Hazel Moo: Marketing Server


Business Processes and information asset for CISO

[Diagram, original layout lost: Hazel Moo (CEO, CFO, CISO and Technical) with one server per department (HR Server, Marketing Server, Manufacturing Server, R & D Server). Labels: checking the programs and hardware condition; monitoring and maintaining the server performance; company server metadata; technical and physical condition; department information; CISO implements the guideline; secure guidelines.]

- A dedicated server is used by each department except for the CEO, CFO, CISO and Technical department. This allows the company to separate its critical business processes and avoid a centralised failure if one server machine fails. Responsibility for the server hardware falls under the Technical department, and the CISO department is responsible for ensuring that the security elements protecting the server are in place.
- Consequently, because the server contains sensitive information and has become the backbone of the company's data processing equipment, this hardware is an information asset that needs to be protected.
- The output of this process is a set of guidelines for protecting the server from various threats and ensuring its availability in case an emergency occurs.
[Diagram, original layout lost: each department (CEO, CFO, HR Department, Manufacturing Department, RD Department, Technical Department, Marketing Department) provides its information assets, procedures, standards, controls, etc. to the CISO; the CISO collects the data and performs the risk management process; output: Risk Registers.]

Risk Registers
- All potential risks from each department are identified based on the information assets under that department that may affect the company's business services; then what actions should be taken to address each potential risk, the appropriate response to each risk, and what procedures to follow if the risk materialises.
- The document produced by the risk management process, in this case the risk register, is considered an asset because the information it contains relates to existing risks that may affect the company's business processes.
- The output document is a list of risks related to the information assets, procedures, standards, and implemented controls of each department.
Risk Scenario

Server

1. Data Corruption
Scenario: errors in the maintenance process caused by employees lacking the skill and knowledge to carry out maintenance properly.
Record of events: One case happened last year
Control: Outsource the maintenance process
2. Natural Disaster
Scenario: an earthquake destroys the server
Record of events: Not occurred
Control: Implement a fail-safe cloud backup of the server
3. Stolen Data
Scenario: an employee lacking security awareness clicks a phishing email and the attacker manages to gain access to the server
Record of events: One case last year
Control: Implement routine vulnerability assessments and security awareness programs
4. Inadequate Access Control
Scenario: an employee abuses privileges to access a certain part of the server data storage because the access control rules are insufficient
Record of events: One case last year
Control: Develop proper access control
5. Misconfiguration
Scenario: inadequate employee skill and knowledge, and no configuration checklist, result in unnecessary services being active.
Record of events: One case last year
Control: Develop a checklist for server configuration and perform routine security scans
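The misconfiguration control above (a configuration checklist plus routine scans) can be made concrete as a baseline check. The following is an added example, not part of the original document and not a tool the company describes: it parses listener lines in the style of `ss -tulnp` output and compares them against an approved checklist of (protocol, port, process) entries. The sample `ss` output and the baseline are constructed for illustration; loopback-only listeners are reported separately because they are not exposed to the network.

```python
"""Configuration-baseline check: compare a server's listening services
against an approved checklist and report deviations."""
import re
from dataclasses import dataclass

# Constructed sample in the style of `ss -tulnp` output (not captured from any real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1020,fd=6))
tcp   LISTEN 0      128    0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=1310,fd=4))
tcp   LISTEN 0      50     0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=1402,fd=3))
udp   UNCONN 0      0      127.0.0.1:323       0.0.0.0:*         users:(("chronyd",pid=640,fd=5))
"""

# Hypothetical checklist: the only network-facing listeners the server is approved to expose.
BASELINE = {("tcp", 22, "sshd"), ("tcp", 443, "nginx")}

# One `ss` row: protocol, state, queues, local address:port, peer, and the process name.
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+'
    r'(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Extract listeners from `ss`-style text; header and unparseable lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m["proto"], m["addr"], int(m["port"]), m["proc"]))
    return listeners


def is_loopback(addr: str) -> bool:
    """Loopback listeners are reachable only from the host itself."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def audit(listeners: list[Listener], baseline: set[tuple[str, int, str]]) -> dict:
    """Classify each listener against the checklist.

    unexpected    - network-facing listener not on the checklist (a finding)
    loopback_only - not on the checklist but bound to loopback (informational)
    missing       - checklist entry with no matching listener (service may be down)
    """
    seen = set()
    unexpected, loopback_only = [], []
    for lst in listeners:
        key = (lst.proto, lst.port, lst.process)
        if key in baseline:
            seen.add(key)
        elif is_loopback(lst.addr):
            loopback_only.append(lst)
        else:
            unexpected.append(lst)
    return {"unexpected": unexpected, "loopback_only": loopback_only, "missing": baseline - seen}


if __name__ == "__main__":
    report = audit(parse_ss(SAMPLE_SS_OUTPUT), BASELINE)
    for lst in report["unexpected"]:
        print(f"FINDING: unapproved listener {lst.proto}/{lst.port} ({lst.process}) on {lst.addr}")
    for lst in report["loopback_only"]:
        print(f"info: loopback-only listener {lst.proto}/{lst.port} ({lst.process})")
    for proto, port, proc in sorted(report["missing"]):
        print(f"WARNING: expected {proto}/{port} ({proc}) not listening")
```

On a real host the text would come from running `ss -tulnp` as part of the routine scan; anything reported as unexpected is either a service to remove or a checklist entry to add after review, which keeps the checklist and the server in step with each other.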

Risk Register

1. Misidentification
Scenario: insufficient employee knowledge about company assets and no checklist used.
Record of events: One case last year
Control: Data re-identification process conducted by employees with sufficient knowledge
2. Environment Changes
Scenario: a new business process is implemented, creating a new unidentified risk
Record of events: One case happened last year
Control: Develop comprehensive risk scenarios covering all types of environment change
3. Insufficient Data
Scenario: an unclear risk identification process resulting from employees' lack of knowledge.
Record of events: One case last year
Control: Data re-identification process
4. Poor Planning
Scenario: poor communication within the team results in planning problems.
Record of events: One case last year
Control: Develop a proper planning strategy
5. Lack of Update
Scenario: the company decided not to prioritise the update process because employees were focused on another project
Record of events: Not occurred
Control: Implement a quarterly update schedule
6. Data Loss
Scenario: the register is stored in an unsecured place such as a USB drive
Record of events: Not occurred
Control: Store the data both in digital form on the server, accessible only to authorised personnel, and in paper form in locked filing cabinets
