
DOC.17.1.1 F01

RISK AND OPPORTUNITIES


Probability (P): refer to the Procedure for Risk Assessment and Incident Investigation.
Severity (S): refer to the Procedure for Risk and Opportunity Assessment and Incident Investigation.
Controls in place (C): refer to the Procedure for Risk Assessment and Incident Investigation.
Rating = P x S x C.

| No. | Risk related to QMS & ISMS issues | Category (Internal/External) | Probability (P) | Severity (S) | Controls in place (C) | Rating (P x S x C) | Impact |
|-----|-----------------------------------|------------------------------|-----------------|--------------|-----------------------|--------------------|--------|
| 1 | Inappropriate maintenance of assets | Internal | 1 | 2 | 2 | 4 | |
| 2 | Responsibility for assets is not allocated | Internal | 1 | 2 | 1 | 2 | |
| 3 | Assets belonging to the organization are not returned after completion or termination of a contract | Internal | 1 | 2 | 1 | 2 | |
| 4 | Inadequate control of media through VLAN and firewall policies | Internal | 1 | 1 | 2 | 2 | |
| 5 | Rejected media disposed of without verification and formatting | Internal | 1 | 2 | 1 | 2 | |
| 6 | Policies for network access and network services are not defined and followed adequately | Internal | 1 | 1 | 1 | 1 | |
| 7 | User registration and de-registration are not defined adequately | Internal | 2 | 2 | 1 | 4 | |
| 8 | Access rights are not reviewed adequately with the asset owner | Internal | 1 | 1 | 1 | 1 | |
| 9 | Password management is not adequately controlled | Internal | 3 | 3 | 1 | 9 | Disclosure of company or employee passwords to an unauthorized person may cause loss of the company's and the company's clients' confidential data |
| 10 | Antivirus is not renewed on time | Internal | 1 | 2 | 1 | 2 | |
| 11 | Data backup of laptops/desktops is not done by staff on a regular basis | Internal | 3 | 1 | 2 | 6 | Loss of the organization's crucial data |
| 12 | Installation of operational software is not adequately controlled | Internal | 1 | 1 | 3 | 3 | |
| 13 | Business process audits are not done in order to minimise disruption | Internal | 1 | 1 | 3 | 3 | |
| 14 | Information transfer policies and procedures are not adequately implemented | Internal | 1 | 2 | 1 | 2 | |
| 15 | Security of network services is not practiced adequately and policies are not implemented as per requirements | Internal | 1 | 3 | 1 | 3 | |
| 16 | Protection of information involved in electronic messaging is not appropriately practiced | Internal | 1 | 1 | 1 | 1 | |
| 17 | Non-availability of a business continuity plan | Internal | 1 | 3 | 1 | 3 | |
| 18 | Physical entry controls are not applied for portable media etc. | Internal | 3 | 2 | 1 | 6 | |
| 19 | Clear desk and clear screen policy is not being followed | Internal | 1 | 2 | 1 | 2 | |
| 20 | Natural disasters | External | 1 | 2 | 1 | 2 | |
| 21 | Customised software is not adequate for operational efficiency | Internal | 1 | 3 | 1 | 3 | |
| 22 | Network connectivity is not adequate | External | 1 | 3 | 1 | 3 | |
| 23 | High employee turnover | Internal | 1 | 2 | 1 | 2 | |
| 24 | System screens are not being locked while working inside or outside the office | Internal | 1 | 2 | 1 | 2 | |
| 25 | Passwords are being shared within or outside the organization | Internal | 1 | 3 | 1 | 3 | |
| 26 | Email or software login from another computer system without logging out | Internal | 2 | 2 | 1 | 4 | |
| 27 | Allowing others to use your system in your absence | Internal | 1 | 2 | 1 | 2 | |
| 28 | Accessing email or other software from a personal mobile phone, then losing the phone or letting others use it | Internal | 1 | 1 | 1 | 1 | |
| 29 | Personal mobile, USB and other storage media allowed at employees' workstations | Internal | 3 | 2 | 1 | 6 | |
| 30 | Employees keep using the same password for a long time | Internal | 3 | 1 | 2 | 6 | |
| 31 | Security checkpoints (firewall, routers, integration server) are not followed | Internal | 1 | 2 | 1 | 2 | |
| 32 | No system to monitor, via MX Toolbox, spam activity that gets our public IP blocked | Internal | 1 | 2 | 1 | 2 | |
| 33 | Financial and important documents left lying around | Internal | 3 | 2 | 2 | 12 | Important documents can go missing and be misused, leading to heavy loss for the organization |
| 34 | Printing access not restricted | Internal | 3 | 1 | 2 | 6 | Employees can use the printer for personal work and print the organization's important documents |
| 35 | Access control in the server and finance areas not defined/applied | Internal | 1 | 3 | 1 | 3 | |
| 36 | Visitor control policy is not available/not followed | Internal | 1 | 3 | 2 | 6 | Visitors can steal company documents/assets or add virus-infected files to our systems, leading to heavy information loss |
| 37 | Fire control and evacuation system is not available | Internal | 1 | 3 | 1 | 3 | |
| 38 | Documents lost during courier transit | External | 1 | 2 | 1 | 2 | |
| 39 | Information is sent to an incorrect address | Internal | 1 | 2 | 1 | 2 | |
| 40 | Firewall system is not present in the company network | Internal | 1 | 3 | 1 | 3 | |
| 41 | Personal information of clients is not secured | Internal | 1 | 2 | 1 | 2 | |
| 42 | System connections made by unauthorised persons | Internal | 1 | 1 | 1 | 1 | |
| 43 | External storage devices are allowed for transfer of data from one medium to another | Internal | 1 | 2 | 1 | 2 | |
| 44 | Server room is not fire protected | Internal | 1 | 3 | 1 | 3 | |
| 45 | Social media profiles (LinkedIn, Facebook etc.) getting hacked | External | 1 | 2 | 1 | 2 | |
| 46 | Segregation of duties not done | Internal | 1 | 2 | 1 | 2 | |
| 47 | Teleworking/remote work allowed to all employees | Internal | 3 | 1 | 1 | 3 | |
| 48 | Background verification of employees prior to appointment not done | Internal | 1 | 1 | 1 | 1 | |
| 49 | NDA after termination of employees not done | Internal | 1 | 3 | 1 | 3 | |
| 50 | Acceptable use of assets is not defined/not known to employees | Internal | 1 | 3 | 1 | 3 | |
| 51 | Physical entry controls are not applied for visitors etc. | Internal | 1 | 2 | 1 | 2 | |
| 52 | Equipment maintenance not done as per the defined schedule | Internal | 2 | 3 | 1 | 6 | Equipment can stop working suddenly, leading to information loss and rework |
| 53 | Non-compliance with legal requirements | Internal | 1 | 3 | 1 | 3 | |
| 54 | No specific guideline for sharing information relevant to a specific department/person only | Internal | 1 | 2 | 1 | 2 | |
| 55 | Theft of laptop outside the organization | External | 1 | 2 | 1 | 2 | |
| 56 | No password protection of client files while in transit | Internal | 1 | 2 | 1 | 2 | |
| 57 | NDA with routine and critical suppliers for the information & communication supply chain | Internal | 2 | 2 | 1 | 4 | |
| 58 | Post-mortem analysis of projects is not in practice | Internal | 1 | 2 | 2 | 4 | |
Document No.: DOC.17.1.1 F01
Version No.: 01.0
Issue Date: 18.01.2019
Page No.: 01 of 01

Rating bands (per the Procedure for Risk Assessment and Incident Investigation):
Rating (RL) 1 to 3: negligible, no action recommended.
Rating (RL) 4 to 12: opportunity for improvement.
Rating (RL) 13 to 27: pure risk.

| Control of Risk / Opportunity for Improvement | Responsibility | Documents / Records | Target Date |
|-----------------------------------------------|----------------|---------------------|-------------|
| Shall do asset maintenance quarterly | IT-Support | DOC.11.2.4 F02 (Preventive Maintenance Record) | |
| Shall assign responsibility to a person | Manager ITSM | Information/IT Assets register | |
| HR will get a signed NDA from the responsible team before completing or terminating the contract | HR | | |
| Shall improve firewall rules | Technology | | |
| Ensure media are formatted before being disposed of | IT-Support | | |
| Will define the user registration and de-registration process or procedure | HR | | |
| Control password management according to the password policy | IT-Support | | |
| Renew antivirus on time as part of monthly preventive maintenance | IT-Support | | |
| Make staff aware of the need to back up data on a regular basis and of the data backup policy | All Employees | | |
| Shall not allow employees to carry personal USB devices on office premises, and disable the USB port | | | |
| Make all employees aware to keep in practice logging out when using another person's laptop/desktop | | | |
| Make all employees aware not to allow others to use the laptop/desktop allocated to them in their absence | | | |
| Shall not allow employees to carry personal USB devices on office premises, and disable the USB port | | | |
| Shall encourage all employees to change their password after some time | | | |
| Shall provide lockable drawers to store confidential documents | | | |
| Provide printing access to a limited number of employees | | | |
| Guide visitors to follow the visitor policy and provide a visitor card; shall provide limited access to the network and working area | | Visitor policy ref. DOC 11.1 version 1.0 | |
| Will maintain equipment on a regular basis according to the Preventive Maintenance checklist | IT-Support | Preventive Maintenance | |
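The register rates each risk as P x S x C and bands the result with the thresholds in the legend above (1 to 3 negligible, 4 to 12 opportunity for improvement, 13 to 27 pure risk), while the control table lists the treatment for the rows that need one. The script below is an added example, not part of the organization's document: it recomputes the rating for each row, bands it, and flags rows whose stated rating disagrees with P x S x C or which sit above the negligible band without a recorded "Control of Risk" entry. The rows are copied from the register on this page; the CONTROL_RECORDED set and row 99 (a deliberately inconsistent row) are constructed for the example.

```python
"""Consistency check for a P x S x C risk register (added example, not the document's own code)."""
from dataclasses import dataclass
from typing import List, Set, Tuple

SCALE_MIN, SCALE_MAX = 1, 3   # P, S and C are each scored 1..3, so the rating range is 1..27


@dataclass(frozen=True)
class RiskRow:
    no: int
    description: str
    category: str          # "Internal" or "External"
    p: int                 # Probability
    s: int                 # Severity
    c: int                 # Controls in place
    stated_rating: int     # the value written in the register's Rating column


def compute_rating(row: RiskRow) -> int:
    """Rating = P x S x C, after checking each factor is on the 1..3 scale."""
    for name, value in (("P", row.p), ("S", row.s), ("C", row.c)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"row {row.no}: {name}={value} is outside the {SCALE_MIN}..{SCALE_MAX} scale")
    return row.p * row.s * row.c


def band(rating: int) -> str:
    """Map a rating to the action band defined in the register's legend."""
    if rating <= 3:
        return "negligible"
    if rating <= 12:
        return "opportunity for improvement"
    return "pure risk"


def check_register(rows: List[RiskRow], control_recorded: Set[int]) -> List[Tuple[int, str]]:
    """Return (risk number, finding) pairs for every inconsistency found."""
    findings = []
    for row in rows:
        rating = compute_rating(row)
        if rating != row.stated_rating:
            findings.append((row.no, f"stated rating {row.stated_rating} but P*S*C = {rating}"))
        if band(rating) != "negligible" and row.no not in control_recorded:
            findings.append((row.no, f"rating {rating} ({band(rating)}) but no Control of Risk recorded"))
    return findings


# Rows taken from the register on this page (numbers, factors and stated ratings as written there).
REGISTER = [
    RiskRow(6, "Network access and services policies not defined/followed", "Internal", 1, 1, 1, 1),
    RiskRow(9, "Password management not adequately controlled", "Internal", 3, 3, 1, 9),
    RiskRow(11, "Laptop/desktop data backup not done regularly", "Internal", 3, 1, 2, 6),
    RiskRow(33, "Financial and important documents left lying around", "Internal", 3, 2, 2, 12),
    RiskRow(52, "Equipment maintenance not done as per schedule", "Internal", 2, 3, 1, 6),
    RiskRow(57, "NDA with routine and critical suppliers", "Internal", 2, 2, 1, 4),
    RiskRow(58, "Post-mortem analysis of projects not practiced", "Internal", 1, 2, 2, 4),
    # Constructed row (not on the page): its stated rating does not equal P*S*C.
    RiskRow(99, "Constructed example row", "Internal", 2, 3, 1, 8),
]

# Constructed for the example: risk numbers assumed to have a "Control of Risk" entry.
CONTROL_RECORDED = {9, 11, 33, 52}


if __name__ == "__main__":
    for no, finding in check_register(REGISTER, CONTROL_RECORDED):
        print(f"risk {no}: {finding}")
```

Run against the sample rows it reports risks 57 and 58 (rated 4, so "opportunity for improvement", but with no control recorded) and the constructed row 99 twice (stated 8 versus a computed 6, and no control). Rejecting factors outside 1..3 matters because the 13 to 27 "pure risk" band only exists if every factor stays on that scale.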
