Executive Summary
Total Risk Scoring Calculations: Total Raw Risk Score | Total Controls in Place | Total Residual Risk Score

[Chart: Residual Risk and Controls per risk (Wireless Devices, Malware, Unsecure Configuration, ...), axis 0 to 50]
Instructions
Step 1: Determine data types across the organization and enter them in the 'System Risks' tab.
Step 2: For the data types stored or transmitted by the system, rate each data type in terms of Confidentiality (C), Integrity (I), and Availability (A) in the 'System Risks' tab. 0 is the least critical and 3 is the most critical.
Step 3: Identify risks to the system, e.g. malicious code.
Step 4: Rate the likelihood of each risk occurring, considering non-control factors such as network architecture, operating system, applications, etc.
Step 5: Rate the effectiveness of each control as it applies to each risk. If a control does not mitigate a particular risk, enter 0.
Step 6: Document Mitigation Actions that should be put in place to reduce risk.
Data Types | Confidentiality | Integrity | Availability
--- | --- | --- | ---
Public Information | 0 | 0 | 0
Financial | 2 | 2 | 2
Employee Data | 2 | 2 | 2
Corporate Internal | 3 | 2 | 2
Shareholder Data | 2 | 2 | 2
Legal | 0 | 0 | 0
Product Designs | 2 | 2 | 2
Business Processes | 2 | 2 | 1
Trade Secrets | 2 | 2 | 2
High Water Mark | 3 | 2 | 2
System Impact Rating | 7 | |
Risks | Impact | Likelihood | Inherent Risk | Controls in Place | Residual Risk
--- | --- | --- | --- | --- | ---
Unauthorized Device or Software | 7 | 9 | 63 | 15 | 48
Unsecure Configuration | 7 | 6 | 42 | 10 | 32
Insufficient Boundary Defense | 7 | 6 | 42 | 20 | 22
Misconfiguration of HW/SW Security | 7 | 9 | 63 | 25 | 38
Uncontrolled Access or Privileges | 7 | 6 | 42 | 20 | 22
Malware | 7 | 9 | 63 | 45 | 18
Wireless Devices | 7 | 9 | 63 | 25 | 38
Data Loss or Inability to Recover | 7 | 6 | 42 | 25 | 17
Insecure Network Engineering | 7 | 9 | 63 | 15 | 48
Insufficient Skills or Training | 7 | 9 | 63 | 15 | 48
Control Assessment

Critical Controls

Control 1: Inventory of Authorized and Unauthorized Devices
Control 2: Inventory of Authorized and Unauthorized Software
Control 3: Secure Configurations for HW and SW on PCs and Servers
Control 4: Secure Configurations for Network Devices
Control 5: Boundary Defense
Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
Control 7: Application Software Security
Control 8: Controlled Use of Administrative Privileges
Control 9: Controlled Access Based on the Need to Know
Control 10: Continuous Vulnerability Assessment and Remediation
Control 11: Account Monitoring and Control
Control 12: Malware Defenses
Control 13: Limitation and Control of Network Ports, Protocols, and Services
Control 14: Wireless Device Control
Control 15: Data Loss Prevention
Control 16: Secure Network Engineering
Control 17: Penetration Tests and Red Team Exercises
Control 18: Incident Response Capability
Control 19: Data Recovery Capability
Control 20: Security Skills Assessment and Appropriate Training to Fill Gaps

Control effectiveness per risk (columns are Controls 1 to 20; Total is the Controls in Place value for that risk):

Risk | C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 | C9 | C10 | C11 | C12 | C13 | C14 | C15 | C16 | C17 | C18 | C19 | C20 | Total
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Unauthorized Device or Software | 10 | 5 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 15
Unsecure Configuration | 0 | 0 | 5 | 5 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 10
Insufficient Boundary Defense | 0 | 0 | 0 | 0 | 10 | 10 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 20
Misconfiguration of HW/SW Security | 0 | 0 | 0 | 0 | 0 | 0 | 15 | 10 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 25
Uncontrolled Access or Privileges | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 5 | 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 20
Malware | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 15 | 15 | 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 45
Wireless Devices | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 10 | 15 | 0 | 0 | 0 | 0 | 0 | 25
Data Loss or Inability to Recover | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 10 | 15 | 0 | 0 | 0 | 25
Insecure Network Engineering | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 10 | 5 | 0 | 15
Insufficient Skills or Training | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 15 | 15
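The scoring the six steps describe can be carried through end to end on the sample figures above. The following Python is an added example, not a formula taken from the spreadsheet itself; the arithmetic it applies is inferred from the sample numbers (System Impact Rating is the sum of the per-attribute high water marks, Inherent Risk is Impact times Likelihood, Controls in Place is the sum of a risk's control effectiveness scores, and Residual Risk is Inherent Risk minus Controls in Place). The flooring of a residual at zero and the range checks on the ratings are this example's own choices, since the template does not say what happens when controls exceed the inherent score or when a rating falls outside 0..3.

```python
"""Risk-scoring walkthrough for the assessment template (added example).

Formulas are inferred from the page's sample figures, not stated by the
template; see the comments on each function for what is assumed.
"""
from dataclasses import dataclass

# Constructed from the 'System Risks' data above: data type -> (C, I, A), each 0..3.
DATA_TYPES = {
    "Public Information": (0, 0, 0),
    "Financial": (2, 2, 2),
    "Employee Data": (2, 2, 2),
    "Corporate Internal": (3, 2, 2),
    "Shareholder Data": (2, 2, 2),
    "Legal": (0, 0, 0),
    "Product Designs": (2, 2, 2),
    "Business Processes": (2, 2, 1),
    "Trade Secrets": (2, 2, 2),
}

# Likelihood per risk (Step 4), taken from the risk table above.
LIKELIHOOD = {
    "Unauthorized Device or Software": 9,
    "Unsecure Configuration": 6,
    "Insufficient Boundary Defense": 6,
    "Misconfiguration of HW/SW Security": 9,
    "Uncontrolled Access or Privileges": 6,
    "Malware": 9,
    "Wireless Devices": 9,
    "Data Loss or Inability to Recover": 6,
    "Insecure Network Engineering": 9,
    "Insufficient Skills or Training": 9,
}

# Control effectiveness per risk (Step 5): {control number: score}. A control
# that does not mitigate the risk is simply absent, which counts as the 0 the
# template asks for.
EFFECTIVENESS = {
    "Unauthorized Device or Software": {1: 10, 2: 5},
    "Unsecure Configuration": {3: 5, 4: 5},
    "Insufficient Boundary Defense": {5: 10, 6: 10},
    "Misconfiguration of HW/SW Security": {7: 15, 8: 10},
    "Uncontrolled Access or Privileges": {9: 5, 10: 15},
    "Malware": {11: 15, 12: 15, 13: 15},
    "Wireless Devices": {14: 10, 15: 15},
    "Data Loss or Inability to Recover": {16: 10, 17: 15},
    "Insecure Network Engineering": {18: 10, 19: 5},
    "Insufficient Skills or Training": {20: 15},
}


def high_water_marks(data_types):
    """Per-attribute maximum (C, I, A) across all data types (Step 2)."""
    for name, ratings in data_types.items():
        if len(ratings) != 3 or any(not 0 <= r <= 3 for r in ratings):
            raise ValueError(f"{name}: ratings must be three values in 0..3")
    return tuple(max(r[i] for r in data_types.values()) for i in range(3))


def system_impact_rating(data_types):
    """Assumed: the System Impact Rating is the sum of the high water marks."""
    return sum(high_water_marks(data_types))


@dataclass
class RiskScore:
    name: str
    impact: int
    likelihood: int
    inherent: int
    controls: int
    residual: int


def score_risks(impact, likelihood, effectiveness):
    """Inherent = Impact x Likelihood; Controls = sum of effectiveness scores;
    Residual = Inherent - Controls (floored at 0, an assumption of this example)."""
    scores = []
    for name, lk in likelihood.items():
        eff = effectiveness.get(name, {})
        if any(not 1 <= c <= 20 for c in eff):
            raise ValueError(f"{name}: control numbers must be in 1..20")
        inherent = impact * lk
        controls = sum(eff.values())
        scores.append(RiskScore(name, impact, lk, inherent, controls,
                                max(inherent - controls, 0)))
    return scores


def totals(scores):
    """The three figures named in the 'Total Risk Scoring Calculations' header."""
    return {
        "Total Raw Risk Score": sum(s.inherent for s in scores),
        "Total Controls in Place": sum(s.controls for s in scores),
        "Total Residual Risk Score": sum(s.residual for s in scores),
    }


def ranked_by_residual(scores):
    """Highest residual first: the order a mitigation list (Step 6) should follow."""
    return sorted(scores, key=lambda s: s.residual, reverse=True)


if __name__ == "__main__":
    impact = system_impact_rating(DATA_TYPES)
    scores = score_risks(impact, LIKELIHOOD, EFFECTIVENESS)
    print(f"System Impact Rating: {impact}")
    for s in ranked_by_residual(scores):
        print(f"{s.name:36} inherent={s.inherent:3} controls={s.controls:3} residual={s.residual:3}")
    print(totals(scores))
```

Running the script reproduces the Inherent Risk, Controls in Place and Residual Risk columns of the risk table exactly, which is a useful check that a spreadsheet's formulas have not been edited or broken; the ranked listing is the same ordering the Executive Summary chart presents.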
Mitigation
Mitigation Name | Description | Date Identified | Owner