Chapter 7: Preparation 3 - MyRAM Technical.pdf · 2018. 7. 17. · Committee (Refer to Pekeliling. 4 Tahun 2004: Garis Panduan Mengenai Tatacara Memohon Kelulusan Teknikal Projek

Chapter 7 - 39

MyRAM

MA

MPU

Preparation: Introduction

Chapter 7: Preparation

7.0 Introduction

The preparation stage as illustrated in Figure 7.1: Preparation Diagram is not part of the risk assessment process in MyRAM. However, it is vital in determining the successful start of a MyRAM. It is at this preparation stage that the risk assessment team formed will understand the pre-requisites for a successful risk assessment exercise. Prior to the Preparation stage, one must recall that there is the High-Level Risk Assessment (HiLRA) which determines whether a detail RA using MyRAM is necessary or not. For the High-Level Risk Assessment, the senior management will be the approving authority for this exercise.

Figure 7.1: Preparation Diagram

7.1 Overview of this process

The senior management of an agency has the responsibility for meeting mission requirement and business objectives. As part as of a good conduct of due diligence, senior management must ensure that the necessary resources are effectively applied in the information security initiatives to meet the mission requirement. The Preparation stage is when decision has to be made with regards to the feasibility of a proper risk assessment project. At the agency level an existing ICT Steering Committee (Refer to Pekeliling. 4 Tahun 2004: Garis Panduan Mengenai Tatacara Memohon Kelulusan Teknikal Projek ICT Agensi Kerajaan) may commission an initial feasibility study for a RA project.

Goals

The preparation stage has the following goals;

1 To identify the requirements and justifications for a risk assessment exercise.

2. To specify the objectives and the resources (budget, manpower, time line) required to successfully complete the RA exercise.

3. To obtain endorsement from the senior management to proceed with the risk assessment exercise.

Chapter 7 - 40

MyRAM

MA

MPU


Tasks

1. Setting Up A Preliminary Risk Assessment Team

The preliminary risk assessment team should have a representative from the core business areas and the ICT department. The personnel selected should possess good understanding and knowledge of the targeted area of operations in the organisation. It is advisable that the ICTSO, or any other personnel member who has a role and responsibilities similar to those of the ICTSO to lead the team. These personnel members usually are those who are familiar with Information security in general. The team should consist of one to three people, based on the anticipated action group workload that may include writing activities, presentations, and discussions.

2. Deliverables of the Preparation Stage

The deliverable is a proposal to conduct risk assessment exercise or project depending on the extent or size. The proposal should highlight the importance and key benefits of a risk assessment exercise in the context of the organisation’s security objectives.

The following elements need to be presented to the senior management for approval of the risk assessment activity.

i. Scope or Review Boundary – It is advisable that the scope is determined based on core functions of the agency. When the scoping is done for the first RA, only one (1) or two (2) core functions should be looked at. Once experience in performing RA activities is acquired, the agency can extend the boundary to include more processes or functions. Examples of documents that can be reviewed to determine the scope are:

• Client’s charter

• Work procedure manual

• Organisational structure

• Ketua Pengarah’s desk file/ fail meja

• Standard operating procedures

• Annual report.

ii. Manpower – Normally, it will take two (2) full-time RA team members and two (2) part-time staff to identify and analyze risks associated with two (2) core business functions.

iii. Duration – For core functions with approximately 100 assets, and at least two (2) full-time and two (2) part-time RA team members, the whole exercise may take approximately three (3) to four (4) months.

iv. Allocation of Budget – If the personnel of the agency perform the exercise, then the agency must look at costs associated with possible needs for training, software tools, and hiring external consultants. If no internal officers are available, the senior management will need to find alternatives to ensure that the risk assessment activity is performed.

Tasks (Preparation):1. Setting Up A

Preliminary Risk Assessment Team

2. Identify Required Resources

3. Obtain Senior Management Commitment And Approval

Chapter 7 - 41

MyRAM

MA

MPU


3. Obtain Senior Management Commitment and Approval

The proposal may be presented by the preliminary RA team in any suitable platform such as, a simple discussion session, a formal meeting or a more serious formal forum. All pertinent information that would assist in decision making should be tabled clearly and rationalized. The written approval to proceed or otherwise with the RA exercise should be obtained from the senior management.

Besides the endorsement on scope, objectives and timeline, the following

commitment must be solicited:

i. Transparent, continual support of risk assessment activities by senior management.

ii. Formal assignment of RA team members.

iii. General directive to all relevant organisational personnel who may be required to cooperate in terms of information gatherings and sharing.

iv. Agreement on the roles and responsibilities within the risk assessment process.

v. Budget allocation if relevant.

vi. Commitment to review the results and to make informed decisions upon presentation of the RA deliverables at every crucial stage of the RA exercise.

The written approval or acknowledgment from the senior management can be in a form of a letter, memo, e-mail or any formal communication method specifying all the elements being endorsed.

Chapter 7 - 42

MyRAM

MA

MPU


Output:a) Proposalb) A formalcommunicat ion method specifying the members of the preliminary RA team

Table 7.1: Proposal

Table 7.2: Sample of Memo/Letter on Acknowledgement of RA Exercise to Be Conducted

Output (Preparation)

1. Proposal

The output of the preparation stage is a proposal as in table 7.1 and a formal communication in the formal of a memo or letter approving the RA exercise to be conducted as per table 7.2.

Proposal

1.0 Introduction

2.0 Purpose

3.0 Background of Risk Assessment

3.1 Objectives

3.2 Benefits

3.3 Implications

4.0 Recommended Scope

4.1 Scope

4.2 Resources

4.3 Budget

4.4 Timeline

5.0 Authorization

2. Sample of Memo/Letter

Memo/Letter Subject: Acknowledgement of Undertaking RA Exercise

Thanks.

_______________________________

< Approving Authority >

Chapter 8 - 43

MyRAM

MA

MPU

Risk Assessment Process: Risk Assessment Steps

Cha

pter

8: R

isk

Ass

essm

ent P

roce

ss

Intr

oduc

tion

Figu

re 8

.1 b

elow

sho

ws

that

ther

e ar

e te

n (1

0) e

ssen

tial s

teps

alto

geth

er in

a ri

sk a

sses

smen

t (R

A) a

ctiv

ity o

r exe

rcis

e.

Figu

re 8

.1: R

isk

Ass

essm

ent P

roce

ss D

iagr

am

Chapter 8 - 44

MyRAM

MA

MPU

Risk Assessment Process: Introduction

The input for one step of the RA activity may be taken from the output of one of its previous steps.

Table 8.1 below provide the description of each step in the RA process and the subtasks involved in each step.

Table 8.1: Description of RA Steps

Steps Description Task(s) Involved

Establishment of Creates a basic component of a (a) Identify the risk Team (Step 1) risk assessment exercise. The assessment team team members that possess vast members knowledge of the organisation (b) Draw up Tasking are identified. The schedule and Schedule List logistics are also established to ensure the smooth implementation of the whole exercise. Establishment of Determines the scope of the risk (a) Identify the scope of Review Boundary assessment process. The final the risk assessment (Step 2) scope will be submitted to the (b) Obtain approval from senior management for approval. senior management Upon approval, the risk (c) Gather information assessment team will collect all related to the review the relevant materials and boundary information related to the review (d) Prepare the Review boundary. Boundary Document (e) Revisit Step 1 as necessary

Identification of Identifies all the assets which (a) Identify related assets Assets (Step 3) are within the scope of the risk (b) Group and classify assets assessment (review boundary). (c) Identify assets’ owners and custodians (d) Verify and validate the findings of the questionnaires

Valuation of Assets Assigns semi-quantitative values (a) Identify dependencies and Establishment to the assets and determines associated with the of Dependencies their dependencies. assets Between Assets (b) Assign a quantified (Step 4) value to each asset (c) Verify and validate the findings of the questionnaires

Chapter 8 - 45

MyRAM

MA

MPU

Risk Assessment Process: Introduction

Steps Description Task(s) Involved

Assessment of Determines types of threats (a) Create a generic Threat (Step 5) associated with the assets, and threat profile their relative levels. (b) Identify all relevant threats to assets (c) Verify and validate the findings of the questionnaires

Assessment of Identifies all potential (a) Identify potential Vulnerability vulnerabilities which may be vulnerabilities exploited (Step 6) exploited by threats. In addition, by threats it will rate the relative (b) Verify and validate vulnerability exposure levels. the findings of the questionnaires

Identification of Identifies all types of existing & (a) Review existing and Existing & Planned planned safeguards which have planned safeguards for Safeguards been or will be deployed to protecting the assets (Step 7) protect the assets. (b) Verify and validate the findings of the questionnaires

Analysis of Impact Quantifies the business impacts (a) Determine the business (Step 8) of the assets accordingly. The loss calculation will be based on the (b) Determine the impact assets’ values & business loss. levels (c) Verify and validate the findings of the questionnaires

Analysis of Ascertains the likelihood of (a) Determine the likelihood Likelihood threats & vulnerabilities that of threats & (Step 9) may happen, with or without vulnerabilities that safeguard(s) in place. may happen (b) Verify and validate the findings of the questionnaires

Calculation of Calculates the risk level for (a) Calculate the risk level Risk each asset, based on the for each asset (Step 10) impact value & likelihood results.

Chapter 8 - 46

MyRAM

MA

MPU


8.1 Risk Assessment Steps

8.1.1 Step 1: Establishment of Team

Overview of this process

The establishment of the RA Team entails the appointment of RA team leader and members. It is suggested that team leader should be the designated ICTSO of the organisation. As for team members the number and the area of representation depends on the scale of the exercise and the targeted area for risk assessment. The team members are selected carefully based on their level of involvement in the organisation, as well as their experience particularly in the ICT infrastructure and the organisation’s core business.

Goals

The goals of this process are:

1. To obtain dedicated team members.

2. To assign tasks to al l team members with associated roles and responsibilities.

Tasks

1. Identify The Risk Assessment Team Members

The RA team plays a major role in ensuring the success of this exercise. Since this team plays such a role in the assessment, it is of utmost importance to select a string of team members who possess sufficient skills and experience in the ICT infrastructure of the organisation to ensure the smooth implementation of the entire exercise.

a. Risk Assessment Team

The organisational chart for the RA team consists of the project advisor, project manager, team leader(s) or team member(s). It is important to acknowledge that the project advisor plays a vital role in an RA project. The role played is not only as and when advise is required but must conduct final evaluation, reviews and authorization of all output and documents before they are presented to the senior management at all stages and steps of the project.

Members should possess good knowledge of and experience in their organisation’s procedures and have relatively ample knowledge of the ICT infrastructure of the organisation. Representatives from the management and operational (technical) levels are needed to ensure the success of the RA activity.

Tasks (Step 1):1. Identify The Assessment Team Members

2. Draw up Tasking Schedule List

Chapter 8 - 47

MyRAM

MA

MPU


Below is an example of the risk assessment team organisation chart.

Figure 8.2: RA Team Organisation Chart

b. Roles and Responsibilities

The RA Team will be responsible for defining the boundary of the assessment. The members will gather and analyze information as well as produce the risk assessment’s final report. Some other roles and responsibilities include:

i. Stating roles and responsibilities in general for all team members to set the participation expectation for all members.

ii. Gathering, analyzing and reporting the findings of the risk assessment exercise.

iii. Making sure that all tasks are performed properly.

iv. Coordinating logistics and schedules for the exercise.

Depending on the scope or the review boundary of the RA exercise, agency may determine who should be appointed as the project advisor. For example, the role of project advisor could be executed by the Head of Section, Head of Department or business owner. Below are the specific responsibilities for every designated personnel member who is involved in the risk assessment exercise.

ProjectAdvisor

ProjectManager

Team Leader (s)

Team Member (s)

Chapter 8 - 48

MyRAM

MA

MPU


Table 8.2: Roles and Responsibilities for the Risk Assessment Team

Function in RA Team Responsibilities

Project Advisor (a) As the main and only advisory person for the RA exercise.

(b) Ensure the required process(es) and procedure(s) are followed.

(c) Resolve any RA exercise issues. (d) Conduct final evaluations, reviews and authorization of

all output and documents before they are presented to the senior management.

Project Manager (a) Manage the exercise as a whole on a daily basis. (b) Ensure timely completion of the exercise. (c) Works closely with the team leader and team

members. (d) Conduct reviews of all output and documents before

they are presented to the Project Advisor. (e) Reports to: Project Advisor.

Team Leader(s) (a) Regularly ascertain the scope of work. (b) Evaluate results, assess gaps and provide feedback. (c) Perform(s) all tasks defined under each step. (d) Report(s) to: Project Manager.

Team (a) Perform all tasks defined under each step. Member(s) (b) Report(s) to: Team Leader(s).

The recommended experience level in corresponding areas for

other risk assessment team members is as follows:

i. Team Leader: at least one (1) year experience in ICT projects. A background in information security would greatly aid the entire RA exercise’s success.

ii. Team Members: no risk assessment experience or training necessary, though experience in ICT recommended.

2. Draw up Tasking Schedule List

The risk assessment team will identify some basic necessities of logistics and will notify the management of its scheduled tasks. The purpose of the schedule is to ensure that all team members are aware of the time allocated for specific tasks and to make sure that none of the organisation’s operations is interrupted.

The activities included in the schedule (using a Gantt Chart as one of the tools) are:

(a) Activities (Tasks) (b) Duration (c) Start Date and Finish Date (d) Assigned Personnel (e) Venue

Chapter 8 - 49

MyRAM

MA

MPU


Resources (such equipment) need to be allocated for the following tasks: (a) Establishment of Review Boundary (b) Identification and Valuation of Assets (Step 3 and Step 4) (c) Assessment of Threats (Step 5) (d) Assessment of Vulnerabilities (Step 6) (e) Identification of Safeguards (Step 7) (f) Analysis of Impacts (Step 8) (g) Analysis of Likelihood (Step 9) (h) Calculation of Risk (Step 10)

Documents produced for Establishment of Team (Step 1): 1. Team Member List 2. Tasking Schedule List

Chapter 8 - 50

MyRAM

MA

MPU


Output (Step 1):a) Team Member Listb) Tasking Schedule List

MyRAM/Form/S1-1.0

Output (Step 1):

1. Team Member List

The team member list contains the names of the team members, their respective job functions, and the associated sector/unit/department/division/vendor. A letter, memo, e-mail or any formal communication method of appointment will be attached together with this Team Member List for the official establishment of this RA team. The format of the memo or letter can vary depending on the agency’s format. CIO as the senior management personnel would approve the form. A sample format of the Team Member List is as in Table 8.3.

Table 8.3: Team Member List

No. Name Job Sect/Unit/Dept/ RA Function Function Div/Vendor

Prepared by: Reviewed by: Approved by:

Note: The sign-offs should be with the official stamp.

2. Tasking Schedule List

The tasking schedule list contains tasks, personnel, and duration. Table 8.4 is a sample format of the Tasking Schedule List.

Table 8.4: Tasking Schedule List

No Activity Venue SRA Team Date Task Details

1.0 Activity Name (Y Days : Start Date – End Date)

Output: 1. Output A



MyRAM/Form/S1-2.0

Chapter 8 - 51

MyRAM

MA

MPU


8.1.2 Step 2: Establishment of Review Boundary


The appointed Team Leader(s) and Project Manager should initiate this step, Step 2: Establishment of Review Boundary. The team will gather some basic information on key business operations of the organisation. Several key personnel should be interviewed as part of the information-gathering activity related to the ICT infrastructure. A review boundary must be identified and justified. The results should be tabled for further approval and endorsement by the senior management before the risk assessment process is taken to another level.

Goals

The goals of this process are;

1. To identify the appropriate review boundary.

2. To get consensus and approval from the senior management on the agreed review boundary.

Tasks

1. Identify the Scope of the Risk Assessment

The team will gather basic information regarding the key business operations of the organisation. All the relevant business processes are reviewed and studied closely. At this point, there will be several discussion sessions, interviews and meetings with the operational area key personnel. The requirements put forward will be officially documented and presented to the senior management. The scope of the review boundary can take various forms as outlined below:

(a) By assets.

(b) By business processes or functions.

(c) By departments.

Nevertheless, it is recommended that the team use the core business functions or processes as its review boundary. This is in line with the requirement stipulated in BS 7799.

However, if they deem it fit, agencies can use assets or departments/divisions as the basis of their scope of boundary. Those agencies that do not have a significant amount of ICT assets (hardware, software, services, people, or data/information) may want to use assets as their scope of review boundary. Agencies that have multiple complex departments/divisions may choose to use those departments/divisions as their scope of review boundary.

Final approval and endorsement from the senior management is required before the whole exercise of analyzing and identifying risks can commence. The subsequent steps for the entire RA activity are based on the review boundary approved by the senior management.

Tasks (Step 2):1. Identify the scope of the risk assessment2. Obtain approval from senior management3. Gather information related to the review boundary4. Prepare the Review Boundary Statement Document5. Revisit Step 1 as necessary.

Chapter 8 - 52

MyRAM

MA

MPU


2. Obtain Approval from Senior Management

Before obtaining approval from senior management on the review boundary or scope of the risk assessment, the project advisor must review and finalize the documents for approval. Approval from senior management is required to ensure senior management is committed to the RA activity.

3. Gather Information Related to the Review Boundary

The list of questionnaires as listed in Annex D must be answered by the asset owner, custodian or relevant personnel and noted by the RA team. Some of the questions may need to be forwarded to others, either from the management or operational groups, for answers and clarification. The findings to the questionnaires in Annex D will assist the RA team in analyzing the current posture of the infra and info structure of the defined scope. These questionnaires are not limited to this step only. Some of the questions may need to be asked at other steps, namely Step 3 through Step 9. Some of the findings may need to be re-examined to ensure completeness and authenticity at other steps as well.

Relevant documentation, files (in hard and soft copies), and agreements as well as any proprietary documentation which relates directly and indirectly to the agreed scope are gathered.

Some means of information gathering include the following documents:

(a) Network Topology.

(b) Service-Level Agreements.

(c) Security Policies.

(d) Standard Operating Procedures.

(e) Corporate Information security Statements.

(f) Process Flow of Business Functions.

To complement the above documents, the RA team may use other means for information gathering, such as interviews and additional tools, for example network topology scanning tool.

The documents required during this task are not limited to those of the list above. Any relevant documents deemed necessary should be analyzed as well.

MyRAM must also benefit by making use of existing support services and recorded information in the Malaysian Public Sector. The risk assessment team may obtain relevant information from the Jabatan Perkhidmatan Awam (JPA), Jabatan Kerja Raya (JKR), building maintenance contractor, Office of Chief Government Security Officer (CGSO) and other supporting agencies.

4. Prepare the Review Boundary Document

The Review Boundary Document is as per Output (Step 2) of this methodology. The risk assessment team needs to justify the content for every topic in the document. It is in this document that we will know vital information such as purpose of the risk assessment (RA) exercise, core businesses, supporting business process and external interfaces involved in the RA scope. Apart from that, personnel, information assets, sites/buildings information are also analyzed.

Chapter 8 - 53

MyRAM

MA

MPU


Risks which are imported and exported to and from an agency are disclosed in the External Interfaces section. This section deliberates on third parties (external interfaces) involved and the risks they carry into or out of an agency. The RA team should take note of these risks in order for them to estimate the final risk. Depending on the scope or the review boundary of the RA exercise, only then can an agency determine who will give approvals for the output produced in the RA steps. For example, approval can be given by the Head of Section, Head of Department or business owner. Senior management must also be made aware of these risks in order for them to decide whether to accept, reduce, transfer or avoid them.

5. Revisit Step 1 as Necessary

After the review boundary is established, it may be necessary to revisit Step 1 to ensure that the team established is sufficient in number and skill.

Documents produced for the Review Boundary (Step 2):

1. Review Boundary Statement.

2. List of Related Materials Used.

3. List of Questionnaires With Findings

Output (Step 2)

The following are sample output documents of step 2.

1. Review Boundary Document

Table 8.5: Review Boundary Document

Output:

a) Review Boundary Documentb) List of Related Materials Usedc) List of Questionnaires With Findings

Table of ContentAcronymsList of FiguresList of Tables

1.0 Purpose2.0 Background of Review Boundary3.0 Review Boundary Statement4.0 Key Business Processes and Functions5.0 Supporting Business Processes6.0 External Interfaces7.0 Personnel Involved in the Scope8.0 Information Assets9.0 Sites/Buildings10.0 Conclusion


< Project Manager > < Project Advisor > < Senior Management Personnel >


Chapter 8 - 54

MyRAM

MA

MPU


2. List of Related Materials Used

Table 8.6: List of Related Materials Used

MyRAM/Form/S2-2.0

Name Description

Prepared by: Approved by:

< Team Leader > < Project Manager >


3. List of Questionnaires With Findings

Table 8.7: List of Questionnaires

MyRAM/Form/S2-3.0

By Who (Function No. Question Answer Remark or Name – If Applicable)

Notes: (a) A sign-off for the questionnaires is required at the High-level Recommendations

stage. (b) The sign-offs should be with the official stamp.

Chapter 8 - 55

MyRAM

MA

MPU


8.1.3 Step 3: Identification of Assets


The appointed Team Leader(s) should initiate this step, Step 3: Identification of Assets. The team members will be heavily involved throughout the process. Discussions as well as interviews with all relevant systems owners and custodians are means of getting necessary information on assets. Assets in the context of information security management may be in three forms;

• information assets represent the organisation’s critical data and information, either physical or electronic form;

• technical assets represent those that support the storage, transmission, and processing of data and information which are an important means to transforming data and information for use by the organisation;

• people can be an asset to the organisation because they can be the primary way of storing, transporting, and processing data.

All relevant assets within the review boundary established in Step 2 needs to be identified by the risk assessment team. These assets will be placed in their respective categories for ease of processing at a later step. The assets will be verified for the correctness of the classification, assets’ descriptions and further un-documented utilization of the assets.

Goals

The goals of this step are;

1. To gather all the assets to be assessed (in relation to the agreed review boundary).

2. To verify the validity of each asset before the assessment begins.

Tasks

1. Identify Related Assets

This is one of the most important steps in the entire risk assessment activity. All assets that are within the scope of the review boundary are to be identified. Various techniques of asset-gathering can be utilized. The most popular gathering method is by scheduling brainstorming sessions where the risk assessment team sits down with all the participants and comes up with answers to questions like:

• “What are your most important assets in your daily job?”

• “Are there any specific policies to protect the assets?”

• “What will happen if an asset is compromised?”

2. Group and Classify Assets

After gathering all the important assets that need to be assessed, the team has to classify all the assets based on each one’s classification:

(a) Hardware (b) Software (c) Services (d) Data or Information (e) People

Tasks (Step 3):

1. Identify Related Assets2. Group and Classify Assets3. Identify Assets’ Owners and Custodians4. Verify & Validate the Findings of the Questionnaires

Chapter 8 - 56

MyRAM

MA

MPU


In some cases, the ICTSO will decide whether the identified asset is a hardware, software or services asset based on the more dominant classification of the asset. For example, in certain cases, a firewall can either be a hardware or software asset. Following is the asset classification with detailed descriptions.

Table 8.8: Asset Classification and Description

Classification Definitions

Hardware A tangible asset which is used to support the information-processing and storage facilities of the organisation.

Examples: computers, servers, communication equipment, safes, etc.

Software Application software or system software such as operating systems, database systems, networking system software, or office applications that provide information-processing facilities to the organisation.

Examples: applications, development tools, utilities, system software, etc.

Services Services or systems (not in nature of standalones (Accessibility physical hardware or software) that support other assets Services and to perform their functions. For examples:SupportingServices) (a) Accessibility services ii. Network services such as LAN, WAN, etc. iii. Access Restriction System such as card access

system. (b) Supporting services – utilities such as electricity, air-

condition, and suppression fire system, etc.Data or Documented (paper or electronic) information or Information intellectual information which is used to meet the missions

and/or objectives of the organisation. Examples: system documentation, operational procedures,

business records, clients’ profiles, etc.People Persons who have knowledge and skills to conduct the

daily in-scope business functions of agencies in order to achieve business objectives or missions. The People assets are listed based on their respective job functions, instead of the individual personnel members.

Examples: general managers, software engineers, system administrators, etc.

3. Identify Assets Owners and Custodians

Each asset identified must have its owner and/or a custodian. The owners and custodians will need to verify the validity and correctness of the related information gathered. The assets identified are those owned by the processes or departments defined in the previous step – Step 2. In order to minimize efforts in identifying relevant assets within the Review Boundary, the RA team may refer to the Borang KEW 313 which contains a comprehensive inventory list of assets in government agencies.

Chapter 8 - 57

MyRAM

MA

MPU


4. Verify and Validate the Findings of the Questionnaires

The questionnaires distributed and asked in Step 2 need to be revisited. The findings need to be verified and validated to ensure completeness and authenticity.

Note: A sign-off for the questionnaires is required at the High-level Recommendations stage.

Document produced for Identification of Assets (Step 3):

1. List of Assets.

Output (Step 3)


1. List of Assets

Table 8.9: List of Assets

Output:a) List of Assets

MyRAM/Form/S3-1.0




No. Asset Asset Asset Owner Custodian Location Description Group ID Name of Asset

8.1.4 Step 4: Valuation of Assets and Establishment of Dependencies between Assets


The appointed Team Leader(s) should initiate this step, Step 4: Valuation of Asset and Establishment of Dependencies between Assets. The team members will be heavily involved in this step. Discussions as well as interviews will be held during this period of time to gather necessary information for valuing of assets.

All of the identified assets will be assigned with values based on the concept of Confidentiality, Integrity and Availability (CIA). Each rating will be based on the value of the assets in relation to CIA that is agreed upon by the owners or custodians.

In addition, the dependencies of the assets are determined to gauge their criticality within the infrastructure.

Chapter 8 - 58

MyRAM

MA

MPU


Tasks:1. Identify Dependencies Associated with The Assets2. Assign a Quantified Value to Each Asset3. Verify & Validate the Findings of the Questionnaires

Goals


1. To establish the dependencies of the assets.

2. To assign a quantified value to each identified asset.

Tasks

1. Identify Dependencies Associated with The Assets

Most of the assets in any organisation are not independent or ‘stand-alone’. Usually they interact with other assets - hardware, software, services, information. The dependency relationship must be identified and verified by the owners and custodians, including the owners of any supporting assets. Only immediate “neighbours” of the assets which are within the scope of the review boundary will be examined. For example, the asset in question (or within the scope), asset A, depends on asset B. B is also within the scope, but it depends on C, which is not. When considering the dependencies between assets, we look only at the immediate “neighbours” (in this example, asset B. Asset C is not considered as an immediate “neighbour”).

2. Assign a Quantified Value to Each Asset

As it is hard for the team as well as the owners to place a monetary value on each asset, a quantified value based on the Confidentiality, Integrity and Availability (CIA) will be assigned instead.

Notes:

(a) Agencies can modify the example criteria used to fit into the agencies’ environments.

(b) Project advisor must advise the RA team the importance of giving realistic asset values to ensure no false risk rating result.

Table 8.10 details out the descriptions of CIA.

Table 8.10: CIA Descriptions

CIA Description

Confidentiality (C) This is the effect on the system and/or the organisation that would result from the deliberate, unauthorized or inadvertent disclosure of the asset. The effect of unauthorized disclosure of confidential information can result in loss of public confidence, embarrassment, or legal action against the organisation.

Integrity (I) This is the effect on the system and/or the organisation that would result from deliberate, unauthorized or inadvertent modification of the asset. If the loss of system or data integrity is not corrected, continued use of the contaminated system or corrupted data could result in inaccuracy, fraud, or erroneous decisions. Also, violation of integrity may be the first step in a successful attack against system availability or confidentiality. For all these reasons, loss of integrity reduces the assurance of a system.

Chapter 8 - 59

MyRAM

MA

MPU


Availability (A) This is the effect on the system and/or the organisation that would result from deliberate or accidental denial of the asset’s use. If a mission-critical system is unavailable to its end users, the organisation’s mission may be affected. Loss of system functionality and operational effectiveness, for example, may result in loss of productive time, thus impeding the end users’ performance of their functions in supporting the organisation’s mission.

The next table (Table 8.11: Assets Group with Their Respective CIA) explains

that the Confidentiality, Integrity, and Availability values must be taken into consideration when it comes to asset groups of Hardware, Software, Services and Data/Information. For the asset group of People, only the Confidentiality and Availability values need to be considered.

Table 8.11: Assets Group with Their Respective CIA

Asset Group Confidentiality(C) Integrity (I) Availability(A)

Hardware √ √ √

Software √ √ √

Services

(a) Accessibility Services √ √ √

(b) Supporting Services N/A N/A √

Data/Information √ √ √

People √ N/A √

Notes:

(a) Integrity is not applicable for People Asset Group as it is immeasurable or unquantifiable.

(b) Confidentiality and integrity for Supporting Services Asset Group is immeasurable or unquantifiable.

Legend:

√ Taken into consideration

N/A Not applicable (Not taken into consideration)

In considering the values of the CIA for assets identified, the RA team, owners and custodians must be mindful of the dependencies of assets. Some assets may not be critical on their own, however may become critical when considering the type of information stored or when other assets depend on availability of the assets in question.

Agencies must decide what the acceptable, tolerable downtime for the Hardware, Software, Services and Data/Information types of assets when considering the Availability factor. The next tables (Table 8.12: Hardware Value Rating, 8.13:

CIA Description

Chapter 8 - 60

MyRAM

MA

MPU


Software Value Rating, 8.14: Accessibility Services Value Rating, 8.15: Supporting Services Value Rating, 8.16: Data/Information Value Rating and 8.17: People Value Rating) provide examples of tolerable downtime.

If there is a case where the attributes fall under two (2) or more different levels (for example, the “Description” falls under both Low and Medium levels in Table 8.12: Hardware Value Rating), then best judgment must be made. The owners must at the end decide what would best describe the asset value rating for the hardware piece in question.

The following are guidelines on assigning a value to asset. Each agency must decide what is the best way of determining the asset values):

(a) Identify the highest value among the CIA values and use this value as the final value for the asset. For example for Hardware asset #1, the “C” value is Medium, the “I” value is Low, and the “A” value is High, then the final asset value is High. The same concept applies to all types of assets.

(b) A three (3)-quadrant value-rating table is used in evaluating the CIA values resulting in a three (3)-level asset values. The following six (6) tables provide guidelines on how to determine assets’ values. Agencies can modify the criteria used in the following tables (Table 8.12: Hardware Value Rating, 8.13: Software Value Rating, 8.14: Accessibility Services Value Rating, 8.15: Supporting Services Value Rating, 8.16: Data/Information Value Rating and 8.17: People Value Rating) to fit into the agencies environments.

Table 8.12: Hardware Value Rating

Value Rating Description

C:

The hardware device is used maximally in processing and/or storing information that is classified as “Terbuka” in the Malaysian Public Sector.

I:

Low Security breaches to the device could result in loss of public confidence. However, information is insignificantly affected and the loss of functionality is minimal.

A:

The processes will still be operational or functional but slow if the time of unavailability of the devices is more than 2 weeks.

C:

The hardware device is used maximally in processing and/or storing information that is classified as restricted and/or confidential or termed as “Terhad” and/or “Sulit” in the Malaysian Public Sector.

I:

Medium Security breaches to the device could result in loss of public confidence, inaccuracy, fraud, or erroneous decisions, as well as cause the organisation’s mission to be affected with some losses of functionality and operational effectiveness.

A:

Some of the operations/functions will be suspended if the time of unavailability of the device is between 1 to 2 weeks.

Chapter 8 - 61

MyRAM

MA

MPU



C:

The hardware device is used maximally in processing and/or storing information that is classified as highly confidential or termed as “Rahsia” and/or “Rahsia Besar” in the Malaysian Public Sector.

I:

High Security breaches to the device could result in loss of public confidence, inaccuracy, fraud, or erroneous decisions, as well as cause significant loss of core functions and operational effectiveness.

A:

The operations/functions will stop if the time of unavailability of the device is less than or equal to 1 week.

Table 8.13: Software Value Rating


Low C:

The software package or application is used maximally in processing and/or storing information that is classified as “Terbuka” in the Malaysian Public Sector.

I:

Security breaches to the software could result in loss of public confidence; however, information is insignificantly affected and the loss of functionality is minimal.

A:

The processes will still be operational or functional but slow if the time of unavailability of the software is more then 2 weeks.

C:

The software package or application is used maximally in processing and/or storing information that is classified as restricted and/or confidential or termed as “Terhad” and/or “Sulit” in the Malaysian Public Sector.

I:

Medium Security breaches to the software could result in loss of public confidence, inaccuracy, fraud, or erroneous decisions, as well as cause the organisation’s mission to be affected with some losses of functionality and operational effectiveness.

A:

Some of the operations/functions will be suspended if the time of unavailability of the software is between 1 to 2 weeks.

Chapter 8 - 62

MyRAM

MA

MPU


C:

The software package or application is used maximally in processing and/or storing information that is classified highly confidential or termed as “Rahsia” and/or “Rahsia Besar” in the Malaysian Public Sector.

I:

High Security breaches to the software could result in loss of public confidence, inaccuracy, fraud, or erroneous decisions, as well as cause significant loss of core functions and operational effectiveness.

A:

The operations/functions will stop if the time of unavailability of the software is less than or equal to 1 week.

Table 8.14: Accessibility Services Value Rating


C:

The services are used maximally in transferring information that is classified as “Terbuka” in the Malaysian Public Sector.

I:

Low Security breaches to the services component could result in loss of public confidence; however, information is insignificantly affected and the loss of functionality is minimal.

A:

The processes will still be operational or functional but slow if the time of unavailability of the services is more than 2 weeks.

C:

The services are used maximally in transferring information that is classified as restricted and/or confidential or termed as “Terhad” and/or “Sulit” in the Malaysian Public Sector.

I:

Medium Security breaches to the services could result in loss of public confidence, inaccuracy, fraud, or erroneous decisions, as well as cause the organisation’s mission to be affected with some losses of functionality and operational effectiveness.

A:

Some of the operations/functions will be suspended if the time of unavailability of the services is between 1 to 2 weeks.


Chapter 8 - 63

MyRAM

MA

MPU



High C:

The services are used maximally in transferring information that is classified as highly confidential or termed as “Rahsia” and/or “Rahsia Besar” in the Malaysian Public Sector.

I:

Security breaches to the services could result in loss of public confidence, inaccuracy, fraud, or erroneous decisions, as well as cause significant loss of core functions and operational effectiveness.

A:

The operations/functions will stop if the time of unavailability of the services are less than or equal to 1 week.

Table 8.15: Supporting Services Value Rating


Low A:

The processes will still be operational or functional but slow if the time of unavailability of the services is more than 24 hours.

Medium A:

Some of the operations/functions will be suspended if the time of unavailability of the services is between 6 to 24 hours.

High A:

The operations/functions will stop if the time of unavailability of the services are less than or equal to 5 hours.

Table 8.16: Data/Information Value Rating


C:

The data/information that is classified as “Terbuka” in the Malaysian Public Sector.

I:

Low Any security breaches would affect the security objectives of the organisation. However, they would NOT introduce operational issues.

A:

The processes will still be operational or functional but slow if the time of unavailability of information is more than 2 weeks.

Chapter 8 - 64

MyRAM

MA

MPU


C:

The data/information that classified as restricted and/or confidential or termed as “Terhad” and/or “Sulit” in the Malaysian Public Sector.

I:

Medium Any security breaches would not cause significant damages; however, they would introduce operational issues as well as insignificant loss of public confidence.

A:

The non-critical operations/functions will be temporarily suspended if the time of unavailability of information is between 1 to 2 weeks.

C:

The data/information that is classified as highly confidential or termed as “Rahsia” and/or “Rahsia Besar” in the Malaysian Public Sector.

I:

High Any security breaches would cause significant damages to some of the business functions and threaten the survival of the organisation.

A:

The operations/functions will stop if the time of unavailability of information is less than or equal to 1 week.

Table 8.17: People Value Rating


C:

The role of the personnel requires him/her to handle* “Rahsia” and/or “Rahsia Besar” information less than 10% of the time, and “Sulit” and/or “Terhad” information less than 10% of the time,

Low and “Terbuka” information most of the time.

A:

If the personnel is unavailable,

• operations in the organisation will meet objectives, however

• operations are slow compared to normal/usual.


Chapter 8 - 65

MyRAM

MA

MPU


C:

The role of the personnel requires him/her to handle* “Rahsia” and/or “Rahsia Besar” information less than 20% of the time, and “Sulit” and/or “Terhad” information less than 20% of the time.

Medium A:

If the personnel is unavailable:

• operations in the organisation will meet objectives, however

• certain operations will be put on hold temporarily, nevertheless, it can still be passed on to another personnel member with the same role for handling.

C:

The role of the personnel requires him/her to handle “Rahsia” and “Rahsia Besar” information more than 20% of the time.

A:

High If the personnel is unavailable:

• operations in the organisation will fail to meet their objectives.

• most or all critical processes will have to be suspended with no substitutions.

Note:

The term “handle” here does NOT refer to handling by couriers. It refers to handling of information by authorized personnel who can read or see the information.




Document produced for Valuation of Assets and Establishment of Dependencies between Assets (Step 4):

1. Summary of Asset Value and Dependencies.


Chapter 8 - 66

MyRAM

MA

MPU


Output:a) Summary of Asset Value and Dependencies

Output (Step 4)


1. Summary of Asset Value and Dependencies

Table 8.18: Summary of Asset Value and Dependencies

MyRAM/Form/S4-1.0

8.1.5 Step 5: Assessment of Threats


\The appointed Team Leader(s) should initiate this step, Step 5: Assessment of Threats. The team members will be heavily involved in this step. Discussions as well as interviews will be held during this period of time to gather necessary information for determining threats.

A generic threat profile now needs to be created. It will consist of the related threat list (based on the catalogue provided in Annex A), as well as other related threats that are not on the list. For consistency and relevance, owners and custodians will need to be consulted accordingly. Each asset will then be mapped to the associated threats.

Goals


1. To produce a generic organisational threat profile.

2. To identify all relevant threats to assets.

Tasks

1. Create A Generic Threat Profile

Based on the provided threat list in Annex A, the team will come up with a threat profile specific to the organisation. The simple guidelines below can be used to create the generic organisational threat profile.

C I ANo. Asset

GroupAsset

IDAsset Name

Value Asset Depended

On

Dependent Asset

Asset Value


< Team Leader >


Tasks (Step 5):1. Create A Generic Threat Profile2. Identify All Relevant Threats

Chapter 8 - 67

MyRAM

MA

MPU


To Asset3. Verify and Validate The Findings of The Questionnaires

Output:a) Generic Threat Profileb) Relevant Threats


(a) Threats which have occurred before.

(b) Threats which may occur if there is no pro-active prevention action taken.

(c) Threats which may occur even if proactive prevention has been taken.

2. Identify All Relevant Threats To Assets

All assets that have been identified in Step 3 are mapped to their relevant threats. One asset may correspond to various threats. This task will be initiated by the risk assessment team and will, at a later stage, be verified by owners and custodians.


The questionnaires (provided in Annex D) distributed and asked in Step 2 need to be revisited. The findings need to be verified and validated to ensure completeness and authenticity.

Notes:

(a) To avoid a ‘false’ risk rating at the end of the risk assessment process, careful assessment must be done when identifying the threats.

(b) A sign-off for the questionnaires is required at the High-level Recommendations stage.

Document(s) produced for Threat Assessment (Step 5) are:

1. Generic Threat Profile.

2. Relevant Threats to Assets.

Output (Step 5)


1. Generic Threat Profile

Table 8.19: Generic Threat Profile

MyRAM/Form/S5-1.0

Threat Threat ID Threat Name Threat Description Group


< Team Leader >

Chapter 8 - 68

MyRAM

MA

MPU


2. Relevant Threats to Assets

Table 8.20: Relevant Threats

8.1.6 Step 6: Assessment of Vulnerabilities


The appointed Team Leader(s) should initiate this step, Step 6: Assessment of Vulnerabilities. The team members will be heavily involved in this step. Discussions as well as interviews will be held during this period of time to gather necessary information for determining vulnerabilities.

All potential vulnerabilities that may be exploited by threats (Step 5) are identified. The generic vulnerability catalogue is in Annex B. These vulnerabilities must be thoroughly reviewed.

Goals

The goal of this step is specifically to determine the vulnerabilities for each asset.

Tasks

1. Identify Potential Vulnerabilities Exploited By Threats The respective vulnerabilities which may compromise the security of assets need to

be identified. In most cases, assets that belong to the same classification or group have the same vulnerabilities. However, this is not always true.

Based on the vulnerability list provided in Annex B, the team will come up with a vulnerability profile specific to the assets identified. One asset may have several vulnerabilities. The list created needs to be verified by the team, the owners, and the custodians of the assets.

2. Verify and Validate the Findings of the Questionnaires The questionnaires distributed and asked in Step 2 need to be revisited. The findings

need to be verified and validated to ensure completeness and authenticity.


Document produced for Vulnerability Assessment (Step 6):

1. List of Potential Vulnerabilities to Assets.

MyRAM/Form/S5-2.0

No. Asset Group

Asset ID Asset Name

Threat Group

Threat ID Threat Name


< Team Leader >


Tasks (Step 6):1. Identify Potential Vulnerabilities Exploited By Threats2. Verify and Validate Findings of The Questionnaires

Chapter 8 - 69

MyRAM

MA

MPU


Out

put (

Step

6)

A s

ampl

e ou

tput

doc

umen

t for

this

ste

p is

as

per t

able

8.2

1.

1.

Lis

t of P

oten

tial V

ulne

rabi

litie

s To

Ass

ets

Tabl

e 8.

21: L

ist o

f Pot

entia

l Vul

nera

bilit

ies

to A

sset

s

M

yRAM

/For

m/S

6-1.

0

N

o.

Ass

et

Ass

et I

D

Ass

et

Thr

eat

Thr

eat

Thr

eat

Vuln

erab

ility

Vu

lner

abili

ty

Vuln

erab

ility

Gro

up

N

ame

Gro

up

ID

Nam

e G

roup

ID

N

ame

Pr

epar

ed b

y:

Rev

iew

ed b

y:

App

rove

d by

:

<

Team

Lea

der >

<

Proj

ect M

anag

er >

N

ote:

The

sig

n-of

fs s

houl

d be

with

the

offic

ial s

tam

p.

Out

put:

a) L

ist O

f Po

tent

ial

Vul

nera

bilit

ies

to A

sset

s

Chapter 8 - 70

MyRAM

MA

MPU


8.1.7 Step 7: Identification of Existing and Planned Safeguards


The appointed Team Leader(s) should initiate this step, Step 7: Identification of Existing and Planned Safeguards. This step is to determine the relevant existing or planned safeguards for each identified asset. Chosen planned safeguard must be based on Annex C: Generic Safeguard List.

Goal

The goal of this step is specifically to identify all relevant existing and planned safeguards or controls for each asset.

Tasks

1. Review Existing and Planned Safeguards For Protecting the Assets

Safeguards (control)s are identified. The types of safeguards that need to be considered are classified according to the ten (10) domains in Annex C which are as the following:

(a) Security Policy

(b) Organisational Security

(c) Asset Classification and Control

(d) Personnel Security

(e) Physical and Environmental Security

(f) Communications and Operations Management

(g) Access Control

(h) System Development and Maintenance

(i) Business Continuity Management

(j) Compliance

One asset may have several safeguards already in-placed or planned. Project advisors must consider the most cost effective safeguards in his/her recommendations.




Document produced for Identification of Existing and Planned Safeguards/Controls (Step 7):

1. Existing and Planned Safeguards.

Tasks (Step 7):1. Review Existing and Planned Safeguards for Protecting The Assets2. Verify and Validate The Findings of The Questionnaires

Chapter 8 - 71

MyRAM

MA

MPU


Out

put (

Step

7)

A s

ampl

e ou

tput

doc

umen

t for

this

ste

p is

as

per t

able

8.2

2.

1.

Exi

stin

g an

d Pl

anne

d Sa

fegu

ards

Tabl

e 8.

22: E

xist

ing

and

Plan

ned

Safe

guar

ds

M

yRAM

/For

m/S

7-1.

0

N

o.

Ass

et

Ass

et I

D

Ass

et

Thr

eat

Thr

eat

Thr

eat

Safe

guar

d

Cur

rent

Ty

pe

Gro

up

N

ame

Gro

up

ID

Nam

e ID

with

Sa

fegu

ard

Rel

ated

So

lutio

n

Sa

fegu

ard

Nam

e

Exi

stin

g Pl

anne

d

Pr

epar

ed b

y:

Rev

iew

ed b

y:

App

rove

d by

:

<

Team

Lea

der >

<

Proj

ect M

anag

er >

N

ote:

The

sig

n-of

fs s

houl

d be

with

the

offic

ial s

tam

p.

Out

put:

a) E

xist

ing

and

Plan

ned

Safe

guar

ds

Chapter 8 - 72

MyRAM

MA

MPU


8.1.8 Step 8: Analysis of Impact


The appointed Team Leader(s) should initiate this step, Step 8: Analysis of Impact. The team members will be heavily involved in this step. Discussions as well as interviews will be held during this period of time to gather necessary information for determining impact to the agencies if an asset is compromised.

The impact value resulting from a specific asset being compromised (damaged, destroyed, or stolen) is quantified. Output from several of the previous steps is used here as input.

Goals

The goals for this step are;

1. To determine the business loss if an asset is compromised.

2. To determine the impact level of each compromised asset.

Tasks

1. Determine The Business Loss

When considering the business loss on assets, it may be necessary to consider not only the replacement value of the assets, but also their reputation value, since not all assets can be quantified. However, while it is hard to put a value on reputation, business loss calculation due to compromise of reputation may be determined by the highest decision-making authority with consensus from the respective people involved with the asset.

In determining the business loss of each asset, the following guidelines can be used. Agencies can modify the criteria used in the tables (Table 8.23: Business Loss Value Rating - Hardware, 8.24: Business Loss Value Rating - Software, 8.25: Business Loss Value Rating - Services, 8.26: Business Loss Value Rating – Data/Information and 8.27: Business Loss Value Rating - People) to fit into the agencies’ environments. As one can see, three (3)-quadrant value-rating tables are used here in evaluating the business impact.

For the asset group of Hardware, Software and Services, the business loss value rating tables 8.23, 8.24 and 8.25 are used respectively. Please refer to the aforementioned tables when assigning hardware, software or services values.

Notes:

(a) Agencies can modify the criteria used to fit into the agencies’ environments.

(b) Project advisor must advise the RA team the importance of giving realistic asset values to ensure no false risk rating result.

Tasks (Step 8):1. Determine The Business Loss2. Determine The Impact Levels3. Verify and Validate The Findings of The Questionnaires

Chapter 8 - 73

MyRAM

MA

MPU


Table 8.23: Business Loss Value Rating – Hardware

Business Explanation and OutcomeLoss Level

Low The impact of loss or unavailability of the asset is minor or negligible and will NOT bring any financial loss. Security breaches to the device will NOT cause disruptions to conduct daily operations of the organisations.

Medium The impact of loss or unavailability of the asset is considerable and could possibly bring financial loss. Security breaches to the device could result in inconveniences/disruptions to conduct daily operations of the organisations.

High The impact of loss or unavailability of the asset is intolerable and could bring high financial loss. Security breaches to the device could result in total disruptions to conduct daily operations of the organisations.

Table 8.24: Business Loss Value Rating – Software


Low The impact of loss or unavailability of the software package or application is minor or negligible and will NOT bring any financial loss. Security breaches to the software will NOT cause disruptions to conduct daily operations of the organisations.

Medium The impact of loss or unavailability of the software package or application is considerable and could possibly bring financial loss. Security breaches to the software could result in inconveniences /disruptions to conduct daily operations of the organisations.

High The impact of loss or unavailability of the software package or application is intolerable and could bring high financial loss. Security breaches to the software could result in total disruptions to conduct daily operations of the organisations.

Chapter 8 - 74

MyRAM

MA

MPU


Table 8.25: Business Loss Value Rating – Services


Low The impact of loss or unavailability of the asset is minor or negligible and will NOT bring any financial loss. Security breaches or interruption to the service(s) will NOT cause disruptions to conduct daily operations of the organisations.

Medium The impact of loss or unavailability of the asset is considerable and could possibly bring financial loss. Security breaches or interruption to the service(s) could result in inconveniences /disruptions to conduct daily operations of the organisations.

High The impact of loss or unavailability of the asset is intolerable and could bring high financial loss. Security breaches or interruption to the service(s) could result in total disruptions to conduct daily operations of the organisations.

For the asset group of Data/Information, reputation values, as well as efforts required in replacing and/or recovering information compromised can be used. To better explain the process in determining business loss for asset group of Data/Information, please refer to the guideline in Table 8.26: Business Loss Value Rating – Data/Information. If there is a case where the attributes fall under two (2) different levels (for example, the “Explanation and Outcome” falls under both Low and Medium levels in Table 8.26: Business Loss Value Rating – Data/Information), then best judgment must be made. The owners must then decide what would best describe the business loss value rating for the data or information in question.

Table 8.26: Business Loss Value Rating – Data/Information


Low No loss of confidence by the public or other parties. Requires very minimal resources in terms of time, and personnel with minimal skills needed to replace and/or recover the information.

Medium Some loss of confidence by the public or other parties. Requires some resources, in terms of time, with personnel with minimal skills needed to replace and/or recover the information.

High Total loss of confidence by the public or other parties. Requires significance resources in terms of time, with skilful and qualified personnel needed to replace and/or recover the information.

For the asset group of People, qualitative replacement values can be used. To do so, the RA team needs to consider the knowledge, and skills required by the job functions. To better explain the process in determining business loss for asset group of People, please refer to the guideline Table 8.27.

Chapter 8 - 75

MyRAM

MA

MPU


Table 8.27: Business Loss Rating – People


Low Understanding of the business processes and some skills required.

Medium Substantial knowledge and skills in handling business process with minimal guidance required.

High Must be extremely knowledgeable and the only reference for the subject matters with vast skills in relation to the business processes.

2. Determine The Impact Levels

At this point the asset value variable that was discovered in Step 4 is utilized. Impact is a function of asset value and business loss of a particular asset.

The impact level matrix table below is a recommended table. It is derived from experiences in RA activities carried out for telecommunication and financial institutions. An agency may come up with another matrix table that may represent its organisation better than what is presented here.

Impact = Function (Asset Value, Business Loss)

If three (3)-quadrant value-rating tables are used throughout the whole exercise, then a three (3)-quadrant matrix table needs to be used here as well.

Table 8.28: Impact Level Matrix

Business Asset Value

Loss Low Medium High

Low L L M

Medium L M H

High M H H

Legend of Impact Level:

Low Medium High




Chapter 8 - 76

MyRAM

MA

MPU


Document produced for Impact Analysis (Step 8): 1. Impact Level List.

Output:a) Impact Level List

Output (Step 8)

A sample output document for this step is as per table 8.29.

1. Impact Level List

Table 8.29: Impact Level List

MyRAM/Form/S8-1.0

No. Asset Asset Asset Asset Business Group ID Name Value Loss Impact Level




8.1.9 Step 9: Analysis of Likelihood


The appointed Team Leader(s) should initiate this step, Step 9: Analysis of Likelihood. The team members will be heavily involved in this step. Discussions as well as interviews will be held during this period of time to gather necessary information for determining likelihood of the threats happening.

The probability or likelihood of an asset being compromised must be assessed as precisely as possible. This will ensure that critical assets are not overlooked and non-critical assets are not over-protected.

Goal

The goal of this step is specifically to determine the likelihood values of threats and vulnerabilities, taking into consideration the existing and planned controls.

Tasks

1. Determine The Likelihood Of Threats And Vulnerabilities That May Happen

The output from Step 5: Assessment of Threats, Step 6: Assessment of Vulnerabilities and Step 7: Identification of Existing/Planned Safeguards will be used in determining the likelihood values.

Tasks (Step 9):1. Determine The Likelihood Of Threats And Vulnerabilities That May Happen2. Verify and Validate The Findings of The Questionnaires

Chapter 8 - 77

MyRAM

MA

MPU


Table 8.30: Result From Selected Step

From Step Result

Step 5 Threats

Step 6 Vulnerabilities

Step 7 Safeguards

It is also recommended that the worst-case scenarios (key disaster scenarios) be examined when the likelihood is determined.

By analysing the threats, vulnerabilities and controls which have been identified earlier on, the risk assessment team can gauge the approximate likelihood that a specific asset may be compromised.

When possible, the following attributes should be taken into consideration.

(a) Past experiences. Historical data should be considered whenever possible.

(b) Probability of future occurrences. Current trends of threat occurrences should be taken into consideration to see the viability of probability of future occurrences.

(c) Implementation of safeguards or controls. Any existing or planned safeguards should be considered as this will most likely cause reduction to the likelihood of a threat compromising assets.

Guidelines on assigning a value to likelihood:

(a) If there are more than one match of the attributes (in the column named “Explanation and Outcome” in Table 8.31: Likelihood Value Rating) for one particular level of likelihood, choose the level which has the most matches.

(b) If there are more than two levels which have the same count of matches, then choose the higher level value rating. This is as a precautionary measure to ensure that the asset is given the best protection when and where possible.

As one can see, a three (3)-quadrant value-rating table is used here in evaluating the likelihood. Agencies can modify the criteria used in the following table (Table 8.31: Likelihood Value Rating) to fit into the agencies’ environments. An example of a likelihood rating table that can be utilized is as follows:

Chapter 8 - 78

MyRAM

MA

MPU


Table 8.31: Likelihood Value Rating

Likelihood Explanation and Outcome Level

Low • Threats seldom occur and the type of threats that occur may cause minimal operational danger.

• Little or not capable in exploiting vulnerabilities, however, would act if provoked. Or, possesses knowledge and skills to exploit vulnerabilities (with not enough resources), or has enough resources with lack of knowledge and skills but not inclined to breach the security.

• Security controls in placed have been tested and effective.

Medium • Threats often occur and they may slow down some operations.

• Possesses knowledge, skills, and resources to exploit vulnerabilities but not inclined to breach the security. Or, little or not capable in exploiting vulnerabilities but very motivated to attempt attacks. Or, possesses knowledge and skills to exploit vulnerabilities (with not enough resources), or has enough resources with lack of knowledge and skills and would attempt to attack if provoked.

• Security controls exist; however, they are not very effective.

High • Threats occur frequently and they may suspend most of critical operations.

• Possesses knowledge, skills, and resources to exploit vulnerabilities and would attempt to attack if provoked. Or, possesses knowledge and skills to exploit vulnerabilities (with not enough resources), or has enough resources with lack of knowledge and skills and very motivated to attempt attacks.

• Security controls are not planned yet.


The questionnaires distributed and asked in Step 2 need to be revisited. The findings need to be verified and validated to ensure completeness and authenticity. At this stage, ensure that all the questions have some valid answers.


Document produced for Likelihood Analysis (Step 9):

1. Likelihood List.

Chapter 8 - 79

MyRAM

MA

MPU


Out

put:

a) L

ikel

ihoo

d Li

st

Out

put (

Step

9)

A s

ampl

e ou

tput

doc

umen

t for

this

ste

p is

as

per t

able

8.2

2.

1.

Lis

tliho

od L

ist

Tabl

e 8.

32: L

istli

hood

Lis

t

M

yRAM

/For

m/S

9-1.

0

N

o.

Ass

et

Ass

et

Ass

et

Thr

eat

Thr

eat

Vuln

erab

ility

Vu

lner

abili

ty

Cur

rent

Gro

up

ID

Nam

e ID

N

ame

ID

Nam

e Sa

fegu

ard

Lik

elih

ood

So

lutio

n

Pr

epar

ed b

y:

Rev

iew

ed b

y:

App

rove

d by

:

<

Team

Lea

der >

<

Proj

ect M

anag

er >

N

ote:

The

sig

n-of

fs s

houl

d be

with

the

offic

ial s

tam

p.

Chapter 8 - 80

MyRAM

MA

MPU


Tasks (Step 10):1. Calculate The Risk Level For Each Asset

Low Medium High

8.1.10 Step 10: Calculation of Risk


The appointed Team Leader(s) should initiate this step, Step 10: Calculation of Risk. The team members will be heavily involved in this step as well. The risk levels determined are verified with the designated owners and custodians.

A risk matrix or index is then produced. The risk levels of all the identified assets are calculated. A combination of impacts and likelihood is used as the basis for the calculation. When calculating risks, a qualitative method is used. It is important to note that not all assets have quantitative values. Most assets nowadays, like health information of citizens, are not assets that can easily be quantified. However, with a careful valuation process, they can be given values (Low, Medium and High) via a qualitative method.

Goals

The goal of this step is specifically to get each asset’s risk level rating based on the risk matrix table.

Tasks

1. Calculate The Risk Level For Each Asset

The team will calculate the risk level for each asset based on a risk matrix table. The attributes that are used in this matrix are impact values (Step 8) and likelihood values (Step 9).

Risk = Function (Impact, Likelihood)

Risk can be expressed as a function of impact and likelihood. It is a likelihood (probability) of identified threats exploiting the vulnerabilities taking into consideration the existing and planned safeguards in the context of business loss and values of the associated assets.

The risk matrix in Table 8.33: Risk Level is a recommended table. It is derived from experiences in RA activities carried out for telecommunication and financial institutions. An agency may come up with another matrix table that may represent its risk distribution better than what is presented here. If three (3)-quadrant value-rating tables are used throughout the whole exercise, then a three (3)-quadrant matrix table needs to be used here as well.

Table 8.33: Risk Level

Impact Likelihood

Low Medium High

Low L L M

Medium L M H

High M H H

Legend of Risk Level:

Document produced for Risk Calculation (Step 10): 1. Risk Matrix.

Chapter 8 - 81

MyRAM

MA

MPU


Output (Step 10)

A sample output document for this step is as per table 8.34.

1. Risk Matrix

Table 8.34: Risk Matrix

MyRAM/Form/S8-1.0

No Asset Asset Asset Threat Threat Impact Like Risk Group ID Name ID Name Level lihood Level




Chapter 9 - 82

MyRAM

MA

MPU

High-Level Recommendations: Introduction

Chapter 9: High-level Recommendations

9.0 Introduction

Figure 9.1 shows that decisions of whether to accept, reduce, transfer, or avoid risks that have been identified must be made only after the risk assessment exercise has been completed.

Figure 9.1: High-level Recommendations Diagram

This chapter explains how users can decide on the next cause of action after risk levels are obtained for all identified assets.

From a technical standpoint, risk assessment results obtained can be useful in identifying appropriate safeguard measures. However, the final decision to either accept, reduce, transfer, or avoid is left to the senior management. For this reason, the Summary Report to the senior management should assist the management in making the required decisions. This report lists the groups to which the assets belong, the assets’ names, and their appropriate risk levels. This technical report should assist audiences or users in Part I: Management to choose the proper approach to safeguard their assets that are critical to the survival of the core business functions.

Chapter 9 - 83

MyRAM

MA

MPU

High-Level Recommendations: Decisions

9.1 Decisions

Overview

The appointed Project Manager should initiate this stage. The Project Advisor will advise on the suitability of the decisions made. The team must now advise the senior management on what to do with the risks identified.

When selecting an option (whether to accept, reduce, transfer, or avoid risks), the attributes of risks must be thoroughly and carefully examined.

Tasks

1. Analyse The Attributes To Be Considered Prior To The Decision-Making

The decision of whether to accept, reduce, transfer, or avoid the risks catalogued must take the following factors into consideration:

(a) Time: Time is normally a constraint in successfully executing a plan. It is everybody’s enemy. However, it is a crucial factor when deciding what to do with a particular identified risk in relation to each critical asset. For example, if there is downtime that causes Server A containing all e-commerce activities to fail, how long will it take for the Server to be fully functioning?

(b) Money: Should an asset be compromised, what would be the cost to the agency? Frequently, monetary values are not available; however, one can quantify the values by considering the following principles: Confidentiality, Integrity, and Availability.

(c) Manpower: Human resources play a very active role when controls need to be deployed in order to reduce risk to an acceptable level.

(d) Equipment: Facilities or instruments involved must also be taken into consideration.

2. Determine The Option Of How To Handle The Risk

(a) The result of Step 10: Calculation of Risk (from Chapter 8: Risk Assessment Process) details out the risk level associated with each identified asset.

(b) If the risks are accepted, there is no immediate plan carried out or action taken to protect the asset.

(c) The risks are reduced when they are regarded as having High/H or Medium/M impact. Here, risks are mitigated by deploying the proper controls (counter-measures) to ensure that critical business operations continue with no downtime.

(d) In transferring risks, the risks are moved to another organisation or entity or cause. However, transferring of risks in this context means partial transfer of risks (sharing of risks) between the organisation and a third party. One may want to transfer risks when they are at the level of Low/L or Medium/M. An example of this is transferring risks to a third party organisation.

Chapter 9 - 84

MyRAM

MA

MPU


(e) Risks should be avoided altogether when there is no reasonable control available to be implemented by the organisation. This decision needs to be treated with caution, since most of the time the only way to avoid risks is to totally disconnect the system.

(f) Good security controls combine most of the options above. When an asset has a high value of business impact as well as a high likelihood of getting “attacked”, it is advisable to first reduce the risk by deploying more controls and then transfer the remaining risk to a third party organisation. In the end, what is left is an acceptable residual risk level for that particular asset.

The presentation to the senior management on risk analysis information obtained contains the following information:

(a) An understanding of the relation between risk calculation results and senior management decisions in protecting critical assets.

(b) Any terms and concepts that may be new or different - for example, assets, threats, risk and risk profile - explained precisely and concisely.

(c) Composite, analysed results of the survey data, presented in a table or graphical easy-to-read information. Each identified level of risk should also state specific implications.

(d) Data on protection strategy practices and organisational vulnerabilities, segregated in tables according to practice areas.

(e) Threat, risk and vulnerability information for each critical asset tabled.

The senior management will then determine the best approach to combat all identified risks – do some of them need to be mitigated? If so, then how would that affect the resources and budget of the organisation?

Chapter 9 - 85

MyRAM

MA

MPU


Out

put

(Dec

isio

ns)

A s

ampl

e ou

tput

doc

umen

t fo

r th

is s

tep

is a

s pe

r ta

ble

9.1.

1. D

ecis

ion

on O

ptio

ns

Tabl

e 9.

1: D

ecis

ion

on O

ptio

ns

M

yRAM

/For

m/S

9-1.

0

N

o.

Ass

et

Ass

et

Ass

et

Thr

eat

Thr

eat

Cur

rent

R

isk

Rec

omm

enda

tion

Dec

isio

n

G

roup

ID

N

ame

ID

Nam