Apollo Hospitals
Risk Assessment Report

Prepared By:

PURPOSE, CAUTIONS & FORMAT


PURPOSE
The purpose of this document is to identify the vulnerabilities, threats and risks associated with the BYOD implementation. The document also contains likelihood ratings and impact ratings. These instructions are based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems.

RISK ASSESSMENT DOCUMENT REVIEW HISTORY


Review Date: September, 2015
Reviewer: Priti Puri

Table of Contents
1. Introduction ........................................ 4
2. Healthcare System Characterization ................... 4
   2.1. Hospitals Assets ................................ 4
3. Risk Identification .................................. 5
   3.1. Identification of Vulnerabilities ............... 5
   3.2. Identification of Threats ....................... 5
   3.3. Identification of Risks ......................... 5
4. Control Analysis ..................................... 5
5. Risk Likelihood Determination ........................ 5
6. Risk Impact Analysis ................................. 5
7. Overall Risk Determination ........................... 5
8. Recommendations ...................................... 5
9. Result Documentation ................................. 5

1. Introduction
*TO BE EDITED

We have performed this risk assessment for BYOD implementation to satisfy the
requirements of NIST Special Publication (SP) 800-30 to perform an assessment at
least every 3 years or whenever a major change is made to a sensitive system.
This risk assessment identifies:

Vulnerabilities
Threats
Risks
Risk Likelihoods
Risk Impacts

2. Healthcare System Characterization


*TO BE EDITED

This step defines the scope of the risk assessment effort. Its purpose is to identify the network assets, to define the risk assessment boundary and components, and to identify the data sensitivity.

2.1. Hospitals Assets

*TO BE EDITED

An asset is an economic resource. Anything tangible or intangible that is capable of being owned or controlled to produce value and that is held to have positive economic value is considered an asset. Simply stated, assets represent value of ownership that can be converted into cash (although cash itself is also considered an asset).

Asset Type: Devices
Assets: Laptops, Mobile, Tablets

3. Risk Identification
*TO BE EDITED

The purpose of this step is to identify the risks to BYOD assets. Risks occur in any system when vulnerabilities (i.e., flaws or weaknesses) in the IT system or its environment can be exploited by threats (i.e., natural, human, or environmental factors).
The process of risk identification consists of three components:
Identification of vulnerabilities in the system and its environment.
Identification of credible threats that could affect the system.
Pairing of vulnerabilities with credible threats to identify risks to which the system is exposed.
After the process of risk identification is complete, the likelihood and impact of the risks will be considered.

3.1. Identification of Vulnerabilities
Vulnerabilities were identified and are documented in the table below.

3.2. Identification of Threats
The purpose is to identify the credible threats to the IT system and its environment. A threat is credible if it has the potential to exploit an identified vulnerability. Threats were identified for each vulnerability and are documented in the table below.

3.3. Identification of Risks
*TO BE EDITED

Risks were identified for the implementation of BYOD by matching identified vulnerabilities with credible threats that might exploit them. This pairing of vulnerabilities with credible threats is documented in the table below (columns: Sr No, Vulnerability, Threat, Risk of compromise of, Risk Summary).

1. Vulnerability: Health Information exchange not secured
   Threat: Data compromise by intrusion, data breach
   Risk of compromise of: Sensitive and critical data
   Risk Summary: As health information exchanges (HIEs) make patient information electronically available across the hospital system, privacy and data security concerns have become paramount. The risks are compounded by the numerous systems and organizations involved.

2. Vulnerability: Failure at Data Center
   Threat: Denial of Service attack on Data Centre
   Risk of compromise of: Availability of data and applications
   Risk Summary: Data-based business intelligence is quickly moving to the forefront for most healthcare organizations. The greater the emphasis on better managing outcomes and overall population health, the more important data (clinical or otherwise) becomes.

3. Vulnerability: Disaster Recovery and Business Continuity not in place
   Threat: Severe effect on operations of the hospital, impact on business
   Risk of compromise of: Productivity, revenue, patient safety
   Risk Summary: Productivity, revenue, and even patient safety could be severely affected if systems and data are not available and operational at all times. While business continuity related to disaster recovery is not a new concern for healthcare organizations, it ranked high because of its strategic and business impact.

4. Vulnerability: Unidentified security vulnerabilities in biomedical devices
   Threat: Systems can be hacked or planted with malware
   Risk of compromise of: Patient safety, privacy of data
   Risk Summary: Unidentified security vulnerabilities in biomedical devices can affect patient safety as well as the privacy of data on devices and networked systems.

5. Vulnerability: Electronic Health Record (EHR) application not secured
   Threat: Access rights misused, data breach or man-in-the-middle attack
   Risk of compromise of: Data privacy, intellectual property
   Risk Summary: Many healthcare organizations are susceptible to risks related to the implementation of electronic health record (EHR), financial, and other business systems.

6. Vulnerability: No information security policy implemented
   Threat: Technical, physical, and administrative safeguards vulnerable
   Risk of compromise of: Security of health information
   Risk Summary: HIPAA remains an area of significant risk for healthcare organizations. Maintaining the security of protected health information is challenging. Absence of supporting documentation demonstrating adherence to policies can be a huge risk.

7. Vulnerability: IT assets and software licenses not tracked
   Threat: Use of outdated software introduces vulnerability; software stops operating after license expiry
   Risk of compromise of: Security of health information, availability of data and applications
   Risk Summary: Many organizations have issues with tracking not only their physical IT assets but their software licenses as well. Lack of control in these areas can lead to financial losses for the organization.

8. Vulnerability: Access through personal devices not restricted
   Threat: Data loss, malware infection
   Risk of compromise of: Security of health information, availability of data and applications
   Risk Summary: Electronic protected health information (ePHI) and similarly sensitive data can be disclosed to unauthorized personnel either by malicious intent or inadvertent mistake.

9. Vulnerability: Identity management and RBAC (Role Based Access Control) not implemented
   Threat: Unauthorised access to data or applications
   Risk of compromise of: Security of hospital data, patient information, applications
   Risk Summary: Unauthorized access to data or applications is a significant organizational risk, making system access a highly ranked area of concern. Healthcare organizations often struggle to maintain consistent core controls (for example, passwords, timeouts, and lockouts) around system access.

10. Vulnerability: Not compliant with the Payment Card Industry Data Security Standard (PCI DSS)
    Threat: Credit card data stolen at Point of Sale and/or through web application
    Risk of compromise of: Customers' credit card data
    Risk Summary: The standard outlines technical and operational system requirements to protect cardholder data, and is often overlooked in the healthcare industry. Overlooking the requirements can be very costly for the hospital.

11. Vulnerability: Malfunctioning of the application
    Threat: Electronic Health Record (EHR) application failure
    Risk of compromise of: Confidentiality and integrity of hospital data (financial, IP, staff info)
    Risk Summary: An enterprise system tends to come with standard IT configurations, leaving a huge margin for error. If your hospital has deployed an electronic health record (EHR) system, you probably have a contingency plan in the event of a system outage. After all, computing systems go down, and when an EHR system is not working, it affects nearly every aspect of a hospital's operations, from patient care to admissions to finance to supply chain.

12. Vulnerability: Defects in the systems
    Threat: Systems failure in hospitals
    Risk Summary: Operational systems failures in healthcare can hinder employees, potentially decreasing both productivity and quality of care. Both hospitals and hospital patients are bearing a massive cost as a result of the occurrence of medication prescribing errors in the public health systems; poor information systems may be a contributing factor in the occurrence of these errors. These are linked to situations where information is unavailable or inaccessible.

13. Vulnerability: Intentional human error
    Threat: Unscheduled system downtime
    Risk Summary: Unscheduled downtime is unplanned downtime due to system or environmental (e.g., power) failures. Downtime may affect a single application or be system-wide.

14. Vulnerability: Levels of security not applied
    Threat: Indiscriminate malicious attack (mock cyberattacks)
    Risk of compromise of: Medical devices, patient safety
    Risk Summary: A medical device is being used on a patient (e.g., x-ray, ECG, ventilator, CT, MRI, PET) when a malicious software attack occurs. This may be a side effect of a broad cyber attack where the medical device is not specifically targeted. These broad, sometimes low-skill, technology attack tools are otherwise known as viruses, Trojan horses, or worms, for example. Even under these circumstances, the system should be able to protect patient safety and health. Individual patient and healthcare provider damage may result if the attack leads to the disclosure of personal data.

15. Vulnerability: Firewall not updated or not configured properly
    Threat: Highly funded attack on confidentiality of data
    Risk of compromise of: Patients' details, their reputation and privacy
    Risk Summary: A malicious attacker is highly funded and is highly capable of launching a targeted attack. Typically, the attacker is an outsider and the targets are medical data of VIPs such as athletes or celebrities, stored in a healthcare system. The effects of disclosed medical information (e.g., cancer, HIV status) may never be undone and may cause severe social and financial consequences to the victim.

16. Vulnerability: Disgruntled member, frustrated person
    Threat: Personal revenge
    Risk of compromise of: Business loss, reputation at stake
    Risk Summary: A threat may originate from angry or vengeful persons (employees, patients, or service staff, for example). The bulk of these attacks come from internal, or formerly internal, people. They have a powerful desire to inflict damage to a specific target inside the healthcare facility or to the healthcare facility as a whole, but are not likely to be sophisticated in terms of knowledge about systems or well funded.

17. Vulnerability: Occurrence of natural calamities, disasters
    Threat: Widespread disasters result in power blackout
    Risk of compromise of: Availability of the entire infrastructure
    Risk Summary: Provision of healthcare in the aftermath of a widespread disaster. Such a disaster may have been caused by natural (e.g., earthquake, tsunami, hurricane/typhoon, volcano, wildfire) or man-made causes (terror, war, power failure). During these disasters the general infrastructure (IT networks, roads, electrical power, water) may additionally be disrupted or destroyed. Further, the disaster may have caused damage to the healthcare facility itself and thus may have destroyed parts of the local building or healthcare infrastructure, causing a Healthcare System Failure. The situation may get worse as the disaster itself increases the number of patients who arrive at the healthcare facility.

18. Vulnerability: Power blackout and power backup failure
    Threat: Operational discontinuity
    Risk of compromise of: Business impact, availability impact
    Risk Summary: Many hospitals are unprepared for the consequences caused by power blackouts and are often unaware of the true costs and impact that they can have on their working procedures.

19. Vulnerability: Lack of awareness among employees
    Threat: Violation of policy regulation by an employee
    Risk of compromise of: Hampers business continuity
    Risk Summary: The greatest threat to the security of the healthcare industry is the total lack of awareness of principal cyber threats.

4. Control Analysis
The purpose of this step is to document the list of security controls used for Network Asset monitoring. The controls are matched with the risks identified in order to identify those risks that require additional response, and are documented in the table below (columns: SR, Risk Summary, Control).

1. Risk Summary: As health information exchanges (HIEs) make patient information electronically available across the hospital system, privacy and data security concerns have become paramount. The risks are compounded by the numerous systems and organizations involved.

2. Risk Summary: Data-based business intelligence is quickly moving to the forefront for most healthcare organizations. The greater the emphasis on better managing outcomes and overall population health, the more important data (clinical or otherwise) becomes.

3. Risk Summary: Productivity, revenue, and even patient safety could be severely affected if systems and data are not available and operational at all times. While business continuity related to disaster recovery is not a new concern for healthcare organizations, it ranked high because of its strategic and business impact.

4. Risk Summary: Unidentified security vulnerabilities in biomedical devices can affect patient safety as well as the privacy of data on devices and networked systems.

5. Risk Summary: Many healthcare organizations are susceptible to risks related to the implementation of electronic health record (EHR), financial, and other business systems.

6. Risk Summary: HIPAA remains an area of significant risk for healthcare organizations. Maintaining the security of protected health information is challenging. Absence of supporting documentation demonstrating adherence to policies can be a huge risk.

7. Risk Summary: Many organizations have issues with tracking not only their physical IT assets but their software licenses as well. Lack of control in these areas can lead to financial losses for the organization.

8. Risk Summary: Electronic protected health information (ePHI) and similarly sensitive data can be disclosed to unauthorized personnel either by malicious intent or inadvertent mistake.

9. Risk Summary: Unauthorized access to data or applications is a significant organizational risk, making system access a highly ranked area of concern. Healthcare organizations often struggle to maintain consistent core controls (for example, passwords, timeouts, and lockouts) around system access.

5. Risk Likelihood Determination

*Please check if something needs to be edited or added

The purpose of this step is to assign a likelihood rating of high, moderate or low to each risk identified. The following factors should be considered:
Threat-source motivation and capability, in the case of human threats
Probability of the threat occurring, based on statistical data or previous experience, in the case of natural and environmental threats
Existence and effectiveness of current or planned controls

Other factors may also be used to estimate likelihood. These include historical information, records and information from security organizations such as US-CERT, and other sources.

Risk Likelihood Definitions

Rows: effectiveness of controls. Columns: probability that the threat occurs.

Effectiveness of controls | Low      | Moderate | High
High [3]                  | Low      | Low      | Moderate
Moderate [2]              | Low      | Moderate | High
Low [1]                   | Moderate | High     | High

Risk likelihood ratings (columns: SR, Risk Summary, Risk Likelihood Rating):

1. Risk Summary: As health information exchanges (HIEs) and PHI make patient information electronically available across the hospital system, privacy and data security concerns have become paramount. The risks are compounded by the numerous systems and organizations involved.
   Risk Likelihood Rating: High

2. Risk Summary: Data center failure: Data-based business intelligence is quickly moving to the forefront for most healthcare organizations. The greater the emphasis on better managing outcomes and overall population health, the more important data (clinical or otherwise) becomes.
   Risk Likelihood Rating: High

3. Risk Summary: Productivity, revenue, and even patient safety could be severely affected if systems and data are not available and operational at all times. While business continuity related to disaster recovery is not a new concern for healthcare organizations, it ranked high because of its strategic and business impact.
   Risk Likelihood Rating: Moderate

4. Risk Summary: Unidentified security vulnerabilities in biomedical devices can affect patient safety as well as the privacy of data on devices and networked systems.
   Risk Likelihood Rating: Moderate

5. Risk Summary: Many healthcare organizations are susceptible to risks related to the implementation of electronic health record (EHR), financial, and other business systems.
   Risk Likelihood Rating: High

6. Risk Summary: HIPAA remains an area of significant risk for healthcare organizations. Maintaining the security of protected health information is challenging. Absence of supporting documentation demonstrating adherence to policies can be a huge risk.
   Risk Likelihood Rating: High

7. Risk Summary: Many organizations have issues with tracking not only their physical IT assets but their software licenses as well. Lack of control in these areas can lead to financial losses for the organization.
   Risk Likelihood Rating: Low

8. Risk Summary: Electronic protected health information (ePHI) and similarly sensitive data can be disclosed to unauthorized personnel either by malicious intent or inadvertent mistake.
   Risk Likelihood Rating: High

9. Risk Summary: Unauthorized access to data or applications is a significant organizational risk, making system access a highly ranked area of concern. Healthcare organizations often struggle to maintain consistent core controls (for example, passwords, timeouts, and lockouts) around system access.
   Risk Likelihood Rating: Moderate

10. Risk Summary: The standard outlines technical and operational system requirements to protect cardholder data, and is often overlooked in the healthcare industry. Overlooking the requirements can be very costly for the hospital.
    Risk Likelihood Rating: Moderate

11. Risk Summary: An enterprise system tends to come with standard IT configurations, leaving a huge margin for error. If your hospital has deployed an electronic health record (EHR) system, you probably have a contingency plan in the event of a system outage. After all, computing systems go down, and when an EHR system is not working, it affects nearly every aspect of a hospital's operations, from patient care to admissions to finance to supply chain.
    Risk Likelihood Rating: Low

12. Risk Summary: Operational systems failures in healthcare can hinder employees, potentially decreasing both productivity and quality of care. Both hospitals and hospital patients are bearing a massive cost as a result of the occurrence of medication prescribing errors in the public health systems; poor information systems may be a contributing factor in the occurrence of these errors. These are linked to situations where information is unavailable or inaccessible.
    Risk Likelihood Rating: Low

13. Risk Summary: Unscheduled downtime is unplanned downtime due to system or environmental (e.g., power) failures. Downtime may affect a single application or be system-wide.
    Risk Likelihood Rating: Low

14. Risk Summary: A medical device is being used on a patient (e.g., x-ray, ECG, ventilator, CT, MRI, PET) when a malicious software attack occurs. This may be a side effect of a broad cyber attack where the medical device is not specifically targeted. These broad, sometimes low-skill, technology attack tools are otherwise known as viruses, Trojan horses, or worms, for example. Even under these circumstances, the system should be able to protect patient safety and health. Individual patient and healthcare provider damage may result if the attack leads to the disclosure of personal data.
    Risk Likelihood Rating: Moderate

15. Risk Summary: A malicious attacker is highly funded and is highly capable of launching a targeted attack. Typically, the attacker is an outsider and the targets are medical data of VIPs such as athletes or celebrities, stored in a healthcare system. The effects of disclosed medical information (e.g., cancer, HIV status) may never be undone and may cause severe social and financial consequences to the victim.
    Risk Likelihood Rating: Moderate

16. Risk Summary: A threat may originate from angry or vengeful persons (employees, patients, or service staff, for example). The bulk of these attacks come from internal, or formerly internal, people. They have a powerful desire to inflict damage to a specific target inside the healthcare facility or to the healthcare facility as a whole, but are not likely to be sophisticated in terms of knowledge about systems or well funded.
    Risk Likelihood Rating: Low

17. Risk Summary: Provision of healthcare in the aftermath of a widespread disaster. Such a disaster may have been caused by natural (e.g., earthquake, tsunami, hurricane/typhoon, volcano, wildfire) or man-made causes (terror, war, power failure). During these disasters the general infrastructure (IT networks, roads, electrical power, water) may additionally be disrupted or destroyed. Further, the disaster may have caused damage to the healthcare facility itself and thus may have destroyed parts of the local building or healthcare infrastructure, causing a Healthcare System Failure. The situation may get worse as the disaster itself increases the number of patients who arrive at the healthcare facility.
    Risk Likelihood Rating: Low

18. Risk Summary: Many hospitals are unprepared for the consequences caused by power blackouts and are often unaware of the true costs and impact that they can have on their working procedures.
    Risk Likelihood Rating: Moderate

19. Risk Summary: The greatest threat to the security of the healthcare industry is the total lack of awareness of principal cyber threats.
    Risk Likelihood Rating: Low

6. Risk Impact Analysis


*Please check if something needs to be edited or added

The purpose of this step is to assign an impact rating of high, moderate or low to each risk identified. The impact rating is determined based on the severity of the adverse impact that would result from an occurrence of the risk.

Risk Impact Rating Definition

Magnitude of Impact: High
Impact Definition: Occurrence of the risk: (1) may result in human death or serious injury; (2) may result in the loss of major tangible assets, resources or sensitive data; or (3) may significantly harm, or impede the mission, reputation, or interest.

Magnitude of Impact: Moderate
Impact Definition: Occurrence of the risk: (1) may result in human injury; (2) may result in the costly loss of tangible assets or resources; or (3) may violate, harm, or impede the mission, reputation, or interest.

Magnitude of Impact: Low
Impact Definition: Occurrence of the risk: (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect the mission, reputation

Risk impact ratings (columns: SR, Risk Summary, Risk Impact, Risk Impact Rating):

1. Risk Summary: As health information exchanges (HIEs) make patient information electronically available across the hospital system, privacy and data security concerns have become paramount. The risks are compounded by the numerous systems and organizations involved.
   Risk Impact: Loss of mission-critical business information
   Risk Impact Rating: High

2. Risk Summary: Data-based business intelligence is quickly moving to the forefront for most healthcare organizations. The greater the emphasis on better managing outcomes and overall population health, the more important data (clinical or otherwise) becomes.
   Risk Impact: Sensitive data compromised
   Risk Impact Rating: High

3. Risk Summary: Productivity, revenue, and even patient safety could be severely affected if systems and data are not available and operational at all times. While business continuity related to disaster recovery is not a new concern for healthcare organizations, it ranked high because of its strategic and business impact.
   Risk Impact: Unrequited intrusion or data exposed
   Risk Impact Rating: Moderate

4. Risk Summary: Unidentified security vulnerabilities in biomedical devices can affect patient safety as well as the privacy of data on devices and networked systems.
   Risk Impact: Fork bomb and data wipe-out
   Risk Impact Rating: High

5. Risk Summary: Many healthcare organizations are susceptible to risks related to the implementation of electronic health record (EHR), financial, and other business systems.
   Risk Impact: Replication of the company's new launches; sensitive and business-critical information and data
   Risk Impact Rating: High

6. Risk Summary: HIPAA remains an area of significant risk for healthcare organizations. Maintaining the security of protected health information is challenging. Absence of supporting documentation demonstrating adherence to policies can be a huge risk.
   Risk Impact: Inadvertent violations of security precautions
   Risk Impact Rating: Low

7. Risk Summary: Many organizations have issues with tracking not only their physical IT assets but their software licenses as well. Lack of control in these areas can lead to financial losses for the organization.
   Risk Impact: Data and privacy compromise
   Risk Impact Rating: Moderate

8. Risk Summary: Electronic protected health information (ePHI) and similarly sensitive data can be disclosed to unauthorized personnel either by malicious intent or inadvertent mistake.
   Risk Impact: Security breach, and vitiate other machines
   Risk Impact Rating: High

9. Risk Summary: All data within, or accessed by, corporate apps should be encrypted so that compromised devices don't give up their data in readable form. If users are allowed to access data in offline mode, app data is especially sensitive and must be encrypted to ensure security.
   Risk Impact: Data snooping and data meddling
   Risk Impact Rating: High

10. Risk Summary: Because users will bring a variety of device types (tablets, phones, laptops) and manufacturers to the workplace, a separate security policy should be available for each supported device, specific to that device. Generic security policies will leave significant gaps and create additional vulnerabilities on your network. Most mobile management suites support a variety of device types and manufacturers. Devices outside of the support matrix should not be allowed as part of the BYOD program.
    Risk Impact: Significant loopholes in the current security setup
    Risk Impact Rating: Moderate

11. Risk Summary: Periodic re-authentication assures that the user is genuine. Unlimited access without re-authentication is a security vulnerability for any device that might be stolen or compromised during authenticated use. Management suites can enforce re-authentication after a set time period.
    Risk Impact: Unauthorised access
    Risk Impact Rating: High

12. Risk Summary: Apps with this threat permit hackers to steal files or data, completely wipe data, permit eavesdropping, and cause other consequences on the victim's device. It is also possible for an app to carry multiple payloads. The source code of a legitimate app will be taken out and repacked with malicious code to hide the threat from the victim.
    Risk Impact: Sensitive, confidential, company-related data exposed
    Risk Impact Rating: Moderate

13. Risk Summary: Employees may download communication apps that have been infected by adversaries to mine the user's contact database; if these databases are connected to the corporate network, then hackers can mine corporate data and send it over to compromised servers via the web. Such apps will mine text and call logs too.
    Risk Impact: Users' contacts, corporate data leakage
    Risk Impact Rating: High

14. Risk Summary: This is an application that can be installed via phishing or by attaching itself to a legitimate application, usually free things such as a free feature in a productivity application, slipping through the Google Play Store or App Store. The keylogger malware can record all keystrokes that are typed by the user, making it easy for criminals to record financial data and sensitive information.
    Risk Impact: Organization's financial data and sensitive information
    Risk Impact Rating: High

15. Risk Summary: Mobile devices may use untrusted content that other types of devices generally do not encounter. An example is Quick Response (QR) codes. They are specifically designed to be viewed and processed by mobile device cameras. Each QR code is translated to a uniform resource locator (URL), so malicious QR codes could direct mobile devices to malicious websites. This could allow for targeted attacking, such as placing malicious QR codes at a location where targeted users gather.
    Risk Impact: Personal information loss
    Risk Impact Rating: Moderate

16. Risk Summary: In terms of organization security, mobile devices with location services enabled are at increased risk of targeted attacks because it is easier for potential attackers to determine where the user and the mobile device are, and to correlate this information with other sources about who the user associates with and the kinds of activities they perform in particular locations.
    Risk Impact: Personal safety and the company's data
    Risk Impact Rating: Low

17. Risk Summary: This raises the question of the ownership of the phone number. The issue becomes apparent when employees in sales or other customer-facing roles leave the company and take their phone number with them. Customers calling the number will then potentially be calling competitors, which can lead to loss of business for BYOD enterprises.
    Risk Impact: Strategic decisions leakage
    Risk Impact Rating: Low

18. Risk Summary: Mobile devices are simply too good a target for potential attackers to pass up. All it takes is for one infected device to eventually reach many others that are connected to the same network. Research has shown that 2,000 new malware samples for Android devices are discovered daily.
    Risk Impact: Loss of personal data
    Risk Impact Rating: Low

7. Overall Risk Determination


The purpose of this step is to calculate an overall risk rating of high, moderate or low for each risk identified. The risk rating must be based on both the likelihood of the risk occurring and on the impact.
The determination of risk ratings is somewhat subjective. Their value is in the attempt to quantify, however subjectively, the combination of likelihood and impact of occurrence.
Each risk rating is expressed as the correlation of the given risk's likelihood of occurrence and the risk's respective impact rating.

Overall risk ratings (columns: SR #, Risk Summary, Risk Likelihood Rating, Risk Impact Rating, Overall Risk Rating):

1. Risk Summary: After the exposure to BYOD, organizations now have less control over devices, and thus vulnerabilities come into the picture for the simple reason that the devices are no longer all on the organization's domain, so the device security policies are not automatically implemented on them.
   Risk Likelihood Rating: High
   Risk Impact Rating: High
   Overall Risk Rating: High

2. Risk Summary: If an employee uses a smartphone to access the company network and then loses that phone, untrusted parties could retrieve any unsecured data on the phone.
   Risk Likelihood Rating: High
   Risk Impact Rating: High
   Overall Risk Rating: High

3. Risk Summary: 1. Various members of the family often share certain devices such as tablets; a child may play games on his or her parent's tablet and accidentally share sensitive content via email or through other means such as Dropbox. 2. People sometimes sell their devices and might forget to wipe sensitive information before selling the device or handing it down to a family member.
   Risk Likelihood Rating: Low
   Risk Impact Rating: Moderate
   Overall Risk Rating: Moderate

4. Risk Summary: A hacker can get into the organization's server and glean out mission-critical data. It could also be done by an irate ex-employee or a disgruntled current employee who has access to the server.
   Risk Likelihood Rating: Moderate
   Risk Impact Rating: High
   Overall Risk Rating: Moderate

5. Risk Summary: 1. Jailbreaking and rooting bypass the device's security mechanisms, allowing any app to be installed on the device. And all it takes is a single rogue app behind a corporate firewall to allow the bad guys into your corporate digital fortress. 2. Jailbreaking does introduce a high degree of risk since it means adding software that hasn't been vetted by service providers. There are a number of jailbroken applications that deliberately corrupt the user's phone or do something embarrassing or deceptive (reading emails, stealing contact lists, eavesdropping, etc.).
   Risk Likelihood Rating: High
   Risk Impact Rating: High
   Overall Risk Rating: High

6. Risk Summary: Haphazard approach in handling BYOD devices due to lack of awareness among the employees, thereby leading to loss of business-critical information.
   Risk Likelihood Rating: Low
   Risk Impact Rating: Low
   Overall Risk Rating: Low

7. Risk Summary: A basic security measure that many device owners neglect is the screen lock password. Screen lock passwords are simple to set up and yet provide a high level of data theft protection. Proper enforcement of screen lock passwords helps to
   Risk Likelihood Rating: High
   Risk Impact Rating: Moderate
   Overall Risk Rating: Moderate
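As an added example (not part of the report), the following Python encodes the Risk Likelihood Definitions matrix from section 5 exactly as given and checks the section 7 ratings for internal consistency. The rule that an overall rating must lie between its likelihood and impact ratings is an assumption of the example, as are the short risk labels, which abbreviate the report's summaries.

```python
"""Risk-rating helpers for the BYOD risk assessment.

Added example, not part of the original report. The likelihood matrix is
copied from section 5 (Risk Likelihood Definitions); the consistency rule
and the short risk labels are assumptions of this example. The report
itself calls the overall determination "somewhat subjective".
"""
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")
ORDINAL = {name: i for i, name in enumerate(LEVELS, start=1)}

# Section 5 matrix: rows = effectiveness of current controls,
# columns = probability that the threat occurs.
LIKELIHOOD_MATRIX = {
    "High":     {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "Low":      {"Low": "Moderate", "Moderate": "High",     "High": "High"},
}


def likelihood(control_effectiveness: str, threat_probability: str) -> str:
    """Look up the likelihood rating for one risk from the section 5 matrix."""
    try:
        return LIKELIHOOD_MATRIX[control_effectiveness][threat_probability]
    except KeyError as exc:
        raise ValueError(f"ratings must be one of {LEVELS}") from exc


@dataclass(frozen=True)
class RiskEntry:
    number: int
    summary: str
    likelihood: str
    impact: str
    overall: str


def inconsistent_entries(register):
    """Return entries whose overall rating falls outside the range spanned
    by their likelihood and impact ratings (assumed consistency rule)."""
    flagged = []
    for entry in register:
        lo = min(ORDINAL[entry.likelihood], ORDINAL[entry.impact])
        hi = max(ORDINAL[entry.likelihood], ORDINAL[entry.impact])
        if not lo <= ORDINAL[entry.overall] <= hi:
            flagged.append(entry)
    return flagged


def by_overall_rating(register):
    """Group entry numbers by overall rating, highest first, so the
    recommendations step (section 8) can be worked top-down."""
    groups = {level: [] for level in reversed(LEVELS)}
    for entry in register:
        groups[entry.overall].append(entry.number)
    return groups


# The seven BYOD risks of the section 7 table; ratings copied from the
# report, labels abbreviated here (assumption of this example).
SECTION_7_REGISTER = [
    RiskEntry(1, "Devices outside the organization's domain", "High", "High", "High"),
    RiskEntry(2, "Lost smartphone with unsecured data", "High", "High", "High"),
    RiskEntry(3, "Shared or resold devices", "Low", "Moderate", "Moderate"),
    RiskEntry(4, "Server access by attacker or ex-employee", "Moderate", "High", "Moderate"),
    RiskEntry(5, "Jailbroken or rooted devices", "High", "High", "High"),
    RiskEntry(6, "Haphazard BYOD handling, lack of awareness", "Low", "Low", "Low"),
    RiskEntry(7, "Screen lock password not enforced", "High", "Moderate", "Moderate"),
]

if __name__ == "__main__":
    print("likelihood(Low controls, High probability) =", likelihood("Low", "High"))
    print("inconsistent rows:", [e.number for e in inconsistent_entries(SECTION_7_REGISTER)])
    print(by_overall_rating(SECTION_7_REGISTER))
```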

8. Recommendations
The purpose of this step is to recommend additional actions required to respond to the identified risks, as appropriate to the agency's operations. The goal of the recommended risk response is to reduce the residual risk to the system and its data to an acceptable level. The following factors should be considered in recommending controls and alternative solutions to minimize or eliminate identified risks:

Effectiveness of recommended options (e.g., system compatibility)
Legislation and regulation
Organizational policy
Operational impact
Safety and reliability

Recommendations (columns: SR #, Risk Summary, Overall Risk Rating, Recommendations):

1. Risk Summary: After the exposure to BYOD, organizations now have less control over devices, and thus vulnerabilities come into the picture for the simple reason that the devices are no longer all on the organization's domain, so the device security policies are not automatically implemented on them.
   Overall Risk Rating: High
   Recommendations: The recovery procedure should be assessed periodically and audited once every 6 months.

2. Risk Summary: If an employee uses a smartphone to access the company network and then loses that phone, untrusted parties could retrieve any unsecured data on the phone.
   Overall Risk Rating: High
   Recommendations: BitLocker encryption should be kept active.

3. Risk Summary: 1. Various members of the family often share certain devices such as tablets; a child may play games on his or her parent's tablet and accidentally share sensitive content via email or through other means such as Dropbox. 2. People sometimes sell their devices and might forget to wipe sensitive information before selling the device or handing it down to a family member.
   Overall Risk Rating: Moderate
   Recommendations: A dual profile system should be maintained.

4. Risk Summary: A hacker can get into the organization's server and glean out mission-critical data. It could also be done by an irate ex-employee or a disgruntled current employee who has access to the server.
   Overall Risk Rating: Moderate
   Recommendations: Accounts of employees who leave the company should be deactivated immediately. Adequate measures should be taken to ensure that confidential data is not extracted from the system by the employees by any means. Regular monitoring of the employees' systems should be done.

5. Risk Summary: 1. Jailbreaking and rooting bypass the device's security mechanisms, allowing any app to be installed on the device. And all it takes is a single rogue app behind a corporate firewall to allow the bad guys into your corporate digital fortress. 2. Jailbreaking does introduce a high degree of risk since it means adding software that hasn't been vetted by service providers. There are a number of jailbroken applications that deliberately corrupt the user's phone or do something embarrassing or deceptive (reading emails, stealing contact lists, eavesdropping, etc.).
   Overall Risk Rating: High
   Recommendations: MDM policies should be updated.

6. Risk Summary: Haphazard approach in handling BYOD devices due to lack of awareness among the employees, thereby leading to loss of business-critical information.
   Overall Risk Rating: Low
   Recommendations: Required training on security must be given to the employees beforehand, which involves measures for removing generic

9. Result Documentation
The final step in the risk assessment is to complete the Risk Assessment Matrix.
The risk assessment report helps senior management and the mission owners make informed decisions on policy, procedural, budget, and system operational and management changes.
A risk assessment is not an audit or investigation report, which often looks for wrongdoing and issues findings that can be embarrassing to managers and system owners. A risk assessment is a systematic, analytical tool for identifying security weaknesses and calculating risk.
