7/25/2019 IMS Risk Assessment _DRAFT_v3 1(Ori)
1/39
Service
Risk Owner Service Service Component
IT Governance
IT Service Management Team
Project Sponsor
Staff s
Long le
Service Management Representative Staff s
Document Controller
Staff s
Long le
Human
Process Champions & Team Members
Staff s
Long le
Service Desk Agent Wrongly
IT Service Management Tools
CMDB Data lo
EDMS System
Service Desk System
IT Service Management Documents
ISO Documents Loss o
ISO Records Loss o
Network
Hardware (Network Equipments / Servers) Hardw
Hardware (Network Equipments / Servers) Hardw
Hardware (UPS) Battery
Hardware (Structured Cabling) Water
Network Administrator System
Software Unauth
Managed IPVPN Router, ISDN Backup IPVPN
Managed VSAT IDU, ODU, Router, Modem VSAT
Storage Hardware a) Storage Server
Program
System Maintenance & Support
Consultation Service
Lack of
Integration Service
3rd Party Outsourcing
Rely on
Enterprise Content Management
ABAP Program
Plantation Applications
Weighbridge & Mill Applications
Enterprise Transport Management
Website & Portal IIS stop
Technology Integration Solution (TIS)
New Dimension Product (NDP)
Others Applications
Rely on
3rd Parties Applications
Rely on
Wrongly
Business Application/IT Services
(New Request)
System Development / Implementation
Hardware, Software, System interfaces, Data and information, People, System mission
1. Data 2. Progr
1. Progr 2. Comm 3. Data
1. Web 2. Stora
Business Application
(Existing Application System)
Server / Internet Service down, Hardware Software
System interfaces, Data and information, People, System mission
Lost co
1. Secur 2. Misus
1. Netwo 2. Datab 3. EIS S
1. IIS st 2. Data 3. DLL 4. Virus
1. Web 2. Scan 3. Stora
SAP ECC 6.0 / SAP Customized - Configuration Management
3O8A33AD 9A3RI, IS3AI,
IT GOVERNANCE
1 3ar 4610
Risk Owner Service
System Maintenance & Support
Consultation Service
Integration Service
3rd Party Outsourcing
Enterprise Content Management
ABAP
Plantation Applications
Weighbridge & Mill Applications
Enterprise Transport Management
Website & Portal
Technology Integration Solution (TIS)
Business Application/IT Services
(New Request)
System Development / Implementation
Business Application (Existing Application System)
New Dimension Product (NDP)
Others Applications
3rd Parties Applications
Service
Service Component Threats
Program errors (Logic & formula)
Lack of latest technology update
Rely on Vendor
Program errors (Logic & formula)
IIS stop functioning
Hardware
Software, System interfaces, Data and information, People, System mission
1. Data not keyed in timely 2. Program errors (Logic & formula)
1. Program errors (Logic & formula) 2. Communication line not stable 3. Data corrupted
1. Web Application Server Stop
Rely on Vendor
Rely on Vendor
1. Web Application Server Stop
Risk Register
Vulnerabilities Risk Description
Wrong reports produced, Competent programmer Reports
End user could not perform daily task in appropriate manner. System errors and not functioning as usual.
System or program is inaccessible
Wrong reports produced, Competent programmer
Lack of support from Vendor. Creating the risk of delivery disruption or failure.
Wrong reports produced, Competent programmer. Impact on Cmp/unit Business Operation
Lack of monitoring by the Server Team. Unable to retrieve latest data from SAP/RML.
Unauthorized personnel misuse the confidential information. Security access control (authorization).
Lack of monitoring by the Network/Server Team. Impact on daily business operation and company's profit.
Lack of monitoring by the Server Team. Application will not function.
Reports could be produced in timely manner due to delay in posting.
1. Application will not function 2. System will be slow
1. Patches not up to date 2. Not well monitored
1. Application will not function
1. Not well monitored 2. Program not properly stopped (during process in progress/running) 3. Related to the OS 4. Antivirus not up to date or is not functioning
1. Application will not function 2. System will be slow
Lack of support from Vendor. Creating the risk of delivery disruption or failure.
Lack of support from Vendor. Creating the risk of delivery disruption or failure.
1. Patches not up to date 2. Not well monitored
1. Application will not function
C,I # $#
A 4
A 4
Risk Treatment
Risk ID Current Control Risk Treatment
Treat
Treat
Transfer
Transfer
Treat
System Landscape (Dev, QAS, Prd) Treat
Restart service ASAP when connectivity is restored. Transfer
Authorization matrix. Treat
Treat
Transfer
Only authorised person has access right. Change request (CR) should be established for any program change.
Change request (CR) should be established for any program change.
1. Monitored by Server Team 2. Replace the file or repair the file that has been corrupted 3. Re-register DLL 4. Antivirus update
1. Treat 2. Replace 3. Treat 4. Treat
Developers need to ensure their software meets the highest standards for quality from vendor
1. Monitored by Server Team
2. Monitored by
Treat
Transfer
Transfer
1. Monitored by Server Team 2. Monitored by
Plan
Controls to be implemented Target Risk Level
M
M
M
L
Send Abapers to Abap Training. M
Always monitor the condition of the servers. M
To strengthen authorization. L
To suggest the best method of communication line. L
Always monitor the condition of the servers. M
M
1. User acceptance test (UAT) and training shall be conducted and signed off by user. One of the scope of project implementation. 2. Unauthorized change to the program (abapers & programmer). Send abapers/programmer to attend training.
L
To choose preferred vendor by technical evaluation. L
To choose preferred vendor by technical evaluation. L
Perform daily health check/monitoring the condition of the server
Risk Owner Service
ERP Consulting
Training
Create/Maintain Master Data
System support
SAP ECC 6.0/
SAP Customized - Configuration Management
SAP ECC 6.0/SAP Customized - Enhancement Management
SAP ECC 6.0/SAP Customized - Program Change Management
SAP ECC 6.0/SAP Customized - ESS integration with SAP ECC6 system
SAP ECC 6.0/SAP Customized - MSS integration with SAP ECC6 system
SAP ECC 6.0/SAP Customized - Integration between other systems with SAP ECC6.0 (Non-SAP)
Service
Service Component Threats
Wrong transport. Wrong configuration.
Misconcept
Misconcept
System not accessible
System not accessible
Lack of trainer. Trainer not ready for training.
Late creation or double creation.
Slow speed at peak time.
SAP PRD, SAP QAS, SAP DEV, ESS, MSS, Non SAP Application
Integration system down. System cannot be accessed. Power failure.
Risk Register
Vulnerabilities Risk Description
Requirement from user is not clearly configured and analysed.
Requirement from user is not clearly configured and analysed.
Server failure, no backup performed regularly. System not accessible.
Server failure, no backup performed regularly. System not accessible.
Left out transport number. New staff doing config. Staff left out some steps to config.
If configuration wrongly transported or done, PRD might have problem especially when it's involved with daily routine like printing invoice, check, delivery process, etc.
If requirement from user not clear and functional misconception on user demand, the enhancement is not accepted by user even though confirmation with user has been done.
If requirement from user not clear and functional misconception on user demand, the enhancement is not accepted by user even though confirmation with user has been done.
Most probably for scheduled job to integrate between Non-SAP and SAP system.
Whenever the scheduled job fails to perform, then need to manually interface the information and data from the non-SAP system such as WBS.
Trigger for crash course training or whenever there are certain periods that staff is on leave.
Staff still not competent to give training especially for new staff. No staff to provide training as number of staff is insufficient to fulfill two services which are for system support and training.
Data duplicate as keyed in data entry in SAP without checking first. Missing details to ease the creation. New staff don't know the procedure.
If detail of master data is not completely provided, buffer time will increase as need to gather the info from user and fulfill any other relevant data.
Daily routine cannot be carried out e.g. print cheque, invoice, delivery process, etc.
Sometimes at peak times (closing) some process is not up to expectation.
A,C,I
A,C,I
A,C,I
C,I
C,I
A,C,I
A
A,C,I
A,C,I
(A=Availability, C=Confidentiality, I=Integrity)
Impact - Severity (Score 1-5)
Probability - Likelihood (Score 1-5)
Result of Risk (Total Score)
Risk Treatment
Risk ID Current Control Risk Treatment
Testing in QAS before transport to PRD. Treat
User acceptance testing. Treat
User acceptance testing. Treat
Perform regular monitoring and maintenance. Treat
Perform regular monitoring and maintenance. Treat
Perform regular monitoring and maintenance. Treat
Senior will replace trainer and junior will join the training. Treat
Do verification with user. Confirm all the relevant details. Treat
Ensure server runs at the most availability. Treat
Plan
Controls to be implemented Target Risk Level
L
L
L
L
L
L
L
L
L
Re-config or re-transport if they should have any problem. Testing again at QAS before transport to PRD.
Meeting user to gather the requirement clearly and get the user confirmation on the user request.
Meeting user to gather the requirement clearly and get the user confirmation on the user request.
Monitor, check and reporting.
Monitor, check and reporting.
Monitor, check and reporting.
Junior trainer needs to undergo relevant training to build up competency skills to conduct training.
Checking the master table before doing the new creation of master data. Checking all relevant info are sufficient to create the new master data. Make sure every staff understands and follows the SOP.
During peak time server needs to provide the most usage at practical speeds.
Risk Owner Service
Managed Enterprise Services
Rental Service
E-mail
Service
Service Component Threats
PC, Notebook, Server
Loss of data due to hardware failure
Uncontrolled viruses attack / intrusion
Server Hardware failure
Power failure
Network failure
Software Spam
Software Unauthorized access
Software E-mail missing
Software Phishing
Software (Webmail) Apache and Dovecot not running
Risk Register
Vulnerabilities Risk Description
Lack of maintenance
a) Not properly shutdown b) Old Hardware
Lack of patch updates
Email services inaccessible.
Susceptibility to voltage variations. Email services inaccessible.
Lack of network maintenance. Email services inaccessible.
Published email address. Email addresses harvested by spammer.
Lack of patch updates and poor password management. Email server is compromised.
Misconfiguration. Important emails are lost.
Lack of server maintenance and user awareness
Lack of monitoring mechanism. Webmail service is inaccessible.
PC, Notebook, Server harvested by viruses, spammer and may affect other PC, Notebook or server within the VLAN
Email accounts are compromised and server being blacklisted by external mail servers.
C, A
A
A
A
A
C
C
A
C, I
A
(A=Availability, C=Confidentiality, I=Integrity)
Impact - Severity (Score 1-5)
Probability - Likelihood (Score 1-5)
Result of Risk (Total Score)
Risk Treatment
Risk ID Current Control Risk Treatment
Perform preventive maintenance Treat
Perform preventive maintenance Treat
Perform regular maintenance Treat
Regular check by
Plan
Controls to be implemented Target Risk Level
L
L
L
Periodic checks and updates by
Risk Owner Service
Network
Managed IPVPN
Managed VSAT
Managed CCTV surveillance
Managed LAN
Managed Communication & Data Security
Managed Door Access Security System
Service
Service Component Threats
Hardware (Network Equipments / Servers) Hardware failure
Hardware (Network Equipments / Servers) Hardware failure
Hardware (UPS) Battery dry out
Hardware (Structured Cabling) Water leakage and pests attack
Network Administrator System hacked
Software Unauthorized access
Router, ISDN Backup IPVPN/IPVPN Value
Unauthorized access
Risk Register
Vulnerabilities Risk Description
Lack of maintenance. Network services are inaccessible.
Susceptibility to voltage variations. Network services are inaccessible.
Lack of maintenance
Lack of periodic building maintenance and pest control. Network is intermittent or inaccessible.
Poses a security threat
Lack of maintenance and poor password management. Network services are inaccessible.
Lack of maintenance. Network services are inaccessible.
Lack of maintenance. Network services are inaccessible.
Lack of maintenance. CCTV unable to operate.
Lack of network maintenance. CCTV unable to operate.
Susceptibility to voltage variations. CCTV unable to operate.
Lack of maintenance
Lack of network maintenance
Susceptibility to voltage variations
Lack of network maintenance. Network services are inaccessible.
Network services are inaccessible when there is no electricity.
Lack of competency in monitoring day to day network activities and security of the systems
Misconfiguration
System being hacked and information stolen by hackers
A
A
A
A
C, I, A
A
A
A
A
A
A
C, A
C, A
C, A
A
(A=Availability, C=Confidentiality, I=Integrity)
Impact - Severity (Score 1-5)
Probability - Likelihood (Score 1-5)
Result of Risk (Total Score)
C, I, A
Risk Treatment
Risk ID Current Control Risk Treatment
Perform regular maintenance Transfer
Regular check by Network Team / OSS. Treat
Perform regular maintenance Treat
Regular check by
Regular check by Network Team. Treat
Plan
Controls to be implemented Target Risk Level
L
Periodic checks and updates by Network Team / OSS. L
L
Periodic updates by
M
a) Implement Intrusion Prevention System (IPS) b) System penetration test