
Information Asset: Server metadata and physical condition; HAZEL MOO information
Department: Technical, CISO
Risk Scenario: Server infrastructure

- Every department within the company uses a server, but each department has its own dedicated server to store its information. This separates the business processes and avoids a centralised failure if one server machine fails. Responsibility for the server hardware falls under the Technical department, while the CISO department is responsible for ensuring that the security elements protecting the server are in place.
- Consequently, because the server contains sensitive information and is the backbone of the company's data processing equipment, this hardware is an information asset that needs to be protected.
- The output of this process is a set of guidelines for protecting the server from various threats and ensuring its availability in case unfortunate events occur.
- The initial server value was 30.000 $; adding 20.000 $ for the UPS, fire protection system, and cooling system brings the total to 50.000 $.
- The ARO calculation is also based on the threat, considering factors for each threat such as the maintenance process, which occurs every 3-5 years depending on the server capacity, natural disaster occurrences within the office area, the vulnerability of data being stolen, unauthorised data modification, and server misconfiguration, which occurs every 3-5 years.
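The ARO-based valuation described above, worked through as an added example (not code from the original assessment): the 50.000 $ asset value and the 3-5 year intervals for maintenance and misconfiguration are taken from the text; the exposure factors and the 10-year interval for data theft are constructed assumptions.

```python
# Added example: annualised loss expectancy (ALE) for the server asset, using
# the asset value the assessment states and its "one event per 3-5 years" way
# of deriving ARO. Not code from the original document.
from dataclasses import dataclass

# From the page: 30.000 $ base server value + 20.000 $ UPS, fire protection
# and cooling system = 50.000 $ total.
SERVER_ASSET_VALUE = 30_000 + 20_000


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # fraction of asset value lost per event (assumed)
    min_years: float        # shortest recurrence interval (stated or assumed)
    max_years: float        # longest recurrence interval (stated or assumed)


def aro_range(threat: Threat):
    """ARO = events per year; one event per interval gives a (low, high) pair."""
    return (1.0 / threat.max_years, 1.0 / threat.min_years)


def ale_range(threat: Threat, asset_value: float = SERVER_ASSET_VALUE):
    """ALE = SLE x ARO, with SLE = asset value x exposure factor."""
    sle = asset_value * threat.exposure_factor
    lo, hi = aro_range(threat)
    return (round(sle * lo, 2), round(sle * hi, 2))


def server_threats():
    """Threats from the assessment. The 3-5 year intervals for maintenance and
    misconfiguration come from the page; the theft interval and all exposure
    factors are constructed assumptions for illustration only."""
    return [
        Threat("maintenance process", 0.10, 3, 5),
        Threat("server misconfiguration", 0.25, 3, 5),
        Threat("stolen data (assumed 1 per 10 years)", 0.60, 10, 10),
    ]


def ale_report(threats=None, asset_value: float = SERVER_ASSET_VALUE):
    """Map each threat name to its (low, high) ALE, worst case first."""
    threats = server_threats() if threats is None else threats
    ranked = sorted(threats, key=lambda t: ale_range(t, asset_value)[1], reverse=True)
    return {t.name: ale_range(t, asset_value) for t in ranked}


if __name__ == "__main__":
    for name, (lo, hi) in ale_report().items():
        print(f"{name:40s} ALE {lo:>9.2f} $ .. {hi:>9.2f} $ per year")
```

The ranking shows which threat's worst-case yearly loss justifies spending on controls first; swap in the company's own exposure factors to reuse it for the other threats in the register.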
[Figure: organisational diagram showing the CEO, CFO, CISO and the HR, Manufacturing, RD, Technical and Marketing departments, each holding its own Information Asset, procedures, standard, controls, etc.]

Risk Registers
- All potential risks from each department are identified based on the information assets under that department which may affect the company's business services; the actions to take to address each potential risk are then determined, the appropriate response to each risk is prepared, and the procedures to follow if the risk materialises are defined.
- The document produced by the risk management process, in this case the risk register, is itself considered an asset because the information it contains relates to the existing risks that may affect the company's business processes.
- The output of the document is a list of risks related to the information assets, procedures, standards, and implemented controls of each department.
- The rate of occurrence was calculated on a yearly basis, since risk management tends to be reviewed yearly.
Risk Scenario

The risk scenario for both information assets is created based on the ISACA framework. For the server, the risk actor can be internal or external, since both the data contained in the server and the availability of the server have to be protected. Internal actors cover risks such as privilege abuse, misconfiguration, lack of updates, low security awareness, and mistreatment. External threats cover the human aspect, such as ransomware, malware, DDoS, and theft, but also unpredictable events such as disaster, power outage, and equipment failure. The next aspect of the framework that could affect the server is the threat type: malicious, accidental/error, failure, natural, or external requirement. This aspect is used to determine the responses and the controls that should be implemented to address the threats associated with each threat type for the server. Next is the event, which is used to determine what could happen to the information asset given the nature of the server. Disclosure, interruption, modification, destruction, and inappropriate use are the events considered as possibly affecting the server, given the nature of our industry. The next component is the asset or resource type, which allows us to identify the importance of the asset and whether it is a tangible or intangible asset. In this case the server is a tangible asset that physically exists and needs to be protected. The last component is time, which is connected to the importance of the server for the company. We incorporated the time element into "what would management do" by categorising the service interruption caused by each existing threat according to the severity of its consequences: a half-day effect falls under the insignificant category, a half-day effect falls under the minor category, a one-day effect falls under the moderate category, a one-month effect falls under the major category, and an effect on a monthly basis falls under the extreme category.

For the risk register, since it is an intangible asset, the threat actors are mainly internal, with associated threats such as misidentification, insufficient data, poor planning, and lack of updates, but external threats such as environmental changes and data loss are also considered as affecting this asset. The threat types for this asset are accidental/error, external requirement, failure, and natural. The events that could affect this asset are interruption, modification, ineffective design, ineffective execution, and disclosure. The time aspect for this asset is determined by the nature of the risk management process, which is reviewed on a yearly basis, with the effect of the process lasting 3 to 5 years depending on the company environment. The daily effect should also be considered, given the importance of the risk register data to the company.
