Module 2 Lab Manual 4 Risk Assessment and Treatment - Answer (Repaired)
Asset Register

Columns: Process | Asset | Asset Description | Business Criticality (VH / H / M / L / N) | Threat Description

Processes: Email Marketing; Finance & Accounts; Information Technology; Human Resource; Compliance

Assets and business criticality:
Email Campaign Application Server - High
Email Campaign Logs - Medium
Internal Audit Reports - Low
Employee Agreements - Medium
Employee Background Checks Records - High
Statutory Returns (ROC, Income Tax etc.) - Medium
Non Disclosure Agreements with Clients - Medium

Threats recorded against the assets (in worksheet order): Compromise of device security; Fire; Unauthorized access / modification; Information leakage; Breach of licenses; Application failure; Information leakage; Fire; Hacking; Data theft / misuse; Technical faults; Fire; Unauthorized physical access; Fire; Theft / loss; Legal liability; Dust particles; Fire
Risk Assessment

Columns: Threat Information (Threat Source) | Vulnerability Information (Vulnerability Description) | Consequences (Incident Scenario, Consequence Value)

Disgruntled employees | Lack of physical security controls | Employees could physically steal or damage the records | Medium

Internal staff / espionage / third party staff | Regulatory body's requirements applicable to the organization have not been identified and complied with | The statutory returns may not be filed with the regulators on time | High

Employees | Inadequate cleaning; activities like dropping / spillage of food particles or liquid on the equipment, papers or removable media, causing damage | Dust particles, eating & drinking within the record rooms could damage the paper records | Medium
Risk Response

Columns: Risk Treatment (Suggested Controls to Treat the Risk) | Revised Risk Valuation (Revised Likelihood of Occurrence, Revised Likelihood Value, Revised Risk Level) | Revised Risk Ranking | Management's Acceptance / Decision on Residual Risk

Vulnerability Assessment / Penetration Testing to be carried out periodically to close open vulnerabilities. | Negligible | 1 | 5

DLP solution to be implemented to prevent sensitive data from being leaked out of the company. | Negligible | 1 | 4

Awareness training on information security for all employees to be carried out periodically.

Revised Risk Ranking, row by row: Low; Medium; Low; Low; Low; Low; Low; Low; Medium; Low; Low; Low; Negligible; Low; Negligible; Low; Medium; Medium; Low; Low

Management's Acceptance / Decision on Residual Risk: for each row ranked Medium, "Management has accepted the residual risk based on the risk appetite of the company". Rows ranked Low or Negligible carry no decision entry.
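To show how the columns of this worksheet fit together, here is an added example (not part of the lab manual) that scores the three risk rows visible above, applies a treatment and tests the residual risk against a risk appetite. The 1..5 scale values, the product rule for the risk level, the rank bands, the inherent and revised likelihoods and the controls named in the code are assumptions; only the threat sources, vulnerabilities, scenarios and consequence values are taken from the worksheet.

```python
"""Qualitative risk scoring, treatment and residual-risk acceptance for a
risk register of the kind filled in above.

Added example, not part of the lab manual. The five-point scales, the rule
risk level = likelihood value x consequence value, the rank bands and the
risk appetite are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed scale values for the VH / H / M / L / N labels used in the worksheet.
SCALE = {"Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}
# Qualitative ranks in increasing order of severity.
RANKS = ["Negligible", "Low", "Medium", "High"]
# Assumed risk appetite: residual risks ranked at or below this may be accepted.
RISK_APPETITE = "Medium"


def risk_level(likelihood: str, consequence: str) -> int:
    """Risk level as the product of the two scale values (1..25)."""
    return SCALE[likelihood] * SCALE[consequence]


def risk_rank(level: int) -> str:
    """Map a 1..25 risk level onto a qualitative rank (band edges assumed)."""
    if level <= 2:
        return "Negligible"
    if level <= 6:
        return "Low"
    if level <= 12:
        return "Medium"
    return "High"


@dataclass
class Risk:
    threat_source: str
    vulnerability: str
    incident_scenario: str
    likelihood: str                # likelihood of occurrence before treatment
    consequence: str               # consequence value
    controls: List[str] = field(default_factory=list)
    revised_likelihood: Optional[str] = None  # likelihood once controls are in place

    def inherent_level(self) -> int:
        return risk_level(self.likelihood, self.consequence)

    def residual_level(self) -> int:
        # In this model controls reduce likelihood; the consequence stays as assessed.
        return risk_level(self.revised_likelihood or self.likelihood, self.consequence)


def decision(risk: Risk) -> str:
    """Management's acceptance decision on the residual risk."""
    rank = risk_rank(risk.residual_level())
    if RANKS.index(rank) <= RANKS.index(RISK_APPETITE):
        return "Management has accepted the residual risk based on the risk appetite of the company"
    return "Residual risk exceeds the risk appetite; further treatment required"


def build_register() -> List[Risk]:
    """The three rows visible in the risk assessment worksheet above.
    Threat source, vulnerability, scenario and consequence value come from the
    worksheet; likelihoods and controls are assumed for this illustration."""
    return [
        Risk("Disgruntled employees", "Lack of physical security controls",
             "Employees could physically steal or damage the records",
             likelihood="Medium", consequence="Medium",
             controls=["Lockable storage and access control for the record room"],
             revised_likelihood="Low"),
        Risk("Internal staff / espionage / third party staff",
             "Regulatory requirements applicable to the organization not identified and complied with",
             "The statutory returns may not be filed with the regulators on time",
             likelihood="High", consequence="High",
             controls=["Legal register and compliance calendar with an owner per filing"],
             revised_likelihood="Low"),
        Risk("Employees", "Inadequate cleaning; food and liquid spillage on equipment and records",
             "Dust particles, eating & drinking within the record rooms could damage the paper records",
             likelihood="High", consequence="Medium",
             controls=["No eating or drinking in record rooms; scheduled cleaning"],
             revised_likelihood="Negligible"),
    ]


def summarise(register: List[Risk]) -> List[dict]:
    """One row per risk: inherent and residual (level, rank) plus the decision."""
    rows = []
    for r in register:
        inherent, residual = r.inherent_level(), r.residual_level()
        rows.append({
            "scenario": r.incident_scenario,
            "inherent": (inherent, risk_rank(inherent)),
            "residual": (residual, risk_rank(residual)),
            "decision": decision(r),
        })
    return rows


if __name__ == "__main__":
    for row in summarise(build_register()):
        print(f"{row['scenario'][:55]:<55} {row['inherent']!s:<14} -> {row['residual']!s:<14} {row['decision']}")
```

Under these assumptions the statutory-returns row starts at High (4 x 4 = 16), drops to Medium (2 x 4 = 8) after treatment and is accepted because Medium is within the appetite, which is the pattern the "Medium / Management has accepted the residual risk" entries in the worksheet show; a row whose residual rank stayed High would instead need further treatment.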
Sample List of Threats and Threat Source
Threat Description
Application failure
Breach of licenses
Compromise of device security
Compromise of firewall security
Data corruption
Unauthorized modifications
Unauthorized physical access
Unavailability / poor quality of services
Unavailability of cables
Unavailability of data / data corruption
Unavailability of equipment
Unavailability of information
Uncontrolled copying
User error
Wardriving
Threat Source
Employees / Insiders
Employees / Insiders
Hacker / cracker / cyber criminal / insider
Outsider / insider with malicious intentions
Electromagnetic interferences
Industrial spying / espionage / third party staff
Outsider / insider with malicious intentions
Accidental / deliberate service disruptions
Hacker / cracker / cyber criminal
Accidents
Influenza / flu / seasonal pandemics
Health issues / shortage / attrition
Industrial spying / espionage / third party staff
Accidents
Infection
Hacker / cracker / cyber criminal / insider
Accidental
Natural / man-made disasters
Industrial spying / espionage / third party staff
Employees / Insiders
Employees / Insiders
Disastrous events / hacker / insider
Employees / Insiders
Industrial spying / espionage
Civil unrest / riots
Disastrous events / hacker / insider
Hacker / cracker / cyber criminal
Disastrous events
Hacker / cracker / cyber criminal / insider
Disastrous events
Industrial spying / espionage / third party staff
Hacker / cracker / cyber criminal / insider
Employees / contract personnel
Technology events
Technology events
Industrial spying / espionage
Industrial spying / espionage
Technology faults / events
Technology faults / events
Technology incidents
Employees
Outsider / insider with malicious intentions
Employees
Employees / Insiders
Hacker / cracker / cyber criminal / insider
Hacker/ cracker/ cyber criminal / insider
Employees
Hacker / cracker / cyber criminal / insider
Accidental / deliberate attempts to change
Hacker / cracker / cyber criminal
Employees / Insiders
Hacker / cracker / cyber criminal / insider
Hacker / cracker / insider
Accidental / deliberate attempt
Employees
Industrial spying / espionage / third party staff
Accidental / deliberate service disruptions
Rodents
Electromagnetic interferences
Natural / manmade disasters
Hacker / cracker / cyber criminal
Employees / Insiders
Employees / Insiders
Hacker / cracker / cyber criminal / insider
List of Threats and Threat Source considered for the exercise

Threat Description | Threat Source
Breach of licenses | Employees / Insiders
Compromise of device security | Hacker / cracker / cyber criminal / insider
Data theft / misuse | Industrial spying / espionage / third party staff; Outsider / insider with malicious intentions
Disputes with service providers | Accidental / deliberate service disruptions
Dust particles | Accidents
Fire | Accidents
Hacking | Hacker / cracker / cyber criminal / insider
Information leakage | Industrial spying / espionage / third party staff
Legal liability | Industrial spying / espionage
Non compliance of law | Industrial spying / espionage / third party staff
Technical faults | Technology incidents
Theft / loss | Employees; Employees / Insiders
Unauthorized access / modification | Hacker / cracker / cyber criminal / insider
Unauthorized physical access | Industrial spying / espionage / third party staff
Sample List of Vulnerabilities (Threat Specific)
Threat Description
Application failure
Breach of licenses
Data corruption
Dumpster diving
Dust particles
Epidemics
Fire
Food poisoning
Hacking
Legal liability
Loss of information
Social engineering
Spying
Technical faults
Theft / loss
Unauthorized access
Unauthorized access / modification
Unauthorized access (read / modify)
Unauthorized changes
Unauthorized copying
Unauthorized disclosure / information leakage
Unauthorized modifications
Unavailability of cables
Unavailability of equipment
Unavailability of information
Uncontrolled copying
User error
Wardriving
Vulnerability Description
Absence of BCP & DR plans
Lack of system planning and acceptance
Technical review not carried out after making changes at OS level
Lack of control over software installation
Vulnerable services on the operating systems not disabled
Vulnerable services on the servers not disabled
Firewall runs a vulnerable OS version
Firewall rule base misconfiguration (i.e. anti-spoofing filters, stealth rule, ICMP echo requests, IP masquerading etc.)
No measures against attacks such as port scanning, buffer overflow, DoS, DDoS etc.
SNMP traps not enabled
Unnecessary / default ports open on firewall interface
Data is corrupted due to software / hardware malfunction
Data cables and power cables are in same cable panel.
Disposal of media policy & procedure not in place
Improper labelling
Lack of physical security controls
No / inadequate AMCs (annual maintenance contracts)
Preventive maintenance is not carried out
Lack of fire drills /emergency plan
No smoke detection /fire suppression equipment
Open electrical fittings
Smoking within the premises
Storage of combustible material
Poor quality food served by the caterer
Contact with special security groups not maintained to remain updated about new technology / vulnerabilities / threats
Vulnerability Assessment and Penetration Testing is not carried out periodically
Improper rotation of shifts / extended working hours
Inadequate HVAC arrangements
No / inadequate lighting
Unavailability of BCP & DR plans
"return of assets" procedure is not followed
Agreements do not address the information exchange mechanism / terms of non-disclosure of information
Confidentiality clause not addressed in agreements
Data not encrypted between client and server
Lack of internal security controls, allowing Trojans, backdoors etc.
No separation between development, test and production environment
Password of default account is not changed (default account provided by application vendor)
Terminated application admin's ID has not been disabled
User rights are not reviewed periodically to detect unauthorized modifications
Absence of disciplinary process
Disgruntled employee / integrity issue
Lack of awareness of organizational responsibilities including security responsibility
Inadequate maintenance
Lack of equipment replacement scheme on periodic basis
Susceptibility to humidity, dust, soiling
Temperature variations in the data centre
Unauthorized device movement
Equipment is not stored in locked racks
Lack of physical access controls
No monitoring of data centre
Public areas are not separated from critical areas such as data centre
Uncontrolled asset movements within / outside organization
Absence of clear desk clear screen policy
Data is stored on mobile devices without any security control
Default accounts not disabled
Default SNMP community strings in use
Firewall remote access (external) for management is available over a weak communication channel
Firewall web GUI management console accessible from entire network remotely (internally / externally)
Improper password management
Logon banner displaying router or organizational information not disabled
No / improper classification in terms of criticality
No logging for configuration-changes and authentication-failures
No monitoring policy
No policy defined for issuance of data card
No policy for acceptable usage of internet
Organization’s IT assets are placed in a manner which allows unauthorized people to overlook restricted information displayed on the screen
Passwords not encrypted
Segregation of duties is not followed
Session time out not configured
Telnet access enabled for remote management
Traffic (internal / external) not allowed based on service access policy
Unauthorized telnet access available
Unavailability of role-based user management procedure (e.g. user accounts exist with higher privileges than required to perform a responsibility)
Unnecessary rules are present in the firewall
Administrator logs are not reviewed
Log monitoring systems are not password protected.
Logs are not stored read-only; an administrator can modify the logs
Baseline configuration document is not maintained
Guest account is enabled
Incident management process not in place
Non-essential ports / services are opened
Operating system is not hardened / latest patches are not applied
Terminated user accounts are not disabled.
Third party can connect from remote location
Unrestricted access to third party employee
User registration forms are not signed before creating a user on the system
User rights are not reviewed periodically
Vendor default accounts and passwords are not disabled
Absence of asset management
Absence of change management
Absence of change management for firewall related changes
Baseline configuration document is not maintained for each device
User rights are not defined
Absence of asset management procedure
Unauthorized photocopies
Disgruntled /corrupt employees
Lack of security awareness
No “exit procedure” in place to ensure return of assets / removal of access rights
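Many entries in the list above describe device settings that can be checked mechanically rather than by interview. The following is an added example, not part of the lab manual, that audits a constructed IOS-like configuration for eight of the listed weaknesses and shows the same device with them fixed. The configuration syntax, both sample configurations, the check function names and the exact patterns each check looks for are assumptions made for this illustration, not a complete hardening baseline.

```python
"""Audit a device configuration against several of the vulnerability
descriptions in the list above.

Added example, not part of the lab manual. The syntax is Cisco IOS-like, both
sample configurations are constructed, and each check is an assumption about
how the listed weakness shows up in such a configuration.
"""
import re
from typing import Callable, List, Tuple


def _has(cfg: str, pattern: str) -> bool:
    """True if any line of the configuration matches the pattern."""
    return re.search(pattern, cfg, re.MULTILINE | re.IGNORECASE) is not None


def telnet_enabled(cfg: str) -> bool:
    # 'transport input telnet ...' or 'transport input all' on the vty lines
    return _has(cfg, r"^[ \t]+transport input (all|.*\btelnet\b)")


def default_snmp_community(cfg: str) -> bool:
    return _has(cfg, r"^snmp-server community (public|private)\b")


def guest_account_enabled(cfg: str) -> bool:
    return _has(cfg, r"^username guest\b")


def no_session_timeout(cfg: str) -> bool:
    # 'exec-timeout 0 0' disables the idle timeout entirely
    return _has(cfg, r"^[ \t]+exec-timeout 0 0\b")


def passwords_not_encrypted(cfg: str) -> bool:
    return not _has(cfg, r"^service password-encryption\b")


def no_change_or_auth_logging(cfg: str) -> bool:
    # expects a remote syslog host, failed-login logging and config-change archive logging
    return not (_has(cfg, r"^logging host \S+")
                and _has(cfg, r"^login on-failure log\b")
                and _has(cfg, r"^[ \t]+logging enable\b"))


def web_gui_open_to_all(cfg: str) -> bool:
    # HTTP(S) management enabled without an access-class restricting sources
    return _has(cfg, r"^ip http (secure-)?server\b") and not _has(cfg, r"^ip http access-class\b")


def banner_leaks_identity(cfg: str) -> bool:
    # logon banner naming the device, its role or the organization
    m = re.search(r"^hostname (\S+)", cfg, re.MULTILINE)
    hostname = m.group(1).lower() if m else None
    for b in re.finditer(r"^banner (?:motd|login) \^C(.*?)\^C", cfg, re.MULTILINE | re.DOTALL):
        text = b.group(1).lower()
        if re.search(r"\b(router|firewall|cisco|ltd|inc)\b", text) or (hostname and hostname in text):
            return True
    return False


# (vulnerability description from the list above, check function)
CHECKS: List[Tuple[str, Callable[[str], bool]]] = [
    ("Telnet access enabled for remote management", telnet_enabled),
    ("Default SNMP community strings in use", default_snmp_community),
    ("Guest account is enabled", guest_account_enabled),
    ("Session time out not configured", no_session_timeout),
    ("Passwords not encrypted", passwords_not_encrypted),
    ("No logging for configuration-changes and authentication-failures", no_change_or_auth_logging),
    ("Firewall web GUI management console accessible from entire network remotely", web_gui_open_to_all),
    ("Logon banner displaying router or organizational information not disabled", banner_leaks_identity),
]


def audit(cfg: str) -> List[str]:
    """Return the vulnerability descriptions whose check fires on this config."""
    return [description for description, check in CHECKS if check(cfg)]


# Constructed sample: a weakly configured perimeter device.
WEAK_CONFIG = """\
hostname FW-EDGE-01
username admin privilege 15 password 0 Admin123
username guest privilege 1 password 0 guest
snmp-server community public RO
snmp-server community private RW
ip http server
banner motd ^C
 Welcome to FW-EDGE-01, Acme Ltd perimeter firewall
^C
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
"""

# Constructed sample: the same device with the listed weaknesses addressed.
HARDENED_CONFIG = """\
hostname FW-EDGE-01
service password-encryption
username admin privilege 15 secret 5 $1$abcd$placeholderhash
snmp-server community Zq7kLp2mX RO 10
ip http secure-server
ip http access-class 10
logging host 10.0.5.20
login on-failure log
archive
 log config
  logging enable
banner login ^C
 Authorized access only. Activity is monitored and logged.
^C
line vty 0 4
 transport input ssh
 exec-timeout 10 0
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Each check is a plain function over the configuration text, so the list can be extended one finding at a time as the assessment matures; the output names the vulnerability exactly as it appears in the list above, which makes it easy to carry straight into the risk assessment worksheet.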