improving information security to deliver results in parallel and to suit an organisation’s policies and objectives. This includes identifying and analyzing risks. This process covers the initiation, risk identification, and risk analysis and calculation stages within the Risk Maturity Model.

(b) DO (Implement and operate) is building and operating the security policy, controls, processes and procedures. Here, the appropriate safeguards (after decisions have been made) are implemented. This process covers the high-level recommendations, risk mitigation plans or treatments, and implementation stages within the Risk Maturity Model.

(c) CHECK (Monitor and review) means evaluating or assessing and, where applicable, measuring process performance against security policy, objectives and real-case applicability scenarios, and reporting the results to senior management for review. This process covers the performance stage within the Risk Maturity Model.

(d) ACT (Maintain and improve) is taking rectifying, corrective and preventive actions, based on the results of the senior management review, to continually improve the ISMS. This process covers the continuous review of performance and risks within the Risk Maturity Model.

The cycle is used to coordinate the continuous improvement efforts in managing ICT security issues. It demonstrates and emphasizes the fact that improvement programs must start with well-planned ideas and actions, and result in effective actions.


How does MyRAM fit into the combined models? This can be seen in Figure 1.3, where the blackened box represents the boundary of MyRAM.

Figure 1.3: Boundary of MyRAM in Combined Models


As illustrated in Figure 1.3, MyRAM is more than just risk assessment. Prior to identifying risk, preparation is made where initial allocation of resources (manpower, budget and time) as well as requirements and objectives is specified. This is then followed by formally analyzing and calculating risk. Finally, a set of high-level recommendations is prepared for the senior management to consider. Within the PDCA Cycle, and in the perspective of MyRAM which differs slightly from BS 7799, the methodology covers the stages of PLAN and the early part of DO, namely the high-level recommendations stage.

The combined figure shows the components of the risk management circle which are laid out in the Risk Maturity Model. These components are also mapped to a well-established and accepted information security management system (ISMS), BS 7799’s PDCA Cycle. The way MyRAM fits into the combined models shows that it addresses the core element of risk management, that is, risk assessment.


1.2 The Coverage

MyRAM provides a comprehensive approach to identifying and quantifying risks. It takes the user through the step-by-step tasks involved before a risk level for a particular asset can be clearly defined. As seen in Figure 1.4: What MyRAM Is and What It Covers, MyRAM provides a way to identify as well as evaluate assets critical to organisations in the public sector. MyRAM uses a qualitative process/method in determining the levels of risks associated with the assets. Sets of attributes are identified and analyzed in considering the values of risk. There is no mathematical or statistical calculation done to determine the risk levels.

Exhaustive lists of common threats and vulnerabilities are made available to these organisations. The business impact if an asset is compromised, and the likelihood of assets being damaged, altered, or destroyed, is calculated. On a strategic level, MyRAM focuses on identifying the key risks to successful achievement of organisational objectives. These are the risks that are most likely to affect performance and delivery of business services. On an operational level, MyRAM looks carefully at the risks affecting programs, projects and operational assets and services.

Introduction: The Coverage

Figure 1.4: What MyRAM Is and What It Covers


The term ‘High-Level Recommendations’ in MyRAM refers to decisions that are to be made after the severity of risk is determined. Decision makers are guided in reaching the decisions on whether to accept, reduce, transfer or avoid the risks. The decisions on which safeguards and control items are to be implemented are addressed at this high-level recommendation stage based on Annex C: Generic Safeguard List. The ICT Steering Committee will then decide whether to follow the recommended safeguards or opt for other ways to safeguard the assets.

Results of the risk assessment activity can be used in formulating and improving the security policies for the organisation. This activity also fulfils a portion of the BS 7799 compliance program, in which the results obtained are used to produce a relevant treatment plan for the risks identified.


1.3 Introduction to Principles and Components

This section introduces users to the MyRAM framework. The principles of the framework are bonded tightly to ensure the completeness of the methodology. They act as the foundation for the components of MyRAM. Figure 1.5 shows The House of Principles and Components, while Figure 1.6 shows the relationship between the Multiple Components of ICT, Risk Maturity Model, PDCA Cycle and House of Principles and Components.

1.3.1 Principles and Components

The principles as shown in Figure 1.5 display the foundation of the methodology and are reflected in their names. The integration of the five (5) principles covers the entire base of the architecture supporting the MyRAM model, from the “Preparation” stage to the “High-Level Recommendations” stage.

Introduction: Introduction to Principles and Components


Figure 1.5: The House of Principles and Components


Below are the descriptions of the principles and components laid out in Figure 1.5.

1.3.2 Principles

The principles shown in the above figure must all exist in order for the methodology to be complete and comprehensive. A detailed description of each principle follows:

(a) Practicality and Suitability

MyRAM is based on a pragmatic approach. This approach leads to the practicality of the methodology in all environments. This principle separates MyRAM from any theory-oriented methodology and makes it highly suitable for public sector applications.

Currently, the ministries and agencies are grouped into several categories, and MyRAM can be suitably applied to all of them due to the generic nature of the methodology. The threat and vulnerability lists are those most commonly studied to be facing the ministries and agencies.

(b) Structure and Definition

The ten (10) steps in risk assessment are ordered or placed in a logical sequence. Those with even minimal knowledge of and skill in risk assessment would be able to perform the whole exercise.

The steps are very well-defined, whereby they can be followed systematically. The risk assessment process is guaranteed to be consistent in interpretation and has been constructed to avoid ambiguity.

(c) A Continuous Process

Continuity is an advantage to users because it enables them to keep track of the entire exercise. No matter which step it is at in the process, the RA team will be able to figure out where it is by referring to the documents produced. This enables the team to resume their RA exercise from where they last stopped.

(d) Distinctive Results

The results or output of the RA process can easily be mapped back to the steps involved. This output is unique and specific to the respective steps. The clarity of the results produced helps the RA team to analyse and calculate risks as accurately as possible.

(e) Integration

All the components of the methodology are well-interconnected and integrated. The steps and tasks within the RA process are organised in such a way that the output produced by those steps is well-linked.

Integration between and cooperation from all parties involved (management and operations) are crucial to ensure the availability of resources, consistency of approaches, and integrity of the input and output.


1.3.3 Components

MyRAM educates users about vital hands-on risk assessment steps. It guides the users in the distinct steps for respective organisations. The criteria used in Part II: TECHNICAL in valuing assets, impact, and likelihood are based on a three (3)-quadrant value-rating table which is currently the best practice in the industry.

The components in Figure 1.5 consist of twelve (12) items or pillars. A detailed description of each component is as follows:

(a) Preparation

Tasks carried out prior to the risk assessment activities are known as tasks performed in the “Preparation” stage. A preliminary RA team is set up, required resources such as scope of review boundary, manpower, duration and budget are determined and senior management commitment plus approval is necessarily obtained. These preliminary tasks are done to enable a successful risk assessment process.

(b) Establishment of Team

Risk assessment team members are identified, their roles and responsibilities are defined and a tasking schedule list is drawn up.

(c) Establishment of Review Boundary

The scope of the RA activities to be conducted is set or fixed either by asset, business process or department. Materials related to the review boundary are obtained. “Green light” approval and endorsement must be received from senior management before the RA activity can begin. Finally, “Step 1: Establishment of Team” is revisited as necessary.

(d) Identification of Assets

Related assets are identified before being grouped and classified. Owners and custodians of the assets are identified as well.

(e) Valuation of Assets and Establishment of Dependencies Between Assets

A quantified value is assigned to each asset. Assigning a quantified value here means giving value to the assets, from Low (L) to High (H).

(f) Assessment of Threats

In this RA step, a generic threat profile is created before all relevant threats to the assets are identified.

(g) Assessment of Vulnerabilities

Potential vulnerabilities exploited by threats are identified.

(h) Identification of Existing/ Planned Safeguards

Existing and planned safeguards which protect the assets are reviewed. The term ‘safeguards’ in MyRAM refers to either safeguards or controls to be recommended and implemented.


(i) Analysis of Impact

The impact levels to assets are determined. Impact levels of possible losses to assets are rated from Low (L) to High (H).

(j) Analysis of Likelihood

The probability of threats and vulnerabilities that may happen is determined. The occurrences of these identified threats and vulnerabilities are recorded and the results will be used in the calculation of risk step. The likelihood is also rated from Low (L) to High (H).

(k) Calculation of Risk

The risk level for each asset is calculated and a risk matrix is built after the risks have been calculated.

(l) High-Level Recommendations

Options on how to handle the risk are determined. The attributes to be considered prior to the decision-making are analysed. These high-level recommendations are those put forward by the risk assessment team to the senior management in an overall summary report on the RA activity completed.
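Components (e) to (l) above describe an ordinal rating ladder: asset value, impact and likelihood are each rated Low to High, a risk level is derived per asset, a risk matrix is built, and a handling option (accept, reduce, transfer or avoid) is recommended. The Python sketch below is an added example, not code from the MyRAM Handbook or MAMPU, showing how such a register can be held, looked up and ranked for the summary report. The 3x3 likelihood-by-impact lookup table, the rule mapping risk level to a handling option, and the sample agency assets are all assumptions made for illustration; the handbook does not publish its own table in this chapter.

```python
"""Qualitative risk register in the spirit of MyRAM components (e) to (l).

Added example, not MyRAM Handbook or MAMPU code. The lookup table,
option rule and sample assets are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordinal rating used for asset value, impact, likelihood and risk."""
    L = 1  # Low
    M = 2  # Medium
    H = 3  # High


# ASSUMED (likelihood, impact) -> risk lookup; not the handbook's own table.
RISK_MATRIX = {
    (Level.L, Level.L): Level.L, (Level.L, Level.M): Level.L, (Level.L, Level.H): Level.M,
    (Level.M, Level.L): Level.L, (Level.M, Level.M): Level.M, (Level.M, Level.H): Level.H,
    (Level.H, Level.L): Level.M, (Level.H, Level.M): Level.H, (Level.H, Level.H): Level.H,
}

# ASSUMED rule from risk level to the four handling options named in the text.
TREATMENT_OPTION = {
    Level.L: "accept",
    Level.M: "reduce",
    Level.H: "reduce, transfer or avoid",
}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str       # identified in component (d)
    custodian: str   # identified in component (d)
    value: Level     # assigned in component (e)


@dataclass(frozen=True)
class RiskEntry:
    """One threat/vulnerability pair against one asset (components f to j)."""
    asset: Asset
    threat: str
    vulnerability: str
    existing_safeguards: tuple   # component (h)
    impact: Level                # component (i)
    likelihood: Level            # component (j)

    def risk_level(self) -> Level:
        """Component (k): look the pair up in the assumed matrix."""
        return RISK_MATRIX[(self.likelihood, self.impact)]


def build_risk_matrix(entries):
    """Component (k): count entries in each likelihood x impact cell."""
    cells = {key: 0 for key in RISK_MATRIX}
    for entry in entries:
        cells[(entry.likelihood, entry.impact)] += 1
    return cells


def high_level_recommendations(entries):
    """Component (l): entries ranked by risk, highest first, with an option each.

    Ties are broken on asset value so high-value assets surface first.
    """
    ranked = sorted(entries, key=lambda e: (e.risk_level(), e.asset.value), reverse=True)
    return [(e.asset.name, e.threat, e.risk_level().name, TREATMENT_OPTION[e.risk_level()])
            for e in ranked]


# Constructed sample register for a fictitious agency (not real data).
PAYROLL_DB = Asset("payroll database", "Finance Division", "ICT Unit", Level.H)
WEB_PORTAL = Asset("public web portal", "Corporate Communications", "ICT Unit", Level.M)
LOAN_LAPTOP = Asset("training loan laptop", "Training Unit", "Training Unit", Level.L)

SAMPLE_ENTRIES = (
    RiskEntry(PAYROLL_DB, "unauthorised access", "shared administrator password",
              ("network firewall",), Level.H, Level.M),
    RiskEntry(WEB_PORTAL, "denial of service", "no rate limiting on login page",
              (), Level.M, Level.H),
    RiskEntry(LOAN_LAPTOP, "theft", "no disk encryption", ("asset tag",), Level.L, Level.M),
)

if __name__ == "__main__":
    for (likelihood, impact), count in build_risk_matrix(SAMPLE_ENTRIES).items():
        print(f"likelihood={likelihood.name} impact={impact.name}: {count}")
    for row in high_level_recommendations(SAMPLE_ENTRIES):
        print(row)
```

Because every rating is an IntEnum, the ordering needed for the ranking falls out of the same values used as lookup keys, and a team changing its own matrix only has to edit RISK_MATRIX rather than any logic.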

1.4 Overall Architecture

Figure 1.6 shows the overall architecture of the various models, principles and components which have been integrated to include MyRAM. The detailed description of the architecture will begin from the principles which form the foundation of the House.


Introduction: Overall Architecture

Figure 1.6: The Overall Architecture of Various Models, Principles, and Components


The five (5) principles laid out as the foundation of the House transcend the entire structure to support all the components shown in the figure. These components form the pillars of the structure, which in turn are grouped and mapped to the Risk Maturity Model. These pillars constitute the main structure of the House.

As illustrated in Figure 1.6, MyRAM is embedded inside various established models such as Enterprise Governance, Risk Management and the PDCA Cycle. The set of pillars labelled P, S1 to S10, and H represents a conceptualized MyRAM. Pillars S1 to S10 represent any typical risk assessment process, while MyRAM includes two (2) additional steps: Preparation, labelled P, and High Level Recommendation, labelled H, which comprises two steps, Decision on Options and Protection Strategy.

The methodology also covers part of the PDCA Cycle, both of which have also been mapped to the Risk Maturity Model. The need to map MyRAM to the PDCA Cycle is justified by the fact that the Cycle constitutes the basis of the de facto information security management system, BS 7799 Part 2:2002.

As can be seen from the upper portion of the House, these various models are mapped to the different components of ICT, namely Risk Management and Enterprise Governance within an organisation. The House was designed to illustrate how to properly combine components of the various established models (Risk Maturity Model, PDCA Cycle, and Enterprise Governance model). This helps those who are familiar with the various models to understand where MyRAM fits into their approaches.


Chapter 2: Preparation

2.0 Introduction

The preparation stage as illustrated in Figure 2.1 is not part of the risk assessment process in MyRAM. However, it is vital in determining the successful start of a MyRAM. It is at this preparation stage that the risk assessment team formed will understand the pre-requisites for a successful risk assessment exercise. Prior to the Preparation stage, one must recall that there is the high-level Risk Assessment (HiLRA) which determines whether a detailed RA using MyRAM is necessary or not. For the high-level Risk Assessment, the senior management will be the approving authority for this exercise.

Figure 2.1: Preparation Diagram

DESCRIPTION:

The appointed ICTSO should initiate the Preparation stage. This stage is to gather and document all prerequisites prior to the risk assessment exercise for senior management approval.

GOAL:

1. To identify the requirements and justifications for a risk assessment exercise.

2. To specify the objectives and the resources (budget, manpower, time line) required to successfully complete the RA exercise.

3. To obtain endorsement from the senior management to proceed with the risk assessment exercise.

TASK:

1. Setting up a Preliminary Risk Assessment Team.

a. Gather personnel who are working in the operational area.

b. Set up a group led by the ICTSO.

c. Come up with a proposal which details the importance of risk assessment. The proposal should consist of the following attributes:

Preparation


i. Objectives.

ii. Goals.

iii. Key Benefits.

2. Identify Required Resources.

Identify elements (high level information only) for an approval by the senior management.

a. Scope or Review Boundary:

It is advisable that the scope is determined based on core functions of the agency. When the scoping is done for the first RA, only one (1) or two (2) core functions should be looked at. Once experience in performing RA activities is acquired, the agency can extend the boundary to include more processes or functions. Examples of documents that can be reviewed to determine the scope are:

i. client’s charter

ii. work procedure manual

iii. organisational structure

iv. Ketua Pengarah’s desk file/ fail meja

v. standard operating procedures

vi. annual report.

b. Manpower:

Normally, it will take two (2) full-time RA team members and two (2) part-time staff to identify and analyse risks associated with two (2) core business functions.

c. Duration:

For core functions with approximately 100 assets, and at least two (2) full-time and two (2) part-time RA team members, the whole exercise may take approximately three (3) to four (4) months.

d. Allocation of Budget:

If the personnel of the agency perform the exercise, then the agency must look at the costs associated with possible needs for training, software tools and hiring external consultants. If no internal officers are available, the senior management will need to find alternatives to ensure that the risk assessment activity is performed.

3. Obtain Senior Management Commitment and Approval.

a. Table out the proposal to the senior management.

b. Present it either in a discussion session, formal meeting or formal forum.

c. Obtain consensus from the senior management regarding the risk assessment exercise.

Note: Endorsement should be a written approval or acknowledgment from the senior management. It can take the form of a letter, memo, e-mail or any other formal communication method, and should specify the members of the preliminary RA team (based on the proposal written) for the whole exercise.


PRODUCED DOCUMENTS / OUTPUT:

1) Proposal

2) Sample of Memo/Letter on Acknowledgement of RA Exercise to be Conducted

ICT Security Risk Assessment Proposal for Agency <XXX>

1.0 Introduction

2.0 Purpose

3.0 Background of Risk Assessment

3.1 Goals

3.2 Benefits

3.3 Implications

4.0 Recommended Scope

4.1 Scope

4.2 Resources

4.3 Budget

4.4 Timeline

5.0 Authorisation

Sample of Memo/Letter on Acknowledgement of RA Exercise to be Conducted

Subject: Acknowledgement of Undertaking RA Exercise

Thanks.

< Approving Authority >


Chapter 3: Risk Assessment Process

3.0 Introduction

Figure 3.1 below shows that there are ten (10) essential steps altogether in a risk assessment (RA) activity or exercise.

Figure 3.1: Risk Assessment Process Diagram

The input for one step of the RA activity may be taken from the output of one of its previous steps.

Risk Assessment Process: Introduction


Below is an overview of the steps in the risk assessment process, with a description of each step and the tasks involved.

Table 3.1: Description of RA Steps

Step 1: Establishment of Team
Description: Creates a basic component of a risk assessment exercise. The team members that possess vast knowledge of the organisation are identified. Lastly, the schedule and logistics are established to ensure the smoothness of the whole exercise.
Task(s) Involved:
a) Identify the risk assessment team members
b) Draw up Tasking Schedule List

Step 2: Establishment of Review Boundary
Description: Determines the scope of the risk assessment process. The final scope will be submitted to the senior management. Once it has received approval, the risk assessment team will collect all the relevant materials and information.
Task(s) Involved:
a) Identify the scope of the risk assessment
b) Obtain approval from senior management
c) Gather information related to the review boundary
d) Prepare the Review Boundary Document
e) Revisit Step 1 as necessary

Step 3: Identification of Assets
Description: Identifies all the assets which are within the scope of the risk assessment boundary.
Task(s) Involved:
a) Identify related assets
b) Group and classify assets
c) Identify assets' owners and custodians
d) Verify and validate the findings of the questionnaires

Step 4: Valuation of Assets and Establishment of Dependencies Between Assets
Description: Assigns semi-quantitative values to the assets and determines those assets' dependencies.
Task(s) Involved:
a) Identify dependencies associated with the assets
b) Assign a quantified value to each asset
c) Verify and validate the findings of the questionnaires

Step 5: Assessment of Threat
Description: Determines the types of threats associated with the assets, and their relative levels.
Task(s) Involved:
a) Create a generic threat profile
b) Identify all relevant threats to assets
c) Verify and validate the findings of the questionnaires

Step 6: Assessment of Vulnerability
Description: Identifies all potential vulnerabilities which may be exploited by threats. In addition, it rates the relative vulnerability exposure levels.
Task(s) Involved:
a) Identify potential vulnerabilities exploited by threats
b) Verify and validate the findings of the questionnaires

Step 7: Identification of Existing & Planned Safeguards
Description: Identifies all types of existing and planned safeguards which have been or will be deployed to protect the assets.
Task(s) Involved:
a) Review existing and planned safeguards for protecting the assets
b) Verify and validate the findings of the questionnaires

Step 8: Analysis of Impact
Description: Quantifies the business impacts of the assets accordingly. The calculation is based on the assets' values and business loss.
Task(s) Involved:
a) Determine the business loss
b) Determine the impact levels
c) Verify and validate the findings of the questionnaires

Step 9: Analysis of Likelihood
Description: Ascertains the likelihood of threats and vulnerabilities that may happen, with or without safeguard(s) in place.
Task(s) Involved:
a) Determine the likelihood of threats and vulnerabilities that may happen
b) Verify and validate the findings of the questionnaires

Step 10: Calculation of Risk
Description: Calculates the risk level for each asset, based on the impact value and likelihood results.
Task(s) Involved:
a) Calculate the risk level for each asset


3.1 Step 1: Establishment of Team

DESCRIPTION:

The appointed ICTSO should initiate this step, namely Step 1: Establishment of Team. This step formally establishes the team that will conduct the risk assessment exercise. The team member list proposed in the preparation stage needs to be refined. The team should consist of personnel who possess well-balanced skills and knowledge of the organisation.

GOAL:

1. To obtain dedicated team members.

2. To assign tasks to all team members with associated roles and responsibilities.

TASKS:

1. Identify the Risk Assessment Team Members

a. Determine the adequate number of members that should be included in the risk assessment team.

b. Specify the team members’ names, job functions, the sector/unit/department/section/division/vendor.

c. The organisational chart for the RA team consists of the project advisor, project manager, team leader(s) and team member(s).

d. It is important to acknowledge that the project advisor plays a vital role in an RA project. The role is not only to advise as and when required; the project advisor must also conduct the final evaluations, reviews and authorisation of all output and documents before they are presented to the senior management, at all stages and steps of the project.

e. The organisational chart for the RA team is defined as follows:


Figure 3.2: RA Team Organisation Chart

2. Draw up Tasking Schedule List

a. Determine the proper allocation for manpower, tasks and duration.

b. Assign all the team members with appropriate task(s)

PRODUCED DOCUMENTS/ OUTPUT:

1. Team Member List

Consists of the following attribute(s):

a. Number

b. Name

c. Job Function

d. Section/Unit/Department/Division/Vendor

e. RA Function

Note: A letter, memo, e-mail or any formal communication method of appointment will be attached together with this Team Member List for the official establishment of this RA team. The format of the memo or letter can vary depending on the agency's format.

(Figure 3.2, RA Team Organisation Chart, shows: Project Advisor; Project Manager; Team Leader(s); Team Member(s).)


Team Member List (MyRAM/Form/S1-1.0)

No. | Name | Job Function | Sect/Unit/Dept/Div/Vendor | RA Function

Prepared by: < Project Manager >
Reviewed by: < Project Advisor >
Approved by: < Chief Information Officer >

Note: The sign-offs should be with the official stamp.

2. Tasking Schedule List

Consists of the following attribute(s):

a. Activities (Tasks)

b. Duration

c. Start Date and Finish Date

d. Assigned Personnel

e. Venue

f. Output

Tasking Schedule List (MyRAM/Form/S1-2.0)

Activity

1.0 Activity Name (Y Days : Start Date – End Date)

No. | Date | Task Details | RA Team | Venue

Output:
1. Output A
2. Output B

Prepared by: < Team Leader >
Reviewed by: < Project Manager >
Approved by: < Project Advisor >

Note: The sign-offs should be with the official stamp.


3.2 Step 2: Establishment of Review Boundary

DESCRIPTION:

The appointed Team Leader(s) and Project Manager should initiate this step, namely Step 2: Establishment of Review Boundary. This step identifies and refines the boundary statement based on the agreed key processes or functions.

GOAL:

1. To identify appropriate review boundary.

2. To get consensus and approval from the senior management on the agreed review boundary.

TASK:

1. Identify the Scope of the Risk Assessment

a. Gather basic information on the business operations of the organisations.

b. Study and review the business processes.

c. Discuss the requirements with key personnel in the operational area. Scope can be based on:

i. Assets

ii. Business processes or functions

iii. Departments

d. Document the information gathered and present it to the senior management.

Note: It is recommended that core business functions or processes are used as the review boundary.

2. Obtain Approval from Senior Management

Before obtaining approval from senior management on the review boundary or scope of the risk assessment, the project advisor must review and finalise the documents for approval. Approval from senior management is required to ensure senior management is committed to the RA activity.

3. Obtain Materials Related to the Review Boundary

Gather all the relevant documents which are related directly or indirectly to the scope. Some means of information gathering include the following documents:

a. Network Topology.

b. Service-Level Agreements.

c. Security Policies.

d. Standard Operating Procedures.

e. Corporate ICT Security Statements.

f. Process Flow of Business Functions.

Risk Assessment Process: Establishment of Review Boundary


To complement the above documents, the RA team may use other means of information gathering, such as interviews and additional tools, for example a network topology scanning tool.

The risk assessment team may obtain relevant information from the Jabatan Perkhidmatan Awam (JPA), Jabatan Kerja Raya (JKR), the building maintenance contractor, the Office of the Chief Government Security Officer (CGSO) and other supporting agencies.

4. Prepare the Review Boundary Document

a. This document consists of vital information such as:

i. purpose of the risk assessment (RA) exercise,

ii. core businesses,

iii. supporting business processes,

iv. external interfaces involved in the RA scope,

v. personnel,

vi. information assets, and

vii. sites/buildings information.

5. Revisit Step 1 as Necessary

Revisit Step 1 to make sure that the team is sufficient in numbers and skills.

PRODUCED DOCUMENTS/ OUTPUT:

1. Review Boundary Document.

2. List of Related Materials Used.

3. List of Questionnaires With Findings

1. Review Boundary Document

Review Boundary Document

Table of Content
Acronyms
List of Figures
List of Tables

1.0 Purpose
2.0 Background of Review Boundary
3.0 Review Boundary Statement
4.0 Key Business Processes and Functions
5.0 Supporting Business Processes
6.0 External Interfaces
7.0 Personnel
8.0 Information Assets
9.0 Sites/Buildings
10.0 Conclusion

Prepared by: < Project Manager >
Reviewed by: < Project Advisor >
Approved by: < Senior Management Personnel >

Note: The sign-offs should be with the official stamp.


2. List of Related Materials Used

List of Related Materials Used (MyRAM/Form/S2-2.0)

Name | Description

Prepared by: < Team Leader >
Approved by: < Project Manager >

Note: The sign-offs should be with the official stamp.

3. List of Questionnaires With Findings

List of Questionnaires (MyRAM/Form/S2-3.0)

No. | <Topic> Question | Answer | Remark | By Who (Function or Name – If Applicable)

Notes:

a) A sign-off for the questionnaires is required at the High-level Recommendations stage.

b) The sign-offs should be with the official stamp.


3.3 Step 3: Identification of Assets

DESCRIPTION:

The appointed Team Leader(s) should initiate this step, namely Step 3: Identification of Assets. This step identifies all the relevant asset(s) associated with the agreed scope or review boundary of the RA exercise.

GOAL:

1. To gather all the assets that are to be assessed (in relation to the agreed review boundary).

2. To verify the validity of each asset before the assessment begins.

TASK:

1. Identify Related Assets

a. Identify the best asset gathering techniques.

b. Identify questions during interviews and document the responses received.

c. Identify questions during the brainstorming sessions of asset gatheringand document the responses received.

2. Group and Classify Assets

a. Group the assets and classify them based on the following categories:

i. Hardware

ii. Software

iii. Services

iv. Data or Information

v. People

3. Identify Assets Owners and Custodians

Identify the relevant owner(s) and custodian(s) to assets.

4. Verify and Validate the Findings of the Questionnaires

a. The questionnaires distributed and asked in Step 2 need to be revisited.

b. The findings need to be verified and validated to ensure completeness and truthfulness.

Note: A sign-off for the questionnaires is required at the High-level Recommendations stage.

PRODUCED DOCUMENTS / OUTPUT:

1) List of Assets

Consists of the following attribute(s):

a. Number

b. Asset Group

c. Asset ID

d. Asset Name

e. Owner

f. Custodian

g. Location

h. Description of Asset

Risk Assessment Process: Identification of Assets


List of Assets (MyRAM/Form/S3-1.0)

No. | Asset Group | Asset ID | Asset Name | Owner | Custodian | Location | Description of Asset

Prepared by: < Team Leader >
Reviewed by: < Project Manager >
Approved by: < Project Advisor >

Note: The sign-offs should be with the official stamp.


3.4 Step 4: Valuation of Assets and Establishment of Dependencies between Assets

DESCRIPTION:

The appointed Team Leader(s) should initiate this step, namely Step 4: Valuation of Assets and Establishment of Dependencies between Assets. This step determines the value of the assets identified in Step 3. The dependencies between the assets are identified as well.

GOAL:

1. To establish the dependencies of the assets.

2. To assign a quantified value to each identified asset.

TASK:

1. Identify Dependencies Associated with The Asset

a. Identify the dependencies associated with each asset.

b. Verify all discovered dependencies with the assets' owners and custodians.

2. Assign a Quantified Value to Each Asset

a. Give a quantified value based on Confidentiality, Integrity and Availability (CIA).

b. The scale rating is from Low to High.

Notes:

i. Agencies can modify the example criteria used to fit into the agencies' environments.

ii. The project advisor must impress on the RA team the importance of assigning realistic asset values, since inflated or understated values distort the risk calculation result.

3. Verify and Validate the Findings of the Questionnaires

a. The questionnaires distributed and asked in Step 2 need to be revisited.

b. The findings need to be verified and validated to ensure completeness and truthfulness.

Note: A sign-off for the questionnaires is required at the High-level Recommendations stage.

Risk Assessment Process: Valuation of Assets &Establishment of Dependencies between Assets


PRODUCED DOCUMENTS / OUTPUT:

1. Summary of Asset Value & Dependencies

Consists of the following attribute(s):

a. Number

b. Asset Group

c. Asset ID

d. Asset Name

e. Value (C,I,A)

f. Asset Depended On

g. Dependent Asset

h. Asset Value

Summary of Asset Value and Dependencies (MyRAM/Form/S4-1.0)

No. | Asset Group | Asset ID | Asset Name | Asset Value (C, I, A) | Asset Depended On | Dependent Asset | Asset Value

Prepared by: < Team Leader >
Reviewed by: < Project Manager >
Approved by: < Project Advisor >

Note: The sign-offs should be with the official stamp.


3.5 Step 5: Assessment of Threats

DESCRIPTION:

The appointed Team Leader(s) should initiate this step, namely Step 5: Assessment of Threats. This step is to determine the relevant threats to all listed assets.

GOAL:

1. To produce a generic organisational threat profile.

2. To identify all relevant threats to assets.

TASK:

1. Create A Generic Threat Profile

a. Gather list of threats which have occurred before.

b. Gather a list of threats which might occur in future if prevention mechanisms are lacking or not available.

c. Gather a list of threats which may occur even if proactive prevention has been taken.

2. Identify All Relevant Threats to Assets

a. Map all identified assets to relevant threats.

b. Verify the identified threats with owners and custodians.

3. Verify and Validate the Findings of the Questionnaires

a. The questionnaires distributed and asked in Step 2 need to be revisited.

b. The findings need to be verified and validated to ensure completeness and truthfulness.

Note: A sign-off for the questionnaires is required at the High-level Recommendations stage.

PRODUCED DOCUMENTS / OUTPUT:

1. Generic Threat Profile

Consists of the following attribute(s):

a. Threat Group

b. Threat ID

c. Threat Name

d. Threat Description

Risk Assessment Process: Assessment of Threats


Generic Threat Profile (MyRAM/Form/S5-1.0)

Threat Group | Threat ID | Threat Name | Threat Description

Prepared by: < Team Leader >
Reviewed by: < Project Manager >
Approved by: < Project Advisor >

Note: The sign-offs should be with the official stamp.

2. Relevant Threats to Assets

Consists of the following attribute(s):

a. Number

b. Asset Group

c. Asset ID

d. Asset Name

e. Threat Attributes (Threat Group, Threat ID, Threat Name)

Relevant Threat to Asset (MyRAM/Form/S5-2.0)

No. | Asset Group | Asset ID | Asset Name | Threat Group | Threat ID | Threat Name

Prepared by: < Team Leader >
Reviewed by: < Project Manager >
Approved by: < Project Advisor >

Note: The sign-offs should be with the official stamp.


3.6 Step 6: Assessment of Vulnerabilities

DESCRIPTION:

The appointed Team Leader(s) should initiate this step, namely Step 6: Assessment of Vulnerabilities. This step is to determine the relevant vulnerabilities of all assets.

GOAL:

1. To determine the vulnerabilities for each asset

TASK:

1. Identify Potential Vulnerabilities Exploited by Threats

a. Determine vulnerability list which is specific to the organisation.

b. Verify the list with the risk assessment team, owners and custodians.

2. Verify and Validate the Findings of the Questionnaires

a. The questionnaires distributed and asked in Step 2 need to be revisited.

b. The findings need to be verified and validated to ensure completeness and truthfulness.

Note: A sign-off for the questionnaires is required at the High-level Recommendations stage.

PRODUCED DOCUMENTS / OUTPUT:

1. List of Potential Vulnerabilities to Assets

Consists of the following attribute(s):

a. Number

b. Asset Group

c. Asset ID

d. Asset Name

e. Threat Attributes (Threat Group, Threat ID, Threat Name)

f. Vulnerability Attributes (Vulnerability Group, Vulnerability ID, Vulnerability Name)

Risk Assessment Process: Assessment of Vulnerabilities


List of Potential Vulnerabilities to Assets (MyRAM/Form/S6-1.0)

No. | Asset Group | Asset ID | Asset Name | Threat Group | Threat ID | Threat Name | Vulnerability Group | Vulnerability ID | Vulnerability Name

Prepared by: < Team Leader >
Reviewed by: < Project Manager >
Approved by: < Project Advisor >

Note: The sign-offs should be with the official stamp.


Risk Assessment Process: Identification of Existing/PlannedSafeguards

3.7 Step 7: Identification of Existing/Planned Safeguards

DESCRIPTION:

The appointed Team Leader(s) should initiate this step, namely Step 7: Identification of Existing and Planned Safeguards. This step determines the relevant existing or planned safeguards for each identified asset. The chosen safeguards must be based on Annex C: Generic Safeguard List.

GOAL:

1. To identify all relevant existing and planned safeguards or controls for each asset.

TASK:

1. Review Existing and Planned Safeguards For Protecting the Assets

Safeguards (controls) are identified. The types of safeguards to be considered are classified according to the ten (10) domains in Annex C, which are as follows:

a. Security Policy

b. Organisational Security

c. Asset Classification and Control

d. Personnel Security

e. Physical and Environmental Security

f. Communications and Operations Management

g. Access Control

h. System Development and Maintenance

i. Business Continuity Management

j. Compliance

One asset may have several safeguards already in place or planned. The project advisor must consider the most cost-effective safeguards in his/her recommendations.

2. Verify and Validate the Findings of the Questionnaires

a. The questionnaires distributed and asked in Step 2 need to be revisited.

b. The findings need to be verified and validated to ensure completeness and truthfulness.

Note: A sign-off for the questionnaires is required at the High-level Recommendations stage.

PRODUCED DOCUMENTS / OUTPUT:

1. Existing and Planned Safeguards

Consists of the following attribute(s):

a. Number

b. Asset Group

c. Asset ID

d. Asset Name

e. Threat Attributes (Threat Group, Threat ID, Threat Name)

f. Safeguard ID with related Safeguard Name

g. Current Safeguard Solution

h. Type- Existing/Planned


Existing and Planned Safeguards (MyRAM/Form/S7-1.0)

No. | Asset Group | Asset ID | Asset Name | Threat Group | Threat ID | Threat Name | Safeguard ID with related Safeguard Name | Current Safeguard Solution | Type (Existing/Planned)

Prepared by: < Team Leader >
Reviewed by: < Project Manager >
Approved by: < Project Advisor >

Note: The sign-offs should be with the official stamp.


3.8 Step 8: Analysis of Impact

DESCRIPTION:

The appointed Team Leader(s) should initiate this step, namely Step 8: Analysis of Impact. This step is to determine the business impact levels if identified assets are compromised (intentionally or unintentionally).

GOAL:

1. To determine the business loss if an asset were to be compromised.

2. To determine the impact level of each compromised asset.

TASK:

1. Determine the Business Loss

a. Determine the business loss by considering the below attributes:

i. Replacement values of the assets

ii. Reputation values

Notes:

i. Agencies can modify the criteria used to fit into the agencies' environments.

ii. The project advisor must impress on the RA team the importance of assigning realistic asset values, since inflated or understated values distort the risk rating result.

2. Determine the Impact Levels

Determine the impact levels of the identified assets based on the example Impact Level Matrix.

3. Verify and Validate the Findings of the Questionnaires

a. The questionnaires distributed and asked in Step 2 need to be revisited.

b. The findings need to be verified and validated to ensure completeness and truthfulness.

Note: A sign-off for the questionnaires is required at the High-level Recommendations stage.

PRODUCED DOCUMENTS / OUTPUT:

1. Impact Level List

Consists of the following attribute(s):

a. Number

b. Asset Group

c. Asset ID

d. Asset Name

e. Asset Value

f. Business Loss

g. Impact Level

Risk Assessment Process: Analysis of Impact


Impact Level List

No. | Asset Group | Asset ID | Asset Name | Asset Value | Business Loss | Impact Level

Prepared by: < Team Leader >
Reviewed by: < Project Manager >
Approved by: < Project Advisor >

Note: The sign-offs should be with the official stamp.


3.9 Step 9: Analysis of Likelihood

DESCRIPTION:

The appointed Team Leader(s) should initiate this step, namely Step 9: Analysis of Likelihood. This step calculates the likelihood of threats and vulnerabilities compromising the assets, taking the existing and planned safeguards into consideration.

GOAL:

1. To determine the likelihood values of threats and vulnerabilities, taking into consideration the existing and planned controls.

TASK:

1. Determine the Likelihood of Threats and Vulnerabilities That May Happen

a. Utilise the outputs from Step 5, Step 6 and Step 7

i. Step 5 - Threats

ii. Step 6 - Vulnerabilities

iii. Step 7 - Safeguards

b. Determine the likelihood that a specific asset might be compromised.

c. Analyse the threats, vulnerabilities and controls which have been identified, taking the following attributes into consideration:

i. Past experience.

ii. Probability of future occurrences

iii. Implementation of safeguards or controls.

2. Verify and Validate the Findings of the Questionnaires

a. The questionnaires distributed and asked in Step 2 need to be revisited.

b. The findings need to be verified and validated to ensure completeness and truthfulness. At this stage, ensure that all the questions have some valid answers.

Note: A sign-off for the questionnaires is required at the High-Level Recommendations stage.

PRODUCED DOCUMENTS / OUTPUTS:

1. Likelihood List

Consists of the following attribute(s):

a. Number

b. Asset Group

c. Asset ID

d. Asset Name

e. Threat Attributes (Threat ID, Threat Name)

f. Vulnerability Attributes (Vulnerability ID, Vulnerability Name)

g. Current Safeguard Solution

h. Likelihood

Risk Assessment Process: Analysis of Likelihood


Likelihood List
MyRAM/Form/S9-1.0

No. | Asset Group | Asset ID | Asset Name | Threat ID | Threat Name | Vulnerability ID | Vulnerability Name | Current Safeguard Solution | Likelihood

Prepared by: _________________ < Team Leader >
Reviewed by: ___________________ < Project Manager >
Approved by: ______________________ < Project Advisor >

Note: The sign-offs should be with the official stamp.


3.10 Step 10: Calculation of Risk

DESCRIPTION:

The appointed Team Leader(s) should initiate this step, namely Step 10: Calculation of Risk. This step obtains the risk level rating for each asset, based on the risk matrix table.

GOAL:

1. To get each asset’s risk level rating based on the risk matrix table.

TASK:

1. Calculate The Risk Level For Each Asset

a. Calculate risk based on the prescribed risk matrix table.

b. Use the results from previous steps

i. Step 8 - Impact Level

ii. Step 9 – Likelihood

PRODUCED DOCUMENTS / OUTPUT:

1. Risk Matrix

Consists of the following attribute(s):

a. Number

b. Asset Group

c. Asset ID

d. Asset Name

e. Threat ID

f. Threat Name

g. Impact Level

h. Likelihood

i. Risk Level

Risk Matrix
MyRAM/Form/S10-1.0

No. | Asset Group | Asset ID | Asset Name | Threat ID | Threat Name | Impact Level | Likelihood | Risk Level

Prepared by: _____________________ < Team Leader >
Reviewed by: _____________________ < Project Manager >
Approved by: _______________________ < Project Advisor >

Note: The sign-offs should be with the official stamp.

Risk Assessment Process: Calculation of Risk


High-Level Recommendations: Decision on Options

Chapter 4: High-Level Recommendations

4.0 Introduction

Figure 4.1 shows that decisions of whether to accept, reduce, transfer, or avoid risks that have been identified must be made only after the risk assessment exercise has been completed.

Figure 4.1: High-Level Recommendation Diagram

4.1 Decision on Options

DESCRIPTION:

The appointed Project Manager should initiate this stage. The Project Advisor will advise on the suitability of the decisions made. The purpose is to provide a high-level recommendation after risk levels are identified and analysed. The organisations need to decide whether to accept, reduce, transfer, or avoid the identified risk.

GOAL:

1. To decide on whether to accept, reduce, transfer or avoid risk.

TASK:

1. Analyse The Attributes To Be Considered Prior To The Decision-Making

The decision of whether to accept, reduce, transfer or avoid the risks catalogued must take the following factors into consideration:

a. Time

b. Money

c. Manpower

d. Equipment

2. Determine The Option Of How To Handle The Risk

a. The result of Step 10 (from Chapter 3: Risk Assessment Process) details the risk level associated with each identified asset.

b. If the risks are accepted, no immediate plan is carried out or action taken to protect the asset.


c. The risks are reduced when they are regarded as having High/H or Medium/M impact. Here, risks are mitigated by deploying the proper controls (counter-measures) to ensure that critical business operations continue with no downtime.

d. In transferring risks, the risks are moved to another organisation, entity or cause. One may want to transfer risks when they are at the level of Low/L or Medium/M. An example of this is transferring risks to a third party organisation.

e. Risks should be avoided altogether when there is no reasonable control available to be implemented by the organisation. This decision needs to be treated with caution, since most of the time the only way to avoid risks is to totally disconnect the system.

f. Good security controls combine most of the options above. When an asset has a high value of business impact as well as a high likelihood of getting "attacked", it is advisable to first reduce the risk by deploying more controls and then transfer the remaining risk to a third party organisation. In the end, what is left is an acceptable residual risk level for that particular asset.

The presentation to the senior management on the risk analysis information obtained contains the following information:

i. An understanding of the relation between risk calculation results and senior management decisions in protecting critical assets.

ii. Any terms and concepts that may be new or different - for example, assets, threats, risk and risk profile - explained precisely and concisely.

iii. Composite, analysed results of the survey data, presented in a table or as graphical, easy-to-read information. Each identified level of risk should also state specific implications.

iv. Data on protection strategy practices and organisational vulnerabilities, segregated in tables according to practice areas.

v. Threat, risk and vulnerability information for each critical asset, tabled.

The senior management will then determine the best approach to combat all identified risks: do some of them need to be mitigated? If so, then how would that affect the resources and budget of the organisation?
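The chain from Step 9 (likelihood) through Step 10 (risk matrix) to the accept / reduce / transfer / avoid options of task 2 above, as an added worked example that is not part of the MyRAM handbook or any MAMPU tooling. The handbook's prescribed risk matrix table is not reproduced on this page, so the 3x3 matrix, the likelihood scoring rule and the mapping from risk level to option are all assumptions, the `Finding` record type and function names are hypothetical, and the three input findings are constructed. The example goes slightly beyond the text by producing the Decision on Options rows in the column order of form HLR-1.0 (with the Step 9 likelihood added for traceability) and leaving the Decision column empty, as the handbook requires, until senior management has decided.

```python
"""Worked example of MyRAM Step 9, Step 10 and Decision on Options.

Added illustration, not MAMPU's own code. The level scales, the 3x3
risk matrix, the likelihood scoring and the option mapping are
ASSUMPTIONS; the handbook's prescribed risk matrix table is not
reproduced on the page.
"""
from dataclasses import dataclass

LEVELS = ("L", "M", "H")  # Low / Medium / High, as used in the handbook

# ASSUMED risk matrix: RISK_MATRIX[impact_level][likelihood] -> risk level.
RISK_MATRIX = {
    "H": {"H": "H", "M": "H", "L": "M"},
    "M": {"H": "H", "M": "M", "L": "L"},
    "L": {"H": "M", "M": "L", "L": "L"},
}

# ASSUMED mapping of the Step 10 risk level to the options of section 4.1.
OPTION_BY_RISK = {
    "H": "Reduce, then transfer residual risk",
    "M": "Reduce",
    "L": "Accept",
}


@dataclass
class Finding:
    """One asset / threat / vulnerability combination (hypothetical record
    type assembling the outputs of Steps 5 to 8)."""
    number: int
    asset_group: str
    asset_id: str
    asset_name: str
    threat_id: str
    threat_name: str
    vuln_id: str
    vuln_name: str
    safeguard: str             # current safeguard solution (Step 7)
    impact_level: str          # Step 8 output: L / M / H
    future_probability: str    # assessed probability of future occurrence
    past_incidents: int        # past experience: incidents already observed
    safeguard_effective: bool  # is the safeguard implemented and working?
    control_available: bool = True  # False -> no reasonable control exists


def _check_level(value: str) -> str:
    """Reject anything outside the L/M/H scale instead of guessing."""
    if value not in LEVELS:
        raise ValueError(f"level must be one of {LEVELS}, got {value!r}")
    return value


def step9_likelihood(f: Finding) -> str:
    """Step 9 (assumed scoring): start from the assessed future probability,
    move one level up when the threat has already occurred, and one level
    down when an effective safeguard is in place."""
    idx = LEVELS.index(_check_level(f.future_probability))
    if f.past_incidents > 0:
        idx = min(idx + 1, len(LEVELS) - 1)
    if f.safeguard_effective:
        idx = max(idx - 1, 0)
    return LEVELS[idx]


def step10_risk(impact_level: str, likelihood: str) -> str:
    """Step 10: read the risk level off the (assumed) risk matrix."""
    return RISK_MATRIX[_check_level(impact_level)][_check_level(likelihood)]


def recommend_option(risk_level: str, control_available: bool) -> str:
    """Section 4.1: avoid when no reasonable control exists, otherwise map
    the risk level to accept / reduce / transfer (assumed mapping)."""
    if not control_available:
        return "Avoid"
    return OPTION_BY_RISK[_check_level(risk_level)]


def decision_on_options(findings):
    """One Decision on Options row per finding, in form HLR-1.0 column order
    (plus Likelihood). Decision stays empty until management has decided."""
    rows = []
    for f in findings:
        likelihood = step9_likelihood(f)
        risk = step10_risk(f.impact_level, likelihood)
        rows.append({
            "No.": f.number, "Asset Group": f.asset_group,
            "Asset ID": f.asset_id, "Asset Name": f.asset_name,
            "Threat ID": f.threat_id, "Threat Name": f.threat_name,
            "Existing/Planned Safeguard": f.safeguard,
            "Likelihood": likelihood, "Risk Level": risk,
            "Recommendation": recommend_option(risk, f.control_available),
            "Decision": "",
        })
    return rows


# Constructed sample findings (not from any real assessment).
SAMPLE_FINDINGS = [
    Finding(1, "Server", "SRV-01", "Payroll database server", "T-01",
            "Unauthorised access", "V-01", "Weak administrator password policy",
            "Password policy (planned)", "H", "M", 2, False),
    Finding(2, "Network", "NET-03", "Branch office router", "T-04",
            "Denial of service", "V-07", "Outdated firmware",
            "Patch management, quarterly", "M", "M", 0, True),
    Finding(3, "Application", "APP-09", "Legacy reporting tool", "T-02",
            "Malicious code", "V-11", "Unsupported runtime",
            "None", "L", "H", 0, False, control_available=False),
]

if __name__ == "__main__":
    for row in decision_on_options(SAMPLE_FINDINGS):
        print(row)
```

Running the block prints one row per constructed finding; the first lands at risk H with "Reduce, then transfer residual risk", the second drops to risk L after its effective safeguard is credited and is recommended for acceptance, and the third is recommended for avoidance because no reasonable control is available. Replacing `RISK_MATRIX` with the agency's prescribed table is the only change needed to align the lookup with the handbook.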

PRODUCED DOCUMENTS / OUTPUT:

1. Decision on Options

Consists of the following attribute(s):

a. Number

b. Asset Group

c. Asset ID

d. Asset Name

e. Threat ID

f. Threat Name

g. Existing/Planned Safeguard

h. Risk Level

i. Recommendation

j. Decision (note: to be filled-up only after the management’s decision).


Decision on Options
MyRAM/Form/HLR-1.0

No. | Asset Group | Asset ID | Asset Name | Threat ID | Threat Name | Existing/Planned Safeguard(s) | Risk Level | Recommendation | Decision

Prepared by: _________________ < Team Leader >
Reviewed by: ___________________ < Project Manager >
Approved by: ______________________ < Project Advisor >

Note: The sign-offs should be with the official stamp.


4.2 Protection Strategy

DESCRIPTION:

The appointed Project Manager should initiate this stage. The team members are heavily involved in this step as well. The results of the previous section, section 4.1, provide the RA team with a prioritisation of risk for the assets with related threats and vulnerabilities. This prioritisation allows the team to develop a security improvement program in stages: High risk assets with related threats and vulnerabilities would possibly need to be reduced before trying to reduce Medium risk. This step guides the RA team in developing safeguard options.

TASK:

1. Choose Safeguard Groups

These groups are based on the ten (10) security domains available in BS 7799.

a. Security Policy

b. Organisational Security

c. Asset Classification and Control

d. Personnel Security

e. Physical and Environmental Security

f. Communications and Operations Management

g. Access Control

h. System Maintenance

i. Business Continuity Management

j. Compliance

2. Examine Safeguard Attributes

The attributes to be examined are:

a. Function

b. Strength

c. Correctness

3. Examine Safeguard Cost

It is very natural, especially for the senior management, to think about the costs associated with safeguards to be put in place. When considering costs, the following attributes should be considered (but not limited to):

a. Cost to acquire and install the safeguards.

b. Cost for training requirements.

c. Cost for ongoing operating expenses like power, personnel requirements, and maintenance.

d. Indirect cost to productivity level.

e. Indirect cost like life expectancy of the safeguard and the assets it protects.

High-Level Recommendations: Protection Strategy


4. Examine Safeguard Effectiveness

Other than the attributes and costs mentioned above, the following factors should also be examined:

a. Dependencies on other safeguards.

b. Human intervention. Safeguards with less human intervention are generally more reliable.

c. User acceptability. Safeguards should be easy to use and apply, as well as user friendly.

5. Select the Options

With all the above considerations, the RA team can now select the options. A preferred option must be highlighted with a brief explanation and justification.

PRODUCED DOCUMENTS / OUTPUTS:

1. Protection Strategy

Consists of the following attribute(s):

a. Number

b. Asset Group

c. Asset ID

d. Asset Name

e. Threat ID

f. Threat Name

g. Existing/Planned Safeguard(s)

h. Risk Level

i. Recommendation

j. Protection Strategy

k. Justification


Protection Strategy
MyRAM/Form/HLR-2.0

No. | Asset Group | Asset ID | Asset Name | Threat ID | Threat Name | Existing/Planned Safeguard(s) | Risk Level | Recommendation | Protection Strategy | Justification

Prepared by: _________________ < Team Leader >
Reviewed by: ___________________ < Project Manager >
Approved by: ______________________ < Project Advisor >

Note: The sign-offs should be with the official stamp.


High-Level Recommendations: Summary to High-Level Recommendations

4.3 Summary to High-Level Recommendations

DESCRIPTION:

Once the RA activity is completed, the RA team needs to present the findings to the senior management for approval. Once the approval is obtained, the next course of action is determined.

TASK:

1. Present Findings to the Senior Management

The findings are presented to the senior management. A summary report is produced. A formal presentation session is scheduled.

2. Determine the Next Course of Action

Once the final approval is obtained, the RA team needs to determine what should be done next to ensure that vulnerable and critical assets are protected adequately. A detailed action plan and roadmap need to be drafted based on the senior management's decision as well as the protection strategy developed.

3. Sign-off Questionnaires

The set of questionnaires which were used for information gathering from Step 2 until Step 9 is signed off at this stage. It is included as an Appendix at the end of the Summary Report to the Senior Management.


Output (Sample Summary Report)

1. Sample Summary Report on RA Activity

ICT Security RA Report for Agency <XXX>

List of Tables

List of Figures

Glossary

Related Reference

Structure of the Report

Executive Summary

1.0 Introduction

1.1 Background

1.2 Objectives of Security Risk Assessment

1.3 Scope of Security Risk Assessment

2.0 Security Risk Assessment Methodology

3.0 Analysis of Findings

3.1 Current Snapshot of the Infra and Info Structure

3.2 Summary of the Result

3.2.1 Asset Classification and Valuation

3.2.2 Threats, Vulnerability and Safeguard Analysis

3.2.3 Business Impact Analysis

3.2.4 Likelihood

3.2.5 Overall Risk Analysis Distribution

4.0 High-level Recommendations

4.1 Decision on Options

4.2 Protection Strategy

5.0 Conclusion

Annexes

Annex A: Preparation

Annex B: Step 1 – Establishment of Team

Annex C: Step 2 – Establishment of Review Boundary

Annex D: Step 3 – Identification of Assets

Annex E: Step 4 – Valuation of Assets

Annex F: Step 5 – Assessment of Threats

Annex G: Step 6 – Assessment of Vulnerabilities

Annex H: Step 7 – Identification of Existing and Planned Safeguards

Annex I: Step 8 – Analysis of Impact

Annex J: Step 9 – Analysis of Likelihood

Annex K: Step 10 – Calculation of Risk

Annex L: Decision on Options

Prepared by: _____________________ < Project Manager >
Reviewed by: _____________________ < Project Advisor >
Approved by: ______________________________ < Senior Management Personnel >

Note: The sign-offs should be with the official stamp.
