
Risk Assessment Methodology

Corporate Office:

Wellness Forever Medicare Pvt. Ltd.


A1, Empire Plaza, LBS Marg, Chandan Nagar, Vikhroli West, Mumbai, Maharashtra 400083

© This document is a sole property of Wellness Forever Medicare Pvt. Ltd. All rights reserved. No part
of this document shall be reproduced or utilized in any form without permission of issuer of the
document. DOWNLOADED AND/OR HARD COPY UNCONTROLLED. Verify that this is the correct version
before use.
Version : 0.1
Risk Assessment Methodology Date : 19-Oct-2020
Page : Page2of14

Document Summary
Document Title: Risk Assessment Methodology
Document Id: WF-CORP-ISM-P0002
Current Version: 0.1
Date of Release:
Classification: Internal
Storage Location:
Department: ISM
Department Code Name: Information Security
Reference ISO 27001:2013 clauses addressed: Clause 6, 8
Author: Siddharth Iyer
Document Owner Name: Siddharth Iyer
Designation: Information Security Head

Document Distribution
Sl. No. | Name | Department | Designation

Revision History
Version No | Date of Revision | Pages Affected | Description of Change

Document Reviewers
Version No | Name | Department | Designation | Date

Document Approvers
Version No | Name | Designation | Signature | Date

Contents

Introduction ... 4
Purpose ... 4
Scope ... 4
Roles and Responsibilities ... 4
Risk Assessment Goals and Objectives ... 5
Risk Assessment Methodology ... 5
    Context establishment ... 6
    Threat and Vulnerability Identification ... 6
Risk Assessment ... 8
    Risk Identification ... 8
    Risk Estimation ... 8
        Control Analysis ... 8
        Likelihood Determination ... 8
        Impact Analysis ... 9
    Risk Evaluation ... 9
    Risk Treatment ... 11
    Risk Acceptance ... 12
    Risk Monitoring & Review ... 12
        Key for Risk Management Program Success ... 12
    Risk Communication ... 13
Abbreviations ... 13
Reference Documents and Records ... 14

Introduction

In order to deliver high quality services, it is imperative to assess the information security posture across WF
assets. To understand that posture, the Information Security Team shall facilitate WF's
business units in conducting risk assessments across their assets. The Information Security Team shall also work
with the respective business units to identify, assess, and manage risks. This Information Security Risk
Management document is based on and developed from the ISO 27001 information security management
processes, the ISO 20000 IT service management processes, and the security and risk management
documentation published by the National Institute of Standards and Technology (NIST).

Purpose

The purpose of this procedure is to describe WF's methodology for managing risk across its
assets.

Scope

This Information Security Risk Management Methodology covers WF's IT assets. This methodology shall
also guide ISMG and IT teams to manage risks across IT assets, throughout their lifecycle. This
document provides information about policies and procedures relevant to Risk Management related
activities as implemented in WF.

Roles and Responsibilities

Information Security Team:

• Performs technical and operational risk assessment of IT assets
• Identifies threats and vulnerabilities
• Performs risk identification activities
• Makes decisions on risk mitigation for Low rated risks
• Makes recommendations on Medium and High rated risks and participates in the final decision on
managing those risks
• Develops plans for risk response or for implementing controls
• Reviews performance to identify risks and the mitigation strategy
• Ensures RA policies are implemented and followed
• Performs risk-related end user training, if needed
• Responsible for creating and maintaining documentation related to the IT Risk Management
Methodology
• Ensures RA processes are followed
• Defines performance metrics for process efficiency and effectiveness
• Participates in process performance reviews and other Continual Improvement Process (CIP)
activities

ISMG:

• Approves or rejects recommended risk mitigation options
• Responsible for dispensation/absorption of classified risks affecting the business mission
• Approves plans for implementing controls to mitigate risks
• Provides information on the business criticality of IT assets
• Reviews the cost-benefit analysis for selecting controls for risk mitigation

IT Team:

• Facilitates business units in identifying risks
• Implements identified controls to mitigate risks

Risk Assessment Goals and Objectives

The goals and objectives for WF Information Security risk management process are:

• Help the WF ISMG to better manage risks
• Provide the practical guidance necessary for identifying, assessing, and mitigating risks related to IT
assets
• Enable the ISMG and WF management to make informed decisions in managing risks and to justify
related investment

Risk Assessment Methodology

WF’s Risk assessment (RA) methodology includes the process of identifying risks, assessing risks,
mitigating risks and evaluating the residual risks after mitigation. Risks are continuously monitored and
communicated to relevant stakeholders. RA is an iterative process that can be performed in each stage
of the lifecycle, namely – Strategy, Design, Transition, Operations, and Continual Improvement.

The figure below describes the Risk Management Methodology as it is implemented and followed by
ISMG along with activities performed in each step.

Context establishment

During this step, all the boundaries of the services, systems, and resources are identified. This also
includes some identification of the following information:

• End users of the resources
• Internal and external dependencies and interfaces
• Resource details
• Business functions supported, including critical functions
• Business criticality and sensitivity
• Dependencies between components and services that are needed to provision, deliver and support the
requested services
• Management controls and underlying infrastructure (for example, rules of behavior)
• Technical controls and underlying infrastructure; and
• Operational controls

These RA methodology outputs can be valuable input for the designing stage of products or services, so
the relevant enhancements can be made to mitigate risks.

Threat and Vulnerability Identification

A threat is defined as an event that can potentially cause harm by exploiting known or unknown
weaknesses.

A vulnerability is defined as a weakness that could allow an asset to be exploited and harmed by one or more
threats.

WF shall identify the potential and/or perceived threats along with known and/or unknown
vulnerabilities across the IT assets. The result of this identification will be an input to determine
appropriate risk level for a given IT asset.

Risk Assessment

Risk Identification

Risk identification is the process of qualifying the impact that results when a potential and/or perceived threat
exploits known and/or unknown vulnerabilities, resulting in a security breach. The following are some of the
tasks the Information Security team may perform to identify/qualify the risk:

• Identify threats and vulnerabilities across IT assets
• Conduct a risk assessment across IT assets based on the identified threats and vulnerabilities
• Facilitate the IT asset's owner, along with relevant stakeholders, in qualifying the risk

Risk Estimation

Risk estimation is the process of analyzing a qualified risk for its likelihood of occurrence and its impact on
WF. WF shall analyze the controls implemented around an identified risk, and assess the possibility of
occurrence and its impact across the IT assets concerned.

Control Analysis

WF shall analyze the controls implemented (management, technical, operational, security,
environmental etc.) to minimize or eliminate the likelihood of a threat exploiting a particular
vulnerability. The implemented controls can be technical or non-technical, and can be either
preventive or detective in nature.

Likelihood Determination

WF shall assign a probability value for a possible/potential security breach. WF shall consider High,
Medium and/or Low as likelihood levels. In order to arrive at a probability value, WF shall consider
likelihood levels along with following:

• Threat source capability and motivation
• Nature of the vulnerability
• Current controls in place

The table below explains the likelihood levels:

Likelihood | Definition
High | No existing controls, or the existing controls are ineffective. The threat source is highly capable.
Medium | The threat source is capable, but controls may be in place to counter the threat or impede successful exploitation of the vulnerability.
Low | The existing control is effective; the threat source lacks motivation or capability.



Impact Analysis

WF shall analyze the product or service characterization related information, such as business services
supported, end users, underlying systems and services, data criticality and sensitivity, as well as the
business critical nature for a given IT asset.

The impact on the business if a service or service component fails is valuable input for this impact
analysis. Impact can be tangible, such as loss of revenue or the labor cost spent recovering the service, or
intangible, such as reputational damage or loss of stakeholder confidence.

WF shall consider qualitative value of High, Medium and/or Low to determine impact on an IT asset.

Table below explains the impact levels:

Impact Level | Definition
High | Exercise of the vulnerability:
  • May result in significant loss of critical assets and/or resources
  • May significantly violate, harm, or impede WF's mission, reputation, and/or interest
  • May result in serious injury and/or human death
Medium | Exercise of the vulnerability:
  • May result in loss of critical assets and/or resources
  • May violate, harm, or impede WF's mission, reputation, and/or interest
  • May result in human injury
Low | Exercise of the vulnerability:
  • May result in limited loss of assets and/or resources
  • May noticeably affect WF's mission, reputation, and/or interest

Advantage of the qualitative impact analysis is to prioritize the risks and identify areas for immediate
improvement in addressing the vulnerabilities.

Qualitative analysis does not provide specific quantifiable measurements of magnitude of the impact.
Hence, it poses a challenge to develop cost-benefit analysis of recommended controls.

Risk Evaluation

WF shall rate the risks based on:

• The likelihood of a threat exploiting the vulnerability
• The magnitude of impact, should the threat successfully exploit the vulnerability
• The adequacy of planned and/or existing controls to reduce and/or eliminate the risk

The risk rating is determined to enable the Information Security team to prioritize the actions required to
reduce and/or mitigate the risk.

Risk Determination (rows: Likelihood; columns: Impact)

Likelihood \ Impact | High | Medium | Low
High | High | High | Medium
Medium | High | Medium | Low
Low | Medium | Low | Low

Risk scale, with its ratings of High, Medium, and Low, represents the degree or level of risk to which a
resource, system, facility, product, and/or procedure might be exposed, if a given vulnerability were
exploited.

Based on risk rating, WF must consider necessary actions as defined in below table:

Risk Rating | Definition – Necessary Actions
High | There is a strong need for corrective measures to reduce and/or mitigate the risk. An existing IT asset may continue to operate, but a corrective action plan must be put in place on priority.
Medium | Corrective actions are needed, and a plan must be developed to incorporate these actions within a reasonable period of time.
Low | The Information security management committee must determine whether corrective actions are still required, or decide to apply dispensation or absorb the risk.

Risk Treatment

Because the elimination of all risk is usually impractical or close to impossible, it is the responsibility of
senior management and functional and business managers to use the least-cost approach and
implement the most appropriate controls to reduce the risk to an acceptable level, with minimal
adverse impact on the organization’s resources.

Risk Treatment plan includes approaches, techniques, and methods used to avoid, reduce and control
the likelihood of the occurrence of risk, the extent of damage incurred should the risk occur, or both.
Risks are monitored and when they exceed the established thresholds, the risk treatment plans are
deployed to return the impacted effort to an acceptable risk level.

If the risk cannot be mitigated, a contingency plan is invoked. Both risk mitigation and contingency plans
are often generated only for selected risks, where the consequences of the risks are determined to be
high or unacceptable.

Risk mitigation can be achieved through many methods, including but not limited to the following:

• Risk Assumption: To accept the potential risk and continue operating the IT system, and/or to
implement controls to lower the risk to an acceptable level
• Risk Avoidance: Changing or lowering requirements, while still meeting the organization's
needs
• Risk Control: Taking active steps to minimize risks. Implement technical, managerial,
operational, security and/or other controls to mitigate risks
• Risk Transfer: Reallocating requirements to lower the risks. To transfer the risk by using other
options to compensate for the loss, such as purchasing insurance
• Risk Monitoring: Periodically evaluating the risk for possible/potential changes to the risk rating
• Risk Planning: To manage risk by developing a risk mitigation plan that prioritizes, implements,
and maintains the required controls.

Risk Acceptance

Risk acceptance is usually done when the risk is judged too low for formal mitigation and/or when the
cost of mitigation is too high (higher than the cost, if the risk actually is realized) and/or when there
appears to be no viable way to reduce the risk.

The ISMG and the Management may choose to accept or otherwise mitigate a risk that has a low rating.
The record of this will be captured in meeting minutes or a risk assessment report. Other risks may be
accepted, if an analysis determines that it is not practical for them to be otherwise mitigated.

Acceptance of risks with medium or high ratings should be documented in a Corrective Action and
Preventive Action Plan (CPA) created for the risk and must be approved by ISMG.

Risk Monitoring & Review

Risk assessment is an iterative process and must be followed accurately to ensure that risks related to IT
assets are managed effectively and efficiently. The RA policy guidance will drive the enforcement of risk
management activities across all stages of the information asset and/or resource life cycle.

The Risk Register will be a living document that must be maintained by the Information Security team,
and assessments are performed as per the policy.

Key for Risk Management Program Success

The success of WF's Risk Assessment program will depend on the following factors:

• WF's senior management's commitment
• Support and participation of the Information Security Management Group (ISMG)
• The competence of the risk assessment team, which must have the expertise to apply the risk
assessment methodology to a specific IT asset, identify business risks and provide cost-effective
safeguards that meet the needs of the organization
• Awareness and cooperation of members of the end user community, who must follow
procedures and comply with the implemented controls to safeguard the business and the
mission of WF
• An ongoing evaluation and assessment of newly identified and existing risks, at least quarterly.
WF performs an information security risk assessment continually—whenever a new risk is
identified, as a result of a new service release, when an update to an existing service is
introduced, when a new information asset is planned, when a change in the physical environment
occurs, when a change in mission direction is projected, or after a significant security incident.

Risk Communication

All identified risks for WF and partner organizations are documented in the WF - Risk Assessment sheet
and Risk Register. Risks are evaluated, analyzed, and updated, at least quarterly. Each time an update is
made to the register, it goes through the change control process and is sent to the ISMG for review. All
changes to the risk register are approved by the ISMG.

Abbreviations

Abbreviations/Acronyms | Expansion
WF | Wellness Forever Medicare
INFORMATION SECURITY | Information Security Management System
ISMG | Information Security Management Group
IT | Information Technology
HR | Human Resources
NIST | National Institute of Standards and Technology
RA | Risk Assessment
CPA | Corrective and Preventive Action
CIP | Continual Improvement Plan

Reference Documents and Records

• WF Information Security Policy
• WF Disposal Policy
• Access Control Policy
• WF Information Classification Policy
• Backup and Restore Policy