
Risk Assessment Worksheets - NCSP - V4 User(1)


Page 1: Risk Assessment Worksheets - NCSP - V4 User(1)

NATIONAL CYBER SECURITY POLICY - ENTITY/SUB-ENTITY RISK ASSESSMENT PROCESS

Worksheets in this Workbook
1. Process Charts - this worksheet
2. Summary & Declaration - Summary of risk assessment and declaration by officer submitting the risk assessment
3. Part 1 - CNI Entity Information - Profile of Entity/Sub-Entity submitting the risk assessment (Please read the instructions in this CNII Entity Information worksheet to start doing the risk assessment)
4. High level risk assessment worksheets:
   a. Part 2 - HL Impact - High level impact analysis
   b. Part 3 - HL Dependency - High level dependency (on ICT or cyber systems) analysis
   c. Part 4 - HL Controls - High level controls analysis
5. Detailed risk assessment worksheets:
   a. Part 5 - Detailed Impact Analysis - Impact to various segments/elements of the Nation/National Economy
   b. Part 6 - Detailed Threat Analysis - Likelihood of threats exploiting vulnerabilities
   c. Part 7 - Detailed Risk Assessment Result

Summary of Charts In This Worksheet (for information only)
Chart 1 : Risk Assessment Framework
Chart 2 : Risk Assessment Process Framework (referred to in Chart 1)
Chart 3 : Compliance Governance Framework (referred to in Chart 1)
Chart 4 : High Level Risk Assessment and Detailed Risk Assessment

Note : Adjust the zoom factor so that each complete chart fits on your screen.


CHART 3 : COMPLIANCE GOVERNANCE FRAMEWORK

1. CGSO ASSEMBLES ANNUAL QUESTIONNAIRE WITH INPUTS FROM MKN AND NC3-PT6
2. CGSO SENDS QUESTIONNAIRE TO REGULATORY BODIES AND CNI ENTITIES
3. CNI ENTITIES FILL QUESTIONNAIRE AND SEND RESPONSE TO PT6
4. NC3-PT6 CONSOLIDATE OVERALL AND SEND TO CGSO FOR KEY POINTS COMMITTEE APPROVAL
5. KEY POINTS COMMITTEE APPROVES AND CGSO PROVIDES UPDATED LIST TO NC3-PTs
6. NC3-PTs USE UPDATED LIST/COMPLIANCE INFO TO PRIORITIZE ACTIVITIES AND FOCUS AREAS

Information flows labelled on the chart : Includes Risk Assessment Information Required; Compliance and Risk Assessment Information; Compliance Information; Risk-Impact Rank Information.


04/08/2023 11:17:37 document.xls (Summary & Declaration)

SUMMARY AND DECLARATION - ENTITY/SUB-ENTITY RISK ASSESSMENT

Ref Code : For Office Use Only

SUMMARY FOR (SUB-) ENTITY'S SERVICE OR PRODUCT HIGH LEVEL RISK ASSESSMENT :
Low Impact
Dependency Analysis Not Required
Controls Assessment Not Required
Detailed Risk Assessment Not Compulsory

FILL IN THE PARTICULARS OF RESPONDENT AND REVIEWER/APPROVER BELOW (Items 1 to 4 to be filled in Part 1, not here)

1 CNI ENTITY : Lembaga Pelabuhan Johor
2 CNI SUB-ENTITY :
3 ADDRESS WHERE SERVICE IS CENTERED/DELIVERED/ORIGINATED FROM OR ADDRESS WHERE PRODUCT IS PRODUCED : 4A1-8A1, Pusat Perdagangan Pasir Gudang, Jalan Bandar, 81700 Pasir Gudang, Johor
4 SHORT NAME OF SERVICE OR PRODUCT (GROUP) :

Respondent
8 NAME OF RESPONDENT :
9 DESIGNATION :
10 DEPARTMENT/ DIVISION / SECTION /UNIT :
11 CORRESPONDENCE ADDRESS :
12 TELEPHONE NOS. :
13 FAX NOS. :
14 EMAIL ADDRESS :
15 WEBSITE/PORTAL ADDRESS :
Signature and Stamp :
Date :

Reviewer/Approver
16 NAME OF REVIEWER/APPROVER OF RESPONSE :
17 POSITION :
18 DEPARTMENT/ DIVISION / SECTION /UNIT :
19 CORRESPONDENCE ADDRESS :
20 TELEPHONE NOS. :
21 FAX NOS. :
22 EMAIL ADDRESS :
Signature and Stamp :
Date :

Declaration : To the best of my knowledge, I declare that the information submitted here is true and the assessments submitted in the remaining worksheets are a fair reflection of the organisation.


document.xls (Part 1 - CNI Entity Information)

PART 1 : GENERAL INFORMATION

SUMMARY FOR (SUB-) ENTITY'S SERVICE OR PRODUCT HIGH LEVEL RISK ASSESSMENT :
Low Impact
Dependency Analysis Not Required
Controls Assessment Not Required
Detailed Risk Assessment Not Compulsory

Instructions :
a. Please fill in this Part 1 and then do the high level risk assessment by providing inputs in Part 2 - HL Impact Worksheet, Part 3 - HL Dependency Worksheet and Part 4 - HL Controls Worksheet.
b. If the verdict from the high level risk assessment (see cell G5 in this worksheet) indicates that a detailed risk assessment is necessary, then please proceed to do the detailed risk assessment by filling in Part 5 - Detailed Impact Analysis Worksheet and Part 6 - Threats-Vulnerability Analysis Worksheet and view the results in Part 7 - Detailed Risk Assessment Result Worksheet. The summary of the detailed risk assessment (if required) will appear in cells E9 to G12 of this worksheet.
c. In the detailed risk assessment, if it is obvious that the impact of disruption of the critical services and products is medium to very high, then this input can be entered directly in cell G12 in Part 7 - Detailed Risk Assessment Result Worksheet instead of filling in the details in the Part 5 - Detailed Impact Analysis Worksheet.

Note :
1. This part must be filled by all CNI (sub-)Entities, irrespective of whether they are doing the high level risk assessment first (see Part 2, Part 3 and Part 4), or whether they are bypassing the high level risk assessment and doing the full risk assessment only (Parts 5, 6 and 7). (To bypass the high level risk assessment, go to Part 2 and put Y in a 'High Impact' column.)
2. IMPORTANT : Please fill and submit one set of responses separately for EACH SERVICE OR PRODUCT (GROUP) from the same Sub-Entity if there are several services or products (groups) from the same Sub-Entity.
3. Entities are to use their own internally devised identifier codes for the following:
   a. Service or Product Code in Section B
   b. Critical Systems Code (non cyber) in Section D
   c. Critical Cyber Systems Code in Section D.

SECTION A
FILL IN THE PARTICULARS OF THE ENTITY AND SUB-ENTITY

1 CNI ENTITY : Lembaga Pelabuhan Johor
2 CNI SUB-ENTITY :
3 ADDRESS WHERE SERVICE IS CENTERED/DELIVERED/ORIGINATED FROM OR ADDRESS WHERE PRODUCT IS PRODUCED : 4A1-8A1, Pusat Perdagangan Pasir Gudang, Jalan Bandar, 81700 Pasir Gudang, Johor
4 SHORT NAME OF SERVICE OR PRODUCT (GROUP) * (See note 2 above) :
5 DESCRIPTION OF SERVICE OR PRODUCT (GROUP) * (Please describe what the service or product is and not what the entity does to produce the service or product. For a GROUP, please list each service/product in Section B below) :
6 AREA OF COVERAGE OF SERVICE OR PRODUCT (Please provide the name or unique identifier of the Region, State, District, Township, Industrial Area, Operations Area, Business District etc) : Johor
7 KEY PARAMETERS OF AREA OF COVERAGE (Please enter all the major ones that apply in the particular area of coverage: 1. Residential Population (estimated numbers) 2. Commercial Population (number of companies) 3. Industries (number of industries) 4. Business Value (estimated RM value of business) 5. Others (please describe)) : Perairan Johor

SECTION B
* ITEMISE THE CRITICAL SERVICES OR PRODUCTS INCLUDED IN THE DEFINED GROUP, IF THESE CRITICAL SERVICES OR PRODUCTS ARE TO BE ADDRESSED AS ONE GROUP (in Section A4 and Section A5 above) IN THE RISK ASSESSMENT.
Rows 1 to 15 : SERVICE OR PRODUCT CODE (no entries in this response)

SECTION C
* ITEMISE THE LIST OF SERVICES OR PRODUCTS LOGICALLY IN THE GROUP (in Sections A4 and A5 above) THAT ARE NOT CATEGORISED AS CRITICAL SERVICES OR PRODUCTS
Rows 1 to 15 (no entries in this response)

SECTION D
MAP THE SERVICE OR PRODUCT (GROUP) TO CRITICAL (NON-CYBER) SYSTEMS (IF ANY) AND CRITICAL CYBER SYSTEMS THAT DELIVER/PRODUCE THE SERVICE OR PRODUCT (GROUP)
Columns : CRITICAL SYSTEMS (NON-CYBER) | CRITICAL SYSTEMS CODE | CRITICAL CYBER SYSTEMS (NOTE : ONE CYBER SYSTEM CAN MANAGE/CONTROL MORE THAN ONE CRITICAL SYSTEM TO DELIVER THE SERVICE OR PRODUCT) | CRITICAL CYBER SYSTEMS CODE | DEGREE OF DEPENDENCY ** (see guide on right)
Rows 1 to 10 (no entries in this response)


document.xls (Part 2 - HL Impact)

PART 2 : HIGH LEVEL IMPACT ASSESSMENT

For each of the following dimensions that may be impacted in the event of the disruption to your critical services or products (group) in Part 1, select the appropriate estimated level of impact with a 'Y' in the appropriate impact column. Note : Do not factor in any dependency on cyber systems at this stage. Just focus on your service or product and the impact of its disruption.

Dimensions | Very Low Impact | Low Impact | Medium Impact | High Impact | Very High Impact | Level
Defense and Security | x | y | x | x | x | Low Impact
Economy | x | y | x | x | x | Low Impact
National Image | x | y | x | x | x | Low Impact
Government Services | x | y | x | x | x | Low Impact
Health and Safety | x | y | x | x | x | Low Impact
Maximum Level >> Low Impact

Explanation on Dimensions
Defense and Security : Compromise or weakening of our ability to defend (MAF, APMM) and ensure security (Police etc).
Economy : Covers commerce, banking, industrial activity, logistics and transportation including airport and port management, domestic and international trade, stock exchange etc.
National Image :
Government Services : Online and core government services dependent on ICT like RTD, Immigration, Customs, NRD, e-Procurement, e-SPKB, GFMAS, SPEKS, SAGA etc.
Health and Safety : Hospital services, emergency services including ambulance, fire brigade, civil defense, search and rescue and public safety.


document.xls (Part 3 - HL Dependency)

PART 3 : HIGH LEVEL ASSESSMENT OF DEPENDENCY ON INFORMATION OR CYBER SYSTEMS

You need not respond below as the impact assessment shows that impact is low.

Cyber Systems Main Components | Very Low Dependency | Low Dependency | Medium Dependency | High Dependency | Very High Dependency | Level
Online Applications | x | y | x | x | x | Low Dependency
Backend Applications | x | y | x | x | x | Low Dependency
Databases/Repository | x | y | x | x | x | Low Dependency
SAN/NAS | x | y | x | x | x | Low Dependency
Corporate Network | x | x | x | y | x | High Dependency
Private Network | x | y | x | x | x | Low Dependency
Internet | y | x | x | x | x | Very Low Dependency
Control Systems Network | y | x | x | x | x | Very Low Dependency
Remote Services | x | y | x | x | x | Low Dependency
Maximum Level >> High Dependency


document.xls (Part 4 - HL Controls)

PART 4 : HIGH LEVEL ASSESSMENT OF STATUS OF CONTROLS ON INFORMATION OR CYBER SYSTEMS THAT ARE USED IN THE DELIVERY OF CRITICAL PRODUCTS AND SERVICES

You need not respond below as the Impact is low or Dependency on Cyber Systems is low.

Information Security Dimensions | Very High Controls | High Controls | Medium Controls | Low Controls | Very Low Controls | Level
Risk Assessment/Treatment | x | x | y | x | x | Medium Controls
Security Policy | x | x | y | x | x | Medium Controls
Organization of Information Security | x | y | x | x | x | High Controls
Asset Management | x | x | x | y | x | Low Controls
Human Resources Security | x | x | y | x | x | Medium Controls
Physical & Environmental Security | x | x | y | x | x | Medium Controls
Communications and Operations Mgmt | y | x | x | x | x | Very High Controls
Access Control | x | x | y | x | x | Medium Controls
Info Systems Acquisition, Dev & Maintenance | x | x | y | x | x | Medium Controls
Information Security Incident Mgmt | x | x | y | x | x | Medium Controls
Business Continuity Management | x | x | y | x | x | Medium Controls
Compliance | x | x | y | x | x | Medium Controls
Minimum Level >> Low Controls


document.xls (Part 5-Detailed Impact Analysis)

PART 5 : CNII (SUB-)ENTITIES' DETERMINATION OF IMPACT DUE TO UNAVAILABILITY/COMPROMISE OF THEIR CRITICAL PRODUCTS AND SERVICES

You need not respond here as the High Level Risk Assessment indicates that risk is low.

PLEASE IGNORE THE TABLE BELOW. YOU NEED NOT FILL IN THE DETAILS IN ROW 11.

SEIGH Dimensions and their components (table columns, each dimension followed by a Totals column) :
Impact to National Defense and Security : Military Readiness, Police Operations, APMM Operations
Impact to National Economic Strength : E-Commerce, Securities, International Trade, Domestic Trade, Foreign Exchange, Industrial Production, Banking and Finance
Impact to National Image : Investor Perception, Citizen Perception, Foreign Perception
Impact to Government Capabilities to Function : E-Government, E-Payment, People Identity and Immigration Services, Public Pensions, Trusts and Savings
Impact to Public Health and Safety : Health Services, Public Health, Public Safety
TOTAL : Impact (Weight Averaged), Impact (Rounded Wt Avg)

Row "Critical Products and Services Group" : every component is rated 4, the weight-averaged impact is 4.0, and the Totals cells print as ### (column too narrow in the printout).


document.xls (Part 6-Detailed Threat Analysis)

PART 6 : CNII (SUB-)ENTITY'S DETAILED ANALYSIS OF THREATS-VULNERABILITIES-COUNTERMEASURES THAT WILL ASSURE THE DELIVERY OF THEIR CRITICAL PRODUCTS AND SERVICES

You need not respond here as the High Level Risk Assessment indicates that risk is low.

PLEASE IGNORE THE TABLE BELOW. YOU NEED NOT FILL IN THE DETAILED THREATS-VULNERABILITIES LIKELIHOOD TABLE BELOW.

Columns : Asset Group | Asset Name | Threats | Vulnerabilities | Controls/ Safeguards/ Countermeasures | Likelihood of Threats Exploiting Vulnerabilities (0 to 4) | Asset Group Likelihood (0 to 4) | Overall Likelihood (0 to 4)

Asset Group rows (Asset Name, Threats and Vulnerabilities left blank in this response) : People, Hardware, Software, Network, Physical Security, Environmental & Support Systems

Controls/ Safeguards/ Countermeasures listed in the table : Logical Access Procedures, Perimeter Protection Measures, Patch Control and Updates Measures

Likelihood cells printed : 4 (the Threats Likelihood value carried to Part 7)


document.xls (Part 7 - Detailed Results)

PART 7 : CNII (SUB-)ENTITIES' RISK ASSESSMENT TAKING THE OVERALL IMPACT FROM PART 5 AND THE OVERALL THREATS EXPLOITING VULNERABILITIES LIKELIHOOD FROM PART 6

THIS TABLE IS IGNORED AS THE HIGH LEVEL RISK ASSESSMENT INDICATES THAT RISK IS LOW.

Risk Rating Matrix (axes : Likelihood of Incident Scenario, i.e. Likelihood of Threats Exploiting Vulnerabilities, against Impact of Incident to Nation)

Likelihood \ Impact | Very Low-0 | Low-1 | Medium-2 | High-3 | Very High-4
Very Low-0 | 0 | 1 | 2 | 3 | 4
Low-1 | 1 | 2 | 3 | 4 | 5
Medium-2 | 2 | 3 | 4 | 5 | 6
High-3 | 3 | 4 | 5 | 6 | 7
Very High-4 | 4 | 5 | 6 | 7 | 8

Risk bands : Low Risk : 0 to 2 | Medium Risk : 3 to 5 | High Risk : 6 to 8

SUMMARY OF DETAILED RISK ANALYSIS FOR :
Impact rating manually entered (only allowed if rating is 2, 3 or 4) :
Impact from Part 5 (Detailed Impact Analysis) : 4
Impact rating from Part 5 used : 4
Threats Likelihood from Part 6 (Threats-Vulnerability Analysis) : 4
Numerical Risk Rating (Threat Likelihood and Impact) : 8
Overall Risk : HIGH RISK
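The scoring rules that the workbook computes in its cells, written out as an added Python example (this is not code from the NCSP workbook): the Maximum Level rows of Part 2 and Part 3, the Minimum Level row of Part 4, the Part 7 Risk Rating Matrix (which adds the 0-4 likelihood to the 0-4 impact) with its Low/Medium/High bands, and the rule that a manually entered impact rating is accepted only when it is 2, 3 or 4. The sample inputs are the marks printed in this workbook's own Part 3 and Part 4 tables; the function names and the dict-based input shape are my own, and the functions accept any set of dimensions, not only the ones the worksheets list.

```python
# Added example: reimplements the worksheet scoring rules so they can be
# checked outside Excel. Not code from the NCSP workbook; each rule is read
# off the worksheet text (Maximum/Minimum Level rows in Parts 2-4, the
# Risk Rating Matrix and bands in Part 7). Function names are assumed.
from typing import Dict, List, Optional, Tuple

# Five-point scale used by every worksheet, index 0..4
LEVELS: List[str] = ["Very Low", "Low", "Medium", "High", "Very High"]

# Part 7 risk bands on the summed score
RISK_BANDS: List[Tuple[range, str]] = [
    (range(0, 3), "LOW RISK"),      # 0 to 2
    (range(3, 6), "MEDIUM RISK"),   # 3 to 5
    (range(6, 9), "HIGH RISK"),     # 6 to 8
]


def level_index(level: str) -> int:
    """Map 'Very Low' .. 'Very High' to 0 .. 4."""
    try:
        return LEVELS.index(level)
    except ValueError:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}") from None


def overall_impact(ratings: Dict[str, str]) -> str:
    """Part 2: 'Maximum Level' across the impact dimensions."""
    return LEVELS[max(level_index(v) for v in ratings.values())] + " Impact"


def overall_dependency(ratings: Dict[str, str]) -> str:
    """Part 3: 'Maximum Level' across the cyber-system components."""
    return LEVELS[max(level_index(v) for v in ratings.values())] + " Dependency"


def overall_controls(ratings: Dict[str, str]) -> str:
    """Part 4: 'Minimum Level' across the information security dimensions,
    i.e. the weakest control area sets the overall status."""
    return LEVELS[min(level_index(v) for v in ratings.values())] + " Controls"


def risk_matrix() -> List[List[int]]:
    """Part 7 Risk Rating Matrix: rows = likelihood 0..4, cols = impact 0..4."""
    return [[lik + imp for imp in range(5)] for lik in range(5)]


def risk_band(score: int) -> str:
    """Band a 0..8 score as the worksheet's Low/Medium/High risk."""
    for band, label in RISK_BANDS:
        if score in band:
            return label
    raise ValueError(f"score {score} outside 0..8")


def detailed_risk(impact_from_part5: int, likelihood_from_part6: int,
                  manual_impact: Optional[int] = None) -> Tuple[int, str]:
    """Part 7 summary. A manually entered impact rating overrides Part 5,
    but the worksheet only allows it when the rating is 2, 3 or 4."""
    if manual_impact is not None:
        if manual_impact not in (2, 3, 4):
            raise ValueError("manual impact rating only allowed if 2, 3 or 4")
        impact = manual_impact
    else:
        impact = impact_from_part5
    for value in (impact, likelihood_from_part6):
        if not 0 <= value <= 4:
            raise ValueError("ratings must be 0 to 4")
    score = risk_matrix()[likelihood_from_part6][impact]
    return score, risk_band(score)


# Constructed sample input: the 'y' marks shown in this workbook's own
# Part 3 and Part 4 tables.
PART3_SAMPLE: Dict[str, str] = {
    "Online Applications": "Low", "Backend Applications": "Low",
    "Databases/Repository": "Low", "SAN/NAS": "Low",
    "Corporate Network": "High", "Private Network": "Low",
    "Internet": "Very Low", "Control Systems Network": "Very Low",
    "Remote Services": "Low",
}
PART4_SAMPLE: Dict[str, str] = {
    "Risk Assessment/Treatment": "Medium", "Security Policy": "Medium",
    "Organization of Information Security": "High",
    "Asset Management": "Low", "Human Resources Security": "Medium",
    "Physical & Environmental Security": "Medium",
    "Communications and Operations Mgmt": "Very High",
    "Access Control": "Medium",
    "Info Systems Acquisition, Dev & Maintenance": "Medium",
    "Information Security Incident Mgmt": "Medium",
    "Business Continuity Management": "Medium", "Compliance": "Medium",
}

if __name__ == "__main__":
    print(overall_dependency(PART3_SAMPLE))   # High Dependency
    print(overall_controls(PART4_SAMPLE))     # Low Controls
    for row in risk_matrix():
        print(" ".join(str(v) for v in row))
    print(detailed_risk(4, 4))                # (8, 'HIGH RISK')
```

The minimum rule in Part 4 is the one worth noticing: a single Low area (Asset Management in this response) pulls the whole controls status down to Low Controls even though one area is rated Very High, which is the conservative reading the worksheet applies. The matrix is symmetric, so it does not matter which axis is taken as likelihood and which as impact.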


Compatibility Report for Risk Assessment Worksheets - NCSP - V4 User(1).xls

Run on 10/23/2009 10:31

Significant loss of functionality # of occurrences

29

The following features in this workbook are not supported by earlier versions of Excel. These features may be lost or degraded when you save this workbook in an earlier file format.

Some cells have more conditional formats than are supported by the selected file format. Only the first three conditions will be displayed in earlier versions of Excel.

'Summary & Declaration'!C5:C7

'Part 1 - CNI Entity Information'!E5:F7

'Part 2 - HL Impact'!G7:G12

'Part 2 - HL Impact'!S7:S9

'Part 3 - HL Dependency'!G9:G17

'Part 3 - HL Dependency'!R9:R11

'Part 3 - HL Dependency'!S9

'Part 3 - HL Dependency'!R13:S14

'Part 4 - HL Controls'!G9:G20

'Part 4 - HL Controls'!R9:R11

'Part 4 - HL Controls'!S9

'Part 4 - HL Controls'!R13:S14

'Part 5-Detailed Impact Analysis'!AF15:AF17


'Part 6-Detailed Threat Analysis'!K53:K55

'Part 6-Detailed Threat Analysis'!L53

'Part 6-Detailed Threat Analysis'!K57:L58

'Part 7 - Detailed Results'!J4:J6

Some cells have overlapping conditional formatting ranges. Earlier versions of Excel will not evaluate all of the conditional formatting rules on the overlapping cells. The overlapping cells will show different conditional formatting.

'Summary & Declaration'!C11:C12

'Part 1 - CNI Entity Information'!E11:E12

'Part 2 - HL Impact'!S13:S14

'Part 3 - HL Dependency'!R15:R16

'Part 4 - HL Controls'!R15:R16

'Part 5-Detailed Impact Analysis'!AF21:AF22

'Part 6-Detailed Threat Analysis'!K59:K60

'Part 7 - Detailed Results'!J10:J11

Some cells contain conditional formatting with the 'Stop if True' option cleared. Earlier versions of Excel do not recognize this option and will stop after the first true condition.


Minor loss of fidelity

89

'Part 2 - HL Impact'!B7:F11

'Part 2 - HL Impact'!G7:G14

'Part 3 - HL Dependency'!B9:G17

'Part 3 - HL Dependency'!G19:G20

'Part 4 - HL Controls'!B9:G20

'Part 4 - HL Controls'!G22:G23

Some cells or styles in this workbook contain formatting that is not supported by the selected file format. These formats will be converted to the closest format available.