isms risk calculator spread sht v0.1

Access Control Asset Classification & Control Business Continuity Management Communications & Operations Management ComplianceOrganizational Security Personnel Security Physical and Environmental Security Security PolicySystems Development

04/19/2023 C BITS 2003. All rights reserved. 2

BITS KEY RISK MEASUREMENT TOOL FOR INFORMATION SECURITY OPERATIONAL RISKS

Threat EventAccess Control

10% 0 0 5 0.50Access Control

5 0.00Access Control Computer crime




5 0.00Access Control DDoS or DoS attacks





5 0.00

ISO Domain Reference

Basel Loss Category

for Operation

al RiskVulnerability

Security Control

Likelihood of Threat

(Input)

Degree to which

Control is Implemente

d

(Input)

Impact if Control is

not Implemente

d

(Input)

Control vs.

Impact Score

Residual Risk Score

Business Disruption and System Failures

Application software failure

Security events are not logged at the application level.

Security events are logged at the application level.



Application testing is not performed.

Application testing is performed.

External Fraud

System access logs are not created and reviewed to identify use or attempted use and modification or attempted modification of critical systems components (files, registry entries, configurations, security settings/parameters,

System access logs are created and reviewed to identify use or attempted use and modification or attempted modification of critical systems components (files, registry entries, configurations, security settings/parameters, audit logs).

External Fraud

System access logs are not stored in a secure fashion with limited access and are not protected from alteration or deletion.

System access logs are stored in a secure fashion with limited access and protected from alteration or deletion.

Internal Fraud

Policies that define the removal of information from company facilities are not in place and are not communicated to all employees.

Policies that define the removal of information from company facilities are in place and communicated to all employees.

External Fraud




Ingress/egress filtering is not enabled/supported on routers.

Network routers do ingress and egress filtering.


Routing access control lists are inappropriately configured or improperly maintained to ensure security.

Routing access control lists are maintained by designated personnel and used for security.


All external connections and/or external IP network access passes bypass firewalls.

All external connections and external IP network access passes through a firewall. External

FraudSNMP best practices have not been implemented.

SNMP best practice has been implemented.


Technology such as encryption, VPN client technology, etc. are not used during remote connectivity.

Confidentiality of sensitive information is ensured during remote connectivity using appropriate technology such as encryption, VPN client technology, etc.

A2

ISO 17799 domains. See "ISO and Basel Categories" tab for list.

B2

The primary focus on operational risk has been in the categories the Committee identified as those with the potential to cause major losses. See "ISO and Basel Categories" tab for list.

C2

A threat event is an occurrence or circumstance that has the potential to have an undesirable impact on an asset. Each threat event could be caused by multiple actors or sources with different motivations. The user of the tool should consider the possible sources of a threat event when completing the input ratings. See "Threat Categories" tab for list.

D2

The threat vulnerability and control content was incorporated from a list of control questions identified by the BITS Security Assessment Project Team of the BITS IT Service Providers Working Group. The group developed a matrix questionnaire outlining security practices, processes and controls in the context of the financial services industry and regulators’ requirements that may be included in an assessment or audit of an IT service provider’s operations. These control questions were converted by into control statements and mapped to corresponding threat/vulnerability pairs.

E2

The threat vulnerability and control content was incorporated from a list of control questions identified by the BITS Security Assessment Project Team of the BITS IT Service Providers Working Group. The group developed a matrix questionnaire outlining security practices, processes and controls in the context of the financial services industry and regulators’ requirements that may be included in an assessment or audit of an IT service provider’s operations. These control questions were converted by into control statements and mapped to corresponding threat/vulnerability pairs.

J2

Users should factor several considerations into their input selection, including the degree of change at the organization, unique system characteristics, potential threat actors/sources, and the available access. The likelihood of threat is defined on a 10 to 100% scale. A threat likelihood of 0% is not an option because, by definition, there is always a likelihood of a threat occurring no matter how low the probability.

K2

An input measure of 0 to 5 is required to indicate the degree to which a control is implemented. 0= No Degree of implementation 5= High Degree of Implementation

L2

“Impact” refers to the magnitude of harm caused by a threat’s exercise of vulnerability. An input measure of 0 to 5 is required to indicate the impact if the control is not implemented. 0- No impact 1- Minor 2-Tangible 3- Significant 4- Serious 5- Grave

M2

A 0-to-10 numeric scoring array quantifies the intersection of the control implemented and impact inputs. The scoring array is defined as follows: 0 = Good Control vs. Low Impact—No room for improvement 10 = Bad Control vs. High Impact—Much room for improvement

N2

The residual risk score equation is the interim score from the intersection of the degree of control implementation and impact multiplied by the likelihood of threat percentage.


Access Control DDoS or DoS attacks





5 0.00Access Control Human error



5 0.00Access Control Lawsuits/ litigation




5 0.00


The remote access client allows split tunneling.

The remote access client prohibits split tunneling.









All external connections and external IP network access passes through a firewall. Business

Disruption and System Failures


All external connections and external IP network access passes through a firewall. Execution ,

Delivery and Process Management

Host level system authorization mechanisms are not in place.

Host level system authorization mechanisms are in place.

Execution , Delivery and Process Management

Operating system master and sub-master consoles are not located in a protected and controlled area.

Operating system master and sub-master consoles are located in a protected and controlled area.


A comprehensive policy outlining remote user requirements is not in place and is not communicated to and/or is not understood or followed by the

A comprehensive policy outlining remote user requirements is in place and communicated via an agreement signed by the employee.

External Fraud

Procedures do not exist to verify the authenticity of the counter party providing electronic instructions or transactions through trusted exchange of passwords, tokens, or cryptographic keys.

Procedures exist to verify the authenticity of the counter party providing electronic instructions or transactions through trusted exchange of passwords, tokens, or cryptographic keys.




Clients, Products and Business Practices







Access Control Lawsuits/ litigation


5 0.00Access Control





5 0.00Access Control Lost or stolen laptops

5 0.00


Processes/procedures have not been implemented to ensure third party connections are appropriately authorized, documented, and managed.

An authorization, documentation and management process is in place for all external connections.


Session encryption is not used for external IP access.

External IP access, including system-to-system authentication, uses session encryption.

Internal Fraud

Leaving computer screen exposed or

unlocked

Workstation screensaver/lockout features are not enabled/system enforced. Policies/guidelines do

The desktop is configured to log off, lock or use a password protected screen saver whenever the computer is left unattended. External

FraudLeaving computer screen exposed or

unlocked


The desktop is configured to log off, lock or use a password protected screen saver whenever the computer is left unattended. Internal

FraudLeaving computer screen exposed or

unlocked

No limitations or restrictions have been placed on connection times.

Limitations and/or restrictions have been placed on connection times for activities such as batch processing (i.e., restricting connections, time-outs, and/or

External Fraud

Leaving sensitive documents exposed



External Fraud


Security controls for equipment and information used in mobile computers have not been established.

Security controls for equipment and information used in mobile computers have been established including: permissible equipment use and security of that equipment (e.g., double-wrapped envelopes, locked briefcases/cabinets, encrypted data, digital certificates, etc.), security and backup of information

External Fraud


Security controls for equipment and information used in mobile computers have been established including: permissible equipment use and security of that equipment (e.g. double-wrapped envelopes, locked briefcases/cabinets, encrypted data, digital certificates, etc), security and back up of


Access Control Malicious code

5 0.00Access Control Malicious code




5 0.00Access Control Network spoofing










5 0.00





Processes/procedures have not been implemented to ensure third party connections are appropriately authorized, documented,






The internal address range is exposed or unprotected.

The internal address range is protected (e.g., NAT).


Applications in use or considered for use do not conform to the security feature criteria in the BITS Product Certification Program or other recognized product certifications.

Applications in use or considered for use conform to the security criteria in the BITS Product Certification Program or other recognized product certifications.

Internal Fraud



External Fraud






Internal Fraud



FraudAll external connections and/or external IP network access passes bypass firewalls.







The internal address range is protected (e.g., NAT).

External Fraud


The internal address range is protected (e.g. NAT). External

FraudSession encryption is not used for external IP access.


External Fraud

Local and wide area networks are not fully switched.

Local area and wide area networks are fully switched.


Access Control Network spoofing










5 0.00

External Fraud



External Fraud

The remote access client allows split tunneling.

The remote access client prohibits split tunneling.

Internal Fraud

Network/application backdoor

Time, day, or similar restrictions are not enabled.

Access to resources is controlled by a combination of any of the following: (1) method or location of accessing user (2) time-of-day (3) day-of-week (4) calendar date (5) specific program used to access the resource.

External Fraud




Internal Fraud


Authorization engine fails in an open state.

If the authorization engine for the system fails, the access control rules default to ‘no access”.External

FraudNetwork/application

backdoorAuthorization engine fails in an open state.

If the authorization engine for the system fails, the access control rules default to "no access.”Internal


backdoorAccess administration processes do not ensure that user access is based on least privilege or consistent with job function.

User access capabilities are configured with least privilege, and are consistent with the users’ assigned job responsibilities for performing a particular function or transaction.

External Fraud


Access administration processes do not ensure that user access is based on least privilege or consistent with job function.


Internal Fraud


Access administration change (employee status changes) processes are informal or inadequate.

Procedures are in place to amend user access rights when a user changes roles in the organization and revoke rights when a user leaves the organization.

External Fraud



Procedures are in place to amend user access rights when a user changes roles in the organization and revoke rights when a user leaves the


Access Control








5 0.00

Internal Fraud


No processes in place to ensure default user ids are renamed/disabled

Default user IDs are renamed or disabled.

External Fraud


No processes in place to ensure default user ids are renamed/disabled


Internal Fraud


Temporary, generic, guest or anonymous user IDs are not tightly controlled/monitored.

Temporary, generic, guest or anonymous user IDs are limited in use and tightly controlled. External


backdoorTemporary, generic, guest or anonymous user IDs are not tightly controlled/monitored.

Temporary, generic, guest or anonymous user ids are limited in use and tightly controlled. Internal


backdoorPassword policies/standards have not been established.

Guidelines are provided to users for generating secure passwords including simple instruction such as passwords must not be shared, passwords must not be written down and stored in obvious places, etc.

External Fraud


Password policies/standards have not been established.


Internal Fraud


Policies/procedures addressing security of stored passwords have not been established. Systems features to secure store passwords (e.g., encryption) have not been enabled.

Appropriate controls are established for the secure storage and maintenance of password lists.

External Fraud





Access Control










5 0.00

Internal Fraud


Systems features (forced password change) have not been enabled or do not exist. In absence of systems controls, manual processes/procedures have not been established to remind

The system is configured to require the user to change initial password during first logon.

External Fraud




Internal Fraud


Systems features (strong passwords) are not enabled or do not exist. In absence of systems controls, policies/guidelines encouraging strong passwords have not been established.

Restrictions are placed on user password creation and use including expiration after a certain time period, minimum length, reuse, and appropriate strength (i.e., user ID not equal to password, password not equal to “password”, limit repetitive characters, require alphanumeric and

External Fraud



Restrictions are placed on user password creation and use including expiration after a certain time period, minimum length, reuse, and appropriate strength ((i.e. User Id not equal to password, password not equal to “password”, limit repetitive characters, require alphanumeric and

Internal Fraud


System timeout features have not been enabled or do not exist.

The system is configured to disconnect or force re-authentication of users after a specified period of inactivity.External


backdoorSystem timeout features have not been enabled or do not exist.

The system is configured to disconnect or force re-authentication of users after a specified period of inactivity.Internal


backdoorSystem unsuccessful logon attempt features are not enabled or do not exist.

The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts.External


backdoorSystem unsuccessful logon attempt features are not enabled or do not exist.

The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts.Internal


backdoorRemote network access paths are not restricted to designated gateways and/or resources.

Remote network access paths are restricted to designated gateways and/or resources.External


backdoorRemote network access paths are not restricted to designated gateways and/or resources.

Remote network access paths are restricted to designated gateways and/or resources.


Access Control











5 0.00

External Fraud


Strong authentication features are not enabled/supported.

Additional forms of access control are used to safeguard against unauthorized access from external connections (e.g., dial back, two-part authentication, challenge-response, time of day or week restriction, read-only restrictions, etc.).

External Fraud




Internal Fraud


Internal network segments are not segregated and do not have controlled access through network level

Internal network segments are segregated and have controlled access through network level authorization.Internal


backdoorSecurity events are not logged at the application level.

Security events are logged at the application level. External


backdoorSecurity events are not logged at the application level.

Security events are logged at the application level. External


backdoorTechnology such as encryption, VPN client technology, etc. are not used during remote connectivity.


Internal Fraud

Network/application time bomb



External Fraud


Time, day, or similar restrictions not enabled.


Internal Fraud



If the authorization engine for the system fails, the access control rules default to "no access.”External


time bombAuthorization engine fails in an open state.

If the authorization engine for the system fails, the access control rules default to ‘no access”.Internal


time bombAccess administration processes do not ensure that user access is based on least privilege or consistent with job function.



Access Control









5 0.00

External Fraud




Internal Fraud



Procedures are in place to amend user access rights when a user changes roles in the organization and revoke rights when a user leaves the External


time bombAccess administration change (employee status changes) processes are informal or inadequate.

Procedures are in place to amend user access rights when a user changes roles in the organization and revoke rights when a user leaves the Internal


time bombNo processes are in place to ensure default user IDs are renamed/disabled.


External Fraud


No processes are in place to ensure default user IDs are renamed/disabled.


Internal Fraud





time bombTemporary, generic, guest or anonymous user IDs are not tightly controlled/monitored.

Temporary, generic, guest or anonymous user IDs are limited in use and tightly controlled. Internal


time bombPassword policies/standards have not been established.

Guidelines are provided to users for generating secure passwords including simple instruction such as passwords must not be shared, passwords must not be written down and

External Fraud





Access Control








5 0.00

Internal Fraud




External Fraud


Policies/procedures addressing security of stored passwords have not been established. Systems features to secure store passwords


Internal Fraud


Systems features (forced password change) have not been enabled or do not exist. In absence of systems controls, manual


External Fraud



The system is configured to require the user to change their initial password during first logon.

Internal Fraud



Restrictions are placed on user password creation and use including expiration after a certain time period, minimum length, reuse, and appropriate strength (e.g., user ID not equal to password, password not equal to “password”, limit repetitive characters, require alphanumeric and

External Fraud



Restrictions are placed on user password creation and use including expiration after a certain time period, minimum length, reuse, and appropriate strength (e.g., user I not equal to password, password not equal to “password”, limit repetitive characters,

Internal Fraud





time bombSystem timeout features have not been enabled or do not exist.

The system is configured to disconnect or force re-authentication of users after a specified period of inactivity.


Access Control







5 0.00

Internal Fraud


System unsuccessful logon attempt features are not enabled or do not exist.



time bombSystem unsuccessful logon attempt features are not enabled or do not exist



time bombRemote network access paths are not restricted to designated gateways and/or resources.


External Fraud


Remote network access paths are not restricted to designated gateways and/or resources.


External Fraud



Additional forms of access control are used to safeguard against unauthorized access from external connections (e.g., dial back, two-part authentication, challenge-response, time of day or week restriction, read-only restrictions, etc.)

External Fraud






Internal network segments are not segregated and do not have controlled access through network level authorization.

Internal network segments are segregated and have controlled access through network level authorization.


Access Control Robbery

5 0.00Access Control Sabotage

5 0.00Access Control Social engineering

5 0.00Access Control Software defects

5 0.00Access Control System software failure





5 0.00

External Fraud



External Fraud



External Fraud




Applications in use or considered for use do not conform to the security feature criteria in the BITS Product Certification Program or other recognized product certifications.

Applications in use or considered for use conform to security feature criteria in the BITS Product Certification Programor other recognized product certifications.








System access logs are not maintained for an appropriate period of time.

System access logs are maintained for an appropriate period of time (both online and archived).External

FraudUnauthorized network

accessInformal or inadequate access monitoring

User IDs are reviewed for appropriate access.

Internal Fraud

Unauthorized network access

Informal or inadequate access administration/monitoring processes over privileged accounts

Privileged users are controlled and monitored by a formal approval process.


Access Control








5 0.00

Internal Fraud




External Fraud




Internal Fraud



The desktop is configured to log off, lock or use a password protected screen saver whenever the computer is left unattended. External


accessWorkstation screensaver/lockout features are not enabled/system enforced. Policies/guidelines do

The desktop is configured to log off, lock or use a password protected screen saver whenever the computer is left unattended. Internal


accessIngress/egress filtering is not enabled/supported on routers.


External Fraud




Internal Fraud

Unauthorized network or system access



External Fraud


Time, day, or similar restrictions not enabled



Access Control





5 0.00

Internal Fraud



If the authorization engine for the system fails, the access control rules default to "no access.”

External Fraud



If the authorization engine for the system fails, the access control rules default to "no access.”

Internal Fraud


Access administration processes do verify user identities or ensure that access is approved and authorized.

The signature or identity of a person applying for access is verified/authenticated and authorized.

External Fraud


access administration processes do verify user identities or ensure that access is approved and authorized

The signature or identity of a person applying for access is verified/authenticated and authorized. Internal


or system accessAccess administration processes do not ensure that user access is based on least privilege or consistent with job function.



Access Control













5 0.00

External Fraud




Internal Fraud


Informal or inadequate access monitoring processes.

User IDs are reviewed for appropriate access.

Internal Fraud





or system accessAccess administration change (employee status changes) processes are informal or inadequate.



or system accessInformal or inadequate access administration/monitoring processes over privileged accounts

Privileged users are controlled and monitored by a formal approval process.

Internal Fraud


No processes in place to ensure default user IDs are renamed/disabled


External Fraud


No processes in place to ensure default user IDs are renamed/disabled


Internal Fraud





or system accessTemporary, generic, guest or anonymous user IDs are not tightly controlled/monitored.

Temporary, generic, guest or anonymous user IDs are limited in use and tightly controlled. Internal


or system accessOngoing user security awareness programs have not been implemented.

Users are made aware of their responsibilities for maintaining effective access controls, particularly regarding the security of passwords and user equipment.

External Fraud


Ongoing user security awareness programs have not been implemented.

Users are made aware of their responsibilities for maintaining effective access controls, particularly regarding the security of passwords and user equipment.

Internal Fraud




External Fraud





Access Control












5 0.00

Internal Fraud




External Fraud




Internal Fraud




External Fraud



The system is configured to require the user to change their initial password during first logon.

Internal Fraud





or system accessSystem timeout features have not been enabled or do not exist.

The system is configured to disconnect or force re-authentication of users after a specified period of inactivity.Internal


or system accessSystem unsuccessful logon attempt features are not enabled or do not exist.



or system accessSystem unsuccessful logon attempt features are not enabled or do not exist.



or system accessRemote network access paths are not restricted to designated gateways and/or resources.


External Fraud


Remote network access paths are not restricted to designated gateways and/or resources.


Internal Fraud


Formal modem approval procedures are not in place.

A process is in place for requesting and approving modem connections to servers or desktops.

External Fraud





Access Control












5 0.00

Internal Fraud


Routing access control lists are inappropriately configured or improperly maintained


External Fraud


Routing access control lists are inappropriately configured or improperly maintained


External Fraud



Additional forms of access control are used to safeguard against unauthorized access from external connections (e.g., dial back, two-part authentication, challenge-response, time of day or week restriction, read-only restrictions, etc.)

Internal Fraud



An authorization, documentation and management process is in place for all external connections

External Fraud



An authorization, documentation and management process is in place for all external connections

Internal Fraud





or system accessAll external connections and/or external IP network access passes bypass firewalls.



or system accessSession encryption is not used for external IP access.


External Fraud


Local and wide area networks are not fully switched.

Local area and wide area networks are fully switched. Internal


or system accessInternal network segments are not segregated and do not have controlled access through network level

Internal network segments are segregated and have controlled access through network level authorization.Internal


or system accessNo limitations or restrictions have been placed on connection times.

Limitations and/or restrictions have been placed on connection times for activities such as batch processing (i.e., restricting connections, time-outs, and/or

Internal Fraud


System access and use is not monitored based on current vulnerability and risk analysis, and is not integrated with an incident response

System access and use is monitored based on current vulnerability and risk analysis, and is integrated with an incident response


Access Control












5 0.00

Internal Fraud




Internal Fraud




Internal Fraud


System access logs are not maintained for an appropriate period of time.

System access logs are maintained for an appropriate period of time (both online and archived).Internal


or system accessAlerting mechanisms are not used to notify appropriate individuals that security events related to system access have occurred.

Alerting mechanisms are used to notify appropriate individuals that security events related to system access have occurred.

External Fraud


Alerting mechanisms are not used to notify appropriate individuals that security events related to system access have occurred.

Alerting mechanisms are used to notify appropriate individuals that security events related to system access have occurred.

Internal Fraud


No process is in place to ensure accurate clock synchronization for system access and logging activity.

A process is in place to ensure accurate clock synchronization for system access and logging activity.External


or system accessNo process is in place to ensure accurate clock synchronization for system access and logging activity.

A process is in place to ensure accurate clock synchronization for system access and logging activity.Internal


or system accessTechnology such as encryption, VPN client technology, etc. are not used during remote connectivity.


External Fraud




Internal Fraud


Remote access is not controlled using appropriate authentication controls.

Remote access is controlled using appropriate authentication controls. External


or system accessRemote access is not controlled using appropriate authentication controls.

Remote access is controlled using appropriate authentication controls. External


or system accessA comprehensive policy outlining remote user requirements is not in place and is not communicated to and/or is not understood or followed by the

A comprehensive policy outlining remote user requirements is in place and communicated via an agreement signed by the employee.


Access Control

5 0.00Access Control Unauthorized scans










5 0.00Access Control Viruses



5 0.00Access Control War dialing

5 0.00

Internal Fraud


Remote access user accounts are not reviewed on an appropriate schedule.

Remote access user accounts are reviewed on an appropriate schedule.

Internal Fraud

Routing access control lists are inappropriately configured or improperly maintained to ensure security


External Fraud



Internal Fraud


All external connections and external IP network access pass through a firewall. External

FraudAll external connections and/or external IP network access passes bypass firewalls.

All external connections and external IP network access passes through a firewall. Internal

FraudThe internal address range is exposed or unprotected.

The internal address range is protected (e.g., NAT). External

FraudThe internal address range is exposed or unprotected.

The internal address range is protected (e.g., NAT). Internal

FraudHost level system authorization mechanisms are not in place.

Host level system authorization mechanisms are in place.

Internal Fraud

Operating system master and sub-master consoles are not located in a protected and

Operating system master and sub-master consoles are located in a protected and controlled area.

External Fraud

Alerting mechanisms are not used to notify appropriate individuals that security events

Alerting mechanisms are used to notify appropriate individuals that security events related to system

External Fraud

Remote access user accounts are not reviewed on an appropriate schedule.

Remote access user accounts are reviewed on an appropriate schedule.




External Fraud

SNMP best practices have not been implemented.





Internal Fraud




Access Control War dialing

5 0.00Access Control Web defacements












5 0.00

External Fraud



External Fraud

No processes in place to ensure default user IDs are renamed/disabled.



No processes in place to ensure default user ids are renamed/disabled.

Default user ids are renamed or disabled.






Default user ids are renamed or disabled.

External Fraud


Temporary, generic, guest or anonymous user IDs are limited in use and tightly controlled. Execution ,



Temporary, generic, guest or anonymous user IDs are limited in use and tightly controlled.



Temporary, generic, guest or anonymous user IDs are limited in use and tightly controlled. Clients,

Products and Business Practices



FraudPolicies/procedures addressing security of stored passwords have not been established. Systems features to secure stored passwords (e.g., encryption) have not been enabled.






Policies/procedures addressing security of stored passwords have not been established. Systems features to secure stored passwords (e.g., encryption) have not been enabled.



Policies/procedures addressing security of stored passwords have not been established. Systems features to secure stored passwords (e.g., encryption) have not been enabled.



Access Control Web defacements











5 0.00

External Fraud







Systems features (forced password change) have not been enabled or do not exist. In absence of systems controls, manual processes/procedures



Systems features (forced password change) have not been enabled or do not exist. In absence of systems controls, manual processes/procedures


External Fraud


The system is configured to disconnect or force re-authentication of users after a specified period of inactivity.



The system is configured to disconnect or force re-authentication of users after a specified period of inactivity.Business



The system is configured to disconnect or force re-authentication of users after a specified period of inactivity.Clients,




FraudSystem unsuccessful logon attempt features are not enabled or do not exist.

The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts.Execution ,



The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts.Business



The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts.


Access Control Web defacements

5 0.00Access Control Worms

5 0.00Access Control Worms

5 0.00

5 0.00

5 0.00Dumpster diving


5 0.00Embezzlement

5 0.00Embezzlement

5 0.00Human error

5 0.00



The system is configured to disable or suspend user IDs after a fixed number of unsuccessful logon attempts.Business




External Fraud

SNMP best practices have not been implemented.


Asset Classification and Control

Internal Fraud

Discussing sensitive matters in open

Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure of confidential information.

Information handling procedures for copying, storage, packaging for internal and external mail, electronic and spoken transmission and destruction are established based upon information asset


External Fraud





External Fraud




External Fraud

Confidential/sensitive data located on a disposed of or reassigned asset can be accessed by an unauthorized user.

Data disposal procedures are defined for data on all types of media (e.g., paper, microfiche, and computer disks).


External Fraud

Unauthorized disclosure of sensitive information.

Procedures for labeling printed reports, screen displays, magnetic media, electronic messages and file transfers are defined.


External Fraud





Lack of appropriate level of security controls applied to sensitive information assets. Unlawful disclosure of sensitive information.

Information assets that are processed, stored or transmitted are handled in accordance with asset classification (e.g., confidential, sensitive, and public) and are in compliance with applicable laws and


Lawsuits/ litigation

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00Network spoofing

5 0.00

5 0.00

5 0.00



Lack of appropriate level of security controls applied to sensitive information assets. Unlawful disclosure of sensitive information.

Information assets that are processed, stored or transmitted are handled in accordance with asset classification (e.g., confidential, sensitive, and public) and are in compliance with applicable laws and


External Fraud


Confidential/sensitive data located on a disposed of or reassigned asset can be accessed by an unauthorized user. Licensing penalties can be incurred if not

Procedures and controls for asset handling -- including the introduction or purchase, licensing, transfer, removal, disposal and reuse of assets -- are established.


Internal Fraud





External Fraud





Internal Fraud





External Fraud





External Fraud





External Fraud

Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure of confidential

Data encryption and authentication requirements are established based on information asset classification. Asset

Classification and Control

External Fraud



Data encryption and authentication requirements are established based on information asset classification. Asset

Classification and Control

Internal Fraud



Data encryption and authentication requirements are established based on information asset classification.


Unauthorized scans

5 0.00Biological agent attack

5 0.00Bomb attacks

5 0.00Chemical spill

5 0.00Civil disorder

5 0.00Civil disorder

5 0.00DDoS or DoS attacks


5 0.00DNS failure

5 0.00


External Fraud

Lack of appropriate level of security controls applied to sensitive information assets. Unauthorized disclosure

Data encryption and authentication requirements are established based on information asset Business

Continuity Management


Crisis event management procedures, roles and responsibilities, and communication plans

Crisis event management testing plans are in place including emergency response, escalation and communication plan Business


Damage to Physical Assets

Crisis event management procedures, roles and responsibilities, and communication plans

Crisis event management testing plans are in place including emergency response, escalation and communication plan Business



Crisis event management procedures, roles and responsibilities, and communication plans have not been defined or tested

Crisis event management testing plans are in place including emergency response, escalation and communication plan documentation, and clearly defined individual and organizational responsibilities (including public sector

Business Continuity Management


Crisis event management procedures, roles and responsibilities, and communication plans have not been defined or tested.




There are no legal obligations, accountability or service level agreement for third party service providers engaged in the recovery of business functions and services.

The contract(s) governing the products or services delivered by third parties include terms describing the recovery service levels to be delivered, continuity plans and notification provisions in the event of continuity



Business recovery procedures, roles and responsibilities, and corresponding technology recovery plans have not been defined or tested.

A comprehensive business continuity plan, including technology solutions is in place to address recovery of service during a time of business interruption.



Business continuity and disaster recovery plans will fail to meet the recovery time objectives for critical business functions and services.

End-to-end business continuity and recovery plans are tested at appropriate intervals and results feed into a continuous recovery plan improvement cycle that is based on changes in business, technology,






Floods

5 0.00Floods

5 0.00Human error

5 0.00Hurricane

5 0.00Lawsuits/ litigation

5 0.00Power failure

5 0.00Power failure

5 0.00



Unable to recover critical business capabilities within the required timeframes.

A risk assessment and business impact analysis is conducted to determine the events and environmental surroundings that could adversely impact the continuation of critical services or products and the respective required recovery time and



Crisis event management procedures, roles and responsibilities, and communication plans have not been defined or tested.




There is a lack of responsibility for supporting and enhancing the business continuity program.

Accountability and compliance for the continuity planning program, tests, audits and results are clearly Business




A risk assessment and business impact analysis is conducted to determine the events and environmental surroundings s that could adversely impact the continuation of critical services or products and the respective required recovery time and



There are no legal obligations, accountability or service level agreement for third party service providers engaged in the recovery of business functions and services











Power failure

5 0.00Power failure

5 0.00Power failure

5 0.00Sabotage

5 0.00System software failure

5 0.00

5 0.00

5 0.00

5 0.00



Business recovery procedures, roles and responsibilities, and technology recovery plans have not been defined or tested for key service providers such as disaster recovery hot-sites, telecommunications

Documented business continuity plans and supporting recovery strategies are in place including the consideration of recovery of activities supported by dependent service providers.



Business continuity and disaster recovery plans will fail to meet the recovery time objectives for critical business functions and services.

End-to-end business continuity and recovery plans are tested at appropriate intervals and results feed into a continuous recovery plan improvement cycle that is based on changes in business, technology,



There are no legal obligations, accountability or service level agreement for third party service providers engaged in the recovery of business functions and services




There is a lack of responsibility for supporting and enhancing the business continuity program.

Accountability and compliance for the continuity planning program, tests, audits and results are clearly Business







Telecommunications failure











Business continuity and disaster recovery plans will fail to meet the recovery time objectives

End-to-end business continuity and recovery plans are tested at appropriate intervals and


5 0.00Terrorist attack





5 0.00Airplane crash

5 0.00

5 0.00

5 0.00

5 0.00




There are no legal obligations, accountability or service level agreement for

The contract(s) governing the products or services delivered by third parties include terms describing



Business recovery procedures, roles and responsibilities, and corresponding

A comprehensive business continuity plan, including technology solutions is in place to address recovery











Crisis event management procedures, roles and responsibilities, and communication plans have not been defined or tested

Crisis event management testing plans are in place including emergency response, escalation and communication plan documentation and clearly defined individual and organizational responsibilities (including public sector



There are no legal obligations, accountability or service level agreement for third party service providers engaged in the recovery of business functions and services.


Communications and Operations Management


Lack of information and media protection while in transit.

Procedures and standards to protect information and media in transit are established. Communications

and Operations Management



Lack of release management processes.

System and network operating release management processes and procedures are in place including analysis of new release functionality, testing and deployment




Applications, systems and network architectures lack high availability.

Application, system and network architectures are designed for high availability and operational redundancy. Communications




Acceptance criteria for new applications, systems and networks are not in place.

Formal acceptance procedures and criteria (including security) for new applications, systems and networks are in


5 0.00Automobile crash

5 0.00Bomb threats

5 0.00Computer crime










5 0.00




Design requirements for applications, systems and networks are not met.

Implemented applications, systems and networks meet design requirements. Communications







Lack of procedures for handling external communications in the event of an incident.

Procedures are in place to notify or handle inquiries from external stakeholders; customers or clients, news media, government offices, outside investigators,


Internal Fraud

System and data backups are able to be accessed freely.

On and off-site system and data backups are protected from unauthorized access and tampering.Communications


External Fraud




Internal Fraud

Logs are aren't available for audits, forensics or prosecution.

Operator use logs are retained for an appropriate period of time. Communications


External Fraud




External Fraud

Intrusion detection systems are not used or used ineffectively.

Intrusion detection systems are used appropriately within the overall network Communications


Internal Fraud

Lack of accountability for network security logs.

Sufficient accountability is assigned to logs of security related events to the network.Communications


External Fraud


Sufficient accountability is assigned to logs of security related events to the network.Communications


External Fraud

Lack of strong authentication and authorization to e-commerce applications.

Online registration, authentication and authorization are required before e-commerce information and data exchanges are made. Communications



Lack of documented incident management procedures.

Incident management procedures are in place and well documented including: actions to take in the event of information system failures or loss of service, denial of service attacks, errors resulting from incomplete or inaccurate business data, errors resulting from system or device misconfiguration, breaches or loss of confidentiality, recovery from specific incidents,



Incident response teams are unqualified.

Incident response teams have appropriate qualifications and necessary training.


DDoS or DoS attacks






5 0.00DNS failure


5 0.00Fire

5 0.00Floods

5 0.00Floods

5 0.00Floods

5 0.00Floods

5 0.00



No network penetration testing is performed.

Regular, periodic vulnerability and penetration testing is performed on all networks in accordance with the risk of each security/control domain



Lack of network redundancy

Network redundancy or diverse network routing is maintained.



Network activities are not monitored.

Network activities are monitored (manually and/or using automated tools) through log reviews on a frequent, periodic basis.Communications




Network activities are logged such as: access failures, logon patterns, allocation and use of privileged access accounts, selected transactions, sensitive resources, remote dial-up activity, firewall activity, failed operating system and application access



Firewalls are not used or are used ineffectively.

Firewalls are used appropriately within the overall network architecture. Communications


External Fraud








External Fraud

Lack of record destruction and disposal policies

Record destruction and disposal policies have been established for documents, computer media (tapes, disks, cassettes, etc.), input/output data and



Backup or recovery processes aren't working and no one is aware of it.

Testing of backup systems and timely restoration of data is performed at regular intervals.Communications



System and data backups aren't available for standard or disaster recovery purposes.

Regular system and data backups are performed at appropriate intervals by specific or dedicated units. Communications







Recovery assets are destroyed in the original disaster.

Copies of system and data backups are taken and stored offsite at locations with an adequate distance from the production site and for an adequate period of time.




Testing of backup systems and timely restoration of data is performed at regular intervals.


Hardware failure

5 0.00Hardware failure




5 0.00Human error

5 0.00Human error

5 0.00Human error

5 0.00Human error

5 0.00



No ability to project future system capacity requirements.

Projection and planning for future system capacity requirements is performed. Communications



New system requirements are not documented or tested prior to use.

Operational requirements for new systems is established, documented and tested prior to the system’s acceptance and Communications








Formal acceptance procedures and criteria (including security) for new applications, systems and networks are in Communications



Maintenance logs aren't available for problem management and forensics.

Maintenance and upgrade logs are kept for hardware and/or software. Communications



Lack of instructions for incident response at processing facilities.

Operating instructions for the management of processing facilities include incident response requirements such as escalation via a call tree, methods for handling errors, generating and handling special output and restarting and



No formal change control process is in place.

A formal change control process is in place detailing; testing (including regression and security testing as appropriate), assessment, formal approval, back out or contingency plans, separation of development and production software and systems, separation of development and



System and network changes are not documented.

All system and network operating changes are documented and incorporated back into system manuals. Communications






Human error

5 0.00Human error

5 0.00Human error

5 0.00Human error

5 0.00Human error

5 0.00Hurricane



5 0.00

5 0.00

5 0.00

5 0.00

5 0.00



System monitoring does not have current signature files.

The security event monitoring system has current signature files.




Incident response teams have appropriate qualifications and necessary training.




Sufficient accountability is assigned to logs of security related events to the network



Lack of record retention and storage policies.

Record retention and storage policies have been established for documents, computer media (tapes, disks, cassettes, etc.), input/output data and



Sensitive information can be inadvertently made publicly available.

A review and authorization process is in place to control information that is made publicly available. Communications




Copies of system and data backups are taken and stored offsite at locations with an adequate distance from the production site and for an adequate period of time




Procedures are in place to notify or handle inquiries from external stakeholders; customers or clients, news media, government offices, outside investigators,








Lack of record destruction and disposal policies.

Record destruction and disposal policies have been established for documents, computer media (tapes, disks, cassettes, etc.), input/output data and









Lack of ability to support information and software exchange agreements.

Information and software exchange agreements (including software escrow) can be supported.





A review and authorization process is in place to control information that is made publicly available.


Malicious code

5 0.00Malicious code





5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00







Code scanning is performed, inconsistently performed or not adequately performed.

A code scanning policy is in place and includes the types of security issues to be scanned for (e.g., malicious code, worms, Trojan horses, back doors, form input



Lack of filtering for malicious code.

Filtering for malicious code at the network parameter is employed.


External Fraud




External Fraud

Tools to detect rogue network devices are not used.

Tools are used to detect rogue network devices and services.


External Fraud

Loss or compromise of data related to audits, forensics or prosecution

Network security related event logs are secured against unauthorized access, change and deletion for an adequate period of time.Communications


External Fraud





Internal Fraud





External Fraud





External Fraud


Network management and security / control , domains aren't in place.

Network management security/control domains (perimeter, DMZ, etc.) and perimeters have been designed, applied and implemented on all networks.


External Fraud


Non-secure configuration of network devices.

Network devices are securely configured according to their function within security/control zones (i.e., public/untrusted networks, semi-private networks, DMZs) and


External Fraud





External Fraud





5 0.00

5 0.00Power failure

5 0.00Robbery

5 0.00Sabotage

5 0.00Seismic activity

5 0.00Social engineering

5 0.00Software defects



5 0.00







External Fraud









External Fraud






Procedures are in place to notify or handle inquiries from external stakeholders, customers or clients, news media, government offices, outside investigators,




Copies of system and data backups are taken and stored offsite at locations with an adequate distance from the production site and for an adequate period of time.


External Fraud


A review and authorization process is in place to control information that is made publicly available. Communications




A formal change control process is in place detailing: testing (including regression and security testing as appropriate), assessment, formal approval, back out or contingency plans, separation of development and production software and systems, separation of development and








Formal acceptance procedures and criteria (including security) for new applications, systems and networks are in


Software defects









5 0.00




























Incident response teams have appropriate qualifications and necessary training. Communications



Incident response teams are not accessible in the event of an incident.

Incident response teams are accessible and available as needed.



No ability to project future system capacity requirements.

Projection and planning for future system capacity requirements is performed.


System software failure







5 0.00

5 0.00

5 0.00


5 0.00Tornados

5 0.00Trojans

5 0.00



New system requirements are not documented or tested prior to use.

Operational requirements for new systems is established, documented and tested prior to the system’s acceptance and Communications








Formal acceptance procedures and criteria (including security) for new applications, systems and networks are in Communications















Maintenance logs aren't available for problem management and forensics.

Maintenance and upgrade logs are kept for hardware and/or software. Communications


























Security incidents and suspicious activities are not monitored.

Security incidents are monitored including, security breaches, internal fraud, unauthorized/unacceptable employee activity and other suspicious


Trojans

5 0.00Trojans

5 0.00Trojans

5 0.00Trojans

5 0.00Trojans

5 0.00Trojans

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00



Lack of a comprehensive virus protection policy.

A virus protection policy including a virus protection process and response team is in place and communicated internally. Communications



Anti-virus software is not used or is not effective.

Antivirus software is deployed, updated and maintained.



Anti-virus software is able to be circumvented .

Restrictions on end-user override capabilities are in place with antivirus software.Communications



Remote and laptop users do not have virus protection.

Virus protection applies to remote and laptop users.










Internal Fraud





External Fraud





Internal Fraud





External Fraud





External Fraud



Security incidents are monitored including security breaches, internal fraud, unauthorized/unacceptable employee activity and other suspicious


5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00


Internal Fraud





Internal Fraud





External Fraud





Internal Fraud





External Fraud





External Fraud


Network management and security / control domains aren't in place.



Internal Fraud


Network management and security / control domains aren't in place.



External Fraud


Non secure configuration of network devices.



Internal Fraud


Non-secure configuration of network devices.



External Fraud


Remote access is uncontrolled and unmanaged.

Remote access management utilities or tools are used for remote access to networks and servers (administrator as well as “user” dial-in/dial-out, maintenance dial-in) appropriate to each


Internal Fraud





5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00


Internal Fraud





External Fraud





External Fraud





Internal Fraud





External Fraud





Internal Fraud



Network activities are logged such as: access failures, logon patterns, allocation and us of privileged access accounts, selected transactions, sensitive resources, remote dial-up activity, firewall activity, failed operating system and application access


External Fraud





External Fraud





External Fraud





Internal Fraud



Network security related event logs are secured against unauthorized access, change and deletion for an adequate period of time


5 0.00

5 0.00

5 0.00

5 0.00Unauthorized scans







5 0.00


External Fraud



Online registration, authentication and authorization are required before e-commerce information and data exchanges are made. Communications


Internal Fraud



Online registration, authentication and authorization are required before e-commerce information and data Communications


External Fraud


Access codes are able to be read in the clear while in storage or transmission.

Access codes are encrypted in storage and transmission.


Internal Fraud





External Fraud




Internal Fraud

System monitoring does not have current signature files.

The security event monitoring system has current signature files.


External Fraud




External Fraud

Network management and security / control , domains aren't in place.



External Fraud

Non secure configuration of network devices.



External Fraud




External Fraud


Network activities are monitored (manually and/or using automated tools) through log reviews on a frequent, periodic basis.


Unauthorized scans





5 0.00Virus hoaxes

5 0.00Viruses

5 0.00Viruses

5 0.00Viruses

5 0.00Viruses

5 0.00Viruses

5 0.00Viruses

5 0.00Viruses

5 0.00War dialing

5 0.00


External Fraud




External Fraud




External Fraud




Internal Fraud




External Fraud






Procedures are in place to notify or handle inquiries from external stakeholders, customers or clients, news media, government offices, outside investigators,




Security incidents are monitored including, security breaches, internal fraud, unauthorized/unacceptable employee activity and other suspicious




A virus protection policy including a virus protection process and response team is in place and communicated internally. Communications






















External Fraud


Online registration, authentication and authorization are required before e-commerce information and data exchanges are made.


Worms

5 0.00Worms

5 0.00Worms

5 0.00Worms

5 0.00Worms

5 0.00Worms

5 0.00Worms

5 0.00Worms

5 0.00Compliance DDoS or DoS attacks

5 0.00Compliance Human error



5 0.00








A virus protection policy, including a virus protection process and response team, is in place and communicated internally. Communications
























Firewalls are used appropriately within the overall network architecture. Business


Failure to review standard security configurations for networks, operating systems, applications, desktops and other system components.

Standard security configurations for networks, operating systems, applications, desktops and other system components are implemented and regularly reviewed for compliance. Security configurations may include security patches, vulnerability management, default


Lack of clearly defined roles and responsibilities.

Responsibility for legal and regulatory compliance has been clearly assigned.


Lack of procedures to avoid using material that would infringe on the copyright or intellectual property of others.

Procedures have been implemented to avoid using material that would infringe on the copyright or intellectual property of others. Execution ,


Lack of policy to protect the organization's intellectual property rights and ownership of information systems, source code that is developed (including escrowing issues with third parties) and business processes or

There is a policy in place to protect the organization's intellectual property rights and ownership of information systems, source code that is developed (including escrowing issues with third parties) and business processes or


Compliance Human error








5 0.00Compliance Lawsuits/ litigation



5 0.00


Failure to register software products with the proper authority to afford appropriate

Software products developed internally or by others on behalf of the organization, are


Failure to register internet domain names with the proper authority.

Internet domain names are registered with the proper authority.


Lack of procedures to protect against the use of information processing facilities for unauthorized purposes.

Procedures are in place to protect against the use of information processing facilities for unauthorized purposes.


Lack of process to ensure interoperability, compliance with international law when transferring encrypted information or

When transferring encrypted information or cryptographic controls to another country, there is a process in place to ensure interoperability,


Lack of procedures to aid in collecting adequate evidence in support of a legal action against a person (either internal or external) or

Procedures are in place to aid in collecting adequate evidence in support of a legal action against a person (either internal or external) or organization


Lack of compliance of information systems with published standards or codes of practice for the production of admissible evidence in court.

Information systems are compliant with published standards or codes of practice for the production of admissible evidence in court.





Failure to conduct security policy compliance reviews that include a review of information systems, system providers, owners of information assets, users and

Security policy compliance reviews are conducted and include a review of information systems, system providers, owners of information assets, users and management.



Responsibility for legal and regulatory compliance has been clearly assigned.



Responsibility for legal and regulatory compliance has been clearly assigned. Clients,



Procedures have been implemented to avoid using material that would infringe on the copyright or intellectual property of others.


Compliance Lawsuits/ litigation








5 0.00



Procedures have been implemented to avoid using material that would infringe on the copyright or intellectual property of others. Execution ,


Legal and compliance obligations may effect the execution, delivery and processes to be provided.

All third party relationships must identify all obligations from current, past and future litigation, lawsuits, breaches of contract, regulatory fines, and proceedings against the company, its officers and


Lack of policy to protect the organization's intellectual property rights and ownership of information systems, source code that is developed (including escrowing issues with third parties) and business processes or

There is a policy in place to protect the organization's intellectual property rights and ownership of information systems, source code that is developed (including escrowing issues with third parties) and business processes or


Failure to register software products with the proper authority to afford appropriate patent, trademark or copyright protection in a timely manner.

Software products developed internally or by others on behalf of the organization are registered in a timely manner with the proper authority to afford appropriate patent,


Failure to register internet domain names with the proper authority.

Internet domain names are registered with the proper authority.


Lack of process to ensure interoperability, compliance with international law when transferring encrypted information or cryptographic controls to another country.

When transferring encrypted information or cryptographic controls to another country, there is a process in place to ensure interoperability, compliance to international law and


Lack of procedures to aid in collecting adequate evidence in support of a legal action against a person (either internal or external) or organization such as information systems that are compliant with published standards or codes of practice and strong trail of documents and computer media.

Procedures are in place to aid in collecting adequate evidence in support of a legal action against a person (either internal or external) or organization, such as information systems that are compliant with published standards or codes of practice and a strong trail of documents and computer media.


Lack of compliance of information systems with published standards or codes of practice for the production of admissible evidence in court.

Information systems are compliant with published standards or codes of practice for the production of admissible evidence in court.


Compliance Network spoofing

5 0.00Compliance Sabotage

5 0.00Compliance

5 0.00Compliance

5 0.00Compliance

5 0.00Compliance

5 0.00Compliance Unauthorized scans

5 0.00Compliance Viruses


5 0.00

External Fraud




Lack of procedures to protect against the use of information processing facilities for unauthorized purposes.

Procedures are in place to protect against the use of information processing facilities for unauthorized purposes. External


accessFailure to review standard security configurations for networks, operating systems, applications, desktops and other system components.

Standard security configurations for networks, operating systems, applications, desktops and other system components are implemented and

External Fraud


Failure to use security tools for vulnerability or penetration testing, monitoring, policy compliance, anti-virus, firewall, application gateways and guards.

Security tools are used for vulnerability or penetration testing, monitoring, policy compliance, antivirus, firewall, application gateways and guards.

External Fraud


Failure to correct deficiencies noted in third party audits/assessments.

Deficiencies noted in third party audits/assessments are corrected.

External Fraud


Failure to perform annual third party audit/assessment to test controls and perform on-site validation.

An annual third party audit/assessment is performed including testing of controls and on-site validation. External

FraudFailure to use security tools for vulnerability or penetration testing, monitoring, policy compliance, anti-virus, firewall, application gateways and guards.









Compliance Viruses


5 0.00Compliance Worms




5 0.00Human error

5 0.00

5 0.00Sabotage

5 0.00

5 0.00



An annual third party audit/assessment is performed including testing of controls and on-site validation. Business












An annual third party audit/assessment is performed including testing of controls and on-site validation. Business




Organizational Security


External actor exceeds level of authorized access to the system. External source implements change to the system with out going through proper change control.

A written and comprehensive information security program that includes administrative and technical standards, procedures and policies is in place to protect


External Fraud



Procedures and policies are in place to control and document third-party physical and logical access to information and information systems.



Weak security controls implemented at the third party, increasing the risk of compromise of information assets.

All third party relationships and dependent service providers are identified -- including the services being performed and the clients affected by the services -- and appropriate due diligence


External Fraud











5 0.00

5 0.00


External Fraud


Weak security controls implemented at the third party, increasing the risk of compromise of information assets.

All third party relationships and dependent service providers are identified -- including the services being performed and the clients affected by the services -- and appropriate due diligence





Personnel Security

External Fraud

Incomplete, nonexistent, or insufficient background checks performed on employees and externals. Background checks are not done or a periodic basis.

Perform pre-employment and periodic background checks for all administrators and employees and contractors with access to critical information assets. Background checks encompass criminal checks at local, state, national and international level, credit

Personnel Security

Internal Fraud

Incomplete, nonexistent, or insufficient background checks performed on employees and externals. Background checks are not done or a periodic basis.

Perform pre-employment and periodic background checks for all administrators and employees and contractors with access to critical information assets. Background checks encompass criminal checks at local, state, national and international level, credit

Personnel Security

Internal Fraud

There is a lack of disciplinary action taken for policy violation.

A clearly defined and understood disciplinary process is in place for employees who violate the information security policy. Personnel

SecurityExternal Fraud

There is a lack of awareness on how to report a security incident.

Procedures for reporting security incidents and malfunctions are clearly defined and include detailed actions, reporting hierarchy, escalation triggers relative to the type of incident and potential impact and special provisions related to the

Personnel Security


Procedures for reporting incidents are not current or complete.

Procedures for reporting security incidents and malfunctions are communicated to all Personnel



Confidential discussions take place in open unsecured areas.

Employment provisions include nondisclosure or agreement of confidentiality and a clear statement of information security responsibilities.


5 0.00Human error

5 0.00Human error

5 0.00Human error

5 0.00Human error


5 0.00

Personnel Security

Internal Fraud



Employment provisions include nondisclosure or agreement of confidentiality and a clear statement of information security responsibilities. Personnel

SecurityBusiness Disruption and System Failures

Lack of trained security staff.

Comprehensive information security training commensurate with the position and access role is provided to all new employees and contractors and is

Personnel Security


Employees and externals are not aware of security probes. How to protect, detect, and report.

Information security awareness resources (website, brochure-ware, training modules, etc.) are made available to all employees and Personnel

SecurityExecution , Delivery and Process Management

Lack of formal Security certification oversight can lead to deteriorated knowledge.

Oversight of employee’s security certifications (e.g., CISA, CISSP, TISCA) requirements and maintenance is Personnel

SecurityExecution , Delivery and Process Management

Incident reports procedures are not tested regularly. "People not prepared to report".

Execution of the procedures for reporting security incidents is tested.

Personnel Security



Comprehensive information security training commensurate with the position and access role, is provided to all new employees and contractors and is conducted on a recurring basis.









5 0.00

5 0.00

Personnel Security


Lack of internal and vendor intrusion detection, logging, and security controls.

Information security incidents from internal operations and with third parties are tracked, analyzed and reported for appropriate regulatory requirements and process improvement.

Personnel Security

Internal Fraud


Employment provisions include nondisclosure or agreement of confidentiality and a clear statement of information security responsibilities.

Personnel Security

External Fraud


Employment provisions include nondisclosure or agreement of confidentiality and a clear

Personnel Security

External Fraud


Comprehensive information security training commensurate with the position and

Personnel Security

External Fraud


Information security awareness resources (website, brochure-ware, training modules, etc.) are made available to all employees and Personnel


Employees may be manipulated into giving out sensitive system information.

All employees are specifically made aware of “social engineering” risks. Personnel



Procedures for reporting security incidents and malfunctions are communicated to all Personnel


Tailgating to gain unauthorized access

Proximity badges are the only physical access control in place. "Proximity badges lost or stolen."

Employee and contractor access to physical location and information assets is controlled by biometric devices (fingerprint, retinal scans,


5 0.00

5 0.00


5 0.00

Personnel Security

Internal Fraud


Proximity badges are the only physical access control in place. "Proximity badges lost or stolen."

Employee and contractor access to physical location and information assets is controlled by biometric devices (fingerprint, retinal scans, other).

Personnel Security

Internal Fraud




Personnel Security

External Fraud




Personnel Security

External Fraud


Information security awareness resources (website, brochure-ware, training modules, etc.) are made available to all employees and contractors.


Unauthorized scans


5 0.00Virus hoaxes

5 0.00Virus hoaxes

5 0.00CPU malfunction/failure

5 0.00

Personnel Security

External Fraud


Procedures for reporting security incidents and malfunctions are clearly defined and include detailed actions, reporting hierarchy, escalation triggers relative to the type of incident and potential impact, and special provisions related to the time of day or non-business hour scenario, if any.

Personnel Security

External Fraud


Procedures for reporting security incidents and malfunctions are communicated to all employees.

Personnel Security



Information security awareness resources (website, brochure-ware, training modules, etc.) are made available to all employees and contractors.

Personnel Security

External Fraud


Procedures for reporting security incidents and malfunctions are clearly defined and include detailed actions, reporting hierarchy, escalation triggers relative to the type of incident and potential impact, and special provisions related to the time of day or non-

Physical and Environmental Security


Environmental protection not being tested regularly

Environmental protection equipment (fire suppression, water flooding, heat/air conditioning, power supply, etc.) is installed, tested and monitored at appropriate intervals.


Fire

5 0.00Floods

5 0.00Gas leaks


5 0.00

5 0.00HVAC failure

5 0.00











Lack of disaster recovery and surveying of physical location.

Premises where business information processing occurs is assessed for environmental hazards (e.g., exposure to hazardous facilities, natural gas, petroleum or other pipelines) and the likelihood of natural disasters (e.g., flooding,



Remote maintenance is not done securely and too many administrators.

Maintenance of equipment can be performed remotely through secure and controlled access.



Hazardous waste exposure


Premises where business information processing occurs is assessed for environmental hazards (e.g., exposure to hazardous facilities, natural gas, petroleum or other pipelines) and the likelihood of natural disasters (e.g., flooding, tornadoes or earthquakes).



Environmental protection not being tested regularly.



5 0.00

5 0.00

5 0.00Leaving doors unlocked

5 0.00Leaving doors unlocked

5 0.00

5 0.00

5 0.00


External Fraud


unlocked

Visitors are not being escorted at all times.

Visitors to the physical premise are escorted as necessary.


Internal Fraud


unlocked

Assets are not properly classified nor are control procedures. Users not following procedures.

Procedures to secure information (e.g., locked cabinets, document control, and clear screen/screen timeout policies) are established based on asset classification.


External Fraud


unlocked




External Fraud

There is a lack of physical operating security policies company wide or they are not followed and enforced.

Policies for operational security within the work space (e.g., utilization of shredding equipment, secure storage, and "clean desk" principles) are defined.


External Fraud

Lack of monitoring and control at non-employee entrances. "No guards, video, access control".

Non-employee physical premise access is controlled and monitored.


Internal Fraud





External Fraud





5 0.00

5 0.00Lost or stolen laptops

5 0.00Power failure

5 0.00Power failure Lack of fail over power.

5 0.00Power failure

5 0.00Power fluctuation

5 0.00Power fluctuation Lack of fail over power.

5 0.00


Internal Fraud





External Fraud





External Fraud









Hot swaps or hot fail over capabilities are employed for critical power supply equipment.Physical and

Environmental Security


Exposed wiring in ceilings, closets, floor not secure.

Safeguards are in place to prevent unauthorized interception or damage to network, power, telecommunications cabling or other on and off-site equipment necessary for business or backup activities, (e.g., continuous power supply equipment is installed and maintained for critical systems, phone/cable



Environmental protection not being tested regularly.




Hot swaps or hot fail over capabilities are employed for critical power supply equipment.


Robbery

5 0.00Robbery

5 0.00Robbery

5 0.00Robbery

5 0.00Robbery

5 0.00Robbery

5 0.00Robbery

5 0.00Robbery

5 0.00Sabotage

5 0.00Sabotage

5 0.00Seismic activity

5 0.00Shoulder surfing

5 0.00


External Fraud

Lack of monitoring control at loading and delivery points. "Blind spots with no video camera."

Loading and delivery area access to key data centers or buildings where information processing or storage is performed is controlled and monitored.


External Fraud

Access is not promptly removed or not scrutinized before being granted.

Physical premise access authority (sites, buildings, rooms, etc.) is defined and limited to authorized personnel only using appropriate controls and/or dual controls (badge, reception desk, guards, escorts, locks, biometrics, etc.).


External Fraud

Cameras or motion detectors not in place or contain blind spots.

Physical premise access is monitored using logs, cameras, motion detectors, etc. at appropriate intervals.Physical and


External Fraud

Lack of monitoring and control at non-employee entrances. "No guards, video, access control."



External Fraud




External Fraud

Physical security of data center is not routinely tested.

Penetration tests are performed to verify data center physical security.


External Fraud

Property is removed without being challenged.

Procedures are in place to prevent the authorized removal of property.


Internal Fraud

Property is removed without being challenged.

Procedures are in place to prevent the authorized removal of property.


External Fraud

Lack of monitoring and control at non-employee entrances. "No guards, video, access control."



External Fraud








Internal Fraud




Shoulder surfing

5 0.00

5 0.00

5 0.00

5 0.00





5 0.00


External Fraud




External Fraud



Loading and delivery area access to key data centers or buildings where information processing or storage is performed is controlled Physical and


External Fraud



Physical premise access is monitored using logs, cameras, or motion detectors, etc. at appropriate intervals.Physical and


External Fraud







Exposed wiring in ceilings, closets, floor not secure.

Safeguards are in place to prevent unauthorized interception or damage to network, power, telecommunications cabling or other on and off-site equipment necessary for business or backup activities, (e.g., continuous power supply equipment is installed and maintained for critical systems, phone/cable








Physical premise access authority (sites, buildings, rooms, etc.) is defined and limited to authorized personnel only using appropriate controls and/or dual controls (badge, reception desk, guards, escorts, locks,




Physical premise access is monitored using logs, cameras, or motion detectors, etc. at appropriate intervals.Physical and


External Fraud




Tornados

5 0.00


5 0.00Vandalism

5 0.00Vandalism

5 0.00Vandalism

5 0.00Security Policy Human error

5 0.00Security Policy

5 0.00Security Policy

5 0.00






External Fraud


Lack of Tempest or other measures to protect against electronic interception.

Emissions (wire in conduit, monitors, wireless broadcasts) are shielded to prevent compromise of network security.


External Fraud

Lack of Tempest or other measures to protect against electronic interception.

Emissions (wire in conduit, monitors, wireless broadcasts) are shielded to prevent compromise of network security.Physical and








Physical premise access authority (sites, buildings, rooms, etc.) is defined and limited to authorized personnel only using appropriate controls and/or dual controls (badge, reception desk, guards, escorts, locks,



Cameras or motion detectors are not in place or contain blind spots.

Physical premise access is monitored using logs, cameras, motion detectors, etc. at appropriate intervals.


Insiders/employees are unaware of proper security practices. Proper controls are not applied or if applied not done consistently for protection of information assets.


External Fraud




Internal Fraud





Security Policy Sabotage

5 0.00Security Policy Social engineering

5 0.00

5 0.00Application software failure





5 0.00Human error

5 0.00

External Fraud



External Fraud



Systems Development



Inappropriate or weak access control procedures result in authorized modifications, and/or data integrity issues.

Application access control procedures are in place to protect source code, the binaries or actual database or data.

Systems Development


Lack of tools that provide documentation of data alterations during the application production process.

Tools are available in production application environment to produce an audit trail of all data alterations.

Systems Development


Loss or modification of audit trails and/or activity logs can impede investigation into inappropriate application or human activities.

Audit trails and activity logs are handled and stored in a secure manner.

Systems Development

Internal Fraud

A lack of host-based IDS control eliminates the possibility of collecting evidence of malicious or suspicious application activity in real time and decreases the ability to monitor key system files for evidence of tampering.

Host-based intrusion detection system is employed.

Systems Development

External Fraud



Systems Development


Software patches not tested and applied in a timely manner can allow application vulnerability and render it susceptible to attack.

A process is in place to allow for the prompt testing and application of up-to-date security patches from vendors.

Systems Development


Lack of a consistently applied methodology can result in security exposures, potential loss of data integrity, and performance issues.

A formal application development process/methodology is in place.



5 0.00Lawsuit/litigation

5 0.00



5 0.00Human error

5 0.00Human error




5 0.00

5 0.00

Systems Development


Lack of independent risk assessment of applications can result in the oversight of security holes built into the application.

Applications are independently evaluated or certified.

Systems Development


Lack of strong non-repudiation controls can result in the tampering of message from origin to recipient; integrity issues and loss of potential legal evidence of crime.

Appropriate non-repudiation methods are used, (e.g., time stamping, voice recording, digital signatures).

Systems Development



Unauthorized access to files and libraries can result in modifications, or inappropriate access to files and libraries.

Authorized access to critical system files and source code libraries is established, controlled and maintained.

Systems Development


Lack of backup policy and procedures prevents recovery during a system problem.

System libraries are backed up on a regular basis so that they are available to be recovered in the event of a system problem.

Systems Development


Lack of change control policy and procedures can result in security exposures during changes or modifications.

There is a documented change control process including a review of code changes by information security.

Systems Development


Non-system segregation may result in data integrity issues.

The development/test system is segregated from the operational system.

Systems Development


Developers are not directed on the techniques to program applications in a secure fashion.

A programmer’s development manual guides the creation of safe and secure code. Developers have been trained in programming techniques that provide for more secure

Systems Development


Lack of encryption policy can result in data exposure of sensitive or other types of information and can have regulatory or legal ramifications.

An encryption policy is in place that includes an end-to-end transaction (e.g., origination, storage, network path, backups, recovery and legally mandated provisions).

Systems Development


Lack of independently risk assessment of applications can result in the oversight of security holes built into the application.


Systems Development


Lack of quality assurance procedures to test third party provided code.

For application code that is provided by a third party, procedures are in place for ensuring that the code is free from malicious code. Systems

DevelopmentBusiness Disruption and System Failures

Network/Application backdoors

Lack of code review and assurance procedures .

Application code has been reviewed for security flaws, backdoors and malicious code.


Malicious code




5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

Systems Development


Lack of change control policy and procedures can result in security exposures during changes or modifications.

There is a documented change control process including a review of code changes by information security.

Systems Development



A programmer’s development manual guides the creation of safe and secure code. Developers have been trained in programming Systems

DevelopmentExternal Fraud

Failure to protect the confidentially and integrity of sensitive information.

Internationally or nationally accepted cryptographic methods and key management techniques are employed.

Systems Development

External Fraud

Lack of encryption policy can result in data exposure of sensitive or other types of information that has a regulatory or legal ramification.

There is an encryption policy in place that includes an end-to-end transaction (e.g., origination, storage, network path, backups, recovery and legally

Systems Development





Systems Development









Systems Development

Internal Fraud


Inappropriate or weak access control procedures result in authorized modifications, and/or data integrity issues.

Application access control procedures are in place to protect source code, the binaries, or actual database or data. Systems




Tools are available in the production application environment to produce an audit trail of all data alterations.

Systems Development

Internal Fraud


Lack of application performance stability and integrity of data.

Application access control procedures are in place to protect source code, the binaries or actual database or data.

Systems Development

Internal Fraud


Lack of proper review of application code for security flaws.

Application code has been reviewed for security flaws, backdoors and malicious code.


5 0.00

5 0.00

5 0.00






5 0.00

Systems Development

Internal Fraud


Lack of documentation of data alterations during the application development process.

Development tools used in the production application environment produce an audit trail of all data alterations. Systems





Systems Development









Systems Development



Tools are available in production application environment to produce an audit trail of all data alterations.

Systems Development



A programmer’s development manual guides the creation of safe and secure code. Developers have been trained in programming techniques that provide for more secure

Systems Development


Lack of interoperability testing may result in security exposures, performance issues, loss of productivity, and loss of availability.

Interoperability testing of new and existing applications is a feature of the change control policy.

Systems Development


Lack of tested compatibility between solutions can result in security exposures, performance issues, loss of productivity, and loss of availability .

The use of digital certificates or other public key technology has been tested for interoperability between solutions.

Systems Development


Lack of accountability of actions for systems developers.



System software failure





5 0.00Trojans

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

Systems Development


Lack of accessibility to critical system file and system source libraries.

Critical system files and system source libraries are documented and maintained under controlled access.

Systems Development


System files are not controlled.

Access to system files is controlled and maintained.

Systems Development


System libraries are not available for recovery.

System libraries are backed-up on a regular basis so that they are available to be recovered in the event of a system Systems


Lack of change control policy and procedure that includes review and testing of all changes can result in security exposures, performance issues, loss of productivity, and loss of availability.

All proposed system changes are reviewed and tested to ensure that the security of either the system or the operating environment is not compromised.

Systems Development


System tests do not accurately reflect the impacts and results of changes.

The development/test system is segregated from the operational system.

Systems Development


Software patches not tested and applied in a timely manner can allow application vulnerability and render the application susceptible to attack.


Systems Development

External Fraud


Weak or unauthorized encryption algorithms can result in the exposure of sensitive or confidential information.

The strength and integrity of proprietary encryption algorithms have been certified by an authorized evaluation agency.

Systems Development

Internal Fraud


Lack of risk assessment for encryption methodology can result in the exposure of sensitive or confidential information.

A risk assessment methodology is employed to determine the level of encryption necessary for environment.

Systems Development

External Fraud


Lack of risk assessment for encryption methodology can result in the exposure of sensitive or confidential information.

A risk assessment methodology is employed to determine the level of encryption necessary for environment.

Systems Development

Internal Fraud


Failure to protect sensitive information confidentiality.

Internationally or nationally accepted cryptographic methods and key management techniques are employed. Systems






5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00

5 0.00


5 0.00

Systems Development

External Fraud


Lack of a policy to ensure end-to-end data transaction protection.


Systems Development

Internal Fraud


Lack of a policy to ensure end-to-end data transaction protection.


Systems Development

External Fraud


Lack of customization in the strength of protection for system and user defined sensitive information.

Algorithms and the strength of encryption used for securing authentication credentials (e.g., passwords and PINs) and other data during transmission/storage have been determined based on a risk assessment methodology.Systems

DevelopmentInternal Fraud



Algorithms and the strength of encryption used for securing authentication credentials (e.g., passwords and PINs) and other data

Systems Development

Internal Fraud




Systems Development

External Fraud




Systems Development

Internal Fraud




Systems Development

External Fraud




Systems Development

Internal Fraud




Systems Development

External Fraud




Systems Development

External Fraud




Unauthorized scans

5 0.00Viruses

5 0.00Viruses

5 0.00War dialing

5 0.00Worms

5 0.00Worms

5 0.00

Systems Development

External Fraud


There is an encryption policy in place that includes an end-to-end transaction (e.g., origination, storage, network path, backups, recovery and legally mandated provisions).

Systems Development


Applications are not developed with the appropriate security features and functions.


Systems Development




Systems Development

External Fraud


Algorithms and the strength of encryption used for securing authentication credentials (e.g., passwords and PINs) and other data during transmission/storage have been determined based on a risk assessment

Systems Development


Applications are not developed with the appropriate security features and functions.


Systems Development




ISO DomainAccess Control Asset Classification & Control Business Continuity Management Communications & Operations Management ComplianceOrganizational Security Personnel Security Physical and Environmental Security Security PolicySystems Development

Basel I CategoryInternal FraudExternal FraudEmployee Practices and Workplace SafetyClients, Products and Business PracticesDamage to Physical AssetsBusiness Disruption and System FailuresExecution , Delivery and Process Management

Impact if Not Implemented0 1 2 3 4 5

0 5 6 7 8 9 101 4 4 6 7 8 92 3 3 3 6 7 83 2 2 2 2 6 74 1 1 1 1 1 65 0 0 0 0 0 0

Unknown012345

0.10.20.30.40.50.60.70.80.9

1

Control Implemen

ted

Airplane crashApplication software failureAutomobile crashBiological agent attackBomb attacksBomb threatsChemical spill

Civil disorder

Computer crime

CPU malfunction/failure

DDoS or DoS attacks


DNS failure

Dumpster diving

Dust/sand

Embezzlement

Epidemic

Extortion

Fire

Floods

Gas leaks

Hardware failure

Hazardous waste exposure

Heat

High winds

Human error

Hurricane

HVAC failure


Leaving computer screen exposed or unlocked

Leaving doors unlocked


Lightning

Lost or stolen laptops

Malicious code

Network spoofing



Power failure

Power fluctuation

Radiation contamination

Robbery

Sabotage

Seismic activity

Shoulder surfingSnow/ice stormsSocial engineeringSoftware defectsSolar flaresSystem software failureTailgating to gain unauthorized accessTerrorist attackTelecommunications failureTidal WaveTornadosTrojansTyphoonUnauthorized network or system accessUnauthorized scansUnintentional DDoSUnintentionally bad legislationVandalismVirus hoaxesVirusesVolcanic eruptionWarWar dialingWeb defacementsWork stoppage/ strikeWorms

isms risk calculator spread sht v0.1

Documents