Module 2 Lab Manual 4 Risk Assessment and Treatment - Answer - Template

The document is a filled-in answer template for a risk assessment and treatment exercise covering an organization's information technology assets and processes. It identifies the web server as a High-criticality asset (and an Airtel Internet leased line as a Medium-criticality one) and lists compromise of device security as the threat to the web server, with a hacker / cracker / cyber criminal / insider as the threat source, data theft / misuse as the incident scenario and legal issues as the consequence. A High likelihood (4) and a High consequence (4) give a risk value of 16, ranked Very High. After the suggested controls the revised likelihood is Medium (3), giving a residual risk of 12, ranked High. The remaining sheets hold the sample lists of threats, threat sources and threat-specific vulnerabilities the exercise draws on, and the 5 x 5 risk ranking matrix used for scoring.

Uploaded by: manish
Copyright: © All Rights Reserved

Risk Register (Process / Asset Information, Threat Information, Vulnerability Information, Consequences, Probability Information, Risk Assessment, Risk Treatment, Residual Risk)

Only two rows of the template are filled in; the remaining rows are empty and are omitted here. Risk Value = Likelihood Value x Consequence Value, ranked with the Risk Ranking Template at the end of this document.

Row 1
  Process: Information Technology
  Asset: Web Server
  Business Criticality (VH / H / M / L / N): High
  Threat Description: Compromise of device security
  Threat Source: Hacker / cracker / cyber criminal / insider
  Vulnerability Description: (not filled in)
  Incident Scenario: Data theft / misuse
  Consequences: Legal Issues
  Consequence Value: High (4)
  Likelihood of Occurrence / Likelihood Value: High (4)
  Risk Value: 16
  Risk Ranking (VH / H / M / L / N): Very High
  Risk Response Recommendation (Accept / Transfer / Mitigate / Avoid): (not filled in)
  Suggested Controls to Treat the Risk: (not filled in)
  Revised Likelihood of Occurrence / Revised Likelihood Value: Medium (3)
  Revised Risk Level: 12
  Revised Risk Ranking: High
  Management's Acceptance / Decision on Residual Risk: (not filled in)

Row 2
  Process: Information Technology
  Asset: Airtel Internet Leased Line
  Business Criticality (VH / H / M / L / N): Medium
  Threat Description: (not filled in)
  Threat Source: (not filled in)
  Vulnerability Description: (not filled in)
  Incident Scenario: (not filled in)
  Consequences: (not filled in)
  Consequence Value: Medium (3)
  Likelihood of Occurrence / Likelihood Value: Very High (5)
  Risk Value: 15
  Risk Ranking (VH / H / M / L / N): High
  Risk Response Recommendation (Accept / Transfer / Mitigate / Avoid): (not filled in)
  Suggested Controls to Treat the Risk: (not filled in)
  Revised Likelihood / Revised Risk Level / Revised Risk Ranking: (not filled in)
  Management's Acceptance / Decision on Residual Risk: (not filled in)
Sample List of Threats and Threat Source

The sheet has two columns, Threat Description and Threat Source; several threats (for example Data theft / misuse and Unauthorized access / modification) carry more than one source, so the source column is longer than the description column. Both columns are reproduced in sheet order.

Threat Description
Application failure
Breach of licenses
Compromise of device security
Compromise of firewall security
Data corruption
Data theft / misuse
Disputes with service providers
Dumpster diving
Dust particles
Epidemics
Epidemics / absence / resignation
Failure of supporting utilities
Fire
Food poisoning
Hacking
Hazard due to failure of supporting utilities
Inability to operate in disaster
Information leakage
Information security breach / sabotage
IPR leakage / theft
Issues with log traceability
IT hardware / software malfunctioning
Legal liability
Loss of human life
Loss of information
Malware / virus attack
Man-made disaster (terrorist / mob attacks / bomb scare)
Misuse of software licenses
Natural calamities (floods / earthquake)
Non compliance of law
Password sniffing
Risk of data theft / misuse
Server / hardware failure
Server / hardware failure
Social engineering
Spying
System (hardware / software failure)
System (hardware / software failure) / unavailability of equipment
Technical faults
Theft / loss
Theft / wilful damage
Unauthorized access
Unauthorized access / modification
Unauthorized access (read / modify)
Unauthorized changes
Unauthorized copying
Unauthorized disclosure / information leakage
Unauthorized logical access
Unauthorized modification
Unauthorized modifications
Unauthorized physical access
Unavailability / poor quality of services
Unavailability of cables
Unavailability of data / data corruption
Unavailability of equipment
Unavailability of information
Uncontrolled copying
User error
Wardriving

Threat Source
Employees / Insiders
Employees / Insiders
Hacker / cracker / cyber criminal / insider
Outsider / insider with malicious intentions
Electromagnetic interferences
Industrial spying / espionage / third party staff
Outsider / insider with malicious intentions
Accidental / deliberate service disruptions
Hacker / cracker / cyber criminal
Accidents
Influenza / flu / seasonal pandemics
Health issues / shortage / attrition
Industrial spying / espionage / third party staff
Accidents
Infection
Hacker / cracker / cyber criminal / insider
Accidental
Natural / man-made disasters
Industrial spying / espionage / third party staff
Employees / Insiders
Employees / Insiders
Disastrous events / hacker / insider
Employees / Insiders
Industrial spying / espionage
Civil unrest / riots
Disastrous events / hacker / insider
Hacker / cracker / cyber criminal
Disastrous events
Hacker / cracker / cyber criminal / insider
Disastrous events
Industrial spying / espionage / third party staff
Hacker / cracker / cyber criminal / insider
Employees / contract personnel
Technology events
Technology events
Industrial spying / espionage
Industrial spying / espionage
Technology faults / events
Technology faults / events
Technology incidents
Employees
Outsider / insider with malicious intentions
Employees
Employees / Insiders
Hacker / cracker / cyber criminal / insider
Hacker / cracker / cyber criminal / insider
Employees
Hacker / cracker / cyber criminal / insider
Accidental / deliberate attempts to change
Hacker / cracker / cyber criminal
Employees / Insiders
Hacker / cracker / cyber criminal / insider
Hacker / cracker / insider
Accidental / deliberate attempt
Employees
Industrial spying / espionage / third party staff
Accidental / deliberate service disruptions
Rodents
Electromagnetic interferences
Natural / man-made disasters
Hacker / cracker / cyber criminal
Employees / Insiders
Employees / Insiders
Hacker / cracker / cyber criminal / insider
List of Threats and Threat Source considered for the exercise

Threat Description: Threat Source
Breach of licenses: Employees / Insiders
Compromise of device security: Hacker / cracker / cyber criminal / insider
Data theft / misuse: Industrial spying / espionage / third party staff; Outsider / insider with malicious intentions
Disputes with service providers: Accidental / deliberate service disruptions
Dust particles: Accidents
Fire: Accidents
Hacking: Hacker / cracker / cyber criminal / insider
Information leakage: Industrial spying / espionage / third party staff
Legal liability: Industrial spying / espionage
Non compliance of law: Industrial spying / espionage / third party staff
Technical faults: Technology incidents
Theft / loss: Employees; Employees / Insiders
Unauthorized access / modification: Hacker / cracker / cyber criminal / insider
Unauthorized physical access: Industrial spying / espionage / third party staff
Sample List of Vulnerabilities (Threat Specific)

Each threat is followed by the vulnerabilities the sheet pairs with it.

Application failure
- Absence of BCP & DR plans
- Lack of system planning and acceptance
- Technical review not carried out after making changes at OS level

Breach of licenses
- Lack of control over software installation

Compromise of device security
- Vulnerable services on the operating systems not disabled
- Vulnerable services on the servers not disabled

Compromise of firewall security
- Firewall is running a vulnerable OS version
- Firewall rule base mis-configuration (e.g. anti-spoofing filters, stealth rule, ICMP echo requests, IP masquerading etc.)
- No measures against attacks such as port scanning, buffer overflow, DoS, DDoS etc.
- SNMP traps not enabled
- Unnecessary / default ports open on firewall interface

Data corruption
- Data is corrupted due to software / hardware malfunction
- Data cables and power cables are in the same cable panel

Data theft / misuse
- Disposal of media policy & procedure not in place
- Improper labelling
- Lack of physical security controls
- Media handling procedure is not defined
- Media movement register is not maintained

Disputes with service providers
- Background check of third party is not verified
- Changes to the third party services are not managed
- Service requirements and scope of work are not defined in SLA, including service levels, security, availability etc.

Dumpster diving
- Absence of data destruction procedure
- No paper shredder machine

Dust particles
- Inadequate cleaning activities, e.g. dropping / spillage of food particles or liquid on the equipment, papers or removable media, causing damage

Epidemics
- Lack of awareness
- Lack of cleanliness / poor housekeeping

Epidemics / absence / resignation
- Disgruntled / unmotivated staff / inappropriate rotation of employee shifts

Failure of supporting utilities
- No / inadequate AMCs
- Preventive maintenance is not carried out

Fire
- Lack of fire drills / emergency plan
- No smoke detection / fire suppression equipment
- Open electrical fittings
- Smoking within the premises
- Storage of combustible material

Food poisoning
- Poor quality food served by the caterer

Hacking
- Contact with special security groups not maintained to remain updated about new technology / vulnerabilities / threats
- Vulnerability Assessment and Penetration Testing is not carried out periodically

Hazard due to failure of supporting utilities
- Improper rotation of shifts / extended working hours
- Inadequate HVAC arrangements
- No / inadequate lighting

Inability to operate in disaster
- Unavailability of BCP & DR plans

Information leakage
- "Return of assets" procedure is not followed
- Agreements do not address information exchange mechanism / terms of non-disclosure of information
- Confidentiality clause not addressed in agreements
- Data not encrypted between client and server
- Lack of internal security controls allowing Trojans, backdoor traps etc.
- No separation between development, test and production environments
- Password of default account is not changed (default account provided by application vendor)
- Terminated application admin's ID has not been disabled
- User rights are not reviewed periodically to detect unauthorized modifications

Information security breach / sabotage
- Absence of disciplinary process
- Disgruntled employee / integrity issue
- Lack of awareness of organizational responsibilities, including security responsibility
- Unavailability of employee agreements / NDA

IPR leakage / theft
- Uncontrolled access / copy rights

Issues with log traceability
- Device clocks are not synchronized

IT hardware / software malfunctioning
- Improper patch management

Legal liability
- Cryptographic keys are not compliant with applicable laws and regulation
- Pirated versions of software / applications in use
- Regulatory body's requirements applicable to the organization have not been identified & complied with
- User licenses exceeded

Loss of human life
- Entry to the premises is not restricted
- Personnel evacuation is not performed
- Personnel evacuation plan is not present
- Smoke detection and prevention mechanism is not present

Loss of information
- Absence of / inadequate backup policy / inadequate backup frequency / retention period
- Backups are not moved to offsite location
- No / improper incident management
- No / inadequate BCP & DR plans
- Restoration tests are not performed
- Retention period is not identified for backup media

Malware / virus attack
- Antivirus systems are not installed / antivirus definitions are not regularly updated
- External media used without scanning
- Internal / production network connected to internet

Man-made disaster (terrorist / mob attacks / bomb scare)
- Inadequate physical entry controls
- No business continuity plans / DR site
- No process to address unidentified objects in premises

Misuse of software licenses
- List of users is not maintained

Natural calamities (floods / earthquake)
- Data Centre situated in high seismic zone
- Improper civil structure
- Located in an area susceptible to flood
- No earth pit
- No lightning arrestors

Non compliance of law
- No proper contact and coordination is kept with external law authorities, special security forums etc.

Password sniffing
- Login through FTP and telnet

Risk of data theft / misuse
- Unavailability of secure storage of devices

Server / hardware failure
- Internet access is not restricted
- AMC / warranty is not in place

Social engineering
- Inadequate security training
- Lack of security awareness
- User awareness
- Absence of clearly defined HR policies and procedures

Spying
- Weaker security controls allowing easy access to organizational information

System (hardware / software failure)
- Mis-configured system
- No system maintenance
- Power outage

System (hardware / software failure) / unavailability of equipment
- Inadequate capacity planning & management process

Technical faults
- Inadequate maintenance
- Lack of equipment replacement scheme on a periodic basis
- Susceptibility to humidity, dust, soiling
- Temperature variations in the data centre

Theft / loss
- Unauthorized device movement

Theft / wilful damage
- Equipment is not stored in locked racks
- Lack of physical access controls
- No monitoring of data centre
- Public areas are not separated from critical areas such as the data centre
- Uncontrolled asset movements within / outside the organization

Unauthorized access
- Absence of clear desk / clear screen policy
- Data is stored on mobile devices without any security control
- Default accounts not disabled
- Default SNMP community strings detected
- Firewall remote access (external) for management is available through a weak communication channel
- Firewall web GUI management console accessible from the entire network remotely (internally / externally)
- Improper password management
- Logon banner displaying router or organizational information not disabled
- No / improper classification in terms of criticality
- No logging of configuration changes and authentication failures
- No monitoring policy
- No policy defined for issuance of data cards
- No policy for acceptable usage of internet
- Organization's IT assets are placed in a manner which allows unauthorized people to overlook restricted information displayed on the screen
- Passwords not encrypted
- Segregation of duties is not followed
- Session time-out not configured
- Telnet access enabled for remote management
- Traffic (internal / external) not allowed based on service access policy
- Unauthorized telnet access available
- Unavailability of role-based user management procedure (e.g. user accounts exist with higher privileges than required to perform a responsibility)
- Unnecessary rules are present in the firewall

Unauthorized access / modification
- Administrator logs are not reviewed
- Log monitoring systems are not password protected
- Logs are not stored in a read-only form; the administrator can modify the logs

Unauthorized access (read / modify)
- Baseline configuration document is not maintained
- Guest account is enabled
- Incident management process not in place
- Non-essential ports / services are open
- Operating system is not hardened / latest patches are not applied
- Terminated user accounts are not disabled
- Third party can connect from remote location
- Unrestricted access for third party employees
- User registration forms are not signed before creating the user on the system
- User rights are not reviewed periodically
- Vendor default accounts and passwords are not disabled

Unauthorized changes
- Absence of asset management
- Absence of change management
- Absence of change management for firewall related changes
- Baseline configuration document is not maintained for each device
- User rights are not defined

Unauthorized copying
- Absence of asset management procedure
- Unauthorized photocopies

Unauthorized disclosure / information leakage
- Disgruntled / corrupt employees
- Lack of security awareness
- No "exit procedure" in place to ensure return of assets / removal of access rights
- No agreement in place with third party / contract personnel
- No agreement signed with employees on terms and conditions of employment and non-disclosure
- No disciplinary process
- Transferring the data through email / internet
- Unclear responsibilities

Unauthorized logical access
- Absence of password policy
- Audit logging not enabled or reviewed
- Data is not encrypted before transmission
- Database information is not classified in terms of its criticality
- Direct access to database
- Lack of clear desk & clear screen policy
- Lack of identification and authentication mechanism, e.g. user based authentication
- Level of access is not implemented as per its criticality
- No / improper classification in terms of criticality
- No / incorrect access control policy
- No account lock-out policy
- No review of user access rights
- No segregation of network
- No stringent password policy / poor password management (easily guessable passwords, storing of passwords, inadequate frequency of change)
- User ID given by vendor is used / active in production environment

Unauthorized modification
- Operational (live) environment and live data are used for development and testing of the software
- Testing database and live database are kept on the same server

Unauthorized modifications
- Inadequate change control
- Inadequate configuration control
- Incident management process not in place
- Segregation of duties is not followed
- User activities are not logged (e.g. audit trails)

Unauthorized physical access
- Asset inventory is not maintained
- Employee after termination / separation is allowed to access the premises
- Inadequate physical entry controls
- Inappropriate equipment siting
- Lack of physical security controls
- No separation between public access areas, like the delivery area, and the operations area
- Ownership of assets is not defined
- Unrestricted physical access
- Unsupervised visitor movement / unsupervised work by third party
- Weak siting of servers allowing unauthorized view by onlookers

Unavailability / poor quality of services
- Contract renewal is not identified
- Lack of training
- Penalty clause is not defined in SLA
- Third party services are not monitored

Unavailability of cables
- Inadequate protection of cables
- Pest control is not done regularly

Unavailability of data / data corruption
- Backup media is not properly protected against dust, electromagnetic interference etc.
- Periodic restoration drills are not carried out

Unavailability of equipment
- Absence of change control
- Adequate redundancies are not planned
- Backup files not stored in a secured environment
- Capacity management is not carried out
- Lack of supporting utilities such as UPS, DG sets
- No / inadequate backup of router configuration files
- No / inadequate backup of firewall configuration / rule base files
- No consideration of redundancy in case of failure of a device
- SLA / AMCs not in place
- Unavailability of BCP & DR plans
- Unavailability of incident management
- Unstable power grid

Unavailability of information
- Backup is not present

Uncontrolled copying
- Absence of asset management procedure
- Computing equipment is sent for maintenance / repair without sanitization
- Data owner is not defined
- Unauthorized data copy / transfer through portable media like USB, zip drives, CDs

User error
- Inadequate user skills
- Lack of user training

Wardriving
- Wireless router is not configured with a password / WPA key
List of Vulnerabilities considered for the exercise

Threat Description: Vulnerability Description
Application failure: Lack of system planning and acceptance
Breach of licenses: Lack of control over software installation
Compromise of device security: Vulnerable services on the servers not disabled
Data theft / misuse: Lack of physical security controls
Disputes with service providers: Service requirements and scope of work are not defined in SLA, including service levels, security, availability etc.
Dust particles: Inadequate cleaning activities, e.g. dropping / spillage of food particles or liquid on the equipment, papers or removable media, causing damage
Fire: No smoke detection / fire suppression equipment; Open electrical fittings; Smoking within the premises; Storage of combustible material
Hacking: Vulnerability Assessment and Penetration Testing is not carried out periodically
Legal liability: Regulatory body's requirements applicable to the organization have not been identified & complied with
Non compliance of law: No proper contact and coordination is kept with external law authorities, special security forums etc.
Technical faults: Inadequate maintenance
Theft / wilful damage: Lack of physical access controls
Unauthorized access / modification: Log monitoring systems are not password protected
Unauthorized disclosure / information leakage: Lack of security awareness; No agreement in place with third party / contract personnel
Unauthorized physical access: Lack of physical security controls
Risk Ranking Template

Risk Value = Probability Value x Consequence Value. Rows are probability (likelihood), columns are consequence; both use the same 1..5 scale. In the register above, 16 is ranked Very High and 15 and 12 are ranked High.

                            Consequence
Probability      Value   Negligible   Low   Medium   High   Very High
                             1         2      3       4        5
Very High          5         5        10     15      20       25
High               4         4         8     12      16       20
Medium             3         3         6      9      12       15
Low                2         2         4      6       8       10
Negligible         1         1         2      3       4        5
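The scoring the template asks for is mechanical, so it is worth seeing it done end to end: the two register rows above scored on the 5 x 5 matrix, the revised (residual) risk after treatment, and a check of which rows still need management's sign-off. The following is an added example written for this page, not code from the lab manual. Its assumptions are marked in the code: the score-to-rank bands (the page only shows that 16 is Very High and that 15 and 12 are High), the risk appetite used for the sign-off check, the suggested controls for the web server row (the template's controls cell is empty) and the vulnerability text for that row, which is taken from the "considered for the exercise" list rather than the register itself.

```python
"""Worked risk scoring for the lab's 5x5 risk ranking template.

Added example; it is not code from the lab manual. Risk value is
likelihood value x consequence value on the template's 1..5 scales.
The page shows only three scored points (16 -> Very High, 15 -> High,
12 -> High), so the full score-to-rank bands in RANK_BANDS are an
assumption chosen to agree with those points.
"""
from dataclasses import dataclass, field
from typing import Optional

# 5-point scale used for both likelihood and consequence (from the template).
SCALE = {"Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}

# Assumed score bands as (lowest score in band, rank). Only 16 -> Very High
# and 15 / 12 -> High are on the page; the lower boundaries are a guess.
RANK_BANDS = [(16, "Very High"), (10, "High"), (5, "Medium"), (2, "Low"), (1, "Negligible")]

# Ordering of ranks, used for the (assumed) risk-appetite comparison.
RANK_ORDER = ["Negligible", "Low", "Medium", "High", "Very High"]


def risk_value(likelihood: str, consequence: str) -> int:
    """Risk Value cell of the template: likelihood value x consequence value."""
    return SCALE[likelihood] * SCALE[consequence]


def risk_rank(value: int) -> str:
    """Map a 1..25 risk value onto the VH/H/M/L/N ranking (assumed bands)."""
    for floor, rank in RANK_BANDS:
        if value >= floor:
            return rank
    raise ValueError(f"risk value out of range: {value}")


def ranking_matrix() -> list:
    """The template's 5x5 matrix: rows = probability Very High..Negligible,
    columns = consequence Negligible..Very High."""
    probs = ["Very High", "High", "Medium", "Low", "Negligible"]
    cons = ["Negligible", "Low", "Medium", "High", "Very High"]
    return [[risk_value(p, c) for c in cons] for p in probs]


@dataclass
class RiskRow:
    asset: str
    criticality: str
    threat: str
    threat_source: str
    vulnerability: str
    scenario: str
    consequence: str            # Negligible .. Very High
    likelihood: str             # Negligible .. Very High
    controls: list = field(default_factory=list)
    revised_likelihood: Optional[str] = None   # filled in after treatment

    def inherent(self) -> tuple:
        v = risk_value(self.likelihood, self.consequence)
        return v, risk_rank(v)

    def residual(self) -> tuple:
        # The template revises likelihood only; controls do not change consequence.
        lik = self.revised_likelihood or self.likelihood
        v = risk_value(lik, self.consequence)
        return v, risk_rank(v)

    def needs_acceptance(self, appetite: str = "Medium") -> bool:
        """True when the residual rank is above the (assumed) appetite, i.e. the
        'Management's acceptance / decision on residual risk' cell must be filled."""
        return RANK_ORDER.index(self.residual()[1]) > RANK_ORDER.index(appetite)


def build_register() -> list:
    """The two scored rows of the lab register. The vulnerability text for the
    web server row comes from the 'considered for the exercise' list; the
    controls are assumed, since the template's controls cell is empty."""
    return [
        RiskRow("Web Server", "High", "Compromise of device security",
                "Hacker / cracker / cyber criminal / insider",
                "Vulnerable services on the servers not disabled",
                "Data theft / misuse", consequence="High", likelihood="High",
                controls=["disable unneeded listening services (assumed)",
                          "apply OS / web server patches (assumed)"],
                revised_likelihood="Medium"),
        RiskRow("Airtel Internet Leased Line", "Medium", "", "", "", "",
                consequence="Medium", likelihood="Very High"),
    ]


def summarise(rows) -> list:
    """One (asset, inherent value, inherent rank, residual value, residual rank,
    needs sign-off) tuple per row, i.e. the Risk Assessment and Residual Risk
    columns of the template."""
    out = []
    for r in rows:
        iv, ir = r.inherent()
        rv, rr = r.residual()
        out.append((r.asset, iv, ir, rv, rr, r.needs_acceptance()))
    return out


if __name__ == "__main__":
    for line in summarise(build_register()):
        print(line)
```

Running it reproduces the register: the web server row scores 16 (Very High) and drops to 12 (High) once the revised likelihood of Medium is applied; the leased line row scores 15 (High) and, having no treatment recorded, stays there. Both residual ranks are above a Medium appetite, which is why the template's last column exists: a residual risk that is still High is not "treated", it is a decision management has to record.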
