Example of ISMS Risk Assessment

Uncategorized 5 Minutes
RA-IDRisk OwnerInformation Asset/ infrastructure-Management (Risk Area)Form / Nature of AssetApplicable
Threats
(NEW)		RA DateImpact RatingJustificationExisting Controls (=Strengths)Missing Controls (=Weaknesses)VulnerabilityJustificationProbabilityJustificationRevised Risk ValueRecommendation (Yes or No)Revised Risk CategoryResidual Risks
xxx-RA-01All Departmentsxxx Employees (All personnel)Personnel – InternalLeak of Sensitive / Critical Data01.01.19004Teams has category 4 information1. Background Screening in place,
2. Most Employee undergo induction training,
3. All employees sign code of conduct, 		1. People have the opportunity to send emails. Consider DLP solution to reduce the opportunity of information theft. (Check whether DLP is implemented in office 365?)3One major vulnerability identified, however the ‘ease’ factor has high impact2Human behaviour is unpredictable24Yes – DLP verification is WIPHighOne major vulnerability identified, however the ‘ease’ factor has high impact
xxx-RA-02All Departmentsxxx Employees (All personnel)Personnel – InternalCritical Business activities get impacted01.01.19004Several teams are crucial for availability1.Leave control management in place,
2. Whenever there is an additional manpower requirement, it is addressed as part of HR planning		No known weakness1No identified vulnerability2Human behaviour is unpredictable8NolowNo identified vulnerability
xxx-RA-03All DepartmentsOperations Applications(Petrel 2012/Geo Frame – IESX/Geo Frame – Techlog Petrophysical Applications/ IHS Kingdom Suite/REP/Merak – Peep/Merak-Volts/Oil Field Manager/Eclipse/Interactive Petrophysics/Croker/Kingdom Suite/REP/Questor – Onshore/Offshore 9.8/Mbal 8.0/Pansystem 3.2/Rose Risk Multi-mode risk Analysis/Tellus Database/LiveQuest Solution/Zeh Composer Seisworks + Zmap/PEEP/GEM (Eco Software)/Eclipse-Office)Business ApplicationsConfidential data leakage01.01.19004Unauthorized access leading to information theft (by outsider)Access Controls in placed. Central AD protects primary authentication followed by application specific controls.No known weakness1No weakness identified1No incidents in the past one year, unlikely opportunity in the next year4NoLowNo weakness identified
xxx-RA-04All DepartmentsCommon User Applications (Active Directory/IP Telephony
Oracle HRMS/Sharepoint Portal/Asset Management System/Enterprise Document Management System/Share drive (G: Drive)/Cogness/RPSystem/Discover/Global Tax Management System (GTMS)/Sun System/Hyperion/Website)		Business ApplicationsInformation leakage and misuse, Virus impact on data/servers01.01.19004Applications are critical to business operations. Most information is rated as 3 Most products deployed are standard tools from recognized vendors/OEM. 1. OFI in change management process, 2. OFI in better access control32 Identified vulnerabilities1No suspected incidents of application performance or misuse in the last year12YesHigh1. OFI in change management process, 2. OFI in better access control
xxx-RA-05IT SupportSwitch configurationsLAN ManagementNetwork down / impact day to day business operations01.01.19004Internal connectivity outageRedundant network, secure configurationNo known weakness1No known weakness1No suspected incidents of application performance or misuse in the last year4NoLowNo weakness identified
xxx-RA-06IT SupportRouter ConfigurationsWAN Managementimpact day to day business operations
01.01.19004External connectivity outageRedundant network, secure configurationNo known weakness1No known weakness1No suspected incidents of application performance or misuse in the last year4NoLowNo weakness identified
xxx-RA-07IT SupportWireless ConfigurationsWireless ManagementData Leakage due to unauthorized access01.01.19003Office connectivity of mobile usersAlternate network based controls exist, limited accessNo known weakness1No known weakness1No suspected incidents of application performance or misuse in the last year3NoLowNo weakness identified
xxx-RA-08IT SupportAll Servers (Unix and Windows)
(Windows XP SP3/Windows 2003/Windows 2008/Solaris/Linux)		Server ManagementData Loss01.01.19004High Availability, High confidentialityCombination of policies exist that include patch management, and vulnerability in place, certified staff handling the changesNo known weakness1No known weakness1No suspected incidents of application performance or misuse in the last year4NoLowNo weakness identified
xxx-RA-09IT SupportDatabase Management (SQL and Oracle)Database Management Impact day to day business operations01.01.19004High Availability, High confidentialityCombination of policies exist that include patch management, and vulnerability in place, certified staff handling the changesNo known weakness1No known weakness1No suspected incidents of application performance or misuse in the last year4NoLowNo weakness identified
xxx-RA-10IT SupportSecurity Applications (Access Point – Card System/Access Point – Biometrics/Checkpoint-VPN/Firewall (Checkpoint)/AV (McAfee)/IPS/IDS (Cisco MARS)/Spam Filter (Symantec)/backup Management (Tivoli))Security ApplicationsData Leakage / corrupt due to unauthorized access01.01.19004Security Controls protecting the networkCombination of policies exist that include patch management, and vulnerability in place, certified staff handling the changesNo known weakness1No known weakness1No suspected incidents of application performance or misuse in the last year4NoLowNo weakness identified
xxx-RA-11IT SupportDesktop Management  (Dell)Desktop ManagementDaily business activities impacted / delayed01.01.19004End user infrastructureStandard list of software installed, malware protection that combines gateway and end user malware protectionNo known weakness1No known weakness1No suspected incidents of application performance or misuse in the last year4NoLowNo weakness identified
xxx-RA-12IT SupportLaptop Management (Dell / Apple)Laptop ManagementImpact day to day business operations01.01.19004End user infrastructureStandard list of software installed, malware protection that combines gateway and end user malware protectionNo known weakness1No known weakness2Laptop theft is an opportunity8NoMediumNo weakness identified
xxx-RA-13General ServicesPhysical Access Management (Building, Floors, Work area, Server Room/s, generator Areas)Physical Access ManagementPeople / business information or data impacted01.01.19004Availability infrastructureCombination of controls including manpower, CCTV, Access controls in placeNo known weakness1No known weakness1No suspected incidents of application performance or misuse in the last year4NoMediumNo weakness identified
xxx-RA-14IT SupportDocument Management System (Share drives/Folders/Enterprise Document Management System)Document ManagementData Leakage / corrupt / loss01.01.19004Storage areas for sensitive files/documentsAccess Controls in placed. Central AD protects primary authentication followed by application specific controls.No known weakness1No known weakness1No suspected incidents of application performance or misuse in the last year4NoMediumNo weakness identified
xxx-RA-15LegalExternal Service providers (OEMs providing technical problem and patch management support)External Service providers – ITFinancial Loss01.01.19004High Availability, their service are critical to application up timeSLA in place, most vendors are global, and provide 24-7 supportNo known weakness1No known weakness1No suspected incidents of application performance or misuse in the last year4NoMediumNo weakness identified
xxx-RA-16LegalExternal Service providers (IT Consultants)External Service providers – LegalFinancial / reputation Loss01.01.19004Teams has configurations which in turn has category 4 information1. Background Screening in place, 2. All vendors staff sign NDA1. People have the opportunity to send emails. Consider DLP solution to reduce the opportunity of information theft. (Check whether DLP is implemented in office 365?), 2. Consider bring vendor staff under the scope of induction on information security3Two major vulnerably identified2Human behaviour is unpredictable24Yes – DLP verification is WIP + Training on inductionHigh1. People have the opportunity to send emails. Consider DLP solution to reduce the opportunity of information theft. (Check whether DLP is implemented in office 365?), 2. Consider bring vendor staff under the scope of induction on information security
xxx-RA-17IT SupportExternal Service providers – IT + Hasibat information technologyExternal Service providers – ITFinancial Loss01.01.19004Several teams are crucial for availability1. SLA including manpower availability is in place. 2. Vendors whose support in the form of patch/problem exist, are covered in SLA/NDANo known weakness1No identified vulnerability2Human behaviour is unpredictable8NoLowNo identified vulnerability
xxx-RA-18Key Departments (Legal/ Operations/ Commercial/ Finance/Human Resources)Paper Document Management  (Agreements/new Contracts)Paper ManagementFinancial / reputation Loss01.01.19004Printed documents and design documents1. Printers have passwords, 2. Users follow clear desk and clear screen policy including paper shredding when no more in use.Awareness on handling of documents can be increase2Paper on desks1No incidents in the past one year, unlikely opportunity in te next year8NoLowAwareness on handling of documents can be increase

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

3 thoughts on “Example of ISMS Risk Assessment

  1. Dear Pretesh,How r you Hope all is well This is to explore the possibility of our association for one IATF 16949 certificationLet me know your conveniance to discuss 

    Thanks and Regards Sanjeev Jahagirdar

    Technical Director

    T  I Integrated Quality Services & Solutions

    E  I sanjeev_jahagirdar@yahoo.com

    A  I Pune, Maharashtra, India-411058

    M I +91 9552585317/ +91 020 295 295 04 

    Connect us I  https://www.linkedin.com/in/jahagirdar-sanjeev-55a09118

    Reply

  3. Ofcourse, this assessment will help in migating most intra issue far sight with proper planning & zero tolerance. Good work Pretesh

    Reply

Leave a Reply