
SATYAM-VENTURE ENGINEERING SERVICES PVT LTD

Risk Assessment Form

Form No. : IFRM01W01 /7.0


Date of preparation: 25-02-2021 W.E.F : March 01, 2016

Department: Network & Systems

Columns of the register (each asset entry below lists its values in this order):
  S.No | Asset Name | Quantity | Category of Asset | Asset Owner | Custodian | Acceptable use of the Asset
  CIA (C, I, A) | Asset Value = Max of CIA | Opportunity | Threat | Level of Threats | Vulnerabilities | Risk Owners | Procedures
  Existing Controls | ISO 27001:2013 control References | Controls effective Date | Likelihood of occurrence (Level of vulnerability)
  Present Risk Value = (Asset Value = Max. of CIA) x Level of Threat x Level of Vulnerability | Risk treatment method (Risk Value > 18)
  Recommended Treatment Plan (for additional Controls, ISO 27001:2013 Ref) | Risk owners' approval for Risk Treatment Plan
  After applying controls: Residual Risk Value | Likelihood of occurrence (Level of vulnerability) | Level of Threats | Risk owners' approval for Residual Risk
  Management Decision | Input for BCP
Asset Type:

1. Domain Servers which are controlled by TechMahindra
   Quantity: 3 | Category: Restricted | Asset Owner: N&S on behalf of Senior Management | Custodian: N&S
   Acceptable use: Used for SVES domain services controlled by TechM team.
   CIA: C=4, I=3, A=3 | Asset Value: 4
   Opportunity: Ensure that the Domain Servers are up and running. Also ensure that no threats and vulnerabilities exist.
   Threats (level 2): 1. Hardware Failure/system Damage 2. Virus attack/Malfunctioning/Server not accessible.
   Vulnerabilities: 1. Power Fluctuations, Server crash 2. Non-availability of Anti Virus Software, Older version of Anti Virus software. 3. Microsoft patches not updated
   Risk Owner: HOD-N&S
   Procedures: 1. Physical and Environmental Security 2. Procedure for Information system Acquisition, development and maintenance
   Existing Controls: 1. No disruptions or fluctuations in the power supply 2. Through TechM Patch updates server (SCCM), patches are updated in the servers controlled centrally by TechM 3. Regular update of AV McAfee patches automatically through the TechMahindra ePO server
   ISO 27001:2013 ref: A.11.1.4, A.12.2.1, A.14.2.9, A.11.2.9 | Controls effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 16
   Treatment: Retain | Recommended plan / approvals / residual risk: NA | Management Decision: Accept | Input for BCP: No
2. Servers other than domain servers
   Quantity: 18 | Category: Restricted | Asset Owner: N&S on behalf of Senior Management | Custodian: N&S
   Acceptable use: Used for SVES applications like DLP, Druva Backup, Windchill application, Backup servers, Project specific servers, ERP servers
   CIA: C=4, I=3, A=3 | Asset Value: 4
   Opportunity: Ensure that the Domain Servers are up and running. Also ensure that no threats and vulnerabilities exist.
   Risk Owner: HOD-N&S | Procedure: Procedure for Information system Acquisition, development and maintenance
   a) Threat: Hardware Failure (System damage) (level 2) | Vulnerability: Power Fluctuations | Existing Control: No disruptions or fluctuations in the power supply | Ref: A.11.1.4 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 16 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
   b) Threat: Virus attack/Malfunctioning/Server not accessible (level 2) | Vulnerability: Non-availability of Anti Virus Software, Older version of Anti Virus software | Existing Control: 1. Regular update of AV McAfee patches automatically through the TechMahindra ePO server | Ref: A.12.2.1 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 16 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
   c) Threat: Virus attack/Malfunctioning/Server not accessible (level 2) | Vulnerability: Microsoft patches not updated | Existing Control: Through TechM Patch updates server (SCCM), patches are updated in the servers controlled centrally by TechM | Ref: A.14.2.9, A.11.2.9 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 16 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
3. 64 CPU LINUX SERVERs
   Quantity: 2 | Category: Restricted | Asset Owner: N&S on behalf of Senior Management | Custodian: N&S
   Acceptable use: Used for SVES CAE Business need
   CIA: C=4, I=3, A=3 | Asset Value: 4
   Opportunity: Ensure that Linux Servers are up and running.
   Risk Owner: HOD-N&S | Procedure: Procedure for Information system Acquisition, development and maintenance
   a) Threat: Hardware Failure (System damage) (level 2) | Vulnerability: Power Fluctuations | Existing Controls: 1. No disruptions or fluctuations in the power supply 2. AMC to Vendor. | Ref: A.11.1.4 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 16 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
   b) Threat: Malfunctioning/Server not accessible (level 2) | Vulnerability: Poor cable connectivity | Existing Control: Structured Cabling with multiple ports | Ref: A.11.2.4 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 16 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No

4. LINUX workstations
   Quantity: 34 | Category: Restricted | Asset Owner: N&S on behalf of Senior Management | Custodian: N&S
   Acceptable use: Used for SVES CAE Licenses and applications.
   CIA: C=3, I=3, A=3 | Asset Value: 3
   Opportunity: Ensure that Linux Servers are up and running.
   Risk Owner: HOD-N&S | Procedure: Procedure for Information system Acquisition, development and maintenance
   a) Threat: Hardware Failure (System damage) (level 2) | Vulnerability: Power Fluctuations | Existing Controls: 1. No disruptions or fluctuations in the power supply 2. AMC to Vendor. 3. Shifting the services to standby server | Ref: A.11.2.4 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 12 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
   b) Threat: Malfunctioning/Server not accessible (level 2) | Vulnerability: Poor cable connectivity | Existing Control: Structured Cabling with multiple ports | Ref: A.11.2.3 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 12 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No

5. All /Work stations
   Quantity: 350 | Category: Restricted | Asset Owner: N&S on behalf of Senior Management | Custodian: Operations / CS Team
   Acceptable use: Used for SVES users for various applications.
   CIA: C=3, I=3, A=3 | Asset Value: 3
   Opportunity: Ensure that the workstations are up and running. Also ensure that no threats and vulnerabilities exist. Follow the process on vendor visits.
   Risk Owner: HOD-N&S | Procedure: Procedure for Information system Acquisition, development and maintenance
   a) Threat: Hardware Failure (System damage) (level 2) | Vulnerability: Power Fluctuations | Existing Controls: 1. No disruptions or fluctuations in the power supply 2. AMC to Vendor. 3. Shifting the services to standby server | Ref: A.11.2.4, A.12.3.1 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 12 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
   b) Threat: Virus attack/Malfunctioning/Server not accessible (level 2) | Vulnerability: Non-availability of Anti Virus Software | Existing Control: 1. Regular update of AV McAfee patches automatically through the TechMahindra ePO server | Ref: A.12.2.1 | Effective: 11.05.15 | Likelihood: 1 | Present Risk Value: 6 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
   c) Threat: Virus attack/Malfunctioning/Server not accessible (level 2) | Vulnerability: Microsoft patches not updated | Existing Control: Through TechM Patch updates server (SCCM), patches are updated in the servers controlled centrally by TechM | Ref: A.14.2.9 | Effective: 11.05.15 | Likelihood: 1 | Present Risk Value: 6 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
   d) Threat: Data loss while servicing (level 2) | Vulnerability: Access by external parties (Suppliers) | Existing Control: Escorting the vendor | Ref: A.15.1.2 | Effective: 11.05.15 | Likelihood: 1 | Present Risk Value: 6 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
6. Router
   Quantity: 1 | Category: Restricted | Asset Owner: N&S on behalf of Senior Management | Custodian: N&S
   Acceptable use: Used for SVES users for various applications.
   CIA: C=3, I=3, A=4 | Asset Value: 4
   Opportunity: Ensure that the Router is up and running. To protect corporate network.
   Threat (level 4): Unable to access the servers, e-mail, internet
   Risk Owner: HOD-N&S | Procedure: Procedure for Information system Acquisition, development and maintenance
   a) Vulnerability: 1. Power Fluctuations, Server crash | Existing Controls: 1. No disruptions or fluctuations in the power supply 2. AMC to Vendor. 3. Shifting the services to standby server | Ref: A.11.2.4 | Effective: 11.05.15 | Likelihood: 1 | Present Risk Value: 16 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
   b) Vulnerability: 1. Targeted by unknown hacker 2. Spamming | Existing Control: Annual VAPT is conducted by TechM (No vulnerabilities) | Ref: A.11.2.4 | Effective: 11.05.15 | Likelihood: 1 | Present Risk Value: 16 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
7. Firewall
   Quantity: 7 | Category: Restricted | Asset Owner: N&S on behalf of Senior Management | Custodian: N&S
   Acceptable use: Used for connecting to VPN, various applications/Customers
   CIA: C=3, I=3, A=4 | Asset Value: 4
   Opportunity: Ensure that the Firewall is up and running. To protect corporate network.
   Risk Owner: HOD-N&S | Procedure: Procedure for Information system Acquisition, development and maintenance
   a) Threat: Unable to access the customer through VPN (level 4) | Vulnerabilities: 1. Power Fluctuations 2. Hardware Failure | Existing Controls: 1. No disruptions or fluctuations in the power supply 2. AMC to Vendor. 3. Shifting the services to standby firewall | Ref: A.11.2.4 | Effective: 11.05.15 | Likelihood: 1 | Present Risk Value: 16 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
   b) Threat: Hacking (level 4) | Vulnerabilities: 1. Targeted by unknown hacker 2. Spamming | Existing Controls: 1. Inbound access is restricted in firewall. 2. VAPT test is conducted (no vulnerabilities). | Ref: A.11.2.4 | Effective: 11.05.15 | Likelihood: 1 | Present Risk Value: 16 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
8. Switches
   Quantity: 30 | Category: Restricted | Asset Owner: N&S on behalf of Senior Management | Custodian: N&S
   Acceptable use: Used for connecting the workstations/laptops to server.
   CIA: C=2, I=3, A=2 | Asset Value: 3
   Opportunity: Ensure that the network is up and running
   Threat: Mal-functioning (level 2) | Vulnerability: Hardware Failure | Risk Owner: HOD-N&S | Procedure: Procedure for Information system Acquisition, development and maintenance | Existing Control: Warranty with supplier / Spare Switches maintained | Ref: A.11.2.4 | Effective: 11.05.15 | Likelihood: 1 | Present Risk Value: 6 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
9. Hubs
   Quantity: 15 | Category: Restricted | Asset Owner: N&S on behalf of Senior Management | Custodian: N&S
   Acceptable use: Used for SVES CAE Licenses and applications.
   CIA: C=2, I=3, A=2 | Asset Value: 3
   Opportunity: Ensure that the network is up and running
   Threat: Mal-functioning (level 2) | Vulnerability: Hardware Failure | Risk Owner: HOD-N&S | Procedure: Procedure for Information system Acquisition, development and maintenance | Existing Control: Warranty with supplier / Spare Switches maintained | Ref: A.11.2.4 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 12 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No

10. Printer / Plotter
   Quantity: 23 | Category: Restricted | Asset Owner: N&S on behalf of Senior Management | Custodian: Operations / CS Team
   Acceptable use: Printing of Project Related / Organisational Required Data
   CIA: C=2, I=2, A=2 | Asset Value: 2
   Opportunity: Ensure that the Printer and plotter are available 100%
   Threat: Printer/Plotter failure (level 2) | Vulnerability: Hardware Failure | Risk Owner: HOD-N&S | Procedure: Procedure for Information system Acquisition, development and maintenance | Existing Control: Warranty with supplier / Regular maintenance | Ref: A.11.2.4 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 8 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No

11. Scanner
   Quantity: 5 | Category: Restricted | Asset Owner: N&S on behalf of Senior Management | Custodian: Operations / CS Team
   Acceptable use: Scanning the documents required for organization (functions like HR/Commercial/Finance/Corporate)
   CIA: C=2, I=2, A=2 | Asset Value: 2
   Opportunity: Ensure that the Scanner is available 100%
   Threat: Scanner failure (level 2) | Vulnerability: Hardware Failure | Risk Owner: HOD-N&S | Procedure: Procedure for Information system Acquisition, development and maintenance | Existing Control: Warranty with supplier / Regular maintenance | Ref: A.11.2.4 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 8 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No

12. License Servers
   Quantity: 32 | Category: Restricted | Asset Owner: Project team | Custodian: N&S
   Acceptable use: Access to License as per project requirement
   CIA: C=2, I=3, A=4 | Asset Value: 4
   Opportunity: Ensure that the license Servers are up and running. Also ensure that no threats and vulnerabilities exist.
   Risk Owner: HOD-N&S
   a) Threat: Hardware Failure (level 2) | Vulnerability: Power Fluctuations, Server crash | Procedure: Information systems Acquisition, Development & Maintenance - N&S | Existing Controls: 1. No disruptions or fluctuations in the power supply 2. AMC to Vendor. 3. Shifting the services to standby server | Ref: A.13.1.1, A.11.2.3, A.9.1.2 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 16 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
   b) Threat: 1. Virus attack/Malfunctioning/Server not accessible (level 2) | Vulnerability: Non-availability of Anti Virus Software | Procedure: Physical and Environmental Security | Existing Control: 1. Regular update of AV McAfee patches automatically through the TechMahindra ePO server | Ref: A.11.2.2 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 16 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
   c) Threat: 1. Virus attack/Malfunctioning/Server not accessible (level 2) | Vulnerability: Microsoft patches not updated | Procedure: Physical and Environmental Security | Existing Control: Through TechM Patch updates server (SCCM), patches are updated in the servers controlled centrally by TechM | Ref: A.11.2.4 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 16 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
13. Laptops
   Quantity: 145 | Category: Restricted | Asset Owner: N&S on behalf of Senior Management | Custodian: N&S
   Acceptable use: Used for SVES users for various applications.
   CIA: C=3, I=2, A=2 | Asset Value: 3
   Opportunity: Ensure that there is no data loss and theft, and also no unauthorised access
   Threats (level 2): 1. Mal-functioning 2. Data Loss. 3. Unauthorised data access, unauthorised changes
   Vulnerabilities: 1. Hardware Failure 2. Laptop is lost
   Risk Owner: HOD-N&S | Procedure: Procedure for Information system Acquisition, development and maintenance
   Existing Controls: 1. Warranty with supplier / Regular maintenance 2. Data is backed up using Druva. 3. Access to CD/DVD is restricted through group policies and System Hardening 4. Access to USB/Flash drives is restricted through group policies and System Hardening 5. Data Encryption software installed
   Ref: A.11.2.4 | Effective: 11.05.15 | Likelihood: 1 | Present Risk Value: 6 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No

14. Desktops
   Quantity: 95 | Category: Restricted | Asset Owner: N&S on behalf of Senior Management | Custodian: N&S
   Acceptable use: Used for SVES users for various applications.
   CIA: C=2, I=2, A=2 | Asset Value: 2
   Opportunity: Ensure that there is no data loss and theft, and also no unauthorised access
   Threats (level 2): 1. Mal-functioning 2. Data Loss. 3. Unauthorised data access, unauthorised changes
   Vulnerabilities: 1. Hardware Failure 2. Data Loss due to HDD failure
   Risk Owner: HOD-N&S | Procedure: Procedure for Information system Acquisition, development and maintenance
   Existing Controls: 1. Warranty with supplier / Regular maintenance 2. Data is backed up using Druva. 3. Access to CD/DVD is restricted through group policies and System Hardening 4. Access to USB/Flash drives is restricted through group policies and System Hardening
   Ref: A.11.2.4 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 8 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No

Asset Type: Secondary Assets


15. CAD/CAE License Files
   Quantity: Refer to list of Asset | Category: Restricted | Asset Owner: Project Team Management (Licenses from Project Team) | Custodian: N&S Team / Commercial Team
   Acceptable use: Access to License as per project requirement
   CIA: C=2, I=3, A=3 | Asset Value: 3
   Opportunity: Ensure that the license Servers are up and running. Also ensure that no threats and vulnerabilities exist.
   Risk Owner: HOD-N&S
   a) Threat: Delay in license renewal (level 2) | Vulnerability: Missing the information to Vendor for renewal | Procedure: Routing a Purchase Request | Existing Control: Request sent to the Vendor well in advance once the extension is justified | Ref: A.15.2.1 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 12 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
   b) Threat: System Crash / Virus attacks (level 2) | Vulnerabilities: Non-availability of Anti Virus Software, Older version of Anti Virus software, Power fluctuations, unauthorized software installations | Procedure: Information systems Acquisition, Development & Maintenance - N&S | Existing Controls: UPS, Admin password restriction, Anti virus policy in place, Centralised patch update, Backup in place. | Ref: A.12.2.1 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 12 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
   c) Threat: Unintended modifications (level 2) | Vulnerability: wrong allocation of access rights | Procedure: Access Control | Existing Control: Only the N&S administration team is authorized to access backup media and backup data creation. All other authorized users have read only access. | Ref: A.9.2.2, A.9.2.3, A.9.2.4 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 12 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No

16. License Files - other than CAD/CAE software products like Microsoft and Adobe
   Quantity: Refer to list of Asset | Category: Restricted | Asset Owner: Project Team Management (Licenses from Project Team) | Custodian: N&S Team / Commercial Team
   Acceptable use: Access to License as per project requirement
   CIA: C=2, I=3, A=3 | Asset Value: 3
   Opportunity: Ensure that the license Servers are up and running. Also ensure that no threats and vulnerabilities exist.
   Risk Owner: HOD-N&S
   a) Threat: Delay in license renewal (level 2) | Vulnerability: Missing the information to Vendor for renewal | Procedure: Routing a Purchase Request | Existing Control: Request sent to the Vendor well in advance once the extension is justified | Ref: A.15.2.1 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 12 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
   b) Threat: System Crash / Virus attacks (level 2) | Vulnerabilities: Non-availability of Anti Virus Software, Older version of Anti Virus software, Power fluctuations, unauthorized software installations | Procedure: Information systems Acquisition, Development & Maintenance - N&S | Existing Controls: UPS, Admin password restriction, Anti virus policy in place, Centralised patch update, Backup in place. | Ref: A.12.2.1 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 12 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
   c) Threat: Unintended modifications (level 2) | Vulnerability: wrong allocation of access rights | Procedure: Access Control | Existing Control: Only the N&S administration team is authorized to access backup media and backup data creation. All other authorized users have read only access. | Ref: A.9.2.2, A.9.2.3, A.9.2.4 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 12 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No

17. Server room Cabling for network connectivity
   Quantity: 2 | Category: Restricted | Asset Owner: N&S on behalf of Senior Management | Custodian: N&S
   Acceptable use: Used for SVES users for various connectivities.
   CIA: C=2, I=3, A=3 | Asset Value: 3
   Opportunity: Ensure that the network is up and running
   Risk Owner: HOD-N&S | Procedure: Procedure for Information system Acquisition, development and maintenance
   a) Threat: Unable to connect to TechM servers for authentication, e-mail (level 3) | Vulnerability: Cabling Failure | Existing Control: Regular maintenance by N&S | Ref: A.11.2.4 | Effective: 11.05.15 | Likelihood: 1 | Present Risk Value: 9 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
   b) Threat: Connectivity issues (level 3) | Existing Control: Regular maintenance by N&S | Ref: A.11.2.4 | Effective: 11.05.15 | Likelihood: 1 | Present Risk Value: 9 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
18. N&S Associates PST
   Quantity: 13 | Category: Confidential | Asset Owner: N&S on behalf of Senior Management | Custodian: HOD-N&S
   Acceptable use: To retain the communication of the day to day activities
   CIA: C=2, I=2, A=2 | Asset Value: 2
   Opportunity: Protect data from Threats and virus.
   Risk Owner: HOD-N&S
   a) Threat: Data loss (level 2) | Vulnerability: Sharing of passwords | Procedure: Access Control | Existing Controls: Password policy, Backup of PST data through Druva backup | Ref: A.9.4.3, A.12.3.1 | Effective: 11.05.15 | Likelihood: 1 | Present Risk Value: 4 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
   b) Threat: PST gets corrupted and deleted (level 2) | Vulnerabilities: Non-availability of Anti Virus Software, Older version of Anti Virus software, Power fluctuations, unauthorized software installations | Procedure: Procedure for Information system Acquisition, development and maintenance - N&S | Existing Control: 1. Regular update of AV McAfee patches automatically through the TechMahindra ePO server | Ref: A.12.5.1, A.12.2.1 | Effective: 11.05.15 | Likelihood: 1 | Present Risk Value: 4 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No

19. Access to specific FTP Accounts
   Quantity: 46 | Category: Restricted | Asset Owner: N&S | Custodian: N&S Associates executing ODC/IDC
   Acceptable use: For Data transfer between TechM specific customers
   CIA: C=3, I=3, A=3 | Asset Value: 3
   Threat: FTP site not accessible (level 2) | Vulnerability: FTP site not renewed. | Risk Owner: HOD-N&S | Procedure: Access Control Guidelines for change | Existing Control: Quarterly Renewal of the ftp user and password and reconciliation of the ftp user accounts | Ref: A.9.2.2, A.9.4.3 | Effective: 11.05.15 | Likelihood: 2 | Present Risk Value: 12 | Treatment: Retain | Plan / approvals / residual risk: NA | Decision: Accept | BCP: No
20. Personnel systems used for RDP
   System Used for WFH - RDS:
   a) Satven Laptop, Satven WS, Satven DeskTop, Rented Laptop & Personal Laptop
   b) Rental Laptops/desktop/workstation systems to be given to dedicated teams associates for Work from home option; these are not in the Satven/TechM domain, the Operating system is by the service provider, without available AV, DLP and system hardening.
   c) Enabling of RDP in the systems at office (Satven-Hyd), and including the associates in the RDP group in the system.
   Quantity: 167 (Rental workstations in office used for RDP: 144; Satven systems used for RDP: 23) | Category: Restricted | Asset Owner: HOD-Operations | Custodian: Operations
   Acceptable use: Used for connecting the workstations in office through the RDS solution provided by TechMahindra for the Execution of projects as per the customers' & organisational requirements
   CIA: C=3, I=3, A=3 | Asset Value: 3
   Opportunity: Follow the process and policies to protect company data. Protect from malware/threats.
   Risk Owner: HOD-N&S
   a) Threat: Intentional misuse of customer data (level 4) | Vulnerability: Associates using customer given Mail Box / Customer portal login credential / Using any open portal | Procedure: Guidelines of customer, Work From Home - NDA | Existing Controls: Restricted access to only authorised persons; Associates are working in RDP/VDI Mode | Ref: A.9.2.3 | Effective: 1-Apr-20 | Likelihood: 1 | Present Risk Value: 12 | Treatment: Retain | Recommended plan: Retain | Approvals / residual risk: NA, Approved, NA, NA, NA, Approved | Decision: Accept | BCP: No
   b) Threat: Virus attacks (level 4) | Vulnerabilities: Non-availability of Anti Virus Software, Older version of Anti Virus software | Procedure: Information systems Acquisition, Development & Maintenance - N&S | Existing Control: Anti virus policy in place - RDP Systems | Ref: A.12.2.1 | Effective: 1-Apr-20 | Likelihood: 1 | Present Risk Value: 12 | Treatment: Retain | Recommended plan: Retain | Approvals / residual risk: NA, Approved, NA, NA, NA, Approved | Decision: Accept
   c) Threat: Intentional Hardware damage (level 4) | Vulnerability: Unauthorised persons' entry and fiddling with cables and hardware | Procedure: Access Control, Physical and Environmental Security | Existing Control: Associates were oriented on WFH Dos & DON'Ts | Ref: A.11.2.4 | Effective: 1-Apr-20 | Likelihood: 1 | Present Risk Value: 12 | Treatment: Retain | Recommended plan: Retain | Approvals / residual risk: NA, Approved, NA, NA, NA, Approved | Decision: Accept
   d) Threat: Hardware Failure / Loss Of In-Progress Project Data (level 3) | Vulnerability: Power fluctuations | Procedure: Physical and Environmental Security | Existing Control: UPS Provided for WFH Associates on need basis | Ref: A.11.2.4 | Effective: 1-Apr-20 | Likelihood: 1 | Present Risk Value: 9 | Treatment: Retain | Recommended plan: Retain | Approvals / residual risk: NA, Approved, NA, NA, NA, Approved | Decision: Accept
   e) Threat: Hardware Failure / Loss Of In-Progress Project Data (level 3) | Vulnerability: Improper hardware maintenance | Procedure: Physical and Environmental Security | Existing Control: Satven Owned & Rented Systems are from branded OEMs with warranty and support for 3 years; identified systems are under AMC | Ref: A.11.2.4 | Effective: 1-Apr-20 | Likelihood: 2 | Present Risk Value: 18 | Treatment: Retain | Recommended plan: Retain | Approvals / residual risk: NA, Approved, NA, NA, NA, Approved | Decision: Accept
   f) Threat: Possibility of theft / Hacking - In RDP Mode (level 3) | Vulnerability: Lack of Physical Protection | Procedure: Access Control, Physical and Environmental Security | Existing Control: Associates were oriented on WFH Dos & DON'Ts | Ref: A.11.2.4 | Effective: 1-Apr-20 | Likelihood: 1 | Present Risk Value: 9 | Treatment: Retain | Recommended plan: Retain | Approvals / residual risk: NA, Approved, NA, NA, NA, Approved | Decision: Accept
