Information Security

COURSE WORK ON SECURITY MANAGEMENT
MODULE LEADER Dr. H. MOURATIDIS
MODULE CODE SDM023
SUBMITED BY NANI KODURI THISARA SENEVIRATNE 0919879 0931838
ANTHONYS SENEVIRATNE 0931840 MAHENDRARAJAH JOHN THAMILRAJ

SECURITY MANAGEMENT (SDM023)
0747023
Page 1
Index
INTRODUCTION Assets (BS ISO/IEC 27001:2005, Section A.7, sub section A.7.1.1) Ownership of the Assets (BS ISO/IEC 27001:2005, Section A.7, sub section A.7.1.2) Asset Value Identified Threats Threat Applicability Identified Vulnerabilities Vulnerability values for Identified Threats Identification of Required Controls for Identified Risks Conclusion Appendix A- Organization Chart Appendix B - Asset Values and Impacts of an Incident Appendix C- Likelihood of Vulnerability being Exploited by a given Threat 76 References
page no
3 6 6 7 8 9 155 18 41 73 74 75 76 77
Page 2
Introduction
Information is the one of the most significant asset to an organization, when it comes to a university the significance of information is highly crucial because it establishes and maintains the degree of trust between the students and the staff as well as the resources available for the current students, academic staff as well as the prospective students and administration staff. It maintains the compliance with the law and it maintains the ranking and the reputation among other universities. The security of information is the course of protecting its current and reliable data and makes it accessible to the users when it is necessary and also maintains the processed information safely. Information security provides and maintains a major role in the university infrastructure. The security to the universities information is vital because that information could be confidential and because of the privacy of that information. Therefore the university must maintain adequate security for their information based on the level of operations and confidentiality. Information security measures must have strategic level support and much financial support to provide the adequate level of security based on the level of information it possessed. As a general rule organizations do not pay much attention to the information security and they inaccurately perceive the fact that information security is ongoing process and the control measures are just one of the indicators of the overall process, therefore the university should have to have proper ongoing information security strategy to identify the currents threats, technological and legal barriers as well as the current business conditions if they really need to get an competitive advantage among other universities. It is the best practice to mitigate the risks while having a risk assessment plan and continuously assessing it to a risk tolerance level. Organizations such as ISO and IEC that form the specialized system for worldwide standardizations implemented the ISO/IEC standards. Section 27001 of ISO/IEC standardization by defining the and providing a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system . This model provides the guidelines to and enforcement of ISMS functioning will be measured in accordance with the requirements of the institute. Compliance to this ISO/IEC standardization should be a strategic decision and it should be evaluated continuously with the time. As general practice organizations do not establish and maintain proper information security policies, section 27001 of ISO/IEC standardization provides guidelines and enforcement option to be used by the interested internal and external parties. To maintain effective and continues risk assessment plan data should be identified and gathered about the assets of the university of east London, which carries the information, physical, existing security controls, peripheral assets as well as the people, processes and university policies.
Page 3
Risk assessment Risk assessment plan is to analyze the probability or number of occurrences and their impact associated with the identified threats and vulnerabilities to the assets that has been identified while assigning the values. Qualitative Risk Assessment Vs Quantitative Risk Assessment Qualitative risk analysis is used rank risk events according to importance by assessing and combining their likelihood of happening and force to organize the needs for further analysis. As per the name implies qualitative risk assessment is a process that analyses risk using questionnaires and surveys from belongs to different work groups or with different ideas. People can choose information technology managers and staff security experts, stakeholders. In qualitative risk assessment it does not assign hard financial values, by using questionnaires to gather the useful information about the assets the participants identify the owner of the asset and assign the estimated value and the type of vulnerabilities exploit the threat on the asset in future. Even though the basic process for both risk assessment criteria is basically same, but the values that are used in a quantitative approach has to be calculated accurately with the cost, but when it comes to qualitative approach it is a relative figure and the individuals who are taking part in this process do not spend much time in this calculating the precise figures and impact as well as implementing controls. Quantitative approach is bit more challenging than the qualitative approach and its more demanding and it requires the experts from different areas like security experts and administrative staff to approach with their ideas and with controls how to moderate risks along with a cost benefit analysis for a organization. When it comes to the benefits the qualitative approach defeat the dispute of providing perfect statistics and the need of experts to come up with controls how to mitigate the risks associate with the organisation. In general organization spend much time on quantitative analysis because they made their strategic plans for longer period of times based on the cost benefit analysis which would result from an accurate quantitative risk analysis. According to our scenario we would suggest that it s the best practice to use the qualitative approach in our case study because of the lack of information available to us about the assets and who owns those assets as well as the knowledge that we posses is minimum about the university and security measures that they have taken to mitigate the risks. Moreover it is not possible us to analyse the vulnerabilities by going through questionnaires with different peoples who works on different levels of the East London University. Finally we are not going to do a cost benefit analysis which helps in strategic decision making process; therefore we recommend carrying out a qualitative approach rather than a quantitative one.
Page 4
Scope of the Risk Assessment

This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non profit organizations). This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving documented ISMS within the context of the organizations business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. The ISMS is designed to ensure the selection of adequate proportionate security controls that protect information assets and give confidence to interested parties. (British Standard BS ISO/IEC 27001:2005) Information security is ongoing process and the control measures are just one of the indicators of the overall process, therefore the university should have to have proper ongoing information security strategy to identify the currents threats, technological and legal barriers as well as the current business conditions if they really need to get an competitive advantage among other universities. It is the best practice to mitigate the risks while having a risk assessment plan and continuously assessing it to a risk tolerance level.
Procedures for developing and maintaining the risk register

The document that details all the identified risks, the results from the analysis used to evaluate them, the proposed responses to handle them, and the procedures used to monitor and track the status is known as risk register. When it comes to preparing a proper risk register, initial step is to identified assets and then the assets that have been identified we have to assigning the ownership and then the process of assigning the values to the assets. Exploits vulnerabilities on the assets, and the final calculation of the overall risk values and applying the controls
Page 5
Assets Identification
ASSET SOFTWARE HARDWARE INFORMATION ASSET(ELECTRONIC) TECHNICAL SUPPORT NETWORK SERVICES INTANGIBLE ASSETS STAFF STUDENTS PROPERTY
(BS ISO/IEC 27001:2005, Section A.7, sub section A.7.1.1)
DETAILS OPERATING SYSTEM AND APPLICATIONS SOFTWARE COMPUTERS,TELEPHONE SYSTEMS,SERVERS DATABASE, STUDENT HANDBOOK.STUDENT RECORD FILES. STAFF RECORD FILES, OPERATIONAL PROCEDURES, E-LEARNINGRESOURCES, PROVIDING GOOD SUPPORT FOR LABORATORIES ROUTERS,HUBS,SWITCHES,SUPERJANET CABLING, AUDIO-VISUAL TEACHING EQUIPMENT,LABORATORIES,DEDICATED IT TRAINING GOOD REPUTATION, GOOD WILL,UNIVERSITY RANKING, ACADEMIC STAFF, ADMINISTRATIVE STAFF GRADUATES,POST GRADUATES,RESEARCH STUDENTS BULDINGS,CAMPUSES
Ownership of the Assets

ASSET SOFTWARE HARDWARE
(BS ISO/IEC 27001:2005, Section A.7, sub section A.7.1.2)

OWNER REBECCA LEVENE REBECCA LEVENE A LNGLE
DETAILS OPERATING SYSTEM AND APPLICATIONS SOFTWARE COMPUTERS,TELEPHONE SYSTEMS,SERVERS
INFORMATION DATABASE, STUDENT HANDBOOK.STUDENT RECORD FILES. STAFF ASSET(ELECTRONIC) RECORD FILES, OPERATIONAL PROCEDURES, ELEARNINGRESOURCES, TECHNICAL PROVIDING GOOD SUPPORT FOR LABORATORIES SUPPORT NETWORK ROUTERS,HUBS,SWITCHES,SUPERJANET CABLING, SERVICES INTANGIBLE ASSETS STAFF STUDENTS PROPERTY AUDIO-VISUAL TEACHING EQUIPMENT,LABORATORIES,DEDICATED IT TRAINING GOOD REPUTATION, GOOD WILL,UNIVERSITY RANKING, ACADEMIC STAFF, ADMINISTRATIVE STAFF GRADUATES,POST GRADUATES,RESEARCH STUDENTS BULDINGS,CAMPUSES
TRACY BOAKES REBECCA LEVENE TRACY BOAKES M THRONE M THRONE M THRONE R ALLANACH Page 6
Asset value
ASSET SOFTWARE HARDWARE DETAILS OPERATING SYSTEM AND APPLICATIONS SOFTWARE COMPUTERS,TELEPHONE SYSTEMS,SERVERS OWNER REBECCA LEVENE REBECCA LEVENE A LNGLE VALUE 3 2 4 RISK ASSESMENT UEL HAVING A LARGE NO OF SYSTEM SOFTWARES AND DATABASES THE LOSS WILL BE HIGHER RISK CAN BE IDENTIFIED EASILY , THE LOSS WILL BE MINOR AND EASY TO RELOCARE CHANCE OF TAPPING DATABASES AND STUDENT REGISTERS THEN LOSS AND RISK WILL BE HIGHER CHANCE OF OCCURING DAMAGES IS MAJOR DUE TO POWER DISTURBENCES & PERSONAL ERRORS UEL NETWORK IS UNDER GOOD TECHNICAL SUPPORT THE RISK WILL BE MINOR HIGHLY PROTECTED AND LOCATED IN A SAFETY ZONE SO THE RISK WILL BE LOWER HIGHLY DEPEND ON THE REPUTATION ,IT'S TAKES LONG TIME TO REGAIN NAME AND GOOD WILL VERY GOOD DEDICATED TEACHING STAFF UEL PROVIDING VERY GOOD SAFETY MEASURES FOR THE STUDENTS SO THE RISK IS INSIGNIFICANT SINCE THE CAMPUSESE ARE LOCATED IN SAFETY ZONE AND NEAR CITY AIRPORT THE RISK IS MINOR
INFORMATION DATABASE, STUDENT HANDBOOK.STUDENT RECORD ASSET(ELECTRONIC) FILES. STAFF RECORD FILES, OPERATIONAL PROCEDURES, E-LEARNINGRESOURCES, RESEACH WORK RESEARCH DATA AND RESULTS, LABORATORY EXPERIMENTS NETWORK ROUTERS,HUBS,SWITCHES,SUPERJANET CABLING, SERVICES INTANGIBLE ASSETS STAFF STUDENTS PROPERTY AUDIO-VISUAL TEACHING EQUIPMENT,LABORATORIES,DEDICATED IT TRAINING GOOD REPUTATION, GOOD WILL,UNIVERSITY RANKING, ACADEMIC STAFF, ADMINISTRATIVE STAFF GRADUATES,POST GRADUATES,RESEARCH STUDENTS BULDINGS,CAMPUSES
TRACY BOAKES REBECCA LEVENE TRACY BOAKES M THRONE M THRONE M THRONE R ALLANACH
4 2 2 5 1 1 2
(Please refer Appendix A for values)
Page 7
Identified Threats
Airborne particles or dust Air Conditioning failure Bomb attack Communications Infiltration Damage to communications cables Deterioration of storage media Earthquake Eavesdropping Environmental contamination Extreme of temperature /Extreme humidity conditions Failure of communications services Failure of network components Failure of power supply Failure of water supply Fire Flooding Hardware failure Hurricane Illegal use of software Lightning Maintenance error Malicious software Masquerading of User ID Misrouting or re-routing of messages Misuse of resources Network access by unauthorised persons Operational support staff error Power fluctuations Use of network facilities in unauthorised way Software failure Staff shortage Theft Traffic analysis Traffic overloading Transmission errors Unauthorised use of software Unauthorised use of storage media Use of software by unauthorised users User error Wilful damage
Page 8
Threat Applicability
Research & Experiment works
Information Assets (Electronic)
Threat Hardware Software
Intangible Assets
Students
Airborne particles or dust
4 Unlikely, Due to a hardware failure
6 Probable, crashed due to dust
6 Probable, Due H/W failures
8 Expected, erroneou s experime ntal data 4 Unlikely, due to hardware failures
5 Feasible, crashed due to dust
6 Probable, damaged due to dust
1 Negligible
1 Negligible
1 Negligible
Negligible
Air Conditioning failure
5 Feasible, crashed due to temperat ure
5 Feasible, crashed due to temperat ure 2 Extremel y unlikely
1 Negligible
1 Negligible
1 Negligible
Negligible
Bomb attack
2 Extremel y unlikely
Extremel y unlikely
Page 9
Property
1 1 2
Network
Services
Staff
Communications Infiltration
1 Negligible
1 Negligible
6 Probable, confident iality damage 5 Feasible 5 Feasible 2 Extremel y unlikely 6 Probable 1 Negligible 6 Probable, Due H/W failures
8 Expected, network damages
1 Negligible
1 Negligible
1 Negligible
1 Negligible
Damage to communications lines/cables
1 Negligible
5 Feasible 1 Negligible 2 Extremel y unlikely 1 Negligible 1 Negligible 6 Probable, Due H/W failures
5 Feasible 5 Feasible 2 Extremel y unlikely 6 Probable 6 Probable 8 Expected, erroneou s experime ntal data
5 Feasible 1 Negligible 2 Extremel y unlikely 6 Probable 1 Negligible 6 Probable, Due H/W failures
6 Probable 5 Feasible 2 Extremel y unlikely 1 Negligible 1 Negligible 5 Feasible, crashed due to temperat ure
1 Negligible 1 Negligible 2 Extremel y unlikely 1 Negligible 1 Negligible 1 Negligible
1 Negligible 1 Negligible 2 Extremel y unlikely 1 Negligible 1 Negligible 2 Extremel y unlikely
Deterioration of storage media
1 Negligible
Earthquake
Eavesdropping
1 Negligible
Environmental contamination
1 Negligible
Extreme of temperature / humidity
Page 10
Failure of communications services
5 Feasible, crashed due to no updates
1 Negligible
5 Feasible
5 Feasible
5 Feasible, network can be down 8 Expected
5 Feasible
1 Negligible
1 Negligible
1 Negligible
1 Negligible
Failure of network components
5 Feasible
5 Feasible
5 Feasible
8 Expected
1 Negligible
1 Negligible
1 Negligible
1 Negligible
Failure of power supply
8 Expected
6 Probable, Due H/W failures 2 Extremel y unlikely 6 Probable,
8 Expected
8 Expected
1 Negligible
1 Negligible
1 Negligible
1 Negligible
Failure of water supply
1 Negligible
1 Negligible
1 Negligible
1 Negligible
1 Negligible
1 Negligible
1 Negligible
1 Negligible
1 Negligible
Fire
5 Feasible
5 Feasible
5 Feasible
5 Feasible
1 Negligible
1 Negligible
1 Negligible
3 Very unlikely 2 Extremel y unlikely 1 Negligible
Flooding
2 Extremel y unlikely 6 Probable, Due H/W failures
2 Extremel y unlikely 5 Feasible
2 Extremel y unlikely 1 Negligible
Hardware failure
Page 11
Hurricane
2 Extremel y unlikely 2 Extremel y unlikely 6 Probable, Due H/W failures 6 Probable, 2 Extremel y unlikely 1 Negligible
2 Extremel y unlikely 2 Extremel y unlikely 6 Probable, Due H/W failures 6 Probable, 2 Extremel y unlikely 5 Feasible
2 Extremel y unlikely 2 Extremel y unlikely 3 Very unlikely
2 Extremel y unlikely 2 Extremel y unlikely 6 Probable, Due H/W failures 6 Probable, 5 Feasible
2 Extremel y unlikely 5 Feasible
1 Negligible
3 Very unlikely 1 Negligible
Illegal use of software
6 Probable
5 Feasible
Lightning
5 Feasible
1 Negligible
1 Negligible
1 Negligible
1 Negligible
Maintenance error
6 Probable,
6 Probable, 1 Negligible
6 Probable, 2 Extremel y unlikely 2 Extremel y unlikely 1 Negligibl e
1 Negligible 1 Negligible
5 Feasible 1 Negligible
Malicious software
5 Feasible
Masquerading of User ID
5 Feasible
5 Feasible
1 Negligible
6 Probable,
5 Feasible
1 Negligible
Misrouting or re-routing of messages
1 Negligible
1 Negligible
5 Feasible
5 Feasible
1 Negligible
1 Negligible
1 Negligible
1 Negligible
Page 12
Misuse of resources
2 Extremel y unlikely,
6 Probable,
6 Probable,
6 Probable,
6 Probable,
1 Negligible
1 Negligible
1 Negligible
Network access by unauthorised persons
1 Negligible
1 Negligible 1 Negligible 9 Confident ly Expected 1 Negligible 1 Negligible 5 Feasible 1 Negligible 1 Negligible
1 Negligible 5 Feasible 9 Confident ly Expected 5 Feasible 1 Negligible 1 Negligible 1 Negligible 5 Feasible
1 Negligible 5 Feasible 6 Probable
6 Probable, 1 Negligible 9 Confident ly Expected 1 Negligible 1 Negligible 5 Feasible 5 Feasible 5 Feasible
1 Negligible 1 Negligible 9 Confident ly Expected 1 Negligible 1 Negligible 1 Negligible 1 Negligible 1 Negligible
1 Negligible 1 Negligible 1 Negligible
Operational support staff error
1 Negligible
Power fluctuations
Software failure
6 Probable
5 Feasible 5 Feasible 1 Negligible 1 Negligible 1 Negligible
1 Negligible 1 Negligible 1 Negligible 1 Negligible 1 Negligible
Staff shortage
1 Negligible
Theft
1 Negligible
Traffic overloading
1 Negligible
Transmission errors
1 Negligible
Page 13
Unauthorised use of software
5 Feasible
1 Negligible 1 Negligible 1 Negligible 1 Negligible 1 Negligible 9 Confident ly Expected 6 Probable
1 Negligible 5 Feasible 1 Negligible 1 Negligible 1 Negligible 9 Confident ly Expected 9 Confident ly Expected
1 Negligible 5 Feasible 1 Negligible 1 Negligible 5 Feasible 9 Confident ly Expected 9 Confident ly Expected
5 Feasible 1 Negligible 5 Feasible 1 Negligible 1 Negligible 6 Probable
1 Negligible 1 Negligible 5 Feasible 1 Negligible 5 Feasible 6 Probable
1 Negligible 1 Negligible 1 Negligible 1 Negligible 5 Feasible 1 Negligible
1 Negligible 1 Negligible 1 Negligible 1 Negligible 1 Negligible 1 Negligible
Unauthorised use of storage media
1 Negligible
Use of network facilities in unauthorised way
1 Negligible
Use of software by unauthorised users
5 Feasible
Use of software in unauthorised way
5 Feasible
User error
6 Probable
Wilful damage
6 Probable
6 Probable
6 Probable
6 Probable
1 Negligible
1 Negligible
1 Negligible
Page 14
Identified Vulnerabilities
Hardware
Infrastructure
Inadequate security protection to the premises Inadequate security measures to control the access Low concern about and use of physical access control to the university premises Inadequate maintenance of the buildings, rooms Inadequate facilities of the old fashion structure with less facilities Unstable power grid Unprotected storage Careless access Lack of care at disposal Inadequate administration Lack of periodic replacement schemes Susceptibility to voltage variations: Susceptibility to temperature variations: Susceptibility to humidity, dust, soiling: Sensitivity to electromagnetic radiation: Insufficient maintenance/faulty installation of storage media: Lack of efficient configuration change control: Unclear or incomplete specifications for developers: No or insufficient software testing: Complicated user interface: Lack of identification and authentication mechanisms like user authentication: Lack of audit trail: Page 15
Software
Software
Well-known flaws in the software: Unprotected password tables: Poor password management (easily guessable passwords, storing of passwords in clear, insufficient frequency of change): Wrong allocation of access rights: Uncontrolled downloading and using software: No 'logout' when leaving the workstation: Lack of effective change control: Lack of documentation: Lack of back-up copies: Disposal or reuse of storage media without proper erasure: Unprotected communication lines: Poor joint cabling: Lack of identification and authentication of sender and receiver: Transfer of passwords in clear: Lack of proof of sending or receiving a message: Dial-up lines: Unprotected sensitive traffic: Inadequate network management (resilience of routing): Unprotected public network connections:
Communications
Page 16
Personnel
Environment
Insufficient Administrative staff Absence of personnel Unsupervised outsourced work Insufficient security training Careless user of security access Lack of security awareness Incorrect use of software and hardware Lack of monitoring mechanisms: Lack of policies for the correct use of telecommunications media Inadequate training and lack of policies to use media and messaging Unauthorised use of software Location in an area susceptible to flood
Susceptibility of equipment to soiling
Location area susceptible to fire Inadequate service maintenance

Susceptibility of equipment to overheat
Page 17
Vulnerability values for the identified threats to assets

Asset Owner Value Threat Rating Vulnerability Rating Overall Risk Software AS 2 Airborne particles or dust 4 Susceptibility of equipment to overheat 6 48 Airborne particles or dust exploits susceptibility of the equipment to overheat Air condition failure exploits the susceptibility of the equipment to overheat. Communication infiltration exploits the threat of lack of identification and authentication mechanism Damage to communication lines exploits the treat of single line failure. Damage to communication lines exploits poor maintenance of network infrastructure. Failure of communication services exploits lack of identification and authentication mechanisms like user authentication. Explanation
Software
AS
60
Software
AS
Ease of access to cable cabinets
14
Software
AS
Damage to communications lines/cables Damage to communications lines/cables
Single points of failure
12
Software
AS
Poor maintenance of network infrastructure
12
Software
AS
6 Lack of identification and authentication mechanisms like user authentication
60
Page 18
Software
AS
Unstable power grid
12
Failure of power supply exploits unstable power grid. Illegal use of software exploits wrong allocation of access rights. Maintenance error exploits lack of identification and authentication mechanism like user authentication.
Software
AS
Wrong allocation of access rights
20
Software
AS
Maintenance error
20
Software
AS
Malicious software
Lack of back-up copies
20
Malicious software exploits lack of backup copies. Masquerading of User ID exploits No logout when leaving the workstation. Misuse of resources exploits poor password management. Power fluctuation exploits unstable
Software
AS
No 'logout' when leaving the workstation Poor password management
32
Software
AS
Misuse of resources
24
Software
AS
Power fluctuation.
Unstable power grid
power grid.
Software AS 2 Software failure 5
50
Software failure exploits lack of back-up copies. unauthorized use of software exploits the threat of lack of incorrect use of software
Software
AS
Unauthorized use of software
Incorrect use of software and hardware
Page 19
and hardware Software AS 2 Unauthorized use of storage media 1
Disposal or reuse of storage media without proper erasure
10
Unauthorized use of storage media exploits Disposal or reuse of storage
media without proper erasure

Software AS 2 Use of software in unauthorized way 5
Lack of identification and authentication mechanisms No 'logout' when leaving the workstation Lack of identification and authentication mechanisms
50
Use of software in unauthorized way exploits the threat of lack of identification and authentication mechanisms User error exploits the threat of no logout when leaving the workstation Willful damage exploits careless use of security access.
Software
AS
User error
72
Software
AS
Wilful damage
60
Hardware
MT
Susceptibility to humidity, dust, 5 soiling Susceptibility to temperature variations Lack of identification and authentication mechanisms Lack of identification and
5
150 Airborne particles or dust exploits the threat susceptibility of the equipment to dust. 125 Air condition failure exploits the threat of susceptibility of the equipment to overheat. 25 Communication infiltration exploits the threat of lack of identification and authentication mechanism Damage to Communication lines exploits the threat of lack of identification and
Hardware
MT
Hardware
MT
Hardware
MT
50
Page 20
authentication mechanisms
Hardware MT 5 Environmental contamination 1
authentication mechanism 10 Environmental contamination exploits equipment location where air is polluted.
Equipment location where air is 2 polluted
Hardware
MT
Inadequate network management Unstable power grid
20
Failure of network components exploits inadequate network management. Failure of power supply exploits unstable power grid. Hardware failure exploits lack of periodic replacement scheme.
Hardware
MT
50
Hardware
MT
Hardware failure
Lack of periodic replacement schemes Lack of periodic replacement schemes

No logout when leaving the workstation.
150
Hardware
MT
Maintenance error
125 Maintenance error exploits lack of periodic replacement schemes. 50 Masquerading of User ID exploits No logout when leaving the workstation. Misuse of resources exploits poor password management. Network access by unauthorized persons exploits wrong allocation of access rights. Power fluctuation exploits unstable
Hardware
MT
Hardware
MT
Misuse of resources
Wrong allocation of access
50
Hardware
MT
Network access by unauthorized persons Power fluctuations
Wrong allocation of access rights Unstable power grid
25
Hardware
MT
50
power grid.
Page 21
Hardware
MT
Theft
Lack of security awareness
125 Theft exploits lack of security awareness.
Hardware
MT
Traffic overloading
Uncontrolled downloading and spam

Poor maintenance if network infrastructure
20
Traffic overloading exploits uncontrolled downloading spam. Transmission errors exploits lack of proof of sending receiving a message. Unauthorized use of storage media exploits the threat of disposal or reuse
Hardware
MT
Transmission errors
20
Hardware
MT
Unauthorized use of storage media
20
of storage media without proper erasure

Hardware MT 5 Use of network facilities in unauthorized way 1
Lack of identification and authentication mechanisms
20
Use of network facilities in unauthorized way exploits threat of Lack of
identification and authentication mechanisms

Hardware MT 5 User error 4
80
User error exploits the of lack of identification and authentication mechanism Willful damage exploits careless use of security access. Communication infiltration exploits the threat of poor cable jointing.
Hardware
MT
Willful damage
Careless user of security access 2
60
RA/TB 5
Poor cable jointing
40
Page 22
Information Assets (Electronic) Information Assets (Electronic) Information Assets (Electronic) Information Assets (Electronic) Information Assets (Electronic) Information Assets (Electronic) Information Assets (Electronic) Information Assets
RA/TB 5
40
Damage to communication lines/cables exploits single points of failure.
RA/TB 5
Lack of periodic replacement of media
125
Deterioration of storage media exploits lack of periodic replacement of media.
RA/TB 5
Single point of failure
40
Failure of communication services exploits single point failure.
RA/TB 5
20
Failure of network components exploits single point of failure.
RA/TB 5
Failure to have adequate backup power supply
50
Failure of power supply exploits unstable power grid.
RA/TB 5
Maintenance error
Lack of maintenance procedures
40
Maintenance error exploits lack of maintenance procedures.
RA/TB 5
Malicious software
50
Malicious software exploits lack of backup copies.
RA/TB 5
No 'logout' when leaving the workstation
100 Masquerading of User ID exploits No logout when leaving the workstation.
Page 23
(Electronic) Information Assets (Electronic) Information Assets (Electronic) Information Assets (Electronic) Information Assets (Electronic) Information Assets (Electronic) Information Assets (Electronic) Information Assets (Electronic) RA/TB 5 Misuse of resources 2
Poor password management
40
Misuse of resources exploits poor password management.
RA/TB 5
Power fluctuations
Unstable power grid
20
Power fluctuation exploits unstable
power grid.
RA/TB 5 Theft 1
20
Theft exploits lack of security awareness.
RA/TB 5
Traffic overloading
Uncontrolled downloading and 5 spam Lack of maintenance in network 4 structure Disposal or reuse of storage media without proper erasure
4
25
Traffic overloading exploits uncontrolled downloading spam.
RA/TB 5
Transmission errors
40
Transmission errors exploit lack of proof of sending receiving a message.
RA/TB 5
40
Unauthorized use of storage media exploits disposal or reuse of storage
media without proper erasure

RA/TB 5 Use of network facilities in unauthorized way 1
20
Use of network facilities in unauthorized way exploits the threat of lack of identification and authentication mechanism
Page 24
Information Assets (Electronic) Information Assets (Electronic) Research & Experimental Works Research & Experimental Works Research & Experimental Works Research & Experimental Works Research & Experimental Works Research & Experimental
RA/TB 5
User error
No 'logout' when leaving the workstation Careless or lack of security access authentication
60
User error exploits the threat of no logout when leaving the workstation
RA/TB 5
Willful damage
180 Willful damage exploits careless use of security access.
RA/TB 2
Susceptibility to humidity, dust, 5 soiling Unprotected communication lines Unprotected communication lines Inadequate administration
4
80
Airborne particles or dust exploits susceptibility of the equipment to dust
RA/TB 2
16
Communication infiltration exploits the threat of unprotected communication lines Damage to communication lines exploits unprotected communication lines
RA/TB 2
40
RA/TB 2
40
Deterioration of storage media exploits inadequate administration.
RA/TB 2
Eavesdropping
Unprotected communication lines
48
Eavesdropping exploits unprotected communication lines.
RA/TB 2
Equipments susceptible to polluted air
24
Environmental contamination exploits equipments susceptible polluted air.
Page 25
Works Research & Experimental Works Research & Experimental Works Research & Experimental Works Research & Experimental Works Research & Experimental Works Research & Experimental Works Research & Experimental Works RA/TB 2 Extreme of temperature / humidity 8
Equipments are susceptible to overheating
80
Extreme of temperature / humidity exploits equipments are susceptible to overheating. Failure of communication services exploits poor joint cabling.
RA/TB 2
Poor joint cabling
30
RA/TB 2
Inadequate network management Unstable power grid
20
Failure of network components exploits inadequate network management.
RA/TB 2
RA/TB 2
Hardware failure
Lack of periodic replacement schemes Lack of periodic replacement schemes Lack of back-up copies
24
Hardware failure exploits lack of periodic replacement scheme.
RA/TB 2
Maintenance error
40
Maintenance error exploits lack of periodic replacement scheme.
RA/TB 2
Malicious software
10
Malicious software exploits lack of backup copies.
Page 26
Research & Experimental Works Research & Experimental Works Research & Experimental Works Research & Experimental Works Research & Experimental Works Research & Experimental Works Research & Experimental Works Research & Experimental
RA/TB 2
No 'logout' when leaving the workstation Wrong allocation of access rights Unstable power grid
40
Masquerading of User ID exploits No logout when leaving the workstation.
RA/TB 2
Misuse of resources
40
Misuse of resources exploits poor password management.
RA/TB 2
Power fluctuations
24
Power fluctuation exploits unstable
power grid.
RA/TB 2 Theft 1
RA/TB 2
Traffic overloading
Uncontrolled downloading and 4 spam Lack of network maintenance

4
RA/TB 2
Transmission errors
Transmission errors exploits lack of proof of sending receiving a message.
RA/TB 2
User error
90
User error exploits the threat of no logout when leaving the workstation
RA/TB 2
Willful damage
90
Willful damage exploits careless use of security access.
Page 27
Works Network TB 3 Communications Infiltration 6 Poor cable jointing 5 90 Communication infiltration exploits the threat of poor cabling Damage to communication lines exploits single points of failure Failure of communication services exploits single point of failure. Failure of network components exploits single point of failure. Failure of power supply exploits failure to have adequate backup power supply. Maintenance error exploits lack of maintenance. Masquerading of User ID exploits No logout when leaving the workstation. Misrouting or re-routing of messages exploits unprotected password on tables. Misuse of resources exploits poor password management. Power fluctuation exploits unstable
Network
TB
Damage to communications lines/cables Failure of communications services Failure of network components
60
Network
TB
60
Network
TB
96
Network
TB
30
Network
TB
Maintenance error
Lack of maintenance
60
Network
TB
No 'logout' when leaving the workstation Unprotected password tables
12
Network
TB
Misrouting or re-routing of messages Misuse of resources
Network
TB
18
Network
TB
Power fluctuations
Unstable power grid
12
Page 28
power grid.
Network TB 3 Traffic overloading 5
Uncontrolled downloading and 5 spam Lack of proper network management No 'logout' when leaving the workstation
5
75
Traffic overloading exploits uncontrolled downloading spam. Transmission errors exploits lack of proper network management. User error exploits the threat of no logout when leaving the workstation Willful damage exploits careless use of security access. Communication infiltration exploits the threat of unprotected communication lines. Damage to communication lines exploits unprotected communication lines Hardware failure exploits lack of periodic replacement scheme. Maintenance error exploits lack of proper management and replacement procedure. Malicious software exploits lack of backup copies.
Network
TB
Transmission errors
60
Network
TB
User error
30
Network
TB
Willful damage
72
Services
RL
Unprotected communication lines Unprotected communication lines Lack of periodic replacement schemes
Lack of proper management and replacement procedure
12
Services
RL
Damage to communications lines/cables Hardware failure
36
Services
RL
12
Services
RL
Maintenance error
12
Services
RL
Malicious software
12
Page 29
Services
RL
16
Masquerading of User ID exploits No logout when leaving the workstation. Misuse of resources exploits poor password management. Network access by unauthorized persons exploits wrong allocation of access rights. Traffic overloading exploits uncontrolled downloading spam. Transmission errors exploits the threat of lack of identification and authentication mechanism User error exploits the threat of no logout when leaving the workstation Willful damage exploits careless use of security access. Airborne particles or dust exploits susceptibility of the equipment to dust Air condition failure exploits the susceptibility of the equipment to overheat.
Services
RL
Misuse of resources
16
Services
RL
Network access by unauthorized persons Traffic overloading
Services
RL
Uncontrolled downloading and 4 spam Lack of identification and authentication mechanisms No 'logout' when leaving the workstation
4
Services
RL
Transmission errors
Services
RL
User error
16
Services
RL
Willful damage
48
Intangible Assets Intangible Assets
RL
Susceptibility to humidity, dust, 2 soiling Susceptibility to temperature variations

3
10
RL
15
Page 30
RL
Bomb attack
Inadequate security protection 3 to the premises Unprotected communication lines Unprotected communication lines
Unprotected communication lines 3
30
Bomb attack exploits the inadequate security protection to the premises. Communication infiltration exploits the threat of Unprotected communication lines. Damage to communication lines exploits unprotected communication lines. Eavesdropping exploits unprotected communication lines. Failure of power supply exploits failure to have adequate backup power supply. Maintenance error exploits lack of periodic replacement schemes. Masquerading of User ID exploits No logout when leaving the workstation. Misrouting or re-routing of messages exploits unprotected password on tables.
RL
15
Intangible Assets Intangible Assets Intangible Assets Intangible Assets Intangible Assets Intangible Assets Intangible Assets Intangible Assets
RL
Damage to communications lines/cables Eavesdropping
15
RL
15
RL
15
RL
Maintenance error
Lack of periodic replacement schemes No 'logout' when leaving the workstation Unprotected password tables
15
RL
40
RL
Misrouting or re-routing of messages Misuse of resources
15-
RL
120 Misuse of resources exploits poor password management. 20 Network access by unauthorized persons exploits wrong allocation of access rights.
RL
Network access by unauthorized persons
Page 31
rights
Intangible Assets Intangible Assets Intangible Assets RL 5 Operational support staff error 1
Unclear or incomplete specifications for staff Unstable power grid
15
Operational supports staff error exploits wrong allocation of access rights. Power fluctuation exploits unstable
RL
Power fluctuations
15
power grid.
RL 5 Traffic overloading 1
Uncontrolled downloading and 4 spam
20
RL
Transmission errors
15
Transmission errors exploit lack of proof of sending receiving a message. Unauthorized use of storage media exploits the threat of disposal and reuse of storage media without proper erasure
RL
Disposal or reuse of storage media without proper erasure Lack of identification and authentication mechanisms No 'logout' when leaving the workstation
15
Intangible Assets
RL
Use of network facilities in unauthorized way
100 Use of network facilities in authorized way exploits the threat of lack of identification and authentication mechanism 15 User error exploits the threat of no logout when leaving the workstation Willful damage exploits careless use of security access.
RL
User error
RL
Willful damage
90
Page 32
Staff
CF
Susceptibility to humidity, dust, 2 soiling Susceptibility to temperature variations Unprotected communication lines Unprotected communication lines
Unprotected communication lines 2
Airborne particles or dust exploits susceptibility of the equipment to dust Air condition failure exploits the susceptibility of the equipment to overheat. Communication infiltration exploits the threat of unprotected communication lines. Damage to communication lines exploits unprotected communication lines Eavesdropping exploits unprotected communication lines. Environmental contamination exploits location area susceptible to air pollution.
Staff
CF
Staff
CF
Staff
CF
Damage to communications lines/cables Eavesdropping
Staff
CF
Staff
CF
Location area susceptible to air 2 pollution
Staff
CF
Location in an area susceptible to humidity No 'logout' when leaving the workstation Wrong allocation of access
Extreme of temperature / humidity exploits location in an area susceptible to humidity. Masquerading of User ID exploits No logout when leaving the workstation. Misuse of resources exploits poor
Staff
CF
40
Staff
CF
Misuse of resources
Page 33
rights
Staff CF 2 Theft 1
password management. 3 6 Theft exploits threat of lack of awareness.
Staff
CF
Traffic overloading
Uncontrolled downloading and 4 spam Poor management of network infrastructure Disposal or reuse of storage media without proper erasure Lack of identification and authentication mechanisms No 'logout' when leaving the workstation
3
Traffic overloading exploits uncontrolled downloading and spam. Transmission errors exploits lack of proof of sending receiving a message. Unauthorized use of storage media exploits the threat of disposal and reuse of storage media without proper erasure Use of network facilities in unauthorized exploits the threat of lack of identification and authentication mechanism User error exploits the threat of no logout when leaving the workstation Willful damage exploits careless use of security access. Airborne particles or dust exploits susceptibility of the equipment to dust
Staff
CF
Transmission errors
Staff
CF
Staff
CF
Staff
CF
User error
Staff
CF
Willful damage
Students
AS
Susceptibility to humidity, dust, 2 soiling
Page 34
Students
AS
Susceptibility to temperature variations
Air condition failure exploits the susceptibility of the equipment to overheat.
Students
AS
Unprotected communication lines Unprotected communication lines Inadequate administration
12
Communication infiltration exploits the threat of unprotected communication lines. Damage to communication lines/cables exploits the threat of unprotected communication lines Deterioration of storage media exploits inadequate administration.
Students
AS
12
Students
AS
16
Students
AS
Eavesdropping
12
Eavesdropping exploits unprotected communication lines. Environmental contamination exploits location area susceptible to air pollution .
Students
AS
Students
AS
Poor joint cabling schemes
12
Failure of communication services exploits poor joint cabling scheme.
Page 35
Students
AS
Inadequate network management
16
Failure of network components exploits inadequate network management.
Students
AS
Unstable power grid
Students
AS
Maintenance error
Lack of periodic replacement
Maintenance error exploits lack of periodic replacement. Masquerading of User ID exploits No logout when leaving the workstation. Misuse of resources exploits poor password management. Network access by unauthorized persons exploits wrong allocation of access rights. Operational supports staff error exploits wrong allocation of access rights. Power fluctuations exploits unstable power grid. Software failure exploits lack of back-up
Students
AS
80
Students
AS
Misuse of resources
16
Students
AS
Network access by unauthorized persons Operational support staff error
Wrong allocation of access rights Unclear or incomplete specifications for staff Unstable power grid
16
Students
AS
Students
AS
Power fluctuations
Students
AS
Software failure
12
Page 36
copies. Students AS 4 Staff shortage 1
Unclear or incomplete specifications for staff procedures.
12
Staff shortage exploits unclear or
incomplete specifications staff procedures.

16 Traffic overloading exploits uncontrolled downloading spam. Transmission errors exploits threat of single point of failure. Unauthorized use of software exploits the threat of Incorrect use of software and
Students
AS
Traffic overloading

Single points of failure 3
Students
AS
Transmission errors
12
Students
AS
12
hardware
3 12 Unauthorized use of storage media exploits the threat of disposal and reuse of storage media without proper erasure Use of network facilities in unauthorized way exploits the threat of lack of identification and authentication mechanism User error exploits the threat of no logout when leaving the workstation Airborne particles or dust exploits
Students
AS
Disposal or reuse of storage media without proper erasure Lack of identification and authentication mechanisms
Students
AS
16
Students
AS
User error
64
Properties
AS
Susceptibility to humidity, dust, 1
Page 37
soiling
Properties AS 1 Air Conditioning failure 1
susceptibility of the equipment to dust 1 1 Air condition failure exploits the susceptibility of the equipment to overheat. Bomb attack exploits the inadequate security protection to the premises. Communication infiltration exploits the threat of unprotected communication lines. Damage to communication lines/cables exploits unprotected communication lines. Earthquake exploits the building in location which is in an earthquake zone. Extreme of temperature / humidity exploits location in an area susceptible to overheat. Failure of communication services exploits poor joint cabling. Failure of power supply exploits unstable power grid.
Properties
AS
Bomb attack
Inadequate security protection 4 to the premises Unprotected communication lines Unprotected communication lines
Building in location which is in an earthquake zone 3
Properties
AS
Properties
AS
Properties
AS
Earthquake
Properties
AS
Location in an area susceptible to overheat
Properties
AS
Failure of communications services Failure of power supply
Poor joint cabling
Properties
AS
Unstable power grid
Page 38
Properties
AS
Inadequate facilities of the old fashion structure with less facilities
Failure of water supply exploits inadequate facilities of the old fashion structure with less facilities.
Properties
AS
Fire
Location area susceptible to fire 2
Fire exploits location area susceptible to fire. Flooding exploits location in an area susceptible to flood.
Properties
AS
Flooding
Location in an area susceptible to flood
Properties
AS
Hurricane
Location in an area susceptible to hurricanes Location area susceptible to lightning
Hurricane exploits location in an area susceptible to occur hurricanes. Lightning exploits location area susceptible to lightning
Properties
AS
Lightning
Properties
AS
Maintenance error
Lack of periodic replacement schemes No 'logout' when leaving the workstation Unprotected password tables
Maintenance error exploits lack of replacement scheme. Masquerading of User ID exploits No logout when leaving the workstation. Misrouting or re-routing of messages exploits unprotected password on tables.
Properties
AS
Properties
AS
Page 39
Properties
AS
Misuse of resources
Unclear or incomplete specifications for staff Unstable power grid
Misuse of resources exploits poor password management. Power fluctuation exploits unstable
Properties
AS
Power fluctuations
power grid.
Properties AS 1 Theft 1
Properties
AS
Transmission errors
Transmission errors exploits lack of proof of sending receiving a message. Use of network facilities in unauthorized way exploits the threat of lack of identification and authentication mechanism User error exploits the threat of no logout when leaving the workstation Willful damage exploits careless use of security access.
Properties
AS
Properties
AS
User error
No 'logout' when leaving the workstation Careless use of security access
Properties
AS
Willful damage
Page 40
Identification of Required Controls for Identified Risks

Asset Owner Value Threat Rating Vulnerability Rating Overall ISO 27001 Risk Software AS 2 Airborne particles or dust 4 Susceptibility of equipment to dust 5 40 Control
(A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied. (A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unres1t& other forms of natural or manmade disaster shall be designed & applied. A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.12.5.3) restriction on changes to software packages. Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.
Software
AS
60
Software
AS
20
Software
AS
Maintenance error
20
A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user.
Page 41
Software
AS
Malicious software
20
(A.10.4.1) Control against malicious code Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.11.1.1) Access Control Policy An access control policy shall be established , documented and review based on business and security requirement for access (A.9.2.4) Equipment Maintenance. Equipment shall be correctly maintained to ensure its continued availability and integrity. (A.12.5.3) restriction on changes to software packages. Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.
Software
AS
32
Software
AS
Misuse of resources
24
Software
AS
Software failure
50
Software
AS
(A.12.5.3) restriction on changes to software packages. Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled. (A.12.5.3) restriction on changes to software packages. Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly
Software
AS
Use of software by unauthorized users
50
Page 42
controlled.
Software
AS
Use of software in unauthorized way
50
(A.12.5.3) restriction on changes to software packages. Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.9.1.2) Physical Entry Control Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access
Software
AS
User error
72
Software
AS
Wilful damage
60
(A.9.1.1) Physical Security Perimeter Security perimeters (barriers such as walls , card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities (A.9.1.2) Physical Entry Control Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access (A.9.1.3) Securing Offices, rooms and facilities Physical security for offices, rooms, and facilities shall be designed and applied.
Page 43
Hardware
MT
150
(A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied. (A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied. (A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied. (A.9.2.2) Supporting utilities. Equipment shall be protected from power failure and other disruptions caused by failures in supporting utilities. (A.9.2.4) Equipment Maintenance. Equipment shall be correctly maintained to ensure its continued availability and integrity. (A.10.2.1) Service Delivery It shall be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented operated and maintained by the third party. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and
Hardware
MT
125
Hardware
MT
Bomb attack
Inadequate security protection 5 to the premises
100
Hardware
MT
Unstable power grid
50
Hardware
MT
Hardware failure
Lack of periodic replacement schemes Lack of periodic replacement schemes
150
Hardware
MT
Maintenance error
125
Hardware
MT
50
Page 44
suitable authentication techniques shall be chosen to substantiate the claimed identity of a user.
Hardware
MT
Power fluctuations
Unstable power grid
50
(A.9.2.2) Supporting utilities. Equipment shall be protected from power failure and other disruptions caused by failures in supporting utilities. (A.9.1.1) Physical Security Perimeter Security perimeters (barriers such as walls , card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities (A.9.1.2) Physical Entry Control Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access (A.9.1.3) Securing Offices, rooms and facilities Physical security for offices, rooms, and facilities shall be designed and applied.
Hardware
MT
Theft
125
Hardware
MT
Traffic overloading
Uncontrolled downloading and spam
20
Hardware
MT
Transmission errors
Poor maintenance if network infrastructure
20
Hardware
MT
20
(A.10.8.3) Physical media in transit. Media containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond organizations physical boundaries. (A.10.8.3) Physical media in transit. Media containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond organizations physical boundaries. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user.
Page 45
(A.9.1.2) Physical Entry Control Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access
Hardware
MT
20
(A.11.4.1) Policy on use of network services. Users shall only be provided with access to the services that they have been specifically authorized to use. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.9.1.2) Physical Entry Control Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access
Hardware
MT
User error
80
Hardware
MT
Willful damage
60
Page 46
RA/TB 5
Poor cable jointing
40
A.10.8.1) Information exchange policies and procedures. Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communication facilities. (A.10.8.3) Physical media in transit. Media containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond organizations physical boundaries. (A.9.2.4) Equipment Maintenance. Equipment shall be correctly maintained to ensure its continued availability and integrity. (A.10.2.2) Monitoring and review of third party services. The services reports and records provided by third party shall be regularly monitored and reviewed and audit shall be carried out regularly. (A.9.2.4) Equipment Maintenance. Equipment shall be correctly maintained to ensure its continued availability and integrity. (A.9.2.3) Cabling security. Power and telecommunication cabling carry data or supporting information services shall be protected from interception or damage. (A.9.2.2) Supporting utilities. Equipment shall be protected from power failure and other disruptions caused by failures in supporting utilities. (A.9.2.4) Equipment Maintenance. Equipment shall be correctly maintained to ensure its continued availability and integrity.
RA/TB 5
40
Information Assets (Electronic) Information Assets (Electronic)
RA/TB 5
50
RA/TB 5
Hardware failure
120
Page 47
RA/TB 5
Maintenance error
40
(A.10.2.2) Monitoring and review of third party services. The services reports and records provided by third party shall be regularly monitored and reviewed and audit shall be carried out regularly. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.9.1.1) Physical Security Perimeter Security perimeters (barriers such as walls , card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities (A.9.1.2) Physical Entry Control Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access
RA/TB 5
100
RA/TB 5
Misuse of resources
40
RA/TB 5
20
(A.11.4.1) Policy on use of network services. Users shall only be provided with access to the services that they have been specifically authorized to use.
Page 48
Information Assets (Electronic) Information Assets (Electronic)
RA/TB 5
Power fluctuations
Unstable power grid
20
(A.9.2.2) Supporting utilities. Equipment shall be protected from power failure and other disruptions caused by failures in supporting utilities. (A.10.8.1) Information exchange policies and procedures. Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communication facilities. (A.10.8.1) Information exchange policies and procedures. Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communication facilities. (A.10.8.3) Physical media in transit. Media containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond organizations physical boundaries. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.9.1.2) Physical Entry Control Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access
RA/TB 5
Traffic overloading
25
RA/TB 5
Transmission errors
Lack of maintenance in network 4 structure
40
RA/TB 5
User error
60
Page 49
RA/TB 5
Willful damage
Careless or lack of security access authentication
180
(A.9.1.1) Physical Security Perimeter Security perimeters (barriers such as walls , card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities (A.9.1.2) Physical Entry Control secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access (A.9.1.3) Securing Offices, rooms and facilities Physical security for offices, rooms, and facilities shall be designed and applied.
Research & Experimental Works
RA/TB 2
40
(A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied. A.10.8.1) Information exchange policies and procedures. Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communication facilities. (A.10.8.3) Physical media in transit. Media containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond organizations physical boundaries. (A.9.2.4) Equipment Maintenance. Equipment shall be correctly maintained to ensure its continued availability and integrity.
RA/TB 2
16
Research & Experimental
RA/TB 2
Equipments susceptible to polluted air
24
(A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake,
Page 50
Works Research & Experimental Works RA/TB 2 Extreme of temperature / humidity 8
explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied.
Equipments are susceptible to overheating
80
(A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied. (A.10.2.2) Monitoring and review of third party services. The services reports and records provided by third party shall be regularly monitored and reviewed and audit shall be carried out regularly. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.9.1.1) Physical Security Perimeter Security perimeters (barriers such as walls , card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities (A.9.1.2) Physical Entry Control Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access
RA/TB 2
Maintenance error
Lack of periodic replacement schemes
40
RA/TB 2
Misuse of resources
40
RA/TB 2
Power fluctuations
Unstable power grid
24
(A.9.2.2) Supporting utilities. Equipment shall be protected from power failure and other disruptions caused by failures in supporting
Page 51
utilities.
RA/TB 2
Theft
RA/TB 2
Traffic overloading
(A.10.8.1) Information exchange policies and procedures. Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communication facilities. (A.10.8.1) Information exchange policies and procedures. Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communication facilities. (A.10.8.3) Physical media in transit. Media containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond organizations physical boundaries. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a
RA/TB 2
Transmission errors
Lack of network maintenance
Research & Experimental
RA/TB 2
User error
90
Page 52
Works
RA/TB 2
Willful damage
90
user (A.9.1.2) Physical Entry Control Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access (A.9.1.1) Physical Security Perimeter Security perimeters (barriers such as walls , card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities (A.9.1.2) Physical Entry Control Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access (A.9.1.3) Securing Offices, rooms and facilities Physical security for offices, rooms, and facilities shall be designed and applied.
Network
TB
Poor cable jointing
90-
A.10.8.1) Information exchange policies and procedures. Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communication facilities. (A.10.8.3) Physical media in transit. Media containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond organizations physical boundaries. (A.9.2.4) Equipment Maintenance. Equipment shall be correctly maintained to ensure its continued availability and integrity. (A.10.2.2) Monitoring and review of third party services. The services reports and records provided by third party shall be regularly monitored and reviewed and audit shall be
Network
TB
60
Page 53
carried out regularly. (A.9.2.4) Equipment Maintenance. Equipment shall be correctly maintained to ensure its continued availability and integrity. (A.9.2.3) Cabling security. Power and telecommunication cabling carry data or supporting information services shall be protected from interception or damage.
Network
TB
60
(A.10.2.2) Monitoring and review of third party services. The services reports and records provided by third party shall be regularly monitored and reviewed and audit shall be carried out regularly. (A.9.2.4) Equipment Maintenance. Equipment shall be correctly maintained to ensure its continued availability and integrity. (A.9.2.3) Cabling security. Power and telecommunication cabling carry data or supporting information services shall be protected from interception or damage.
Network
TB
Failure of network components 8
96
(A.9.2.2) Supporting utilities. Equipment shall be protected from power failure and other disruptions caused by failures in supporting utilities. (A.9.2.4) Equipment Maintenance. Equipment shall be correctly maintained to ensure its continued availability and integrity.
Network
TB
Hardware failure
48
(A.9.2.4) Equipment Maintenance. Equipment shall be correctly maintained to ensure its
Page 54
continued availability and integrity.
Network
TB
Maintenance error
Lack of maintenance
60
(A.10.2.2) Monitoring and review of third party services. The services reports and records provided by third party shall be regularly monitored and reviewed and audit shall be carried out regularly. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.11.4.7) Network Routing control. Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business application. (A.11.4.1) Policy on use of network services. Users shall only be provided with access to the services that they have been specifically authorized to use. (A.9.2.2) Supporting utilities. Equipment shall be protected from power failure and other disruptions caused by failures in supporting utilities. (A.10.8.1) Information exchange policies and procedures. Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communication facilities.
Network
TB
12
Network
TB
Unprotected password tables
Network
TB
72
Network
TB
Power fluctuations
Unstable power grid
12
Network
TB
Traffic overloading
75
Page 55
Network
TB
Transmission errors
Lack of proper network management
60
(A.10.8.1) Information exchange policies and procedures. Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communication facilities. (A.10.8.3) Physical media in transit. Media containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond organizations physical boundaries.
Network
TB
60
(A.11.4.1) Policy on use of network services. Users shall only be provided with access to the services that they have been specifically authorized to use. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.9.1.1) Physical Security Perimeter Security perimeters (barriers such as walls , card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities (A.9.1.2) Physical Entry Control Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access (A.9.1.3) Securing Offices, rooms and facilities Physical security for offices, rooms, and facilities shall be designed and applied.
Network
TB
User error
30
Network
TB
Willful damage
72
Page 56
Services
RL
12
A.10.8.1) Information exchange policies and procedures. Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communication facilities. (A.10.8.3) Physical media in transit. Media containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond organizations physical boundaries. (A.9.2.4) Equipment Maintenance. Equipment shall be correctly maintained to ensure its continued availability and integrity.
Services
RL
36
(A.10.2.2) Monitoring and review of third party services. The services reports and records provided by third party shall be regularly monitored and reviewed and audit shall be carried out regularly. (A.9.2.4) Equipment Maintenance. Equipment shall be correctly maintained to ensure its continued availability and integrity. (A.9.2.3) Cabling security. Power and telecommunication cabling carry data or supporting information services shall be protected from interception or damage. (A.10.8.1) Information exchange policies and procedures. Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communication facilities.
Services
RL
Eavesdropping
(A.9.2.3)Cabling Security
Power and telecommunications cabling carrying
Page 57
Services
RL
Poor joint cabling
30
data or supporting information services shall be protected from interception or damage. (A.10.2.2) Monitoring and review of third party services. The services reports and records provided by third party shall be regularly monitored and reviewed and audit shall be carried out regularly. (A.9.2.4) Equipment Maintenance. Equipment shall be correctly maintained to ensure its continued availability and integrity. (A.9.2.3) Cabling security. Power and telecommunication cabling carry data or supporting information services shall be protected from interception or damage.
Services
RL
Hardware failure

Lack of proper management and replacement procedure
12
(A.9.2.4) Equipment Maintenance. Equipment shall be correctly maintained to ensure its continued availability and integrity. (A.10.2.2) Monitoring and review of third party services. The services reports and records provided by third party shall be regularly monitored and reviewed and audit shall be carried out regularly. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.11.4.7) Network Routing control. Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access
Services
RL
Maintenance error
12
Services
RL
16
Services
RL
Unprotected password tables
Page 58
control policy of the business application.
Services
RL
Misuse of resources
16
(A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.9.1.2) Physical Entry Control Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access
Services
RL
(A.11.4.1) Policy on use of network services. Users shall only be provided with access to the services that they have been specifically authorized to use. (A.10.8.1) Information exchange policies and procedures. Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communication facilities. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.10.8.1) Information exchange policies and procedures. Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communication facilities. (A.10.8.3) Physical media in transit. Media
Services
RL
Traffic overloading
Services
RL
Transmission errors
Page 59
containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond organizations physical boundaries.
Services
RL
40
(A.11.4.1) Policy on use of network services. Users shall only be provided with access to the services that they have been specifically authorized to use. (A.12.5.3) restriction on changes to software packages. Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user.
Services
RL
Services
RL
24
(A.12.5.3) restriction on changes to software packages. Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.9.1.1) Physical Security Perimeter Security perimeters (barriers such as walls , card
Services
RL
User error
16
Page 60
controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities (A.9.1.2) Physical Entry Control Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access
Services
RL
Willful damage
48
(A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user (A.9.1.1) Physical Security Perimeter Security perimeters (barriers such as walls , card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities (A.9.1.2) Physical Entry Control Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user.
Intangible Assets
RL
40
Intangible Assets
RL
Misuse of resources
120
Page 61
(A.9.1.1) Physical Security Perimeter Security perimeters (barriers such as walls , card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities (A.9.1.2) Physical Entry Control Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.9.1.1) Physical Security Perimeter Security perimeters (barriers such as walls , card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities (A.9.1.2) Physical Entry Control Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access (A.9.1.3) Securing Offices, rooms and facilities Physical security for offices, rooms, and facilities shall be designed and applied. (A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied. (A.10.2.2) Monitoring and review of third party services. The services reports and records provided by third party shall be regularly
Intangible Assets
RL
User error
15
Intangible Assets
RL
Willful damage
90
Staff
CF
Staff
CF
Unprotected communication
Page 62
lines
monitored and reviewed and audit shall be carried out regularly . (A.9.2.4) Equipment Maintenance. Equipment shall be correctly maintained to ensure its continued availability and integrity.
(A.9.2.3) Cabling security. Power and telecommunication cabling carry data or supporting information services shall be protected from interception or damage.
Staff
CF
Eavesdropping
(A.10.8.1) Information exchange policies and procedures. Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communication facilities.
Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage.
Staff
CF
(A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied. (A.10.4.1) Control against malicious code Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented.
Staff
CF
Malicious software
Page 63
Staff
CF
40
(A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.10.8.1) Information exchange policies and procedures. Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communication facilities. (A.11.4.1) Policy on use of network services. Users shall only be provided with access to the services that they have been specifically authorized to use. (A.12.5.3) restriction on changes to software packages. Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user.
Staff
CF
Traffic overloading
Staff
CF
Staff
CF
Staff
CF
Staff
CF
User error
Page 64
Students
AS
(A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied. (A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied. (A.10.8.1) Information exchange policies and procedures. Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communication facilities.
Students
AS
Bomb attack
24
Students
AS
Eavesdropping
12
Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage.
Students
AS
Malicious software
12
(A.10.4.1) Control against malicious code Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented . (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.11.4.1) Policy on use of network services. Users shall only be provided with access to the
Students
AS
80
Students
AS
Network access by
16
Page 65
unauthorized persons Students AS 4 Operational support staff error 1
rights Unclear or incomplete specifications for staff

2 8
services that they have been specifically authorized to use. (A.10.2.2) Monitoring and review of third party services. The services reports and records provided by third party shall be regularly monitored and reviewed and audit shall be carried out regularly. (A.10.8.1) Information exchange policies and procedures. Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communication facilities. (A.11.4.1) Policy on use of network services. Users shall only be provided with access to the services that they have been specifically authorized to use. (A.9.2.2) Supporting utilities. Equipment shall be protected from power failure and other disruptions caused by failures in supporting utilities. (A.9.2.4) Equipment Maintenance. Equipment shall be correctly maintained to ensure its continued availability and integrity. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user.
Students
AS
Traffic overloading
16
Students
AS
16
Students
AS
16
Page 66
Students
AS
16
(A.12.5.3) restriction on changes to software packages. Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.
Students
AS
User error
64
(A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied. (A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied. (A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied. (A.10.2.2) Monitoring and review of third party services. The services reports and records provided by third party shall be regularly monitored and reviewed and audit shall be
Properties
AS
Properties
AS
Properties
AS
Bomb attack
Properties
AS
Page 67
carried out regularly. (A.9.2.4) Equipment Maintenance. Equipment shall be correctly maintained to ensure its continued availability and integrity. (A.9.2.3) Cabling security. Power and telecommunication cabling carry data or supporting information services shall be protected from interception or damage.
Properties
AS
Earthquake
Building in location which is in an earthquake zone
(A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied. (A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied. (A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied. (A.10.2.2) Monitoring and review of third party services. The services reports and records provided by third party shall be regularly monitored and reviewed and audit shall be carried out regularly. (A.9.2.4) Equipment Maintenance. Equipment shall be correctly maintained to ensure its continued availability and integrity.
Properties
AS
Properties
AS
Location in an area susceptible to overheat
Properties
AS
Poor joint cabling
Page 68
(A.9.2.3) Cabling security. Power and telecommunication cabling carry data or supporting information services shall be protected from interception or damage.
Properties
AS
Inadequate facilities of the old fashion structure with less facilities
(A.10.2.2) Monitoring and review of third party services. The services reports and records provided by third party shall be regularly monitored and reviewed and audit shall be carried out regularly.
Properties
AS
Fire
Location area susceptible to fire 2
(A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied. (A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied. (A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied. (A.9.1.4) Protecting against external and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest& other forms of natural or manmade disaster shall be designed & applied.
Properties
AS
Flooding
Location in an area susceptible to flood
Properties
AS
Hurricane
Location in an area susceptible 2 to hurricanes
Properties
AS
Lightning
Location area susceptible to lightning
Page 69
Properties
AS
Maintenance error
(A.10.2.2) Monitoring and review of third party services. The services reports and records provided by third party shall be regularly monitored and reviewed and audit shall be carried out regularly. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.9.1.1) Physical Security Perimeter Security perimeters (barriers such as walls , card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities (A.9.1.2) Physical Entry Control Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access
Properties
AS
Properties
AS
Misuse of resources
Unclear or incomplete specifications for staff
Properties
AS
Power fluctuations
Unstable power grid
(A.9.2.2) Supporting utilities. Equipment shall be protected from power failure and other disruptions caused by failures in supporting utilities. (A.10.2.1) Service Delivery It shall be ensured that the security controls,
Properties
AS
Staff shortage
Unclear or incomplete
Page 70
specifications for staff
service definitions and delivery levels included in the third party service delivery agreement are implemented operated and maintained by the third party.
Properties
AS
Theft
(A.9.1.1) Physical Security Perimeter Security perimeters (barriers such as walls , card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities (A.9.1.2) Physical Entry Control Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access (A.9.1.3) Securing Offices, rooms and facilities Physical security for offices, rooms, and facilities shall be designed and applied. (A.10.8.1) Information exchange policies and procedures. Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communication facilities. (A.10.8.1) Information exchange policies and procedures. Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communication facilities. (A.10.8.3) Physical media in transit. Media containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond organizations physical boundaries.
Properties
AS
Traffic overloading
Properties
AS
Transmission errors
Properties
AS
Use of network facilities in
Lack of identification and
(A.11.4.1) Policy on use of network services. Users shall only be provided with access to the
Page 71
unauthorized way
authentication mechanisms
services that they have been specifically authorized to use.
Properties
AS
User error
(A.11.5.2) User Identification and authentication. All users shall have a unique identifier (user ID) for their personal use only, and suitable authentication techniques shall be chosen to substantiate the claimed identity of a user. (A.9.1.1) Physical Security Perimeter Security perimeters (barriers such as walls , card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities (A.9.1.2) Physical Entry Control Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access (A.9.1.3) Securing Offices, rooms and facilities Physical security for offices, rooms, and facilities shall be designed and applied.
Properties
AS
Willful damage
Careless use of security access
Page 72
Conclusion
This group report given us the knowledge of proper understanding how to prepare a proper risk register and to analyse the impacts and the controls according to ISO 27001 standards and also it helped us to comprehend the importance of team approach towards preparing the risk register which include identifying the assets of an organisation, identification of threats for the assets, applying ISO standards.
Page 73
School of Computing, Information Technology & Engineering

Mohammad Dastbaz (MD) S Price (SP)
Learning Development Services Directorate

Mandy Estridge (ME)
Pro VC Academic
School of Health & Bio Science

Neville Punchard (NP)
Learning Support Services Directorate

Haydn John (HJ)
Appendix A- organization chart
Chris Pawson (CP)
International office Directorate

Eileen Johnson (EJ)
Secretary & Registrar
School of cultural and Innovation studies

Caroline Dunmore (CD)
East London Business School

Len Shackleton (LS)
M Throne (MT)
Tracy Boakes (TB)
School of Education & Community Studies

Ann Slater (AS)
R Allanach (RA)
Finance Director
Financial Services
Indra Linton (IL)
Student Services Directorate

Mandy Estridge (ME)
School of Architecture
Pete Cobb (PC)
School of Psychology
David Rose (DR)
School of Art & Design

Pete Cobb (PC)
School of Social Sciences

Steven Trevillion (ST)
Combined Honours Office Page 74

Graham Curtis (GC)
Pro VC Research, Outreach, & Infrastructure
Personnel Services
Caroline Frostick (CF)
School of Law
Fiona Fairweather (FF)

A Ingle (AI)
Corporate and External Relations Facilities Directorate IT Services Directorate

A Sibbalad (AS)
Vice Chancellor
Rebecca Levene (RL)
Appendix B - Asset Values and Impacts of an Incident

Value Type of Company Effect Embarrassment Level Personal Implication Personal Privacy Infringement Failure to Meet Legal Obligations Financial Loss () Disruption to Activities () (Time & Effort to Recover from Incident) Up to 10k 10k to 100k
Level
of Effect 1 2 Insignificant Minor
Safety
Hardware Failures
Minor problems to individual Minor problems to staff and students Major problems to every individual Major problem to every student Major problems towards reputation
Highly technical measures taken Personal data can be revealed up to some extent advisory service can solve the problem Chance to corrupt the information Cannot be recovered easily
No Civil damages will occur Civil suit (above 10k).quality regulations. Civil Suits. Large fine (above 10k) Custodial sentence imposed Multiple civil or criminal suits
Up to 10k 10k to 100k
Significant
Software Compliance
100k to 500k
100k - 500k
4 5
Major Acute
Security of information Frauds, money manipulation
500k - 1000k Above 1000k
500k - 1000k Above 1000k
Page 75
Appendix C- Likelihood of Vulnerability being exploited by a given Threat
Vulnerability Likelihood 1 2 3 4 5 6 7 8 9 10
Description
Interpretation
Negligible Extremely unlikely Very unlikely Unlikely Feasible Probable Very probable Expected Confidently expected Certain
Once every 1000 years or less Once every 200 years Once every 50 years Once every 20 years Once every 5 years Annually Quarterly Monthly Weekly Daily
Page 76
References
1. Bernasconi, J. (March, 2004). Part II: Quantitative risk analysis. Article in ABB, retrieved February 5, 2006. 2. Kerzner, H. (2003). Project management: A systems approach to planning, scheduling, and controlling (8th ed.). Hoboken, New Jersey: John Wiley & Sons, Inc. 3. McKinley, K. (November 7, 2005). Qualitative and quantitative risk analysis. Article from Intraver Institute, Inc. Retrieved February 5, 2006. 4. Michael, E.W. & Herbert, J.M.,( 2008). Management of Information Security. 2nd ed. Canada: Thomson Course Technology. 5. Project Management Institute. (2004). A guide to the project management body of knowledge (3rd ed..). Newton Square: PMBOK guide 6. http://www.unesco.org/iau/internationalization/pdf/ueluk.pdf 7. http://security.practitioner.com/introduction/infosec_5_3_9.htm 8. http://tk-strategies.com/17-Risk-Analysis.html 9. https://ecommittees.bsi-global.com/bsi/controller/BCM1-0011_05.pdf 10. British Standard BS ISO/IEC 27001:2005 BS7799-2:2005 Information Technology- Security Techniques- Information Security Management Systems- Requirements 11. David Lilburn Watson, Case Study Pack
Page 77

Information Security

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Information Security

Uploaded by

Copyright:

Available Formats

COURSE WORK ON SECURITY MANAGEMENT

MODULE LEADER Dr. H. MOURATIDIS

MODULE CODE SDM023

SUBMITED BY NANI KODURI THISARA SENEVIRATNE 0919879 0931838

ANTHONYS SENEVIRATNE 0931840 MAHENDRARAJAH JOHN THAMILRAJ

SECURITY MANAGEMENT (SDM023)

SECURITY MANAGEMENT (SDM023)

SECURITY MANAGEMENT (SDM023)

Scope of the Risk Assessment

Procedures for developing and maintaining the risk register

SECURITY MANAGEMENT (SDM023)

(BS ISO/IEC 27001:2005, Section A.7, sub section A.7.1.1)

Ownership of the Assets

(BS ISO/IEC 27001:2005, Section A.7, sub section A.7.1.2)

DETAILS OPERATING SYSTEM AND APPLICATIONS SOFTWARE COMPUTERS,TELEPHONE SYSTEMS,SERVERS

SECURITY MANAGEMENT (SDM023)

(Please refer Appendix A for values)

SECURITY MANAGEMENT (SDM023)

SECURITY MANAGEMENT (SDM023)

Information Assets (Electronic)

Threat Hardware Software

Airborne particles or dust

4 Unlikely, Due to a hardware failure

6 Probable, crashed due to dust

6 Probable, Due H/W failures

8 Expected, erroneou s experime ntal data 4 Unlikely, due to hardware failures

5 Feasible, crashed due to dust

6 Probable, damaged due to dust

Air Conditioning failure

5 Feasible, crashed due to temperat ure

5 Feasible, crashed due to temperat ure 2 Extremel y unlikely

5 Feasible, crashed due to temperat ure 2 Extremel y unlikely

5 Feasible, crashed due to temperat ure 2 Extremel y unlikely

5 Feasible, crashed due to temperat ure 2 Extremel y unlikely

SECURITY MANAGEMENT (SDM023)

8 Expected, network damages

Damage to communications lines/cables

1 Negligible 1 Negligible 2 Extremel y unlikely 1 Negligible 1 Negligible 1 Negligible

1 Negligible 1 Negligible 2 Extremel y unlikely 1 Negligible 1 Negligible 2 Extremel y unlikely

1 Negligible 1 Negligible 2 Extremel y unlikely 1 Negligible 1 Negligible 2 Extremel y unlikely

1 Negligible 1 Negligible 2 Extremel y unlikely 1 Negligible 1 Negligible 2 Extremel y unlikely

Deterioration of storage media

Extreme of temperature / humidity

6 Probable, Due H/W failures

SECURITY MANAGEMENT (SDM023)

Failure of communications services

5 Feasible, crashed due to no updates

5 Feasible, network can be down 8 Expected

Failure of network components

Failure of power supply

6 Probable, Due H/W failures

6 Probable, Due H/W failures 2 Extremel y unlikely 6 Probable,

Failure of water supply

3 Very unlikely 2 Extremel y unlikely 1 Negligible

2 Extremel y unlikely 6 Probable, Due H/W failures

2 Extremel y unlikely 6 Probable, Due H/W failures

2 Extremel y unlikely 5 Feasible

2 Extremel y unlikely 6 Probable, Due H/W failures

2 Extremel y unlikely 6 Probable, Due H/W failures

2 Extremel y unlikely 1 Negligible

2 Extremel y unlikely 1 Negligible

2 Extremel y unlikely 1 Negligible

SECURITY MANAGEMENT (SDM023)

2 Extremel y unlikely 2 Extremel y unlikely 3 Very unlikely