ISMS-FORM-06-1 Asset-Based RAT Tool

Risk Assessment and Treatment Tool

PRE-TREATMENTASSESSMENT

Not all rows are shown in the table below.

ISO/IEC27001 Annex AReference Controls

Thefollowinglistofreferencecontrolsisusedwithintheriskassessmentworksheets.

REF

A.5Organizationalcontrols

A.5.1Policiesforinformationsecurity

A.5.2Informationsecurityrolesandresponsibilities

A.5.3Segregationofduties

A.5.4Managementresponsibilities

A.5.5Contactwithauthorities

A.5.6Contactwithspecialinterestgroups

A.5.7Threatintelligence

A.5.8Informationsecurityinprojectmanagement

A.5.9Inventoryofinformationandotherassociatedassets

A.5.10Acceptableuseofinformationandotherassociatedassets

A.5.11Returnofassets

A.5.12Classificationofinformation

A.5.13Labellingofinformation

A.5.14Informationtransfer

A.5.15Accesscontrol

A.5.16Identitymanagement

A.5.17Authenticationinformation

A.5.18Accessrights

A.5.19Informationsecurityinsupplierrelationships

A.5.20Addressinginformationsecuritywithinsupplieragreements

A.5.21ManaginginformationsecurityintheICTsupplychain

A.5.22Monitoring,reviewandchangemanagementofsupplierservices

A.5.23Informationsecurityforuseofcloudservices

A.5.24Informationsecurityincidentmanagementplanningandpreparation

A.5.25Assessmentanddecisiononinformationsecurityevents

A.5.26Responsetoinformationsecurityincidents

A.5.27Learningfrominformationsecurityincidents

A.5.28Collectionofevidence

A.5.29Informationsecurityduringdisruption

A.5.30ICTreadinessforbusinesscontinuity

A.5.31Legal,statutory,regulatoryandcontractualrequirements

A.5.32Intellectualpropertyrights

A.5.33Protectionofrecords

A.5.34PrivacyandprotectionofPII

A.5.35Independentreviewofinformationsecurity

A.5.36Compliancewithpolicies,rulesandstandardsforinformationsecurity

A.5.37Documentedoperatingprocedures

Not all rows are shown in the table below.

Asset | Threat | Vulnerability | Risk Type | Control Examples

The followinglistshows alistof assets, with associated threats and vulnerabilities, risk type and the Annex A controls thatmightbe used to treatthem. You may use this table to help to identify relevantrisks foryourorganization and to define where the controls fromAnnex A of ISO/IEC27001are applicable.

REF EXAMPLEASSETGROUP EXAMPLETHREAT(S)

1 Organization Itis notclearwhatthe organization's rules are formanaging information security. Employees and others aren'taware of whatthey should be doingto protectthe organization

EXAMPLEVULNERABILITY

RISKTYPE(S) ANNEXACONTROL

Policies eitherdon'texistordon'tcoverthe required areas Availability A.5.1Policies forinformation security

2 Organization New threats have emerged thatneed to be addressed in policies Policies are outof date, do notreflectthe organization's business or technical setup

3 Organization Itis notclearwho should be doingwhatwith respectto information security Roles and responsibilities forinformation security have notbeen clearly defined

4 Business activities An individual is able to performall of the steps required to performasensitive business process. Checks are insufficientto preventaccidental amendmentordestruction of data

5 Organization The organization is unaware of theirlegal orregulatory responsibilities and may break the law withoutrealisingit

6 Business activities The organization lacks up to date knowledge of information security issues such as currentthreats, new controls and other relevantinformation

7 Organization Information gathered and created duringprojects is not adequately protected

8 Information Dataheld on mobile devices is prone to loss ortheftof the device, orunauthorised access

9 Physical/Site A teleworkingsite does notmeetthe information security standards ensured atmain locations and datais exposed to loss ortheft

10 Business activities Itis notclearwho does whatwith respectto cloud security and one party (e.g. cloud service customer) is underthe impression thatthe other(e.g. cloud service provider) is monitoringa particularaspect

Confidentiality, Integrity and Availability

Confidentiality

A.5.1Policies forinformation security

A.5.2Information security roles and responsibilities

Processes have notbeen designed to limitthe scope fordeliberate or accidental actions Confidentiality, Integrity and Availability A.5.3Segregation of duties

No contactis in place with bodies who may impose requirements on ourorganisation Confidentiality and Availability A.5.5Contactwith authorities

No budgetis currently available forattendance atconferences, seminars and trainingevents

Projectdocumentstores are setup ad hocand often outside of more formal access controls

No guidance is given to employees abouthow to protecttheirmobile devices

Teleworkingarrangements are informal and no checkingis done of the environmentin place

Confidentiality, Integrity and Availability A.5.6Contactwith special interestgroups

Confidentiality A.5.8Information security in projectmanagement

Confidentiality A.8.1Userendpointdevices

Confidentiality A.6.7Remote working

No splitof responsibilities is agreed as partof the cloud take-on service Availability

A.5.23Information security for use of cloud services

Not all rows are shown in the table below.

ExamplesofAssets

Thefollowingisaninitiallistoftypicalassetsthatmaybeuseasguidanceforyourriskassessment.

Note:informationassetsshouldbecapturedinmoredetailintheInformationAssetInventory.

ASSETGROUP SUB-CATEGORY ASSET

Businessactivities

Business-criticalactivities

Supportingactivities Compliance

Information Cloudcustomerdata Personallyidentifiableinformation(PII)

Non-PII

Corporate Budgets

Salesforecasts

Corporateplans

Corporatepolicies

SalesandMarketing Customerrecords-names,addresses,contacts

Customercreditcardinformation

Customerbankdetailse.g.DirectDebits

Websiteinformation

Customerpreferencesandpurchasehistory

Customercorrespondenceandcomplaints

HumanResources Employeerecords -address,DOB,insurancenumbers

Employeeexpenseclaims

Payrollinformation,includingbankdetails

Trainingrecords

Recruitmentinformation

Securityclearance/checkinformation

Employeecomplaints/disciplinaryrecords

Sickness/occupationalhealthrecords Employmentcontracts

Finance Accountingrecords-invoices,bills,accounts

Businessaccountbankingdetails

Buying Suppliercontactdetails

Buyingplans

Commercialterms

Legal Suppliercontracts

Customercontracts

Propertyleases

Creditagreements

Insurancepolicies

Operations Documentsheldonbehalfofcustomers

Productspecificationsandbillsofmaterials

Processandproceduraldocumentation

IntellectualPropertyspecifictotheorganisation

Resourceplans

AuditandCompliance Internalauditrecords

Externalauditreports

Riskassessments

Examplesof Threats

The followingisastandardlistof typical threatsthatmaybe use asguidance foryourriskassessment.

THREATCATEGORY THREAT

Human Maliciousoutsider

Maliciousinsider

Lossof keypersonnel

Humanerror

EXAMPLE

Someone launchesadenial of service attackonyourcloud service platform

Anemployee ortrustedthirdpartyaccessescardholderdatain anunauthorisedmannerfrominside yournetwork

One ormore people withkeyskillsorknowledge are unavailable perhapsdue toextendedsickness

Anemployee accidentallydeletescardholderdata

Accidental loss Amanagerlosesamemorystickwithcardholderdataonit

Natural Fire

Flood

Severe weather

Earthquake

Yourdatacentre burnsdowndue toanelectrical fault

The nearbyriverbreaksitsbanksandyourmainoffice is severelyflooded

Non-one cangetintothe office due tothe weather

The areaof yourmaindatacentre isaffectedbyanearth tremorthatdamagesall yourservers

Lightning All yourserversare friedbyalightningstrike onthe data centre building

Technical Hardware failure

Akeyphysical serverhasaprocessorfailure

Software failure Yourfinancial systemprocessesinvoicesincorrectlydue toa bug

Virus/Maliciouscode Avirusspreadsthroughoutyournetworkpreventingaccessto your(andyourcustomers') data

Physical Sabotage

Adisgruntledex-employee takesanaxe toyourserverroom

Theft Youcome inonMondaymorningtofindsome important driveshave beenstolen

Arson Someone withagrudge againstyourorganisationstartsafire duringthe night

Environmental Hazardouswaste Alorrycarryinghazardouswaste hasanaccidentoutside your office

Powerfailure

The sub-stationsupplyingyourareahasameltdown

Gassupplyfailure There isasuspectedleakandall suppliesare turnedoff

Operational Processerror

Crime scene

Yournewdatatransferprocedure doesn'tcaterforunexpected circumstancesandcardholderdataislostorsenttothe wrong destination

Acrime happensinornearyouroffice andthe areaissealed off bypolice

Likelihood

This table should be used to decide upon the most appropriate likelihood for a particular threat.

LIKELIHOOD DESCRIPTION SUMMARY

1 Improbable Has never happened before and there is no reason to think it is any more likely now

2 Unlikely There is a possibility that it could happen, but it probably won't

3 Likely On balance, the risk is more likely to happen than not

4 Very Likely It would be a surprise if the risk did not occur either based on past frequency or current circumstances

5 Almost certain Either already happens regularly or there is some reason to believe it is virtually imminent

Impact

IMPACT LEVEL IMPACT AREAS