IMS Risk Assessment - DRAFT - v3 1 (Ori)
RISK ASSESSMENT
Service
Risk Owner
Service
Risk Register
Service Component
Threats
Vulnerabilities
Risk Description
Impact / Severity
(Score 1-5)
Probability/ Likelihood
(Score 1-5)
Result of Risk
(Total Score)
Risk ID
Control Annex
Current Control
Risk Treatment
Treat
Staff shortage
Delay,
Train backup
Staff shortage
Treat
Staff shortage
Treat
Human error
C,I
Staff shortage
10
Treat
Treat
Controls to be implemented
Project Sponsor
Accept
Buddy System
IT Governance
EDMS
A
A, I
A, I
3
4
3
3
1
1
4
3
Treat
Accept
Treat
Treat
Treat
Service Desk
Lack of maintenance
10
Treat
ISO Documents
Loss of documents
Unavailability of documents.
Treat
ISO Records
Loss of records
Unavailability of records.
Treat
Hardware failure
Lack of maintenance
Hardware failure
Treat
Hardware (UPS)
Lack of maintenance
Treat
Network Administrator
System hacked
C, I, A
Software
Unauthorized access
Treat
Lack of maintenance
Treat
Transfer
Network
Managed IPVPN
L
Use tool (ISO Portal)
Transfer
L
Progress update to SMR and DC. Encourage ITIL certification.
L
L
L
L
L
L
L
45%
45%
45%
10%
45%
50%
VSAT Failure
Lack of maintenance
Transfer
Hardware
a) Storage Server
b) Camera
Lack of maintenance
Treat
Network
Network failure
Treat
Electricity
Power failures.
Treat
Lack of maintenance
C, A
Treat
50%
b) NMS software to monitor
a) Monitoring and maintenance checks on a daily, monthly and yearly basis to sustain operation.
b) Troubleshoot server
c) Preventive maintenance (SLA)
d) Disaster recovery
e) Check network availability & performance
f) Reset camera's power & network cable
g) Repair or change camera
45%
Hardware
a) Server
b) Controller
c) Card reader
45%
45%
45%
Network down.
C, A
Treat
Electricity
Power failures.
System will fail to function (i.e. door not secure) after battery
backup runs out
C, A
Treat
45%
45%
Treat
Misconfiguration
1. Virus Attack
2. Antivirus installed cannot communicate with
server (not connected to Felda network)
C, I, A
Program error
Treat
2. Antivirus
45%
45%
C, I, A
Spam
A
1. PC not properly shutdown
2. Old Hardware
Basis
Asset Management
PC Hardware
HDD failure
Printer
1.Missing Driver
2. Printer cable loose
2.
3. install
1. Preventive maintenance
UPS
Data Centre
C, A
More than one UPS module breakdown at the same time (currently 3X30KVA)
When any one UPS module fails, same servers have to be shut down.
unexpected downtime
Hardware failure
Managed Enterprise Services E-mail
Server
A
Email services inaccessible.
Power failure
Network failure
Treat
Transfer
Treat
L
L
L
FPSSB/IMS/REC/RISK-001
Template Version: 1.0
System Development /
Implementation
Reports
Treat
Treat
Consultation Service
Business Application
(IT Services
New Request)
Integration Service
Hardware
Software
System interfaces
Data and information
People
System mission
Rely on Vendor
Transfer
C,I
1. Treat
2. Replace
3. Treat
4. Treat
FPSSB will make sure all users of the system receive enough training before they start using the application.
Transfer
A,C,I
15
15
C,I
15
C,I
15
Authorization matrix
Threat
To strengthen authorization
1.Network Failure
2.Databases corrupted
3.EIS Server Failure
A,C,I
15
Threat
C, I
15
Only the Server Team is able to directly access and look into the server.
Rely on Vendor
Rely on Vendor
Transport number left out. New staff doing configuration; staff left out some configuration steps.
Misconception
Misconception
ABAP
Treat
Threat
Plantation Applications
Lost connectivity to SAP/AS400 servers
Weighbridge & Mill Applications
Transfer
Transfer
C,I
15
C,I
15
Transfer
Transfer
A,C,I
Treat
A,C,I
16
Treat
A,C,I
16
Treat
1. Treat
2. Replace
3. Treat
4. Treat
Others Applications
ERP Consulting
Treat
C,I
Treat
L
Monitor, check and reporting.
SAP PRD
SAP QAS
SAP DEV
ESS, MSS
Non SAP Application
C,I
Treat
L
Monitor, check and reporting.
A,C,I
Treat
A senior will replace the trainer and a junior will join the training.
Treat
Training
A,C,I
Treat
Treat
Administration
A,C,I
25
Asked to shift location / too many user trainings at one time (not enough labs) / staff growth.
Telephone/Fax
Receptionist/ Telephonist
Staff SAP
1. 24 Hours Notice
2. Senior/certified staff resign
Management
24 Hours Notice
Replacement staff.
- Project
HR & Admin
Human Resource
All
Documentation
Documentation
Administrative
Personnel
Human errors
Personnel
Operation degraded
High-rate of turn-over
12
39
10
61
A, C, I
Treat
Treat
Treat
A, C, I
16
Existing team member to take over the job until the new
replacement is in place
Transfer
L
L
L
M
ALI MUSTAFA
GENERAL MANAGER
1 Mar 2013
1 Mar 2013
Service
Risk Owner
Service
System Development /
Implementation
Business Application
(IT Services
New Request)
Integration Service
ABAP
Plantation Applications
Business Application
(Existing Application System)
Others Applications
Service
Service Component
Threats
Rely on Vendor
Software
System interfaces
Data and information
People
System mission
1. Web Application Server Stop Functioning
2. Scanner Problem
3. Storage Full
Rely on Vendor
Rely on Vendor
Risk Register
Vulnerabilities
Risk Description
Reports
Risk Register
(A=Availability, C=Confidentiality,
I=Integrity)
Impact / Severity
(Score 1-5)
Probability/ Likelihood
(Score 1-5)
Result of Risk
(Total Score)
C,I
A,C,I
15
15
C,I
15
C,I
15
A,C,I
15
C, I
15
C,I
15
C,I
15
Current Control
Risk Treatment
Treat
Treat
Transfer
1. Treat
2. Replace
3. Treat
4. Treat
Transfer
Treat
Threat
Transfer
Authorization matrix
Threat
Threat
Only the Server Team is able to directly access and look into the server.
1. Monitored by Server Team
2. Replace or repair the file that has been corrupted
3. Re-register DLL
4. Antivirus update
Transfer
1. Treat
2. Replace
3. Treat
4. Treat
Treat
Transfer
Transfer
Risk Treatment Plan
Controls to be implemented
FPSSB will make sure all users of the system receive enough training before they start using the application.
To strengthen authorization
Service
Risk Owner
Service
SAP ECC 6.0/
SAP Customized Configuration
Management
ERP Consulting
Training
System support
Service
Service Component
Threats
Misconception
Misconception
SAP PRD
SAP QAS
SAP DEV
ESS, MSS
Non SAP Application
Risk Register
Vulnerabilities
Risk Description
Transport number left out. New staff doing configuration; staff left out some configuration steps.
Risk Register
(A=Availability, C=Confidentiality,
I=Integrity)
A,C,I
A,C,I
A,C,I
C,I
C,I
A,C,I
A,C,I
A,C,I
Impact / Severity
(Score 1-5)
Probability/ Likelihood
(Score 1-5)
Result of Risk
(Total Score)
Current Control
Risk Treatment
Treat
Treat
Treat
Treat
Treat
Treat
A senior will replace the trainer and a junior will join the training.
Treat
Treat
Treat
Risk Treatment Plan
Controls to be implemented
Re-configure or re-transport if there should be any problem. Test again at QAS before transporting to PRD.
Service
Risk Owner
Service
Rental Service
Service
Service Component
Threats
PC , Notebook, Server
Uncontrolled viruses attack / intrusion
Server
Hardware failure
Power failure
Network failure
Software
Spam
Software
Unauthorized access
Software
E-mail missing
Software
Phishing
Software (Webmail)
Risk Register
Vulnerabilities
Risk Description
a) Not properly shutdown
b) Old Hardware
Lack of maintenance
Misconfiguration
Risk Register
(A=Availability, C=Confidentiality,
I=Integrity)
C, A
A
A
A
C
C
A
C, I
A
Impact / Severity
(Score 1-5)
Probability/ Likelihood
(Score 1-5)
Result of Risk
(Total Score)
Current Control
Risk Treatment
Treat
Treat
Treat
Transfer
Treat
Treat
Treat
Treat
Treat
Treat
Risk Treatment Plan
Controls to be implemented
a) Propose file server for data backup (PC, Notebook)
b) Establish Data Recovery Center (DRC) for non-SAP
c) Execute preventive maintenance
L
L
Service
Risk Owner
Service
Network
Managed IPVPN
Managed VSAT
Managed LAN
Managed LAN
Service
Service Component
Threats
Hardware failure
Hardware failure
Hardware (UPS)
Network Administrator
System hacked
Software
Unauthorized access
VSAT Failure
Hardware
a) Storage Server
b) Camera
Network
Network failure
Electricity
Power failures.
Hardware
a) Server
b) Controller
c) Card reader
Network
Network down.
Electricity
Power failures.
Risk Register
Vulnerabilities
Risk Description
Lack of maintenance
Lack of maintenance
Lack of maintenance
Lack of maintenance
Lack of maintenance
Lack of maintenance
System will fail to function (i.e. door not secure) after battery
backup runs out
Risk Register
(A=Availability, C=Confidentiality,
I=Integrity)
A
A
A
A
C, I, A
A
A
A
A
A
C, A
C, A
C, A
Impact / Severity
(Score 1-5)
Probability/ Likelihood
(Score 1-5)
Result of Risk
(Total Score)
C, I, A
Current Control
Risk Treatment
Transfer
Treat
Treat
Transfer
Treat
Treat
Transfer
Treat
Treat
Treat
Treat
Treat
Treat
Treat
Treat
Risk Treatment Plan
Controls to be implemented
Continuous monitoring, checking and reporting. Engage vendors for maintenance.
Periodic checks and updates by Network Team / OSS
Monitoring, checking and reporting. Introduce IP-based UPS system.
Periodic updates by FES.
L
L
L
L
L
L
L
L