RA-ID | Risk Owner | Information Asset/ infrastructure-Management (Risk Area) | Form / Nature of Asset | Applicable Threats (NEW) | RA Date | Impact Rating | Justification | Existing Controls (=Strengths) | Missing Controls (=Weaknesses) | Vulnerability | Justification | Probability | Justification | Revised Risk Value | Recommendation (Yes or No) | Revised Risk Category | Residual Risks |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
xxx-RA-01 | All Departments | xxx Employees (All personnel) | Personnel – Internal | Leak of Sensitive / Critical Data | 01.01.1900 | 4 | Teams have category 4 information | 1. Background screening in place, 2. Most employees undergo induction training, 3. All employees sign code of conduct | 1. People have the opportunity to send emails. Consider DLP solution to reduce the opportunity of information theft. (Check whether DLP is implemented in Office 365?) | 3 | One major vulnerability identified, however the ‘ease’ factor has high impact | 2 | Human behaviour is unpredictable | 24 | Yes – DLP verification is WIP | High | One major vulnerability identified, however the ‘ease’ factor has high impact |
xxx-RA-02 | All Departments | xxx Employees (All personnel) | Personnel – Internal | Critical business activities get impacted | 01.01.1900 | 4 | Several teams are crucial for availability | 1. Leave control management in place, 2. Whenever there is an additional manpower requirement, it is addressed as part of HR planning | No known weakness | 1 | No identified vulnerability | 2 | Human behaviour is unpredictable | 8 | No | Low | No identified vulnerability |
xxx-RA-03 | All Departments | Operations Applications (Petrel 2012/Geo Frame – IESX/Geo Frame – Techlog Petrophysical Applications/ IHS Kingdom Suite/REP/Merak – Peep/Merak-Volts/Oil Field Manager/Eclipse/Interactive Petrophysics/Croker/Kingdom Suite/REP/Questor – Onshore/Offshore 9.8/Mbal 8.0/Pansystem 3.2/Rose Risk Multi-mode risk Analysis/Tellus Database/LiveQuest Solution/Zeh Composer Seisworks + Zmap/PEEP/GEM (Eco Software)/Eclipse-Office) | Business Applications | Confidential data leakage | 01.01.1900 | 4 | Unauthorized access leading to information theft (by outsider) | Access controls in place. Central AD protects primary authentication, followed by application-specific controls. | No known weakness | 1 | No weakness identified | 1 | No incidents in the past one year, unlikely opportunity in the next year | 4 | No | Low | No weakness identified |
xxx-RA-04 | All Departments | Common User Applications (Active Directory/IP Telephony Oracle HRMS/Sharepoint Portal/Asset Management System/Enterprise Document Management System/Share drive (G: Drive)/Cogness/RPSystem/Discover/Global Tax Management System (GTMS)/Sun System/Hyperion/Website) | Business Applications | Information leakage and misuse, Virus impact on data/servers | 01.01.1900 | 4 | Applications are critical to business operations. Most information is rated as 3 | Most products deployed are standard tools from recognized vendors/OEM. | 1. OFI in change management process, 2. OFI in better access control | 3 | 2 Identified vulnerabilities | 1 | No suspected incidents of application performance or misuse in the last year | 12 | Yes | High | 1. OFI in change management process, 2. OFI in better access control |
xxx-RA-05 | IT Support | Switch configurations | LAN Management | Network down / impact on day-to-day business operations | 01.01.1900 | 4 | Internal connectivity outage | Redundant network, secure configuration | No known weakness | 1 | No known weakness | 1 | No suspected incidents of application performance or misuse in the last year | 4 | No | Low | No weakness identified |
xxx-RA-06 | IT Support | Router Configurations | WAN Management | Impact on day-to-day business operations | 01.01.1900 | 4 | External connectivity outage | Redundant network, secure configuration | No known weakness | 1 | No known weakness | 1 | No suspected incidents of application performance or misuse in the last year | 4 | No | Low | No weakness identified |
xxx-RA-07 | IT Support | Wireless Configurations | Wireless Management | Data Leakage due to unauthorized access | 01.01.1900 | 3 | Office connectivity of mobile users | Alternate network based controls exist, limited access | No known weakness | 1 | No known weakness | 1 | No suspected incidents of application performance or misuse in the last year | 3 | No | Low | No weakness identified |
xxx-RA-08 | IT Support | All Servers (Unix and Windows) (Windows XP SP3/Windows 2003/Windows 2008/Solaris/Linux) | Server Management | Data Loss | 01.01.1900 | 4 | High availability, high confidentiality | Combination of policies exist that include patch management and vulnerability management in place; certified staff handle the changes | No known weakness | 1 | No known weakness | 1 | No suspected incidents of application performance or misuse in the last year | 4 | No | Low | No weakness identified |
xxx-RA-09 | IT Support | Database Management (SQL and Oracle) | Database Management | Impact on day-to-day business operations | 01.01.1900 | 4 | High availability, high confidentiality | Combination of policies exist that include patch management and vulnerability management in place; certified staff handle the changes | No known weakness | 1 | No known weakness | 1 | No suspected incidents of application performance or misuse in the last year | 4 | No | Low | No weakness identified |
xxx-RA-10 | IT Support | Security Applications (Access Point – Card System/Access Point – Biometrics/Checkpoint-VPN/Firewall (Checkpoint)/AV (McAfee)/IPS/IDS (Cisco MARS)/Spam Filter (Symantec)/Backup Management (Tivoli)) | Security Applications | Data leakage / corruption due to unauthorized access | 01.01.1900 | 4 | Security controls protecting the network | Combination of policies exist that include patch management and vulnerability management in place; certified staff handle the changes | No known weakness | 1 | No known weakness | 1 | No suspected incidents of application performance or misuse in the last year | 4 | No | Low | No weakness identified |
xxx-RA-11 | IT Support | Desktop Management (Dell) | Desktop Management | Daily business activities impacted / delayed | 01.01.1900 | 4 | End user infrastructure | Standard list of software installed, malware protection that combines gateway and end user malware protection | No known weakness | 1 | No known weakness | 1 | No suspected incidents of application performance or misuse in the last year | 4 | No | Low | No weakness identified |
xxx-RA-12 | IT Support | Laptop Management (Dell / Apple) | Laptop Management | Impact on day-to-day business operations | 01.01.1900 | 4 | End user infrastructure | Standard list of software installed, malware protection that combines gateway and end user malware protection | No known weakness | 1 | No known weakness | 2 | Laptop theft is an opportunity | 8 | No | Medium | No weakness identified |
xxx-RA-13 | General Services | Physical Access Management (Building, Floors, Work area, Server Room/s, generator Areas) | Physical Access Management | People / business information or data impacted | 01.01.1900 | 4 | Availability infrastructure | Combination of controls including manpower, CCTV, Access controls in place | No known weakness | 1 | No known weakness | 1 | No suspected incidents of application performance or misuse in the last year | 4 | No | Medium | No weakness identified |
xxx-RA-14 | IT Support | Document Management System (Share drives/Folders/Enterprise Document Management System) | Document Management | Data leakage / corruption / loss | 01.01.1900 | 4 | Storage areas for sensitive files/documents | Access controls in place. Central AD protects primary authentication, followed by application-specific controls. | No known weakness | 1 | No known weakness | 1 | No suspected incidents of application performance or misuse in the last year | 4 | No | Medium | No weakness identified |
xxx-RA-15 | Legal | External Service providers (OEMs providing technical problem and patch management support) | External Service providers – IT | Financial Loss | 01.01.1900 | 4 | High availability; their services are critical to application uptime | SLA in place, most vendors are global and provide 24-7 support | No known weakness | 1 | No known weakness | 1 | No suspected incidents of application performance or misuse in the last year | 4 | No | Medium | No weakness identified |
xxx-RA-16 | Legal | External Service providers (IT Consultants) | External Service providers – Legal | Financial / reputation Loss | 01.01.1900 | 4 | Teams have configurations which in turn contain category 4 information | 1. Background screening in place, 2. All vendor staff sign NDA | 1. People have the opportunity to send emails. Consider DLP solution to reduce the opportunity of information theft. (Check whether DLP is implemented in Office 365?), 2. Consider bringing vendor staff under the scope of induction on information security | 3 | Two major vulnerabilities identified | 2 | Human behaviour is unpredictable | 24 | Yes – DLP verification is WIP + Training on induction | High | 1. People have the opportunity to send emails. Consider DLP solution to reduce the opportunity of information theft. (Check whether DLP is implemented in Office 365?), 2. Consider bringing vendor staff under the scope of induction on information security |
xxx-RA-17 | IT Support | External Service providers – IT + Hasibat information technology | External Service providers – IT | Financial Loss | 01.01.1900 | 4 | Several teams are crucial for availability | 1. SLA including manpower availability is in place. 2. Vendors who provide patch/problem support are covered in SLA/NDA | No known weakness | 1 | No identified vulnerability | 2 | Human behaviour is unpredictable | 8 | No | Low | No identified vulnerability |
xxx-RA-18 | Key Departments (Legal/ Operations/ Commercial/ Finance/Human Resources) | Paper Document Management (Agreements/new Contracts) | Paper Management | Financial / reputation Loss | 01.01.1900 | 4 | Printed documents and design documents | 1. Printers have passwords, 2. Users follow clear desk and clear screen policy, including paper shredding when no longer in use. | Awareness on handling of documents can be increased | 2 | Paper on desks | 1 | No incidents in the past one year, unlikely opportunity in the next year | 8 | No | Low | Awareness on handling of documents can be increased |
Dear Pretesh, How are you? Hope all is well. This is to explore the possibility of our association for one IATF 16949 certification. Let me know your convenience to discuss.
Thanks and Regards, Sanjeev Jahagirdar
Technical Director
T I Integrated Quality Services & Solutions
E I sanjeev_jahagirdar@yahoo.com
A I Pune, Maharashtra, India-411058
M I +91 9552585317/ +91 020 295 295 04
Connect us I https://www.linkedin.com/in/jahagirdar-sanjeev-55a09118
Thank you very much, sir. Regards
Nilesh P Acharekar
Of course, this assessment will help in mitigating most intra issues far sight with proper planning & zero tolerance. Good work, Pretesh