By Cesare Gallotti
3 - Analyze controls
In the "Controls" sheet, put the value 1, 2 or 3 in "Strength/Vulnerability" following the criteria in the "Criteria" worksheet.
Insert the motivations in the "Description" and "Vulnerability" fields.
Copy and paste column B into the "Main table" sheet.
Please note that the 133 controls are the ISO/IEC 27001:2005 controls. New controls can be added, but they also need to be linked with the appropriate threats in the "Main table" sheet.

4 - Calculate risk level
The sheet calculates the "inherent risk" with an easy formula that can be checked in the cells of the 8th row.
Each control is linked to the threats it reduces with an X, and vice versa (each threat is related to the relevant controls with an X).
If the inherent risk is lower than the strength of the control, the cell is green; otherwise it is red.
Conditional formatting is present for every cell. If new columns or rows are added, check whether and how the conditions are still valid.

5 - Treat risks
For accepted risks, the "X" shall be replaced by an "A" in the "Main table" sheet and the cell becomes yellow (because of the conditional formatting). In this case, the "Risk acceptance" sheet must be filled in.
For risks that are treated via reduction or transfer, the "X" shall stay in place and the "Risk treatment" sheet must be filled in.

Note to this VERA version
In the "Main table" sheet, relations among threats and controls may be incorrect (i.e.: they are basically incorrect!).

Note: Criteria shall be customized considering the scope (e.g. industry sector, location, technology, etc.)
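As an added illustration of steps 4 and 5 (example code, not part of the VERA workbook), the Python below reproduces the Main table logic: the inherent risk per threat, the green/red comparison against the control's strength, and the "A" mark that sends a risk to the "Risk acceptance" sheet instead of the "Risk treatment" sheet. The C=1, I=2, A=3 weighting, averaged and scaled by probability/3, is an assumption inferred from the 8th-row values on this page (probability 1 with IA gives 0.83, probability 3 with CA gives 2.00), not the sheet's own formula; the control-to-threat links are constructed.

```python
from dataclasses import dataclass

# Assumed weighting of the CIA parameters, inferred from the 8th-row values on the page
# (probability 1 with "IA" gives 0.83, probability 3 with "CA" gives 2.00); it is not the
# workbook's own formula.
WEIGHTS = {"C": 1, "I": 2, "A": 3}

@dataclass(frozen=True)
class Threat:
    name: str
    probability: int  # 1, 2 or 3, assigned from the "Criteria" sheet
    parameters: str   # affected parameters, a subset of "CIA"

def inherent_risk(threat: Threat) -> float:
    """Probability times the mean parameter weight, normalised to the 0..3 scale."""
    weights = [WEIGHTS[p] for p in threat.parameters]
    return round(threat.probability * sum(weights) / len(weights) / 3, 2)

def cell_colour(mark: str, risk: float, strength: int) -> str:
    """The Main table's conditional formatting: 'A' marks an accepted risk (yellow);
    otherwise green when the control is stronger than the inherent risk, red when not."""
    if mark == "A":
        return "yellow"
    return "green" if risk < strength else "red"

def evaluate(threats, controls, links):
    """links maps (control id, threat name) to 'X' or 'A'. Returns one tuple per link:
    (control id, threat name, inherent risk, colour, sheet that must be filled in)."""
    risk = {t.name: inherent_risk(t) for t in threats}
    rows = []
    for (cid, tname), mark in sorted(links.items()):
        colour = cell_colour(mark, risk[tname], controls[cid])
        sheet = {"yellow": "Risk acceptance", "red": "Risk treatment"}.get(colour, "")
        rows.append((cid, tname, risk[tname], colour, sheet))
    return rows

# Constructed sample: threat ratings and control strengths taken from the page, links made up.
THREATS = [Threat("Software Malfunction", 3, "CIA"),
           Threat("Unauthorised use of equipment", 2, "CIA"),
           Threat("Theft of equipment", 3, "CA"),
           Threat("Fire", 1, "IA")]
CONTROLS = {"A.10.1.4": 2, "A.11.2.2": 1, "A.5.1.1": 3}  # strength/vulnerability levels
LINKS = {("A.10.1.4", "Software Malfunction"): "X",          # 2.00 vs 2 -> red, treat
         ("A.11.2.2", "Unauthorised use of equipment"): "A",  # accepted -> yellow
         ("A.5.1.1", "Theft of equipment"): "X",              # 2.00 vs 3 -> green
         ("A.5.1.1", "Fire"): "X"}                            # 0.83 vs 3 -> green

if __name__ == "__main__":
    for row in evaluate(THREATS, CONTROLS, LINKS):
        print(row)
```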
Main table: threat columns (probability, parameters, inherent risk as computed in the 8th row)

  Threat                                   Probability   Parameters   Inherent risk
Physical damage
  Fire                                     1             IA           0.83
  Water damage                             1             A            1.00
  Pollution, dust, corrosion, freezing     1             A            1.00
Controls sheet (ISO/IEC 27001:2005 Annex A control, strength/vulnerability level)

  A.5.1.1  Information security policy document                           3
  A.5.1.2  Review of the information security policy                      3
  A.6.1.1  Management commitment to information security                  2
  A.6.1.2  Information security coordination                              3
  A.6.1.3  Allocation of information security responsibilities            3
  A.6.1.4  Authorization process for information processing facilities    3
  A.6.1.5  Confidentiality agreements                                     2
  A.6.1.6  Contact with authorities                                       3
  A.6.1.7  Contact with special interest groups                           2
  A.6.1.8  Independent review of information security                     1
  A.6.2.1  Identification of risks related to external parties            3
  A.6.2.2  Addressing security when dealing with customers                2
  A.6.2.3  Addressing security in third party agreements                  2
  A.7.1.1  Inventory of assets                                            3
  A.7.1.2  Ownership of assets                                            3
  A.7.1.3  Acceptable use of assets                                       2
  A.7.2.1  Classification guidelines                                      3
  A.7.2.2  Information labelling and handling                             1
  A.8.1.1  Roles and responsibilities                                     3
  A.8.1.2  Screening                                                      3
  A.8.1.3  Terms and conditions of employment                             3
  A.8.2.1  Management responsibilities                                    2
  A.8.2.2  Information security awareness, education and training         2
  A.8.2.3  Disciplinary process                                           3
  A.8.3.1  Termination responsibilities                                   3
  A.8.3.2  Return of assets                                               1
  A.8.3.3  Removal of access rights                                       1
  A.9.1.1  Physical security perimeter                                    3
  A.9.1.2  Physical entry controls                                        2

(X links between these controls and the Physical damage columns: column positions not recoverable from the extracted text.)
Seven further threat columns (column names not extracted)
  Probability     3     1     1     1     1     1     1
  Parameters      A     A     A     A     A     A     A
  Inherent risk   3.00  1.00  1.00  1.00  1.00  1.00  1.00
(Control-to-threat X matrix for these columns: column positions not recoverable from the extracted text.)
  Threat                                                    Probability   Parameters   Inherent risk
Loss of essential services
  Loss of power supply or power fluctuation                 2             A            2.00
  Failure of telecommunication components                   2             CIA          1.33
  Transmission errors (including misrouting of messages)    1             IA           0.83
  Damage to lines                                           1             A            1.00
  Traffic overloading                                       1             A            1.00
  Staff shortage                                            1             A            1.00
Disturbance
  Electromagnetic radiation, thermal radiation,             1             IA           0.83
  electromagnetic pulses
(Control-to-threat X matrix for these columns: column positions not recoverable from the extracted text.)
  Threat                                                    Probability   Parameters   Inherent risk
Compromise of information
  Eavesdropping (including traffic analysis)                1             C            0.33
  Remote spying                                             1             CIA          0.67
  Theft of media or documents                               3             C            1.00
  Theft of equipment                                        3             CA           2.00
  Retrieval of recycled or discarded media                  1             C            0.33
  Disclosure                                                1             C            0.33
  Data from untrustworthy sources                           1             I            0.67
(Control-to-threat X matrix for these columns: column positions not recoverable from the extracted text.)
  Threat                                                    Probability   Parameters   Inherent risk
  Communications infiltration (including rerouting of       1             CIA          0.67
  messages)
  Repudiation                                               2             I            1.33
Technical failures
  Equipment failure or malfunction                          2             IA           1.67
  Saturation of the information system                      2             IA           1.67
  Software malfunction                                      3             CIA          2.00
  Hardware or systems maintenance error                     3             IA           2.50
  Unauthorised use of equipment                             2             CIA          1.33
(Control-to-threat X matrix for these columns: column positions not recoverable from the extracted text; one cell in this block carries an "A", i.e. an accepted risk, instead of an "X".)
  Threat                                                    Probability   Parameters   Inherent risk
Unauthorised actions / Compromise of functions
  Illegal import/export of software (fraudulent copying     3             CIA          2.00
  of software, use of copied software)
  Business data alteration by malicious user                3             CIA          2.00
  Malicious software                                        3             CIA          2.00
  Network access by unauthorized users                      1             CIA          0.67
  Use of network facilities in an unauthorized way          1             CIA          0.67
  Business user errors                                      3             CIA          2.00
  Use of software by unauthorized users                     1             CIA          0.67
(Control-to-threat X matrix for these columns: column positions not recoverable from the extracted text.)
  Threat                                                    Probability   Parameters   Inherent risk
Compromise of functions
  Deterioration of storage media                            2             IA           1.67
  Use of software in an unauthorized way                    1             CIA          0.67
  Masquerading of user identity                             1             CIA          0.67
(Control-to-threat X matrix for these columns: column positions not recoverable from the extracted text; each control row ends with a number between 2 and 35 whose association with the control names is lost.)
Risk acceptance sheet

  Threat:                        Unauthorised use of equipment
  Inherent risk:                 2
  Control:                       A.11.2.2 Privilege management
  Strength/Vulnerability level:  1
  Reason for acceptance:         The number of system administrators is too low for having a proper privilege management policy.
Risk treatment sheet

  Threat:                        Software Malfunction
  Inherent risk:                 3
  Control:                       A.10.1.4 Separation of development, test and operational facilities
  Strength/Vulnerability level:  2
  Treatment
    Action:       A project of separation of facilities will be started in October. The feasibility study has been done and a draft project plan has been issued.
    End date:     January
    Responsible:  Cesare