
FPSSB/IMS/REC/RISK-001

Template Version: 1.0

RISK ASSESSMENT

Service
Risk Owner

Service

Risk Register
Service Component

Threats

Vulnerabilities

Risk Description

Risk Treatment Plan


(A=Availability, C=Confidentiality,
I=Integrity)

Impact / Severity
(Score 1-5)

Probability/ Likelihood
(Score 1-5)

Result of Risk
(Total Score)

Risk ID

Control Annex

Current Control

Risk Treatment
Treat

Staff shortage

Lack of commitment, resign, and unavailability

Unable to maintain certification,

Attend all SMS related meetings, workshops and training

Long leave (accident /illness)

Lack of back-up person to approve ITSM documents.

Delay,

Train backup

Staff shortage

Lack of knowledge, direction, experience and commitment; resignation

Unable to maintain certification,

Perform regular monitoring by Project Sponsor and Consultant

Treat

Staff shortage

Lack of knowledge, experiences and commitment, resign

Unable to maintain certification,

Assign backup person

Treat

Long leave (accident /illness)

Lack of back-up person to maintain the process

Unable to maintain certification,

Assign backup person

Human error

Lack of knowledge and experience

Unable to maintain the process,

C,I

Attend workshop or training

Staff shortage

Lack of knowledge, experiences and commitment, resign

Unable to maintain the process,

10

Perform regular monitoring by SMR and DC. Attend SMS workshop or training

Treat

Long leave (accident /illness)

Lack of back-up person to maintain the process

Unable to maintain the process,

Assign Process Team Member

Treat

Perform regular monitoring by SMR and DC. Attend SMS workshop or training

Controls to be implemented

Target Risk Level

Progress update to Management Meeting

Project Sponsor
Accept

Buddy System

Progress update to Project Sponsor.


Service Management Representative

IT Service Management Team


Document Controller

IT Governance

Process Champions & Team Members

Service Desk Agent


CMDB
IT Service Management Tools

wrongly assigning ticket


Data loss, Data integrity

EDMS

System not accessible

Lack of knowledge and experiences

Cause delay for re-assigning ticket

Manual control for ERP & BA

Data corrupted, lost track of latest version Excel files.

Server failure, no backup performed regularly

System not accessible, data corrupted.

A
A, I
A, I

3
4
3

3
1
1

4
3

Backup, scattered files locations


Maintain hardcopy

Treat

Use tool (ISO Portal)

Accept

Treat
Treat
Treat

Service Desk

System not accessible

Lack of maintenance

System not accessible.

10

Perform regular monitoring and maintenance.

Treat

ISO Documents

Loss of documents

Lack of documents maintenance

Unavailability of documents.

Perform regular checking and updating

Treat

ISO Records

Loss of records

Lack of records maintenance

Unavailability of records.

Perform regular checking and updating

Treat

Hardware (Network Equipment / Servers)

Hardware failure

Lack of maintenance

Network services are inaccessible.

Perform regular maintenance

Hardware (Network Equipment / Servers)

Hardware failure

Susceptibility to voltage variations

Network services are inaccessible.

Regular check by Network Team / OSS

Treat

Hardware (UPS)

Battery dry out

Lack of maintenance

Network services are inaccessible when there is no electricity.

Perform regular maintenance

Treat

Hardware (Structured Cabling)

Water leakage and pest attack

Lack of periodic building maintenance and pest control

Network is intermittent or inaccessible.

Regular check by FES

Network Administrator

System hacked

Lack of competence in monitoring day-to-day network activities and the security of the systems

Poses a security threat

C, I, A

Software

Unauthorized access

Lack of maintenance and poor password management

Network services are inaccessible.

Perform regular maintenance

Treat

Router, ISDN Backup

IPVPN/IPVPN Value Failure

Lack of maintenance

Network services are inaccessible.

Perform regular maintenance

Treat

IT Service Management Documents

Transfer

Network

Managed IPVPN

L
Use tool (ISO Portal)

Transfer

L
Progress update to SMR and DC. Encourage ITIL certification.

L
L

Progress update to SMR. Encourage regular awareness.
Backup, centralized storage for Excel master files
ISO Portal will replace EDMS in 2013

L
L
L

Monitor, check and report. Perform quarterly maintenance. Plan to change to a new ITIL-compliant system.
Regular update and review of the documents

L
L

Regular update and review of the records

Continuous monitoring, checking and reporting. Engaged vendors for maintenance.
Periodic checks and updates by Network Team / OSS
Monitor, check and report. Introduce IP-based UPS system.
Periodic updates by FES.

45%
45%
45%
10%

Manager alerts, evaluates and verifies new software updates.
a) Not guaranteed; based on best effort

45%
50%

a) Sign up SLA with Telekom (Max 2 days resolution)


Managed VSAT

Managed CCTV surveillance

IDU, ODU, Router, Modem

VSAT Failure

Lack of maintenance

Network services are inaccessible

Perform regular maintenance

Transfer

Hardware
a) Storage Server
b) Camera

Storage server down and camera faulty.

Lack of maintenance

CCTV unable to operate

Perform regular maintenance

Treat

Network

Network failure

Lack of network maintenance

CCTV unable to operate

Regular check by Network Team

Treat

Electricity

Power failures.

Susceptibility to voltage variations

CCTV unable to operate

Regular check by FES

Treat

Lack of maintenance

Failed delivery of attendance data to server (TMS and SAP) due to malfunction of Controller or Card reader

C, A

Perform preventive maintenance

Treat

50%
b) NMS software to monitor
a) Monitoring and maintenance checking on a daily, monthly and yearly basis to ensure sustained operation.
b) Troubleshoot server
c) Preventive maintenance (SLA)
d) Disaster recovery
e) Check network availability & performance
f) Reset camera's power & network cable
g) Repair or change camera

45%

Managed Network & Desktop Services

Hardware
a) Server
b) Controller
c) Card reader

Malfunction Controller or Card reader.

Check network availability & performance

45%

Back up power must be on standby


a) Preventive maintenance (twice a year) to make sure all hardware and software are in good condition
b) Repair or change controller or controller's power & network cable
c) Reset or change card reader

45%

45%

a) Check network availability & performance
b) Check and reset communication converter
c) Change communication converter (faulty)

Managed Door Access Security System
Network

Network down.

Lack of network maintenance

Data stuck or pending at controller & not transferred to server, so data will not be updated with the latest records and there is no access report.

C, A

Regular check by Network Team

Treat

Electricity

Power failures.

Susceptibility to voltage variations

System will fail to function (i.e. door not secure) after battery
backup runs out

C, A

Regular check by Network Team / FES

Treat

45%

Back up power must be on standby

45%

a) Sign maintenance agreement with vendors


Core switch failures
Managed LAN

Lack of network maintenance

Network services are inaccessible

Regular check by Network Team

Treat

Core Switch, Access Switch


System being hacked and information stolen by hackers
Unauthorized access

Misconfiguration

1. Virus Attack
2. Antivirus installed cannot communicate with
server (not connected to Felda network)

1. Antivirus software not updated
agent corrupted
3. No scanning for external devices, i.e. pen drives
4. Stand alone / Streamyx

C, I, A

Program error

Too many unauthorized software/applications installed at the user's place

Regular check by Network Team

Treat

2. Antivirus

b) Use Network Management System (NMS) software to monitor daily activity
a) Implement Intrusion Prevention System (IPS)
b) System penetration test

45%

45%

1. Execute Symantec Endpoint installation to FGC.
2. Install new updates / set user PC or notebook unmanaged (live update from internet).

C, I, A

1. To make sure only authorized software approved by management is installed on users' PCs
2. To ensure Symantec Gateway always filters incoming email and eliminates spam.

PC Windows OS / Software (MS-Office )


C, I, A

3. Blue Coat Implementation


Field Services

Hardware Services & Support


Email Program

To ensure Symantec Gateway always filters incoming email and eliminates spam.

Spam
A
1. PC not properly shutdown
2.Old Hardware

Basis
Asset Management

PC Hardware

HDD failure

Printer

Printer error / Cannot print

1.Missing Driver
2. Printer cable loose

2.
3. install

1. Preventive maintenance

User Authorisation and Administration


Asset Rental
No redundancy for Genset at Wisma Felda
Generator Set

UPS
Data Centre

1. Propose file server backup to be kept on external device
UPS at critical PC.
4. Preventive Maintenance

C, A

All equipment in the computer room will be down after about 30 mins

More than one UPS module breakdown at the same time (currently 3X30KVA)
When any one UPS module fails, some servers have to be shut down.

1. To ensure that FESSB maintains and tests the genset periodically
2. To move Data Centre to a different location

1. To replace UPS battery every year.
2. To get new UPS for back-up
3. To prepare a listing of less critical servers

To have in place a real-time online disaster recovery plan

Data Centre Management


SKB IBM i570 machine
SKB IBM DR i570 machine
Air cond

SKB system not available or compromise

Felda group business operation interrupted

SKB system not available or compromise

Cannot provide business continuity in the event of a disaster.

unexpected downtime

3 out of 4 units is very old (more than 10 years)

Hardware failure
Managed Enterprise Services E-mail

Server

To develop SOP -'backup process'

1. To sign maintenance contract
2. Monthly service

A
Email services inaccessible.

Hardware monitoring and sign hardware maintenance contract

Power failure

Susceptibility to voltage variations

Email services inaccessible.

Maintain Datacenter UPS

Network failure

Lack of network maintenance

Email services inaccessible.

Perform regular monitoring and maintenance

Treat
Transfer
Treat

Hardware monitoring and sign hardware maintenance contract
Periodic checks and updates of Datacenter UPS
Monitor, check and report. Perform monthly maintenance

L
L
L

System Development / Implementation

System Maintenance & Support

Program errors(Logic & formula)

Wrong reports produced, Competent programmer

Reports

Only authorised persons have access rights


Change request (CR) should be established for any
programs change.

Treat

1. Data not keyed in timely
2. Program errors (Logic & formula)

End user could not perform daily tasks in an appropriate manner

System errors and not functioning as usual.

Change request (CR) should be established for any program change.

Treat

Lack of latest technology update

Reports could not be produced in a timely manner due to delay in posting.

1. User acceptance test (UAT) and training shall be conducted and signed off by user. One of the scopes of project implementation.
2. Unauthorized change to the program (abapers & programmer)
3. Send abapers/programmer to attend training

Consultation Service

Business Application
(IT Services
New Request)

Integration Service

Hardware
Software
System interfaces
Data and information
People
System mission

System or program is inaccessible

1. Program errors (Logic & formula)
2. Communication line not stable
3. Data corrupted

Wrong reports produced, Competent programmer

1. Application will not function
2. System will be slow

Rely on Vendor

Lack of support from Vendor

Creating the risk of delivery disruption or failure

1. Web Application Server stops functioning
2. Storage full

1. Patches not up to date
2. Not well monitored

1. Application will not function

Program errors(Logic & formula)

Wrong reports produced, Competent programmer

Impact on Cmp/unit Business Operation

Lack of monitoring by the Server Team

1. Security and control of access to system.
2. Misuse of information

Transfer

C,I

1. Monitored by Server Team
2. Replace or repair the file that has been corrupted
3. Re-register DLL
4. Antivirus update

Developers need to ensure their software meets the highest standards for quality from vendor

1. Treat
2.Replace
3.Treat
4.Treat

FPSSB will make sure all users who use the system get enough training before they can start using the application.

1. Monitor the condition of the server
2. Replace or repair the file that has been corrupted
3. Re-register DLL
4. Monitor antivirus update

User acceptance test (UAT) and training shall be conducted and signed off by user. One of the scopes of project implementation.

Perform daily health check / monitoring of the condition of the server

Send Abapers to Abap Training.

Always monitor the condition of the servers.

3rd Party Outsourcing

Enterprise Content Management

Transfer

A,C,I

15

1. Monitored by Server Team
2. Monitored by Functional Team

15

System Landscape (Dev, QAS, Prd)

Unable to retrieve latest data from SAP/RML

C,I

15

Restart service ASAP when connectivity is restored

Unauthorized personnel misuse the confidential information

Security access control (authorization)

C,I

15

Authorization matrix

Treat

To strengthen authorization

1.Network Failure
2.Databases corrupted
3.EIS Server Failure

Lack of monitoring by the Network/Server Team

Impact on daily business operation and company's profit.

A,C,I

15

1. Monitored by server team
2. Restart server
3. System monitoring by BA team.
4. Train and expose new staff

Treat

To suggest the best method of communication line

IIS stop functioning

Lack of monitoring by the Server Team

Application will not function.

C, I

15

Only Server Team are able to direct access & look into
the server.

Always monitor the condition of the servers.

1. IIS stops functioning
2. Data corrupted
3. DLL library not functioning well
4. Virus

1. Not well monitored
2. Program not properly stopped (while a process is still running)
3. Related to the OS
4. Antivirus not up to date or not functioning

1. Application will not function
2. System will be slow

1. Monitor the condition of the server
2. Replace or repair the file that has been corrupted
3. Re-register DLL
4. Monitor antivirus update

1. Web Application Server stops functioning
2. Scanner problem
3. Storage full

1. Patches not up to date
2. Not well monitored

1. Application will not function

Perform daily health check / monitoring of the condition of the server

Rely on Vendor

Lack of support from Vendor

To choose preferred vendor by technical evaluation.

Rely on Vendor

Lack of support from Vendor

Wrongly transport. Wrongly configuration

Left out transport number. New staff doing config. Staff left out
some steps to config.

SAP ECC 6.0 / SAP Customized Enhancement Management

Misconcept

SAP ECC 6.0 / SAP Customized Program Change Management

Misconcept

ABAP

Treat

Treat

Plantation Applications
Lost connectivity to SAP/AS400 servers
Weighbridge & Mill Applications

Enterprise Transport Management

Website & Portal


Business Application
(Existing Application System)

Server / Internet Service down


Hardware
Technology Integration Solution (TIS) Software
System interfaces
Data and information
People
System mission

Transfer

Transfer

C,I

15

1. Monitored by Server Team
2. Replace or repair the file that has been corrupted
3. Re-register DLL
4. Antivirus update

C,I

15

1. Monitored by Server Team
2. Monitored by Functional Team

Creating the risk of delivery disruption or failure

Developers need to ensure their software meets the highest standards for quality from vendor

Transfer

Creating the risk of delivery disruption or failure

Developers need to ensure their software meets the highest standards for quality from vendor

Transfer

If configuration is wrongly transported or done, PRD might have problems, especially when it involves daily routines like printing invoices, cheques, delivery process, etc.

A,C,I

Testing in QAS before transport to PRD.

Treat

Requirements from user are not clearly configured and analysed.

If the requirement from the user is not clear and there is a functional misconception of the user's demand, the enhancement is not accepted by the user even though confirmation with the user has been done.

A,C,I

16

User acceptance testing.

Treat

Meet the user to gather the requirement clearly and get the user's confirmation on the request.

Requirements from user are not clearly configured and analysed.

If the requirement from the user is not clear and there is a functional misconception of the user's demand, the enhancement is not accepted by the user even though confirmation with the user has been done.

A,C,I

16

User acceptance testing.

Treat

Meet the user to gather the requirement clearly and get the user's confirmation on the request.

1. Treat
2.Replace
3.Treat
4.Treat

New Dimension Product (NDP)

Others Applications

3rd Parties Applications

SAP ECC 6.0 / SAP Customized Configuration Management

ERP Consulting

To choose preferred vendor by technical evaluation.


L
Re-configure or re-transport if there should be any problem. Test again at QAS before transport to PRD.

Monitor, check and reporting.

SAP ECC 6.0 / SAP Customized ESS integration with SAP ECC6 system
SAP ECC 6.0 / SAP Customized MSS integration with SAP ECC6 system

Treat

System not accessible

Server failure, no backup performed regularly

System not accessible.

C,I

Perform regular monitoring and maintenance.

Treat

L
Monitor, check and reporting.

SAP PRD
SAP QAS
SAP DEV
ESS, MSS
Non SAP Application

System not accessible

Server failure, no backup performed regularly

System not accessible.

Most probably for scheduled jobs that integrate between the Non-SAP and SAP systems.

Whenever the scheduled job fails to perform, the information and data from the non-SAP system (such as WBS) need to be interfaced manually.

C,I

Perform regular monitoring and maintenance.

Treat

L
Monitor, check and reporting.

SAP ECC 6.0 / SAP Customized Integration between other systems (Non-SAP) with SAP ECC6.0

Integration system down. System cannot be accessed. Power failure.

Lack of trainer. Trainer not ready for training.

Trigger for crash course training, or whenever there are certain periods when staff are on leave.

Staff still not competent to give training, especially for new staff. No staff available to provide training, as the number of staff is insufficient to fulfil two services: system support and training.

A,C,I

Perform regular monitoring and maintenance.

Treat

Junior trainer needs to undergo relevant training to build up competency skills to conduct training.
A

Senior will replace trainer and junior will join the training.

Treat

Training

Late creation or double creation.

Data duplicated when keyed in during data entry in SAP without checking first. Missing details to ease the creation. New staff don't know the procedure.

If details of master data are not completely provided, buffer time will increase as the info needs to be gathered from the user along with any other relevant data.

A,C,I

Do verification with user. Confirm all the relevant details.

Treat

Check the master table before creating new master data. Check that all relevant info is sufficient to create the new master data. Make sure every staff member understands and follows the SOP.

Treat

During peak time the server needs to provide the most usage at practical speeds.

Create/Maintain Master Data


Slow speed at peak time.
System support

Administration

Daily routine cannot be carried out, e.g. printing cheques, invoices, delivery process, etc.

Sometimes at peak times (closing) some processes are not up to expectation.

A,C,I

25

Ensure server run at the most availability.

Building ( Computer Lab, Server Room) - Rent

Not enough space / space less for staff/server

Ask to Shift location/ Too many user training at one time (not
enough lab)/Staff Growth.

a. Additional rented space.
- Technical staff transfer to City 1
- Rooms transfer to Anjung

Telephone/Fax

Breakdown of Communication with customer

Telephone and fax system breakdown.

Upgrade Red Tone System

Receptionist/ Telephonist

Unanswered calls (15-25 calls) will affect the company's reputation.

EL / MC & Notice 24 Hours

Standby staff to perform the task

Staff SAP

Improper Job Handover / specialist

1. 24 Hours Notice
2. Senior/certified staff resign

a. Ensure support staff have equivalent knowledge and skill (increase competency).
b. Document all activities and projects.
c. Work with Prodata's subsidiaries

Management

Job handover/ specialist

24 Hours Notice

Succession plan in place & submitted to FHB

Internal Staff Transfer

Unauthorised access (SAP ID, restricted area)

Confidential documents/information might be stolen by an unauthorized person

1. Staff to conduct job handover
2. Fill in HR007 form (Inter-Departmental Staff Transfer Form)

Replacement staff.

- Project

HR & Admin

Human Resource

Temporary Access Card

1. The staff (Security) changed without the written approval.
2. Admin did not raise request to extend the expired access card.

All

1. Admin shall remind the respective Head of Unit on the expiry of the access card.
2. If necessary, Head of Unit shall fill up HR05 Form to extend the access card.

Documentation

Unauthorised access to documentation

Lack of proper place to store the documents

Documents may not be accessible efficiently.

Documentation

Unable to perform tasks efficiently

Lack of proper documentation and policies in place

New staff may find it difficult to understand and perform the daily operational work.

Administrative

Number of risks by Matrix


Number of Risks in High Risk Zone
Number of Risks in Moderate Risk Zone
Number of Risks in Low Risk Zone
Total Number of Risks

Personnel

Human errors

Lack of training or incompetent staff

Insufficient training / knowledge / experience in managing the tasks.

Personnel

Operation degraded

High rate of turnover

Unable to provide excellent services.

Number of Risks in High Risk Zone: 12
Number of Risks in Moderate Risk Zone: 39
Number of Risks in Low Risk Zone: 10
Total Number of Risks: 61

Request proper room to store documentation.

A, C, I

Regular updates of documents and knowledge base

Treat

Regular update SOP

Treat

Centralize and integrate SOP into online knowledge base with backup.

Treat

Email on an ad hoc basis when any issue and its possible solution is discovered. Update internal knowledge base.

A, C, I

Knowledge sharing when discover any issue

16

Existing team member to take over the job until the new
replacement is in place

Transfer

Discussion with HR for Staff Retention Program

L
L
L
M

RISK ASSESSMENT

MOHAMMAD ZAMRIL ISMAIL


IT GOVERNANCE

ALI MUSTAFA
GENERAL MANAGER

1 Mar 2013

1 Mar 2013

FPSSB/IMS/REC/RISK-001
Template Version: 1.0

Service
Risk Owner

Service
System Development /
Implementation

System Maintenance & Support


Consultation Service

Business Application
(IT Services
New Request)

Integration Service

3rd Party Outsourcing

Entreprise Content Management

ABAP
Plantation Applications

Weighbridge & Mill Applications

Enterprise Transport Management

Website & Portal


Business Application
(Existing Application System)

Technology Integration Solution (TIS)

Business Application
(Existing Application System)

New Dimension Product (NDP)

Others Applications

3rd Parties Applications

Service
Sevice Component

Threats

Program errors(Logic & formula)

1.Data not key in timely


2.Program errors(Logic & formula)

Lack of latest technology update


Hardware
Software
System interfaces
Data and information
People
System mission

1 Program errors(Logic & formula)


2 Communication line not stable
3.Data corrupted

Rely on Vendor

1. Web Application Server Stop Functioning


2. Storage Full

Program errors(Logic & formula)

Lost connectivity to SAP/AS400 servers

1.Security and control of access to system.


2.Misuse Information
1.Network Failure
2.Databases corrupted
3.EIS Server Failure
Server /Internet Service down,
Hardware
Software
System interfaces
Data and information
People
System mission

IIS stop functioning


1. IIS stop functioning
2. Data corrupted
3. DLL Library not well function
4. Virus

Software
System interfaces
Data and information
People
System mission
1. Web Application Server Stop Functioning
2. Scanner Problem
3. Storage Full

Rely on Vendor

Rely on Vendor

Risk Register
Vulnerabilities

Risk Description

Wrong reports produced, Competent programmer

Reports

End user could not perfom daily task in appropriate manner

System errors and not functioning as usual.

Reports could be produced in timely manner due to delay in


posting.

System or program is inaccessible

Wrong reports produced, Competent programmer

1. Application will not functioning


2. System will be slow

Lack of support from Vendor

Creating the risk of delivery disruption or failure

1. Patches not up to date


2.Not well monitored

1. Application will not functioning

Wrong reports produced, Competent programmer

Impact on Cmp/unit Business Operation

Lack of monitoring by the Server Team

Unable to retrieve latest data from SAP/RML

Unauthorized personnel misuse the confidential information

Security access control (authorization)

Lack of monitoring by the Network/Server Team

Impact on daily business operation and company's profit.

Lack of monitoring by the Server Team

Application will not fuctioning.

1. Not well monitor


2. Not proper stop the program (during process in progress
running.
3.Related to the OS
4. Antivirus not up to date or is not function

1. Application will not functioning


2. System will be slow

1. Patches not up to date


2.Not well monitored

1. Application will not functioning

Lack of support from Vendor

Creating the risk of delivery disruption or failure

Lack of support from Vendor

Creating the risk of delivery disruption or failure

Risk Register
(A=Availability, C=Confidentiality,
I=Integrity)

Impact / Severity
(Score 1-5)

Probability/ Likelihood
(Score 1-5)

Result of Risk
(Total Score)

C,I

A,C,I

15

15

C,I

15

C,I

15

A,C,I

15

C, I

15

C,I

15

C,I

15

Risk Treatment Plan


Risk ID

Current Control

Risk Treatment

Only Authorised person has access right only


Change request (CR) should be established for any
programs change.

Treat

Change request (CR) should be established for any


programs change.

Treat

Transfer

1. Moniter by Server Team


2. Replace the file or repare the file that has been
corrupted
3. re-Register DLL
4.Antivirus update

Developers need to ensure their software meets the


highest standards for quality from vendor

1. Treat
2.Replace
3.Treat
4.Treat

Transfer

1. Monitored by Server Team


2.Monitored by Functional Team

Treat

Syatem Landscape (Dev,QAS,Prd)

Restart service ASAP when connectivity is restored

Threat

Transfer

Authorization matrix

Threat

1. Monitored by server team


2. Restart server
3.System monitoring by BA team.
4. Train and expose new staff

Threat

Only Server Team are able to direct access & look into
the server.
1. Moniter by Server Team
2. Replace the file or repare the file that has been
corrupted
3. re-Register DLL
4.Antivirus update

Transfer
1. Treat
2.Replace
3.Treat
4.Treat

1. Monitored by Server Team


2.Monitored by Functional Team

Treat

Developers need to ensure their software meets the


highest standards for quality from vendor

Transfer

Developers need to ensure their software meets the


highest standards for quality from vendor

Transfer

k Treatment Plan
Controls to be implemented

1.User acceptance test(UAT) and training shall be


conducted and sign off by user.One of the scope of
project implementation.
2.Unauthorized change to the program ( abapers &
programmer)
3.Send abapers/programmer to attend training

Target Risk Level

FPSSB will make sure all user who use the system get
enough training before they can start using the
application.

1. Monitor the condition of the server


2. Replace the file or repare the file that has been
corrupted
3. re-Register DLL
4. Monitor Antivirus update

User acceptance test(UAT) and training shall be


conducted and sign off by user.One of the scope of
project implementation.

Perform daily health check/monitoring the condition of


the server

Send Abapers to Abap Training.

Always monitor the condition of the servers.

To strengten on authorization

To suggest the best method of commnucation line

Always monitor the condition of the servers.

1. Monitor the condition of the server


2. Replace the file or repare the file that has been
corrupted
3. re-Register DLL
4. Monitor Antivirus update

Perform daily health check/monitoring the condition of


the server

To choose preferred vendor by technical evaluation.

To choose preferred vendor by technical evaluation.


L

Service
Risk Owner

Service
SAP ECC 6.0/
SAP Customized Configuration
Management

SAP ECC 6.0/


SAP Customized Enhancement
Management

SAP ECC 6.0/


SAP Customized Program Change
Management

SAP ECC 6.0/


SAP Customized ESS integration
with SAP ECC6 system

ERP Consulting

SAP ECC 6.0/


SAP Customized
MSS integration with SAP ECC6
system
SAP ECC 6.0/
SAP Customized
Integration between other systems
with SAP ECC6.0
(Non-SAP)

Training

Create/Maintain Master Data

System support

Service
Sevice Component

Threats

Wrongly transport. Wrongly configuration

Misconcept

Misconcept

System not accessible

SAP PRD
SAP QAS
SAP DEV
ESS, MSS
Non SAP Application

System not accessible

Integration system down. System cannot be


access. Power failure.

Lack of trainer. Trainer not ready for training.

Late creation or double creation.

Slow speed at peak time.

Risk Register
Vulnerabilities

Risk Description

Left out transport number. New staff doing config. Staff left out
some steps to config.

If configuration wrongly transport or done, PRD might have


problem especially when its involved with daily routine like
printing invoice, check, delivery process and etc.

Requirement from user are not clearly configure and analyse.

If requirement from user not clear and functional misconcept


on user demand the enhancement not being accepted by
user eventhough confirmation with user has been done.

Requirement from user are not clearly configure and analyse.

If requirement from user not clear and functional misconcept


on user demand the enhancement not being accepted by
user eventhough confirmation with user has been done.

Server failure, no backup performed regularly

System not accessible.

Server failure, no backup performed regularly

System not accessible.

Most probably for schedule job to integrate between Non-SAP


and SAP system.

Whenever the schedule job fail to perform then need to do


manually t interface the information and data from the nonSAP system such WBS.

Trigger for crash course training or whenever there are certain


period that staff is leave.

Staff still not competent to give training especially for new


staff. No staff to provide training as number of staff is
insufficient to fulfill two services which are for system support
and training.

Data duplicate as key in data entry in SAP without checking


If detail of master data is not completely provided, buffer time
first. Missing details to ease the creation. New staff don't know will increase as need to gather the info from user and fulfill
th procedure.
any other relevant data.

Daily routine cannot be carried out eg, print cheque, invoice,


delivery process, etc.

Sometimes at peak times(closing) some process is not up to


expectation.

Risk Register
(A=Availability, C=Confidentiality,
I=Integrity)

A,C,I

A,C,I

A,C,I

C,I

C,I

A,C,I

A,C,I

A,C,I

Impact / Severity
(Score 1-5)

Probability/ Likelihood
(Score 1-5)

Result of Risk
(Total Score)

Risk Treatment Plan


Risk ID

Current Control

Risk Treatment

Testing in QAS before transport to PRD.

Treat

User acceptance testing.

Treat

User acceptance testing.

Treat

Perform regular monitoring and maintenance.

Treat

Perform regular monitoring and maintenance.

Treat

Perform regular monitoring and maintenance.

Treat

Senior will replace trainer and junior will join the training.

Treat

Do verification with the user. Confirm all the relevant details.

Treat

Ensure server run at the most availability.

Treat

Risk Treatment Plan
Controls to be implemented
Re-configure or re-transport should there be any
problem. Test again in QAS before transport to PRD.

Target Risk Level

Meet the user to gather the requirement clearly and get
the user's confirmation on the user request.

Meet the user to gather the requirement clearly and get
the user's confirmation on the user request.

Monitor, check and reporting.


L
Monitor, check and reporting.
L
Monitor, check and reporting.
L

Junior trainers need to undergo relevant training to build
up the competency and skills to conduct training.
L

Check the master table before creating new master data.
Check that all relevant info is sufficient to create the new
master data. Make sure every staff member understands and
follows the SOP.

During peak time the server needs to sustain the highest
usage at practical speeds.

Service
Risk Owner

Service

Rental Service

Managed Enterprise Services

E-mail

Service
Service Component

Threats

Loss of data due to hardware failure

PC , Notebook, Server
Uncontrolled viruses attack / intrusion

Server

Hardware failure
Power failure
Network failure

Software

Spam

Software

Unauthorized access

Software

E-mail missing

Software

Phishing

Software (Webmail)

Apache and Dovecot not running

Risk Register
Vulnerabilities

Risk Description
a) Not properly shutdown

b) Old Hardware

Lack of maintenance

Lack of patch updates

PC, Notebook, Server infected by viruses or harvested by spammers, which
may affect other PCs, Notebooks or servers within the VLAN

Email services inaccessible.


Susceptibility to voltage variations

Email services inaccessible.

Lack of network maintenance

Email services inaccessible.

Published email address

Email addresses harvested by spammer.

Lack of patch updates and poor password management

Email server is compromised.

Misconfiguration

Important emails are lost.

Lack of server maintenance and user awareness

Email accounts are compromised and the server is blacklisted
by external mail servers.

Lack of monitoring mechanism

Webmail service is inaccessible.

Risk Register
(A=Availability, C=Confidentiality,
I=Integrity)

C, A

A
A
A
C
C
A
C, I
A

Impact / Severity
(Score 1-5)

Probability/ Likelihood
(Score 1-5)

Result of Risk
(Total Score)

Risk Treatment Plan


Risk ID

Current Control

Risk Treatment

Perform preventive maintenance

Treat

Perform preventive maintenance

Treat

Perform regular maintenance

Treat

Regular check by FES

Transfer

Perform regular monitoring and maintenance

Treat

Perform regular maintenance

Treat

Perform regular monitoring and maintenance

Treat

Perform regular monitoring and maintenance

Treat

Perform regular monitoring

Treat

Inform end user regularly

Treat

Risk Treatment Plan
Controls to be implemented
a) Propose file server for data backup (PC , Notebook)
b) Establish Data Recovery Center (DRC) for non SAP
c) Execute preventive maintenance

Target Risk Level

a) Update main antivirus with the latest virus pattern.
b) Conduct awareness for users regarding virus threats
and prevention; scan thumb drives before opening files.
c) Configure individual PCs and notebooks for scheduled
scanning.

Monitor, check and reporting. Perform quarterly
maintenance

Periodic checks and updates by FES


Monitor, check and reporting. Perform monthly
maintenance

L
L

Monitor, check and reporting. Perform quarterly
maintenance.

Monitor, check and reporting. Perform daily
maintenance

Monitor, check and reporting. Perform daily
maintenance

Monitor, check and reporting. Perform daily
maintenance.

Mass mail to end user once in a month.

Service
Risk Owner

Service

Network

Managed IPVPN
Managed VSAT

Managed CCTV surveillance


Managed Communication &
Data Security

Managed Door Access Security


System

Managed LAN

Managed LAN

Service
Service Component

Threats

Hardware (Network Equipment / Servers)

Hardware failure

Hardware (Network Equipment / Servers)

Hardware failure

Hardware (UPS)

Battery dry out

Hardware (Structured Cabling)

Water leakage and pests attack

Network Administrator

System hacked

Software

Unauthorized access

Router, ISDN Backup

IPVPN/IPVPN Value Failure

IDU, ODU, Router, Modem

VSAT Failure

Hardware
a) Storage Server
b) Camera

Storage server down and camera faulty.

Network

Network failure

Electricity

Power failures.

Hardware
a) Server
b) Controller
c) Card reader

Malfunction Controller or Card reader.

Network

Network down.

Electricity

Power failures.

Core switches failures


Core Switch, Access Switch

Core Switch, Access Switch


Unauthorized access

Risk Register
Vulnerabilities

Risk Description

Lack of maintenance

Network services are inaccessible.

Susceptibility to voltage variations

Network services are inaccessible.

Lack of maintenance

Network services are inaccessible when there is no electricity.

Lack of periodic building maintenance and pest control

Network is intermittent or inaccessible.

Lack of competence in monitoring day-to-day network activities
and the security of the systems

Poses a security threat

Lack of maintenance and poor password management

Network services are inaccessible .

Lack of maintenance

Network services are inaccessible .

Lack of maintenance

Network services are inaccessible

Lack of maintenance

CCTV unable to operate

Lack of network maintenance

CCTV unable to operate

Susceptibility to voltage variations

CCTV unable to operate

Lack of maintenance

Failed delivery of attendance data to the servers (TMS and SAP)
due to malfunction of the Controller or Card reader

Lack of network maintenance

Data stuck or pending at the controller and not transferred to the
server, so the server is not updated with the latest data and no
access report is available.

Susceptibility to voltage variations

System will fail to function (i.e. door not secure) after battery
backup runs out

Lack of network maintenance

Network services are inaccessible

System hacked and information stolen by attackers


Misconfiguration

Risk Register
(A=Availability, C=Confidentiality,
I=Integrity)

A
A
A
A
C, I, A
A
A
A

A
A

C, A

C, A

C, A

Impact / Severity
(Score 1-5)

Probability/ Likelihood
(Score 1-5)

Result of Risk
(Total Score)

C, I, A

Risk Treatment Plan


Risk ID

Current Control

Perform regular maintenance

Risk Treatment

Transfer

Regular check by Network Team / OSS

Treat

Perform regular maintenance

Treat

Regular check by FES

Transfer

Perform regular maintenance

Treat

Perform regular maintenance

Treat

Perform regular maintenance

Transfer

Perform regular maintenance

Treat

Regular check by Network Team

Treat

Regular check by FES

Treat

Perform preventive maintenance

Treat

Regular check by Network Team

Treat

Regular check by Network Team / FES

Treat

Regular check by Network Team

Treat

Regular check by Network Team

Treat

Risk Treatment Plan
Controls to be implemented
Continuous monitoring, checking and reporting. Engage
vendors for maintenance
Periodic checks and updates by Network Team / OSS
Monitor, check and reporting. Introduce IP-based UPS
system
Periodic updates by FES.

Manager alerts, evaluates and verifies new software
updates.
a) Not guaranteed; based on best effort

Target Risk Level

L
L
L
L

L
L

a) Sign up SLA with Telekom (Max 2 days resolution)
b) NMS software to monitor

L
a) Monitoring and maintenance checking on a daily,
monthly and yearly basis to ensure sustained operation.
b) Troubleshoot server
c) Preventive maintenance (SLA)
d) Disaster recovery
e) Check network availability & performance
f) Reset camera's power & network cable
g) Repair or change camera

Check network availability & performance


Back up power must be on standby
a) Preventive maintenance (twice a year) to make sure
all hardware and software are in good condition
b) Repair or change controller or controller's power &
network cable
c) Reset or change card reader

L
L

a) Check network availability & performance


b) Check and reset communication converter
c) Change communication converter (faulty)
L

Back up power must be on standby

a) Sign maintenance agreement with vendors
b) Use Network Management System (NMS) software to
monitor daily activity

a) Implement Intrusion Prevention System (IPS)
b) System penetration test
