Please note: This sample shows only a small part of the complete Assessment and Treatment tool. Note all columns are shown in the table below. Asset Group

Risk Owner

Select…

(blank)

Risk Level

Treatment Opti...

Calculated

Select…

Asset-Based Risk Assessment and Treatment Tool Start with your most valuable assets and the most likely threats that will cause the highest impact. RISK DESCRIPTION Ref Asset Group

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select…

PRE-TREATMENT ASSESSMENT Asset

Threat

Vulnerability Risk Type Risk Owner Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select…

Existing Controls Likelihood

Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select…

Likelihood Impact Rationale Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select… Select…

Impact Rationale

Risk Score

Risk Level

Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated

Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated Calculated

Examples of Assets The following is an initial list of typical assets that may be use as guidance for your risk assessment. Note: information assets should be captured in more detail in the Information Asset Inventory. ASSET GROUP

SUB-CATEGORY

Business activities

Information

ASSET Business-critical activities Supporting activities Compliance

Cloud customer data Corporate

Sales and Marketing

Human Resources

Finance Buying

Legal

Operations

Audit and Compliance

Personally identifiable information (PII) Non-PII Budgets Sales forecasts Corporate plans Corporate policies Customer records - names, addresses, contacts Customer credit card information Customer bank details e.g. Direct Debits Website information Customer preferences and purchase history Customer correspondence and complaints Employee records - address, DOB, insurance numbers Employee expense claims Payroll information, including bank details Training records Recruitment information Security clearance/check information Employee complaints/disciplinary records Sickness/occupational health records Employment contracts Accounting records - invoices, bills, accounts Business account banking details Supplier contact details Buying plans Commercial terms Supplier contracts Customer contracts Property leases Credit agreements Insurance policies Documents held on behalf of customers Product specifications and bills of materials Process and procedural documentation Intellectual Property specific to the organisation Resource plans Internal audit records External audit reports Risk assessments

Examples of Threats The following is a standard list of typical threats that may be use as guidance for your risk assessment. THREAT CATEGORY

THREAT

EXAMPLE

Human

Malicious outsider

Someone launches a denial of service attack on your cloud service platform An employee or trusted third party accesses cardholder data in an unauthorised manner from inside your network One or more people with key skills or knowledge are unavailable perhaps due to extended sickness An employee accidentally deletes cardholder data A manager loses a memory stick with cardholder data on it

Malicious insider Loss of key personnel Human error Accidental loss

Natural

Fire Flood Severe weather Earthquake Lightning

Technical

Hardware failure Software failure Virus/Malicious code

Physical

Sabotage Theft Arson

Environmental

Hazardous waste Power failure Gas supply failure

Operational

Process error

Crime scene

Your data centre burns down due to an electrical fault The nearby river breaks its banks and your main office is severely flooded Non-one can get into the office due to the weather The area of your main data centre is affected by an earth tremor that damages all your servers All your servers are fried by a lightning strike on the data centre building A key physical server has a processor failure Your financial system processes invoices incorrectly due to a bug A virus spreads throughout your network preventing access to your (and your customers') data A disgruntled ex-employee takes an axe to your server room You come in on Monday morning to find some important drives have been stolen Someone with a grudge against your organisation starts a fire during the night A lorry carrying hazardous waste has an accident outside your office The sub-station supplying your area has a meltdown There is a suspected leak and all supplies are turned off Your new data transfer procedure doesn't cater for unexpected circumstances and cardholder data is lost or sent to the wrong destination A crime happens in or near your office and the area is sealed off by police

Classification of Risk Level The chart below shows the rating scheme used to determine risk level based on a combination of likelihood and impact. RISK SCORE 5 HIGH 4

Risk Likelihood

MEDIUM

3

2 LOW 1

1

2

3

Risk Impact

4

5