© This document is a sole property of Wellness Forever Medicare Pvt. Ltd. All rights reserved. No part
of this document shall be reproduced or utilized in any form without permission of issuer of the
document. DOWNLOADED AND/OR HARD COPY UNCONTROLLED. Verify that this is the correct version
before use.
Risk Assessment Methodology
Version: 0.1
Date: 19-Oct-2020
Page: 2 of 14
Document Summary
Document Title: Risk Assessment Methodology
Document Id: WF-CORP-ISM-P0002
Current Version: 0.1
Date of Release:
Classification: Internal
Storage Location:
Department Code: ISM
Department Name: Information Security
Reference clauses addressed: ISO 27001:2013 Clause 6, 8
Author: Siddharth Iyer
Document Owner Name: Siddharth Iyer
Document Owner Designation: Information Security Head
Document Distribution
Sl. No. | Name | Department | Designation

Revision History
Version No | Date of Revision | Pages Affected | Description of Change

Document Reviewers
Version No | Name | Department | Designation | Date

Document Approvers
Version No | Name | Designation | Signature | Date
Contents
Introduction ..... 4
Purpose ..... 4
Scope ..... 4
Roles and Responsibilities ..... 4
Risk Assessment Goals and Objectives ..... 5
Risk Assessment Methodology ..... 5
    Context establishment ..... 6
    Threat and Vulnerability Identification ..... 6
Risk Assessment ..... 8
    Risk Identification ..... 8
    Risk Estimation ..... 8
        Control Analysis ..... 8
        Likelihood Determination ..... 8
        Impact Analysis ..... 9
    Risk Evaluation ..... 9
    Risk Treatment ..... 11
    Risk Acceptance ..... 12
    Risk Monitoring & Review ..... 12
        Key for Risk Management Program Success ..... 12
    Risk Communication ..... 13
Abbreviations ..... 13
Reference Documents and Records ..... 14
Introduction
In order to deliver high quality services, it is imperative to assess the information security posture across WF
assets. To understand this posture, the Information Security Team shall facilitate WF's business units in
conducting risk assessments across their assets. The Information Security Team shall also work with the
respective business units to identify, assess, and manage risks. This Information Security Risk Management
document is based on and developed from the ISO 27001 security management processes, the ISO 20000 IT
service management processes, and the security and risk management documentation provided by the
National Institute of Standards and Technology (NIST).
Purpose
The purpose of this procedure is to describe WF's methodology for managing risk across its assets.
Scope
This Information Security Risk Management Methodology covers WF's IT assets. It shall also guide the ISMG
and IT teams in managing risks across IT assets throughout their lifecycle. This document provides
information about the policies and procedures relevant to risk management activities as implemented in WF.
Roles and Responsibilities
ISMG:
IT Team:
Risk Assessment Goals and Objectives
The goals and objectives of the WF Information Security risk management process are:
Risk Assessment Methodology
WF's Risk Assessment (RA) methodology comprises the processes of identifying risks, assessing risks,
mitigating risks, and evaluating the residual risks that remain after mitigation. Risks are continuously
monitored and communicated to the relevant stakeholders. RA is an iterative process that can be performed in
each stage of the lifecycle, namely Strategy, Design, Transition, Operations, and Continual Improvement.
The figure below describes the Risk Management Methodology as implemented and followed by the ISMG,
along with the activities performed in each step.
Context establishment
During this step, the boundaries of the services, systems, and resources in scope are identified. This step also
includes identification of the following information:
The outputs of this step of the RA methodology can be a valuable input to the design stage of products or
services, so that the relevant enhancements can be made to mitigate risks.
Threat and Vulnerability Identification
A threat is defined as an event that can potentially cause harm by exploiting known or unknown
weaknesses.
A vulnerability is defined as a weakness that could be exploited by one or more threats, resulting in harm.
WF shall identify the potential and/or perceived threats, along with the known and/or unknown
vulnerabilities, across its IT assets. The result of this identification is an input for determining the
appropriate risk level for a given IT asset.
Risk Assessment
Risk Identification
Risk identification is the process of qualifying the impact that results when a potential and/or perceived
threat exploits known and/or unknown vulnerabilities, causing a security breach. The following are some of
the tasks the Information Security team may perform to identify and qualify the risk:
Risk Estimation
Risk estimation is the process of analyzing a qualified risk for its likelihood of occurrence and its impact on
WF. WF shall analyze the controls implemented around an identified risk and assess the possibility of
occurrence and its impact across the affected IT assets.
Control Analysis
Likelihood Determination
WF shall assign a probability value to each possible or potential security breach, using High, Medium, and
Low as the likelihood levels. In arriving at a probability value, WF shall consider the likelihood levels together
with the following definitions:
Likelihood | Definition
High | No existing controls, or the existing controls are ineffective; the threat source is highly capable.
Medium | The threat source is capable, but controls may be in place to counter the threat or impede
successful exploitation of the vulnerability.
Impact Analysis
WF shall analyze the product or service characterization related information, such as business services
supported, end users, underlying systems and services, data criticality and sensitivity, as well as the
business critical nature for a given IT asset.
The impact on the business of a failure of a service or service component is a valuable input to this impact
analysis. Impact can be tangible, such as loss of revenue or the labor cost spent recovering the service, or
intangible, such as reputational damage or loss of stakeholder confidence.
WF shall use the qualitative values High, Medium, and Low to determine the impact on an IT asset.
Impact Level | Definition
High | Exercise of the vulnerability:
  - May result in significant loss of critical assets and/or resources
  - May significantly violate, harm, or impede WF's mission, reputation, and/or interest
  - May result in serious injury and/or human death
Medium | Exercise of the vulnerability:
  - May result in loss of critical assets and/or resources
  - May violate, harm, or impede WF's mission, reputation, and/or interest
  - May result in human injury
The advantage of qualitative impact analysis is that it allows the risks to be prioritized and identifies the areas
where the vulnerabilities need immediate attention.
Qualitative analysis does not provide specific, quantifiable measurements of the magnitude of the impact,
which makes it difficult to develop a cost-benefit analysis of the recommended controls.
Risk Evaluation
The adequacy of planned and/or existing controls to reduce and/or eliminate the risk
Risk rating is determined to enable Information Security team to prioritize the actions required to
reduce and/or mitigate the risk.
Risk Determination (rows: Likelihood; columns: Impact)
Likelihood \ Impact | High   | Medium | Low
High                | High   | High   | Medium
Medium              | High   | Medium | Low
Low                 | Medium | Low    | Low
The risk scale, with its ratings of High, Medium, and Low, represents the degree or level of risk to which a
resource, system, facility, product, and/or procedure would be exposed if a given vulnerability were
exploited.
Based on the risk rating, WF must take the actions defined in the table below:
Risk Rating | Required Action
Medium | Corrective actions are needed, and a plan must be developed to carry out these actions within a
reasonable period of time.
Low | The Information Security Management Committee must determine whether corrective actions are
still required, or decide to apply a dispensation or absorb the risk.
Risk Treatment
Because the elimination of all risk is usually impractical or close to impossible, it is the responsibility of
senior management and functional and business managers to use the least-cost approach and
implement the most appropriate controls to reduce the risk to an acceptable level, with minimal
adverse impact on the organization’s resources.
The Risk Treatment plan includes the approaches, techniques, and methods used to avoid, reduce, and
control the likelihood of a risk occurring, the extent of the damage incurred should the risk occur, or both.
Risks are monitored, and when they exceed the established thresholds the risk treatment plans are
deployed to return the affected effort to an acceptable risk level.
If the risk cannot be mitigated, a contingency plan is invoked. Both risk mitigation and contingency plans
are often generated only for selected risks, where the consequences of the risks are determined to be
high or unacceptable.
Risk mitigation can be achieved through many methods, including but not limited to the following:
Risk Assumption: Accept the potential risk and continue operating the IT system, and/or implement controls to lower the risk to an acceptable level.
Risk Avoidance: Change or lower requirements while still meeting the organization's needs.
Risk Control: Take active steps to minimize risks by implementing technical, managerial, operational, security, and/or other controls.
Risk Transfer: Reallocate requirements to lower the risks, or transfer the risk by using other options to compensate for the loss, such as purchasing insurance.
Risk Monitoring: Periodically re-evaluate the risk for possible or potential changes to its rating.
Risk Planning: Manage the risk by developing a risk mitigation plan that prioritizes, implements, and maintains the required controls.
Risk Acceptance
Risk acceptance is usually chosen when the risk is judged too low to warrant formal mitigation, when the
cost of mitigation is too high (higher than the cost incurred if the risk is actually realized), and/or when there
appears to be no viable way to reduce the risk.
The ISMG and the Management may choose to accept or otherwise mitigate a risk that has a low rating.
The record of this will be captured in meeting minutes or a risk assessment report. Other risks may be
accepted, if an analysis determines that it is not practical for them to be otherwise mitigated.
Acceptance of risks with medium or high ratings should be documented in a Corrective Action and
Preventive Action Plan (CPA) created for the risk and must be approved by ISMG.
Risk Monitoring & Review
Risk assessment is an iterative process and must be followed accurately to ensure that risks related to IT
assets are managed effectively and efficiently. The RA policy guidance drives the enforcement of risk
management activities across all stages of the information asset and resource lifecycle.
The Risk Register is a living document that must be maintained by the Information Security team, and
assessments are carried out as required by the policy.
Key for Risk Management Program Success
The success of WF's Risk Assessment program depends on the following factors:
The competence of the risk assessment team, which must have the expertise to apply the risk assessment
methodology to a specific IT asset, identify business risks, and provide cost-effective safeguards that meet
the needs of the organization.
The awareness and cooperation of the end user community, whose members must follow procedures and
comply with the implemented controls to safeguard the business and the mission of WF.
An ongoing evaluation and assessment of newly identified and existing risks, at least quarterly. WF performs
an information security risk assessment continually—whenever a new risk is identified, as a result of a new
service release, when an update to an existing service is introduced, when a new information asset is planned,
when a change in the physical environment occurs, when a change in mission direction is projected, or after a
significant security incident.
Risk Communication
All identified risks for WF and partner organizations are documented in the WF - Risk Assessment sheet
and Risk Register. Risks are evaluated, analyzed, and updated, at least quarterly. Each time an update is
made to the register, it goes through the change control process and is sent to the ISMG for review. All
changes to the risk register are approved by the ISMG.
Abbreviations
Abbreviation/Acronym | Expansion
WF | Wellness Forever Medicare
INFORMATION SECURITY | Information Security Management System