Risk Assessment Register

Each risk is recorded with its Process / Asset Information, Threat Information, Vulnerability Information, Consequences, Probability Information, Risk Assessment, Risk Treatment and Residual Risk. Business Criticality, Consequence, Likelihood and Risk Rankings use the scale VH / H / M / L / N (Very High / High / Medium / Low / Negligible, valued 5 / 4 / 3 / 2 / 1). Risk Response recommendations are one of Accept / Transfer / Mitigate / Avoid.

Risk 1
  Process: Email Marketing
  Asset: Email Campaign Application Server (Business Criticality: High)
  Threat: Compromise of device security
  Threat Source: Hacker / cracker / cyber criminal / insider
  Vulnerability: Vulnerable services on the servers not disabled
  Incident Scenario: The application server can be hacked by exploiting the vulnerabilities
  Consequence: Very High (5); Likelihood of Occurrence: Medium (3); Risk Value: 15; Risk Ranking: High
  Risk Response: Mitigate
  Suggested Controls: Vulnerability Assessment / Penetration Testing to be carried out periodically to plug the open vulnerabilities.
  Revised Likelihood: Negligible (1); Revised Risk Level: 5; Revised Risk Ranking: Low

Risk 2
  Process: Email Marketing
  Asset: Email Campaign Application Server (Business Criticality: High)
  Threat: Fire
  Threat Source: Accidents
  Vulnerability: No smoke detection / fire suppression equipment
  Incident Scenario: Fire can cause damage to the application servers
  Consequence: Very High (5); Likelihood of Occurrence: High (4); Risk Value: 20; Risk Ranking: Very High
  Risk Response: Mitigate
  Suggested Controls: Smoke detectors and FM200 gas based fire suppression systems to be installed in the data centre hosting the application servers.
  Revised Likelihood: Low (2); Revised Risk Level: 10; Revised Risk Ranking: Medium
  Management Decision on Residual Risk: Management has accepted the residual risk based on the risk appetite of the company.

Risk 3
  Process: Email Marketing
  Asset: Email Campaign Logs (Business Criticality: Medium)
  Threat: Unauthorized access / modification
  Threat Source: Employees / Insiders
  Vulnerability: Log monitoring systems are not password protected.
  Incident Scenario: The email campaign logs can be modified or deleted by employees
  Consequence: Medium (3); Likelihood of Occurrence: Medium (3); Risk Value: 9; Risk Ranking: Medium
  Risk Response: Mitigate
  Suggested Controls: Purchase of a SIEM tool to be explored. The log files shall be classified as "Read Only". Logs will be password protected and access shall be granted only to authorized users.
  Revised Likelihood: Low (2); Revised Risk Level: 6; Revised Risk Ranking: Low

Risk 4
  Process: Email Marketing
  Asset: Email Campaign Logs (Business Criticality: Medium)
  Threat: Information leakage
  Threat Source: Industrial spying / espionage / third party staff
  Vulnerability: Lack of security awareness
  Incident Scenario: Sensitive data within the logs, like email ids, could be leaked to competitors
  Consequence: High (4); Likelihood of Occurrence: Low (2); Risk Value: 8; Risk Ranking: Medium
  Risk Response: Mitigate
  Suggested Controls: DLP solutions to be implemented to prevent sensitive data being leaked out of the company. Awareness training on information security for all employees to be carried out periodically.
  Revised Likelihood: Negligible (1); Revised Risk Level: 4; Revised Risk Ranking: Low

Risk 5
  Process: Finance & Accounts
  Asset: Tally ERP9 (Business Criticality: Medium)
  Threat: Breach of licenses
  Threat Source: Employees / Insiders
  Vulnerability: Lack of control over software installation
  Incident Scenario: The software could be illegally copied and the licence could be leaked on the internet
  Consequence: High (4); Likelihood of Occurrence: High (4); Risk Value: 16; Risk Ranking: Very High
  Risk Response: Mitigate
  Suggested Controls: Software installation shall be restricted through group policy. The licence file shall be in encrypted format to avoid unauthorized copying.
  Revised Likelihood: Negligible (1); Revised Risk Level: 4; Revised Risk Ranking: Low

Risk 6
  Process: Finance & Accounts
  Asset: Tally ERP9 (Business Criticality: Medium)
  Threat: Application failure
  Threat Source: Employees / Insiders
  Vulnerability: Lack of system planning and acceptance
  Incident Scenario: The application could fail multiple times, leading to data corruption or deletion.
  Consequence: High (4); Likelihood of Occurrence: Low (2); Risk Value: 8; Risk Ranking: Medium
  Risk Response: Mitigate
  Suggested Controls: User acceptance testing, functional testing & regression testing shall be carried out prior to implementation of the software.
  Revised Likelihood: Negligible (1); Revised Risk Level: 4; Revised Risk Ranking: Low

Risk 7
  Process: Finance & Accounts
  Asset: Internal Audit Reports (Business Criticality: Low)
  Threat: Information leakage
  Threat Source: Industrial spying / espionage / third party staff
  Vulnerability: No agreement in place with third party / contract personnel
  Incident Scenario: Sensitive data within the internal audit reports could be disclosed by third party internal auditors to competitors / regulators / interested persons
  Consequence: High (4); Likelihood of Occurrence: Medium (3); Risk Value: 12; Risk Ranking: High
  Risk Response: Mitigate
  Suggested Controls: NDA agreements with third party internal auditors shall be executed. DLP solutions to be implemented to prevent sensitive data being leaked out of the company.
  Revised Likelihood: Negligible (1); Revised Risk Level: 4; Revised Risk Ranking: Low

Risk 8
  Process: Finance & Accounts
  Asset: Internal Audit Reports (Business Criticality: Low)
  Threat: Fire
  Threat Source: Accidents
  Vulnerability: Storage of combustible material
  Incident Scenario: Fire could damage the box files in which the internal audit reports are stored
  Consequence: Medium (3); Likelihood of Occurrence: High (4); Risk Value: 12; Risk Ranking: High
  Risk Response: Mitigate
  Suggested Controls: Fire proof cabinets to be implemented in the record rooms to store critical and important documents.
  Revised Likelihood: Low (2); Revised Risk Level: 6; Revised Risk Ranking: Low

Risk 9
  Process: Information Technology
  Asset: Database Server (Business Criticality: Very High)
  Threat: Hacking
  Threat Source: Outsider / insider with malicious intentions
  Vulnerability: Vulnerability Assessment and Penetration Testing is not carried out periodically
  Incident Scenario: An SQL injection attack could be carried out on the database server, leading to disclosure of information.
  Consequence: Very High (5); Likelihood of Occurrence: Very High (5); Risk Value: 25; Risk Ranking: Very High
  Risk Response: Mitigate
  Suggested Controls: Intrusion Prevention Systems (IPS) to be implemented to prevent attacks on the Database Server. Vulnerability Assessment / Penetration Testing to be carried out periodically to plug the open vulnerabilities.
  Revised Likelihood: Low (2); Revised Risk Level: 10; Revised Risk Ranking: Medium
  Management Decision on Residual Risk: Management has accepted the residual risk based on the risk appetite of the company.

Risk 10
  Process: Information Technology
  Asset: Database Server (Business Criticality: Very High)
  Threat: Data theft / misuse
  Threat Source: Outsider / insider with malicious intentions
  Vulnerability: Lack of physical security controls
  Incident Scenario: USB pen drives could be connected to the database server to copy the customer databases.
  Consequence: Very High (5); Likelihood of Occurrence: High (4); Risk Value: 20; Risk Ranking: Very High
  Risk Response: Mitigate
  Suggested Controls: USB ports to be blocked on all servers through the registry settings.
  Revised Likelihood: Negligible (1); Revised Risk Level: 5; Revised Risk Ranking: Low

Risk 11
  Process: Information Technology
  Asset: Baggage Scanners (Business Criticality: Negligible)
  Threat: Technical faults
  Threat Source: Technology incidents
  Vulnerability: Inadequate maintenance
  Incident Scenario: The baggage scanner could fail multiple times due to improper preventive maintenance.
  Consequence: Low (2); Likelihood of Occurrence: Low (2); Risk Value: 4; Risk Ranking: Low
  Risk Response: Accept
  Suggested Controls: A security guard shall be appointed to scan the baggage of all visitors and employees.
  Revised Likelihood: Low (2); Revised Risk Level: 4; Revised Risk Ranking: Low

Risk 12
  Process: Information Technology
  Asset: Baggage Scanners (Business Criticality: Negligible)
  Threat: Disputes with service providers
  Threat Source: Accidental / deliberate service disruptions
  Vulnerability: Service requirements and scope of work are not defined in SLA including service levels, security, availability etc.
  Incident Scenario: Due to lack of SLA with the service providers, preventive maintenance of the equipment may not be carried out.
  Consequence: Low (2); Likelihood of Occurrence: Low (2); Risk Value: 4; Risk Ranking: Low
  Risk Response: Mitigate
  Suggested Controls: SLA and AMC with the vendor should be executed to ensure proper preventive maintenance.
  Revised Likelihood: Low (2); Revised Risk Level: 4; Revised Risk Ranking: Low

Risk 13
  Process: Human Resource
  Asset: Employee Agreements (Business Criticality: Medium)
  Threat: Fire
  Threat Source: Accidents
  Vulnerability: Storage of combustible material
  Incident Scenario: Fire could damage the box files in which the employee confidentiality agreements are stored
  Consequence: Medium (3); Likelihood of Occurrence: High (4); Risk Value: 12; Risk Ranking: High
  Risk Response: Mitigate
  Suggested Controls: Fire proof cabinets to be implemented in the record rooms to store critical and important documents.
  Revised Likelihood: Negligible (1); Revised Risk Level: 3; Revised Risk Ranking: Negligible

Risk 14
  Process: Human Resource
  Asset: Employee Agreements (Business Criticality: Medium)
  Threat: Unauthorized physical access
  Threat Source: Employees
  Vulnerability: Lack of physical security controls
  Incident Scenario: Disgruntled employees could physically steal or damage the records
  Consequence: Medium (3); Likelihood of Occurrence: Medium (3); Risk Value: 9; Risk Ranking: Medium
  Risk Response: Mitigate
  Suggested Controls: Keys to the fireproof safe shall be kept with only 2 authorized persons. Access to the record rooms shall be controlled by biometric locks.
  Revised Likelihood: Low (2); Revised Risk Level: 6; Revised Risk Ranking: Low

Risk 15
  Process: Human Resource
  Asset: Employee Background Checks Records (Business Criticality: High)
  Threat: Fire
  Threat Source: Accidents
  Vulnerability: Open electrical fittings
  Incident Scenario: Open electrical fittings in the record rooms could cause a short circuit resulting in fire.
  Consequence: Low (2); Likelihood of Occurrence: Low (2); Risk Value: 4; Risk Ranking: Low
  Risk Response: Accept
  Suggested Controls: All wiring and electrical fittings are concealed.
  Revised Likelihood: Negligible (1); Revised Risk Level: 2; Revised Risk Ranking: Negligible

Risk 16
  Process: Human Resource
  Asset: Employee Background Checks Records (Business Criticality: High)
  Threat: Theft / loss
  Threat Source: Employees
  Vulnerability: Lack of physical access controls
  Incident Scenario: Disgruntled employees could physically steal or damage the records
  Consequence: Low (2); Likelihood of Occurrence: Medium (3); Risk Value: 6; Risk Ranking: Low
  Risk Response: Mitigate
  Suggested Controls: Keys to the fireproof safe shall be kept with only 2 authorized persons. Access to the record rooms shall be controlled by biometric locks.
  Revised Likelihood: Low (2); Revised Risk Level: 4; Revised Risk Ranking: Low

Risk 17
  Process: Compliance
  Asset: Statutory Returns (ROC, Income Tax etc.) (Business Criticality: Medium)
  Threat: Legal liability
  Threat Source: Internal staff / espionage / third party staff
  Vulnerability: Regulatory body's requirements applicable to the organization have not been identified & complied with
  Incident Scenario: The statutory returns may not be filed with the regulators on time
  Consequence: High (4); Likelihood of Occurrence: Low (2); Risk Value: 8; Risk Ranking: Medium
  Risk Response: Mitigate
  Suggested Controls: The CFO shall identify all the relevant regulations applicable to the company and ensure compliance with them.
  Revised Likelihood: Low (2); Revised Risk Level: 8; Revised Risk Ranking: Medium
  Management Decision on Residual Risk: Management has accepted the residual risk based on the risk appetite of the company.

Risk 18
  Process: Compliance
  Asset: Statutory Returns (ROC, Income Tax etc.) (Business Criticality: Medium)
  Threat: Non compliance of law
  Threat Source: Internal staff / espionage / third party staff
  Vulnerability: No proper contact and coordination is kept with external law authorities, special security forums etc.
  Incident Scenario: Updates in the law are not communicated to the concerned teams, leading to wrong filing of returns
  Consequence: High (4); Likelihood of Occurrence: Low (2); Risk Value: 8; Risk Ranking: Medium
  Risk Response: Mitigate
  Suggested Controls: Subscription to law updates shall be taken from an external organization. Appropriate training on updates / new laws shall be carried out periodically.
  Revised Likelihood: Low (2); Revised Risk Level: 8; Revised Risk Ranking: Medium
  Management Decision on Residual Risk: Management has accepted the residual risk based on the risk appetite of the company.

Risk 19
  Process: Compliance
  Asset: Non Disclosure Agreements with Clients (Business Criticality: Medium)
  Threat: Dust particles
  Threat Source: Employees
  Vulnerability: Inadequate cleaning activities like dropping / spillage of food particles, liquid on the equipment, papers, removable media causing damage.
  Incident Scenario: Dust particles, eating & drinking within the record rooms could damage the paper records
  Consequence: Medium (3); Likelihood of Occurrence: High (4); Risk Value: 12; Risk Ranking: High
  Risk Response: Mitigate
  Suggested Controls: The security guard appointed outside the record room shall prevent people from carrying eatables inside the record room.
  Revised Likelihood: Low (2); Revised Risk Level: 6; Revised Risk Ranking: Low

Risk 20
  Process: Compliance
  Asset: Non Disclosure Agreements with Clients (Business Criticality: Medium)
  Threat: Fire
  Threat Source: Accidents
  Vulnerability: Smoking within the premises
  Incident Scenario: Smoking within the record rooms could damage the paper records
  Consequence: Medium (3); Likelihood of Occurrence: High (4); Risk Value: 12; Risk Ranking: High
  Risk Response: Mitigate
  Suggested Controls: Smoke detectors and carbon dioxide based fire suppression systems to be installed in the record room.
  Revised Likelihood: Low (2); Revised Risk Level: 6; Revised Risk Ranking: Low
Sample List of Threats and Threat Source
Threat Description: Threat Source

Application failure: Employees / Insiders
Breach of licenses: Employees / Insiders
Compromise of device security: Hacker / cracker / cyber criminal / insider
Compromise of firewall security: Outsider / insider with malicious intentions
Data corruption: Electromagnetic interferences
Data theft / misuse: Industrial spying / espionage / third party staff; Outsider / insider with malicious intentions
Disputes with service providers: Accidental / deliberate service disruptions
Dumpster diving: Hacker / cracker / cyber criminal
Dust particles: Accidents
Epidemics: Influenza / flu / seasonal pandemics
Epidemics / absence / resignation: Health issues / shortage / attrition
Failure of supporting utilities: Industrial spying / espionage / third party staff
Fire: Accidents
Food poisoning: Infection
Hacking: Hacker / cracker / cyber criminal / insider
Hazard due to failure of supporting utilities: Accidental
Inability to operate in disaster: Natural / man-made disasters
Information leakage: Industrial spying / espionage / third party staff
Information security breach / sabotage: Employees / Insiders
IPR leakage / theft: Employees / Insiders
Issues with log traceability: Disastrous events / hacker / insider
IT hardware / software malfunctioning: Employees / Insiders
Legal liability: Industrial spying / espionage
Loss of human life: Civil unrest / riots
Loss of information: Disastrous events / hacker / insider
Malware / virus attack: Hacker / cracker / cyber criminal
Man-made disaster (terrorist / mob attacks / bomb scare): Disastrous events
Misuse of software licenses: Hacker / cracker / cyber criminal / insider
Natural calamities (floods / earthquake): Disastrous events
Non compliance of law: Industrial spying / espionage / third party staff
Password sniffing: Hacker / cracker / cyber criminal / insider
Risk of data theft / misuse: Employees / contract personnel
Server / hardware failure: Technology events
Social engineering: Industrial spying / espionage
Spying: Industrial spying / espionage
System (hardware / software failure): Technology faults / events
System (hardware / software failure) / unavailability of equipment: Technology faults / events
Technical faults: Technology incidents
Theft / loss: Employees
Theft / wilful damage: Outsider / insider with malicious intentions
Unauthorized access: Employees
Unauthorized access / modification: Employees / Insiders; Hacker / cracker / cyber criminal / insider
Unauthorized access (read / modify): Employees; Hacker / cracker / cyber criminal / insider
Unauthorized changes: Accidental / deliberate attempts to change; Hacker / cracker / cyber criminal
Unauthorized copying: Employees / Insiders
Unauthorized disclosure / information leakage: Hacker / cracker / cyber criminal / insider
Unauthorized logical access: Hacker / cracker / insider
Unauthorized modification: Accidental / deliberate attempt
Unauthorized modifications: Employees
Unauthorized physical access: Industrial spying / espionage / third party staff
Unavailability / poor quality of services: Accidental / deliberate service disruptions
Unavailability of cables: Rodents
Unavailability of data / data corruption: Electromagnetic interferences
Unavailability of equipment: Natural / man-made disasters
Unavailability of information: Hacker / cracker / cyber criminal
Uncontrolled copying: Employees / Insiders
User error: Employees / Insiders
Wardriving: Hacker / cracker / cyber criminal / insider
List of Threats and Threat Source considered for the exercise
Threat Description: Threat Source

Breach of licenses: Employees / Insiders
Compromise of device security: Hacker / cracker / cyber criminal / insider
Data theft / misuse: Industrial spying / espionage / third party staff; Outsider / insider with malicious intentions
Disputes with service providers: Accidental / deliberate service disruptions
Dust particles: Accidents
Fire: Accidents
Hacking: Hacker / cracker / cyber criminal / insider
Information leakage: Industrial spying / espionage / third party staff
Legal liability: Industrial spying / espionage
Non compliance of law: Industrial spying / espionage / third party staff
Technical faults: Technology incidents
Theft / loss: Employees
Unauthorized access / modification: Employees / Insiders; Hacker / cracker / cyber criminal / insider
Unauthorized physical access: Industrial spying / espionage / third party staff
Sample List of Vulnerabilities (Threat Specific)
Threat Description

Application failure
Breach of licenses
Compromise of device security
Compromise of firewall security
Data corruption
Data theft / misuse
Disputes with service providers
Dumpster diving
Dust particles
Epidemics
Epidemics / absence / resignation
Failure of supporting utilities
Fire
Food poisoning
Hacking
Hazard due to failure of supporting utilities
Inability to operate in disaster
Information leakage
Information security breach / sabotage
IPR leakage / theft
Issues with log traceability
IT hardware / software malfunctioning
Legal liability
Loss of human life
Loss of information
Malware / virus attack
Man-made disaster (terrorist / mob attacks / bomb scare)
Misuse of software licenses
Natural calamities (floods / earthquake)
Non compliance of law
Password sniffing
Risk of data theft / misuse
Server / hardware failure
Social engineering
Spying
System (hardware / software failure)
System (hardware / software failure) / unavailability of equipment
Technical faults
Theft / loss
Theft / wilful damage
Unauthorized access
Unauthorized access / modification
Unauthorized access (read / modify)
Unauthorized changes
Unauthorized copying
Unauthorized disclosure / information leakage
Unauthorized logical access
Unauthorized modification
Unauthorized modifications
Unauthorized physical access
Unavailability / poor quality of services
Unavailability of cables
Unavailability of data / data corruption
Unavailability of equipment
Unavailability of information
Uncontrolled copying
User error
Wardriving
Vulnerability Description

Absence of BCP & DR plans
Lack of system planning and acceptance
Technical review not carried out after making changes at OS level
Lack of control over software installation
Vulnerable services on the operating systems not disabled
Vulnerable services on the servers not disabled
Firewall is running a vulnerable OS version
Firewall rule base (i.e. anti-spoofing filters, stealth rule, ICMP echo requests, IP masquerading etc.) misconfiguration
No measures against various attacks like port scanning, buffer overflow, DoS, DDoS etc.
SNMP traps not enabled
Unnecessary / default ports open on firewall interface
Data is corrupted due to software / hardware malfunction
Data cables and power cables are in the same cable panel
Disposal of media policy & procedure not in place
Improper labelling
Lack of physical security controls
Media handling procedure is not defined
Media movement register is not maintained
Background check of third party is not verified
Changes to the third party services are not managed
Service requirements and scope of work are not defined in SLA including service levels, security, availability etc.
Absence of data destruction procedure
No paper shredder machine
Inadequate cleaning activities like dropping / spillage of food particles, liquid on the equipment, papers, removable media causing damage
Lack of awareness
Lack of cleanliness / poor housekeeping
Disgruntled / unmotivated staff / inappropriate rotation of employee shifts
No / inadequate AMCs
Preventive maintenance is not carried out
Lack of fire drills / emergency plan
No smoke detection / fire suppression equipment
Open electrical fittings
Smoking within the premises
Storage of combustible material
Poor quality food served by the caterer
Contact with special security groups not maintained to remain updated about new technology / vulnerabilities / threats
Vulnerability Assessment and Penetration Testing is not carried out periodically
Improper rotation of shifts / extended working hours
Inadequate HVAC arrangements
No / inadequate lighting
Unavailability of BCP & DR plans
"Return of assets" procedure is not followed
Agreements do not address information exchange mechanism / terms of non-disclosure of information
Confidentiality clause not addressed in agreements
Data not encrypted between client and server
Lack of internal security controls allowing Trojans, backdoor traps etc.
No separation between development, test and production environment
Password of default account is not changed (default account provided by application vendor)
Terminated application admin's ID has not been disabled
User rights are not reviewed periodically to detect unauthorized modifications
Absence of disciplinary process
Disgruntled employee / integrity issue
Lack of awareness of organizational responsibilities including security responsibility
Unavailability of employee agreements / NDA
Uncontrolled access / copy rights
Device clocks are not synchronized
Improper patch management
Cryptographic keys are not compliant with applicable laws and regulations
Pirated versions of software / applications in use
Regulatory body's requirements applicable to the organization have not been identified & complied with
User licenses exceeded
Entry to the premises is not restricted
Personnel evacuation is not performed
Personnel evacuation plan is not present
Smoke detection and prevention mechanism is not present
Absence of / inadequate backup policy / inadequate backup frequency / retention period
Backups are not moved to offsite location
No / improper incident management
No / inadequate BCP & DR plans
Restoration tests are not performed
Retention period is not identified for backup media
Antivirus systems are not installed / antivirus definitions are not regularly updated
External media used without scanning
Internal / production network connected to internet
Inadequate physical entry controls
No business continuity plans / DR site
No process to address unidentified objects in premises
List of users is not maintained
Data Centre situated in high seismic zone
Improper civil structure
Located in an area susceptible to flood
No earth pit
No lightning arrestors
No proper contact and coordination is kept with external law authorities, special security forums etc.
Login through ftp and telnet
Unavailability of secure storage of devices
Internet access is not restricted
AMC / warranty is not in place
Inadequate security training
Lack of security awareness
User awareness
Absence of clearly defined HR policies and procedures
Weaker security controls allowing easy access to organizational information
Misconfigured system
No system maintenance
Power outage
Inadequate capacity planning & management process
Inadequate maintenance
Lack of equipment replacement scheme on periodic basis
Susceptibility to humidity, dust, soiling
Temperature variations in the data centre
Unauthorized device movement
Equipment is not stored in locked racks
Lack of physical access controls
No monitoring of data centre
Public areas are not separated from critical areas such as data centre
Uncontrolled asset movements within / outside organization
Absence of clear desk clear screen policy
Data is stored on mobile devices without any security control
Default accounts not disabled
Detection of default SNMP community strings
Firewall remote access (external) for management is available through a weak communication channel
Firewall web GUI management console accessible from entire network remotely (internally / externally)
Improper password management
Logon banner displaying router or organizational information not disabled
No / improper classification in terms of criticality
No logging for configuration changes and authentication failures
No monitoring policy
No policy defined for issuance of data card
No policy for acceptable usage of internet
Organization's IT assets are placed in a manner which allows unauthorized people to overlook restricted information displayed on the screen
Passwords not encrypted
Segregation of duties is not followed
Session time out not configured
Telnet access enabled for remote management
Traffic (internal / external) not allowed based on service access policy
Unauthorized telnet access available
Unavailability of role-based user management procedure (e.g. user accounts exist with higher privileges than required to perform a responsibility)
Unnecessary rules are present in the firewall
Administrator logs are not reviewed
Log monitoring systems are not password protected
Logs are not stored in 'read only' form; administrators can modify the logs
Baseline configuration document is not maintained
Guest account is enabled
Incident management process not in place
Non-essential ports / services are opened
Operating system is not hardened / latest patches are not applied
Terminated user accounts are not disabled
Third party can connect from remote location
Unrestricted access to third party employee
User registration forms are not signed before creating user on system
User rights are not reviewed periodically
Vendor default accounts and passwords are not disabled
Absence of asset management
Absence of change management
Absence of change management for firewall related changes
Baseline configuration document is not maintained for each device
User rights are not defined
Absence of asset management procedure
Unauthorized photocopies
Disgruntled / corrupt employees
Lack of security awareness
No "exit procedure" in place to ensure return of assets / removal of access rights
No agreement in place with third party / contract personnel
No agreement signed with employees on terms and conditions of employment and non-disclosure
No disciplinary process
Transferring the data through email / internet
Unclear responsibilities
Absence of password policy
Audit logging not enabled or reviewed
Data is not encrypted before transmission
Database information is not classified in terms of its criticality
Direct access to database
Lack of clear desk & clear screen policy
Lack of identification and authentication mechanism like user based authentication
Level of access is not implemented as per its criticality
No / improper classification in terms of criticality
No / incorrect access control policy
No account lock-out policy
No review of user access rights
No segregation of network
No stringent password policy, poor password management (easily guessable passwords, storing of passwords, inadequate frequency of change)
User ID given by vendor is used / active in production environment
Operational (live) environment and live data are used for development and testing of the software
Testing database and live database are kept on the same server
Inadequate change control
Inadequate configuration control
Incident management process not in place
Segregation of duties is not followed
User activities are not logged, e.g. audit trails
Asset inventory is not maintained
Employee after termination / separation is allowed to access the premises
Inadequate physical entry controls
Inappropriate equipment siting
Lack of physical security controls
No separation between public access area like delivery area and operations area
Ownership of assets is not defined
Unrestricted physical access
Unsupervised visitor movement / unsupervised work by third party
Weak siting of servers allowing unauthorized view to onlookers
Contract renewal is not identified
Lack of training
Penalty clause is not defined in SLA
Third party services are not monitored
Inadequate protection to cables
Pest control is not done regularly
Backup media is not properly protected against dust, electromagnetic interference etc.
Periodic restoration drills are not carried out
Absence of change control
Adequate redundancies are not planned
Backup files not stored in a secured environment
Capacity management is not carried out
Lack of supporting utilities such as UPS, DG sets
No / inadequate backup of router configuration files
No / inadequate backup of firewall configuration / rule base files
No consideration of redundancy in case of failure of device
SLA / AMCs not in place
Unavailability of BCP & DR plans
Unavailability of incident management
Unstable power grid
Backup is not present
Absence of asset management procedure
Computing equipment is sent for maintenance / repair without sanitization
Data owner is not defined
Unauthorized data copy / transfer through portable media like USB, zip drives, CDs
Inadequate user skills
Lack of user training
Wireless router is not configured with password / WPA key
List of Vulnerabilities considered for the exercise
Threat Description: Vulnerability Description

Application failure: Lack of system planning and acceptance
Breach of licenses: Lack of control over software installation
Compromise of device security: Vulnerable services on the servers not disabled
Data theft / misuse: Lack of physical security controls
Disputes with service providers: Service requirements and scope of work are not defined in SLA including service levels, security, availability etc.
Dust particles: Inadequate cleaning activities like dropping / spillage of food particles, liquid on the equipment, papers, removable media causing damage
Fire: No smoke detection / fire suppression equipment; Open electrical fittings; Smoking within the premises; Storage of combustible material
Hacking: Vulnerability Assessment and Penetration Testing is not carried out periodically
Legal liability: Regulatory body's requirements applicable to the organization have not been identified & complied with
Non compliance of law: No proper contact and coordination is kept with external law authorities, special security forums etc.
Technical faults: Inadequate maintenance
Theft / wilful damage: Lack of physical access controls
Unauthorized access / modification: Log monitoring systems are not password protected
Unauthorized disclosure / information leakage: Lack of security awareness; No agreement in place with third party / contract personnel
Unauthorized physical access: Lack of physical security controls
Risk Ranking Template (Risk Value = Probability Value x Consequence Value)

                            Consequences
Probability        Value    Negligible   Low   Medium   High   Very High
                                1         2      3        4        5
Very High            5          5        10     15       20       25
High                 4          4         8     12       16       20
Medium               3          3         6      9       12       15
Low                  2          2         4      6        8       10
Negligible           1          1         2      3        4        5
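Added example (not part of the original worksheet): a Python check that rebuilds the 5x5 template above and recomputes every register row to confirm that the stated Risk Value, Risk Ranking, Revised Risk Level and Revised Risk Ranking follow from the scale values, and that lists the mitigated risks whose residual ranking is still above Low. The score bands (which Risk Value maps to which ranking label) are not stated on the page and are inferred here from the register's own rows, so treat them as an assumption.

```python
"""Consistency check for the risk register and the 5x5 Risk Ranking Template.

Added example, not part of the original worksheet. Scale values and the 20
register rows are transcribed from the sheet. The score bands (BANDS) are NOT
stated on the page; they are inferred from the sheet's own rows (9 -> Medium,
6 -> Low, 16 -> Very High, 3 -> Negligible) and are therefore an assumption.
"""
from dataclasses import dataclass

SCALE = {"Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}

# Assumption (inferred from the register): inclusive upper bound of each band.
BANDS = [(3, "Negligible"), (6, "Low"), (10, "Medium"), (15, "High"), (25, "Very High")]


def risk_value(consequence: str, likelihood: str) -> int:
    """Risk Value = Consequence Value x Likelihood Value (the template's rule)."""
    return SCALE[consequence] * SCALE[likelihood]


def rank(value: int) -> str:
    """Map a score of 1..25 to its ranking label using the inferred bands."""
    for upper, label in BANDS:
        if value <= upper:
            return label
    raise ValueError(f"score outside the 5x5 template: {value}")


def ranking_matrix() -> dict:
    """Rebuild the Risk Ranking Template as {(probability, consequence): score}."""
    return {(p, c): risk_value(c, p) for p in SCALE for c in SCALE}


@dataclass
class Row:
    asset: str
    threat: str
    consequence: str
    likelihood: str
    stated_value: int          # Risk Value as written in the sheet
    stated_ranking: str        # Risk Ranking as written in the sheet
    response: str              # Accept / Transfer / Mitigate / Avoid
    revised_likelihood: str
    revised_value: int         # Revised Risk Level as written in the sheet
    residual_ranking: str      # Revised Risk Ranking as written in the sheet

# The register's 20 rows, transcribed from the sheet above.
REGISTER = [Row(*r) for r in [
    ("Email Campaign Application Server", "Compromise of device security", "Very High", "Medium", 15, "High", "Mitigate", "Negligible", 5, "Low"),
    ("Email Campaign Application Server", "Fire", "Very High", "High", 20, "Very High", "Mitigate", "Low", 10, "Medium"),
    ("Email Campaign Logs", "Unauthorized access / modification", "Medium", "Medium", 9, "Medium", "Mitigate", "Low", 6, "Low"),
    ("Email Campaign Logs", "Information leakage", "High", "Low", 8, "Medium", "Mitigate", "Negligible", 4, "Low"),
    ("Tally ERP9", "Breach of licenses", "High", "High", 16, "Very High", "Mitigate", "Negligible", 4, "Low"),
    ("Tally ERP9", "Application failure", "High", "Low", 8, "Medium", "Mitigate", "Negligible", 4, "Low"),
    ("Internal Audit Reports", "Information leakage", "High", "Medium", 12, "High", "Mitigate", "Negligible", 4, "Low"),
    ("Internal Audit Reports", "Fire", "Medium", "High", 12, "High", "Mitigate", "Low", 6, "Low"),
    ("Database Server", "Hacking", "Very High", "Very High", 25, "Very High", "Mitigate", "Low", 10, "Medium"),
    ("Database Server", "Data theft / misuse", "Very High", "High", 20, "Very High", "Mitigate", "Negligible", 5, "Low"),
    ("Baggage Scanners", "Technical faults", "Low", "Low", 4, "Low", "Accept", "Low", 4, "Low"),
    ("Baggage Scanners", "Disputes with service providers", "Low", "Low", 4, "Low", "Mitigate", "Low", 4, "Low"),
    ("Employee Agreements", "Fire", "Medium", "High", 12, "High", "Mitigate", "Negligible", 3, "Negligible"),
    ("Employee Agreements", "Unauthorized physical access", "Medium", "Medium", 9, "Medium", "Mitigate", "Low", 6, "Low"),
    ("Employee Background Checks Records", "Fire", "Low", "Low", 4, "Low", "Accept", "Negligible", 2, "Negligible"),
    ("Employee Background Checks Records", "Theft / loss", "Low", "Medium", 6, "Low", "Mitigate", "Low", 4, "Low"),
    ("Statutory Returns", "Legal liability", "High", "Low", 8, "Medium", "Mitigate", "Low", 8, "Medium"),
    ("Statutory Returns", "Non compliance of law", "High", "Low", 8, "Medium", "Mitigate", "Low", 8, "Medium"),
    ("NDAs with Clients", "Dust particles", "Medium", "High", 12, "High", "Mitigate", "Low", 6, "Low"),
    ("NDAs with Clients", "Fire", "Medium", "High", 12, "High", "Mitigate", "Low", 6, "Low"),
]]


def audit(rows=REGISTER) -> dict:
    """Recompute every row; report (a) any score or label that disagrees with the
    sheet and (b) mitigated risks whose residual ranking is still above Low, which
    the sheet shows as needing an explicit management acceptance decision."""
    problems, needs_decision = [], []
    for n, r in enumerate(rows, start=1):
        inherent = risk_value(r.consequence, r.likelihood)
        if (inherent, rank(inherent)) != (r.stated_value, r.stated_ranking):
            problems.append((n, "inherent", inherent, rank(inherent)))
        residual = risk_value(r.consequence, r.revised_likelihood)
        if (residual, rank(residual)) != (r.revised_value, r.residual_ranking):
            problems.append((n, "residual", residual, rank(residual)))
        if r.response == "Mitigate" and SCALE[r.residual_ranking] > SCALE["Low"]:
            needs_decision.append(n)
    return {"problems": problems, "needs_management_decision": needs_decision}
```

For the transcribed register `audit()` reports no problems and flags rows 2, 9, 17 and 18, exactly the rows where the sheet records a management acceptance of the residual risk.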