
Information Asset: Server infrastructure
Description: Server metadata and physical condition
Responsible departments: Technical Department and CISO Department
Risk Scenario:

- Each department within the company uses a server, and each department has its own
dedicated server to store its information. This separates the business processes and
avoids a centralised failure if one server machine fails. Responsibility for the server
hardware falls under the Technical Department; the CISO Department is responsible for
ensuring that the security elements protecting the server are in place.
- Because the server contains sensitive information and is the backbone of the company's
data processing equipment, the hardware is an information asset that needs to be
protected.
- The output of this process is a set of guidelines for protecting the server from the
various threats and for ensuring its availability should unfortunate events occur.
- The initial server value was $30,000; a further $20,000 for the UPS, fire protection
system and cooling system brings the total asset value to $50,000.
- The ARO calculations are also based on the threat, taking into account the factors
behind each one: the maintenance process, which occurs every 3-5 years depending on
server capacity; natural disaster occurrences within the office area; the vulnerability
to data theft; unauthorised data modification; and server misconfiguration, which
occurs every 3-5 years.

[Organisation chart: CEO, CFO and CISO, with the HR, Manufacturing, RD, Technical and
Marketing Departments, each holding its own information assets, procedures, standards,
controls, etc.]
Risk Registers
- All potential risks from each department are identified based on the information
assets under that department that may affect the company's business services, together
with the actions to take to address each potential risk, the appropriate response to
prepare for it, and the procedures to follow if the risk materialises.
- The document produced by the risk management process, in this case the risk register,
is considered an asset because the information it contains relates to existing risks
that may affect the company's business processes.
- The output of the document is a list of risks related to the information assets,
procedures, standards and implemented controls of each department.
- The rate of occurrence is calculated as a yearly rate, since the risk management
process tends to be reviewed on a yearly basis.

Risk Scenario
The risk scenarios for both information assets are built on the ISACA risk scenario
framework. For the server, the risk actor can be internal or external, since both the data
held on the server and the availability of the server have to be protected. Internal actors
account for risks such as privilege abuse, misconfiguration, lack of updates, low security
awareness and mistreatment of the equipment. External threats cover the human element,
such as ransomware, malware, DDoS and theft, but also unpredictable events such as natural
disaster, power outage and equipment failure. The next component of the framework is the
threat type: malicious, accidental/error, failure, natural, or external requirement. This
component is used to determine the responses and the controls that should be implemented
to address each threat according to its type. Next is the event, which describes what could
happen to the information asset given the nature of the server: disclosure, interruption,
modification, destruction and inappropriate use are the events considered possible for
the server given the nature of our industry. The next component is the asset or resource
type, which lets us identify the importance of the asset and whether it is tangible or
intangible; the server is a tangible asset that physically exists and needs to be protected.
The last component is time, which is tied to the importance of the server to the company.
We incorporated the time element into the "what would management do" part of the scenario
by grading each service interruption according to the severity of its consequences: an
interruption shorter than half a day is insignificant, half a day is minor, a day is
moderate, a month is major, and an interruption recurring on a monthly basis is extreme.
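The ARO figures in the server scenario and the time-based severity ladder above can be turned into a small quantitative risk calculator. The following is an added worked example, not part of the original report: it uses the page's asset value ($30,000 server plus $20,000 UPS, fire protection and cooling) and the 3-5 year recurrence given for maintenance and misconfiguration, but the exposure factors, the recurrence intervals for the other threats, and the exact hour thresholds between the severity categories are all assumptions chosen for illustration.

```python
# Added example (not from the original report): SLE / ARO / ALE figures for the
# server asset, plus the report's interruption-duration severity ladder.
# Asset value and the 3-5 year recurrence are from the page; exposure factors,
# the other intervals and the severity thresholds are ASSUMED.
from dataclasses import dataclass

# Asset value from the report: $30,000 server + $20,000 UPS, fire protection, cooling.
SERVER_ASSET_VALUE = 30_000 + 20_000


@dataclass(frozen=True)
class Threat:
    name: str
    threat_type: str        # ISACA threat type used in the risk scenario
    years_between: float    # expected years between occurrences
    exposure_factor: float  # fraction of asset value lost per event (ASSUMED)


def aro(years_between: float) -> float:
    """Annualised rate of occurrence: events per year from a recurrence interval."""
    if years_between <= 0:
        raise ValueError("recurrence interval must be positive")
    return 1.0 / years_between


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: value lost in one occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, years_between: float) -> float:
    """Annualised loss expectancy = SLE x ARO."""
    return sle(asset_value, exposure_factor) * aro(years_between)


def ale_band(asset_value, exposure_factor, years_lo, years_hi):
    """ALE range for a threat whose recurrence is given as a band such as 3-5 years.
    The longer interval yields the lower ALE, so the result is (low, high)."""
    return (ale(asset_value, exposure_factor, years_hi),
            ale(asset_value, exposure_factor, years_lo))


def severity(outage_hours: float, recurs_monthly: bool = False) -> str:
    """Severity of a service interruption following the report's time ladder:
    under half a day, half a day, a day, a month, recurring monthly.
    The hour thresholds between the named durations are ASSUMED."""
    if recurs_monthly:
        return "extreme"
    if outage_hours < 12:
        return "insignificant"
    if outage_hours < 24:
        return "minor"
    if outage_hours < 24 * 30:
        return "moderate"
    return "major"


# Constructed register for the threats the report names. Maintenance and
# misconfiguration use the page's 3-5 year band at its 4-year midpoint; the
# other intervals and every exposure factor are assumptions.
SERVER_THREATS = [
    Threat("maintenance outage", "failure", 4.0, 0.02),
    Threat("misconfiguration", "accidental/error", 4.0, 0.10),
    Threat("natural disaster", "natural", 25.0, 1.00),
    Threat("data theft", "malicious", 2.0, 0.40),
    Threat("unauthorised modification", "malicious", 2.0, 0.25),
]


def risk_register(threats, asset_value=SERVER_ASSET_VALUE):
    """Rows of (name, threat type, ARO, SLE, ALE), highest ALE first."""
    rows = [(t.name, t.threat_type, aro(t.years_between),
             sle(asset_value, t.exposure_factor),
             ale(asset_value, t.exposure_factor, t.years_between))
            for t in threats]
    return sorted(rows, key=lambda r: r[4], reverse=True)


if __name__ == "__main__":
    for name, ttype, a, s, al in risk_register(SERVER_THREATS):
        print(f"{name:26s} {ttype:17s} ARO={a:.3f} SLE=${s:>8,.0f} ALE=${al:>8,.0f}")
    lo, hi = ale_band(SERVER_ASSET_VALUE, 0.10, 3, 5)
    print(f"misconfiguration ALE over a 3-5 year recurrence: ${lo:,.0f} to ${hi:,.0f}")
    print("one-day outage:", severity(24), "| recurring monthly:", severity(24, True))
```

Ranking by ALE rather than by ARO alone is the point of the exercise: a misconfiguration recurring every 3-5 years carries a lower annualised loss than a rarer but total loss such as a disaster, which is what decides where the $20,000 of UPS, fire protection and cooling spend is justified.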

For the risk register, which is an intangible asset, the threat actor is mainly internal,
with associated threats such as misidentification of risks, insufficient data, poor planning
and lack of updates, but external threats such as changes in the environment and data loss
are also considered to affect this asset. The threat types for this asset are
accidental/error, external requirement, failure and natural. The events that could affect
it are interruption, modification, ineffective design, ineffective execution and
disclosure. The time aspect for this asset is determined by the nature of the risk
management process, which is reviewed on a yearly basis, with the effects of the process
lasting 3 to 5 years depending on the company environment. Day-to-day effects should also be
considered, given the importance of the risk register data to the company.
