IS Risk Assessment example

Upload: ramiro-cid

Post on 12-Jun-2015

DESCRIPTION

IS Risk Assessment example using ISO/IEC 27005. In this example, 6 different applications are evaluated by analysing the risk associated with different vulnerabilities and threats. The scales for asset value, probability, impact and risk are shown.

TRANSCRIPT

Page 1: IS Risk Assessment example
Page 2: IS Risk Assessment example

IS Security Risk Assessment

Date: 29th of July, 2013

Document version: v 1

Prepared by: Ramiro Cid

Approved by:

Explanations

1. This Risk Assessment is done based on the standard ISO/IEC 27005 (Information Security Risk Management).

2. A more detailed description of the Assets Valuation can be found on the sheet "Assets list".

3. A more detailed description of the Threats and Vulnerabilities Valuation and of the Risk Calculation can be found on the sheet "References & Scores".

4. The Risk Assessment for the different asset categories is described/included in the sheet "Risk Analysis".

Assumptions

1. Data classification has not been done yet. At this stage, Critical Business data is valued in the Risk Assessment as:

Confidentiality - High

Integrity - Medium

Availability - Medium

In this version it was considered that no data is processed in the country for which:

degradation of the accuracy and completeness of data is unacceptable (Integrity - High);

the asset/information is required on a 24x7 basis (Availability - High).

2. This is the 1st version of the Risk Assessment. Potential updates and improvements require more time for investigation and will be included in future versions.

3. The current version of the Risk Assessment mainly covers the assets and risks that are under Country IS Service Management control.

4. The current version of the Risk Assessment has little or no coverage (in almost all cases) of the assets and risks related to global functions (Enterprise organization):

Central Firewall

SAP development, support, etc.

Industrial sites, location and technical networks

Etc.

These assets and risks will be covered in future versions.

Page 3: IS Risk Assessment example

Estimation of Probability

Columns: Score; Probability; Attributes (A); Control Environment (C)

Score 1
Probability: Never happens or has not happened
Attributes (A): Small attacker population (insider knowledge); Not remotely executable; Administrator privileges needed; Not automated; Not a publicly published attack method. Score 1 if all five apply
Control Environment (C): Strong existing controls, well tested, make this very unlikely. OR, an unlikely target

Score 2
Probability: Rarely happened
Attributes (A): Somewhere between 1 and 3
Control Environment (C): Existing controls believed to be strong but not tested recently. OR, not a likely target

Score 3
Probability: Could happen periodically or
Attributes (A): Medium attacker population (specialist)
Control Environment (C): Existing controls believed to be

Score 4
Probability: Regular, frequently
Attributes (A): Somewhere between 3 and 5
Control Environment (C): Weak controls and a likely target

Score 5
Attributes (A): Large attacker population (hobbyists); Remotely executable; Anonymous privileges needed; Automated; Publicly published attack method. Score 5 if any apply
Control Environment (C): No controls and a very likely target

Page 4: IS Risk Assessment example

Assets

In this sheet are described the assets included in the country in relation to IT Security.

Domain Asset name Asset value

[ASS-APP-1] Application #1 Very High Value

[ASS-APP-2] Application #2 High Value

[ASS-APP-3] Application #3 Very High Value

[ASS-APP-4] Application #4 High Value

[ASS-APP-5] Application #5 Very High Value

[ASS-APP-6] Application #6 Very High Value

Page 5: IS Risk Assessment example

Columns: Asset; Global/Local; Location/s; Business Owner; Power user; C; I; A; Asset Value; Threat; Threat description; Vulnerability; Controls/practices; Asset Value; Impact; Probability; Risk; New mitigation actions (Planned mitigation activities/controls)

Threat: Inside users can accidentally read or modify customers' confidential information
Threat description: A human error when building up a user profile can allow a user to access unauthorized information
Vulnerability: User profile is not double-checked by another person before assignment
Controls/practices: Periodical review of users' access
Asset Value / Impact / Probability / Risk: 5 / 4 / 2 / 11
New mitigation actions: A person other than the user's manager should verify the correct creation of the user profile before assignment, or test the profile before assignment

Threat: Not authorized users can read confidential information
Threat description: Someone can copy information
Vulnerability: It is possible to read and copy confidential information from a colleague's desk
Controls/practices: Active Directory policy locks the session after 15 minutes of no activity; users lock the desk before leaving the office desk
Asset Value / Impact / Probability / Risk: 5 / 4 / 1 / 10
New mitigation actions: Segregate users authorised to read confidential information from people not authorized

Threat: Inside people export confidential information outside the application
Threat description: Authorized users can export information
Vulnerability: It is possible to download information onto a personal laptop (with no encrypted disks) or onto mobile devices, or to export files, so losing any kind of control inside the application
Controls/practices: Verification of logs to check access, exportation of data and printing of information
Asset Value / Impact / Probability / Risk: 5 / 4 / 4 / 13
New mitigation actions: Encrypt laptop disks. Limit the rights to export data to the minimum number of users. Create an authorization process to allow a user to export data. Lock some fields so they cannot be exported

Threat: WAN communication problem interrupts client session
Threat description: Packet transmission losses put the Citrix session in time out
Vulnerability: The Citrix client session does not withstand packet losses; the connection goes down because it is very sensitive to time out if communications have some short cuts
Controls/practices: Open incident for WAN packet losses
Asset Value / Impact / Probability / Risk: 5 / 1 / 1 / 7
New mitigation actions: Ask the carrier to introduce a minimum guaranteed performance in the SLA

Threat: Data loss
Threat description: Data loss in PDA containing confidential information
Vulnerability: A PDA can be stolen or get lost outside the company. PDAs are not controlled by Active Directory (they are not in the domain)
Controls/practices: To use a PDA, a personal password and a unit password are required; after 10 attempts for each required password, access is locked and only Application #1 Administrators are in charge of unlocking it
Asset Value / Impact / Probability / Risk: 5 / 3 / 2 / 10
New mitigation actions: Make users accountable for recharging the cost of the PDA when it gets lost. Remote deletion of data by an admin if the user reports the PDA as stolen or lost. Training for users about physical security best practices for PDA use. After 10 attempts, not only block the PDA but also remove the data. Reduce Application #1 grace logins from 10 to only 3 attempts

Asset: Application #2; Global/Local: Local; Location: Tokio; Business Owner: Akira Takahashi; Power user: Takeshi Suzuki; C I A Asset Value: 3 4 4 4

Threat: Company XX password compromised; Disclosure of personal data
Threat description: To allow continuity of service during vacation, dispatchers share their passwords. Dispatchers are used to putting their passwords in a list with all dispatcher credentials
Vulnerability: The password loses its confidentiality characteristic. No possibility to trace responsibilities in case of data corruption, data losses or disclosure of information. Loss of any personal confidentiality
Controls/practices: Application #2 uses a self-profiling system not directly connected with Active Directory
Asset Value / Impact / Probability / Risk: 4 / 5 / 4 / 13
New mitigation actions: Create an Application #2 special profile for dispatchers, independent from Active Directory. Never share Active Directory passwords. In case mail needs to be shared too, create a special dispatcher mail-in box; if the mail-in box does not solve the problem, use Corporate email internal delegation to assign mail reader rights to other colleagues. Avoid the creation of lists of Application #2 user credentials; if no other solution exists, keep this list in a locked place under surveillance

Asset: Application #3; Global/Local: Local; Location: Cape Town; Business Owner: Addae Wilkins; Power user: Michael Andersen; C I A Asset Value: 5 2 2 5

Threat: Disclosure of personal sensitive data
Threat description: Only for some employees, sensitive personal data that is not necessary for the company has been collected and stored in the application
Vulnerability: Treatment of this data is not complying with data protection law
Controls/practices: The replacement of this application with Saphron is almost completed
Asset Value / Impact / Probability / Risk: 5 / 3 / 3 / 11
New mitigation actions: Remove sensitive data not required and not necessary for the company. When the data transfer to Saphron is completed, remove the old application from Corporate email

Threat: Disclosure of confidential data
Threat description: Internal maintenance technicians have a high probability of accidentally reading confidential information
Vulnerability: Users do not always control the intervention of technicians. Technicians have not signed any confidentiality agreement. Technicians have not been trained about protection of confidential data
Controls/practices: Ethical / professional training
Asset Value / Impact / Probability / Risk: 5 / 3 / 4 / 12
New mitigation actions: Technicians (internal and external) should be trained about protection of confidential data to understand their responsibilities. Technicians (internal and external) should sign an internal confidentiality agreement

Threat: User password compromised
Threat description: Due to maintenance reasons and/or connection testing, users reveal their password
Vulnerability: No possibility to use the Administrator password to test user connections. Technicians have not signed any confidentiality agreement
Controls/practices: Password change
Asset Value / Impact / Probability / Risk: 5 / 3 / 5 / 13
New mitigation actions: Technicians should always recommend a password change to the users after their intervention (if possible, technicians have to set "change on next logon"). Technicians (internal and external) should sign an internal confidentiality agreement

Asset: Application #1; Global/Local: Local; Location: Prague; Business Owner: Grozny Poznatky; Power user: Vítězslav Novotný; C I A Asset Value: 4 5 5 5

Asset: Application #4; Global/Local: Local; Location: São Paulo; Business Owner: Carlos dos Santos; Power user: Patricia da Silva; C I A Asset Value: 4 5 4 4

Page 6: IS Risk Assessment example

Asset: Application #5; Global/Local: Local; Location: Paris; Business Owner: Ludovic Dupond; Power user: Sophie Renou; C I A Asset Value: 5 4 5 5

Threat: Disclosure of confidential data
Threat description: Maintenance technicians of users' Corporate email mail have a high probability of accidentally reading confidential information
Vulnerability: Users do not always control the intervention of technicians. Technicians have not signed any confidentiality agreement. Technicians have not been trained about protection of confidential data
Controls/practices: Ethical / professional training
Asset Value / Impact / Probability / Risk: 5 / 3 / 4 / 12
New mitigation actions: Technicians (internal and external) should be trained about protection of confidential data to understand their responsibilities. Technicians (internal and external) should sign an internal confidentiality agreement

Threat: Inadequate user identification
Threat description: Passwords of customers without expiration time
Vulnerability: The application is not managing password expiration
Controls/practices: Customers are divided according to customer belonging. User profile limited to a specific customer's customers
Asset Value / Impact / Probability / Risk: 5 / 5 / 4 / 14
New mitigation actions: The application must be modified to force periodical password expiration

Threat: Deliberate disclosure of private sensitive data
Threat description: A customer's password without expiration time can be easily identified
Vulnerability: The application is not managing password expiration
Controls/practices: Customers are divided according to customer belonging. User profile limited to a specific customer's customers
Asset Value / Impact / Probability / Risk: 5 / 5 / 4 / 14
New mitigation actions: The application must be modified to force periodical password expiration to increase user identification

Threat: Deliberate corruption or loss of sensitive private data
Threat description: Some customers have rights to create or modify doctor prescriptions. Passwords of customers without expiration
Vulnerability: A doctor's id with weak password security can be used to forge access and destroy or change customers' prescriptions
Controls/practices: Customers are divided according to customer belonging. User profile limited to a specific customer's customers
Asset Value / Impact / Probability / Risk: 5 / 5 / 4 / 14
New mitigation actions: The application must be modified to force periodical password expiration to increase user identification (for external users)

Threat: Forcing of access rights
Threat description: Customer user id has weak quality
Vulnerability: The user id is created using the last name and the first letter of the first name, which is not adequate to the importance of the data stored
Controls/practices: Customers are divided according to customer belonging. User profile limited to a specific customer's customers
Asset Value / Impact / Probability / Risk: 5 / 5 / 4 / 14
New mitigation actions: A more adequate policy for customer id quality should be implemented to reduce the possibility of discovering IDs

Threat: Accidental disclosure of private sensitive data
Threat description: External IT developers can see all data
Vulnerability: No segregation of data for development scope
Controls/practices: External developers are identified by Company XX Active Directory
Asset Value / Impact / Probability / Risk: 5 / 4 / 5 / 14
New mitigation actions: Developers should never work using production data

Threat: Missing third party confidentiality agreement
Threat description: External developers have not signed any confidentiality agreement with Company XX
Vulnerability: Lack of third party control
Controls/practices: No controls in this case
Asset Value / Impact / Probability / Risk: 5 / 4 / 4 / 13
New mitigation actions: External developers have to sign a confidentiality agreement

Threat: Loss of identification control
Threat description: Customers that are not using the application client are allowed to store their access credentials in their internet browser
Vulnerability: With access credentials stored in the internet browser it is not possible to guarantee the identification of the user
Controls/practices: No controls in this case
Asset Value / Impact / Probability / Risk: 5 / 4 / 4 / 13
New mitigation actions: Company XX should ask customers to subscribe to an agreement that they implement a security policy forbidding access credentials in browsers. Modify the web application in order to avoid automatic logon

Threat: Accidental physical access to private sensitive data
Threat description: People not authorized could accidentally access private sensitive data
Vulnerability: There is no physically restricted area to prevent data access by unauthorized people
Controls/practices: No controls in this case
Asset Value / Impact / Probability / Risk: 5 / 4 / 5 / 14
New mitigation actions: A physically restricted area to avoid accidental access to private sensitive data should be implemented

Threat: Loss of confidentiality
Threat description: All application users can export data from the application to a local file
Vulnerability: No possibility to apply confidentiality controls on the exported local file
Controls/practices: No controls in this case
Asset Value / Impact / Probability / Risk: 5 / 5 / 5 / 15
New mitigation actions: Export of data from the application to a local file should be forbidden

Asset: Application #6; Global/Local: Global; Location: Rome; Business Owner: Marco Biasini; Power user: Irene Massa; C I A Asset Value: 5 5 5 5

Page 7: IS Risk Assessment example
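In every row of the Risk Analysis sheet above, the Risk column equals Asset Value + Impact + Probability (5 + 4 + 2 = 11 on the first row, 5 + 5 + 5 = 15 on the last). The Python script below is an added example, not part of the original spreadsheet: it holds the 19 risk rows transcribed from that sheet, recomputes each score with the additive formula, flags any row whose stated risk disagrees, ranks the entries at or above a treatment threshold, and re-scores a row after a planned mitigation changes one factor. The additive formula and the 1..5 scale per factor are inferred from the sheet's numbers, because the "References & Scores" sheet that defines the calculation is not shown on the page; the threshold of 14 is a constructed value, not an acceptance criterion the assessment states.

```python
"""Risk register checks for the "Risk Analysis" sheet transcribed on this page.

Added example; it is not part of the original spreadsheet. The rows are
transcribed from the sheet (threat, asset value, impact, probability, stated
risk). The formula risk = asset value + impact + probability is inferred from
those rows (every stated risk equals that sum); the page does not show the
"References & Scores" sheet that defines the calculation, so confirm the
formula there before reusing this script on another assessment.
"""
from dataclasses import dataclass, replace

# Each factor uses a 1..5 scale (see the probability scale on page 3), so a
# risk total can range from 3 to 15.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class RiskEntry:
    threat: str
    asset_value: int
    impact: int
    probability: int
    stated_risk: int  # the value written in the sheet's "Risk" column

    def computed_risk(self) -> int:
        """Recompute the risk score; rejects factors outside the 1..5 scale."""
        for name in ("asset_value", "impact", "probability"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name}={value} is outside {SCALE_MIN}..{SCALE_MAX}")
        return self.asset_value + self.impact + self.probability


# Rows transcribed from the sheet on this page, in the order they appear.
REGISTER = [
    RiskEntry("Inside users accidentally read or modify confidential information", 5, 4, 2, 11),
    RiskEntry("Not authorized users can read confidential information", 5, 4, 1, 10),
    RiskEntry("Inside people export confidential information outside the application", 5, 4, 4, 13),
    RiskEntry("WAN communication problem interrupts client session", 5, 1, 1, 7),
    RiskEntry("Data loss in PDA containing confidential information", 5, 3, 2, 10),
    RiskEntry("Company XX password compromised", 4, 5, 4, 13),
    RiskEntry("Disclosure of personal sensitive data (data protection law)", 5, 3, 3, 11),
    RiskEntry("Disclosure of confidential data by maintenance technicians", 5, 3, 4, 12),
    RiskEntry("User password compromised during maintenance", 5, 3, 5, 13),
    RiskEntry("Disclosure of confidential data by email maintenance technicians", 5, 3, 4, 12),
    RiskEntry("Inadequate user identification (no password expiration)", 5, 5, 4, 14),
    RiskEntry("Deliberate disclosure of private sensitive data", 5, 5, 4, 14),
    RiskEntry("Deliberate corruption or loss of sensitive private data", 5, 5, 4, 14),
    RiskEntry("Forcing of access rights (weak user id)", 5, 5, 4, 14),
    RiskEntry("Accidental disclosure to external IT developers", 5, 4, 5, 14),
    RiskEntry("Missing third party confidentiality agreement", 5, 4, 4, 13),
    RiskEntry("Loss of identification control (credentials in browser)", 5, 4, 4, 13),
    RiskEntry("Accidental physical access to private sensitive data", 5, 4, 5, 14),
    RiskEntry("Loss of confidentiality (export to local file)", 5, 5, 5, 15),
]


def inconsistent_rows(register):
    """Threats whose stated risk does not match the additive formula."""
    return [e.threat for e in register if e.computed_risk() != e.stated_risk]


def ranked(register, threshold):
    """Entries scoring at or above `threshold`, highest risk first.

    The threshold is a constructed treatment trigger: the sheet states no
    risk acceptance criterion, so take it from your own policy.
    """
    hits = [e for e in register if e.computed_risk() >= threshold]
    return sorted(hits, key=lambda e: (-e.computed_risk(), e.threat))


def what_if(entry, **changed_factors):
    """Re-score an entry after a planned mitigation changes one or more factors,
    e.g. what_if(entry, probability=2) once a new control is in place."""
    return replace(entry, **changed_factors).computed_risk()


if __name__ == "__main__":
    print("rows inconsistent with value + impact + probability:", inconsistent_rows(REGISTER))
    for entry in ranked(REGISTER, 14):
        print(f"{entry.computed_risk():2d}  {entry.threat}")
    # The export-outside-the-application row drops from 13 to 11 if its
    # planned export restrictions bring probability down from 4 to 2.
    print("export risk after mitigation:", what_if(REGISTER[2], probability=2))
```

Running the script reports no inconsistent rows, lists the seven entries scoring 14 or more with the local-file export risk (15) first, and shows the export-outside-the-application row falling from 13 to 11 when its probability is reduced from 4 to 2. The probability and impact values stay the author's judgements; the script only makes the arithmetic and the ranking repeatable when the register is updated.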