
Risk Management

Executive Analysis Report


01 Proyecto
PRJR13011
Issued: 06/11/2013 7:58:08
riskmanagersupport@modulo.com

The information in this document and any attachments is intended for users of Modulo Risk Manager, a product developed by Modulo Security LLC. If you do not have permission to access this information, know that it is prohibited to read, release, or copy this information. Improper use will be subject to the legislation in effect based on the confidentiality agreements.
The controls in the knowledge bases created by Modulo Security LLC are protected by copyright and ownership laws.
The full or partial unauthorized reproduction of the information in this report shall result in civil and criminal punishments.
www.modulo.com
Modulo Security LLC
Copyright 2013 Modulo Solutions for GRC 2 of 17
1. INTRODUCTION
This report presents the results of the risk analysis carried out in the 01 Proyecto project. The
investigations included the organization's assets and may have used various methods for collecting
evidence, such as: automated collectors, documental analyses, interviews, facility inspections,
and others.
Some of the main issues addressed in this report include:
1) What are the major threats to the business?
2) What are the risk levels of the non-implemented controls?
3) What are the recommendations to reduce these risks?
4) How can the security actions to be taken be prioritized?
More detailed information and technical recommendations can be found in the Risk Analysis Report
and in the Operational Risks Report, which are generated by Modulo Risk Manager, the system
designed by Modulo Security LLC based on the GRC Metaframework methodology. This
methodology is in compliance with the guidelines provided in the ISO/IEC 27001, ISO/IEC 27002,
ISO/IEC 27005, ISO 31000, and ISO Guide 73 standards. Thus, Modulo Risk Manager provides
increased productivity, control, and standardization in activities and helps the organization
achieve the desired results.
The following table displays the project data:
Name: 01 Proyecto
Code: PRJR13011
Status: Open (Abierto)
Author: Administrator
Leader: usuario1
Substitute Leader: usuario1
Project Created: 06/04/2013
Project Closed: -
Analysis Start Date: 06/04/2013
Analysis End Date: -
If the project is open when the report is issued, only partial results will be presented.
1.1 Calculating the PSR
ISO Guide 73 states that risk is expressed as the value of the combination of the score of an
event and its consequences. Modulo Risk Manager considers the PSR to calculate the risk, which
represents the estimate of these combined factors. These factors are scored on a scale from 1 to
5. The PSR then represents the degree of risk associated with the absence of a control, and is
calculated through the following formula:
Risk = Probability x Severity x Relevance
PROBABILITY: This is the probability that vulnerabilities or weaknesses are exploited by one or
more threats due to the absence of controls.
SEVERITY: This severity scores the level of impact on the organization if the risk materializes.
This means that if the incident occurs, the severity will score the degree the performance,
reliability, or quality of the asset will be compromised.
RELEVANCE: This is the degree of importance the asset holds to the organization, which may take
into consideration the business components it supports.
The probability and severity factors are scored during technical analyses, whereas the relevance
factor is scored according to the importance of the asset to the organization.
1.2 Risk Indices
Awareness of the risks and their assessment is no longer a technical need. It has become a
strategy for organizations to meet the requirements set by the market, the government,
regulatory agencies, and others.
To provide a risk estimate, Modulo Risk Manager uses the following indices:
PSR: Calculated by summing the PSR scores of the controls. The product of the P, S, and R factors
of each control is calculated and the results are then summed. The PSR can be consolidated by
asset, asset type, perimeter, control grouping, knowledge base, questionnaire, business
component, etc., and may vary between 0 and 100%.
Risk Index: Calculated by dividing the PSR of the non-implemented controls (identified risks) by
the PSR of the applicable controls. It's expressed as a percentage and may vary from 0 to 100%.
Security Index: Calculated by dividing the PSR of the implemented controls (avoided risk) by the
PSR of the applicable controls, thus complementing the Risk Index. It's also expressed as a
percentage and may vary from 0 to 100%.
Control Index: Calculated by dividing the number of implemented controls by the number of
applicable controls. It's expressed as a percentage and may vary from 0 to 100%.
Gap Index: Calculated by dividing the number of non-implemented controls by the number of
applicable controls, thus complementing the Control Index. It's also expressed as a percentage and
may vary from 0 to 100%.
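The PSR formula of section 1.1, the indices of section 1.2, the Table 8 risk-level bands, and the Security Index versus Control Index reading from section 2.2, worked as one added example in Python. This is illustration code written for this page, not Modulo Risk Manager's own implementation; the control names and scores are constructed, and the band boundaries are taken from Table 8.

```python
from dataclasses import dataclass
# Table 8 bands as (highest PSR in the band, label). PSR = P x S x R, each factor 1..5, max 125.
LEVELS = [(6, "Very Low"), (16, "Low"), (30, "Medium"), (50, "High"), (125, "Very High")]

@dataclass
class Control:
    name: str
    probability: int   # P: chance the weakness is exploited without this control
    severity: int      # S: impact on the asset if the incident occurs
    relevance: int     # R: importance of the asset to the organization
    implemented: bool
    applicable: bool = True

    def psr(self) -> int:
        if any(not 1 <= f <= 5 for f in (self.probability, self.severity, self.relevance)):
            raise ValueError("P, S and R are each scored on a scale from 1 to 5")
        return self.probability * self.severity * self.relevance

def risk_level(psr: int) -> str:
    # Map a PSR value to its Table 8 risk level.
    return next(label for upper, label in LEVELS if psr <= upper)

def indices(controls: list) -> dict:
    # Section 1.2 indices, computed over the applicable controls only.
    applicable = [c for c in controls if c.applicable]
    done = [c for c in applicable if c.implemented]
    gap = [c for c in applicable if not c.implemented]
    total = sum(c.psr() for c in applicable)
    identified = sum(c.psr() for c in gap)    # risk of the non-implemented controls
    controlled = sum(c.psr() for c in done)   # risk avoided by the implemented controls
    pct = lambda part, whole: round(100.0 * part / whole, 2) if whole else 0.0
    return {"applicable_psr": total, "identified_psr": identified, "controlled_psr": controlled,
            "risk_index": pct(identified, total), "security_index": pct(controlled, total),
            "control_index": pct(len(done), len(applicable)),
            "gap_index": pct(len(gap), len(applicable))}

def effectiveness(ix: dict) -> str:
    # IMPORTANT note in 2.2: Security Index above Control Index means the implemented
    # controls carried the higher PSRs; below, the lower ones; equal is a homogeneous split.
    s, c = ix["security_index"], ix["control_index"]
    return "higher" if s > c else "lower" if s < c else "homogeneous"

# Constructed sample controls, not data from the report.
SAMPLE = [
    Control("MFA on administrative accounts", 5, 5, 4, implemented=True),
    Control("Centralized log retention", 3, 4, 2, implemented=False),
    Control("Printed media labelling", 1, 2, 3, implemented=True),
    Control("Backup restore testing", 2, 2, 5, implemented=False),
    Control("Wireless segmentation", 4, 4, 4, implemented=True, applicable=False),
]
```

With the sample, the one non-applicable control is excluded, the two non-implemented controls leave an identified PSR of 44 out of 150 (Risk Index 29,33%), and because the implemented controls carried the higher PSRs the Security Index (70,67%) exceeds the Control Index (50%).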
2. SUMMARY
2.1 Gap Analysis (by Number of Controls)
From a list of 329 controls investigated, 99 were considered applicable. From this total, 62
controls were identified as implemented (Control Index (1) of 62,63%) and 37 controls were identified
as non-implemented (Gap Index (2) of 37,37%).
Note that the higher the control index, the greater the number of controls in accordance with the
recommendations in the knowledge bases used in the analysis.
Figure 1 - Number of Controls by Status
2.2 Risk Analysis (by PSR)
Considering the risk with a total PSR (3) of 14209, 4322 were considered applicable. Of this total,
3024 can be considered controlled risks (implemented controls), representing a Security Index (4) of
69,97%. In addition, the 1298 risks related to the non-implemented controls (identified risk)
represent a Risk Index (5) of 30,03%.
Note that the higher the Security Index, the lower the risk level in the assets in question.
Figure 2 - PSR Index by Risk Analysis Status
(1) The Control Index is calculated by dividing the number of implemented controls by the number of applicable controls.
(2) The Gap Index is calculated by dividing the number of non-implemented controls by the number of applicable controls.
(3) The PSR represents the degree of risk associated with the absence of a control, and is calculated by multiplying Probability x Severity x Relevance.
(4) The Security Index is calculated by dividing the controlled risks (PSR) by the applicable risks.
(5) The Risk Index is calculated by dividing the identified risks (PSR) by the applicable risks.
IMPORTANT: When the Security Index is greater than the Control Index, it can be inferred that there is
greater effectiveness in the risk management process, since the implemented controls correspond to
those with higher risks (higher PSRs). Otherwise, it can be inferred that there is less effectiveness in the
risk management process, since most of the implemented controls correspond to the lower risks (with
lower PSRs). If the values are similar, it can be concluded that there is a homogeneous distribution
between the level of risk and the priority given to the implemented controls.
2.3 Distribution of Risks (PSR) by Risk Level
The risks considered applicable in the analysis can be divided into:
- RISK INDEX: 30,03% of identified risks
- SECURITY INDEX: 69,97% of controlled risks
Figure 3 - Distribution of Risks (PSR) by Risk Level
2.4 Risks by Threat
Table 3 below presents the consolidated results by threat. It shows the absolute values and
percentages of the controlled and identified risks for the 10 threats with the highest risk indices,
presented in descending order of this index.
The identified risk (PSR) associated with each threat (potential incident) is calculated by summing
the PSR scores of all the non-implemented controls associated with this threat. The Risk Index is
calculated by dividing the value of the identified risks by the value of the applicable risks for each
control associated with the threats.
Threat | Applicable Risk (PSR) | Controlled Risk (PSR) | Security Index | Identified Risk (PSR) | Risk Index
Repudiation | 40 | 0 | 0,0% | 40 | 100,0%
Drop in Performance | 288 | 72 | 25,0% | 216 | 75,0%
Non-Compliance with Regulations | 70 | 30 | 42,9% | 40 | 57,1%
Loss of Traceability | 1169 | 549 | 47,0% | 620 | 53,0%
Unavailability of Services or Information | 2052 | 1484 | 72,3% | 568 | 27,7%
Unauthorized Logical Access | 2887 | 2506 | 86,8% | 381 | 13,2%
Errors, Omissions, or Improper Use | 413 | 359 | 86,9% | 54 | 13,1%
Fraud or Sabotage | 1634 | 1624 | 99,4% | 10 | 0,6%
Administrative Sanctions | 0 | 0 | 0,0% | 0 | 0,0%
Copyright Infringement | 60 | 60 | 100,0% | 0 | 0,0%
Table 3 - Risks by Threat
These results should be used to prioritize the actions for the most critical business components
and assets, in terms of the risks resulting from the main threats to the organization (see Figure 4):
Figure 4 - Risks by Threat
2.5 Risks by Business Component
The risks identified in the assets, which support the organization's business components, were
consolidated in the two levels that categorize these components: strategic and tactical levels.
2.5.1 Strategic-Level Risks
Table 4 below presents the consolidated indices by strategic business component. It shows the
absolute values and percentages of the risks for the 0 components with the highest risk indices.
Component | Relevance | Implemented Controls | Non-Implemented Controls | Control Index | Gap Index | Controlled Risk (PSR) | Identified Risk (PSR) | Security Index | Risk Index
(no strategic business components in this analysis)
Table 4 - Risks per Strategic Level
The value of the identified risk for each strategic business component is composed of the sum of
the identified risk (PSR of the non-implemented controls) for all the assets that support it.
The Risk Index is calculated by dividing the value of the identified risk by the value of the
applicable risk, for each business component as well as for all the components.
These results should be used to prioritize actions in the assets supporting the strategic business
components with the highest risk indices (see Figure 5):
Figure 5 - Risk Index for Strategic Business Components
2.5.2 Tactical-Level Risks
Table 5 below presents the consolidated risks by tactical business component. It shows the
absolute values and percentages for the 1 component(s) with the highest risk indices.
Organizational System | Relevance | Implemented Controls | Non-Implemented Controls | Control Index | Gap Index | Controlled Risk | Identified Risk | Security Index | Risk Index
01_PC_Banking_empresas | Medium | 62 | 37 | 62,63% | 37,37% | 3024 | 1298 | 69,97% | 30,03%
Table 5 - Tactical-Level Risks
The value of the identified risk for each tactical business component is comprised of the sum of
the identified risks (PSR) of all the assets that support it.
The Risk Index for each business component is calculated by dividing the value of the identified
risks by the value of the applicable risk, in each business component as well as in all the
components.
These results should be used to prioritize actions in the assets that support the tactical business
components with the highest risk indices (see Figure 6).
Figure 6 - Risk Index in Tactical Business Components
2.6 Risks by Asset (PSR)
The 2 assets listed in the following table correspond to 30,03% of the total of applicable risks.
These assets should be prioritized for treatment in order to reduce the risks identified.
Asset | Asset Type | Relevance | Applicable PSR | Controlled PSR | Security Index | Identified PSR | Risk Index | Contribution to Risk Index
01 Servidor Back End | Tecnología | Very High | 3530 | 2560 | 72,5% | 970 | 27,5% | 22,4%
01 Firewall | Tecnología | High | 792 | 464 | 58,6% | 328 | 41,4% | 7,6%
Consolidated (2) | | | 4322 | 3024 | 65,6% | 1298 | 34,4% | 30,03%
Table 6 - Risks Identified in the Assets (by PSR)
2.7 Risk Levels of Non-Implemented Controls
Table 7 below presents the number and percentage of each risk level for the non-implemented
controls in both the quantitative and qualitative overviews.
Overview | Very High | High | Medium | Low | Very Low | Total
Qualitative (PSR) | 387 | 197 | 688 | 26 | 0 | 1298
% | 29,82% | 15,18% | 53,00% | 2,00% | 0,00% | 100%
Quantitative (Controls) | 6 | 5 | 24 | 2 | 0 | 37
% | 16,22% | 13,51% | 64,86% | 5,41% | 0,00% | 100,00%
Table 7 - Risk Levels of Non-Implemented Controls
According to the table above, it can be noted that 16,22% of the non-implemented controls represent
29,82% of the risks considered Very High in the organization.
3. NEXT STEPS
This analysis identified the main asset risks, and its results will assist the decision-making process
to address the situations that affect the organization's objectives. The risk levels and the
interpretations for each value are presented in the table below:
Risk Level | PSR Values | Definition
Very Low | 1, 2, 3, 4, 5, 6 | These are acceptable risks, and asset managers should be informed of them.
Low | 8, 9, 10, 12, 15, 16 | These are risks which may be acceptable once reviewed and confirmed by the asset managers.
Medium | 18, 20, 24, 25, 27, 30 | These are risks which may be acceptable once reviewed and confirmed by the asset managers; however, their acceptance should be done formally.
High | 32, 36, 40, 45, 48, 50 | These are unacceptable risks, and asset managers should at least be oriented on how to control them.
Very High | 60, 64, 75, 80, 100, 125 | These are unacceptable risks, and asset managers should be oriented on how to minimize them immediately.
Table 8 - Possible PSR Values
The results of the analysis provide important information for the next steps: risk evaluation and
treatment. Using Modulo Risk Manager to evaluate risks and monitor their treatment allows for
increased productivity and the use of additional tools, such as the What-If treatment simulator,
which allows results to be evaluated in different possible scenarios.
In addition, the evaluation and treatment phases are also integrated with the analysis phase in
Modulo Risk Manager, allowing for the proper use of the results. Thus, when it is decided that a
certain risk will be sent for treatment, the system will allow treatment events to be created,
which can be monitored and which allow for the evolution of the results found in the analysis.
For the next steps, the evaluation phase of the system should be used and the following approach
should be adopted:
- Identify the controls with "Very High" and "High" risk levels;
- Evaluate the possible impacts of implementing these controls in the assets, systems, and
business operations;
- Send the controls with "Very High" and "High" risk levels for immediate treatment;
- Identify the controls with "Medium" risk levels;
- Evaluate the need to implement, in the short term, controls with "Medium" risk levels;
- Identify the benefits of reducing the risks in the organization, using the Risk Index;
- Verify if the residual risks of the evaluation are satisfactory;
- Evaluate the impacts of accepting the controls with lower risk levels;
- Accept the risks for controls with lower risk levels;
- If the residual risks are not satisfactory, continue the process for controls with "Low"
and "Very Low" risk levels;
- Close the project and constantly monitor the residual risk during the treatments.
Risk Management Process