IMS Risk Assessment _DRAFT_v3 1(Ori)


  • 7/25/2019 IMS Risk Assessment _DRAFT_v3 1(Ori)

    1/39

    Service

    Risk Owner | Service | Service Component

    IT Governance

    IT Service Management Team

    Project Sponsor

    Staff s

    Long le

    Service Management Representative Staff s

    Document Controller

    Staff s

    Long le

    Human

    Process Champions & Team Members

    Staff s

    Long le

    Service Desk Agent wrongly

    IT Service Management Tools

    CMDB Data lo

    EDMS System

    Service Desk System

    IT Service Management Documents

    ISO Documents Loss o

    ISO Records Loss o

    Network

    Hardware (Network Equipments / Servers) Hardw

    Hardware (Network Equipments / Servers) Hardw

    Hardware (UPS) Battery

    Hardware (Structured Cabling) Water

    Network Administrator System

    Software Unauth

    Managed IPVPN Router, ISDN Backup IPVPN

    Managed VSAT IDU, ODU, Router, Modem VSAT

    Storage Hardware a) Storage Server

    2/39

    Program

    System Maintenance & Support

    Consultation Service

    Lack of

    Integration Service

    3rd Party Outsourcing

    Rely on

    Enterprise Content Management

    ABAP Program

    Plantation Applications

    Weighbridge & Mill Applications

    Enterprise Transport Management

    Website & Portal IIS stop

    Technology Integration Solution (TIS)

    New Dimension Product (NDP)

    Others Applications

    Rely on

    3rd Parties Applications

    Rely on

    Wrongly

    Business Application/IT Services

    (New Request)

    System Development & Implementation

    Hardware, Software, System interfaces, Data and information, People, System mission

    1. Data 2. Progr

    1. Progr 2. Comm. Data

    1. Web 2. Stora

    Business Application

    (Existing Application System)

    Server / Internet Service down, Hardware Software

    System interfaces, Data and information, People, System mission

    Lost co

    1. Secur 2. Misus

    1. Netwo 2. Datab 3. EIS S

    1. IIS st 2. Data 3. DLL 4. Virus

    1. Web 2. Scan 3. Stora

    SAP ECC 6.0 / SAP Customized - Configuration Management

    3/39

    3O8A33AD 9A3RI, IS3AI,

    IT GOVERNANCE

    1 3ar 4610

    4/39

    Risk Owner | Service

    System Maintenance & Support

    Consultation Service

    Integration Service

    3rd Party Outsourcing

    Enterprise Content Management

    ABAP

    Plantation Applications

    Weighbridge & Mill Applications

    Enterprise Transport Management

    Website & Portal

    Technology Integration Solution (TIS)

    Business Application/IT Services

    (New Request)

    System Development &

    Implementation

    Business Application (Existing Application System)

    5/39

    New Dimension Product (NDP)

    Others Applications

    3rd Parties Applications

    6/39

    Service

    Service Component | Threats

    Program errors (Logic & formula)

    Lack of latest technology update

    Rely on Vendor

    Program errors (Logic & formula)

    IIS stop functioning

    Hardware

    Software, System interfaces, Data and information, People, System mission

    1. Data not keyed in timely 2. Program errors (Logic & formula)

    1. Program errors (Logic & formula) 2. Communication line not stable. Data corrupted

    1. Web Application Server Stop

    7/39

    Rely on Vendor

    Rely on Vendor

    1. Web Application Server Stop

    8/39

    Risk Register

    Vulnerabilities | Risk Description

    Wrong reports produced, Competent programmer. Reports

    End user could not perform daily task in appropriate manner. System errors and not functioning as usual.

    System or program is inaccessible

    Wrong reports produced, Competent programmer

    Lack of support from Vendor. Creating the risk of delivery disruption or failure

    Wrong reports produced, Competent programmer. Impact on Cmp/unit Business Operation

    Lack of monitoring by the Server Team. Unable to retrieve latest data from SAP/RML

    Unauthorized personnel misuse the confidential information. Security access control (authorization)

    Lack of monitoring by the Network/Server Team. Impact on daily business operation and company's profit.

    Lack of monitoring by the Server Team. Application will not function.

    Reports could be produced in timely manner due to delay in posting.

    1. Application will not function 2. System will be slow

    1. Patches not up to date 2. Not well monitored

    1. Application will not function

    1. Not well monitored 2. Program not properly stopped (during process in progress/running). 3. Related to the OS 4. Antivirus not up to date or not functioning

    1. Application will not function 2. System will be slow

    9/39

    Lack of support from Vendor. Creating the risk of delivery disruption or failure

    Lack of support from Vendor. Creating the risk of delivery disruption or failure

    1. Patches not up to date 2. Not well monitored

    1. Application will not function

    10/39

    11/39

    C, I

    A 4

    A 4

    12/39

    Risk Treatment

    Risk ID | Current Control | Risk Treatment

    Treat

    Treat

    Transfer

    Transfer

    Treat

    System Landscape (Dev, QAS, Prd) Threat

    Restart service ASAP when connectivity is restored. Transfer

    Authorization matrix. Threat

    Threat

    Transfer

    Only Authorised person has access right only. Change request (CR) should be established for any programs change.

    Change request (CR) should be established for any programs change.

    1. Monitor by Server Team 2. Replace the file or repair the file that has been corrupted. 3. Re-register DLL 4. Antivirus update

    1. Treat 2. Replace 3. Treat 4. Treat

    Developers need to ensure their software meets the highest standards for quality from vendor

    1. Monitored by Server Team

    2. Monitored by

    13/39

    Treat

    Transfer

    Transfer

    1. Monitored by Server Team 2. Monitored by

    14/39

    Plan

    Controls to be implemented | Target Risk Level

    M

    M

    M

    L

    Send Abapers to Abap Training. M

    Always monitor the condition of the servers. M

    To strengthen on authorization L

    To suggest the best method of communication line L

    Always monitor the condition of the servers. M

    M

    1. User acceptance test (UAT) and training shall be conducted and signed off by user. One of the scope of project implementation. 2. Unauthorized change to the program (abapers & programmer). Send abapers/programmer to attend training

    15/39

    L

    To choose preferred vendor by technical evaluation. L

    To choose preferred vendor by technical evaluation. L

    Perform daily health check/monitoring the condition of the server

    16/39

    Risk Owner | Service

    ERP Consulting

    Training

    Create/Maintain Master Data

    System support

    SAP ECC 6.0 /

    SAP Customized - Configuration Management

    SAP ECC 6.0 / SAP Customized - Enhancement Management

    SAP ECC 6.0 / SAP Customized - Program Change Management

    SAP ECC 6.0 / SAP Customized - ESS integration with SAP ECC6 system

    SAP ECC 6.0 / SAP Customized - MSS integration with SAP ECC6 system

    SAP ECC 6.0 / SAP Customized - Integration between other systems with SAP ECC6.0 (Non-SAP)

    17/39

    Service

    Service Component | Threats

    Wrongly transported. Wrongly configured

    Misconcept

    Misconcept

    System not accessible

    System not accessible

    Lack of trainer. Trainer not ready for training.

    Late creation or double creation.

    Slow speed at peak time.

    SAP PRD, SAP QAS, SAP DEV, ESS, MSS, Non SAP Application

    Integration system down. System cannot be accessed. Power failure.

    18/39

    Risk Register

    Vulnerabilities | Risk Description

    Requirements from user are not clearly configured and analysed.

    Requirements from user are not clearly configured and analysed.

    Server failure, no backup performed regularly. System not accessible.

    Server failure, no backup performed regularly. System not accessible.

    Left out transport number. New staff doing config. Staff left out some steps to config.

    If configuration is wrongly transported or done, PRD might have problems, especially when it is involved with daily routine like printing invoice, cheque, delivery process, etc.

    If requirement from user is not clear and there is functional misconception of user demand, the enhancement may not be accepted by user even though confirmation with user has been done.

    If requirement from user is not clear and there is functional misconception of user demand, the enhancement may not be accepted by user even though confirmation with user has been done.

    Most probably for scheduled jobs that integrate between Non-SAP and SAP systems.

    Whenever the scheduled job fails to perform, the information and data from the non-SAP system such as WBS need to be interfaced manually.

    Trigger for crash course training, or whenever there are certain periods that staff are on leave.

    Staff still not competent to give training, especially for new staff. No staff to provide training as the number of staff is insufficient to fulfill two services, which are system support and training.

    Data duplicated as data is keyed in SAP without checking first. Missing details to ease the creation. New staff don't know the procedure.

    If details of master data are not completely provided, buffer time will increase as there is a need to gather the info from user and fulfill any other relevant data.

    Daily routine cannot be carried out, e.g. print cheque, invoice, delivery process, etc.

    Sometimes at peak times (closing) some processes are not up to expectation.

    19/39

    A, C, I

    A, C, I

    A, C, I

    C, I

    C, I

    A, C, I

    A

    A, C, I

    A, C, I

    (A = Availability, C = Confidentiality, I = Integrity)

    Impact / Severity (Score 1-5)

    Probability / Likelihood (Score 1-5)

    Result of Risk (Total Score)

    20/39

    Risk Treatment

    Risk ID | Current Control | Risk Treatment

    Testing in QAS before transport to PRD. Treat

    User acceptance testing. Treat

    User acceptance testing. Treat

    Perform regular monitoring and maintenance. Treat

    Perform regular monitoring and maintenance. Treat

    Perform regular monitoring and maintenance. Treat

    Senior will replace trainer and junior will join the training. Treat

    Do verification with user. Confirm all the relevant details. Treat

    Ensure server runs at the highest availability. Treat

    21/39

    Plan

    Controls to be implemented | Target Risk Level

    L

    L

    L

    L

    L

    L

    L

    L

    L

    Re-config or re-transport if they should have any problem. Testing again at QAS before transport to PRD.

    Meeting user to gather the requirement clearly and get the user confirmation on the user request.

    Meeting user to gather the requirement clearly and get the user confirmation on the user request.

    Monitor, check and reporting.

    Monitor, check and reporting.

    Monitor, check and reporting.

    Junior trainer needs to undergo relevant training to build up competency skills to conduct training.

    Checking the master table before doing the new creation of master data. Checking all relevant info is sufficient to create the new master data. Make sure every staff understands and follows the SOP.

    During peak time the server needs to provide the most usage at practical speeds.

    22/39

    Risk Owner | Service

    Managed Enterprise Services

    Rental Service

    E-mail

    23/39

    Service

    Service Component | Threats

    PC, Notebook, Server

    Loss of data due to hardware failure

    Uncontrolled virus attack / intrusion

    Server Hardware failure

    Power failure

    Network failure

    Software Spam

    Software Unauthorized access

    Software E-mail missing

    Software Phishing

    Software (Webmail) Apache and Dovecot not running

    24/39

    Risk Register

    Vulnerabilities | Risk Description

    Lack of maintenance

    a) Not properly shut down b) Old Hardware

    Lack of patch updates

    Email services inaccessible.

    Susceptibility to voltage variations. Email services inaccessible.

    Lack of network maintenance. Email services inaccessible.

    Published email address. Email addresses harvested by spammer.

    Lack of patch updates and poor password management. Email server is compromised.

    Misconfiguration. Important emails are lost.

    Lack of server maintenance and user awareness

    Lack of monitoring mechanism. Webmail service is inaccessible.

    PC, Notebook, Server harvested by viruses, spammer and may affect other PC, Notebook or server within the VLAN

    Email accounts are compromised and server being blacklisted by external mail servers.

    25/39

    C, A

    A

    A

    A

    A

    C

    C

    A

    C, I

    A

    (A = Availability, C = Confidentiality, I = Integrity)

    Impact / Severity (Score 1-5)

    Probability / Likelihood (Score 1-5)

    Result of Risk (Total Score)

    26/39

    Risk Treatment

    Risk ID | Current Control | Risk Treatment

    Perform preventive maintenance Treat

    Perform preventive maintenance Treat

    Perform regular maintenance Treat

    Regular check by

    27/39

    Plan

    Controls to be implemented | Target Risk Level

    L

    L

    L

    Periodic checks and updates by

    28/39

    Risk Owner | Service

    Network

    Managed IPVPN

    Managed VSAT

    Managed CCTV surveillance

    Managed LAN

    Managed Communication &

    Data Security

    Managed Door Access Security System

    29/39

    30/39

    Service

    Service Component | Threats

    Hardware (Network Equipments / Servers) Hardware failure

    Hardware (Network Equipments / Servers) Hardware failure

    Hardware (UPS) Battery dry out

    Hardware (Structured Cabling) Water leakage and pests attack

    Network Administrator System hacked

    Software Unauthorized access

    Router, ISDN Backup IPVPN/IPVPN Value

    31/39

    Unauthorized access

    32/39

    Risk Register

    Vulnerabilities | Risk Description

    Lack of maintenance. Network services are inaccessible.

    Susceptibility to voltage variations. Network services are inaccessible.

    Lack of maintenance

    Lack of periodic building maintenance and pest control. Network is intermittent or inaccessible.

    Poses a security threat

    Lack of maintenance and poor password management. Network services are inaccessible.

    Lack of maintenance. Network services are inaccessible.

    Lack of maintenance. Network services are inaccessible

    Lack of maintenance. CCTV unable to operate

    Lack of network maintenance. CCTV unable to operate

    Susceptibility to voltage variations. CCTV unable to operate

    Lack of maintenance

    Lack of network maintenance

    Susceptibility to voltage variations

    Lack of network maintenance. Network services are inaccessible

    Network services are inaccessible when there is no electricity.

    Lack of competence in monitoring day-to-day network activities and security of the systems

    33/39

    Misconfiguration

    System being hacked and information stolen by hackers

    34/39

    A

    A

    A

    A

    C, I, A

    A

    A

    A

    A

    A

    A

    C, A

    C, A

    C, A

    A

    (A = Availability, C = Confidentiality, I = Integrity)

    Impact / Severity (Score 1-5)

    Probability / Likelihood (Score 1-5)

    Result of Risk (Total Score)

    35/39

    C, I, A

    36/39

    Risk Treatment

    Risk ID | Current Control | Risk Treatment

    Perform regular maintenance Transfer

    Regular check by Network Team / OSS Treat

    Perform regular maintenance Treat

    Regular check by

    37/39

    Regular check by Network Team Treat

    38/39

    Plan

    Controls to be implemented | Target Risk Level

    L

    Periodic checks and updates by Network Team / OSS L

    L

    Periodic updates by

    39/39

    M

    a) Implement Intrusion Prevention System (IPS) b) System penetration test