
Document No: eSAFE GD300

Version: 1.0, January 2010

eSecurity Assurance Framework: Guidelines for Information Security Risk Assessment and Management (eSAFE GD300)

Government of India
Department of Information Technology
Ministry of Communications and Information Technology
Electronics Niketan, 6 CGO Complex
New Delhi 110 003


Introduction

Given the sophistication of today's cyber threats and the rich targets that government information systems provide, eSAFE security standards and guidelines need to be flexible and extensible. In that light, risk assessment plays an important part in an eGovernance IS program and in the overall protection strategy. Once an eGovernance project chooses and tailors the baseline security controls based on the initial security categorization as per GD100 and the respective baseline security control sets (GD201, GD202, GD203), it must select additional controls based on risk assessment. The assessment is employed in a more targeted manner to consider additional threat information, specific mission requirements, operating environments, and any other factors that might affect accomplishment of the project's mission or functions. The eGovernance projects can add appropriate security controls or control improvements from the GD200 catalog, demonstrating the commitment to increasing information system security levels beyond the required minimum baselines. Once the security controls are agreed on, they need to be documented and implemented in the eGovernance project.

This guideline documents the information security risk assessment and management methodology for eGovernance projects and is one of the documents identified in the eGovernance Security Assurance Framework (eSAFE). The list of the documents is given below.

Document No.   Document Title
ISF 01         Information Security Assessment Framework
GD 100         Guidelines for Security Categorization of eGovernance Information Systems
GD 200         Catalog of Security Controls
GD 201         Baseline Security Controls for LOW IMPACT INFORMATION SYSTEMS
GD 202         Baseline Security Controls for MEDIUM IMPACT INFORMATION SYSTEMS
GD 203         Baseline Security Controls for HIGH IMPACT INFORMATION SYSTEMS
GD 210         Guidelines for Implementation of Security Controls
GD 220         Guidelines for Assessment of Effectiveness of Security Controls
GD 300         Guidelines for Information Security Risk Assessment and Management


Contents

Introduction ..... 3
Contents ..... 4
1.0 Scope ..... 6
1.1 Objective ..... 6
1.2 Description ..... 6
2.0 Target Audience ..... 6
3.0 Type of Document ..... 6
4.0 Definitions and Acronyms ..... 6
5.0 Information Security Risk Management Process ..... 7
6.0 Risk Assessment ..... 8
6.1 Step 1: Information System Asset Identification ..... 9
6.2 Step 2: Risk Identification ..... 9
6.3 Step 3: Risk Likelihood Assessment ..... 10
6.4 Step 4: Risk Impact Assessment ..... 11
6.5 Step 5: Risk Estimation ..... 12
7.0 Risk Treatment ..... 13
8.0 Risk Monitoring and Review ..... 14
9.0 References ..... 15
10.0 Acknowledgements to the contributors ..... 15
Appendix 1: A Typical List of Information System Assets ..... 16
Appendix 2: Risk Assessment Sheet ..... 18
Appendix 3: Risk Assessment Example 1 ..... 19
Appendix 4: Risk Assessment Example 2 ..... 20

Tables

Table 1: Information Security Risk Management Process vis-à-vis ISMS PDCA ..... 8
Table 2: Risk Likelihood Definition ..... 10
Table 3: Risk Impact Definition ..... 12
Table 4: Risk Level Matrix ..... 12
Table 5: Risk Level ..... 13


Figures

Figure 1: Risk Management Process ..... 7
Figure 2: Risk Assessment Method ..... 9
Figure 3: Risk Treatment ..... 13


1.0 Scope

1.1 Objective

This document provides guidelines for Information Security Risk Assessment and Management in an eGovernance project, supporting the eGovernance Security Standards Framework (eSAFE). This document can also be used to conduct risk assessment and risk management to comply with the requirements of ISO/IEC 27001.

1.2 Description

A systematic approach to information security risk management is necessary to identify organizational needs regarding information security requirements and to create an effective information security management system (ISMS). This approach should be suitable for the organization's environment, and in particular should be aligned with overall enterprise risk management. Security efforts should address risks in an effective and timely manner and should be an integral part of all information security management activities, applied both to the implementation and to the ongoing operation of the ISMS.

2.0 Target Audience

This document is relevant to the managers and staff concerned with information security risk assessment and management within an organization. It is also relevant for the external parties supporting such activities.

3.0 Type of Document

It is a Guidelines document recommended for enforcement in systems for eGovernance.

4.0 Definitions and Acronyms

For the purposes of this document, the terms and definitions given in ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005, ISO/IEC Guide 73:2002, NIST SP 800-30 and the following apply.

Impact: Adverse change to the level of business objectives achieved.

Information security risk: Potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. (NOTE: It is measured in terms of a combination of the likelihood of an event and its consequence.)

Risk avoidance: Decision not to become involved in, or action to withdraw from, a risk situation [ISO/IEC Guide 73:2002]

Risk identification: Process to find, list and characterize elements of risk [ISO/IEC Guide 73:2002]

Risk reduction: Actions taken to lessen the probability, negative consequences, or both, associated with a risk [ISO/IEC Guide 73:2002]

Risk retention: Acceptance of the burden of loss or benefit of gain from a particular risk [ISO/IEC Guide 73:2002] (NOTE: In the context of information security risks, only negative consequences (losses) are considered for risk retention.)

Risk transfer: Sharing with another party the burden of loss or benefit of gain, for a risk [ISO/IEC Guide 73:2002] (NOTE: In the context of information security risks, only negative consequences (losses) are considered for risk transfer.)

Threat: The potential for a threat source to exploit (accidentally trigger or intentionally exploit) a specific vulnerability.

Threat source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.

Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exploited (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.

5.0 Information Security Risk Management Process

The risk management process consists of three broad sub-processes: risk assessment, risk treatment, and risk monitoring and review. The process diagram is given in Figure 1.

[Figure 1: Risk Management Process]


As Figure 1 illustrates, the information security risk management process is an iterative process. The iterative approach provides a good balance between minimizing the time and effort spent and identifying or improving controls. Table 1 summarizes the information security risk management activities relevant to the four phases of the ISMS process:

Table 1: Information Security Risk Management Process vis-à-vis ISMS PDCA

ISMS Process   Information Security Risk Management Process
Plan           Risk assessment, Risk treatment plan
Do             Implementation of the risk treatment plan
Check          Continual monitoring and reviewing of the risks
Act            Maintain and improve the Information Security Risk Management Process

6.0 Risk Assessment

Risk assessment is the first sub-process of the risk management process. Risk assessment is used to estimate the levels of the identified risks on the target information system assets. The risks are functions of the likelihood of given threat sources exploiting potential vulnerabilities, and the resulting impacts of that adverse event on the system or the organization.

The risk assessment method consists of five primary steps: (1) identification of information system assets, (2) identification of risks for each of the assets, (3) assessment of risk likelihood, (4) assessment of risk impact on the asset and/or the organization, (5) estimation of the level of risk. The risk assessment method is represented diagrammatically in Figure 2.


[Figure 2: Risk Assessment Method]

6.1 Step 1: Information System Asset Identification

The purpose of this step is to establish the scope of the risk assessment by identifying the target information system assets. These are usually all information systems which help to carry out various business/mission processes or services. Each information system may consist of a group of supporting assets like hardware, software, network, data/information, users/operators, interfaces etc. However, the risk assessment can also be done on individual supporting assets if required. A typical list of information systems is given in Appendix 1.

6.2 Step 2: Risk Identification

In this step, for each target asset identified in step 1, a set of potential risks is identified. These risks are nothing but incident scenarios. An incident scenario describes a threat source which may cause damage to the asset by exploiting a vulnerability or set of vulnerabilities. The output of this step will be an array of risks, each with a unique risk id, risk description and associated threats and vulnerabilities. All this information should be captured in the Risk Assessment Sheets (refer to Appendix 2 for a typical Risk Assessment Sheet). Create a Risk Assessment Sheet for each identified risk.

6.3 Step 3: Risk Likelihood Assessment

After identifying the risks or incident scenarios, it is necessary to assess the likelihood of each risk. The level of risk depends upon this likelihood value. This should take account of how often the threats occur and how easily the vulnerabilities may be exploited, considering:

I. Experience and applicable statistics for threat likelihood.
II. For deliberate threats: the motivation, capabilities and resources available to the threat sources, as well as the perception of attractiveness and vulnerability of the target assets for the threat source.
III. For accidental threats: geographical factors, e.g. proximity to chemical or petroleum plants, the possibility of extreme weather conditions, and factors that could influence human errors and equipment malfunction.
IV. Identified vulnerabilities, both individually and in aggregation.
V. Existing controls or the baseline controls and how effectively they reduce the vulnerabilities.

The likelihood of a risk or incident scenario can be described as high, medium, or low. Table 2 below defines these three likelihood levels. The output of this step will be a risk likelihood level for each identified risk, which will be recorded in the respective Risk Assessment Sheets.

Table 2: Risk Likelihood Definition

Likelihood Level (L)   Likelihood Definition
High (1)               The threat source is highly motivated and sufficiently capable and has adequate resources, and controls to prevent exploitation of the vulnerabilities are ineffective.
Medium (0.5)           The threat source is motivated and capable with adequate resources, but controls are in place that may impede successful exploitation of the vulnerabilities.
Low (0.1)              The threat source lacks motivation or capability or is without adequate resources, or controls are in place to prevent, or at least significantly impede, the exploitation of the vulnerabilities.


6.4 Step 4: Risk Impact Assessment

In this step the level of adverse impact is assessed, which is required in estimating the risk level. The adverse impact of a security incident can be described in terms of loss or degradation of any, or a combination, of the following three security goals: confidentiality, integrity and availability. The following describes each:

I. Loss of Integrity: System and data integrity refers to the requirement that information be protected from improper modification. Integrity is lost if unauthorized changes are made to the data or IT system by either intentional or accidental acts. If the loss of system or data integrity is not corrected, continued use of the contaminated system or corrupted data could result in inaccuracy, fraud, or erroneous decisions. Also, violation of integrity may be the first step in a successful attack against system availability or confidentiality. For all these reasons, loss of integrity reduces the assurance of an IT system.
II. Loss of Availability: If a mission-critical IT system is unavailable to its end users, the organization's mission may be affected. Loss of system functionality and operational effectiveness, for example, may result in loss of productive time, thus impeding the end users' performance of their functions in supporting the organization's mission.
III. Loss of Confidentiality: System and data confidentiality refers to the protection of information from unauthorized disclosure. The impact of unauthorized disclosure of confidential information can range from the jeopardizing of national security to the disclosure of private data. Unauthorized, unanticipated, or unintentional disclosure could result in loss of public confidence, embarrassment, or legal action against the organization.

Some tangible impacts can be measured quantitatively in lost revenue, the cost of repairing the system, or the level of effort required to correct problems caused by a successful threat action. Other impacts (e.g., loss of public confidence, loss of credibility, damage to an organization's interest) cannot be measured in specific units but can be qualified or described in terms of high, medium, and low. All types of impacts can easily be described as high, medium, and low. Table 3 below defines these impact levels. The output of this step will be a risk impact level for each identified risk, which will be recorded in the respective Risk Assessment Sheets.


Table 3: Risk Impact Definition

Impact Level (I)   Impact Definition
High (10)          Exploitation of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human death or serious injury.
Medium (5)         Exploitation of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human injury.
Low (1)            Exploitation of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization's mission, reputation, or interest.

6.5 Step 5: Risk Estimation

In this step risk is estimated as a function of Risk Likelihood and Risk Impact (Risk Level = Likelihood Level x Impact Level) from the following Risk Level Matrix (Ref: Table 4). The Risk Levels will be Low, Medium or High. Table 5 briefly describes the implications of the Risk Levels. Record the risk levels in the respective Risk Assessment Sheets.

Table 4: Risk Level Matrix

Likelihood Level (L)   Impact Level (I)
                       LOW (1)             MEDIUM (5)            HIGH (10)
HIGH (1)               Low (1x1=1)         Medium (1x5=5)        High (1x10=10)
MEDIUM (0.5)           Low (0.5x1=0.5)     Medium (0.5x5=2.5)    Medium (0.5x10=5)
LOW (0.1)              Low (0.1x1=0.1)     Low (0.1x5=0.5)       Low (0.1x10=1)

Risk Level: Low (≤1), Medium (>1 and ≤5), High (>5)
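The estimation rule of Step 5 and the Table 4 matrix, written out as an added example (this code is not part of the eSAFE document; the function names are this example's). It takes the level names and weights from Tables 2 and 3, rebuilds all nine matrix cells, and rejects any level outside the three-point scales so that a mistyped value in a sheet cannot silently produce a score. The boundary handling (a score of exactly 1 is Low, exactly 5 is Medium) is read off the matrix cells on the page.

```python
# Added example, not part of eSAFE GD300: Step 5 risk estimation coded from
# the document's own scales (Table 2 likelihood weights, Table 3 impact
# weights, Table 4 thresholds). Function and variable names are this example's.
from itertools import product

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # Table 2
IMPACT = {"High": 10, "Medium": 5, "Low": 1}            # Table 3


def risk_score(likelihood: str, impact: str) -> float:
    """Risk Level = Likelihood Level x Impact Level (Section 6.5).
    Anything outside the three-point scales is an error, not a zero."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(
            f"levels must be High/Medium/Low, got {likelihood!r}, {impact!r}")
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def classify(score: float) -> str:
    """Thresholds under Table 4: Low (<=1), Medium (>1 and <=5), High (>5).
    Boundaries follow the matrix cells: 1 is Low, 5 is Medium."""
    if score <= 1:
        return "Low"
    if score <= 5:
        return "Medium"
    return "High"


def risk_matrix() -> dict:
    """Rebuild Table 4: (likelihood, impact) -> (score, level) for all 9 cells."""
    return {(lik, imp): (risk_score(lik, imp), classify(risk_score(lik, imp)))
            for lik, imp in product(LIKELIHOOD, IMPACT)}


def levels_needing_treatment() -> list:
    """Cells rated Medium or High, i.e. those for which Table 5 requires a
    risk treatment plan."""
    return sorted(cell for cell, (_, level) in risk_matrix().items()
                  if level != "Low")


def format_matrix() -> str:
    """Render the matrix as text in the same orientation as Table 4
    (likelihood down the side, impact across the top)."""
    cols = ["Low", "Medium", "High"]
    rows = ["High", "Medium", "Low"]
    lines = ["L \\ I".ljust(14)
             + "".join(f"{c} ({IMPACT[c]})".rjust(18) for c in cols)]
    for r in rows:
        cells = [f"{classify(risk_score(r, c))} "
                 f"({LIKELIHOOD[r]:g}x{IMPACT[c]}={risk_score(r, c):g})"
                 for c in cols]
        lines.append(f"{r} ({LIKELIHOOD[r]:g})".ljust(14)
                     + "".join(x.rjust(18) for x in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_matrix())
```

Running the module prints the reconstructed matrix; `levels_needing_treatment()` gives the four likelihood/impact combinations (High/High, High/Medium, Medium/High, Medium/Medium) that cannot simply be retained under Table 5.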


Table 5: Risk Level

Risk Level   Risk Description
High         Risk needs to be mitigated as soon as possible. A risk treatment plan with identified additional controls and control improvements and a time frame for implementation needs to be prepared.
Medium       Risk needs to be mitigated within a reasonable period of time. A risk treatment plan with identified additional controls and control improvements and a time frame for implementation needs to be prepared.
Low          Risk is acceptable and no other control or control improvements are required.

7.0 Risk Treatment

Risk treatment is a systematic approach to mitigating the assessed risks by exercising the various options available. There are four options available for risk treatment: risk reduction, risk retention, risk avoidance and risk transfer. Figure 3 illustrates the risk treatment activity.

[Figure 3: Risk Treatment. Flow: Risk Assessment Results -> Risk Treatment Options (Risk Reduction, Risk Retention, Risk Avoidance, Risk Transfer) -> Residual Risk]

Risk reduction: Risk can be reduced by selecting additional controls or improving the existing controls. For example, selection of the controls and the control improvements may be done from the document GD200, over and above the existing baseline controls.


Risk retention: If the level of risk meets the risk acceptance criteria, the risk can be retained or accepted. ISO 27001 uses the term risk acceptance instead of risk retention. For example, a risk level of 4 can be retained if the acceptance criterion is that a risk is acceptable when its level is less than 5.

Risk avoidance: When an identified risk is too high or the risk treatment cost exceeds the benefit, the risk may be avoided by withdrawing the concerned activities and looking for suitable alternatives. For example, if it is perceived that outsourcing of the network management activity has very high risk due to the sensitivity of a project, take the decision not to outsource and instead build your own team for network management.

Risk transfer: Some types of risks can be transferred to external parties, e.g. purchasing insurance, outsourcing, or obtaining managed services from external parties.

Risk treatment options should be selected based on the expected cost of implementing these options and the expected benefits from these options. When large reductions in risk may be obtained with relatively low expenditure, such options should be implemented.

In general, the adverse consequences of risks should be made as low as possible. For some rare and severe risks, controls are not justifiable on strictly economic grounds but need to be implemented (for example, business continuity controls considered to cover specific high risks).

The four options for risk treatment are not mutually exclusive. Sometimes it is beneficial to use those options in combination.

Once the risk treatment options have been decided and a risk treatment plan is made, residual risks need to be determined. This involves an update of the risk levels determined earlier (in the corresponding Risk Assessment Sheets) by considering the effects of the risk treatment.

8.0 Risk Monitoring and Review

Risks are not generally static, as threats, vulnerabilities, likelihood or impact may change at any time. Therefore, constant monitoring is necessary to detect the changes. Monitoring of the following is necessary:

I. Addition of new assets
II. Change in asset values
III. New threats that have not been considered during the last assessments
IV. New vulnerabilities discovered
V. Information security incidents
VI. Change in risk impact
VII. Change in controls/countermeasures
VIII. Change in business/legal/contractual requirements

The outcome of risk monitoring activities may be input to risk review. The risks should be reviewed regularly and in light of the above changes.


9.0 References

[1] eSAFE GD100: Guidelines for Security Categorization of Information Systems
[2] eSAFE GD200: Catalog of Security Controls
[3] FIPS PUB 199: Standards for Security Categorization of Federal Information and Information Systems
[4] NIST SP 800-53: Recommended Security Controls for Federal Information Systems
[5] NIST SP 800-30: Risk Management Guide for Information Technology Systems
[6] ISO/IEC 27001: Information technology - Security techniques - Information security management systems - Requirements
[7] ISO/IEC 27002: Information technology - Security techniques - Code of practice for information security management
[8] ISO/IEC 27005: Information technology - Security techniques - Information security risk management
[9] ISO/IEC Guide 73:2002: Risk management - Vocabulary - Guidelines for use in standards

10.0 Acknowledgements to the contributors

Members of the core group in STQC:
Ms. Mitali Chatterjee, Senior Director (Convener)
Mr. Arvind Kumar, Director
Mr. N. E. Prasad, Director
Mr. B. K. Mondal, Director
Mr. Aloke Sain, Director
Mr. Subhendu Das, Director


Appendix 1: A Typical List of Information System Assets

#    Asset Description                  Supporting Assets
1    Finance Management System          Hardware, Software, Data/Information, Services
2    HR Management System               do
3    Salary Processing System           do
4    Production Management System       do
5    Internet Portal                    do
6    Intranet Portal                    do
7    Email Service                      do
8    Internet Service                   do
9    VPN (Remote Access) Service        do
10   Routing Service                    do
11   DNS Service                        do
12   FTP Service                        do
13   File Server                        do
14   LDAP Server                        do
15   Anti-Virus System                  do

("do" = same supporting assets as item 1)


#    Asset Description                  Supporting Assets
16   Central Logging Server             do
17   OS Update Services                 do
18   Backup System                      do
19   Network Management System          do
20   Printing Service                   do
21   Scanning Service                   do
23   User Workstations                  do
24   LAN                                do
25   WiFi Service                       do
26   Firewall                           do
27   IDS/IPS                            do
28   Leased Line                        do
29   Support Service: Power Supply      do
30   Support Service: Air Conditioning  do


Appendix 2: Risk Assessment Sheet

RISK ASSESSMENT SHEET
Asset: <Name of the Target Information System Asset>
Risk No: <Risk ID>
Risk Description: <Describe the risk or incident scenario>
Threat Description: <Describe the threat, threat source>
Vulnerabilities: <List relevant vulnerabilities>
Existing Controls: <List relevant existing or planned controls or baseline controls>
Likelihood Level: <Value> <Rationale>
Impact Level: <Value> <Rationale>
Risk Level: <Value> <Remarks>
Risk Treatment Actions: <List Selected Controls or Control Improvements or any other actions>
Revised Likelihood Level: <Value> <Rationale>
Revised Impact Level: <Value> <Rationale>
Residual Risk Level: <Value> <Remarks>


Appendix 3: Risk Assessment Example 1

RISK ASSESSMENT SHEET
Asset: Intranet Information Portal for Employees
Risk No: R0012
Risk Description: Attacker's access to employee private data by dictionary or brute force attack on the login page.
Threat Description: The attacker can be any user having legitimate access to the portal. He can use an easily available password cracking tool or write scripts to find out a user's password and can get access to her private data.
Vulnerabilities: The application uses form-based authentication but it has not incorporated any mechanism to limit unsuccessful attempts of login.
Existing Controls: (i) The portal can be accessed from the LAN. No access is possible from the Internet or a public network, (ii) All users are made aware about selection of quality passwords, (iii) Physical and logical access to the LAN workstations is restricted to the employees only.
Likelihood Level: Low (0.1). Rationale: Since it is restricted to the LAN environment, and others' private information may not be that attractive to motivate the employees to attack.
Impact Level: Medium (5). Rationale: Some personal information like date of birth, PAN no. etc. may be misused, which can cause some impact on an employee.
Risk Level: 0.5. Remarks: Risk level is Low since it is less than 1. Risk is acceptable.
Risk Treatment Actions: NA
Revised Likelihood Level: <Value> <Rationale>
Revised Impact Level: <Value> <Rationale>
Residual Risk Level: 0.5, Low Risk


Appendix 4: Risk Assessment Example 2

RISK ASSESSMENT SHEET
Asset: Government Information Portal
Risk No: R0006
Risk Description: Defacing of the website.
Threat Description: Defacement of web pages by malicious users.
Vulnerabilities: Lack of regular vulnerability assessment of the web application.
Existing Controls: (i) The web server is placed behind a sophisticated firewall and access to the site is possible through ports 80 and 443 only, with associated security measures like IPS, (ii) No uploading of contents to the site is allowed from the Internet, (iii) The web application is thoroughly tested and the associated infrastructure and operating environment is hardened before opening to the Internet, (iv) All changes of contents of the site are carried out by authorised persons following the change control procedure, (v) The web server is located in the data centre, which is under strict physical and logical access control, (vi) The server is protected by anti-virus with an auto-update facility, (vii) The OS and application servers are regularly patched for security as soon as patches are available.
Likelihood Level: Medium (0.5). Rationale: Although many controls have been implemented, a moderate likelihood still exists because (i) it is a Government site and many anti-Government/Country activists are there on the Internet, (ii) the web application is not assessed for vulnerabilities and configuration mistakes regularly.
Impact Level: High (10). Rationale: Huge loss of reputation and image of the Government/Country.
Risk Level: Medium. Remarks: Risk level is Medium. Risk is not acceptable and needs to be treated.
Risk Treatment Actions: Define and implement a technical vulnerability assessment policy and procedure to conduct vulnerability assessment of the application after any changes in the application or operating environment as well as at a regular interval (say at least once in a quarter).
Revised Likelihood Level: Low (0.1). Rationale: The above additional control will reduce the risk likelihood.
Revised Impact Level: High (10). Rationale: No change.
Residual Risk Level: Low. Remarks: The residual risk is Low and acceptable.
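The two filled-in sheets above (R0012 and R0006), carried through as an added example that is not part of the eSAFE document: the Appendix 2 sheet as a record type, with the Step 5 estimation, the Table 5 acceptance rule and the Section 7 residual-risk update applied to both instances. The control and threat texts are abbreviated from Appendices 3 and 4; the field and method names are this example's, not the document's.

```python
# Added example, not part of eSAFE GD300: the Appendix 2 Risk Assessment
# Sheet as a record, with Step 5 estimation, the Table 5 acceptance rule and
# the Section 7 residual-risk update. The two instances are transcribed from
# Appendix 3 and Appendix 4; field and method names are this example's.
from dataclasses import dataclass, field
from typing import List, Optional

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # Table 2 weights
IMPACT = {"High": 10, "Medium": 5, "Low": 1}            # Table 3 weights

REQUIRED_ACTION = {                                      # Table 5, condensed
    "High": "Mitigate as soon as possible; prepare a risk treatment plan.",
    "Medium": "Mitigate within a reasonable period; prepare a risk treatment plan.",
    "Low": "Acceptable; no further controls required.",
}


def classify(score: float) -> str:
    """Low (<=1), Medium (>1 and <=5), High (>5): the thresholds under Table 4."""
    return "Low" if score <= 1 else "Medium" if score <= 5 else "High"


@dataclass
class RiskAssessmentSheet:
    asset: str
    risk_no: str
    risk_description: str
    threat_description: str
    vulnerabilities: List[str]
    existing_controls: List[str]
    likelihood: str                 # High / Medium / Low
    impact: str                     # High / Medium / Low
    treatment_actions: List[str] = field(default_factory=list)
    revised_likelihood: Optional[str] = None    # None = not revised
    revised_impact: Optional[str] = None

    def risk_score(self) -> float:
        """Risk Level = Likelihood Level x Impact Level (Section 6.5)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def risk_level(self) -> str:
        return classify(self.risk_score())

    def acceptable(self) -> bool:
        """Table 5: only a Low risk needs no further controls."""
        return self.risk_level() == "Low"

    def residual_score(self) -> Optional[float]:
        """Section 7: re-estimate after treatment. A field left unrevised keeps
        its original level; None means no revision was recorded at all."""
        if self.revised_likelihood is None and self.revised_impact is None:
            return None
        lik = self.revised_likelihood or self.likelihood
        imp = self.revised_impact or self.impact
        return LIKELIHOOD[lik] * IMPACT[imp]

    def residual_level(self) -> Optional[str]:
        score = self.residual_score()
        return None if score is None else classify(score)

    def treatment_complete(self) -> bool:
        """An acceptable risk needs nothing more; otherwise the sheet must
        record treatment actions and a residual risk that is Low."""
        if self.acceptable():
            return True
        return bool(self.treatment_actions) and self.residual_level() == "Low"


# Appendix 3 (R0012), threat and control texts abbreviated.
EXAMPLE_1 = RiskAssessmentSheet(
    asset="Intranet Information Portal for Employees", risk_no="R0012",
    risk_description="Attacker's access to employee private data by dictionary "
                     "or brute force attack on the login page",
    threat_description="Any user with legitimate access to the portal",
    vulnerabilities=["Form-based login with no limit on unsuccessful attempts"],
    existing_controls=["LAN access only", "Password awareness",
                       "Workstation access restricted to employees"],
    likelihood="Low", impact="Medium")

# Appendix 4 (R0006), controls abbreviated; revised impact recorded as "No change".
EXAMPLE_2 = RiskAssessmentSheet(
    asset="Government Information Portal", risk_no="R0006",
    risk_description="Defacing of the website",
    threat_description="Defacement of web pages by malicious users",
    vulnerabilities=["Lack of regular vulnerability assessment of the web application"],
    existing_controls=["Firewall with IPS, ports 80/443 only", "No upload from Internet",
                       "Hardened before exposure", "Change control",
                       "Data centre access control", "Auto-updating anti-virus",
                       "Regular patching"],
    likelihood="Medium", impact="High",
    treatment_actions=["Technical vulnerability assessment policy and procedure: "
                       "assess after any change and at least once a quarter"],
    revised_likelihood="Low", revised_impact="High")

if __name__ == "__main__":
    for sheet in (EXAMPLE_1, EXAMPLE_2):
        print(sheet.risk_no, sheet.risk_score(), sheet.risk_level(),
              "->", REQUIRED_ACTION[sheet.risk_level()],
              "| residual:", sheet.residual_level(),
              "| complete:", sheet.treatment_complete())
```

Running it reproduces the two sheets: R0012 scores 0.1 x 5 = 0.5 (Low, acceptable, no revision needed) and R0006 scores 0.5 x 10 = 5 (Medium, treatment required), dropping to 0.1 x 10 = 1 (Low) once the revised likelihood is recorded. `treatment_complete()` is the check a reviewer would run over a whole register before closing the Plan phase of Table 1.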
