
Innovative Solutions (Risk Assessment Treatment Report)

Risk Management Register


Document Title: Risk Management Register

Version: 1.0

Client Name:

Document Classification: Confidential

Document Description: This report identifies the risks found through the risk assessment process and defines the controls required to modify or reduce each risk.

Document Prepared By: Initial preparation by Innovative Solutions (Consultant); maintained by the Information Security Unit (ISU)

Effective Date: 11-Jan-19

DOCUMENT CHANGE CONTROL

Issue Date | Version | Description | Prepared By | Reviewed By | Approved By
11-Jan-19 | 1 | Final Document | Innovative Solutions (Consultant) | ISMGR | Manager, Information Security Unit
24-Feb-20 | 1.1 | Risks re-evaluated and updated | Information Security Unit | ISMGR | Manager, Information Security Unit
15-Mar-21 | 1.2 | Risks re-evaluated and updated | Information Security Unit | ISMGR | Manager, Information Security Unit

DOCUMENT DISTRIBUTION LIST

# | Name | Department | Purpose
1 | Risk Management Register | All departments under scope of Risk Management | Risk Assessment and Treatment
2 | | |
3 | | |

MOHE-RPT-505 Confidential 1
Purpose of Risk Management

Scope of Risk Management

Boundaries of Risk Management

Constraints
Information Security Risk Management

Register columns, grouped as IDENTIFY / Risk Analysis / Risk TREATMENT / ACTION PLAN / ONGOING REVIEWS:
#, Asset, Asset Value, Threat, Threat Actor (Source of the Risk), Vulnerability(s), Existing Controls, Risk Assessment of Existing Controls, Impact, Likelihood, Risk Priority, Risk Owner (Department), Risk Owner (Designation), Suggested Control, Control Ref., Action Type, Responsibility, By When, Status, Last Reviewed Date, Consequence, Likelihood, Residual Risk Priority, Review Frequency, Next Review Date, Remarks/Action, Responsibility

Risk # 1

IDENTIFY
Asset: System Logs
Asset Value: High
Threat: Abuse of rights (risk that unauthorized access or activities may go undetected)
Threat Actor (Source of the Risk): Internal & External - Multiple Source (Users and Admins)
Vulnerability(s):
1) Lack of Privilege Access Management (PAM)
2) Lack of implementation of a log management policy/system, which may result in unauthorized activities going undetected on systems or applications.
Existing Controls: BASIC Control

Risk Analysis
Risk Assessment of Existing Controls: Inadequate
Impact: Moderate
Likelihood: Likely
Risk Priority: Medium
Risk Owner (Department): All IT Depts.
Risk Owner (Designation): Departments Managers / Section Heads

Risk TREATMENT / ACTION PLAN
Suggested Control (Control Ref.):
A.9.2.3
Event logging (A.12.4.1)
Protection of log information (A.12.4.2)
Administrator and operator logs (A.12.4.3)
Outsourced development (A.14.2.7)
Action Type: Treat (Likelihood or Consequence)
By When: 1-Sep-2021
Status: Under Implementation

ONGOING REVIEWS
Last Reviewed Date: 17-Jan-2021
Consequence: Tolerable
Likelihood: Possible
Residual Risk Priority: Low
Review Frequency: Semi Annually
Next Review Date: 06-Jun-21
Remarks/Action: Working on availing the required security controls and computing resources: PAM and integration with Application, and Centralized Logging by SIEM.
Responsibility: Network and Operations dept manager and E-Services dept manager.

[Register rows 2 to 22: only the row numbers survive in the extracted text]
Summary of Risks

Total Risks | High Risks | Medium Risks | Low Risks
22 | 7 | 11 | 4
Guidelines for Likelihood Ratings
§ Where possible, the likelihood of occurrence of a risk should be assessed on a quantifiable basis, with 5 being very high probability and 1 being very low
§ If the risk cannot be quantified, an estimation should be made based on management's assessment and knowledge of IPA operations

Each rating is described by five factors: Likelihood of Occurrence, Probability, Threat Capability / motivation / perception of attractiveness, Vulnerability Severity / external or environmental factors, and Existing controls.

Rating 1
Likelihood of Occurrence: No Chance, Rare
Probability: Extremely unlikely, may occur only in exceptional circumstances; estimated to be less than once every 10-20 years
Threat Capability / motivation / perception of attractiveness: Very low capability / motivation and/or asset has no value
Vulnerability Severity / external or environmental factors: No known vulnerability / very large resources required to exploit
Existing controls: LAYERED Controls (Defense in Depth)

Rating 2
Likelihood of Occurrence: Unlikely
Probability: The likelihood of occurrence is estimated to be about once every 3-10 years
Threat Capability / motivation / perception of attractiveness: Low capability / motivation and/or asset is not perceived as attractive
Vulnerability Severity / external or environmental factors: Threat requires a significant or large amount of resources to exploit the vulnerability
Existing controls: CORE Control

Rating 3
Likelihood of Occurrence: Possible
Probability: The frequency of occurrence is once every 2-3 years
Threat Capability / motivation / perception of attractiveness: Moderate capability / motivation and/or perceived as a little attractive
Vulnerability Severity / external or environmental factors: Threat requires a moderate amount of resources to exploit this vulnerability
Existing controls: BASIC Control

Rating 4
Likelihood of Occurrence: Likely
Probability: Known to occur occasionally, at a frequency of about once a year
Threat Capability / motivation / perception of attractiveness: Strong capability / motivation and/or perceived as having significant value & attractive
Vulnerability Severity / external or environmental factors: Threat requires a few resources to exploit this vulnerability
Existing controls: INFORMAL Control (Adhoc)

Rating 5
Likelihood of Occurrence: Almost Certain
Probability: Such incidents are expected to occur almost certainly, maybe a few times a month or a few times in a year; any risk which is known in the system today
Threat Capability / motivation / perception of attractiveness: High capability / motivation and/or perceived as very attractive
Vulnerability Severity / external or environmental factors: Threat requires almost no resources to exploit this vulnerability
Existing controls: NO Control
Impact Scale

Each impact level is described across four areas: DISCLOSURE, REPUTATION, FINANCIAL and SAFETY.

5 - Catastrophic Loss
DISCLOSURE: Complete disclosure of confidential information (Customer, Official, etc.); all systems hacked and information leakage is imminent.
REPUTATION: Legal / Official action on the Organization; complete loss of credibility.
FINANCIAL: Extreme financial loss with very high operating costs.
SAFETY: Results in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

4 - Heavy Loss
DISCLOSURE: Customer information disclosure; major information leakage (Source Code, etc.); successful system hacks.
REPUTATION: Tremendous bad publicity generated in international and local press.
FINANCIAL: Major financial loss and increase in operating cost.
SAFETY: Results in major harm to individuals or premises involving injuries & damages.

3 - Moderate Loss
DISCLOSURE: Leakage of internal information related to systems, technology, applications, etc.; leakage of system audit reports.
REPUTATION: Warning issued by a legal authority / government agency; adverse publicity in local press; significant (5X) increase in complaints.
FINANCIAL: Significant multiple financial losses and increase in operating cost.
SAFETY: Results in significant harm to individuals or premises that does not involve loss of life or serious life-threatening injuries.

2 - Tolerable Loss
DISCLOSURE: Internal communication disclosure.
REPUTATION: Increase in complaints, 1X to 5X.
FINANCIAL: One-time financial loss is low, with little increase in operating cost.
SAFETY: Results in minor harm to individuals or premises.

1 - Mild Loss
DISCLOSURE: Insignificant disclosure.
REPUTATION: Complaints are common; customer dissatisfaction.
FINANCIAL: Insignificant loss.
SAFETY: Results in no harm to individuals or premises.

Risk Severity Rating

Severity = Likelihood x Consequence (rows: Likelihood 5 to 1; columns: Consequence 1 to 5)

Likelihood 5 |  5  10  15  20  25
Likelihood 4 |  4   8  12  16  20
Likelihood 3 |  3   6   9  12  15
Likelihood 2 |  2   4   6   8  10
Likelihood 1 |  1   2   3   4   5
             +-------------------
Consequence  |  1   2   3   4   5

HIGH RISK: 15 - 25
MEDIUM RISK: 8 - 14
LOW RISK: 1 - 7
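The scoring rule above can be checked mechanically against register entries. The following is an added example, not part of the register or of Innovative Solutions' methodology: it encodes the five likelihood names and the five impact levels as the numeric ratings the guidelines give them, multiplies them as the matrix does, applies the 15-25 / 8-14 / 1-7 bands, and recomputes the inherent and residual priority of a row so that a stated priority that disagrees with the matrix, a "treatment" that does not lower the score, or an overdue Next Review Date is flagged. The single embedded row is constructed from register risk #1 (System Logs); the date format "%d-%b-%y" is an assumption matching the register's "06-Jun-21" style.

```python
"""Score risk register rows against the 5x5 Likelihood x Consequence matrix.

Added example. Scale names and bands follow the register's guidelines; the
embedded row is constructed from the page's risk #1 entry.
"""
from datetime import datetime

# Likelihood of Occurrence names and their ratings (Guidelines for Likelihood Ratings).
LIKELIHOOD = {"No Chance, Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
# Impact Scale levels, written as the register writes them in the Impact/Consequence columns.
CONSEQUENCE = {"Mild": 1, "Tolerable": 2, "Moderate": 3, "Heavy": 4, "Catastrophic": 5}


def band(score: int) -> str:
    """Map a matrix score to the register's bands: 15-25 High, 8-14 Medium, 1-7 Low."""
    if not 1 <= score <= 25:
        raise ValueError(f"score {score} is outside the 5x5 matrix")
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def severity(likelihood: str, consequence: str) -> tuple:
    """Return (score, band) for named ratings; unknown names raise KeyError."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    return score, band(score)


def check_row(row: dict) -> dict:
    """Recompute inherent and residual priority and list disagreements with the stated values."""
    inherent_score, inherent = severity(row["likelihood"], row["impact"])
    residual_score, residual = severity(row["residual_likelihood"], row["residual_consequence"])
    mismatches = []
    if inherent != row["risk_priority"]:
        mismatches.append(f"risk priority stated {row['risk_priority']}, matrix gives {inherent}")
    if residual != row["residual_priority"]:
        mismatches.append(f"residual priority stated {row['residual_priority']}, matrix gives {residual}")
    if residual_score > inherent_score:
        mismatches.append("residual score exceeds inherent score; treatment is not reducing the risk")
    return {"asset": row["asset"], "inherent": (inherent_score, inherent),
            "residual": (residual_score, residual), "mismatches": mismatches}


def review_overdue(next_review: str, as_of: str) -> bool:
    """True when a Next Review Date such as '06-Jun-21' lies before as_of (ISO date, e.g. '2021-09-01')."""
    due = datetime.strptime(next_review, "%d-%b-%y").date()  # assumed register date format
    return due < datetime.strptime(as_of, "%Y-%m-%d").date()


def summarize(rows: list) -> dict:
    """Count rows per inherent band, the figures the Summary of Risks table reports."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for row in rows:
        counts[severity(row["likelihood"], row["impact"])[1]] += 1
    return counts


# Constructed from register risk #1 (System Logs); the remaining 21 rows are not on the page.
ROWS = [{
    "asset": "System Logs", "impact": "Moderate", "likelihood": "Likely", "risk_priority": "Medium",
    "residual_consequence": "Tolerable", "residual_likelihood": "Possible", "residual_priority": "Low",
    "next_review": "06-Jun-21",
}]

if __name__ == "__main__":
    for row in ROWS:
        print(check_row(row), "review overdue as of 2021-09-01:", review_overdue(row["next_review"], "2021-09-01"))
    print(summarize(ROWS))
```

For risk #1 the matrix agrees with the register: Likely (4) x Moderate (3) = 12, Medium, and the residual Possible (3) x Tolerable (2) = 6, Low. Running the same check over all 22 rows would also reproduce the Summary of Risks counts, or show where a stated priority was entered by hand without reference to the matrix.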
