
Access Control

Asset Classification & Control


Business Continuity Management
Communications & Operations Management
Compliance
Organizational Security
Personnel Security
Physical and Environmental Security
Security Policy
Systems Development
BITS KEY RISK MEASUREMENT TOOL FOR INFORMATION SECURITY OPERATIONAL RISKS

| ISO Domain Reference | Basel Loss Category for Operational Risk | Threat Event | Vulnerability | Security Control | Likelihood of Threat (Input), Degree to which Control is Implemented (Input), Impact if Control is not Implemented (Input), Control vs. Impact Score, Residual Risk Score (values as extracted) |
|---|---|---|---|---|---|
| Access Control | Business Disruption and System Failures | Application software failure | Security events are not logged at the application level. | Security events are logged at the application level. | 10% 0 0 5 0.50 |
| Access Control | Business Disruption and System Failures | Application software failure | Application testing is not performed. | Application testing is performed. | 5 0.00 |
| Access Control | External Fraud | Computer crime | System access logs are not created and reviewed to identify use or attempted use and modification or attempted modification of critical system components (files, registry entries, configurations, security settings/parameters, audit logs). | System access logs are created and reviewed to identify use or attempted use and modification or attempted modification of critical system components (files, registry entries, configurations, security settings/parameters, audit logs). | 5 0.00 |
| Access Control | External Fraud | Computer crime | System access logs are not stored in a secure fashion with limited access and are not protected from alteration or deletion. | System access logs are stored in a secure fashion with limited access and protected from alteration or deletion. | 5 0.00 |
| Access Control | Internal Fraud | Computer crime | Policies that define the removal of information from company facilities are not in place and are not communicated to all employees. | Policies that define the removal of information from company facilities are in place and communicated to all employees. | 5 0.00 |
| Access Control | External Fraud | Computer crime | Policies that define the removal of information from company facilities are not in place and are not communicated to all employees. | Policies that define the removal of information from company facilities are in place and communicated to all employees. | 5 0.00 |
| Access Control | Business Disruption and System Failures | DDoS or DoS attacks | Ingress/egress filtering is not enabled/supported on routers. | Network routers perform ingress and egress filtering. | 5 0.00 |
| Access Control | Business Disruption and System Failures | DDoS or DoS attacks | Routing access control lists are inappropriately configured or improperly maintained to ensure security. | Routing access control lists are maintained by designated personnel and used for security. | 5 0.00 |
| Access Control | Business Disruption and System Failures | DDoS or DoS attacks | All external connections and/or external IP network access bypass firewalls. | All external connections and external IP network access pass through a firewall. | 5 0.00 |
| Access Control | External Fraud | DDoS or DoS attacks | SNMP best practices have not been implemented. | SNMP best practices have been implemented. | 5 0.00 |
| Access Control | Business Disruption and System Failures | DDoS or DoS attacks | Technology such as encryption, VPN client technology, etc. is not used during remote connectivity. | Confidentiality of sensitive information is ensured during remote connectivity using appropriate technology such as encryption, VPN client technology, etc. | 5 0.00 |
9/29/2014 © BITS 2003. All rights reserved. 2
| Access Control | Business Disruption and System Failures | DDoS or DoS attacks | The remote access client allows split tunneling. | The remote access client prohibits split tunneling. | 5 0.00 |
| Access Control | Business Disruption and System Failures | DDoS or DoS attacks | Routing access control lists are inappropriately configured or improperly maintained to ensure security. | Routing access control lists are maintained by designated personnel and used for security. | 5 0.00 |
| Access Control | Business Disruption and System Failures | DDoS or DoS attacks | Routing access control lists are inappropriately configured or improperly maintained to ensure security. | Routing access control lists are maintained by designated personnel and used for security. | 5 0.00 |
| Access Control | Business Disruption and System Failures | DDoS or DoS attacks | All external connections and/or external IP network access bypass firewalls. | All external connections and external IP network access pass through a firewall. | 5 0.00 |
| Access Control | Business Disruption and System Failures | DDoS or DoS attacks | All external connections and/or external IP network access bypass firewalls. | All external connections and external IP network access pass through a firewall. | 5 0.00 |
| Access Control | Execution, Delivery and Process Management | Human error | Host level system authorization mechanisms are not in place. | Host level system authorization mechanisms are in place. | 5 0.00 |
| Access Control | Execution, Delivery and Process Management | Human error | Operating system master and sub-master consoles are not located in a protected and controlled area. | Operating system master and sub-master consoles are located in a protected and controlled area. | 5 0.00 |
| Access Control | Execution, Delivery and Process Management | Human error | A comprehensive policy outlining remote user requirements is not in place, is not communicated to the employee, and/or is not understood or followed by the employee. | A comprehensive policy outlining remote user requirements is in place and communicated via an agreement signed by the employee. | 5 0.00 |
| Access Control | External Fraud | Lawsuits/litigation | Procedures do not exist to verify the authenticity of the counterparty providing electronic instructions or transactions through trusted exchange of passwords, tokens, or cryptographic keys. | Procedures exist to verify the authenticity of the counterparty providing electronic instructions or transactions through trusted exchange of passwords, tokens, or cryptographic keys. | 5 0.00 |
| Access Control | Execution, Delivery and Process Management | Lawsuits/litigation | Procedures do not exist to verify the authenticity of the counterparty providing electronic instructions or transactions through trusted exchange of passwords, tokens, or cryptographic keys. | Procedures exist to verify the authenticity of the counterparty providing electronic instructions or transactions through trusted exchange of passwords, tokens, or cryptographic keys. | 5 0.00 |
| Access Control | Clients, Products and Business Practices | Lawsuits/litigation | Procedures do not exist to verify the authenticity of the counterparty providing electronic instructions or transactions through trusted exchange of passwords, tokens, or cryptographic keys. | Procedures exist to verify the authenticity of the counterparty providing electronic instructions or transactions through trusted exchange of passwords, tokens, or cryptographic keys. | 5 0.00 |
| Access Control | Execution, Delivery and Process Management | Lawsuits/litigation | Ingress/egress filtering is not enabled/supported on routers. | Network routers perform ingress and egress filtering. | 5 0.00 |
| Access Control | Execution, Delivery and Process Management | Lawsuits/litigation | Processes/procedures have not been implemented to ensure third party connections are appropriately authorized, documented, and managed. | An authorization, documentation and management process is in place for all external connections. | 5 0.00 |
| Access Control | Execution, Delivery and Process Management | Lawsuits/litigation | Session encryption is not used for external IP access. | External IP access, including system-to-system authentication, uses session encryption. | 5 0.00 |
| Access Control | Internal Fraud | Leaving computer screen exposed or unlocked | Workstation screensaver/lockout features are not enabled/system enforced. Policies/guidelines do not exist. | The desktop is configured to log off, lock or use a password protected screen saver whenever the computer is left unattended. | 5 0.00 |
| Access Control | External Fraud | Leaving computer screen exposed or unlocked | Workstation screensaver/lockout features are not enabled/system enforced. Policies/guidelines do not exist. | The desktop is configured to log off, lock or use a password protected screen saver whenever the computer is left unattended. | 5 0.00 |
| Access Control | Internal Fraud | Leaving computer screen exposed or unlocked | No limitations or restrictions have been placed on connection times. | Limitations and/or restrictions have been placed on connection times for activities such as batch processing (i.e., restricting connections, time-outs, and/or inactivity). | 5 0.00 |
| Access Control | External Fraud | Leaving sensitive documents exposed | Policies that define the removal of information from company facilities are not in place and are not communicated to all employees. | Policies that define the removal of information from company facilities are in place and communicated to all employees. | 5 0.00 |
| Access Control | External Fraud | Leaving sensitive documents exposed | Security controls for equipment and information used in mobile computers have not been established. | Security controls for equipment and information used in mobile computers have been established, including: permissible equipment use and security of that equipment (e.g., double-wrapped envelopes, locked briefcases/cabinets, encrypted data, digital certificates, etc.), security and backup of information taken or held offsite, and use of virus protection tools. | 5 0.00 |
| Access Control | External Fraud | Lost or stolen laptops | Security controls for equipment and information used in mobile computers have not been established. | Security controls for equipment and information used in mobile computers have been established, including: permissible equipment use and security of that equipment (e.g., double-wrapped envelopes, locked briefcases/cabinets, encrypted data, digital certificates, etc.), security and backup of information taken or held offsite, and use of virus protection tools. | 5 0.00 |
| Access Control | Business Disruption and System Failures | Malicious code | Processes/procedures have not been implemented to ensure third party connections are appropriately authorized, documented, and managed. | An authorization, documentation and management process is in place for all external connections. | 5 0.00 |
| Access Control | Business Disruption and System Failures | Malicious code | Processes/procedures have not been implemented to ensure third party connections are appropriately authorized, documented, and managed. | An authorization, documentation and management process is in place for all external connections. | 5 0.00 |
| Access Control | Business Disruption and System Failures | Malicious code | All external connections and/or external IP network access bypass firewalls. | All external connections and external IP network access pass through a firewall. | 5 0.00 |
| Access Control | Business Disruption and System Failures | Malicious code | The internal address range is exposed or unprotected. | The internal address range is protected (e.g., NAT). | 5 0.00 |
| Access Control | Business Disruption and System Failures | Malicious code | Applications in use or considered for use do not conform to the security feature criteria in the BITS Product Certification Program or other recognized product certifications. | Applications in use or considered for use conform to the security criteria in the BITS Product Certification Program or other recognized product certifications. | 5 0.00 |
| Access Control | Internal Fraud | Network spoofing | Routing access control lists are inappropriately configured or improperly maintained to ensure security. | Routing access control lists are maintained by designated personnel and used for security. | 5 0.00 |
| Access Control | External Fraud | Network spoofing | Routing access control lists are inappropriately configured or improperly maintained to ensure security. | Routing access control lists are maintained by designated personnel and used for security. | 5 0.00 |
| Access Control | Business Disruption and System Failures | Network spoofing | Routing access control lists are inappropriately configured or improperly maintained to ensure security. | Routing access control lists are maintained by designated personnel and used for security. | 5 0.00 |
| Access Control | Internal Fraud | Network spoofing | All external connections and/or external IP network access bypass firewalls. | All external connections and external IP network access pass through a firewall. | 5 0.00 |
| Access Control | External Fraud | Network spoofing | All external connections and/or external IP network access bypass firewalls. | All external connections and external IP network access pass through a firewall. | 5 0.00 |
| Access Control | Business Disruption and System Failures | Network spoofing | All external connections and/or external IP network access bypass firewalls. | All external connections and external IP network access pass through a firewall. | 5 0.00 |
| Access Control | Business Disruption and System Failures | Network spoofing | The internal address range is exposed or unprotected. | The internal address range is protected (e.g., NAT). | 5 0.00 |
| Access Control | External Fraud | Network spoofing | The internal address range is exposed or unprotected. | The internal address range is protected (e.g., NAT). | 5 0.00 |
| Access Control | External Fraud | Network spoofing | Session encryption is not used for external IP access. | External IP access, including system-to-system authentication, uses session encryption. | 5 0.00 |
| Access Control | External Fraud | Network spoofing | Local and wide area networks are not fully switched. | Local area and wide area networks are fully switched. | 5 0.00 |
| Access Control | External Fraud | Network spoofing | Technology such as encryption, VPN client technology, etc. is not used during remote connectivity. | Confidentiality of sensitive information is ensured during remote connectivity using appropriate technology such as encryption, VPN client technology, etc. | 5 0.00 |
| Access Control | External Fraud | Network spoofing | The remote access client allows split tunneling. | The remote access client prohibits split tunneling. | 5 0.00 |
| Access Control | Internal Fraud | Network/application backdoor | Time, day, or similar restrictions are not enabled. | Access to resources is controlled by a combination of any of the following: (1) method or location of accessing user, (2) time-of-day, (3) day-of-week, (4) calendar date, (5) specific program used to access the resource. | 5 0.00 |
| Access Control | External Fraud | Network/application backdoor | Time, day, or similar restrictions are not enabled. | Access to resources is controlled by a combination of any of the following: (1) method or location of accessing user, (2) time-of-day, (3) day-of-week, (4) calendar date, (5) specific program used to access the resource. | 5 0.00 |
| Access Control | Internal Fraud | Network/application backdoor | Authorization engine fails in an open state. | If the authorization engine for the system fails, the access control rules default to "no access". | 5 0.00 |
| Access Control | External Fraud | Network/application backdoor | Authorization engine fails in an open state. | If the authorization engine for the system fails, the access control rules default to "no access". | 5 0.00 |
| Access Control | Internal Fraud | Network/application backdoor | Access administration processes do not ensure that user access is based on least privilege or consistent with job function. | User access capabilities are configured with least privilege, and are consistent with the user's assigned job responsibilities for performing a particular function or transaction. | 5 0.00 |
| Access Control | External Fraud | Network/application backdoor | Access administration processes do not ensure that user access is based on least privilege or consistent with job function. | User access capabilities are configured with least privilege, and are consistent with the user's assigned job responsibilities for performing a particular function or transaction. | 5 0.00 |
| Access Control | Internal Fraud | Network/application backdoor | Access administration change (employee status changes) processes are informal or inadequate. | Procedures are in place to amend user access rights when a user changes roles in the organization and revoke rights when a user leaves the organization. | 5 0.00 |
| Access Control | External Fraud | Network/application backdoor | Access administration change (employee status changes) processes are informal or inadequate. | Procedures are in place to amend user access rights when a user changes roles in the organization and revoke rights when a user leaves the organization. | 5 0.00 |
| Access Control | Internal Fraud | Network/application backdoor | No processes are in place to ensure default user IDs are renamed/disabled. | Default user IDs are renamed or disabled. | 5 0.00 |
| Access Control | External Fraud | Network/application backdoor | No processes are in place to ensure default user IDs are renamed/disabled. | Default user IDs are renamed or disabled. | 5 0.00 |
| Access Control | Internal Fraud | Network/application backdoor | Temporary, generic, guest or anonymous user IDs are not tightly controlled/monitored. | Temporary, generic, guest or anonymous user IDs are limited in use and tightly controlled. | 5 0.00 |
| Access Control | External Fraud | Network/application backdoor | Temporary, generic, guest or anonymous user IDs are not tightly controlled/monitored. | Temporary, generic, guest or anonymous user IDs are limited in use and tightly controlled. | 5 0.00 |
| Access Control | Internal Fraud | Network/application backdoor | Password policies/standards have not been established. | Guidelines are provided to users for generating secure passwords, including simple instructions such as: passwords must not be shared, passwords must not be written down and stored in obvious places, etc. | 5 0.00 |
| Access Control | External Fraud | Network/application backdoor | Password policies/standards have not been established. | Guidelines are provided to users for generating secure passwords, including simple instructions such as: passwords must not be shared, passwords must not be written down and stored in obvious places, etc. | 5 0.00 |
| Access Control | Internal Fraud | Network/application backdoor | Policies/procedures addressing security of stored passwords have not been established. System features to securely store passwords (e.g., encryption) have not been enabled. | Appropriate controls are established for the secure storage and maintenance of password lists. | 5 0.00 |
| Access Control | External Fraud | Network/application backdoor | Policies/procedures addressing security of stored passwords have not been established. System features to securely store passwords (e.g., encryption) have not been enabled. | Appropriate controls are established for the secure storage and maintenance of password lists. | 5 0.00 |
| Access Control | Internal Fraud | Network/application backdoor | System features (forced password change) have not been enabled or do not exist. In the absence of system controls, manual processes/procedures have not been established to remind users to do this. | The system is configured to require the user to change the initial password during first logon. | 5 0.00 |
| Access Control | External Fraud | Network/application backdoor | System features (forced password change) have not been enabled or do not exist. In the absence of system controls, manual processes/procedures have not been established to remind users to do this. | The system is configured to require the user to change the initial password during first logon. | 5 0.00 |
| Access Control | Internal Fraud | Network/application backdoor | System features (strong passwords) are not enabled or do not exist. In the absence of system controls, policies/guidelines encouraging strong passwords have not been established. | Restrictions are placed on user password creation and use, including expiration after a certain time period, minimum length, reuse, and appropriate strength (i.e., user ID not equal to password, password not equal to password, limit repetitive characters, require alphanumeric and special characters). | 5 0.00 |
| Access Control | External Fraud | Network/application backdoor | System features (strong passwords) are not enabled or do not exist. In the absence of system controls, policies/guidelines encouraging strong passwords have not been established. | Restrictions are placed on user password creation and use, including expiration after a certain time period, minimum length, reuse, and appropriate strength (i.e., user ID not equal to password, password not equal to password, limit repetitive characters, require alphanumeric and special characters). | 5 0.00 |
| Access Control | Internal Fraud | Network/application backdoor | System timeout features have not been enabled or do not exist. | The system is configured to disconnect or force re-authentication of users after a specified period of inactivity. | 5 0.00 |
| Access Control | External Fraud | Network/application backdoor | System timeout features have not been enabled or do not exist. | The system is configured to disconnect or force re-authentication of users after a specified period of inactivity. | 5 0.00 |
| Access Control | Internal Fraud | Network/application backdoor | System unsuccessful logon attempt features are not enabled or do not exist. | The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts. | 5 0.00 |
| Access Control | External Fraud | Network/application backdoor | System unsuccessful logon attempt features are not enabled or do not exist. | The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts. | 5 0.00 |
| Access Control | Internal Fraud | Network/application backdoor | Remote network access paths are not restricted to designated gateways and/or resources. | Remote network access paths are restricted to designated gateways and/or resources. | 5 0.00 |
| Access Control | External Fraud | Network/application backdoor | Remote network access paths are not restricted to designated gateways and/or resources. | Remote network access paths are restricted to designated gateways and/or resources. | 5 0.00 |
| Access Control | External Fraud | Network/application backdoor | Strong authentication features are not enabled/supported. | Additional forms of access control are used to safeguard against unauthorized access from external connections (e.g., dial back, two-part authentication, challenge-response, time of day or week restriction, read-only restrictions, etc.). | 5 0.00 |
| Access Control | External Fraud | Network/application backdoor | Processes/procedures have not been implemented to ensure third party connections are appropriately authorized, documented, and managed. | An authorization, documentation and management process is in place for all external connections. | 5 0.00 |
| Access Control | Internal Fraud | Network/application backdoor | Internal network segments are not segregated and do not have controlled access through network level authorization. | Internal network segments are segregated and have controlled access through network level authorization. | 5 0.00 |
| Access Control | Internal Fraud | Network/application backdoor | Security events are not logged at the application level. | Security events are logged at the application level. | 5 0.00 |
| Access Control | External Fraud | Network/application backdoor | Security events are not logged at the application level. | Security events are logged at the application level. | 5 0.00 |
| Access Control | External Fraud | Network/application backdoor | Technology such as encryption, VPN client technology, etc. is not used during remote connectivity. | Confidentiality of sensitive information is ensured during remote connectivity using appropriate technology such as encryption, VPN client technology, etc. | 5 0.00 |
| Access Control | Internal Fraud | Network/application time bomb | Time, day, or similar restrictions are not enabled. | Access to resources is controlled by a combination of any of the following: (1) method or location of accessing user, (2) time-of-day, (3) day-of-week, (4) calendar date, (5) specific program used to access the resource. | 5 0.00 |
| Access Control | External Fraud | Network/application time bomb | Time, day, or similar restrictions are not enabled. | Access to resources is controlled by a combination of any of the following: (1) method or location of accessing user, (2) time-of-day, (3) day-of-week, (4) calendar date, (5) specific program used to access the resource. | 5 0.00 |
| Access Control | Internal Fraud | Network/application time bomb | Authorization engine fails in an open state. | If the authorization engine for the system fails, the access control rules default to "no access". | 5 0.00 |
| Access Control | External Fraud | Network/application time bomb | Authorization engine fails in an open state. | If the authorization engine for the system fails, the access control rules default to "no access". | 5 0.00 |
| Access Control | Internal Fraud | Network/application time bomb | Access administration processes do not ensure that user access is based on least privilege or consistent with job function. | User access capabilities are configured with least privilege, and are consistent with the user's assigned job responsibilities for performing a particular function or transaction. | 5 0.00 |
| Access Control | External Fraud | Network/application time bomb | Access administration processes do not ensure that user access is based on least privilege or consistent with job function. | User access capabilities are configured with least privilege, and are consistent with the user's assigned job responsibilities for performing a particular function or transaction. | 5 0.00 |
| Access Control | Internal Fraud | Network/application time bomb | Access administration change (employee status changes) processes are informal or inadequate. | Procedures are in place to amend user access rights when a user changes roles in the organization and revoke rights when a user leaves the organization. | 5 0.00 |
| Access Control | External Fraud | Network/application time bomb | Access administration change (employee status changes) processes are informal or inadequate. | Procedures are in place to amend user access rights when a user changes roles in the organization and revoke rights when a user leaves the organization. | 5 0.00 |
| Access Control | Internal Fraud | Network/application time bomb | No processes are in place to ensure default user IDs are renamed/disabled. | Default user IDs are renamed or disabled. | 5 0.00 |
| Access Control | External Fraud | Network/application time bomb | No processes are in place to ensure default user IDs are renamed/disabled. | Default user IDs are renamed or disabled. | 5 0.00 |
| Access Control | Internal Fraud | Network/application time bomb | Temporary, generic, guest or anonymous user IDs are not tightly controlled/monitored. | Temporary, generic, guest or anonymous user IDs are limited in use and tightly controlled. | 5 0.00 |
| Access Control | External Fraud | Network/application time bomb | Temporary, generic, guest or anonymous user IDs are not tightly controlled/monitored. | Temporary, generic, guest or anonymous user IDs are limited in use and tightly controlled. | 5 0.00 |
| Access Control | Internal Fraud | Network/application time bomb | Password policies/standards have not been established. | Guidelines are provided to users for generating secure passwords, including simple instructions such as: passwords must not be shared, passwords must not be written down and stored in obvious places, etc. | 5 0.00 |
| Access Control | External Fraud | Network/application time bomb | Password policies/standards have not been established. | Guidelines are provided to users for generating secure passwords, including simple instructions such as: passwords must not be shared, passwords must not be written down and stored in obvious places, etc. | 5 0.00 |
| Access Control | Internal Fraud | Network/application time bomb | Policies/procedures addressing security of stored passwords have not been established. System features to securely store passwords (e.g., encryption) have not been enabled. | Appropriate controls are established for the secure storage and maintenance of password lists. | 5 0.00 |
| Access Control | External Fraud | Network/application time bomb | Policies/procedures addressing security of stored passwords have not been established. System features to securely store passwords (e.g., encryption) have not been enabled. | Appropriate controls are established for the secure storage and maintenance of password lists. | 5 0.00 |
| Access Control | Internal Fraud | Network/application time bomb | System features (forced password change) have not been enabled or do not exist. In the absence of system controls, manual processes/procedures have not been established to remind users to do this. | The system is configured to require the user to change the initial password during first logon. | 5 0.00 |
| Access Control | External Fraud | Network/application time bomb | System features (forced password change) have not been enabled or do not exist. In the absence of system controls, manual processes/procedures have not been established to remind users to do this. | The system is configured to require the user to change their initial password during first logon. | 5 0.00 |
| Access Control | Internal Fraud | Network/application time bomb | System features (strong passwords) are not enabled or do not exist. In the absence of system controls, policies/guidelines encouraging strong passwords have not been established. | Restrictions are placed on user password creation and use, including expiration after a certain time period, minimum length, reuse, and appropriate strength (e.g., user ID not equal to password, password not equal to password, limit repetitive characters, require alphanumeric and special characters). | 5 0.00 |
| Access Control | External Fraud | Network/application time bomb | System features (strong passwords) are not enabled or do not exist. In the absence of system controls, policies/guidelines encouraging strong passwords have not been established. | Restrictions are placed on user password creation and use, including expiration after a certain time period, minimum length, reuse, and appropriate strength (e.g., user ID not equal to password, password not equal to password, limit repetitive characters, require alphanumeric and special characters). | 5 0.00 |
| Access Control | Internal Fraud | Network/application time bomb | System timeout features have not been enabled or do not exist. | The system is configured to disconnect or force re-authentication of users after a specified period of inactivity. | 5 0.00 |
| Access Control | External Fraud | Network/application time bomb | System timeout features have not been enabled or do not exist. | The system is configured to disconnect or force re-authentication of users after a specified period of inactivity. | 5 0.00 |
| Access Control | Internal Fraud | Network/application time bomb | System unsuccessful logon attempt features are not enabled or do not exist. | The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts. | 5 0.00 |
| Access Control | External Fraud | Network/application time bomb | System unsuccessful logon attempt features are not enabled or do not exist. | The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts. | 5 0.00 |
Access Control Internal Fraud Network/application time
bomb
Remote network access paths
are not restricted to designated
gateways and/or resources.
Remote network access paths are
restricted to designated gateways
and/or resources.
5 0.00
Access Control External Fraud Network/application time
bomb
Remote network access paths
are not restricted to designated
gateways and/or resources.
Remote network access paths are
restricted to designated gateways
and/or resources.
5 0.00
Access Control External Fraud Network/application time
bomb
Strong authentication features
are not enabled/supported.
Additional forms of access control
are used to safeguard against
unauthorized access from external
connections (e.g., dial back, two-
part authentication, challenge-
response, time of day or week
restriction, read-only restrictions,
etc.).
5 0.00
Access Control External Fraud Network/application time
bomb
Processes/procedures have not
been implemented to ensure
third party connections are
appropriately authorized,
documented, and managed.
An authorization, documentation
and management process is in
place for all external connections.
5 0.00
Access Control Business
Disruption and
System Failures
Network/application time
bomb
Internal network segments are
not segregated and do not have
controlled access through
network level authorization.
Internal network segments are
segregated and have controlled
access through network level
authorization.
5 0.00
Access Control External Fraud Robbery Security controls for equipment
and information used in mobile
computers have not been
established.
Security controls for equipment
and information used in mobile
computers have been established
including: permissible equipment
use and security of that equipment
(e.g., double-wrapped envelopes,
locked briefcases/cabinets,
encrypted data, digital certificates,
etc.), security and backup of
information taken or held offsite
and use of virus protection tools.
5 0.00
Access Control External Fraud Sabotage Processes/procedures have not
been implemented to ensure
third party connections are
appropriately authorized,
documented, and managed.
An authorization, documentation
and management process is in
place for all external connections.
5 0.00
Access Control External Fraud Social engineering Policies that define the removal
of information from company
facilities are not in place and are
not communicated to all
employees.
Policies that define the removal of
information from company
facilities are in place and
communicated to all employees.
5 0.00
Access Control Business
Disruption and
System Failures
Software defects Applications in use or
considered for use do not
conform to the security feature
criteria in the BITS Product
Certification Program or other
recognized product
certifications.
Applications in use or considered
for use conform to security
feature criteria in the BITS
Product Certification Program or
other recognized product
certifications.
5 0.00
Access Control Business
Disruption and
System Failures
System software failure System access logs are not
created and reviewed to identify
use or attempted use and
modification or attempted
modification of critical systems
components (files, registry
entries, configurations, security
settings/parameters, audit logs).
System access logs are created and
reviewed to identify use or
attempted use and modification or
attempted modification of critical
systems components (files, registry
entries, configurations, security
settings/parameters, audit logs).
5 0.00
Access Control Business
Disruption and
System Failures
System software failure System access logs are not
stored in a secure fashion with
limited access and are not
protected from alteration or
deletion.
System access logs are stored in a
secure fashion with limited access
and protected from alteration or
deletion.
5 0.00
Access Control Business
Disruption and
System Failures
System software failure System access logs are not
maintained for an appropriate
period of time.
System access logs are maintained
for an appropriate period of time
(both online and archived).
5 0.00
Access Control External Fraud Unauthorized network access Informal or inadequate access
monitoring processes
User IDs are reviewed for
appropriate access. 5 0.00
Access Control Internal Fraud Unauthorized network access Informal or inadequate access
administration/monitoring
processes over privileged
accounts
Privileged users are controlled and
monitored by a formal approval
process.
5 0.00
Access Control Internal Fraud Unauthorized network access Systems features (strong
passwords) are not enabled or
do not exist. In absence of
systems controls,
policies/guidelines encouraging
strong passwords have not been
established.
Restrictions are placed on user
password creation and use
including expiration after a certain
time period, minimum length,
reuse, and appropriate strength
(e.g., user ID not equal to
password, password not equal to
password, limit repetitive
characters, require alphanumeric
and special characters).
5 0.00
Access Control External Fraud Unauthorized network access Systems features (strong
passwords) are not enabled or
do not exist. In absence of
systems controls,
policies/guidelines encouraging
strong passwords have not been
established.
Restrictions are placed on user
password creation and use
including expiration after a certain
time period, minimum length,
reuse, and appropriate strength
(e.g., user ID not equal to
password, password not equal to
password, limit repetitive
characters, require alphanumeric
and special characters).
5 0.00
Access Control Internal Fraud Unauthorized network access Workstation
screensaver/lockout features are
not enabled/system enforced.
Policies/guidelines do not exist.
The desktop is configured to log
off, lock or use a password
protected screen saver whenever
the computer is left unattended.
5 0.00
Access Control External Fraud Unauthorized network access Workstation
screensaver/lockout features are
not enabled/system enforced.
Policies/guidelines do not exist.
The desktop is configured to log
off, lock or use a password
protected screen saver whenever
the computer is left unattended.
5 0.00
Access Control Internal Fraud Unauthorized network access Ingress/egress filtering is not
enabled/supported on routers.
Network routers do ingress and
egress filtering.
5 0.00
Access Control External Fraud Unauthorized network access Ingress/egress filtering is not
enabled/supported on routers.
Network routers do ingress and
egress filtering.
5 0.00
Access Control Internal Fraud Unauthorized network or
system access
Time, day, or similar restrictions
are not enabled.
Access to resources is controlled
by a combination of any of the
following: (1) method or location
of accessing user (2) time-of-day
(3) day-of-week (4) calendar date
(5) specific program used to access
the resource.
5 0.00
Access Control External Fraud Unauthorized network or
system access
Time, day, or similar restrictions
are not enabled.
Access to resources is controlled
by a combination of any of the
following: (1) method or location
of accessing user (2) time-of-day
(3) day-of-week (4) calendar date
(5) specific program used to access
the resource.
5 0.00
Access Control Internal Fraud Unauthorized network or
system access
Authorization engine fails in an
open state.
If the authorization engine for the
system fails, the access control
rules default to "no access."
5 0.00
Access Control External Fraud Unauthorized network or
system access
Authorization engine fails in an
open state.
If the authorization engine for the
system fails, the access control
rules default to "no access."
5 0.00
Access Control Internal Fraud Unauthorized network or
system access
Access administration processes
do not verify user identities or
ensure that access is approved
and authorized.
The signature or identity of a
person applying for access is
verified/authenticated and
authorized.
5 0.00
Access Control External Fraud Unauthorized network or
system access
Access administration processes
do not verify user identities or
ensure that access is approved
and authorized.
The signature or identity of a
person applying for access is
verified/authenticated and
authorized. 5 0.00
Access Control Internal Fraud Unauthorized network or
system access
Access administration processes
do not ensure that user access is
based on least privilege or
consistent with job function.
User access capabilities are
configured with least privilege,
and are consistent with the user's
assigned job responsibilities for
performing a particular function
or transaction.
5 0.00
Access Control External Fraud Unauthorized network or
system access
Access administration processes
do not ensure that user access is
based on least privilege or
consistent with job function.
User access capabilities are
configured with least privilege,
and are consistent with the user's
assigned job responsibilities for
performing a particular function
or transaction.
5 0.00
Access Control Internal Fraud Unauthorized network or
system access
Informal or inadequate access
monitoring processes.
User IDs are reviewed for
appropriate access. 5 0.00
Access Control Internal Fraud Unauthorized network or
system access
Access administration change
(employee status changes)
processes are informal or
inadequate.
Procedures are in place to amend
user access rights when a user
changes roles in the organization
and revoke rights when a user
leaves the organization. 5 0.00
Access Control External Fraud Unauthorized network or
system access
Access administration change
(employee status changes)
processes are informal or
inadequate.
Procedures are in place to amend
user access rights when a user
changes roles in the organization
and revoke rights when a user
leaves the organization. 5 0.00
Access Control External Fraud Unauthorized network or
system access
Informal or inadequate access
administration/monitoring
processes over privileged
accounts
Privileged users are controlled and
monitored by a formal approval
process.
5 0.00
Access Control Internal Fraud Unauthorized network or
system access
No processes in place to ensure
default user IDs are
renamed/disabled
Default user IDs are renamed or
disabled.
5 0.00
Access Control External Fraud Unauthorized network or
system access
No processes in place to ensure
default user IDs are
renamed/disabled
Default user IDs are renamed or
disabled.
5 0.00
Access Control Internal Fraud Unauthorized network or
system access
Temporary, generic, guest or
anonymous user IDs are not
tightly controlled/monitored.
Temporary, generic, guest or
anonymous user IDs are limited in
use and tightly controlled. 5 0.00
Access Control External Fraud Unauthorized network or
system access
Temporary, generic, guest or
anonymous user IDs are not
tightly controlled/monitored.
Temporary, generic, guest or
anonymous user IDs are limited in
use and tightly controlled. 5 0.00
Access Control Internal Fraud Unauthorized network or
system access
Ongoing user security awareness
programs have not been
implemented.
Users are made aware of their
responsibilities for maintaining
effective access controls,
particularly regarding the security
of passwords and user equipment.
5 0.00
Access Control External Fraud Unauthorized network or
system access
Ongoing user security awareness
programs have not been
implemented.
Users are made aware of their
responsibilities for maintaining
effective access controls,
particularly regarding the security
of passwords and user equipment.
5 0.00
Access Control Internal Fraud Unauthorized network or
system access
Password policies/standards
have not been established.
Guidelines are provided to users
for generating secure passwords
including simple instruction such
as passwords must not be shared,
passwords must not be written
down and stored in obvious
places, etc. 5 0.00
Access Control External Fraud Unauthorized network or
system access
Password policies/standards
have not been established.
Guidelines are provided to users
for generating secure passwords
including simple instructions such
as passwords must not be shared,
passwords must not be written
down and stored in obvious
places, etc. 5 0.00
Access Control Internal Fraud Unauthorized network or
system access
Policies/procedures addressing
security of stored passwords
have not been established.
System features to securely store
passwords (e.g., encryption)
have not been enabled.
Appropriate controls are
established for the secure storage
and maintenance of password
lists.
5 0.00
Access Control External Fraud Unauthorized network or
system access
Policies/procedures addressing
security of stored passwords
have not been established.
System features to securely store
passwords (e.g., encryption)
have not been enabled.
Appropriate controls are
established for the secure storage
and maintenance of password
lists.
5 0.00
Access Control Internal Fraud Unauthorized network or
system access
Systems features (forced
password change) have not been
enabled or do not exist. In
absence of systems controls,
manual processes/procedures
have not been established to
remind users to do this.
The system is configured to
require the user to change initial
password during first logon.
5 0.00
Access Control External Fraud Unauthorized network or
system access
Systems features (forced
password change) have not been
enabled or do not exist. In
absence of systems controls,
manual processes/procedures
have not been established to
remind users to do this.
The system is configured to
require the user to change their
initial password during first logon.
5 0.00
Access Control Internal Fraud Unauthorized network or
system access
System timeout features have
not been enabled or do not
exist.
The system is configured to
disconnect or force re-
authentication of users after a
specified period of inactivity. 5 0.00
Access Control External Fraud Unauthorized network or
system access
System timeout features have
not been enabled or do not
exist.
The system is configured to
disconnect or force re-
authentication of users after a
specified period of inactivity. 5 0.00
Access Control Internal Fraud Unauthorized network or
system access
System unsuccessful logon
attempt features are not enabled
or do not exist.
The system is configured to
disable or suspend user IDs after a
fixed number of unsuccessful
logon attempts. 5 0.00
Access Control External Fraud Unauthorized network or
system access
System unsuccessful logon
attempt features are not enabled
or do not exist.
The system is configured to
disable or suspend user IDs after a
fixed number of unsuccessful
logon attempts. 5 0.00
Access Control Internal Fraud Unauthorized network or
system access
Remote network access paths
are not restricted to designated
gateways and/or resources.
Remote network access paths are
restricted to designated gateways
and/or resources.
5 0.00
Access Control External Fraud Unauthorized network or
system access
Remote network access paths
are not restricted to designated
gateways and/or resources.
Remote network access paths are
restricted to designated gateways
and/or resources.
5 0.00
Access Control Internal Fraud Unauthorized network or
system access
Formal modem approval
procedures are not in place.
A process is in place for
requesting and approving modem
connections to servers or
desktops.
5 0.00
Access Control External Fraud Unauthorized network or
system access
Formal modem approval
procedures are not in place.
A process is in place for
requesting and approving modem
connections to servers or
desktops.
5 0.00
Access Control Internal Fraud Unauthorized network or
system access
Routing access control lists are
inappropriately configured or
improperly maintained to ensure
security.
Routing access control lists are
maintained by designated
personnel and used for security.
5 0.00
Access Control External Fraud Unauthorized network or
system access
Routing access control lists are
inappropriately configured or
improperly maintained to ensure
security.
Routing access control lists are
maintained by designated
personnel and used for security.
5 0.00
Access Control External Fraud Unauthorized network or
system access
Strong authentication features
are not enabled/supported.
Additional forms of access control
are used to safeguard against
unauthorized access from external
connections (e.g., dial back, two-
part authentication, challenge-
response, time of day or week
restriction, read-only restrictions,
etc.).
5 0.00
Access Control Internal Fraud Unauthorized network or
system access
Processes/procedures have not
been implemented to ensure
third party connections are
appropriately authorized,
documented, and managed.
An authorization, documentation
and management process is in
place for all external connections.
5 0.00
Access Control External Fraud Unauthorized network or
system access
Processes/procedures have not
been implemented to ensure
third party connections are
appropriately authorized,
documented, and managed.
An authorization, documentation
and management process is in
place for all external connections.
5 0.00
Access Control Internal Fraud Unauthorized network or
system access
All external connections and/or
external IP network access
bypass firewalls.
All external connections and
external IP network access pass
through a firewall. 5 0.00
Access Control External Fraud Unauthorized network or
system access
All external connections and/or
external IP network access
bypass firewalls.
All external connections and
external IP network access pass
through a firewall. 5 0.00
Access Control External Fraud Unauthorized network or
system access
Session encryption is not used
for external IP access.
External IP access, including
system-to-system authentication,
uses session encryption.
5 0.00
Access Control External Fraud Unauthorized network or
system access
Local and wide area networks
are not fully switched.
Local area and wide area networks
are fully switched. 5 0.00
Access Control Internal Fraud Unauthorized network or
system access
Internal network segments are
not segregated and do not have
controlled access through
network level authorization.
Internal network segments are
segregated and have controlled
access through network level
authorization. 5 0.00
Access Control Internal Fraud Unauthorized network or
system access
No limitations or restrictions
have been placed on connection
times.
Limitations and/or restrictions
have been placed on connection
times for activities such as batch
processing (i.e., restricting
connections, time-outs, and/or
inactivity). 5 0.00
Access Control Internal Fraud Unauthorized network or
system access
System access and use is not
monitored based on current
vulnerability and risk analysis,
and is not integrated with an
incident response capability.
System access and use is
monitored based on current
vulnerability and risk analysis, and
is integrated with an incident
response capability. 5 0.00
Access Control Internal Fraud Unauthorized network or
system access
System access logs are not
created and reviewed to identify
use or attempted use and
modification or attempted
modification of critical systems
components (files, registry
entries, configurations, security
settings/parameters, audit logs).
System access logs are created and
reviewed to identify use or
attempted use and modification or
attempted modification of critical
systems components (files, registry
entries, configurations, security
settings/parameters, audit logs).
5 0.00
Access Control Internal Fraud Unauthorized network or
system access
System access logs are not
stored in a secure fashion with
limited access and are not
protected from alteration or
deletion.
System access logs are stored in a
secure fashion with limited access
and protected from alteration or
deletion.
5 0.00
Access Control Internal Fraud Unauthorized network or
system access
System access logs are not
maintained for an appropriate
period of time.
System access logs are maintained
for an appropriate period of time
(both online and archived).
5 0.00
Access Control Internal Fraud Unauthorized network or
system access
Alerting mechanisms are not
used to notify appropriate
individuals that security events
related to system access have
occurred.
Alerting mechanisms are used to
notify appropriate individuals that
security events related to system
access have occurred.
5 0.00
Access Control External Fraud Unauthorized network or
system access
Alerting mechanisms are not
used to notify appropriate
individuals that security events
related to system access have
occurred.
Alerting mechanisms are used to
notify appropriate individuals that
security events related to system
access have occurred.
5 0.00
Access Control Internal Fraud Unauthorized network or
system access
No process is in place to ensure
accurate clock synchronization
for system access and logging
activity.
A process is in place to ensure
accurate clock synchronization for
system access and logging activity.
5 0.00
Access Control External Fraud Unauthorized network or
system access
No process is in place to ensure
accurate clock synchronization
for system access and logging
activity.
A process is in place to ensure
accurate clock synchronization for
system access and logging activity.
5 0.00
Access Control Internal Fraud Unauthorized network or
system access
Technology such as encryption,
VPN client technology, etc. are
not used during remote
connectivity.
Confidentiality of sensitive
information is ensured during
remote connectivity using
appropriate technology such as
encryption, VPN client
technology, etc. 5 0.00
Access Control External Fraud Unauthorized network or
system access
Technology such as encryption,
VPN client technology, etc. are
not used during remote
connectivity.
Confidentiality of sensitive
information is ensured during
remote connectivity using
appropriate technology such as
encryption, VPN client
technology, etc. 5 0.00
Access Control Internal Fraud Unauthorized network or
system access
Remote access is not controlled
using appropriate authentication
controls.
Remote access is controlled using
appropriate authentication
controls. 5 0.00
Access Control External Fraud Unauthorized network or
system access
Remote access is not controlled
using appropriate authentication
controls.
Remote access is controlled using
appropriate authentication
controls. 5 0.00
Access Control External Fraud Unauthorized network or
system access
A comprehensive policy
outlining remote user
requirements is not in place and
is not communicated to and/or
is not understood or followed
by the employee.
A comprehensive policy outlining
remote user requirements is in
place and communicated via an
agreement signed by the
employee.
5 0.00
Access Control Internal Fraud Unauthorized network or
system access
Remote access user accounts are
not reviewed on an appropriate
schedule.
Remote access user accounts are
reviewed on an appropriate
schedule. 5 0.00
Access Control Internal Fraud Unauthorized scans Routing access control lists are
inappropriately configured or
improperly maintained to ensure
security.
Routing access control lists are
maintained by designated
personnel and used for security.
5 0.00
Access Control External Fraud Unauthorized scans Routing access control lists are
inappropriately configured or
improperly maintained to ensure
security.
Routing access control lists are
maintained by designated
personnel and used for security.
5 0.00
Access Control Internal Fraud Unauthorized scans All external connections and/or
external IP network access
bypass firewalls.
All external connections and
external IP network access pass
through a firewall. 5 0.00
Access Control External Fraud Unauthorized scans All external connections and/or
external IP network access
bypass firewalls.
All external connections and
external IP network access pass
through a firewall. 5 0.00
Access Control Internal Fraud Unauthorized scans The internal address range is
exposed or unprotected.
The internal address range is
protected (e.g., NAT). 5 0.00
Access Control External Fraud Unauthorized scans The internal address range is
exposed or unprotected.
The internal address range is
protected (e.g., NAT). 5 0.00
Access Control Internal Fraud Unauthorized scans Host level system authorization
mechanisms are not in place.
Host level system authorization
mechanisms are in place.
5 0.00
Access Control Internal Fraud Unauthorized scans Operating system master and
sub-master consoles are not
located in a protected and
controlled area.
Operating system master and sub-
master consoles are located in a
protected and controlled area.
5 0.00
Access Control External Fraud Unauthorized scans Alerting mechanisms are not
used to notify appropriate
individuals that security events
related to system access have
occurred.
Alerting mechanisms are used to
notify appropriate individuals that
security events related to system
access have occurred.
5 0.00
Access Control External Fraud Unauthorized scans Remote access user accounts are
not reviewed on an appropriate
schedule.
Remote access user accounts are
reviewed on an appropriate
schedule.
5 0.00
Access Control Business
Disruption and
System Failures
Viruses Processes/procedures have not
been implemented to ensure
third party connections are
appropriately authorized,
documented, and managed.
An authorization, documentation
and management process is in
place for all external connections.
5 0.00
Access Control External Fraud Viruses SNMP best practices have not
been implemented.
SNMP best practice has been
implemented. 5 0.00
Access Control Business
Disruption and
System Failures
Viruses Security controls for equipment
and information used in mobile
computers have not been
established.
Security controls for equipment
and information used in mobile
computers have been established
including: permissible equipment
use and security of that equipment
(e.g., double-wrapped envelopes,
locked briefcases/cabinets,
encrypted data, digital certificates,
etc.), security and backup of
information taken or held offsite,
and use of virus protection tools.
5 0.00
Access Control Internal Fraud War dialing Formal modem approval
procedures are not in place.
A process is in place for
requesting and approving modem
connections to servers or
desktops. 5 0.00
Access Control External Fraud War dialing Formal modem approval
procedures are not in place.
A process is in place for
requesting and approving modem
connections to servers or
desktops. 5 0.00
Access Control External Fraud Web defacements No processes in place to ensure
default user IDs are
renamed/disabled.
Default user IDs are renamed or
disabled.
5 0.00
Access Control Execution,
Delivery and
Process
Management
Web defacements No processes in place to ensure
default user IDs are
renamed/disabled.
Default user IDs are renamed or
disabled.
5 0.00
Access Control Business
Disruption and
System Failures
Web defacements No processes in place to ensure
default user IDs are
renamed/disabled.
Default user IDs are renamed or
disabled.
5 0.00
Access Control Clients, Products
and Business
Practices
Web defacements No processes in place to ensure
default user IDs are
renamed/disabled.
Default user IDs are renamed or
disabled.
5 0.00
Access Control External Fraud Web defacements Temporary, generic, guest or
anonymous user IDs are not
tightly controlled/monitored.
Temporary, generic, guest or
anonymous user IDs are limited in
use and tightly controlled. 5 0.00
Access Control Execution,
Delivery and
Process
Management
Web defacements Temporary, generic, guest or
anonymous user IDs are not
tightly controlled/monitored.
Temporary, generic, guest or
anonymous user IDs are limited in
use and tightly controlled.
5 0.00
Access Control Business
Disruption and
System Failures
Web defacements Temporary, generic, guest or
anonymous user IDs are not
tightly controlled/monitored.
Temporary, generic, guest or
anonymous user IDs are limited in
use and tightly controlled. 5 0.00
Access Control Clients, Products
and Business
Practices
Web defacements Temporary, generic, guest or
anonymous user IDs are not
tightly controlled/monitored.
Temporary, generic, guest or
anonymous user IDs are limited in
use and tightly controlled. 5 0.00
Access Control External Fraud Web defacements Policies/procedures addressing
security of stored passwords
have not been established.
System features to securely
store passwords (e.g.,
encryption) have not been
enabled.
Appropriate controls are
established for the secure storage
and maintenance of password
lists.
5 0.00
Access Control Execution,
Delivery and
Process
Management
Web defacements Policies/procedures addressing
security of stored passwords
have not been established.
System features to securely store
passwords (e.g., encryption)
have not been enabled.
Appropriate controls are
established for the secure storage
and maintenance of password
lists.
5 0.00
Access Control Business
Disruption and
System Failures
Web defacements Policies/procedures addressing
security of stored passwords
have not been established.
System features to securely
store passwords (e.g.,
encryption) have not been
enabled.
Appropriate controls are
established for the secure storage
and maintenance of password
lists.
5 0.00
Access Control Clients, Products
and Business
Practices
Web defacements Policies/procedures addressing
security of stored passwords
have not been established.
System features to securely
store passwords (e.g.,
encryption) have not been
enabled.
Appropriate controls are
established for the secure storage
and maintenance of password
lists.
5 0.00
Access Control External Fraud Web defacements Systems features (forced
password change) have not been
enabled or do not exist. In
absence of systems controls,
manual processes/procedures
have not been established to
remind users to do this.
The system is configured to
require the user to change initial
password during first logon.
5 0.00
Access Control Execution,
Delivery and
Process
Management
Web defacements Systems features (forced
password change) have not been
enabled or do not exist. In
absence of systems controls,
manual processes/procedures
have not been established to
remind users to do this.
The system is configured to
require the user to change initial
password during first logon.
5 0.00
Access Control Business
Disruption and
System Failures
Web defacements Systems features (forced
password change) have not been
enabled or do not exist. In
absence of systems controls,
manual processes/procedures
have not been established to
remind users to do this.
The system is configured to
require the user to change initial
password during first logon.
5 0.00
Access Control Clients, Products
and Business
Practices
Web defacements Systems features (forced
password change) have not been
enabled or do not exist. In
absence of systems controls,
manual processes/procedures
have not been established to
remind users to do this.
The system is configured to
require the user to change initial
password during first logon.
5 0.00
Access Control External Fraud Web defacements System timeout features have
not been enabled or do not
exist.
The system is configured to
disconnect or force re-
authentication of users after a
specified period of inactivity.
5 0.00
Access Control Execution,
Delivery and
Process
Management
Web defacements System timeout features have
not been enabled or do not
exist.
The system is configured to
disconnect or force re-
authentication of users after a
specified period of inactivity. 5 0.00
Access Control Business
Disruption and
System Failures
Web defacements System timeout features have
not been enabled or do not
exist.
The system is configured to
disconnect or force re-
authentication of users after a
specified period of inactivity. 5 0.00
Access Control Clients, Products
and Business
Practices
Web defacements System timeout features have
not been enabled or do not
exist.
The system is configured to
disconnect or force re-
authentication of users after a
specified period of inactivity. 5 0.00
Access Control External Fraud Web defacements System unsuccessful logon
attempt features are not enabled
or do not exist.
The system is configured to
disable or suspend user IDs after a
fixed number of unsuccessful
logon attempts. 5 0.00
Access Control Execution ,
Delivery and
Process
Management
Web defacements System unsuccessful logon
attempt features are not enabled
or do not exist.
The system is configured to
disable or suspend user IDs after a
fixed number of unsuccessful
logon attempts. 5 0.00
Access Control Business
Disruption and
System Failures
Web defacements System unsuccessful logon
attempt features are not enabled
or do not exist.
The system is configured to
disable or suspend user IDs after a
fixed number of unsuccessful
logon attempts. 5 0.00
9/29/2014 C BITS 2003. All rights reserved. 22
| ISO Domain Reference | Basel Loss Category for Operational Risk | Threat Event | Vulnerability | Security Control | Likelihood of Threat (Input) | Degree to which Control is Implemented (Input) | Impact if Control is not Implemented (Input) | Control vs. Impact Score | Residual Risk Score |
|---|---|---|---|---|---|---|---|---|---|
| Access Control | Clients, Products and Business Practices | Web defacements | System unsuccessful logon attempt features are not enabled or do not exist. | The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts. | | | | 5 | 0.00 |
| Access Control | Business Disruption and System Failures | Worms | Processes/procedures have not been implemented to ensure third party connections are appropriately authorized, documented, and managed. | An authorization, documentation and management process is in place for all external connections. | | | | 5 | 0.00 |
| Access Control | External Fraud | Worms | SNMP best practices have not been implemented. | SNMP best practice has been implemented. | | | | 5 | 0.00 |
| Asset Classification and Control | Internal Fraud | Discussing sensitive matters in open | Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure of confidential information. | Information handling procedures for copying, storage, packaging for internal and external mail, electronic and spoken transmission and destruction are established based upon information asset classification. | | | | 5 | 0.00 |
| Asset Classification and Control | External Fraud | Discussing sensitive matters in open | Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure of confidential information. | Information handling procedures for copying, storage, packaging for internal and external mail, electronic and spoken transmission and destruction are established based upon information asset classification. | | | | 5 | 0.00 |
| Asset Classification and Control | External Fraud | Dumpster diving | Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure of confidential information. | Information handling procedures for copying, storage, packaging for internal and external mail, electronic and spoken transmission and destruction are established based upon information asset classification. | | | | 5 | 0.00 |
| Asset Classification and Control | External Fraud | Dumpster diving | Confidential/sensitive data located on a disposed of or reassigned asset can be accessed by an unauthorized user. | Data disposal procedures are defined for data on all types of media (e.g., paper, microfiche, and computer disks). | | | | 5 | 0.00 |
| Asset Classification and Control | External Fraud | Embezzlement | Unauthorized disclosure of sensitive information. | Procedures for labeling printed reports, screen displays, magnetic media, electronic messages and file transfers are defined. | | | | 5 | 0.00 |
| Asset Classification and Control | External Fraud | Embezzlement | Confidential/sensitive data located on a disposed of or reassigned asset can be accessed by an unauthorized user. | Data disposal procedures are defined for data on all types of media (e.g., paper, microfiche, and computer disks). | | | | 5 | 0.00 |
| Asset Classification and Control | Execution, Delivery and Process Management | Human error | Lack of appropriate level of security controls applied to sensitive information assets. Unlawful disclosure of sensitive information. | Information assets that are processed, stored or transmitted are handled in accordance with asset classification (e.g., confidential, sensitive, and public) and are in compliance with applicable laws and regulations. | | | | 5 | 0.00 |
| Asset Classification and Control | Execution, Delivery and Process Management | Lawsuits/litigation | Lack of appropriate level of security controls applied to sensitive information assets. Unlawful disclosure of sensitive information. | Information assets that are processed, stored or transmitted are handled in accordance with asset classification (e.g., confidential, sensitive, and public) and are in compliance with applicable laws and regulations. | | | | 5 | 0.00 |
| Asset Classification and Control | External Fraud | Leaving sensitive documents exposed | Confidential/sensitive data located on a disposed of or reassigned asset can be accessed by an unauthorized user. Licensing penalties can be incurred if not properly recorded. | Procedures and controls for asset handling -- including the introduction or purchase, licensing, transfer, removal, disposal and reuse of assets -- are established. | | | | 5 | 0.00 |
| Asset Classification and Control | Internal Fraud | Leaving sensitive documents exposed | Unauthorized disclosure of sensitive information. | Procedures for labeling printed reports, screen displays, magnetic media, electronic messages and file transfers are defined. | | | | 5 | 0.00 |
| Asset Classification and Control | External Fraud | Leaving sensitive documents exposed | Unauthorized disclosure of sensitive information. | Procedures for labeling printed reports, screen displays, magnetic media, electronic messages and file transfers are defined. | | | | 5 | 0.00 |
| Asset Classification and Control | Internal Fraud | Leaving sensitive documents exposed | Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure of confidential information. | Information handling procedures for copying, storage, packaging for internal and external mail, electronic and spoken transmission and destruction are established based upon information asset classification. | | | | 5 | 0.00 |
| Asset Classification and Control | External Fraud | Leaving sensitive documents exposed | Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure of confidential information. | Information handling procedures for copying, storage, packaging for internal and external mail, electronic and spoken transmission and destruction are established based upon information asset classification. | | | | 5 | 0.00 |
| Asset Classification and Control | External Fraud | Leaving sensitive documents exposed | Confidential/sensitive data located on a disposed of or reassigned asset can be accessed by an unauthorized user. | Data disposal procedures are defined for data on all types of media (e.g., paper, microfiche, and computer disks). | | | | 5 | 0.00 |
| Asset Classification and Control | External Fraud | Network spoofing | Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure of confidential information. | Data encryption and authentication requirements are established based on information asset classification. | | | | 5 | 0.00 |
| Asset Classification and Control | External Fraud | Unauthorized network or system access | Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure of confidential information. | Data encryption and authentication requirements are established based on information asset classification. | | | | 5 | 0.00 |
| Asset Classification and Control | Internal Fraud | Unauthorized network or system access | Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure of confidential information. | Data encryption and authentication requirements are established based on information asset classification. | | | | 5 | 0.00 |
| Asset Classification and Control | External Fraud | Unauthorized scans | Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure of confidential information. | Data encryption and authentication requirements are established based on information asset classification. | | | | 5 | 0.00 |
| Business Continuity Management | Business Disruption and System Failures | Biological agent attack | Crisis event management procedures, roles and responsibilities, and communication plans have not been defined or tested. | Crisis event management testing plans are in place including emergency response, escalation and communication plan documentation, and clearly defined individual and organizational responsibilities (including public sector involvement). | | | | 5 | 0.00 |
| Business Continuity Management | Damage to Physical Assets | Bomb attacks | Crisis event management procedures, roles and responsibilities, and communication plans have not been defined or tested. | Crisis event management testing plans are in place including emergency response, escalation and communication plan documentation, and clearly defined individual and organizational responsibilities (including public sector involvement). | | | | 5 | 0.00 |
| Business Continuity Management | Damage to Physical Assets | Chemical spill | Crisis event management procedures, roles and responsibilities, and communication plans have not been defined or tested. | Crisis event management testing plans are in place including emergency response, escalation and communication plan documentation, and clearly defined individual and organizational responsibilities (including public sector involvement). | | | | 5 | 0.00 |
| Business Continuity Management | Business Disruption and System Failures | Civil disorder | Crisis event management procedures, roles and responsibilities, and communication plans have not been defined or tested. | Crisis event management testing plans are in place including emergency response, escalation and communication plan documentation, and clearly defined individual and organizational responsibilities (including public sector involvement). | | | | 5 | 0.00 |
| Business Continuity Management | Business Disruption and System Failures | Civil disorder | There are no legal obligations, accountability or service level agreement for third party service providers engaged in the recovery of business functions and services. | The contract(s) governing the products or services delivered by third parties include terms describing the recovery service levels to be delivered, continuity plans and notification provisions in the event of continuity plan activation. | | | | 5 | 0.00 |
| Business Continuity Management | Business Disruption and System Failures | DDoS or DoS attacks | Business recovery procedures, roles and responsibilities, and corresponding technology recovery plans have not been defined or tested. | A comprehensive business continuity plan, including technology solutions is in place to address recovery of service during a time of business interruption. | | | | 5 | 0.00 |
| Business Continuity Management | Business Disruption and System Failures | DDoS or DoS attacks | Business continuity and disaster recovery plans will fail to meet the recovery time objectives for critical business functions and services. | End-to-end business continuity and recovery plans are tested at appropriate intervals and results feed into a continuous recovery plan improvement cycle that is based on changes in business, technology, vulnerabilities and/or culture. | | | | 5 | 0.00 |
| Business Continuity Management | Business Disruption and System Failures | DNS failure | Business recovery procedures, roles and responsibilities, and corresponding technology recovery plans have not been defined or tested. | A comprehensive business continuity plan, including technology solutions is in place to address recovery of service during a time of business interruption. | | | | 5 | 0.00 |
| Business Continuity Management | Damage to Physical Assets | Floods | Unable to recover critical business capabilities within the required timeframes. | A risk assessment and business impact analysis is conducted to determine the events and environmental surroundings that could adversely impact the continuation of critical services or products and the respective required recovery time and recovery point objectives for each service or product. | | | | 5 | 0.00 |
| Business Continuity Management | Damage to Physical Assets | Floods | Crisis event management procedures, roles and responsibilities, and communication plans have not been defined or tested. | Crisis event management testing plans are in place including emergency response, escalation and communication plan documentation, and clearly defined individual and organizational responsibilities (including public sector involvement). | | | | 5 | 0.00 |
| Business Continuity Management | Execution, Delivery and Process Management | Human error | There is a lack of responsibility for supporting and enhancing the business continuity program. | Accountability and compliance for the continuity planning program, tests, audits and results are clearly defined. | | | | 5 | 0.00 |
| Business Continuity Management | Damage to Physical Assets | Hurricane | Unable to recover critical business capabilities within the required timeframes. | A risk assessment and business impact analysis is conducted to determine the events and environmental surroundings that could adversely impact the continuation of critical services or products and the respective required recovery time and recovery point objectives for each service or product. | | | | 5 | 0.00 |
| Business Continuity Management | Clients, Products and Business Practices | Lawsuits/litigation | There are no legal obligations, accountability or service level agreement for third party service providers engaged in the recovery of business functions and services. | The contract(s) governing the products or services delivered by third parties include terms describing the recovery service levels to be delivered, continuity plans and notification provisions in the event of continuity plan activation. | | | | 5 | 0.00 |
| Business Continuity Management | Business Disruption and System Failures | Power failure | Business recovery procedures, roles and responsibilities, and corresponding technology recovery plans have not been defined or tested. | A comprehensive business continuity plan, including technology solutions is in place to address recovery of service during a time of business interruption. | | | | 5 | 0.00 |
| Business Continuity Management | Business Disruption and System Failures | Power failure | Unable to recover critical business capabilities within the required timeframes. | A risk assessment and business impact analysis is conducted to determine the events and environmental surroundings that could adversely impact the continuation of critical services or products and the respective required recovery time and recovery point objectives for each service or product. | | | | 5 | 0.00 |
| Business Continuity Management | Business Disruption and System Failures | Power failure | Business recovery procedures, roles and responsibilities, and technology recovery plans have not been defined or tested for key service providers such as disaster recovery hot-sites, telecommunications providers, and technology vendors. | Documented business continuity plans and supporting recovery strategies are in place including the consideration of recovery of activities supported by dependent service providers. | | | | 5 | 0.00 |
| Business Continuity Management | Business Disruption and System Failures | Power failure | Business continuity and disaster recovery plans will fail to meet the recovery time objectives for critical business functions and services. | End-to-end business continuity and recovery plans are tested at appropriate intervals and results feed into a continuous recovery plan improvement cycle that is based on changes in business, technology, vulnerabilities and/or culture. | | | | 5 | 0.00 |
| Business Continuity Management | Business Disruption and System Failures | Power failure | There are no legal obligations, accountability or service level agreement for third party service providers engaged in the recovery of business functions and services. | The contract(s) governing the products or services delivered by third parties include terms describing the recovery service levels to be delivered, continuity plans and notification provisions in the event of continuity plan activation. | | | | 5 | 0.00 |
| Business Continuity Management | Business Disruption and System Failures | Sabotage | There is a lack of responsibility for supporting and enhancing the business continuity program. | Accountability and compliance for the continuity planning program, tests, audits and results are clearly defined. | | | | 5 | 0.00 |
| Business Continuity Management | Business Disruption and System Failures | System software failure | Business recovery procedures, roles and responsibilities, and technology recovery plans have not been defined or tested for key service providers such as disaster recovery hot-sites, telecommunications providers, and technology vendors. | Documented business continuity plans and supporting recovery strategies are in place including the consideration of recovery of activities supported by dependent service providers. | | | | 5 | 0.00 |
| Business Continuity Management | Business Disruption and System Failures | Telecommunications failure | Unable to recover critical business capabilities within the required timeframes. | A risk assessment and business impact analysis is conducted to determine the events and environmental surroundings that could adversely impact the continuation of critical services or products and the respective required recovery time and recovery point objectives for each service or product. | | | | 5 | 0.00 |
| Business Continuity Management | Business Disruption and System Failures | Telecommunications failure | Business recovery procedures, roles and responsibilities, and technology recovery plans have not been defined or tested for key service providers such as disaster recovery hot-sites, telecommunications providers, and technology vendors. | Documented business continuity plans and supporting recovery strategies are in place including the consideration of recovery of activities supported by dependent service providers. | | | | 5 | 0.00 |
| Business Continuity Management | Business Disruption and System Failures | Telecommunications failure | Business continuity and disaster recovery plans will fail to meet the recovery time objectives for critical business functions and services. | End-to-end business continuity and recovery plans are tested at appropriate intervals and results feed into a continuous recovery plan improvement cycle that is based on changes in business, technology, vulnerabilities and/or culture. | | | | 5 | 0.00 |
| Business Continuity Management | Business Disruption and System Failures | Telecommunications failure | There are no legal obligations, accountability or service level agreement for third party service providers engaged in the recovery of business functions and services. | The contract(s) governing the products or services delivered by third parties include terms describing the recovery service levels to be delivered, continuity plans and notification provisions in the event of continuity plan activation. | | | | 5 | 0.00 |
| Business Continuity Management | Damage to Physical Assets | Terrorist attack | Business recovery procedures, roles and responsibilities, and corresponding technology recovery plans have not been defined or tested. | A comprehensive business continuity plan, including technology solutions is in place to address recovery of service during a time of business interruption. | | | | 5 | 0.00 |
| Business Continuity Management | Damage to Physical Assets | Terrorist attack | Unable to recover critical business capabilities within the required timeframes. | A risk assessment and business impact analysis is conducted to determine the events and environmental surroundings that could adversely impact the continuation of critical services or products and the respective required recovery time and recovery point objectives for each service or product. | | | | 5 | 0.00 |
| Business Continuity Management | Damage to Physical Assets | Terrorist attack | Unable to recover critical business capabilities within the required timeframes. | A risk assessment and business impact analysis is conducted to determine the events and environmental surroundings that could adversely impact the continuation of critical services or products and the respective required recovery time and recovery point objectives for each service or product. | | | | 5 | 0.00 |
| Business Continuity Management | Damage to Physical Assets | Terrorist attack | Crisis event management procedures, roles and responsibilities, and communication plans have not been defined or tested. | Crisis event management testing plans are in place including emergency response, escalation and communication plan documentation and clearly defined individual and organizational responsibilities (including public sector involvement). | | | | 5 | 0.00 |
| Business Continuity Management | Damage to Physical Assets | Terrorist attack | There are no legal obligations, accountability or service level agreement for third party service providers engaged in the recovery of business functions and services. | The contract(s) governing the products or services delivered by third parties include terms describing the recovery service levels to be delivered, continuity plans and notification provisions in the event of continuity plan activation. | | | | 5 | 0.00 |
| Communications and Operations Management | Damage to Physical Assets | Airplane crash | Lack of information and media protection while in transit. | Procedures and standards to protect information and media in transit are established. | | | | 5 | 0.00 |
| Communications and Operations Management | Business Disruption and System Failures | Application software failure | Lack of release management processes. | System and network operating release management processes and procedures are in place including analysis of new release functionality, testing and deployment schedules. | | | | 5 | 0.00 |
| Communications and Operations Management | Business Disruption and System Failures | Application software failure | Applications, systems and network architectures lack high availability. | Application, system and network architectures are designed for high availability and operational redundancy. | | | | 5 | 0.00 |
| Communications and Operations Management | Business Disruption and System Failures | Application software failure | Acceptance criteria for new applications, systems and networks are not in place. | Formal acceptance procedures and criteria (including security) for new applications, systems and networks are in place. | | | | 5 | 0.00 |
| Communications and Operations Management | Business Disruption and System Failures | Application software failure | Design requirements for applications, systems and networks are not met. | Implemented applications, systems and networks meet design requirements. | | | | 5 | 0.00 |
| Communications and Operations Management | Damage to Physical Assets | Automobile crash | Lack of information and media protection while in transit. | Procedures and standards to protect information and media in transit are established. | | | | 5 | 0.00 |
| Communications and Operations Management | Business Disruption and System Failures | Bomb threats | Lack of procedures for handling external communications in the event of an incident. | Procedures are in place to notify or handle inquiries from external stakeholders: customers or clients, news media, government offices, outside investigators, shareholders. | | | | 5 | 0.00 |
| Communications and Operations Management | Internal Fraud | Computer crime | System and data backups are able to be accessed freely. | On and off-site system and data backups are protected from unauthorized access and tampering. | | | | 5 | 0.00 |
| Communications and Operations Management | External Fraud | Computer crime | System and data backups are able to be accessed freely. | On and off-site system and data backups are protected from unauthorized access and tampering. | | | | 5 | 0.00 |
| Communications and Operations Management | Internal Fraud | Computer crime | Logs aren't available for audits, forensics or prosecution. | Operator use logs are retained for an appropriate period of time. | | | | 5 | 0.00 |
| Communications and Operations Management | External Fraud | Computer crime | Logs aren't available for audits, forensics or prosecution. | Operator use logs are retained for an appropriate period of time. | | | | 5 | 0.00 |
| Communications and Operations Management | External Fraud | Computer crime | Intrusion detection systems are not used or used ineffectively. | Intrusion detection systems are used appropriately within the overall network architecture. | | | | 5 | 0.00 |
| Communications and Operations Management | Internal Fraud | Computer crime | Lack of accountability for network security logs. | Sufficient accountability is assigned for logs of security-related events on the network. | | | | 5 | 0.00 |
| Communications and Operations Management | External Fraud | Computer crime | Lack of accountability for network security logs. | Sufficient accountability is assigned for logs of security-related events on the network. | | | | 5 | 0.00 |
| Communications and Operations Management | External Fraud | Computer crime | Lack of strong authentication and authorization to e-commerce applications. | Online registration, authentication and authorization are required before e-commerce information and data exchanges are made. | | | | 5 | 0.00 |
| Communications and Operations Management | Business Disruption and System Failures | DDoS or DoS attacks | Lack of documented incident management procedures. | Incident management procedures are in place and well documented including: actions to take in the event of information system failures or loss of service, denial of service attacks, errors resulting from incomplete or inaccurate business data, errors resulting from system or device misconfiguration, breaches or loss of confidentiality, recovery from specific incidents, gathering of evidence, documentation and recovery process. | | | | 5 | 0.00 |
| Communications and Operations Management | Business Disruption and System Failures | DDoS or DoS attacks | Incident response teams are unqualified. | Incident response teams have appropriate qualifications and necessary training. | | | | 5 | 0.00 |
| Communications and Operations Management | Business Disruption and System Failures | DDoS or DoS attacks | No network penetration testing is performed. | Regular, periodic vulnerability and penetration testing is performed on all networks in accordance with the risk of each security/control domain and perimeter. | | | | 5 | 0.00 |
| Communications and Operations Management | Business Disruption and System Failures | DDoS or DoS attacks | Lack of network redundancy. | Network redundancy or diverse network routing is maintained. | | | | 5 | 0.00 |
| Communications and Operations Management | Business Disruption and System Failures | DDoS or DoS attacks | Network activities are not monitored. | Network activities are monitored (manually and/or using automated tools) through log reviews on a frequent, periodic basis. | | | | 5 | 0.00 |
| Communications and Operations Management | Business Disruption and System Failures | DDoS or DoS attacks | Logs aren't available for audits, forensics or prosecution. | Network activities are logged such as: access failures, logon patterns, allocation and use of privileged access accounts, selected transactions, sensitive resources, remote dial-up activity, firewall activity, failed operating system and application access attempts, security administration activity. | | | | 5 | 0.00 |
| Communications and Operations Management | Business Disruption and System Failures | DDoS or DoS attacks | Firewalls are not used or are used ineffectively. | Firewalls are used appropriately within the overall network architecture. | | | | 5 | 0.00 |
| Communications and Operations Management | External Fraud | DDoS or DoS attacks | Intrusion detection systems are not used or used ineffectively. | Intrusion detection systems are used appropriately within the overall network architecture. | | | | 5 | 0.00 |
| Communications and Operations Management | Business Disruption and System Failures | DNS failure | Lack of network redundancy. | Network redundancy or diverse network routing is maintained. | | | | 5 | 0.00 |
| Communications and Operations Management | External Fraud | Dumpster diving | Lack of record destruction and disposal policies. | Record destruction and disposal policies have been established for documents, computer media (tapes, disks, cassettes, etc.), input/output data and system documentation. | | | | 5 | 0.00 |
| Communications and Operations Management | Business Disruption and System Failures | Fire | Backup or recovery processes aren't working and no one is aware of it. | Testing of backup systems and timely restoration of data is performed at regular intervals. | | | | 5 | 0.00 |
| Communications and Operations Management | Damage to Physical Assets | Floods | System and data backups aren't available for standard or disaster recovery purposes. | Regular system and data backups are performed at appropriate intervals by specific or dedicated units. | | | | 5 | 0.00 |
| Communications and Operations Management | Damage to Physical Assets | Floods | System and data backups aren't available for standard or disaster recovery purposes. | Regular system and data backups are performed at appropriate intervals by specific or dedicated units. | | | | 5 | 0.00 |
| Communications and Operations Management | Damage to Physical Assets | Floods | Recovery assets are destroyed in the original disaster. | Copies of system and data backups are taken and stored offsite at locations with an adequate distance from the production site and for an adequate period of time. | | | | 5 | 0.00 |
| Communications and Operations Management | Business Disruption and System Failures | Floods | Backup or recovery processes aren't working and no one is aware of it. | Testing of backup systems and timely restoration of data is performed at regular intervals. | | | | 5 | 0.00 |
| Communications and Operations Management | Business Disruption and System Failures | Hardware failure | No ability to project future system capacity requirements. | Projection and planning for future system capacity requirements is performed. | | | | 5 | 0.00 |
| Communications and Operations Management | Business Disruption and System Failures | Hardware failure | New system requirements are not documented or tested prior to use. | Operational requirements for new systems are established, documented and tested prior to the systems' acceptance and use. | | | | 5 | 0.00 |
| Communications and Operations Management | Business Disruption and System Failures | Hardware failure | Applications, systems and network architectures lack high availability. | Application, system and network architectures are designed for high availability and operational redundancy. | | | | 5 | 0.00 |
| Communications and Operations Management | Business Disruption and System Failures | Hardware failure | Acceptance criteria for new applications, systems and networks are not in place. | Formal acceptance procedures and criteria (including security) for new applications, systems and networks are in place. | | | | 5 | 0.00 |
| Communications and Operations Management | Business Disruption and System Failures | Hardware failure | Maintenance logs aren't available for problem management and forensics. | Maintenance and upgrade logs are kept for hardware and/or software. | | | | 5 | 0.00 |
| Communications and Operations Management | Execution, Delivery and Process Management | Human error | Lack of instructions for incident response at processing facilities. | Operating instructions for the management of processing facilities include incident response requirements such as escalation via a call tree, methods for handling errors, generating and handling special output and restarting and recovering systems. | | | | 5 | 0.00 |
| Communications and Operations Management | Execution, Delivery and Process Management | Human error | No formal change control process is in place. | A formal change control process is in place detailing: testing (including regression and security testing as appropriate), assessment, formal approval, back out or contingency plans, separation of development and production software and systems, separation of development and production teams and provisions for emergency changes. | | | | 5 | 0.00 |
| Communications and Operations Management | Execution, Delivery and Process Management | Human error | System and network changes are not documented. | All system and network operating changes are documented and incorporated back into system manuals. | | | | 5 | 0.00 |
| Communications and Operations Management | Execution, Delivery and Process Management | Human error | Lack of documented incident management procedures. | Incident management procedures are in place and well documented including: actions to take in the event of information system failures or loss of service, denial of service attacks, errors resulting from incomplete or inaccurate business data, errors resulting from system or device misconfiguration, breaches or loss of confidentiality, recovery from specific incidents, gathering of evidence, documentation and recovery process. | | | | 5 | 0.00 |
| Communications and Operations Management | Execution, Delivery and Process Management | Human error | System monitoring does not have current signature files. | The security event monitoring system has current signature files. | | | | 5 | 0.00 |
| Communications and Operations Management | Execution, Delivery and Process Management | Human error | Incident response teams are unqualified. | Incident response teams have appropriate qualifications and necessary training. | | | | 5 | 0.00 |
| Communications and Operations Management | Execution, Delivery and Process Management | Human error | Lack of accountability for network security logs. | Sufficient accountability is assigned for logs of security-related events on the network. | | | | 5 | 0.00 |
| Communications and Operations Management | Execution, Delivery and Process Management | Human error | Lack of record retention and storage policies. | Record retention and storage policies have been established for documents, computer media (tapes, disks, cassettes, etc.), input/output data and system documentation. | | | | 5 | 0.00 |
| Communications and Operations Management | Execution, Delivery and Process Management | Human error | Sensitive information can be inadvertently made publicly available. | A review and authorization process is in place to control information that is made publicly available. | | | | 5 | 0.00 |
| Communications and Operations Management | Damage to Physical Assets | Hurricane | Recovery assets are destroyed in the original disaster. | Copies of system and data backups are taken and stored offsite at locations with an adequate distance from the production site and for an adequate period of time. | | | | 5 | 0.00 |
Communications and
Operations
Management
Clients, Products
and Business
Practices
Lawsuits/ litigation Lack of procedures for handling
external communications in the
event of an incident.
Procedures are in place to notify
or handle inquiries from external
stakeholders; customers or clients,
news media, government offices,
outside investigators,
shareholders. 5 0.00
Communications and
Operations
Management
Clients, Products
and Business
Practices
Lawsuits/ litigation Lack of record retention and
storage policies.
Record retention and storage
policies have been established for
documents, computer media
(tapes, disks, cassettes, etc.),
input/output data and system
documentation. 5 0.00
Communications and
Operations
Management
Execution ,
Delivery and
Process
Management
Leaving sensitive documents
exposed
Lack of record destruction and
disposal policies.
Record destruction and disposal
policies have been established for
documents, computer media
(tapes, disks, cassettes, etc.),
input/output data and system
documentation. 5 0.00
Communications and
Operations
Management
Execution ,
Delivery and
Process
Management
Leaving sensitive documents
exposed
Lack of record retention and
storage policies.
Record retention and storage
policies have been established for
documents, computer media
(tapes, disks, cassettes, etc.),
input/output data and system
documentation. 5 0.00
Communications and
Operations
Management
Execution ,
Delivery and
Process
Management
Leaving sensitive documents
exposed
Lack of ability to support
information and software
exchange agreements.
Information and software
exchange agreements (including
software escrow) can be
supported. 5 0.00
Communications and
Operations
Management
Execution ,
Delivery and
Process
Management
Leaving sensitive documents
exposed
Sensitive information can be
inadvertently made publicly
available.
A review and authorization
process is in place to control
information that is made publicly
available. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Malicious code Design requirements for
applications, systems and
networks are not met.
Implemented applications,
systems and networks meet design
requirements. 5 0.00
9/29/2014 C BITS 2003. All rights reserved. 32
Communications and
Operations
Management
Business
Disruption and
System Failures
Malicious code Code scanning is performed,
inconsistently performed or not
adequately performed.
A code scanning policy is in place
and includes the types of security
issues to be scanned for (e.g.,
malicious code, worms, Trojan
horses, back doors, form input
validation, SQL injection). 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Malicious code Lack of filtering for malicious
code.
Filtering for malicious code at the
network parameter is employed.
5 0.00
Communications and
Operations
Management
External Fraud Network spoofing Intrusion detection systems are
not used or used ineffectively.
Intrusion detection systems are
used appropriately within the
overall network architecture. 5 0.00
Communications and
Operations
Management
External Fraud Network spoofing Tools to detect rogue network
devices are not used.
Tools are used to detect rogue
network devices and services.
5 0.00
Communications and
Operations
Management
External Fraud Network spoofing Loss or compromise of data
related to audits, forensics or
prosecution
Network security related event
logs are secured against
unauthorized access, change and
deletion for an adequate period of
time. 5 0.00
Communications and
Operations
Management
External Fraud Network/application backdoor Design requirements for
applications, systems and
networks are not met.
Implemented applications,
systems and networks meet design
requirements. 5 0.00
Communications and
Operations
Management
Internal Fraud Network/application backdoor Design requirements for
applications, systems and
networks are not met.
Implemented applications,
systems and networks meet design
requirements. 5 0.00
Communications and
Operations
Management
External Fraud Network/application backdoor Code scanning is performed,
inconsistently performed or not
adequately performed.
A code scanning policy is in place
and includes the types of security
issues to be scanned for (e.g.,
malicious code, worms, Trojan
horses, back doors, form input
validation, SQL injection). 5 0.00
Communications and
Operations
Management
External Fraud Network/application backdoor Network management and
security / control , domains
aren't in place.
Network management
security/control domains
(perimeter, DMZ, etc.) and
perimeters have been designed,
applied and implemented on all
networks. 5 0.00
Communications and
Operations
Management
External Fraud Network/application backdoor Non-secure configuration of
network devices.
Network devices are securely
configured according to their
function within security/control
zones (i.e., public/untrusted
networks, semi-private networks,
DMZs) and perimeters.
5 0.00
Communications and
Operations
Management
External Fraud Network/application backdoor Network activities are not
monitored.
Network activities are monitored
(manually and/or using automated
tools) through log reviews on a
frequent, periodic basis.
5 0.00
Communications and
Operations
Management
External Fraud Network/application backdoor Tools to detect rogue network
devices are not used.
Tools are used to detect rogue
network devices and services.
5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Network/application time
bomb
Code scanning is performed,
inconsistently performed or not
adequately performed.
A code scanning policy is in place
and includes the types of security
issues to be scanned for (e.g.,
malicious code, worms, Trojan
horses, back doors, form input
validation, SQL injection). 5 0.00
Communications and
Operations
Management
External Fraud Network/application time
bomb
Tools to detect rogue network
devices are not used.
Tools are used to detect rogue
network devices and services.
5 0.00
9/29/2014 C BITS 2003. All rights reserved. 33
Communications and
Operations
Management
Business
Disruption and
System Failures
Power failure Lack of instructions for incident
response at processing facilities.
Operating instructions for the
management of processing
facilities include incident response
requirements such as escalation via
a call tree, methods for handling
errors, generating and handling
special output and restarting and
recovering systems.
5 0.00
Communications and
Operations
Management
External Fraud Robbery Lack of information and media
protection while in transit.
Procedures and standards to
protect information and media in
transit are established. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Sabotage Lack of procedures for handling
external communications in the
event of an incident.
Procedures are in place to notify
or handle inquiries from external
stakeholders, customers or clients,
news media, government offices,
outside investigators,
shareholders. 5 0.00
Communications and
Operations
Management
Damage to
Physical Assets
Seismic activity Recovery assets are destroyed in
the original disaster.
Copies of system and data
backups are taken and stored
offsite at locations with an
adequate distance from the
production site and for an
adequate period of time. 5 0.00
Communications and
Operations
Management
External Fraud Social engineering Sensitive information can be
inadvertently made publicly
available.
A review and authorization
process is in place to control
information that is made publicly
available. 5 0.00
Communications and
Operations
Management
Execution ,
Delivery and
Process
Management
Software defects No formal change control
process is in place.
A formal change control process
is in place detailing: testing
(including regression and security
testing as appropriate),
assessment, formal approval, back
out or contingency plans,
separation of development and
production software and systems,
separation of development and
production teams and provisions
for emergency changes.
5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Software defects Lack of release management
processes.
System and network operating
release management processes and
procedures are in place including
analysis of new release
functionality, testing and
deployment schedules. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Software defects Acceptance criteria for new
applications, systems and
networks are not in place.
Formal acceptance procedures and
criteria (including security) for
new applications, systems and
networks are in place. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Software defects Design requirements for
applications, systems and
networks are not met.
Implemented applications,
systems and networks meet design
requirements. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
System software failure Lack of instructions for incident
response at processing facilities.
Operating instructions for the
management of processing
facilities include incident response
requirements such as escalation
via a call tree, methods for
handling errors, generating and
handling special output and
restarting and recovering systems.
5 0.00
9/29/2014 C BITS 2003. All rights reserved. 34
Communications and
Operations
Management
Business
Disruption and
System Failures
System software failure No formal change control
process is in place.
A formal change control process
is in place detailing: testing
(including regression and security
testing as appropriate),
assessment, formal approval, back
out or contingency plans,
separation of development and
production software and systems,
separation of development and
production teams and provisions
for emergency changes.
5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
System software failure System and network changes are
not documented.
All system and network operating
changes are documented and
incorporated back into system
manuals. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
System software failure Lack of release management
processes.
System and network operating
release management processes and
procedures are in place including
analysis of new release
functionality, testing and
deployment schedules. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
System software failure Lack of documented incident
management procedures.
Incident management procedures
are in place and well documented
including: actions to take in the
event of information system
failures or loss of service, denial of
service attacks, errors resulting
from incomplete or inaccurate
business data, errors resulting
from system or device
misconfiguration, breaches or loss
of confidentiality, recovery from
specific incidents, gathering of
evidence, documentation and
recovery process.
5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
System software failure Incident response teams are
unqualified.
Incident response teams have
appropriate qualifications and
necessary training. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
System software failure Incident response teams are not
accessible in the event of an
incident.
Incident response teams are
accessible and available as needed.
5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
System software failure No ability to project future
system capacity requirements.
Projection and planning for future
system capacity requirements is
performed. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
System software failure New system requirements are
not documented or tested prior
to use.
Operational requirements for new
systems is established,
documented and tested prior to
the systems acceptance and use. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
System software failure Applications, systems and
network architectures lack high
availability.
Application, system and network
architectures are designed for high
availability and operational
redundancy. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
System software failure Acceptance criteria for new
applications, systems and
networks are not in place.
Formal acceptance procedures and
criteria (including security) for
new applications, systems and
networks are in place. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
System software failure Design requirements for
applications, systems and
networks are not met.
Implemented applications,
systems and networks meet design
requirements. 5 0.00
9/29/2014 C BITS 2003. All rights reserved. 35
Communications and
Operations
Management
Business
Disruption and
System Failures
System software failure System and data backups aren't
available for standard or disaster
recovery purposes.
Regular system and data backups
are performed at appropriate
intervals by specific or dedicated
units. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
System software failure Backup or recovery processes
aren't working and no one is
aware of it.
Testing of backup systems and
timely restoration of data is
performed at regular intervals. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
System software failure Maintenance logs aren't
available for problem
management and forensics.
Maintenance and upgrade logs are
kept for hardware and/or
software. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Telecommunications failure Lack of instructions for incident
response at processing facilities.
Operating instructions for the
management of processing
facilities include incident response
requirements such as escalation
via a call tree, methods for
handling errors, generating and
handling special output and
restarting and recovering systems.
5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Telecommunications failure Backup or recovery processes
aren't working and no one is
aware of it.
Testing of backup systems and
timely restoration of data is
performed at regular intervals. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Telecommunications failure Lack of network redundancy Network redundancy or diverse
network routing is maintained.
5 0.00
Communications and
Operations
Management
Damage to
Physical Assets
Terrorist attack Recovery assets are destroyed in
the original disaster.
Copies of system and data
backups are taken and stored
offsite at locations with an
adequate distance from the
production site and for an
adequate period of time 5 0.00
Communications and
Operations
Management
Damage to
Physical Assets
Tornados Recovery assets are destroyed in
the original disaster.
Copies of system and data
backups are taken and stored
offsite at locations with an
adequate distance from the
production site and for an
adequate period of time 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Trojans Security incidents and
suspicious activities are not
monitored.
Security incidents are monitored
including, security breaches,
internal fraud,
unauthorized/unacceptable
employee activity and other
suspicious activities. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Trojans Lack of a comprehensive virus
protection policy.
A virus protection policy
including a virus protection
process and response team is in
place and communicated
internally. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Trojans Anti-virus software is not used
or is not effective.
Antivirus software is deployed,
updated and maintained.
5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Trojans Anti-virus software is able to be
circumvented .
Restrictions on end-user override
capabilities are in place with
antivirus software. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Trojans Remote and laptop users do not
have virus protection.
Virus protection applies to remote
and laptop users.
5 0.00
9/29/2014 C BITS 2003. All rights reserved. 36
Communications and
Operations
Management
Business
Disruption and
System Failures
Trojans Code scanning is performed,
inconsistently performed or not
adequately performed.
A code scanning policy is in place
and includes the types of security
issues to be scanned for (e.g.,
malicious code, worms, Trojan
horses, back doors, form input
validation, SQL injection). 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Trojans Firewalls are not used or are
used ineffectively.
Firewalls are used appropriately
within the overall network
architecture. 5 0.00
Communications and
Operations
Management
Internal Fraud Unauthorized network or
system access
No formal change control
process is in place.
A formal change control process
is in place detailing: testing
(including regression and security
testing as appropriate),
assessment, formal approval, back
out or contingency plans,
separation of development and
production software and systems,
separation of development and
production teams and provisions
for emergency changes.
5 0.00
Communications and
Operations
Management
External Fraud Unauthorized network or
system access
No formal change control
process is in place.
A formal change control process
is in place detailing: testing
(including regression and security
testing as appropriate),
assessment, formal approval, back
out or contingency plans,
separation of development and
production software and systems,
separation of development and
production teams and provisions
for emergency changes.
5 0.00
Communications and
Operations
Management
Internal Fraud Unauthorized network or
system access
System and network changes are
not documented.
All system and network operating
changes are documented and
incorporated back into system
manuals. 5 0.00
Communications and
Operations
Management
External Fraud Unauthorized network or
system access
System and network changes are
not documented.
All system and network operating
changes are documented and
incorporated back into system
manuals. 5 0.00
Communications and
Operations
Management
External Fraud Unauthorized network or
system access
Security incidents and
suspicious activities are not
monitored.
Security incidents are monitored
including security breaches,
internal fraud,
unauthorized/unacceptable
employee activity and other
suspicious activities. 5 0.00
Communications and
Operations
Management
Internal Fraud Unauthorized network or
system access
Security incidents and
suspicious activities are not
monitored.
Security incidents are monitored
including security breaches,
internal fraud,
unauthorized/unacceptable
employee activity and other
suspicious activities. 5 0.00
Communications and
Operations
Management
Internal Fraud Unauthorized network or
system access
Incident response teams are not
accessible in the event of an
incident.
Incident response teams are
accessible and available as needed.
5 0.00
Communications and
Operations
Management
External Fraud Unauthorized network or
system access
Incident response teams are not
accessible in the event of an
incident.
Incident response teams are
accessible and available as needed.
5 0.00
Communications and
Operations
Management
Internal Fraud Unauthorized network or
system access
Logs are aren't available for
audits, forensics or prosecution.
Operator use logs are retained for
an appropriate period of time.
5 0.00
9/29/2014 C BITS 2003. All rights reserved. 37
Communications and
Operations
Management
External Fraud Unauthorized network or
system access
Logs are aren't available for
audits, forensics or prosecution.
Operator use logs are retained for
an appropriate period of time.
5 0.00
Communications and
Operations
Management
External Fraud Unauthorized network or
system access
Network management and
security / control domains
aren't in place.
Network management
security/control domains
(perimeter, DMZ, etc.) and
perimeters have been designed,
applied and implemented on all
networks. 5 0.00
Communications and
Operations
Management
Internal Fraud Unauthorized network or
system access
Network management and
security / control domains
aren't in place.
Network management
security/control domains
(perimeter, DMZ, etc.) and
perimeters have been designed,
applied and implemented on all
networks. 5 0.00
Communications and
Operations
Management
External Fraud Unauthorized network or
system access
Non secure configuration of
network devices.
Network devices are securely
configured according to their
function within security/control
zones (i.e., public/untrusted
networks, semi-private networks,
DMZs) and perimeters.
5 0.00
Communications and
Operations
Management
Internal Fraud Unauthorized network or
system access
Non-secure configuration of
network devices.
Network devices are securely
configured according to their
function within security/control
zones (i.e., public/untrusted
networks, semi-private networks,
DMZs) and perimeters.
5 0.00
Communications and
Operations
Management
External Fraud Unauthorized network or
system access
Remote access is uncontrolled
and unmanaged.
Remote access management
utilities or tools are used for
remote access to networks and
servers (administrator as well as
user dial-in/dial-out,
maintenance dial-in) appropriate
to each security/control domain. 5 0.00
Communications and
Operations
Management
Internal Fraud Unauthorized network or
system access
Remote access is uncontrolled
and unmanaged.
Remote access management
utilities or tools are used for
remote access to networks and
servers (administrator as well as
user dial-in/dial-out,
maintenance dial-in) appropriate
to each security/control domain. 5 0.00
Communications and
Operations
Management
Internal Fraud Unauthorized network or
system access
No network penetration testing
is performed.
Regular, periodic vulnerability and
penetration testing is performed
on all networks in accordance
with the risk of each
security/control domain and
perimeter. 5 0.00
Communications and
Operations
Management
External Fraud Unauthorized network or
system access
No network penetration testing
is performed.
Regular, periodic vulnerability and
penetration testing is performed
on all networks in accordance
with the risk of each
security/control domain and
perimeter 5 0.00
Communications and
Operations
Management
External Fraud Unauthorized network or
system access
Network activities are not
monitored.
Network activities are monitored
(manually and/or using automated
tools) through log reviews on a
frequent, periodic basis.
5 0.00
9/29/2014 C BITS 2003. All rights reserved. 38
Communications and
Operations
Management
Internal Fraud Unauthorized network or
system access
Network activities are not
monitored.
Network activities are monitored
(manually and/or using automated
tools) through log reviews on a
frequent, periodic basis.
5 0.00
Communications and
Operations
Management
External Fraud Unauthorized network or
system access
Logs are aren't available for
audits, forensics or prosecution.
Network activities are logged such
as: access failures, logon patterns,
allocation and use of privileged
access accounts, selected
transactions, sensitive resources,
remote dial-up activity, firewall
activity, failed operating system
and application access attempts,
security administration activity.
5 0.00
Communications and
Operations
Management
Internal Fraud Unauthorized network or
system access
Logs are aren't available for
audits, forensics or prosecution.
Network activities are logged such
as: access failures, logon patterns,
allocation and us of privileged
access accounts, selected
transactions, sensitive resources,
remote dial-up activity, firewall
activity, failed operating system
and application access attempts,
security administration activity.
5 0.00
Communications and
Operations
Management
External Fraud Unauthorized network or
system access
Intrusion detection systems are
not used or used ineffectively.
Intrusion detection systems are
used appropriately within the
overall network architecture. 5 0.00
Communications and
Operations
Management
External Fraud Unauthorized network or
system access
Tools to detect rogue network
devices are not used.
Tools are used to detect rogue
network devices and services.
5 0.00
Communications and
Operations
Management
External Fraud Unauthorized network or
system access
Loss or compromise of data
related to audits, forensics or
prosecution
Network security related event
logs are secured against
unauthorized access, change and
deletion for an adequate period of
time. 5 0.00
Communications and
Operations
Management
Internal Fraud Unauthorized network or
system access
Loss or compromise of data
related to audits, forensics or
prosecution
Network security related event
logs are secured against
unauthorized access, change and
deletion for an adequate period of
time 5 0.00
Communications and
Operations
Management
External Fraud Unauthorized network or
system access
Lack of strong authentication
and authorization to e-
commerce applications.
Online registration, authentication
and authorization are required
before e-commerce information
and data exchanges are made.
5 0.00
Communications and
Operations
Management
Internal Fraud Unauthorized network or
system access
Lack of strong authentication
and authorization to e-
commerce applications.
Online registration, authentication
and authorization are required
before e-commerce information
and data exchanges are made. 5 0.00
Communications and
Operations
Management
External Fraud Unauthorized network or
system access
Access codes are able to be read
in the clear while in storage or
transmission.
Access codes are encrypted in
storage and transmission.
5 0.00
Communications and
Operations
Management
Internal Fraud Unauthorized network or
system access
Access codes are able to be read
in the clear while in storage or
transmission.
Access codes are encrypted in
storage and transmission.
5 0.00
Communications and
Operations
Management
External Fraud Unauthorized scans Security incidents and
suspicious activities are not
monitored.
Security incidents are monitored
including security breaches,
internal fraud,
unauthorized/unacceptable
employee activity and other
suspicious activities. 5 0.00
9/29/2014 C BITS 2003. All rights reserved. 39
Communications and
Operations
Management
Internal Fraud Unauthorized scans System monitoring does not
have current signature files.
The security event monitoring
system has current signature files.
5 0.00
Communications and
Operations
Management
External Fraud Unauthorized scans System and data backups are
able to be accessed freely.
On and off-site system and data
backups are protected from
unauthorized access and
tampering. 5 0.00
Communications and
Operations
Management
External Fraud Unauthorized scans Network management and
security / control , domains
aren't in place.
Network management
security/control domains
(perimeter, DMZ, etc.) and
perimeters have been designed,
applied and implemented on all
networks. 5 0.00
Communications and
Operations
Management
External Fraud Unauthorized scans Non secure configuration of
network devices.
Network devices are securely
configured according to their
function within security/control
zones (i.e., public/untrusted
networks, semi-private networks,
DMZs) and perimeters.
5 0.00
Communications and
Operations
Management
External Fraud Unauthorized scans Remote access is uncontrolled
and unmanaged.
Remote access management
utilities or tools are used for
remote access to networks and
servers (administrator as well as
user dial-in/dial-out,
maintenance dial-in) appropriate
to each security/control domain. 5 0.00
Communications and
Operations
Management
External Fraud Unauthorized scans Network activities are not
monitored.
Network activities are monitored
(manually and/or using automated
tools) through log reviews on a
frequent, periodic basis.
5 0.00
Communications and
Operations
Management
External Fraud Unauthorized scans Logs are aren't available for
audits, forensics or prosecution.
Network activities are logged such
as: access failures, logon patterns,
allocation and use of privileged
access accounts, selected
transactions, sensitive resources,
remote dial-up activity, firewall
activity, failed operating system
and application access attempts,
security administration activity.
5 0.00
Communications and
Operations
Management
External Fraud Unauthorized scans Intrusion detection systems are
not used or used ineffectively.
Intrusion detection systems are
used appropriately within the
overall network architecture. 5 0.00
Communications and
Operations
Management
External Fraud Unauthorized scans Tools to detect rogue network
devices are not used.
Tools are used to detect rogue
network devices and services.
5 0.00
Communications and
Operations
Management
Internal Fraud Unauthorized scans Loss or compromise of data
related to audits, forensics or
prosecution
Network security related event
logs are secured against
unauthorized access, change and
deletion for an adequate period of
time. 5 0.00
Communications and
Operations
Management
External Fraud Unauthorized scans Access codes are able to be read
in the clear while in storage or
transmission.
Access codes are encrypted in
storage and transmission.
5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Virus hoaxes Lack of procedures for handling
external communications in the
event of an incident.
Procedures are in place to notify
or handle inquiries from external
stakeholders, customers or clients,
news media, government offices,
outside investigators,
shareholders. 5 0.00
9/29/2014 C BITS 2003. All rights reserved. 40
Communications and
Operations
Management
Business
Disruption and
System Failures
Viruses Security incidents and
suspicious activities are not
monitored.
Security incidents are monitored
including, security breaches,
internal fraud,
unauthorized/unacceptable
employee activity and other
suspicious activities. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Viruses Lack of a comprehensive virus
protection policy.
A virus protection policy
including a virus protection
process and response team is in
place and communicated
internally. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Viruses Anti-virus software is not used
or is not effective.
Antivirus software is deployed,
updated and maintained.
5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Viruses Anti-virus software is able to be
circumvented .
Restrictions on end-user override
capabilities are in place with
antivirus software. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Viruses Remote and laptop users do not
have virus protection.
Virus protection applies to remote
and laptop users.
5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Viruses Backup or recovery processes
aren't working and no one is
aware of it.
Testing of backup systems and
timely restoration of data is
performed at regular intervals. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Viruses Firewalls are not used or are
used ineffectively.
Firewalls are used appropriately
within the overall network
architecture. 5 0.00
Communications and
Operations
Management
External Fraud War dialing Lack of strong authentication
and authorization to e-
commerce applications.
Online registration, authentication
and authorization are required
before e-commerce information
and data exchanges are made.
5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Worms Security incidents and
suspicious activities are not
monitored.
Security incidents are monitored
including security breaches,
internal fraud,
unauthorized/unacceptable
employee activity and other
suspicious activities. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Worms Lack of a comprehensive virus
protection policy.
A virus protection policy,
including a virus protection
process and response team, is in
place and communicated
internally. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Worms Anti-virus software is not used
or is not effective.
Antivirus software is deployed,
updated and maintained.
5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Worms Anti-virus software is able to be
circumvented .
Restrictions on end-user override
capabilities are in place with
antivirus software. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Worms Remote and laptop users do not
have virus protection.
Virus protection applies to remote
and laptop users.
5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Worms System and data backups aren't
available for standard or disaster
recovery purposes.
Regular system and data backups
are performed at appropriate
intervals by specific or dedicated
units. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Worms Backup or recovery processes
aren't working and no one is
aware of it.
Testing of backup systems and
timely restoration of data is
performed at regular intervals. 5 0.00
Communications and
Operations
Management
Business
Disruption and
System Failures
Worms Firewalls are not used or are
used ineffectively.
Firewalls are used appropriately
within the overall network
architecture. 5 0.00
9/29/2014 C BITS 2003. All rights reserved. 41
Compliance Business
Disruption and
System Failures
DDoS or DoS attacks Failure to review standard
security configurations for
networks, operating systems,
applications, desktops and other
system components.
Standard security configurations
for networks, operating systems,
applications, desktops and other
system components are
implemented and regularly
reviewed for compliance. Security
configurations may include
security patches, vulnerability
management, default passwords,
registry settings, version
management and file directory
rights and permissions. 5 0.00
Compliance Execution ,
Delivery and
Process
Management
Human error Lack of clearly defined roles and
responsibilities.
Responsibility for legal and
regulatory compliance has been
clearly assigned.
5 0.00
Compliance Execution ,
Delivery and
Process
Management
Human error Lack of procedures to avoid
using material that would
infringe on the copyright or
intellectual property of others.
Procedures have been
implemented to avoid using
material that would infringe on
the copyright or intellectual
property of others. 5 0.00
Compliance Execution ,
Delivery and
Process
Management
Human error Lack of policy to protect the
organization's intellectual
property rights and ownership
of information systems, source
code that is developed
(including escrowing issues with
third parties) and business
processes or concepts created.
There is a policy in place to
protect the organization's
intellectual property rights and
ownership of information systems,
source code that is developed
(including escrowing issues with
third parties) and business
processes or concepts created.
5 0.00
Compliance Execution ,
Delivery and
Process
Management
Human error Failure to register software
products with the proper
authority to afford appropriate
patent, trademark or copyright
Software products developed
internally or by others on behalf
of the organization, are registered
in a timely manner with the proper
5 0.00
Compliance Execution ,
Delivery and
Process
Human error Failure to register internet
domain names with the proper
authority.
Internet domain names are
registered with the proper
authority.
5 0.00
Compliance Execution ,
Delivery and
Process
Management
Human error Lack of procedures to protect
against the use of information
processing facilities for
unauthorized purposes.
Procedures are in place to protect
against the use of information
processing facilities for
unauthorized purposes.
5 0.00
Compliance Execution ,
Delivery and
Process
Management
Human error Lack of process to ensure
interoperability, compliance
with international law when
transferring encrypted
information or cryptographic
controls to another country.
When transferring encrypted
information or cryptographic
controls to another country, there
is a process in place to ensure
interoperability, compliance to
international law and support.
5 0.00
Compliance Execution ,
Delivery and
Process
Management
Human error Lack of procedures to aid in
collecting adequate evidence in
support of a legal action against
a person (either internal or
external) or organization such as
information systems that are
Procedures are in place to aid in
collecting adequate evidence in
support of a legal action against a
person (either internal or external)
or organization such as
information systems that are
5 0.00
Compliance Execution ,
Delivery and
Process
Management
Human error Lack of compliance of
information systems with
published standards or codes of
practice for the production of
admissible evidence in court.
Information systems are
compliant with published
standards or codes of practice for
the production of admissible
evidence in court.
5 0.00
9/29/2014 C BITS 2003. All rights reserved. 42
Compliance Execution ,
Delivery and
Process
Management
Human error Failure to review standard
security configurations for
networks, operating systems,
applications, desktops and other
system components.
Standard security configurations
for networks, operating systems,
applications, desktops and other
system components are
implemented and regularly
reviewed for compliance. Security
configurations may include
security patches, vulnerability
management, default passwords,
registry settings, version
management and file directory
rights and permissions. 5 0.00
Compliance Execution ,
Delivery and
Process
Management
Human error Failure to conduct security
policy compliance reviews that
include a review of information
systems, system providers,
owners of information assets,
users and management.
Security policy compliance reviews
are conducted and include a
review of information systems,
system providers, owners of
information assets, users and
management.
5 0.00
Compliance Execution ,
Delivery and
Process
Management
Lawsuits/ litigation Lack of clearly defined roles and
responsibilities.
Responsibility for legal and
regulatory compliance has been
clearly assigned.
5 0.00
Compliance Clients, Products
and Business
Practices
Lawsuits/ litigation Lack of clearly defined roles and
responsibilities.
Responsibility for legal and
regulatory compliance has been
clearly assigned. 5 0.00
Compliance Clients, Products
and Business
Practices
Lawsuits/ litigation Lack of procedures to avoid
using material that would
infringe on the copyright or
intellectual property of others.
Procedures have been
implemented to avoid using
material that would infringe on
the copyright or intellectual
property of others. 5 0.00
Compliance Execution ,
Delivery and
Process
Management
Lawsuits/ litigation Lack of procedures to avoid
using material that would
infringe on the copyright or
intellectual property of others.
Procedures have been
implemented to avoid using
material that would infringe on
the copyright or intellectual
property of others. 5 0.00
Compliance Execution ,
Delivery and
Process
Management
Lawsuits/ litigation Legal and compliance
obligations may effect the
execution, delivery and
processes to be provided.
All third party relationships must
identify all obligations from
current, past and future litigation,
lawsuits, breaches of contract,
regulatory fines, and proceedings
against the company, its officers
and employees.
5 0.00
Compliance Execution ,
Delivery and
Process
Management
Lawsuits/ litigation Lack of policy to protect the
organization's intellectual
property rights and ownership
of information systems, source
code that is developed
(including escrowing issues with
third parties) and business
processes or concepts created.
There is a policy in place to
protect the organization's
intellectual property rights and
ownership of information systems,
source code that is developed
(including escrowing issues with
third parties) and business
processes or concepts created.
5 0.00
Compliance Execution ,
Delivery and
Process
Management
Lawsuits/ litigation Failure to register software
products with the proper
authority to afford appropriate
patent, trademark or copyright
protection in a timely manner.
Software products developed
internally or by others on behalf
of the organization are registered
in a timely manner with the proper
authority to afford appropriate
patent, trademark or copyright
protection. 5 0.00
9/29/2014 C BITS 2003. All rights reserved. 43
Compliance Execution ,
Delivery and
Process
Management
Lawsuits/ litigation Failure to register internet
domain names with the proper
authority.
Internet domain names are
registered with the proper
authority. 5 0.00
Compliance Execution ,
Delivery and
Process
Management
Lawsuits/ litigation Lack of process to ensure
interoperability, compliance
with international law when
transferring encrypted
information or cryptographic
controls to another country.
When transferring encrypted
information or cryptographic
controls to another country, there
is a process in place to ensure
interoperability, compliance to
international law and support.
5 0.00
Compliance Execution ,
Delivery and
Process
Management
Lawsuits/ litigation Lack of procedures to aid in
collecting adequate evidence in
support of a legal action against
a person (either internal or
external) or organization such as
information systems that are
compliant with published
standards or codes of practice
and strong trail of documents
and computer media.
Procedures are in place to aid in
collecting adequate evidence in
support of a legal action against a
person (either internal or external)
or organization, such as
information systems that are
compliant with published
standards or codes of practice and
a strong trail of documents and
computer media.
5 0.00
Compliance Execution ,
Delivery and
Process
Management
Lawsuits/ litigation Lack of compliance of
information systems with
published standards or codes of
practice for the production of
admissible evidence in court.
Information systems are
compliant with published
standards or codes of practice for
the production of admissible
evidence in court.
5 0.00
Compliance External Fraud Network spoofing Failure to review standard
security configurations for
networks, operating systems,
applications, desktops and other
system components.
Standard security configurations
for networks, operating systems,
applications, desktops and other
system components are
implemented and regularly
reviewed for compliance. Security
configurations may include
security patches, vulnerability
management, default passwords,
registry settings, version
management and file directory
rights and permissions. 5 0.00
Compliance Execution ,
Delivery and
Process
Management
Sabotage Lack of procedures to protect
against the use of information
processing facilities for
unauthorized purposes.
Procedures are in place to protect
against the use of information
processing facilities for
unauthorized purposes. 5 0.00
Compliance External Fraud Unauthorized network access Failure to review standard
security configurations for
networks, operating systems,
applications, desktops and other
system components.
Standard security configurations
for networks, operating systems,
applications, desktops and other
system components are
implemented and regularly
reviewed for compliance. Security
configurations may include
5 0.00
Compliance External Fraud Unauthorized network access Failure to use security tools for
vulnerability or penetration
testing, monitoring, policy
compliance, anti-virus, firewall,
application gateways and guards.
Security tools are used for
vulnerability or penetration
testing, monitoring, policy
compliance, antivirus, firewall,
application gateways and guards.
5 0.00
Compliance External Fraud Unauthorized network access Failure to correct deficiencies
noted in third party
audits/assessments.
Deficiencies noted in third party
audits/assessments are corrected.
5 0.00
9/29/2014 C BITS 2003. All rights reserved. 44
Compliance External Fraud Unauthorized network or
system access
Failure to perform annual third
party audit/assessment to test
controls and perform on-site
validation.
An annual third party
audit/assessment is performed
including testing of controls and
on-site validation. 5 0.00
Compliance External Fraud Unauthorized scans Failure to use security tools for
vulnerability or penetration
testing, monitoring, policy
compliance, anti-virus, firewall,
application gateways and guards.
Security tools are used for
vulnerability or penetration
testing, monitoring, policy
compliance, antivirus, firewall,
application gateways and guards.
5 0.00
Compliance Business
Disruption and
System Failures
Viruses Failure to review standard
security configurations for
networks, operating systems,
applications, desktops and other
system components.
Standard security configurations
for networks, operating systems,
applications, desktops and other
system components are
implemented and regularly
reviewed for compliance. Security
configurations may include
security patches, vulnerability
management, default passwords,
registry settings, version
management and file directory
rights and permissions. 5 0.00
Compliance Business
Disruption and
System Failures
Viruses Failure to use security tools for
vulnerability or penetration
testing, monitoring, policy
compliance, anti-virus, firewall,
application gateways and guards.
Security tools are used for
vulnerability or penetration
testing, monitoring, policy
compliance, antivirus, firewall,
application gateways and guards.
5 0.00
Compliance Business
Disruption and
System Failures
Viruses Failure to perform annual third
party audit/assessment to test
controls and perform on-site
validation.
An annual third party
audit/assessment is performed
including testing of controls and
on-site validation. 5 0.00
Compliance Business
Disruption and
System Failures
Viruses Failure to correct deficiencies
noted in third party
audits/assessments.
Deficiencies noted in third party
audits/assessments are corrected.
5 0.00
Compliance Business
Disruption and
System Failures
Worms Failure to review standard
security configurations for
networks, operating systems,
applications, desktops and other
system components.
Standard security configurations
for networks, operating systems,
applications, desktops and other
system components are
implemented and regularly
reviewed for compliance. Security
configurations may include
security patches, vulnerability
management, default passwords,
registry settings, version
management and file directory
rights and permissions. 5 0.00
Compliance Business
Disruption and
System Failures
Worms Failure to use security tools for
vulnerability or penetration
testing, monitoring, policy
compliance, anti-virus, firewall,
application gateways and guards.
Security tools are used for
vulnerability or penetration
testing, monitoring, policy
compliance, antivirus, firewall,
application gateways and guards.
5 0.00
Compliance Business
Disruption and
System Failures
Worms Failure to perform annual third
party audit/assessment to test
controls and perform on-site
validation.
An annual third party
audit/assessment is performed
including testing of controls and
on-site validation. 5 0.00
Compliance Business
Disruption and
System Failures
Worms Failure to correct deficiencies
noted in third party
audits/assessments.
Deficiencies noted in third party
audits/assessments are corrected.
5 0.00
9/29/2014 C BITS 2003. All rights reserved. 45
Organizational
Security
Business
Disruption and
System Failures
Human error External actor exceeds level of
authorized access to the system.
External source implements
change to the system with out
going through proper change
control.
A written and comprehensive
information security program that
includes administrative and
technical standards, procedures
and policies is in place to protect
information and information
assets. 5 0.00
Organizational
Security
External Fraud Network/application backdoor External actor exceeds level of
authorized access to the system.
External source implements
change to the system with out
going through proper change
control.
Procedures and policies are in
place to control and document
third-party physical and logical
access to information and
information systems.
5 0.00
Organizational
Security
Business
Disruption and
System Failures
Sabotage Weak security controls
implemented at the third party,
increasing the risk of
compromise of information
assets.
All third party relationships and
dependent service providers are
identified -- including the services
being performed and the clients
affected by the services -- and
appropriate due diligence for
those service providers has been
completed. 5 0.00
Organizational
Security
External Fraud Unauthorized network or
system access
External actor exceeds level of
authorized access to the system.
External source implements
change to the system with out
going through proper change
control.
Procedures and policies are in
place to control and document
third-party physical and logical
access to information and
information systems.
5 0.00
Organizational
Security
External Fraud Unauthorized network or
system access
Weak security controls
implemented at the third party,
increasing the risk of
compromise of information
assets.
All third party relationships and
dependent service providers are
identified -- including the services
being performed and the clients
affected by the services -- and
appropriate due diligence for
those service providers has been
completed. 5 0.00
Organizational
Security
Business
Disruption and
System Failures
Malicious code External actor exceeds level of
authorized access to the system.
External source implements
change to the system with out
going through proper change
control.
Procedures and policies are in
place to control and document
third-party physical and logical
access to information and
information systems.
5 0.00
Personnel Security External Fraud Computer crime Incomplete, nonexistent, or
insufficient background checks
performed on employees and
externals. Background checks
are not done or a periodic basis.
Perform pre-employment and
periodic background checks for all
administrators and employees and
contractors with access to critical
information assets. Background
checks encompass criminal checks
at local, state, national and
international level, credit check,
drug screening, and reference
verification.
5 0.00
9/29/2014 C BITS 2003. All rights reserved. 46
Personnel Security Internal Fraud Computer crime Incomplete, nonexistent, or
insufficient background checks
performed on employees and
externals. Background checks
are not done or a periodic basis.
Perform pre-employment and
periodic background checks for all
administrators and employees and
contractors with access to critical
information assets. Background
checks encompass criminal checks
at local, state, national and
international level, credit check,
drug screening, and reference
verification.
5 0.00
Personnel Security Internal Fraud Computer crime There is a lack of disciplinary
action taken for policy violation.
A clearly defined and understood
disciplinary process is in place for
employees who violate the
information security policy.
5 0.00
Personnel Security External Fraud Computer crime There is a lack of awareness on
how to report a security
incident.
Procedures for reporting security
incidents and malfunctions are
clearly defined and include
detailed actions, reporting
hierarchy, escalation triggers
relative to the type of incident and
potential impact and special
provisions related to the time of
day or non-business hour scenario,
if any. 5 0.00
Personnel Security Business
Disruption and
System Failures
DDoS or DoS attacks Procedures for reporting
incidents are not current or
complete.
Procedures for reporting security
incidents and malfunctions are
communicated to all employees. 5 0.00
Personnel Security External Fraud Discussing sensitive matters in
open
Confidential discussions take
place in open unsecured areas.
Employment provisions include
nondisclosure or agreement of
confidentiality and a clear
statement of information security
responsibilities. 5 0.00
Personnel Security Internal Fraud Discussing sensitive matters in
open
Confidential discussions take
place in open unsecured areas.
Employment provisions include
nondisclosure or agreement of
confidentiality and a clear
statement of information security
responsibilities. 5 0.00
Personnel Security Business
Disruption and
System Failures
Human error Lack of trained security staff. Comprehensive information
security training commensurate
with the position and access role is
provided to all new employees and
contractors and is conducted on a
recurring basis. 5 0.00
Personnel Security Execution ,
Delivery and
Process
Management
Human error Employees and externals are not
aware of security probes. How
to protect, detect, and report.
Information security awareness
resources (website, brochure-ware,
training modules, etc.) are made
available to all employees and
contractors. 5 0.00
Personnel Security Execution ,
Delivery and
Process
Management
Human error Lack of formal Security
certification oversight can lead
to deteriorated knowledge.
Not Current.
Oversight of employees security
certifications (e.g., CISA, CISSP,
TISCA) requirements and
maintenance is established 5 0.00
9/29/2014 C BITS 2003. All rights reserved. 47
Personnel Security Execution ,
Delivery and
Process
Management
Human error Incident reports procedures are
not tested regularly. "People
not prepared to report".
Execution of the procedures for
reporting security incidents is
tested.
5 0.00
Personnel Security Execution ,
Delivery and
Process
Management
Lawsuits/ litigation Lack of trained security staff. Comprehensive information
security training commensurate
with the position and access role,
is provided to all new employees
and contractors and is conducted
on a recurring basis.
5 0.00
Personnel Security Clients, Products
and Business
Practices
Lawsuits/ litigation Lack of internal and vendor
intrusion detection, logging, and
security controls.
Information security incidents
from internal operations and with
third parties are tracked, analyzed
and reported for appropriate
regulatory requirements and
process improvement.
5 0.00
Personnel Security Internal Fraud Social engineering Confidential discussions take
place in open unsecured areas.
Employment provisions include
nondisclosure or agreement of
confidentiality and a clear
statement of information security
responsibilities.
5 0.00
Personnel Security External Fraud Social engineering Confidential discussions take
place in open unsecured areas.
Employment provisions include
nondisclosure or agreement of
confidentiality and a clear
statement of information security
5 0.00
9/29/2014 C BITS 2003. All rights reserved. 48
Personnel Security External Fraud Social engineering Lack of trained security staff. Comprehensive information
security training commensurate
with the position and access role is
provided to all new employees and
5 0.00
Personnel Security External Fraud Social engineering Employees and externals are not
aware of security probes. How
to protect, detect, and report.
Information security awareness
resources (website, brochure-ware,
training modules, etc.) are made
available to all employees and
contractors. 5 0.00
Personnel Security External Fraud Social engineering Employees may be manipulated
into giving out sensitive system
information.
All employees are specifically
made aware of social
engineering risks. 5 0.00
Personnel Security External Fraud Social engineering Procedures for reporting
incidents are not current or
complete.
Procedures for reporting security
incidents and malfunctions are
communicated to all employees. 5 0.00
Personnel Security External Fraud Tailgating to gain unauthorized
access
Proximity badges are the only
physical access control in place.
"Proximity badges lost or
stolen."
Employee and contractor access
to physical location and
information assets is controlled by
biometric devices (fingerprint,
retinal scans, other). 5 0.00
Personnel Security Internal Fraud Tailgating to gain unauthorized
access
Proximity badges are the only
physical access control in place.
"Proximity badges lost or
stolen."
Employee and contractor access
to physical location and
information assets is controlled by
biometric devices (fingerprint,
retinal scans, other).
5 0.00
Personnel Security Internal Fraud Unauthorized network access Lack of internal and vendor
intrusion detection, logging, and
security controls.
Information security incidents
from internal operations and with
third parties are tracked, analyzed
and reported for appropriate
regulatory requirements and
process improvement.
5 0.00
Personnel Security External Fraud Unauthorized network access Lack of internal and vendor
intrusion detection, logging, and
security controls.
Information security incidents
from internal operations and with
third parties are tracked, analyzed
and reported for appropriate
regulatory requirements and
process improvement.
5 0.00
9/29/2014 C BITS 2003. All rights reserved. 49
Personnel Security External Fraud Unauthorized scans Employees and externals are not
aware of security probes. How
to protect, detect, and report.
Information security awareness
resources (website, brochure-ware,
training modules, etc.) are made
available to all employees and
contractors.
5 0.00
Personnel Security External Fraud Unauthorized scans There is a lack of awareness on
how to report a security
incident.
Procedures for reporting security
incidents and malfunctions are
clearly defined and include
detailed actions, reporting
hierarchy, escalation triggers
relative to the type of incident and
potential impact, and special
provisions related to the time of
day or non-business hour scenario,
if any.
5 0.00
Personnel Security External Fraud Unauthorized scans Procedures for reporting
incidents are not current or
complete.
Procedures for reporting security
incidents and malfunctions are
communicated to all employees.
5 0.00
Personnel Security Business
Disruption and
System Failures
Virus hoaxes Employees and externals are not
aware of security probes. How
to protect, detect, and report.
Information security awareness
resources (website, brochure-ware,
training modules, etc.) are made
available to all employees and
contractors.
5 0.00
Personnel Security External Fraud Virus hoaxes There is a lack of awareness on
how to report a security
incident.
Procedures for reporting security
incidents and malfunctions are
clearly defined and include
detailed actions, reporting
hierarchy, escalation triggers
relative to the type of incident and
potential impact, and special
provisions related to the time of
day or non-business hour scenario
if any.
5 0.00
9/29/2014 C BITS 2003. All rights reserved. 50
Physical and
Environmental
Security
Business
Disruption and
System Failures
CPU malfunction/failure Environmental protection not
being tested regularly
Environmental protection
equipment (fire suppression, water
flooding, heat/air conditioning,
power supply, etc.) is installed,
tested and monitored at
appropriate intervals.
5 0.00
Physical and
Environmental
Security
Damage to
Physical Assets
Fire Environmental protection not
being tested regularly
Environmental protection
equipment (fire suppression, water
flooding, heat/air conditioning,
power supply, etc.) is installed,
tested and monitored at
appropriate intervals.
5 0.00
Physical and
Environmental
Security
Damage to
Physical Assets
Floods Environmental protection not
being tested regularly
Environmental protection
equipment (fire suppression, water
flooding, heat/air conditioning,
power supply, etc.) is installed,
tested and monitored at
appropriate intervals.
5 0.00
Physical and
Environmental
Security
Damage to
Physical Assets
Gas leaks Lack of disaster recovery and
surveying of physical location.
Premises where business
information processing occurs is
assessed for environmental
hazards (e.g., exposure to
hazardous facilities, natural gas,
petroleum or other pipelines) and
the likelihood of natural disasters
(e.g., flooding, tornadoes or
earthquakes).
5 0.00
Physical and
Environmental
Security
Business
Disruption and
System Failures
Hardware failure Remote maintenance is not
done securely and too many
administrators.
Maintenance of equipment can be
performed remotely through
secure and controlled access.
5 0.00
Physical and
Environmental
Security
Damage to
Physical Assets
Hazardous waste exposure Lack of disaster recovery and
surveying of physical location.
Premises where business
information processing occurs is
assessed for environmental
hazards (e.g., exposure to
hazardous facilities, natural gas,
petroleum or other pipelines) and
the likelihood of natural disasters
(e.g., flooding, tornadoes or
earthquakes).
5 0.00
9/29/2014 C BITS 2003. All rights reserved. 51
Physical and Environmental Security | Business Disruption and System Failures | Threat: HVAC failure | Vulnerability: Environmental protection equipment is not tested regularly. | Control: Environmental protection equipment (fire suppression, water flooding, heat/air conditioning, power supply, etc.) is installed, tested and monitored at appropriate intervals. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Leaving computer screen exposed or unlocked | Vulnerability: Visitors are not escorted at all times. | Control: Visitors to the physical premises are escorted as necessary. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | Internal Fraud | Threat: Leaving computer screen exposed or unlocked | Vulnerability: Assets are not properly classified and control procedures are not defined for them; users do not follow procedures. | Control: Procedures to secure information (e.g., locked cabinets, document control, and clear screen/screen timeout policies) are established based on asset classification. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Leaving computer screen exposed or unlocked | Vulnerability: Assets are not properly classified and control procedures are not defined for them; users do not follow procedures. | Control: Procedures to secure information (e.g., locked cabinets, document control, and clear screen/screen timeout policies) are established based on asset classification. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Leaving doors unlocked | Vulnerability: There is a lack of physical operating security policies company-wide, or they are not followed and enforced. | Control: Policies for operational security within the work space (e.g., utilization of shredding equipment, secure storage, and "clean desk" principles) are defined. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Leaving doors unlocked | Vulnerability: Lack of monitoring and control at non-employee entrances (no guards, video or access control). | Control: Non-employee physical premises access is controlled and monitored. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | Internal Fraud | Threat: Leaving sensitive documents exposed | Vulnerability: There is a lack of physical operating security policies company-wide, or they are not followed and enforced. | Control: Policies for operational security within the work space (e.g., utilization of shredding equipment, secure storage, and "clean desk" principles) are defined. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Leaving sensitive documents exposed | Vulnerability: There is a lack of physical operating security policies company-wide, or they are not followed and enforced. | Control: Policies for operational security within the work space (e.g., utilization of shredding equipment, secure storage, and "clean desk" principles) are defined. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | Internal Fraud | Threat: Leaving sensitive documents exposed | Vulnerability: Assets are not properly classified and control procedures are not defined for them; users do not follow procedures. | Control: Procedures to secure information (e.g., locked cabinets, document control, and clear screen/screen timeout policies) are established based on asset classification. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Leaving sensitive documents exposed | Vulnerability: Assets are not properly classified and control procedures are not defined for them; users do not follow procedures. | Control: Procedures to secure information (e.g., locked cabinets, document control, and clear screen/screen timeout policies) are established based on asset classification. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Lost or stolen laptops | Vulnerability: There is a lack of physical operating security policies company-wide, or they are not followed and enforced. | Control: Policies for operational security within the work space (e.g., utilization of shredding equipment, secure storage, and "clean desk" principles) are defined. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | Business Disruption and System Failures | Threat: Power failure | Vulnerability: Environmental protection equipment is not tested regularly. | Control: Environmental protection equipment (fire suppression, water flooding, heat/air conditioning, power supply, etc.) is installed, tested and monitored at appropriate intervals. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | Business Disruption and System Failures | Threat: Power failure | Vulnerability: Lack of failover power. | Control: Hot-swap or hot-failover capabilities are employed for critical power supply equipment. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | Business Disruption and System Failures | Threat: Power failure | Vulnerability: Exposed wiring in ceilings, closets and floors is not secured. | Control: Safeguards are in place to prevent unauthorized interception of or damage to network, power or telecommunications cabling and other on- and off-site equipment necessary for business or backup activities (e.g., continuous power supply equipment is installed and maintained for critical systems, phone/cable closets are secured, etc.). | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | Business Disruption and System Failures | Threat: Power fluctuation | Vulnerability: Environmental protection equipment is not tested regularly. | Control: Environmental protection equipment (fire suppression, water flooding, heat/air conditioning, power supply, etc.) is installed, tested and monitored at appropriate intervals. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | Business Disruption and System Failures | Threat: Power fluctuation | Vulnerability: Lack of failover power. | Control: Hot-swap or hot-failover capabilities are employed for critical power supply equipment. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Robbery | Vulnerability: Lack of monitoring and control at loading and delivery points (blind spots with no video camera). | Control: Loading and delivery area access to key data centers or buildings where information processing or storage is performed is controlled and monitored. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Robbery | Vulnerability: Access is not promptly removed, or is not scrutinized before being granted. | Control: Physical premises access authority (sites, buildings, rooms, etc.) is defined and limited to authorized personnel only, using appropriate controls and/or dual controls (badge, reception desk, guards, escorts, locks, biometrics, etc.). | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Robbery | Vulnerability: Cameras or motion detectors are not in place or have blind spots. | Control: Physical premises access is monitored using logs, cameras, motion detectors, etc. at appropriate intervals. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Robbery | Vulnerability: Lack of monitoring and control at non-employee entrances (no guards, video or access control). | Control: Non-employee physical premises access is controlled and monitored. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Robbery | Vulnerability: Visitors are not escorted at all times. | Control: Visitors to the physical premises are escorted as necessary. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Robbery | Vulnerability: Physical security of the data center is not routinely tested. | Control: Penetration tests are performed to verify data center physical security. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Robbery | Vulnerability: Property is removed without being challenged. | Control: Procedures are in place to prevent the unauthorized removal of property. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | Internal Fraud | Threat: Robbery | Vulnerability: Property is removed without being challenged. | Control: Procedures are in place to prevent the unauthorized removal of property. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Sabotage | Vulnerability: Lack of monitoring and control at non-employee entrances (no guards, video or access control). | Control: Non-employee physical premises access is controlled and monitored. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Sabotage | Vulnerability: Physical security of the data center is not routinely tested. | Control: Penetration tests are performed to verify data center physical security. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | Damage to Physical Assets | Threat: Seismic activity | Vulnerability: Lack of disaster recovery planning and surveying of the physical location. | Control: Premises where business information processing occurs are assessed for environmental hazards (e.g., exposure to hazardous facilities, natural gas, petroleum or other pipelines) and the likelihood of natural disasters (e.g., flooding, tornadoes or earthquakes). | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | Internal Fraud | Threat: Shoulder surfing | Vulnerability: There is a lack of physical operating security policies company-wide, or they are not followed and enforced. | Control: Policies for operational security within the work space (e.g., utilization of shredding equipment, secure storage, and "clean desk" principles) are defined. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Shoulder surfing | Vulnerability: Visitors are not escorted at all times. | Control: Visitors to the physical premises are escorted as necessary. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Tailgating to gain unauthorized access | Vulnerability: Lack of monitoring and control at loading and delivery points (blind spots with no video camera). | Control: Loading and delivery area access to key data centers or buildings where information processing or storage is performed is controlled and monitored. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Tailgating to gain unauthorized access | Vulnerability: Cameras or motion detectors are not in place or have blind spots. | Control: Physical premises access is monitored using logs, cameras, motion detectors, etc. at appropriate intervals. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Tailgating to gain unauthorized access | Vulnerability: Visitors are not escorted at all times. | Control: Visitors to the physical premises are escorted as necessary. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | Business Disruption and System Failures | Threat: Telecommunications failure | Vulnerability: Exposed wiring in ceilings, closets and floors is not secured. | Control: Safeguards are in place to prevent unauthorized interception of or damage to network, power or telecommunications cabling and other on- and off-site equipment necessary for business or backup activities (e.g., continuous power supply equipment is installed and maintained for critical systems, phone/cable closets are secured, etc.). | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | Damage to Physical Assets | Threat: Terrorist attack | Vulnerability: Lack of monitoring and control at loading and delivery points (blind spots with no video camera). | Control: Loading and delivery area access to key data centers or buildings where information processing or storage is performed is controlled and monitored. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | Damage to Physical Assets | Threat: Terrorist attack | Vulnerability: Access is not promptly removed, or is not scrutinized before being granted. | Control: Physical premises access authority (sites, buildings, rooms, etc.) is defined and limited to authorized personnel only, using appropriate controls and/or dual controls (badge, reception desk, guards, escorts, locks, biometrics, etc.). | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | Damage to Physical Assets | Threat: Terrorist attack | Vulnerability: Cameras or motion detectors are not in place or have blind spots. | Control: Physical premises access is monitored using logs, cameras, motion detectors, etc. at appropriate intervals. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Terrorist attack | Vulnerability: Physical security of the data center is not routinely tested. | Control: Penetration tests are performed to verify data center physical security. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | Damage to Physical Assets | Threat: Tornadoes | Vulnerability: Lack of disaster recovery planning and surveying of the physical location. | Control: Premises where business information processing occurs are assessed for environmental hazards (e.g., exposure to hazardous facilities, natural gas, petroleum or other pipelines) and the likelihood of natural disasters (e.g., flooding, tornadoes or earthquakes). | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Unauthorized network or system access | Vulnerability: Lack of TEMPEST or other measures to protect against electronic interception. | Control: Emissions (wire in conduit, monitors, wireless broadcasts) are shielded to prevent compromise of network security. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | External Fraud | Threat: Unauthorized scans | Vulnerability: Lack of TEMPEST or other measures to protect against electronic interception. | Control: Emissions (wire in conduit, monitors, wireless broadcasts) are shielded to prevent compromise of network security. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | Damage to Physical Assets | Threat: Vandalism | Vulnerability: Lack of monitoring and control at loading and delivery points (blind spots with no video camera). | Control: Loading and delivery area access to key data centers or buildings where information processing or storage is performed is controlled and monitored. | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | Damage to Physical Assets | Threat: Vandalism | Vulnerability: Access is not promptly removed, or is not scrutinized before being granted. | Control: Physical premises access authority (sites, buildings, rooms, etc.) is defined and limited to authorized personnel only, using appropriate controls and/or dual controls (badge, reception desk, guards, escorts, locks, biometrics, etc.). | Control vs. impact score: 5 | Residual risk score: 0.00
Physical and Environmental Security | Damage to Physical Assets | Threat: Vandalism | Vulnerability: Cameras or motion detectors are not in place or have blind spots. | Control: Physical premises access is monitored using logs, cameras, motion detectors, etc. at appropriate intervals. | Control vs. impact score: 5 | Residual risk score: 0.00
Security Policy | Business Disruption and System Failures | Threat: Human error | Vulnerability: Insiders/employees are unaware of proper security practices; proper controls are not applied or, if applied, are not applied consistently for protection of information assets. | Control: A written and comprehensive information security program that includes administrative and technical standards, procedures and policies is in place to protect information and information assets. | Control vs. impact score: 5 | Residual risk score: 0.00
Security Policy | External Fraud | Threat: Leaving sensitive documents exposed | Vulnerability: Insiders/employees are unaware of proper security practices; proper controls are not applied or, if applied, are not applied consistently for protection of information assets. | Control: A written and comprehensive information security program that includes administrative and technical standards, procedures and policies is in place to protect information and information assets. | Control vs. impact score: 5 | Residual risk score: 0.00
Security Policy | Internal Fraud | Threat: Leaving sensitive documents exposed | Vulnerability: Insiders/employees are unaware of proper security practices; proper controls are not applied or, if applied, are not applied consistently for protection of information assets. | Control: A written and comprehensive information security program that includes administrative and technical standards, procedures and policies is in place to protect information and information assets. | Control vs. impact score: 5 | Residual risk score: 0.00
Security Policy | External Fraud | Threat: Sabotage | Vulnerability: Insiders/employees are unaware of proper security practices; proper controls are not applied or, if applied, are not applied consistently for protection of information assets. | Control: A written and comprehensive information security program that includes administrative and technical standards, procedures and policies is in place to protect information and information assets. | Control vs. impact score: 5 | Residual risk score: 0.00
Security Policy | External Fraud | Threat: Social engineering | Vulnerability: Insiders/employees are unaware of proper security practices; proper controls are not applied or, if applied, are not applied consistently for protection of information assets. | Control: A written and comprehensive information security program that includes administrative and technical standards, procedures and policies is in place to protect information and information assets. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Unauthorized network or system access | Vulnerability: Inappropriate or weak access control procedures result in unauthorized modifications and/or data integrity issues. | Control: Application access control procedures are in place to protect source code, the binaries, or the actual database or data. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Application software failure | Vulnerability: Lack of tools that document data alterations in the production application environment. | Control: Tools are available in the production application environment to produce an audit trail of all data alterations. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Application software failure | Vulnerability: Loss or modification of audit trails and/or activity logs can impede investigation into inappropriate application or human activities. | Control: Audit trails and activity logs are handled and stored in a secure manner. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Internal Fraud | Threat: Computer crime | Vulnerability: A lack of host-based IDS eliminates the possibility of collecting evidence of malicious or suspicious application activity in real time and decreases the ability to monitor key system files for evidence of tampering. | Control: A host-based intrusion detection system is employed. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | External Fraud | Threat: Computer crime | Vulnerability: A lack of host-based IDS eliminates the possibility of collecting evidence of malicious or suspicious application activity in real time and decreases the ability to monitor key system files for evidence of tampering. | Control: A host-based intrusion detection system is employed. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: DDoS or DoS attacks | Vulnerability: Software patches not tested and applied in a timely manner leave application vulnerabilities open and render the application susceptible to attack. | Control: A process is in place to allow for the prompt testing and application of up-to-date security patches from vendors. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Human error | Vulnerability: Lack of a consistently applied methodology can result in security exposures, potential loss of data integrity, and performance issues. | Control: A formal application development process/methodology is in place. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Application software failure | Vulnerability: Lack of independent risk assessment of applications can result in oversight of security holes built into the application. | Control: Applications are independently evaluated or certified. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Execution, Delivery and Process Management | Threat: Lawsuit/litigation | Vulnerability: Lack of strong non-repudiation controls can result in tampering with a message between origin and recipient, integrity issues, and loss of potential legal evidence of crime. | Control: Appropriate non-repudiation methods are used (e.g., time stamping, voice recording, digital signatures). | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Execution, Delivery and Process Management | Threat: Unauthorized network or system access | Vulnerability: Unauthorized access to files and libraries can result in modifications or inappropriate access to files and libraries. | Control: Authorized access to critical system files and source code libraries is established, controlled and maintained. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Execution, Delivery and Process Management | Threat: Application software failure | Vulnerability: Lack of backup policy and procedures prevents recovery during a system problem. | Control: System libraries are backed up on a regular basis so that they are available to be recovered in the event of a system problem. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Application software failure | Vulnerability: Lack of change control policy and procedures can result in security exposures during changes or modifications. | Control: There is a documented change control process including a review of code changes by information security. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Execution, Delivery and Process Management | Threat: Human error | Vulnerability: Lack of segregation between development/test and operational systems may result in data integrity issues. | Control: The development/test system is segregated from the operational system. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Human error | Vulnerability: Developers are not directed on the techniques to program applications in a secure fashion. | Control: A programmer's development manual guides the creation of safe and secure code, and developers have been trained in programming techniques that provide for more secure applications. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Execution, Delivery and Process Management | Threat: Lawsuits/litigation | Vulnerability: Lack of an encryption policy can result in exposure of sensitive or other types of information and can have regulatory or legal ramifications. | Control: An encryption policy is in place that covers the end-to-end transaction (e.g., origination, storage, network path, backups, recovery and legally mandated provisions). | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Malicious code | Vulnerability: Lack of independent risk assessment of applications can result in oversight of security holes built into the application. | Control: Applications are independently evaluated or certified. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Malicious code | Vulnerability: Lack of quality assurance procedures to test third-party-provided code. | Control: For application code that is provided by a third party, procedures are in place to ensure that the code is free from malicious code. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Network/application backdoors | Vulnerability: Lack of code review and assurance procedures. | Control: Application code has been reviewed for security flaws, backdoors and malicious code. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Malicious code | Vulnerability: Lack of change control policy and procedures can result in security exposures during changes or modifications. | Control: There is a documented change control process including a review of code changes by information security. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Malicious code | Vulnerability: Developers are not directed on the techniques to program applications in a secure fashion. | Control: A programmer's development manual guides the creation of safe and secure code, and developers have been trained in programming techniques that provide for more secure applications. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | External Fraud | Threat: Network spoofing | Vulnerability: Failure to protect the confidentiality and integrity of sensitive information. | Control: Internationally or nationally accepted cryptographic methods and key management techniques are employed. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | External Fraud | Threat: Network spoofing | Vulnerability: Lack of an encryption policy can result in exposure of sensitive or other types of information and can have regulatory or legal ramifications. | Control: An encryption policy is in place that covers the end-to-end transaction (e.g., origination, storage, network path, backups, recovery and legally mandated provisions). | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Network/application backdoor | Vulnerability: Lack of independent risk assessment of applications can result in oversight of security holes built into the application. | Control: Applications are independently evaluated or certified. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Network/application backdoor | Vulnerability: Lack of quality assurance procedures to test third-party-provided code. | Control: For application code that is provided by a third party, procedures are in place to ensure that the code is free from malicious code. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Network/application backdoor | Vulnerability: A lack of host-based IDS eliminates the possibility of collecting evidence of malicious or suspicious application activity in real time and decreases the ability to monitor key system files for evidence of tampering. | Control: A host-based intrusion detection system is employed. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Internal Fraud | Threat: Network/application backdoor | Vulnerability: Inappropriate or weak access control procedures result in unauthorized modifications and/or data integrity issues. | Control: Application access control procedures are in place to protect source code, the binaries, or the actual database or data. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | External Fraud | Threat: Network/application backdoor | Vulnerability: Lack of tools that document data alterations in the production application environment. | Control: Tools are available in the production application environment to produce an audit trail of all data alterations. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Internal Fraud | Threat: Network/application backdoor | Vulnerability: Lack of application stability and data integrity. | Control: Application access control procedures are in place to protect source code, the binaries, or the actual database or data. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Internal Fraud | Threat: Network/application backdoor | Vulnerability: Lack of proper review of application code for security flaws. | Control: Application code has been reviewed for security flaws, backdoors and malicious code. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Internal Fraud | Threat: Network/application backdoor | Vulnerability: Lack of documentation of data alterations during the application development process. | Control: Development tools used in the production application environment produce an audit trail of all data alterations. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Network/application time bomb | Vulnerability: Lack of independent risk assessment of applications can result in oversight of security holes built into the application. | Control: Applications are independently evaluated or certified. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Network/application time bomb | Vulnerability: Lack of quality assurance procedures to test third-party-provided code. | Control: For application code that is provided by a third party, procedures are in place to ensure that the code is free from malicious code. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Network/application time bomb | Vulnerability: A lack of host-based IDS eliminates the possibility of collecting evidence of malicious or suspicious application activity in real time and decreases the ability to monitor key system files for evidence of tampering. | Control: A host-based intrusion detection system is employed. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Software defects | Vulnerability: Lack of tools that document data alterations in the production application environment. | Control: Tools are available in the production application environment to produce an audit trail of all data alterations. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Software defects | Vulnerability: Developers are not directed on the techniques to program applications in a secure fashion. | Control: A programmer's development manual guides the creation of safe and secure code, and developers have been trained in programming techniques that provide for more secure applications. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: System software failure | Vulnerability: Lack of interoperability testing may result in security exposures, performance issues, loss of productivity, and loss of availability. | Control: Interoperability testing of new and existing applications is a feature of the change control policy. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: System software failure | Vulnerability: Lack of tested compatibility between solutions can result in security exposures, performance issues, loss of productivity, and loss of availability. | Control: The use of digital certificates or other public key technology has been tested for interoperability between solutions. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: System software failure | Vulnerability: Lack of accountability for the actions of systems developers. | Control: Appropriate non-repudiation methods are used (e.g., time stamping, voice recording, digital signatures). | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: System software failure | Vulnerability: Access to critical system files and system source libraries is not documented or controlled. | Control: Critical system files and system source libraries are documented and maintained under controlled access. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: System software failure | Vulnerability: System files are not controlled. | Control: Access to system files is controlled and maintained. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: System software failure | Vulnerability: System libraries are not available for recovery. | Control: System libraries are backed up on a regular basis so that they are available to be recovered in the event of a system problem. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: System software failure | Vulnerability: Lack of a change control policy and procedure that includes review and testing of all changes can result in security exposures, performance issues, loss of productivity, and loss of availability. | Control: All proposed system changes are reviewed and tested to ensure that the security of the system and of the operating environment is not compromised. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: System software failure | Vulnerability: System tests do not accurately reflect the impacts and results of changes. | Control: The development/test system is segregated from the operational system. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Business Disruption and System Failures | Threat: Trojans | Vulnerability: Software patches not tested and applied in a timely manner leave application vulnerabilities open and render the application susceptible to attack. | Control: A process is in place to allow for the prompt testing and application of up-to-date security patches from vendors. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | External Fraud | Threat: Leaving sensitive documents exposed | Vulnerability: Weak or unauthorized encryption algorithms can result in the exposure of sensitive or confidential information. | Control: The strength and integrity of proprietary encryption algorithms have been certified by an authorized evaluation agency. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Internal Fraud | Threat: Unauthorized network or system access | Vulnerability: Lack of a risk assessment for the encryption methodology can result in the exposure of sensitive or confidential information. | Control: A risk assessment methodology is employed to determine the level of encryption necessary for the environment. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | External Fraud | Threat: Unauthorized network or system access | Vulnerability: Lack of a risk assessment for the encryption methodology can result in the exposure of sensitive or confidential information. | Control: A risk assessment methodology is employed to determine the level of encryption necessary for the environment. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Internal Fraud | Threat: Unauthorized network or system access | Vulnerability: Failure to protect the confidentiality of sensitive information. | Control: Internationally or nationally accepted cryptographic methods and key management techniques are employed. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | External Fraud | Threat: Unauthorized network or system access | Vulnerability: Failure to protect the confidentiality of sensitive information. | Control: Internationally or nationally accepted cryptographic methods and key management techniques are employed. | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | External Fraud | Threat: Unauthorized network or system access | Vulnerability: Lack of a policy to ensure end-to-end data transaction protection. | Control: An encryption policy is in place that covers the end-to-end transaction (e.g., origination, storage, network path, backups, recovery and legally mandated provisions). | Control vs. impact score: 5 | Residual risk score: 0.00
Systems Development | Internal Fraud | Threat: Unauthorized network or system access | Vulnerability: Lack of a policy to ensure end-to-end data transaction protection. | Control: An encryption policy is in place that covers the end-to-end transaction (e.g., origination, storage, network path, backups, recovery and legally mandated provisions). | Control vs. impact score: 5 | Residual risk score: 0.00
| ISO Domain | Basel Loss Category | Threat Event | Vulnerability | Security Control | Likelihood of Threat (Input) | Degree to which Control is Implemented (Input) | Impact if Control is not Implemented (Input) | Control vs. Impact Score | Residual Risk Score |
|---|---|---|---|---|---|---|---|---|---|
| Systems Development | External Fraud | Unauthorized network or system access | Lack of customization in the strength of protection for system- and user-defined sensitive information. | Algorithms and the strength of encryption used for securing authentication credentials (e.g., passwords and PINs) and other data during transmission/storage have been determined based on a risk assessment methodology. | | | | 5 | 0.00 |
| Systems Development | Internal Fraud | Unauthorized network or system access | Lack of customization in the strength of protection for system- and user-defined sensitive information. | Algorithms and the strength of encryption used for securing authentication credentials (e.g., passwords and PINs) and other data during transmission/storage have been determined based on a risk assessment methodology. | | | | 5 | 0.00 |
| Systems Development | Internal Fraud | Unauthorized network or system access | Weak or unauthorized encryption algorithms can result in the exposure of sensitive or confidential information. | The strength and integrity of proprietary encryption algorithms have been certified by an authorized evaluation agency. | | | | 5 | 0.00 |
| Systems Development | External Fraud | Unauthorized network or system access | Weak or unauthorized encryption algorithms can result in the exposure of sensitive or confidential information. | The strength and integrity of proprietary encryption algorithms have been certified by an authorized evaluation agency. | | | | 5 | 0.00 |
| Systems Development | Internal Fraud | Unauthorized network or system access | Lack of strong non-repudiation controls can result in tampering with messages between origin and recipient, integrity issues and loss of potential legal evidence of crime. | Appropriate non-repudiation methods are used (e.g., time stamping, voice recording, digital signatures). | | | | 5 | 0.00 |
| Systems Development | External Fraud | Unauthorized network or system access | Lack of strong non-repudiation controls can result in tampering with messages between origin and recipient, integrity issues and loss of potential legal evidence of crime. | Appropriate non-repudiation methods are used (e.g., time stamping, voice recording, digital signatures). | | | | 5 | 0.00 |
| Systems Development | Internal Fraud | Unauthorized network or system access | System files are not controlled. | Access to system files is controlled and maintained. | | | | 5 | 0.00 |
| Systems Development | External Fraud | Unauthorized network or system access | System files are not controlled. | Access to system files is controlled and maintained. | | | | 5 | 0.00 |
| Systems Development | External Fraud | Unauthorized scans | Failure to protect sensitive information confidentiality. | Internationally or nationally accepted cryptographic methods and key management techniques are employed. | | | | 5 | 0.00 |
| Systems Development | External Fraud | Unauthorized scans | Lack of strong non-repudiation controls can result in tampering with messages between origin and recipient, integrity issues and loss of potential legal evidence of crime. | There is an encryption policy in place that covers the end-to-end transaction (e.g., origination, storage, network path, backups, recovery and legally mandated provisions). | | | | 5 | 0.00 |
| Systems Development | Business Disruption and System Failures | Viruses | Applications are not developed with the appropriate security features and functions. | Applications are independently evaluated or certified. | | | | 5 | 0.00 |
| ISO Domain | Basel Loss Category | Threat Event | Vulnerability | Security Control | Likelihood of Threat (Input) | Degree to which Control is Implemented (Input) | Impact if Control is not Implemented (Input) | Control vs. Impact Score | Residual Risk Score |
|---|---|---|---|---|---|---|---|---|---|
| Systems Development | Business Disruption and System Failures | Viruses | Software patches that are not tested and applied in a timely manner leave application vulnerabilities open and render the application susceptible to attack. | A process is in place to allow for the prompt testing and application of up-to-date security patches from vendors. | | | | 5 | 0.00 |
| Systems Development | External Fraud | War dialing | Lack of customization in the strength of protection for system- and user-defined sensitive information. | Algorithms and the strength of encryption used for securing authentication credentials (e.g., passwords and PINs) and other data during transmission/storage have been determined based on a risk assessment methodology. | | | | 5 | 0.00 |
| Systems Development | Business Disruption and System Failures | Worms | Applications are not developed with the appropriate security features and functions. | Applications are independently evaluated or certified. | | | | 5 | 0.00 |
| Systems Development | Business Disruption and System Failures | Worms | Software patches that are not tested and applied in a timely manner leave application vulnerabilities open and render the application susceptible to attack. | A process is in place to allow for the prompt testing and application of up-to-date security patches from vendors. | | | | 5 | 0.00 |
ISO Domain
Access Control
Asset Classification & Control
Business Continuity Management
Communications & Operations Management
Compliance
Organizational Security
Personnel Security
Physical and Environmental Security
Security Policy
Systems Development
Basel I Category
Internal Fraud
External Fraud
Employee Practices and Workplace Safety
Clients, Products and Business Practices
Damage to Physical Assets
Business Disruption and System Failures
Execution, Delivery and Process Management
Control vs. Impact Score lookup matrix (rows: Control Implemented, 0–5; columns: Impact if Not Implemented, 0–5). A control that is not implemented at all (row 0) against a maximum-impact item (column 5) scores 10; a fully implemented control (row 5) scores 0 regardless of impact.

| Control Implemented \ Impact if Not Implemented | 0 | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|---|
| 0 | 5 | 6 | 7 | 8 | 9 | 10 |
| 1 | 4 | 4 | 6 | 7 | 8 | 9 |
| 2 | 3 | 3 | 3 | 6 | 7 | 8 |
| 3 | 2 | 2 | 2 | 2 | 6 | 7 |
| 4 | 1 | 1 | 1 | 1 | 1 | 6 |
| 5 | 0 | 0 | 0 | 0 | 0 | 0 |

Input scale values (control implementation and impact): Unknown, 0, 1, 2, 3, 4, 5

Likelihood of Threat (Input) values: 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 1
Airplane crash
Application software failure
Automobile crash
Biological agent attack
Bomb attacks
Bomb threats
Chemical spill
Civil disorder
Computer crime
CPU malfunction/failure
DDoS or DoS attacks
Discussing sensitive matters in open
DNS failure
Dumpster diving
Dust/sand
Embezzlement
Epidemic
Extortion
Fire
Floods
Gas leaks
Hardware failure
Hazardous waste exposure
Heat
High winds
Human error
Hurricane
HVAC failure
Lawsuits/litigation
Leaving computer screen exposed or unlocked
Leaving doors unlocked
Leaving sensitive documents exposed
Lightning
Lost or stolen laptops
Malicious code
Network spoofing
Network/application backdoor
Network/application time bomb
Power failure
Power fluctuation
Radiation contamination
Robbery
Sabotage
Seismic activity
Shoulder surfing
Snow/ice storms
Social engineering
Software defects
Solar flares
System software failure
Tailgating to gain unauthorized access
Terrorist attack
Telecommunications failure
Tidal wave
Tornados
Trojans
Typhoon
Unauthorized network or system access
Unauthorized scans
Unintentional DDoS
Unintentionally bad legislation
Vandalism
Virus hoaxes
Viruses
Volcanic eruption
War
War dialing
Web defacements
Work stoppage/strike
Worms