Information Security Risk Assessment & Management Policy
ISMS Risk Assessment & Management Policy

Version: 1.0
Release Date:
Status:
Author:

RESTRICTED

Change History

Version | Date | Revised By | Summary of Change
ISMS risk assessment and management policy
Table of Contents

I. Purpose ... 4
   A. Glossary ... 4
II. Assets ... 5
   A. Critical asset identification ... 5
   B. Business Asset Master ... 5
III. Information Asset Classification ... 6
IV. Information Asset Valuation ... 8
   A. The asset valuation criteria ... 8
V. Identification of Security Requirements ... 9
VI. Assessment of Security Requirements ... 9
   A. Risk Assessment ... 10
   B. Assessment of risk probability & impact ... 10
VII. Risk Treatment ... 11
   A. Selection & Application of Appropriate Controls ... 12
   B. Risk Reductions and Acceptance ... 12
   C. Residual Risk ... 13
I. Purpose
Risk is the possibility that a threat causes damage to an asset. ISMS risk assessment is the process of identifying information security risks and assessing the damage they could cause to the organisation. Risk assessment then leads to a risk treatment (management) plan using appropriate information security controls. These controls are implemented to mitigate the risk, or to reduce its impact to an acceptable level.
This policy document describes the overall information security risk management process that shall be followed for the organisation's business and information security requirements.
The approach meets the requirements of the ISO/IEC 27001 ISMS standard, namely:
● Identifying the critical asset(s) of the business
● Identifying threats and vulnerabilities to critical assets and their impact on confidentiality, integrity and availability (CIA) requirements
● Assessing the likelihood of threats occurring and estimating the harm they may inflict on the organisation
● Identifying the most appropriate risk treatment option and selecting appropriate information security controls to reduce the risks to an acceptable level
A. Glossary

Term: Definition / meaning (in the context of this document)

ISMS: Information Security Management System
Risk: Any probable or assumed event that can disrupt the normal course of business and/or adversely impact the reputation, customers or financial health of the organisation
BAM: Business Asset Master, a register containing the relevant and important details of all the assets of the organisation
CIA: The three pillars of information security, viz. Confidentiality, Integrity and Availability
Threat: Any action or event (external or internal) that could disrupt the normal course of activities, e.g. heavy rains causing floods or water logging
Vulnerability: Any intrinsic or inbuilt weakness of an asset that may be exposed or exploited by malicious users for personal gain or to inflict harm on others
II. Assets
A. Critical asset identification
An asset is anything that has value or utility to the organisation for its business operations. Only assets that are critical to the business are taken forward for asset valuation.
The outcome of asset identification is an inventory list/register containing all major assets within the scope of the ISMS.
B. Business Asset Master
A Business Asset Master (BAM) shall be created as required by ISO/IEC 27001. It shall contain the details of all important and relevant assets used for the business. It also helps to establish the external and internal context for information security risk management.
The BAM should record the following information for each asset, as applicable in the context of the organisation:
● Name of the asset
● Location details as appropriate (city/state/country/building/floor/area identifier, if any)
● Designated asset owner
● Other details relevant to the asset, viz. unique identifier, manufacturer
The Business Asset Master captures information about assets and also identifies the assets that are critical to the business. Examples of asset categories include:
Category 1:
● Functional roles with count of people - Identify all roles that are part of delivery of the
process/services of your department (even for roles which are vacant)
Category 2:
● Team-specific Standard Operating Procedure (SOPs) and related documentation
○ SOPs
○ Service Level Agreement /Operational Level Agreement
○ Compliance policy
● Team-specific Work Output (Paper/Digital)
○ Records/evidence generated during day-to-day operations demonstrating conformance with internal, contractual, legal, regulatory and ISO requirements
○ List of department-specific records that demonstrate the activities performed
Category 3:
● All service providers - Internal, external
● Application services - Identify all business applications required for your operations.
● Utilities/network services - Identify all infrastructure, network and utility services
required for your operations.
● Remote access: Identify all applications that are used remotely but only by
employees/contractors
The outcome of asset identification will be an ISMS inventory containing all major assets
used to deliver services.
III. Information Asset Classification
In order to provide an appropriate level of protection, all information assets are classified as CRITICAL or NON-CRITICAL.
In addition, information assets are classified in terms of their value, utility and criticality to the business operations of the organisation, using the following classifications:
Confidential
This classification applies to information that must be available only to authorised users on a need-to-know basis. Its unauthorised disclosure could seriously and adversely impact the business and/or its customers.
Examples of confidential information include operational plans, corporate-level strategic plans, intellectual property and commercial proposals. All such information shall be labelled 'Confidential' by its owner or originator.
Restricted
Restricted information is highly sensitive information of the company, the disclosure of which would cause substantial damage to the reputation and competitive position of the company in the market.
Examples of restricted information are details of major acquisitions, financial dealings, business and competition strategy, and sensitive customer-related information.
Internal Use
Information that can be shared across the organisation falls under this category.
Examples include employee training materials and policy/procedure manuals.
Public Use
Information that can be shared with the public falls under this category.
Examples include the annual report, company website content, and product and service brochures. No specific labelling is required for such information or documents.
IV. Information Asset Valuation
Critical assets identified in the Business Asset Master are rated in order to clearly distinguish, and focus on, those assets or teams that require a higher degree of security control or protection.
Assets with a rating of 4 require the implementation of controls, which may combine administrative, technical, procedural and management controls. Controls can be preventive, detective, maintenance and monitoring controls. The management team shall agree to the ratings and define the security strategy.
A. The asset valuation criteria
Confidentiality of information refers to the protection of information from unauthorised disclosure. The impact of unauthorised disclosure of confidential information can range from jeopardising the organisation's security to exposing the private data of employees. The impact on confidentiality, integrity and availability is assessed using the scale described below:
Impact Valuation (Confidentiality, Integrity, Availability)

Value | Reference | Explanation
4 | Very High | Assets whose unauthorised access, unauthorised or inadvertent modification of data, or unavailability of services leads to any one or all of the following: financial loss, reputation loss, endangering people's health or safety, or loss of intellectual property. Such events/incidents are rated "Very High" impact.
3 | High | Any loss, unauthorised access or modification of information, or unavailability of services, or any information NOT categorised as 'Confidential', resulting in small/negligible delays or some adverse/negative publicity. Such events/incidents are rated "High" impact.
2 | Medium | Any information security incident with minor operational impact, due to a violation or otherwise, where news of the incident is contained internally. Such events/incidents are rated "Medium" impact.
1 | Low | Any incident or event with very low or insignificant impact.
V. Identification of Security Requirements
It is necessary to identify the security requirements of the information assets. This has to consider all the information assets we rely on to do business and deliver services to our customers and stakeholders. It includes identifying:
● All security controls already implemented, either by default or by design, built into the specific information asset(s).
● All available information on vulnerabilities and threats for each asset, which shall be analysed thoroughly. The findings are used to determine the additional security controls needed to protect the information assets.
● The statutory, regulatory and contractual requirements/obligations to be fulfilled for our customers, trading partners, service providers and stakeholders.
The output of this process is a set of security requirements, based on the above parameters, for the following areas:
○ Personnel
○ Physical environment
○ Hardware, software and communications equipment
○ Critical business processes
○ Management and administration procedures and controls
VI. Assessment of Security Requirements
Security requirements are assessed taking into account the business value and criticality of the various information assets.
The following process flow describes the complete flow of risk assessment.
A. Risk Assessment
The objective of risk assessment is to determine the extent of the potential threats and the risk associated with all assets/resources throughout the organisation. The output of this process helps to identify optimum and adequate controls for reducing or eliminating risk.
B. Assessment of risk probability & impact
The following risk assessment matrix shall be used to evaluate each risk and determine its risk rating. Rows give the probability of the threat occurring; columns give the impact.

Risk Assessment Matrix       Impact Low (1)   Impact Medium (2)   Impact High (3)
Probability High (3)         Medium           High                High
Probability Medium (2)       Low              Medium              High
Probability Low (1)          Low              Low                 Medium

● All risks are scored using the following formula:
  Risk score (risk value) = value of Probability x value of Impact
● Read against the matrix, scores of 1 and 2 rate Low, scores of 3 and 4 rate Medium, and scores of 6 and 9 rate High.
● All risks identified and assessed to have a risk score greater than 1 will be considered for risk treatment.
● A Risk Treatment Plan shall then be developed to treat the risks.
Legend
High: Risk needs to be reduced, if not avoided
Medium: Risk can be accepted and may be monitored
Low: Risk can be accepted
NA: Risk is no longer applicable

VII. Risk Treatment
The result of the risk analysis is a list of security risks. Each risk is rated from "Low" to "High" based on the risk score derived during its assessment. This rating is compared against the acceptable risk level determined by the management team in the established context.
● All risks identified and assessed to have a risk score greater than 1 will be considered for risk treatment.
● All identified and assessed risks shall be treated to reduce the level of risk exposure.
The risk treatment approach shall follow the options below in descending order of preference:
1. Risk avoidance
2. Risk mitigation/reduction
3. Risk transfer
4. Risk acceptance
A. Selection & Application of Appropriate Controls
In order to reduce the assessed risks within the scope of the ISMS to an acceptable level, additional appropriate and justified security controls shall be identified and applied. When selecting controls for implementation, the following factors will be considered:
● The relative strength of the controls
● Ease of use of the controls applied
● Transparency to the user(s)
● The assistance/help that needs to be provided to the user to perform their function
● The effect of the controls, viz. prevention, deterrence, detection, recovery, correction, monitoring and awareness
B. Risk Reductions and Acceptance
After identifying appropriate controls to reduce a specific risk, it shall be assessed how far these controls reduce the risk. The risk remaining is called the residual risk. Its estimate rests on the expert judgement of the practitioner; this approach is nevertheless preferred because the model can be refined and made more accurate with experience of using it.
If the residual risk is unacceptable, a business decision will be made on how to deal with it. Additional or alternative controls can be considered in order to reduce the risk to an acceptable level.
The above step will be repeated until the identified risk is assessed to have an acceptable risk score or, alternatively, the risk is accepted.
C. Residual Risk
It is quite possible that not all risks can be mitigated or eliminated. After risk assessment and application of the appropriate treatments, the new risk level is determined. The following steps shall be performed on the residual risks:
● If the new risk level is within the acceptable level of 1 or 2, no further treatment is required. A risk level of 1 or 2 is the residual risk that the organisation accepts.
● If the residual risk (after appropriate risk treatment) remains greater than a risk score of 2, the concerned risk owners, after seeking the necessary approvals from management, can accept the residual risk.
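As a worked example tying together the scoring formula of section VI.B, the legend and treatment threshold of section VII and the residual-risk rule of this section, the following Python is an added illustration and is not part of the policy. The rating bands (1 to 2 Low, 3 to 4 Medium, 6 to 9 High) are an assumption chosen because they reproduce every cell of the policy's matrix; the register entries, the RiskEntry fields and the decision strings are likewise constructed for illustration and are not prescribed by the policy.

```python
# Added example: risk scoring, rating and treatment decisions as laid out in
# sections VI.B, VII and VII.C of this policy. Not part of the policy text;
# the register entries below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

# Scale shared by probability and impact in the 3x3 risk assessment matrix.
LEVELS = {1: "Low", 2: "Medium", 3: "High"}

# Legend from section VII, keyed by rating.
LEGEND = {
    "High": "Risk needs to be reduced, if not avoided",
    "Medium": "Risk can be accepted and may be monitored",
    "Low": "Risk can be accepted",
    "NA": "Risk is no longer applicable",
}

# Treatment options in the policy's descending order of preference.
TREATMENT_PREFERENCE = ("avoidance", "mitigation/reduction", "transfer", "acceptance")

ACCEPTABLE_RESIDUAL = 2   # residual score of 1 or 2 is accepted without further treatment
TREATMENT_THRESHOLD = 1   # scores strictly greater than this go to the treatment plan


def risk_score(probability: int, impact: int) -> int:
    """Risk score = value of Probability x value of Impact, each on the 1..3 scale."""
    if probability not in LEVELS or impact not in LEVELS:
        raise ValueError("probability and impact must be 1, 2 or 3")
    return probability * impact


def risk_rating(probability: int, impact: int) -> str:
    """Map a score onto the matrix cells: 1-2 Low, 3-4 Medium, 6-9 High.

    Assumed bands: they are the ones that reproduce every cell of the policy's
    matrix (e.g. High probability x Low impact = 3 -> Medium, Medium x Medium = 4 -> Medium).
    """
    score = risk_score(probability, impact)
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


def assessment_matrix() -> dict:
    """Full matrix as {(probability, impact): rating}, for checking against the policy table."""
    return {(p, i): risk_rating(p, i) for p in LEVELS for i in LEVELS}


def needs_treatment(score: int) -> bool:
    """Section VI.B / VII: risks scoring above 1 are considered for treatment."""
    return score > TREATMENT_THRESHOLD


def residual_decision(residual_score: int, management_approval: bool = False) -> str:
    """Section VII.C: 1-2 accepted; above 2 only with management approval, else treat further."""
    if residual_score <= ACCEPTABLE_RESIDUAL:
        return "accepted"
    if management_approval:
        return "accepted with management approval"
    return "further treatment required"


@dataclass
class RiskEntry:
    asset: str
    threat: str
    probability: int
    impact: int
    residual_probability: Optional[int] = None  # expected after planned controls
    residual_impact: Optional[int] = None
    management_approval: bool = False


def evaluate(entry: RiskEntry) -> dict:
    """Produce the treatment-plan line for one register entry."""
    score = risk_score(entry.probability, entry.impact)
    rating = risk_rating(entry.probability, entry.impact)
    result = {
        "asset": entry.asset, "threat": entry.threat,
        "score": score, "rating": rating, "legend": LEGEND[rating],
        "in_treatment_plan": needs_treatment(score),
    }
    if entry.residual_probability is not None and entry.residual_impact is not None:
        residual = risk_score(entry.residual_probability, entry.residual_impact)
        result["residual_score"] = residual
        result["residual_decision"] = residual_decision(residual, entry.management_approval)
    return result


# Constructed register entries (illustrative only, not from the policy).
SAMPLE_REGISTER = [
    RiskEntry("Customer database", "Credential theft via phishing", 3, 3, 1, 3),
    RiskEntry("Office network", "Water ingress to server room", 1, 3, 1, 2),
    RiskEntry("Payroll application", "Unpatched vendor software", 2, 3, 2, 3, management_approval=True),
    RiskEntry("Public brochure", "Defacement of marketing PDF", 1, 1),
]

if __name__ == "__main__":
    # Highest scores first, as a treatment plan would list them.
    for entry in sorted(SAMPLE_REGISTER, key=lambda e: -risk_score(e.probability, e.impact)):
        print(evaluate(entry))
```

The point worth noticing when running it is that a risk scored 2 (for instance Medium probability x Low impact) is "considered for treatment" under section VI.B yet already sits inside the acceptable residual level of section VII.C, so it is legitimately closed as accepted; only residual scores of 3 and above need either more controls or a recorded management approval.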