IS Security Risk Assessment
Date: 29th of July, 2013
Document version: v 1
Prepared by: Ramiro Cid
Approved by:
Explanations
1 This Risk Assessment is based on the standard ISO/IEC 27005 (Information Security Risk Management).
2 A more detailed description of the asset valuation can be found on the sheet "Assets list".
3 A more detailed description of the threat and vulnerability valuations and of the risk calculation can be found on the sheet "References & Scores".
4 The risk assessment for the different asset categories is described in the sheet "Risk Analysis".
Assumptions:
1 Data classification has not been done yet.
At this stage, critical business data is valued in the Risk Assessment as:
Confidentiality - High
Integrity - Medium
Availability - Medium
This version assumes that no data processed in the country is such that:
Degradation of the accuracy and completeness of the data is unacceptable (Integrity - High).
The asset/information is required on a 24x7 basis (Availability - High).
2 This is the first version of the Risk Assessment. Potential updates and improvements require more time for investigation and will be included in future versions.
3 The current version of the Risk Assessment mainly covers the assets and risks under Country IS Service Management control.
4 The current version of the Risk Assessment covers little or not at all (in almost all cases) the following assets and risks:
Global functions (Enterprise organization) related assets and risks:
Central Firewall
SAP development, support, etc.
Industrial sites, location and technical networks
Etc.
These assets and risks will be covered in future versions.
Estimation of Probability

| Score | Probability | Attributes (A) | Control Environment (C) |
|---|---|---|---|
| 1 | Never happens or has not happened | Small attacker population (insider knowledge); not remotely executable; administrator privileges needed; not automated; not a publicly published attack method. Score 1 if all five apply | Strong existing controls, well tested, make this very unlikely. OR, an unlikely target |
| 2 | Rarely happened | Somewhere between 1 and 3 | Existing controls believed to be strong but not tested recently. OR, not a likely target |
| 3 | Could happen periodically or | Medium attacker population (specialist) | Existing controls believed to be |
| 4 | Regular, frequently | Somewhere between 3 and 5 | Weak controls and a likely target |
| 5 | No controls and a very likely target | Large attacker population (hobbyists); remotely executable; anonymous privileges needed; automated; publicly published attack method. Score 5 if any apply | No controls and a very likely target |
Assets
This sheet describes the assets included in the country in relation to IT security.

| Domain | Asset name | Asset value |
|---|---|---|
| [ASS-APP-1] | Application #1 | Very High Value |
| [ASS-APP-2] | Application #2 | High Value |
| [ASS-APP-3] | Application #3 | Very High Value |
| [ASS-APP-4] | Application #4 | High Value |
| [ASS-APP-5] | Application #5 | Very High Value |
| [ASS-APP-6] | Application #6 | Very High Value |
Risk Analysis

Asset details:

| Asset | Global/Local | Location/s | Business Owner | Power user | C | I | A | Asset Value |
|---|---|---|---|---|---|---|---|---|
| Application #1 | Local | Prague | Grozny Poznatky | Vítězslav Novotný | 4 | 5 | 5 | 5 |
| Application #2 | Local | Tokio | Akira Takahashi | Takeshi Suzuki | 3 | 4 | 4 | 4 |
| Application #3 | Local | Cape Town | Addae Wilkins | Michael Andersen | 5 | 2 | 2 | 5 |
| Application #4 | Local | São Paulo | Carlos dos Santos | Patricia da Silva | 4 | 5 | 4 | 4 |
| Application #5 | Local | Paris | Ludovic Dupond | Sophie Renou | 5 | 4 | 5 | 5 |
| Application #6 | Global | Rome | Marco Biasini | Irene Massa | 5 | 5 | 5 | 5 |

Threats, vulnerabilities, controls and risk scores:

| Threat | Threat description | Vulnerability | Controls/practices | Asset Value | Impact | Probability | Risk | New mitigation actions (planned mitigation activities/controls) |
|---|---|---|---|---|---|---|---|---|
| Inside users can accidentally read or modify customers' confidential information | A human error in building up a user profile can allow a user to access unauthorized information | User profile is not double checked by another person before assignment | Periodical review of users' access | 5 | 4 | 2 | 11 | A person other than the user's manager should verify the correct creation of the user profile before assignment, or test the profile before assignment |
| Unauthorized users can read confidential information | Someone can copy information | It is possible to read and copy confidential information from a colleague's desk | Active Directory policy blocks the session after 15 minutes of no activity; users lock the desk before leaving the office desk | 5 | 4 | 1 | 10 | Segregate users authorised to read confidential information from people not authorized |
| Inside people export confidential information outside the application | Authorized users can export information | It is possible to download information on a personal laptop (with no encrypted disks) or on mobile devices, or to export files, so losing any kind of control inside the application | Verification of logs to check access, export of data and printing of information | 5 | 4 | 4 | 13 | Encrypt laptop disks. Limit to the minimum number of users the rights to export data. Create an authorization process to allow a user to export data. Lock some fields from being exported |
| WAN communication problem interrupts client session | Packet transmission losses put the Citrix session in time out | The Citrix client session does not withstand packet losses; the connection goes down because it is very sensitive to time out if communications have some short cuts | Open incident for WAN packet losses | 5 | 1 | 1 | 7 | Ask the carrier to include a minimum guaranteed performance in the SLA |
| Data loss | Data loss in PDA containing confidential information | PDA can be stolen or get lost outside the company. PDAs are not controlled by Active Directory (they are not in the domain) | To use the PDA a personal password and a unit password are required; after 10 attempts for each required password, access is locked and only Application #1 Administrators are in charge of unlocking it | 5 | 3 | 2 | 10 | Make users accountable by recharging the cost of the PDA when it gets lost. Remote deletion of data by an admin if the user reports the PDA as stolen or lost. Training for users about physical security best practices for PDA use. After 10 attempts not only block the PDA but also remove the data. Application #1 grace logins from 10 to only 3 attempts |
| Company XX password compromised; disclosure of personal data | To allow continuity of service during vacation, dispatchers share their passwords. Dispatchers put their passwords in a list with all dispatcher credentials | Passwords lose their confidentiality characteristic. No possibility to trace responsibilities in case of data corruption, data losses or disclosure of information. Loss of any personal confidentiality | Application #2 uses a self-profiling system not directly connected with Active Directory | 4 | 5 | 4 | 13 | Create an Application #2 special profile for dispatchers, independent from Active Directory. Never share Active Directory passwords. In case mail needs to be shared too, create a special dispatcher mail-in box; if the mail-in box does not solve the problem, use Corporate email internal delegation to assign reader mail rights to other colleagues. Avoid creating a list of Application #2 users' credentials; if no other solution exists, keep this list in a locked place under surveillance |
| Disclosure of personal sensitive data | For some employees, sensitive personal data that is not necessary for the company has been collected and stored in the application | Treatment of this data is not compliant with data protection law | The replacement of this application with Saphron is almost completed | 5 | 3 | 3 | 11 | Remove sensitive data not required and not necessary for the company. When the data transfer to Saphron is completed, remove the old application from Corporate email |
| Disclosure of confidential data | Internal maintenance technicians have a high probability of accidentally reading confidential information | Users do not always control the intervention of technicians. Technicians have not signed any confidentiality agreement. Technicians have not been trained about protection of confidential data | Ethical / professional training | 5 | 3 | 4 | 12 | Technicians (internal and external) should be trained about protection of confidential data to understand their responsibilities. Technicians (internal and external) should sign an internal confidentiality agreement |
| User password compromised | Due to maintenance reasons and/or connection testing, users reveal their password | No possibility to use the Administrator password to test user connections. Technicians have not signed any confidentiality agreement | Password change | 5 | 3 | 5 | 13 | Technicians should always recommend a password change to the users after their intervention (if possible, technicians have to set "change on next logon"). Technicians (internal and external) should sign an internal confidentiality agreement |
| Disclosure of confidential data | Maintenance technicians of users' Corporate email have a high probability of accidentally reading confidential information | Users do not always control the intervention of technicians. Technicians have not signed any confidentiality agreement. Technicians have not been trained about protection of confidential data | Ethical / professional training | 5 | 3 | 4 | 12 | Technicians (internal and external) should be trained about protection of confidential data to understand their responsibilities. Technicians (internal and external) should sign an internal confidentiality agreement |
| Inadequate user identification | Passwords of customers without expiration time | Application is not managing password expiration | Customers are divided according to customer belonging. User profile limited to a specific customer's customers | 5 | 5 | 4 | 14 | Application must be modified to force periodical password expiration |
| Deliberate disclosure of private sensitive data | A customer's password without expiration time can be easily identified | Application is not managing password expiration | Customers are divided according to customer belonging. User profile limited to a specific customer's customers | 5 | 5 | 4 | 14 | Application must be modified to force periodical password expiration to increase user identification |
| Deliberate corruption or loss of sensitive private data | Some customers have rights to create or modify doctor prescriptions. Passwords of customers without expiration | A doctor's ID with weak password security can be used to forge access and destroy or change customers' prescriptions | Customers are divided according to customer belonging. User profile limited to a specific customer's customers | 5 | 5 | 4 | 14 | Application must be modified to force periodical password expiration to increase user identification (for external users) |
| Forcing of access rights | Customer user ID has weak quality | The user ID is created using the last name and the first letter of the first name, not adequate to the importance of the data stored | Customers are divided according to customer belonging. User profile limited to a specific customer's customers | 5 | 5 | 4 | 14 | A more adequate policy for customer ID quality should be implemented to reduce the possibility of discovering IDs |
| Accidental disclosure of private sensitive data | External IT developers can see all data | No segregation of data for development scope | External developers are identified by Company XX Active Directory | 5 | 4 | 5 | 14 | Developers should never work using production data |
| Missing third party confidentiality agreement | External developers have not signed any confidentiality agreement with Company XX | Lack of third party control | No controls in this case | 5 | 4 | 4 | 13 | External developers have to sign a confidentiality agreement |
| Loss of identification control | Customers that are not using the application client are allowed to store their access credentials in their internet browser | With access credentials stored in the internet browser it is not possible to guarantee the identification of the user | No controls in this case | 5 | 4 | 4 | 13 | Company XX should ask customers to subscribe to an agreement that they implement a security policy forbidding access credentials in browsers. Modify the web application in order to avoid automatic logon |
| Accidental physical access to private sensitive data | People not authorized could accidentally access private sensitive data | There is no physical restricted area to prevent data access by unauthorized people | No controls in this case | 5 | 4 | 5 | 14 | A physical restricted area to avoid accidental access to private sensitive data should be implemented |
| Loss of confidentiality | All application users can export data from the application to a local file | No possibility to apply confidentiality controls on the exported local file | No controls in this case | 5 | 5 | 5 | 15 | Export of data from the application to a local file should be forbidden |
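In every row of the Risk Analysis sheet the Risk column equals Asset Value + Impact + Probability (5+4+2=11, 5+1+1=7, 5+5+5=15), and the Estimation of Probability table fixes the probability score at 1 when all five low-likelihood attributes apply and at 5 when any high-likelihood attribute applies. The Python below is an added example, not part of the original workbook: it recomputes the additive score for rows copied from the sheet, flags rows whose recorded Risk disagrees, ranks threats for treatment, and applies the attribute rule; `ThreatAttributes`, `bound_probability`, `RiskRow` and the field names are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional


# Attack attributes from the "Estimation of Probability" sheet. Rule there:
# score 1 if all five "low" attributes apply, score 5 if any "high"
# attribute applies; otherwise the analyst's judged score (1..5) stands.
@dataclass(frozen=True)
class ThreatAttributes:
    attacker_population: str   # "insider", "specialist" or "hobbyist"
    remotely_executable: bool
    privileges_needed: str     # "administrator", "user" or "anonymous"
    automated: bool
    publicly_published: bool   # attack method is publicly published


def bound_probability(attrs: ThreatAttributes, analyst_score: int) -> int:
    """Return the Probability score after applying the attribute rules."""
    if not 1 <= analyst_score <= 5:
        raise ValueError("analyst score must be between 1 and 5")
    any_high = (attrs.attacker_population == "hobbyist"
                or attrs.remotely_executable
                or attrs.privileges_needed == "anonymous"
                or attrs.automated
                or attrs.publicly_published)
    all_low = (attrs.attacker_population == "insider"
               and not attrs.remotely_executable
               and attrs.privileges_needed == "administrator"
               and not attrs.automated
               and not attrs.publicly_published)
    if any_high:
        return 5
    if all_low:
        return 1
    return analyst_score


@dataclass
class RiskRow:
    threat: str
    asset_value: int                  # 1..5, from the Assets sheet
    impact: int                       # 1..5
    probability: int                  # 1..5
    sheet_risk: Optional[int] = None  # value recorded in the Risk column

    def risk(self) -> int:
        """Additive scoring as used in every row of the Risk Analysis sheet."""
        for name, value in (("asset_value", self.asset_value),
                            ("impact", self.impact),
                            ("probability", self.probability)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} out of range: {value}")
        return self.asset_value + self.impact + self.probability


def find_mismatches(rows: List[RiskRow]) -> List[str]:
    """Threats whose recorded Risk differs from the recomputed score."""
    return [r.threat for r in rows
            if r.sheet_risk is not None and r.sheet_risk != r.risk()]


def prioritise(rows: List[RiskRow], threshold: int) -> List[str]:
    """Threats scoring at or above the threshold, highest risk first."""
    ranked = sorted(rows, key=lambda r: r.risk(), reverse=True)
    return [r.threat for r in ranked if r.risk() >= threshold]


# Rows copied from the Risk Analysis sheet: asset value, impact, probability, risk.
SHEET_ROWS = [
    RiskRow("Inside users accidentally read/modify confidential data", 5, 4, 2, 11),
    RiskRow("Unauthorized users read confidential information", 5, 4, 1, 10),
    RiskRow("Inside people export confidential data", 5, 4, 4, 13),
    RiskRow("WAN problem interrupts client session", 5, 1, 1, 7),
    RiskRow("Data loss in PDA", 5, 3, 2, 10),
    RiskRow("Company XX password compromised (dispatchers)", 4, 5, 4, 13),
    RiskRow("External IT developers can see all data", 5, 4, 5, 14),
    RiskRow("Loss of confidentiality (export to local file)", 5, 5, 5, 15),
]

if __name__ == "__main__":
    print("rows disagreeing with the sheet:", find_mismatches(SHEET_ROWS))
    for threat in prioritise(SHEET_ROWS, 13):
        print("treat first:", threat)
```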
 
Drones and their use on critical infrastructure
Drones and their use on critical infrastructureDrones and their use on critical infrastructure
Drones and their use on critical infrastructure
 
Internet of things, big data & mobility vs privacy
Internet of things, big data & mobility vs privacyInternet of things, big data & mobility vs privacy
Internet of things, big data & mobility vs privacy
 
Space computing
Space computingSpace computing
Space computing
 
The relation between internet of things, critical infrastructure and cyber se...
The relation between internet of things, critical infrastructure and cyber se...The relation between internet of things, critical infrastructure and cyber se...
The relation between internet of things, critical infrastructure and cyber se...
 
Internet of things
Internet of thingsInternet of things
Internet of things
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Cyber Security Awareness
Cyber Security AwarenessCyber Security Awareness
Cyber Security Awareness
 

Último

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 

Último (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

IS Risk Assessment example

  • 1.
  • 2. IS Security Risk Assessment
    Date: 29th of July, 2013
    Document version: v 1
    Prepared by: Ramiro Cid
    Approved by:

    Explanations
    1 This Risk Assessment is based on the standard ISO/IEC 27005 (Information Security Risk Management).
    2 A more detailed description of the asset valuation can be found on the sheet "Assets list".
    3 A more detailed description of the threat and vulnerability valuations and of the risk calculation can be found on the sheet "References & Scores".
    4 The Risk Assessment for the different asset categories is described in the sheet "Risk Analysis".

    Assumptions:
    1 Data classification has not been done yet. At this stage the critical business data are valued in the Risk Assessment as:
      Confidentiality - High
      Integrity - Medium
      Availability - Medium
      This version considers that no data are processed in the country for which:
      degradation of the accuracy and completeness of the data is unacceptable (Integrity - High);
      the asset/information is required on a 24x7 basis (Availability - High).
    2 This is the 1st version of the Risk Assessment. Potential updates and improvements require more time for investigation and will be included in future versions.
    3 The current version mainly covers the assets and risks under the control of Country IS Service Management.
    4 The current version has little or no coverage (in almost all cases) of the assets and risks related to global functions (enterprise organization):
      Central Firewall
      SAP development, support, etc.
      Industrial sites, locations and technical networks
      Etc.
      These assets and risks will be covered in future versions.

  • 3. Estimation of Probability
    Score | Probability | Attributes (A) | Control Environment (C)
    1 | Never happens or has not happened | Small attacker population (insider knowledge); not remotely executable; administrator privileges needed; not automated; not a publicly published attack method. Score 1 if all five apply. | Strong existing controls, well tested, make this very unlikely; OR an unlikely target
    2 | Rarely happened | Somewhere between 1 and 3 | Existing controls believed to be strong but not tested recently; OR not a likely target
    3 | Could happen periodically | Medium attacker population (specialist) | Existing controls believed to be …
    4 | Regular, frequent | Somewhere between 3 and 5 | Weak controls and a likely target
    5 | | Large attacker population (hobbyists); remotely executable; anonymous privileges needed; automated; publicly published attack method. Score 5 if any apply. | No controls and a very likely target

  • 4. Assets
    This sheet describes the assets included in the country in relation to the IT Security domain.
    Asset name | Asset value
    [ASS-APP-1] Application #1 | Very High Value
    [ASS-APP-2] Application #2 | High Value
    [ASS-APP-3] Application #3 | Very High Value
    [ASS-APP-4] Application #4 | High Value
    [ASS-APP-5] Application #5 | Very High Value
    [ASS-APP-6] Application #6 | Very High Value

  • 5. Risk Analysis
    Columns: Asset | Global/Local | Location/s | Business Owner | Power user | C | I | A | Asset Value || Threat | Threat description | Vulnerability | Controls/practices | Asset Value | Impact | Probability | Risk | New mitigation actions (Planned mitigation activities/controls)

    Application #1 (Local; Prague; Business Owner / Power user: Grozny Poznatky, Vítězslav Novotný; C, I, A, Asset Value: 4, 5, 5, 5; names and scores in the order extracted)

    Threat: Inside users can accidentally read or modify customers' confidential information.
    Threat description: A human error when building up a user profile can allow a user to access unauthorized information.
    Vulnerability: The user profile is not double-checked by another person before assignment.
    Controls/practices: Periodical review of users' access.
    Asset Value / Impact / Probability / Risk: 5 / 4 / 2 / 11
    New mitigation actions: A person other than the user's manager should verify the correct creation of the user profile before assignment, or test the profile before assignment.

    Threat: Unauthorized users can read confidential information.
    Threat description: Someone can copy information.
    Vulnerability: It is possible to read and copy confidential information from a colleague's desk.
    Controls/practices: The Active Directory policy locks the session after 15 minutes of inactivity; users lock the desk before leaving the office desk.
    Asset Value / Impact / Probability / Risk: 5 / 4 / 1 / 10
    New mitigation actions: Segregate users authorised to read confidential information from people who are not authorized.

    Threat: Inside people export confidential information outside the application.
    Threat description: Authorized users can export information.
    Vulnerability: It is possible to download information onto a personal laptop (with no encrypted disks) or onto mobile devices, or to export files, so losing any kind of control inside the application.
    Controls/practices: Verification of logs to check access, export of data and printing of information.
    Asset Value / Impact / Probability / Risk: 5 / 4 / 4 / 13
    New mitigation actions: Encrypt laptop disks. Limit to the minimum the number of users with rights to export data. Create an authorization process to allow a user to export data. Lock some fields so they cannot be exported.

    Threat: A WAN communication problem interrupts the client session.
    Threat description: Packet transmission losses put the Citrix session into time-out.
    Vulnerability: The Citrix client session does not withstand packet losses; the connection goes down because it is very sensitive to time-outs when communications have short cuts.
    Controls/practices: Open an incident for WAN packet losses.
    Asset Value / Impact / Probability / Risk: 5 / 1 / 1 / 7
    New mitigation actions: Ask the carrier to introduce a minimum guaranteed performance in the SLA.

    Threat: Data loss.
    Threat description: Data loss in a PDA containing confidential information.
    Vulnerability: The PDA can be stolen or lost outside the company. PDAs are not controlled by Active Directory (they are not in the domain).
    Controls/practices: To use a PDA a personal password and a unit password are required; after 10 attempts for each required password, access is locked and only Application #1 Administrators can unlock it.
    Asset Value / Impact / Probability / Risk: 5 / 3 / 2 / 10
    New mitigation actions: Make users accountable by recharging the cost of the PDA when it is lost. Remote deletion of data by an admin if the user reports the PDA as stolen or lost. Training for users on physical security best practices for PDA use. After 10 attempts, not only block the PDA but also remove the data. Reduce Application #1 grace logins from 10 to only 3 attempts.

    Application #2 (Local; Tokyo; Business Owner: Akira Takahashi; Power user: Takeshi Suzuki; C, I, A, Asset Value: 3, 4, 4, 4)

    Threat: Company XX password compromised. Disclosure of personal data.
    Threat description: To allow continuity of service during vacations, dispatchers share their passwords. Dispatchers put their passwords in a list with all dispatcher credentials.
    Vulnerability: Passwords lose their confidentiality. No possibility to trace responsibilities in case of data corruption, data loss or disclosure of information. Loss of any personal confidentiality.
    Controls/practices: Application #2 uses a self-profiling system not directly connected with Active Directory.
    Asset Value / Impact / Probability / Risk: 4 / 5 / 4 / 13
    New mitigation actions: Create a special Application #2 profile for dispatchers, independent from Active Directory. Never share Active Directory passwords. If mail needs to be shared too, create a special dispatcher mail-in box; if the mail-in box does not solve the problem, use Corporate email internal delegation to assign reader mail rights to other colleagues. Avoid creating a list of Application #2 user credentials; if no other solution exists, keep this list in a locked place under surveillance.

    Application #3 (Local; Cape Town; Business Owner: Addae Wilkins; Power user: Michael Andersen; C, I, A, Asset Value: 5, 2, 2, 5)

    Threat: Disclosure of personal sensitive data.
    Threat description: For some employees, sensitive personal data that are not necessary for the company have been collected and stored in the application.
    Vulnerability: The treatment of these data does not comply with data protection law.
    Controls/practices: The replacement of this application with Saphron is almost completed.
    Asset Value / Impact / Probability / Risk: 5 / 3 / 3 / 11
    New mitigation actions: Remove sensitive data that are not required and not necessary for the company. When the data transfer to Saphron is completed, remove the old application from Corporate email.

    Threat: Disclosure of confidential data.
    Threat description: Internal maintenance technicians have a high probability of accidentally reading confidential information.
    Vulnerability: Users do not always control the intervention of technicians. Technicians have not signed any confidentiality agreement. Technicians have not been trained on the protection of confidential data.
    Controls/practices: Ethical / professional training.
    Asset Value / Impact / Probability / Risk: 5 / 3 / 4 / 12
    New mitigation actions: Technicians (internal and external) should be trained on the protection of confidential data to understand their responsibilities. Technicians (internal and external) should sign an internal confidentiality agreement.

    Threat: User password compromised.
    Threat description: For maintenance reasons and/or connection testing, users reveal their password.
    Vulnerability: No possibility to use an Administrator password to test user connections. Technicians have not signed any confidentiality agreement.
    Controls/practices: Password change.
    Asset Value / Impact / Probability / Risk: 5 / 3 / 5 / 13
    New mitigation actions: Technicians should always recommend a password change to users after their intervention (if possible, technicians have to set "change on next logon"). Technicians (internal and external) should sign an internal confidentiality agreement.

    Application #4 (Local; São Paulo; Business Owner / Power user: Carlos dos Santos, Patricia da Silva; C, I, A, Asset Value: 4, 5, 4, 4; names and scores in the order extracted)

  • 6. Application #5 (Local; Paris; Business Owner: Ludovic Dupond; Power user: Sophie Renou; C, I, A, Asset Value: 5, 4, 5, 5)

    Threat: Disclosure of confidential data.
    Threat description: Maintenance technicians of users' Corporate email mail have a high probability of accidentally reading confidential information.
    Vulnerability: Users do not always control the intervention of technicians. Technicians have not signed any confidentiality agreement. Technicians have not been trained on the protection of confidential data.
    Controls/practices: Ethical / professional training.
    Asset Value / Impact / Probability / Risk: 5 / 3 / 4 / 12
    New mitigation actions: Technicians (internal and external) should be trained on the protection of confidential data to understand their responsibilities. Technicians (internal and external) should sign an internal confidentiality agreement.

    Application #6 (Global; Rome; Business Owner / Power user: Marco Biasini, Irene Massa; C, I, A, Asset Value: 5, 5, 5, 5; names and scores in the order extracted)

    Threat: Inadequate user identification.
    Threat description: Customers' passwords have no expiration time.
    Vulnerability: The application does not manage password expiration.
    Controls/practices: Customers are divided according to the customer they belong to; the user profile is limited to a specific customer's customers.
    Asset Value / Impact / Probability / Risk: 5 / 5 / 4 / 14
    New mitigation actions: The application must be modified to force periodical password expiration.

    Threat: Deliberate disclosure of private sensitive data.
    Threat description: A customer's password without expiration time can be easily identified.
    Vulnerability: The application does not manage password expiration.
    Controls/practices: Customers are divided according to the customer they belong to; the user profile is limited to a specific customer's customers.
    Asset Value / Impact / Probability / Risk: 5 / 5 / 4 / 14
    New mitigation actions: The application must be modified to force periodical password expiration, to increase user identification.

    Threat: Deliberate corruption or loss of sensitive private data.
    Threat description: Some customers have rights to create or modify doctor prescriptions. Customers' passwords have no expiration.
    Vulnerability: A doctor's ID with weak password security can be used to forge access and destroy or change customers' prescriptions.
    Controls/practices: Customers are divided according to the customer they belong to; the user profile is limited to a specific customer's customers.
    Asset Value / Impact / Probability / Risk: 5 / 5 / 4 / 14
    New mitigation actions: The application must be modified to force periodical password expiration, to increase user identification (for external users).

    Threat: Forcing of access rights.
    Threat description: The customer user ID has weak quality.
    Vulnerability: The user ID is created using the last name and the first letter of the first name, which is not adequate to the importance of the data stored.
    Controls/practices: Customers are divided according to the customer they belong to; the user profile is limited to a specific customer's customers.
    Asset Value / Impact / Probability / Risk: 5 / 5 / 4 / 14
    New mitigation actions: A more adequate policy for the quality of customer IDs should be implemented to reduce the possibility of discovering IDs.

    Threat: Accidental disclosure of private sensitive data.
    Threat description: External IT developers can see all data.
    Vulnerability: No segregation of data for the development scope.
    Controls/practices: External developers are identified by Company XX Active Directory.
    Asset Value / Impact / Probability / Risk: 5 / 4 / 5 / 14
    New mitigation actions: Developers should never work using production data.

    Threat: Missing third-party confidentiality agreement.
    Threat description: External developers have not signed any confidentiality agreement with Company XX.
    Vulnerability: Lack of third-party control.
    Controls/practices: No controls in this case.
    Asset Value / Impact / Probability / Risk: 5 / 4 / 4 / 13
    New mitigation actions: External developers have to sign a confidentiality agreement.

    Threat: Loss of identification control.
    Threat description: Customers that are not using the application client are allowed to store their access credentials in their internet browser.
    Vulnerability: With access credentials stored in the internet browser it is not possible to guarantee the identification of the user.
    Controls/practices: No controls in this case.
    Asset Value / Impact / Probability / Risk: 5 / 4 / 4 / 13
    New mitigation actions: Company XX should ask customers to subscribe to an agreement under which they implement a security policy forbidding storing access credentials in browsers. Modify the web application in order to avoid automatic logon.

    Threat: Accidental physical access to private sensitive data.
    Threat description: People who are not authorized could accidentally access private sensitive data.
    Vulnerability: There is no physically restricted area to prevent data access by unauthorized people.
    Controls/practices: No controls in this case.
    Asset Value / Impact / Probability / Risk: 5 / 4 / 5 / 14
    New mitigation actions: A physically restricted area to avoid accidental access to private sensitive data should be implemented.

    Threat: Loss of confidentiality.
    Threat description: All application users can export data from the application to a local file.
    Vulnerability: No possibility to apply confidentiality controls on the exported local file.
    Controls/practices: No controls in this case.
    Asset Value / Impact / Probability / Risk: 5 / 5 / 5 / 15
    New mitigation actions: Export of data from the application to a local file should be forbidden.
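The worksheet's two scoring rules can be turned into code so a register can be recomputed and ranked instead of being summed by hand. The block below is an added example written for this page, not a sheet or macro from the original workbook. It encodes the "Attributes (A)" column of the Estimation of Probability table (score 1 if all five low-likelihood attributes apply, 5 if any high-likelihood attribute applies) and the additive risk score that every row on slides 5 and 6 follows (Asset Value + Impact + Probability = Risk; the formula is inferred from those rows, the sheet never states it). Mapping a medium (specialist) attacker population with otherwise low attributes to score 3 is an assumption, as is the asset attribution of the slide-6 rows; the REGISTER rows are a constructed subset of the page's own rows with shortened threat labels.

```python
"""Scoring helpers for an ISO/IEC 27005-style risk register.

Added example; it is not part of the original worksheet. Two rules are
encoded: the attribute-based probability score (slide 3) and the additive
risk score that every row of slides 5 and 6 follows
(Asset Value + Impact + Probability = Risk, inferred from the rows).
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, List


class Population(IntEnum):
    """Attacker population, the one attribute slide 3 grades in three steps."""
    SMALL = 1    # insider knowledge
    MEDIUM = 3   # specialist
    LARGE = 5    # hobbyists


@dataclass(frozen=True)
class ThreatAttributes:
    population: Population
    remotely_executable: bool
    anonymous: bool          # no privileges needed; False means admin needed
    automated: bool
    published: bool          # publicly published attack method


def probability_from_attributes(a: ThreatAttributes) -> int:
    """Slide 3, column 'Attributes (A)'.

    5 if any of the five high-likelihood attributes applies, 1 if all five
    low-likelihood attributes apply. The sheet only says 'somewhere between'
    for the rest; scoring a medium population with otherwise low attributes
    as 3 is an assumption of this example, and 2 or 4 remain assessor calls.
    """
    if (a.population is Population.LARGE or a.remotely_executable
            or a.anonymous or a.automated or a.published):
        return 5
    if a.population is Population.SMALL:
        return 1
    return 3


def _check_scale(name: str, value: int) -> int:
    # Every factor in the sheet is scored 1..5; reject anything else early.
    if not 1 <= value <= 5:
        raise ValueError(f"{name} must be 1..5, got {value}")
    return value


def risk_score(asset_value: int, impact: int, probability: int) -> int:
    """Additive score used by the worksheet: 3 (lowest) to 15 (highest)."""
    return (_check_scale("asset value", asset_value)
            + _check_scale("impact", impact)
            + _check_scale("probability", probability))


@dataclass(frozen=True)
class RiskRow:
    asset: str
    threat: str
    asset_value: int
    impact: int
    probability: int
    stated_risk: int   # the Risk cell as written in the worksheet


def inconsistent_rows(rows: Iterable[RiskRow]) -> List[RiskRow]:
    """Rows whose stated Risk cell differs from the recomputed score."""
    return [r for r in rows
            if risk_score(r.asset_value, r.impact, r.probability) != r.stated_risk]


def ranked(rows: Iterable[RiskRow]) -> List[RiskRow]:
    """Highest risk first; ties broken by asset value, then by impact."""
    return sorted(rows, key=lambda r: (r.stated_risk, r.asset_value, r.impact),
                  reverse=True)


# Constructed subset of the page's rows (threat labels shortened; the
# slide-6 rows are attributed to Application #6 here, an assumption).
REGISTER = [
    RiskRow("Application #1", "Insiders export confidential data", 5, 4, 4, 13),
    RiskRow("Application #1", "WAN packet loss drops Citrix session", 5, 1, 1, 7),
    RiskRow("Application #1", "PDA with confidential data lost/stolen", 5, 3, 2, 10),
    RiskRow("Application #2", "Dispatchers share passwords", 4, 5, 4, 13),
    RiskRow("Application #3", "Unneeded sensitive personal data stored", 5, 3, 3, 11),
    RiskRow("Application #6", "Customer passwords never expire", 5, 5, 4, 14),
    RiskRow("Application #6", "Any user can export data to a local file", 5, 5, 5, 15),
]

if __name__ == "__main__":
    print("inconsistent rows:", [r.threat for r in inconsistent_rows(REGISTER)])
    for r in ranked(REGISTER):
        print(f"{r.stated_risk:>2}  {r.asset:<15} {r.threat}")
```

Running the script recomputes every Risk cell from its three factors (all rows on the page check out) and prints the register highest risk first, which is the order a treatment plan should follow; the `probability_from_attributes` helper is the piece to extend if the "Control Environment (C)" column is later given an explicit combination rule, which the sheet does not state.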