
Information Security Risk Assessment

Risk Assessment For {System Name}


System Description: {Enter System Description}
Risk Assessment Scope: {Enter R.A. Scope}
Hardware: {Enter Description of System Hardware}
Software: {Enter Description of System Software/Applications}
Date Installed: {Enter Date of System Installation}
Version: {Enter System Version #}
Developer: {Enter System Developer}
System Customer Details: {Enter Description of System Users/Customers}

Executive Summary
Total Risk Scoring Calculations
Total Raw Risk Score: 546
Total Controls in Place: 215
Total Residual Risk Score: 331

[Chart: Residual Risk and Controls per risk category (Unauthorized Device or Software, Unsecure Configuration, Insufficient Boundary Defense, Misconfiguration of HW/SW Security, Uncontrolled Access or Privileges, Malware, Wireless Devices, Data Loss or Inability to Recover, Insecure Network Engineering, Insufficient Skills or Training); the plotted values are the Residual Risk and Controls in Place rows of the System Risks table.]

(C) Quantivate 2011


Instructions
Step 1: Determine the data types across the organization and enter them in the 'System Risks' tab.
Step 2: For the data types stored or transmitted by the system, rate each data type in terms of Confidentiality (C), Integrity (I), and Availability (A) in the 'System Risks' tab. 0 is the least critical and 3 is the most critical.
Step 3: Identify risks to the system, e.g. malicious code.
Step 4: Rate the likelihood of each risk occurring, considering non-control factors such as network architecture, operating system, applications, etc.
Step 5: Rate the effectiveness of each control as it applies to each risk. If a control does not mitigate a particular risk, enter 0.
Step 6: Document the Mitigation Actions that should be put in place to reduce risk.



Data Types (ratings: 0 least critical .. 3 most critical)

Data Type             Confidentiality  Integrity  Availability
Public Information                  0          0             0
Financial                           2          2             2
Employee Data                       2          2             2
Corporate Internal                  3          2             2
Shareholder Data                    2          2             2
Legal                               0          0             0
Product Designs                     2          2             2
Business Processes                  2          2             1
Trade Secrets                       2          2             2
High Water Mark                     3          2             2

System Impact Rating (sum of the three High Water Marks): 7

Risks (Inherent Risk = Impact x Likelihood; Residual Risk = Inherent Risk - Controls in Place)

Risk                                Impact  Likelihood  Inherent Risk  Controls in Place  Residual Risk
Unauthorized Device or Software          7           9             63                 15             48
Unsecure Configuration                   7           6             42                 10             32
Insufficient Boundary Defense            7           6             42                 20             22
Misconfiguration of HW/SW Security       7           9             63                 25             38
Uncontrolled Access or Privileges        7           6             42                 20             22
Malware                                  7           9             63                 45             18
Wireless Devices                         7           9             63                 25             38
Data Loss or Inability to Recover        7           6             42                 25             17
Insecure Network Engineering             7           9             63                 15             48
Insufficient Skills or Training          7           9             63                 15             48

Controls (chart series): same values as the Controls in Place column.



Control Assessment
Critical Controls
Control 1: Inventory of Authorized and Unauthorized Devices
Control 2: Inventory of Authorized and Unauthorized Software
Control 3: Secure Configurations for HW and SW on PCs and Servers
Control 4: Secure Configurations for Network Devices
Control 5: Boundary Defense
Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
Control 7: Application Software Security
Control 8: Controlled Use of Administrative Privileges
Control 9: Controlled Access Based on the Need to Know
Control 10: Continuous Vulnerability Assessment and Remediation
Control 11: Account Monitoring and Control
Control 12: Malware Defenses
Control 13: Limitation and Control of Network Ports, Protocols, and Services
Control 14: Wireless Device Control
Control 15: Data Loss Prevention
Control 16: Secure Network Engineering
Control 17: Penetration Tests and Red Team Exercises
Control 18: Incident Response Capability
Control 19: Data Recovery Capability
Control 20: Security Skills Assessment and Appropriate Training to Fill Gaps

Control effectiveness per risk (rows are risks, entries are the scores given to Controls 1-20; any control not listed scores 0 for that risk, and the total is the risk's Controls in Place value)

Unauthorized Device or Software: Control 1 = 10, Control 2 = 5; total 15
Unsecure Configuration: Control 3 = 5, Control 4 = 5; total 10
Insufficient Boundary Defense: Control 5 = 10, Control 6 = 10; total 20
Misconfiguration of HW/SW Security: Control 7 = 15, Control 8 = 10; total 25
Uncontrolled Access or Privileges: Control 9 = 5, Control 10 = 15; total 20
Malware: Control 11 = 15, Control 12 = 15, Control 13 = 15; total 45
Wireless Devices: Control 14 = 10, Control 15 = 15; total 25
Data Loss or Inability to Recover: Control 16 = 10, Control 17 = 15; total 25
Insecure Network Engineering: Control 18 = 10, Control 19 = 5; total 15
Insufficient Skills or Training: Control 20 = 15; total 15
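The arithmetic behind the System Risks and Control Assessment sheets (high-water-mark impact, inherent and residual risk, and the executive-summary totals), reproduced from the page's own numbers. This is an added example, not the vendor's spreadsheet logic; the function names and the dictionary layout are assumptions made here.

```python
# CIA ratings per data type (0 least critical .. 3 most critical), copied from
# the Data Types sheet: (Confidentiality, Integrity, Availability).
DATA_TYPES = {
    "Public Information": (0, 0, 0),
    "Financial":          (2, 2, 2),
    "Employee Data":      (2, 2, 2),
    "Corporate Internal": (3, 2, 2),
    "Shareholder Data":   (2, 2, 2),
    "Legal":              (0, 0, 0),
    "Product Designs":    (2, 2, 2),
    "Business Processes": (2, 2, 1),
    "Trade Secrets":      (2, 2, 2),
}

# Per-risk likelihood and control effectiveness (control number -> score)
# from the Control Assessment matrix; controls not listed score 0.
RISKS = {
    "Unauthorized Device or Software":    (9, {1: 10, 2: 5}),
    "Unsecure Configuration":             (6, {3: 5, 4: 5}),
    "Insufficient Boundary Defense":      (6, {5: 10, 6: 10}),
    "Misconfiguration of HW/SW Security": (9, {7: 15, 8: 10}),
    "Uncontrolled Access or Privileges":  (6, {9: 5, 10: 15}),
    "Malware":                            (9, {11: 15, 12: 15, 13: 15}),
    "Wireless Devices":                   (9, {14: 10, 15: 15}),
    "Data Loss or Inability to Recover":  (6, {16: 10, 17: 15}),
    "Insecure Network Engineering":       (9, {18: 10, 19: 5}),
    "Insufficient Skills or Training":    (9, {20: 15}),
}


def system_impact(data_types):
    """High-water mark: the highest C, I and A rating across data types, summed."""
    return sum(max(r[i] for r in data_types.values()) for i in range(3))


def score_risks(data_types, risks):
    """Return {risk: (inherent, controls_in_place, residual)} using the sheet's
    rule: inherent = impact x likelihood, residual = inherent - controls."""
    impact = system_impact(data_types)
    scores = {}
    for name, (likelihood, controls) in risks.items():
        inherent = impact * likelihood
        in_place = sum(controls.values())      # row total of the control matrix
        scores[name] = (inherent, in_place, inherent - in_place)
    return scores


def totals(scores):
    """Executive-summary totals: (raw risk, controls in place, residual risk)."""
    return tuple(sum(s[i] for s in scores.values()) for i in range(3))
```

Changing a control's score in RISKS and re-running shows how much residual risk it buys down, which is the question the Mitigation sheet is meant to answer.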



Mitigation
Columns: Mitigation Name | Description | Date Identified | Owner (template rows are empty)

