IMS Risk Assessment _DRAFT_v3 1(Ori)
FPSSB/IMS/REC/RISK-001 Template Version: 1.0
RISK ASSESSMENT
Service Risk Owner
Service
Risk Register Service Component
Threats
Vulnerabilities
Risk Description
Risk Treatment Plan (A=Availability, C=Confidentiality, I=Integrity)
Impact / Severity (Score 1-5)
Probability/ Likelihood (Score 1-5)
Result of Risk (Total Score)
Risk ID
Control Annex
Current Control
Risk Treatment
Treat
Staff shortage
Lack of commitment, resignation, and unavailability
Unable to maintain certification,
A
5
1
5
Attend all SMS related meetings, workshops and training
Long leave (accident/illness)
Lack of back-up person to approve ITSM documents.
Delay,
I
3
1
3
Train backup
Staff shortage
Lack of knowledge, direction, experience and commitment, resignation
Unable to maintain certification,
A
3
1
3
Perform regular monitoring by Project Sponsor and Consultant
Treat
Staff shortage
Lack of knowledge, experience and commitment, resignation
Unable to maintain certification,
A
5
1
5
Assign backup person
Treat
Long leave (accident/illness)
Lack of back-up person to maintain the process
Unable to maintain certification,
A
5
1
5
Assign backup person
Human error
Lack of knowledge and experience
Unable to maintain the process,
C,I
5
1
5
Attend workshop or training
Staff shortage
Lack of knowledge, experience and commitment, resignation
Unable to maintain the process,
A
5
2
10
Perform regular monitoring by SMR and DC. Attend SMS workshop or training
Treat
Long leave (accident/illness)
Lack of back-up person to maintain the process
Unable to maintain the process,
A
5
1
5
Assign Process Team Member
Treat
9
Perform regular monitoring by SMR and DC. Attend SMS workshop or training
Controls to be implemented
Target Risk Level
Progress update to Management Meeting
L
Project Sponsor Accept
Buddy System
L
Progress update to Project Sponsor. Service Management Representative
IT Service Management Team Document Controller
IT Governance
Process Champions & Team Members
Service Desk Agent CMDB IT Service Management Tools
wrongly assigning ticket Data loss, Data integrity
EDMS
System not accessible
Lack of knowledge and experience
Causes delay in re-assigning ticket
Manually control for ERP & BA
Data corrupted, lost track of latest version Excel files.
Server failure, no backup performed regularly
System not accessible, data corrupted.
A A, I A, I
3 4 3
3 1 1
4 3
Backup, scattered files locations Maintain hardcopy
Treat
L
Use tool (ISO Portal)
L
Accept
Treat Treat Treat
Service Desk
System not accessible
Lack of maintenance
System not accessible.
A
5
2
10
Perform regular monitoring and maintenance.
Treat
ISO Documents
Loss of documents
Lack of documents maintenance
Unavailability of documents.
A
5
1
5
Perform regular checking and updating
Treat
ISO Records
Loss of records
Lack of records maintenance
Unavailability of records.
A
5
1
5
Perform regular checking and updating
Treat
Hardware (Network Equipment / Servers)
Hardware failure
Lack of maintenance
Network services are inaccessible.
A
3
2
5
Perform regular maintenance
Hardware (Network Equipment / Servers)
Hardware failure
Susceptibility to voltage variations
Network services are inaccessible.
A
3
2
5
Regular check by Network Team / OSS
Treat
Hardware (UPS)
Battery dry out
Lack of maintenance
Network services are inaccessible when there is no electricity.
A
3
2
5
Perform regular maintenance
Treat
Hardware (Structured Cabling)
Water leakage and pest attack
Lack of periodic building maintenance and pest control
Network is intermittent or inaccessible.
A
1
1
2
Regular check by FES
Network Administrator
System hacked
Lack of competence in monitoring day-to-day network activities and security of the systems
Poses a security threat
C, I, A
3
2
5
Software
Unauthorized access
Lack of maintenance and poor password management
Network services are inaccessible.
A
3
2
5
Perform regular maintenance
Treat
Router, ISDN Backup
IPVPN/IPVPN Value Failure
Lack of maintenance
Network services are inaccessible.
A
3
3
6
Perform regular maintenance
Treat
IT Service Management Documents
Transfer
Network
Managed IPVPN
L Use tool (ISO Portal)
Transfer
L Progress update to SMR and DC. Encourage for ITIL certification
L L
Progress update to SMR. Encourage regular awareness. Backup, centralized storage for Excel master files. ISO Portal will replace EDMS in 2013
L L L
Monitor, check and reporting. Perform quarterly maintenance. Plan to change to a new system ITIL compliance regular update and review the documents
L L
regular update and review the records
L
Continuous monitoring, checking and reporting. Engaged vendors for maintenance. Periodic checks and updates by Network Team / OSS. Monitor, check and report. Introduce IP-based UPS system. Periodic updates by FES.
45% 45% 45% 10%
Manager alerts, evaluates and verifies new software updates. a) Not guaranteed - based on best effort
45% 50%
a) Sign up SLA with Telekom (Max 2 days resolution) Managed VSAT
Managed CCTV surveillance
IDU, ODU, Router, Modem
VSAT Failure
Lack of maintenance
Network services are inaccessible
A
3
3
6
Perform regular maintenance
Transfer
Hardware a) Storage Server b) Camera
Storage server down and camera faulty.
Lack of maintenance
CCTV unable to operate
A
3
3
6
Perform regular maintenance
Treat
Network
Network failure
Lack of network maintenance
CCTV unable to operate
A
3
2
5
Regular check by Network Team
Treat
Electricity
Power failures.
Susceptibility to voltage variations
CCTV unable to operate
A
3
2
5
Regular check by FES
Treat
Lack of maintenance
Failed delivery of attendance data to server (TMS and SAP) due to malfunction of Controller or Card reader
C, A
3
3
6
Perform preventive maintenance
Treat
50% b) NMS software to monitor a) Monitoring and maintenance checking on a daily, monthly and yearly basis to ensure sustained operation. b) Troubleshoot server c) Preventive maintenance (SLA) d) Disaster recovery e) Check network availability & performance f) Reset camera's power & network cable g) Repair or change camera
45%
Managed Network & Desktop Services
Hardware a) Server b) Controller c) Card reader
Malfunction Controller or Card reader.
Check network availability & performance
45%
Backup power must be on standby a) Preventive maintenance (twice a year) to make sure all hardware and software are in good condition b) Repair or change controller or controller's power & network cable c) Reset or change card reader
45%
45%
a) Check network availability & performance b) Check and reset communication converter c) Change communication converter (faulty)
Managed Door Access Security System Network
Network down.
Lack of network maintenance
Data stuck or pending at controller and not transferred to server. Thus data will not be updated with the latest data and there will be no access report.
C, A
3
3
6
Regular check by Network Team
Treat
Electricity
Power failures.
Susceptibility to voltage variations
System will fail to function (i.e. door not secure) after battery backup runs out
C, A
3
3
6
Regular check by Network Team / FES
Treat
45%
Backup power must be on standby
45%
a) Sign maintenance agreement with vendors Core switches failures Managed LAN
Lack of network maintenance
Network services are inaccessible
A
3
2
5
Regular check by Network Team
Treat
Core Switch, Access Switch System being hacked and information stolen by hackers Unauthorized access
Misconfiguration
1. Virus Attack 2. Antivirus installed cannot communicate with server (not connected to Felda network)
1. Antivirus software not updated 2. Agent corrupted 3. No scanning for external device i.e. pen drive 4. Stand alone / Streamyx
C, I, A
Program error
Too many unauthorized software/applications installed at the user's PC
3
3
6
Regular check by Network Team
Treat
2. Antivirus
b) Use Network Management System (NMS) software to monitor daily activity a) Implement Intrusion Prevention System (IPS) b) System penetration test
45%
45%
1. Execute Symantec Endpoint installation to FGC. 2. Install new updates / set user PC or notebook unmanaged (LiveUpdate from internet).
C, I, A
1. To make sure only authorized software approved by management is installed at the user's PC 2. To ensure Symantec Gateway always filters incoming email and eliminates spam.
PC Windows OS / Software (MS-Office ) C, I, A
3. Blue Coat Implementation Field Services
Hardware Services & Support Email Program
To ensure Symantec Gateway always filters incoming email and eliminates spam.
Spam A 1. PC not properly shut down 2. Old Hardware
Basis Asset Management
PC Hardware
HDD failure
Printer
Printer error / Cannot print
1. Missing driver 2. Printer cable loose
2. 3. install
1. Preventive maintenance
A
User Authorisation and Administration Asset Rental No redundancy for Genset at Wisma Felda Generator Set
UPS Data Centre
1. propose file server backup to keep at external device UPS at critical PC. 4. Preventive Maintenance
C, A
All equipment in the computer room will be down after about 30 mins
More than one UPS module breakdown at the same time (currently 3X30KVA). When any one UPS module fails, some servers have to be shut down.
A
1. To ensure that FESSB maintains and tests the genset periodically 2. To move Data Centre to a different location
A
1. To replace UPS battery every year. 2. To get new UPS for back-up 3. To prepare a listing of less critical servers
A
To have in place a real time online disaster recovery plan
Data Centre Management SKB IBM i570 machine SKB IBM DR i570 machine Air cond
SKB system not available or compromised
Felda group business operation interrupted
SKB system not available or compromised
Cannot provide business continuity in the event of a disaster.
unexpected downtime
3 out of 4 units are very old (more than 10 years)
Hardware failure Managed Enterprise Services E-mail
Server
To develop SOP -'backup process'
A
1. To sign maintenance contract 2. Monthly service
A Email services inaccessible.
A
3
1
3
Hardware monitoring and sign hardware maintenance contract
Power failure
Susceptibility to voltage variations
Email services inaccessible.
A
3
2
6
Maintain Datacenter UPS
Network failure
Lack of network maintenance
Email services inaccessible.
A
3
3
9
Perform regular monitoring and maintenance
Treat Transfer Treat
Hardware monitoring and sign hardware maintenance contract Periodic checks and updates Datacenter UPS Monitor, check and reporting. Perform monthly maintenance
L L L
RISK ASSESSMENT System Development / Implementation
System Maintenance & Support
Program errors(Logic & formula)
Wrong reports produced, Competent programmer
Reports
A
3
2
6
Only authorised persons have access rights. Change request (CR) should be established for any program change.
Treat
1. Data not keyed in on time 2. Program errors (Logic & formula)
End user could not perform daily tasks in an appropriate manner
System errors and not functioning as usual.
A
3
2
6
Change request (CR) should be established for any program change.
Treat
Lack of latest technology update
Reports could not be produced in a timely manner due to delay in posting.
1. User acceptance test (UAT) and training shall be conducted and signed off by user. One of the scopes of project implementation. 2. Unauthorized change to the program (abapers & programmer) 3. Send abapers/programmer to attend training
M
L
Consultation Service
Business Application (IT Services New Request)
Integration Service
Hardware • Software • System interfaces • Data and information • People • System mission
System or program is inaccessible
1. Program errors (Logic & formula) 2. Communication line not stable 3. Data corrupted
Wrong reports produced, Competent programmer
1. Application will not function 2. System will be slow
Rely on Vendor
Lack of support from Vendor
Creating the risk of delivery disruption or failure
1. Web Application Server stops functioning 2. Storage full
1. Patches not up to date 2. Not well monitored
1. Application will not function
Program errors(Logic & formula)
Wrong reports produced, Competent programmer
Impact on Cmp/unit Business Operation
Lack of monitoring by the Server Team
1. Security and control of access to system. 2. Misuse of information
A
3
2
6
Transfer
C,I
3
2
6
1. Monitor by Server Team 2. Replace or repair the file that has been corrupted 3. Re-register DLL 4. Antivirus update
A
3
2
6
Developers need to ensure their software meets the highest standards for quality from vendor
1. Treat 2. Replace 3. Treat 4. Treat
FPSSB will make sure all users who use the system get enough training before they can start using the application.
L
1. Monitor the condition of the server 2. Replace or repair the file that has been corrupted 3. Re-register DLL 4. Monitor antivirus update
M
User acceptance test (UAT) and training shall be conducted and signed off by user. One of the scopes of project implementation.
M
Perform daily health check/monitoring the condition of the server
M
Send Abapers to Abap Training.
M
Always monitor the condition of the servers.
M
3rd Party Outsourcing
Enterprise Content Management
Transfer
A,C,I
5
3
15
1. Monitored by Server Team 2. Monitored by Functional Team
A
5
3
15
System Landscape (Dev, QAS, Prd)
Unable to retrieve latest data from SAP/RML
C,I
5
3
15
Restart service ASAP when connectivity is restored
Unauthorized personnel misuse the confidential information
Security access control (authorization)
C,I
5
3
15
Authorization matrix
Threat
To strengthen authorization
M
1. Network failure 2. Databases corrupted 3. EIS Server failure
Lack of monitoring by the Network/Server Team
Impact on daily business operation and company's profit.
A,C,I
5
3
15
1. Monitored by server team 2. Restart server 3. System monitoring by BA team 4. Train and expose new staff
Threat
To suggest the best method of communication line
M
IIS stop functioning
Lack of monitoring by the Server Team
Application will not function.
C, I
5
3
15
Only Server Team are able to direct access & look into the server.
Always monitor the condition of the servers.
M
1. IIS stops functioning 2. Data corrupted 3. DLL library not functioning well 4. Virus
1. Not well monitored 2. Program not stopped properly (while a process is still running) 3. Related to the OS 4. Antivirus not up to date or not functioning
1. Application will not function 2. System will be slow
1. Monitor the condition of the server 2. Replace or repair the file that has been corrupted 3. Re-register DLL 4. Monitor antivirus update
M
1. Web Application Server stops functioning 2. Scanner problem 3. Storage full
1. Patches not up to date 2. Not well monitored
1. Application will not function
Perform daily health check/monitoring the condition of the server
M
Rely on Vendor
Lack of support from Vendor
To choose preferred vendor by technical evaluation.
L
Rely on Vendor
Lack of support from Vendor
Wrong transport. Wrong configuration.
Left out transport number. New staff doing config. Staff left out some steps to config.
SAP ECC 6.0/ SAP Customized – Enhancement Management
Misconception
SAP ECC 6.0/ SAP Customized – Program Change Management
Misconception
ABAP
Treat
Threat
Plantation Applications Lost connectivity to SAP/AS400 servers Weighbridge & Mill Applications
Enterprise Transport Management
Website & Portal Business Application (Existing Application System)
Server /Internet Service down, Hardware Technology Integration Solution (TIS) • Software • System interfaces • Data and information • People • System mission
Transfer
Transfer
C,I
5
3
15
1. Monitor by Server Team 2. Replace or repair the file that has been corrupted 3. Re-register DLL 4. Antivirus update
C,I
5
3
15
1. Monitored by Server Team 2. Monitored by Functional Team
Creating the risk of delivery disruption or failure
A
3
3
9
Developers need to ensure their software meets the highest standards for quality from vendor
Transfer
Creating the risk of delivery disruption or failure
A
3
3
9
Developers need to ensure their software meets the highest standards for quality from vendor
Transfer
If configuration is wrongly transported or done, PRD might have problems, especially when it involves daily routines like printing invoices, cheques, delivery process, etc.
A,C,I
3
1
3
Testing in QAS before transport to PRD.
Treat
Requirements from user are not clearly configured and analysed.
If requirements from the user are not clear and the functional team misconceives the user's demand, the enhancement is not accepted by the user even though confirmation with the user has been done.
A,C,I
4
4
16
User acceptance testing.
Treat
Meeting user to gather the requirement clearly and get the user confirmation on the user request.
M
Requirements from user are not clearly configured and analysed.
If requirements from the user are not clear and the functional team misconceives the user's demand, the enhancement is not accepted by the user even though confirmation with the user has been done.
A,C,I
4
4
16
User acceptance testing.
Treat
Meeting user to gather the requirement clearly and get the user confirmation on the user request.
M
1. Treat 2.Replace 3.Treat 4.Treat
New Dimension Product (NDP)
Others Applications
3rd Parties Applications
SAP ECC 6.0/ SAP Customized – Configuration Management
ERP Consulting
To choose preferred vendor by technical evaluation. L Re-config or re-transport if there should be any problem. Test again at QAS before transport to PRD.
L
Monitor, check and reporting.
SAP ECC 6.0/ SAP Customized – ESS integration with SAP ECC6 system SAP ECC 6.0/ SAP Customized – MSS integration with SAP ECC6 system
Treat
System not accessible
Server failure, no backup performed regularly
System not accessible.
C,I
5
1
5
Perform regular monitoring and maintenance.
Treat
L Monitor, check and reporting.
SAP PRD SAP QAS SAP DEV ESS, MSS Non SAP Application
System not accessible
Server failure, no backup performed regularly
System not accessible.
Most probably for scheduled jobs that integrate Non-SAP and SAP systems.
Whenever the scheduled job fails to perform, the information and data from the non-SAP system, such as WBS, need to be interfaced manually.
C,I
5
1
5
Perform regular monitoring and maintenance.
Treat
L Monitor, check and reporting.
SAP ECC 6.0/ SAP Customized – Integration between other systems with SAP ECC6.0 (Non-SAP)
Integration system down. System cannot be accessed. Power failure.
Lack of trainer. Trainer not ready for training.
Triggered for crash course training or whenever there are certain periods when staff are on leave.
Staff still not competent to give training, especially to new staff. No staff to provide training, as the number of staff is insufficient to fulfil two services, system support and training.
A,C,I
5
1
5
Perform regular monitoring and maintenance.
Treat
L
Junior trainers need to undergo relevant training to build up competency skills to conduct training.
A
1
1
1
Senior will replace trainer and junior will join the training.
Treat
L
Training
Late creation or double creation.
Data duplicated as data is keyed into SAP without checking first. Missing details to ease the creation. New staff don't know the procedure.
If details of master data are not completely provided, buffer time will increase as there is a need to gather the info from the user and fulfil any other relevant data.
A,C,I
1
1
1
Do verification with user. Confirm all the relevant details.
Treat
Check the master table before creating new master data. Check that all relevant info is sufficient to create the new master data. Make sure every staff member understands and follows the SOP
L
Treat
During peak time the server needs to support the most usage at practical speeds.
M
Create/Maintain Master Data Slow speed at peak time. System support
Administration
Daily routine cannot be carried out eg, print cheque, invoice, delivery process, etc.
Sometimes at peak times(closing) some process is not up to expectation.
A,C,I
5
5
25
Ensure the server runs at maximum availability.
Building ( Computer Lab, Server Room) - Rent
Not enough space for staff/server
Ask to Shift location/ Too many user training at one time (not enough lab)/Staff Growth.
a. Additional rented space. - Technical staff transfer to City 1 rooms, transfer to Anjung
Telephone/Fax
Breakdown of Communication with customer
Telephone and fax system breakdown.
Upgrade Red Tone System
Receptionist/ Telephonist
Unanswered calls (15-25 calls) will affect the company's reputation.
EL / MC & Notice 24 Hours
Standby staff to perform the task
Staff SAP
Improper Job Handover / specialist
1. 24 Hours Notice 2. Senior/certified staff resign
a. Ensure support staff have equivalent knowledge and skill (increase competency). b. Document all activities and projects. c. Work with Prodata's subsidiaries
Management
Job handover/ specialist
24 Hours Notice
Successor plan in place & submitted to FHB
Internal Staff Transfer
Unauthorised access (ID SAP, restricted area)
Confidential document/information might be stolen by unauthorized person
1. Staff to conduct handover of job 2. Fill in HR007 form (Inter Departmental Staff Transfer Form)
Replacement staff.
- Project
HR & Admin
Human Resource
Temporary Access Card
1. The staff (Security) change without the written approval. 2. Admin did not raise request to extend the expired access card.
All
1. Admin shall remind the respective Head of Unit on the expiry of the access card. 2. If necessary, Head of Unit shall fill up HR05 Form to extend the access card.
Documentation
Unauthorised access to documentation
Lack of proper place to store the documents
Documents may not be accessible efficiently.
Documentation
Unable to perform tasks efficiently
Lack of proper documentation and policies in place
New staff may find it difficult to understand and perform the daily operation work.
Administrative
Number of risks by Matrix Number of Risks in High Risk Zone Number of Risks in Moderate Risk Zone Number of Risks in Low Risk Zone Total Number of Risks
Personnel
Human errors
Lack of training or incompetent staff
Insufficient training / knowledge / experiences in managing the tasks.
Personnel
Operation degraded
High-rate of turn-over
Unable to provide excellent services.
Number of risks by Matrix: High Risk Zone 12, Moderate Risk Zone 39, Low Risk Zone 10, Total 61
Request proper room to store documentation.
A, C, I
3
1
3
Regular updates of documents and knowledge base
Treat
A
3
1
3
Regular update SOP
Treat
Centralize and integrate SOP into online knowledge base with backup.
Treat
Email on an ad hoc basis whenever an issue and its possible solution are discovered. Update internal knowledge base.
A, C, I
4
2
8
Knowledge sharing whenever an issue is discovered
A
4
4
16
Existing team member to take over the job until the new replacement is in place
Transfer
Discussion with HR for Staff Retention Program
L L L M
RISK ASSESSMENT
MOHAMMAD ZAMRIL ISMAIL IT GOVERNANCE
ALI MUSTAFA GENERAL MANAGER
1 Mar 2013
1 Mar 2013
Service Risk Owner
Service System Development / Implementation
System Maintenance & Support Consultation Service
Business Application (IT Services New Request)
Integration Service
3rd Party Outsourcing
Enterprise Content Management
ABAP Plantation Applications
Weighbridge & Mill Applications
Enterprise Transport Management
Website & Portal Business Application (Existing Application System)
Technology Integration Solution (TIS)
Business Application (Existing Application System)
New Dimension Product (NDP)
Others Applications
3rd Parties Applications
Service Component
Threats
Program errors(Logic & formula)
1. Data not keyed in on time 2. Program errors (Logic & formula)
Lack of latest technology update Hardware • Software • System interfaces • Data and information • People • System mission
1. Program errors (Logic & formula) 2. Communication line not stable 3. Data corrupted
Rely on Vendor
1. Web Application Server stops functioning 2. Storage full
Program errors(Logic & formula)
Lost connectivity to SAP/AS400 servers
1. Security and control of access to system. 2. Misuse of information 1. Network failure 2. Databases corrupted 3. EIS Server failure Server / Internet Service down, Hardware • Software • System interfaces • Data and information • People • System mission
IIS stops functioning 1. IIS stops functioning 2. Data corrupted 3. DLL library not functioning well 4. Virus
• Software • System interfaces • Data and information • People • System mission 1. Web Application Server stops functioning 2. Scanner problem 3. Storage full
Rely on Vendor
Rely on Vendor
Risk Register Vulnerabilities
Risk Description
Wrong reports produced, Competent programmer
Reports
End user could not perform daily tasks in an appropriate manner
System errors and not functioning as usual.
Reports could not be produced in a timely manner due to delay in posting.
System or program is inaccessible
Wrong reports produced, Competent programmer
1. Application will not function 2. System will be slow
Lack of support from Vendor
Creating the risk of delivery disruption or failure
1. Patches not up to date 2. Not well monitored
1. Application will not function
Wrong reports produced, Competent programmer
Impact on Cmp/unit Business Operation
Lack of monitoring by the Server Team
Unable to retrieve latest data from SAP/RML
Unauthorized personnel misuse the confidential information
Security access control (authorization)
Lack of monitoring by the Network/Server Team
Impact on daily business operation and company's profit.
Lack of monitoring by the Server Team
Application will not function.
1. Not well monitored 2. Program not stopped properly (while a process is still running) 3. Related to the OS 4. Antivirus not up to date or not functioning
1. Application will not function 2. System will be slow
1. Patches not up to date 2. Not well monitored
1. Application will not function
Lack of support from Vendor
Creating the risk of delivery disruption or failure
Lack of support from Vendor
Creating the risk of delivery disruption or failure
Risk Register (A=Availability, C=Confidentiality, I=Integrity)
Impact / Severity (Score 1-5)
Probability/ Likelihood (Score 1-5)
Result of Risk (Total Score)
A
3
2
6
A
3
2
6
A
3
2
6
C,I
3
2
6
A
3
2
6
A,C,I
5
3
15
A
5
3
15
C,I
5
3
15
C,I
5
3
15
A,C,I
5
3
15
C, I
5
3
15
C,I
5
3
15
C,I
5
3
15
A
3
3
9
A
3
3
9
Risk Treatment Plan Risk ID
Current Control
Risk Treatment
Only authorised persons have access rights. Change request (CR) should be established for any program change.
Treat
Change request (CR) should be established for any program change.
Treat
Transfer
1. Monitor by Server Team 2. Replace or repair the file that has been corrupted 3. Re-register DLL 4. Antivirus update
Developers need to ensure their software meets the highest standards for quality from vendor
1. Treat 2. Replace 3. Treat 4. Treat
Transfer
1. Monitored by Server Team 2. Monitored by Functional Team
Treat
System Landscape (Dev, QAS, Prd)
Restart service ASAP when connectivity is restored
Threat
Transfer
Authorization matrix
Threat
1. Monitored by server team 2. Restart server 3. System monitoring by BA team 4. Train and expose new staff
Threat
Only Server Team are able to directly access & look into the server. 1. Monitor by Server Team 2. Replace or repair the file that has been corrupted 3. Re-register DLL 4. Antivirus update
Transfer 1. Treat 2. Replace 3. Treat 4. Treat
1. Monitored by Server Team 2. Monitored by Functional Team
Treat
Developers need to ensure their software meets the highest standards for quality from vendor
Transfer
Developers need to ensure their software meets the highest standards for quality from vendor
Transfer
Risk Treatment Plan: Controls to be implemented
1. User acceptance test (UAT) and training shall be conducted and signed off by user. One of the scopes of project implementation. 2. Unauthorized change to the program (abapers & programmer) 3. Send abapers/programmer to attend training
Target Risk Level
M
FPSSB will make sure all users who use the system get enough training before they can start using the application.
1. Monitor the condition of the server 2. Replace or repair the file that has been corrupted 3. Re-register DLL 4. Monitor antivirus update
M
User acceptance test (UAT) and training shall be conducted and signed off by user. One of the scopes of project implementation.
M
Perform daily health check/monitoring the condition of the server
L
Send Abapers to Abap Training.
M
Always monitor the condition of the servers.
M
To strengthen authorization
L
To suggest the best method of communication line
L
Always monitor the condition of the servers.
M
1. Monitor the condition of the server 2. Replace or repair the file that has been corrupted 3. Re-register DLL 4. Monitor antivirus update
M
Perform daily health check/monitoring the condition of the server
L
To choose preferred vendor by technical evaluation.
L
To choose preferred vendor by technical evaluation.
L
Service Risk Owner
Service SAP ECC 6.0/ SAP Customized – Configuration Management
SAP ECC 6.0/ SAP Customized – Enhancement Management
SAP ECC 6.0/ SAP Customized – Program Change Management
SAP ECC 6.0/ SAP Customized – ESS integration with SAP ECC6 system
ERP Consulting
SAP ECC 6.0/ SAP Customized – MSS integration with SAP ECC6 system SAP ECC 6.0/ SAP Customized – Integration between other systems with SAP ECC6.0 (Non-SAP)
Training
Create/Maintain Master Data
System support
Service Component
Threats
Wrong transport. Wrong configuration.
Misconception
Misconception
System not accessible
SAP PRD SAP QAS SAP DEV ESS, MSS Non SAP Application
System not accessible
Integration system down. System cannot be accessed. Power failure.
Lack of trainer. Trainer not ready for training.
Late creation or double creation.
Slow speed at peak time.
Risk Register Vulnerabilities
Risk Description
Left out transport number. New staff doing config. Staff left out some steps to config.
If configuration is wrongly transported or done, PRD might have problems, especially when it involves daily routines like printing invoices, cheques, delivery process, etc.
Requirements from user are not clearly configured and analysed.
If requirements from the user are not clear and the functional team misconceives the user's demand, the enhancement is not accepted by the user even though confirmation with the user has been done.
Requirements from user are not clearly configured and analysed.
If requirements from the user are not clear and the functional team misconceives the user's demand, the enhancement is not accepted by the user even though confirmation with the user has been done.
Server failure, no backup performed regularly
System not accessible.
Server failure, no backup performed regularly
System not accessible.
Most probably for scheduled jobs that integrate Non-SAP and SAP systems.
Whenever the scheduled job fails to perform, the information and data from the non-SAP system, such as WBS, need to be interfaced manually.
Triggered for crash course training or whenever there are certain periods when staff are on leave.
Staff still not competent to give training, especially to new staff. No staff to provide training, as the number of staff is insufficient to fulfil two services, system support and training.
Data duplicated as data is keyed into SAP without checking first. Missing details to ease the creation. New staff don't know the procedure.
If details of master data are not completely provided, buffer time will increase as there is a need to gather the info from the user and fulfil any other relevant data.
Daily routine cannot be carried out eg, print cheque, invoice, delivery process, etc.
Sometimes at peak times(closing) some process is not up to expectation.
Risk Register (A=Availability, C=Confidentiality, I=Integrity)
A,C,I
A,C,I
A,C,I
C,I
C,I
A,C,I
A
A,C,I
A,C,I
Impact / Severity (Score 1-5)
Probability/ Likelihood (Score 1-5)
Result of Risk (Total Score)
Risk Treatment Plan Risk ID
Current Control
Risk Treatment
Testing in QAS before transport to PRD.
Treat
User acceptance testing.
Treat
User acceptance testing.
Treat
Perform regular monitoring and maintenance.
Treat
Perform regular monitoring and maintenance.
Treat
Perform regular monitoring and maintenance.
Treat
Senior will replace trainer and junior will join the training.
Treat
Do verification with the user. Confirm all the relevant details.
Treat
Ensure the server runs at maximum availability.
Treat
Risk Treatment Plan
Controls to be implemented
Re-configure or re-transport if there should be any problem. Test again at QAS before transport to PRD.
Target Risk Level
L
Meet the user to gather the requirement clearly and get the user's confirmation on the request.
L
Meet the user to gather the requirement clearly and get the user's confirmation on the request.
L
Monitor, check and reporting.
L
Monitor, check and reporting.
L
Monitor, check and reporting.
L
Junior trainers need to undergo relevant training to build up the competency to conduct training.
L
Check the master table before creating new master data. Check that all relevant information is sufficient to create the new master data. Make sure every staff member understands and follows the SOP.
L
During peak time the server needs to support maximum usage at practical speeds.
L
Service Risk Owner
Service
Rental Service
Managed Enterprise Services
E-mail
Service Service Component
Threats
Loss of data due to hardware failure
PC, Notebook, Server
Uncontrolled virus attack / intrusion
Server
Hardware failure
Power failure
Network failure
Software
Spam
Software
Unauthorized access
Software
E-mail missing
Software
Phishing
Software (Webmail)
Apache and Dovecot not running
Risk Register Vulnerabilities
Risk Description
a) Not properly shut down
b) Old Hardware
Lack of maintenance
Lack of patch updates
PC, Notebook or Server compromised by viruses or spammers, which may affect other PCs, Notebooks or servers within the VLAN
Email services inaccessible. Susceptibility to voltage variations
Email services inaccessible.
Lack of network maintenance
Email services inaccessible.
Published email address
Email addresses harvested by spammer.
Lack of patch updates and poor password management
Email server is compromised.
Misconfiguration
Important emails are lost.
Lack of server maintenance and user awareness
Email accounts are compromised and server being black listed by external mail servers.
Lack of monitoring mechanism
Webmail service is inaccessible.
Risk Register (A=Availability, C=Confidentiality, I=Integrity)
C, A
A
A
A
A
C
C
A
C, I
A
Impact / Severity (Score 1-5)
Probability/ Likelihood (Score 1-5)
Result of Risk (Total Score)
Risk Treatment Plan Risk ID
Current Control
Risk Treatment
Perform preventive maintenance
Treat
Perform preventive maintenance
Treat
Perform regular maintenance
Treat
Regular check by FES
Transfer
Perform regular monitoring and maintenance
Treat
Perform regular maintenance
Treat
Perform regular monitoring and maintenance
Treat
Perform regular monitoring and maintenance
Treat
Perform regular monitoring
Treat
Inform end user regularly
Treat
Risk Treatment Plan
Controls to be implemented
a) Propose file server for data backup (PC, Notebook) b) Establish Data Recovery Center (DRC) for non-SAP c) Execute preventive maintenance
Target Risk Level
L
a) Update the main antivirus with the latest virus pattern. b) Conduct awareness sessions for users regarding virus threats and prevention; scan thumb drives before opening files. c) Configure individual PCs and notebooks for scheduled scanning.
L
Monitor, check and reporting. Perform quarterly maintenance
L
Periodic checks and updates by FES
Monitor, check and reporting. Perform monthly maintenance
L
L
Monitor, check and reporting. Perform quarterly maintenance.
M
Monitor, check and reporting. Perform daily maintenance
M
Monitor, check and reporting. Perform daily maintenance
L
Monitor, check and reporting. Perform daily maintenance.
M
Mass mail to end user once in a month.
L
Service Risk Owner
Service
Network
Managed IPVPN Managed VSAT
Managed CCTV surveillance Managed Communication & Data Security
Managed Door Access Security System
Managed LAN
Managed LAN
Service Service Component
Threats
Hardware (Network Equipment / Servers)
Hardware failure
Hardware (Network Equipment / Servers)
Hardware failure
Hardware (UPS)
Battery dry out
Hardware (Structured Cabling)
Water leakage and pests attack
Network Administrator
System hacked
Software
Unauthorized access
Router, ISDN Backup
IPVPN/IPVPN Value Failure
IDU, ODU, Router, Modem
VSAT Failure
Hardware a) Storage Server b) Camera
Storage server down and camera faulty.
Network
Network failure
Electricity
Power failures.
Hardware a) Server b) Controller c) Card reader
Malfunction Controller or Card reader.
Network
Network down.
Electricity
Power failures.
Core Switch, Access Switch
Core switch failure
Core Switch, Access Switch
Unauthorized access
Risk Register Vulnerabilities
Risk Description
Lack of maintenance
Network services are inaccessible.
Susceptibility to voltage variations
Network services are inaccessible.
Lack of maintenance
Network services are inaccessible when there is no electricity.
Lack of periodic building maintenance and pest control
Network is intermittent or inaccessible.
Lack of competence in monitoring day-to-day network activities and the security of the systems
Poses a security threat
Lack of maintenance and poor password management
Network services are inaccessible.
Lack of maintenance
Network services are inaccessible.
Lack of maintenance
Network services are inaccessible
Lack of maintenance
CCTV unable to operate
Lack of network maintenance
CCTV unable to operate
Susceptibility to voltage variations
CCTV unable to operate
Lack of maintenance
Failed delivery of attendance data to the server (TMS and SAP) due to malfunction of the Controller or Card reader
Lack of network maintenance
Data stuck or pending at the controller and not transferred to the server, so the data is not updated with the latest records and no access report is available.
Susceptibility to voltage variations
System will fail to function (i.e. door not secure) after battery backup runs out
Lack of network maintenance
Network services are inaccessible
Misconfiguration
System being hacked and information stolen by hackers
Risk Register (A=Availability, C=Confidentiality, I=Integrity)
A
A
A
A
C, I, A
A
A
A
A
A
A
C, A
C, A
C, A
A
Impact / Severity (Score 1-5)
Probability/ Likelihood (Score 1-5)
Result of Risk (Total Score)
C, I, A
Risk Treatment Plan Risk ID
Current Control
Perform regular maintenance
Risk Treatment
Transfer
Regular check by Network Team / OSS
Treat
Perform regular maintenance
Treat
Regular check by FES
Transfer
Perform regular maintenance
Treat
Perform regular maintenance
Treat
Perform regular maintenance
Transfer
Perform regular maintenance
Treat
Regular check by Network Team
Treat
Regular check by FES
Treat
Perform preventive maintenance
Treat
Regular check by Network Team
Treat
Regular check by Network Team / FES
Treat
Regular check by Network Team
Treat
Regular check by Network Team
Treat
Risk Treatment Plan
Controls to be implemented
Continuous monitor, check and reporting. Engage vendors for maintenance
Periodic checks and updates by Network Team / OSS
Monitor, check and reporting. Introduce IP-based UPS system
Periodic updates by FES.
Manager alerts, evaluates and verifies new software updates. a) Not guaranteed - based on best effort
Target Risk Level
L
L
L
L
L
L
a) Sign up SLA with Telekom (Max 2 days resolution) b) NMS software to monitor
L
a) Monitoring and maintenance checking on a daily, monthly and yearly basis to ensure sustained operation. b) Troubleshoot server c) Preventive maintenance (SLA) d) Disaster recovery e) Check network availability & performance f) Reset camera's power & network cable g) Repair or change camera
Check network availability & performance
Back-up power must be on standby
a) Preventive maintenance (twice a year) to make sure all hardware and software are in good condition b) Repair or change controller or controller's power & network cable c) Reset or change card reader
L
L
L
L
a) Check network availability & performance b) Check and reset communication converter c) Change communication converter (faulty)
L
Back-up power must be on standby
L
a) Sign maintenance agreement with vendors b) Use Network Management System (NMS) software to monitor daily activity
L
a) Implement Intrusion Prevention System (IPS) b) System penetration test
M