Information Security Management System MS ISO 27001: ISMS for the Public Sector

CONTENTS
1. Background
2. ISMS
3. PDCA Model and the ISMS Process
4. Risk Assessment

BACKGROUND: NATIONAL CRITICAL INFORMATION INFRASTRUCTURE
[Diagram: critical sectors and their lead agencies. Sectors shown: Government Services; Emergency Services; Health Services; Defence & Security; Information & Communication; Transport; Banking & Finance. Agencies shown: Majlis Keselamatan Negara; Kementerian Perdagangan Dalam Negeri, Koperasi & Kepenggunaan; Kementerian Perusahaan Perladangan & Komoditi; Unit Pemodenan Tadbiran dan Perancangan Pengurusan Malaysia (MAMPU), JPM; Kementerian Kesihatan; Lembaga Perlesenan Tenaga Atom; Kementerian Pertahanan; Kementerian Dalam Negeri; Kementerian Penerangan, Komunikasi dan Kebudayaan; Kementerian Sains, Teknologi & Inovasi; Suruhanjaya Komunikasi dan Multimedia Malaysia; Kementerian Pengangkutan; Kementerian Kewangan; Bank Negara Malaysia; Suruhanjaya Sekuriti.]

WORLD ISMS CERTIFICATION STATISTICS
• Malaysia ranks 13th
   Rank  Country          Certificates
    1.   Japan                  4,152
    2.   UK                       573
    3.   India                    546
    4.   Taiwan                   461
    5.   China                    393
    6.   Germany                  228
    7.   Czech Republic           112
    8.   Korea                    107
    9.   USA                      105
   10.   Italy                     82
   11.   Spain                     72
   12.   Hungary                   71
   13.   Malaysia                  66
• Source: www.iso27001certificates.com, August 2012

INFORMATION SECURITY
• C: Confidentiality (Kerahsiaan). Information in any form, including electronic, must not be disclosed or accessed without authorization.
• I: Integrity (Integriti). Information may only be modified with authorization.
• A: Availability (Kebolehsediaan). Information can be accessed at any time it is required.
Source: Pekeliling Am 3/2000 (General Circular No. 3 of 2000), Government ICT Policy Framework

INTRODUCTION TO ISMS / ISO 27001
What is an ISMS?
Information Security Management System (ISMS):
• Provides a specification for establishing, implementing, monitoring, reviewing, maintaining and improving information security
• Provides the controls for protecting the security of information assets
Menyemarak Transformasi, Mempersada Kegemilangan

[Diagram: the ISMS draws on ISO 27001:2007 (ISMS requirements), ISO 27002 (ISMS controls), regulatory requirements, and technical good practice and other standards.]

STRUCTURE OF ISO 27001:2007
Section 1: Describes the generic requirements
Section 2: Specifies the documents to be referenced
Section 3: Definitions used in the ISMS / ISO 27001
Section 4: The ISMS process (PDCA model)
Section 5: Management responsibility
Section 6: Conducting internal ISMS audits
Section 7: Reviewing the ISMS
Section 8: ISMS improvement
Basis for ISMS / ISO 27001:2007 certification

ISMS PROCESS
• Understand the information security requirements and formulate the information security policy and objectives
• Implement controls to manage information security risks in the context of the organization's service delivery risks
• Monitor and evaluate the effectiveness of the ISMS
• Continually improve the ISMS

INFORMATION SECURITY REQUIREMENTS
[PDCA cycle, driven by Section 5: Management Responsibility]
PLAN:  • Establish the ISMS (Section 4.2.1)
DO:    • Implement the ISMS (Section 4.2.2)
CHECK: • Monitor the ISMS (Section 4.2.3)  • Conduct internal ISMS audits (Section 6)  • Review the ISMS (Section 7)
ACT:   • Maintain the ISMS (Section 4.2.4)  • Continually improve the ISMS (Section 8)
Section 4.3: Documentation requirements

PLAN: 4.2.1 Establish the ISMS
• Define the ISMS scope
• Define the ISMS policy
• Define the risk assessment methodology and the risk acceptance criteria
• Identify the risks
• Analyse the risks
• Identify and evaluate the options for treating the risks
• Select controls from ISO 27002
• Management: approve the residual risks and authorize implementation and operation of the ISMS
• Prepare the Statement of Applicability (SoA)

DO: 4.2.2 Implement the ISMS
• Implement the ISMS roadmap
• Controls
• Awareness and training
• CERT

CHECK: 4.2.3 Monitor and Review the ISMS
• Enforce the monitoring and review procedures
• Review the risk assessment and the level of residual risk
• Update the security plan
• Measure the effectiveness of the controls
• Review the effectiveness of the ISMS on the defined schedule
• Internal ISMS audit (Section 6)
• Management review (Section 7)

ACT: 4.2.4 Maintain and Improve the ISMS (Section 8)
• Implement the identified improvements
• Take corrective and preventive action
• Ensure the improvements achieve their objectives
• Communicate the findings

4.3 DOCUMENTATION REQUIREMENTS
1. ISMS policy
2. ISMS scope
3. Procedures and controls
4. Description of the risk assessment methodology
5. Risk assessment report
6. Risk Treatment Plan
7. Documented procedures (established, documented, implemented and maintained), including:
   a. Effective planning, operation and control of information security processes
   b. Measurement of ISMS control effectiveness
   c. Document control
   d. Record control
   e. Internal audit
   f. Corrective action
   g. Preventive action
8. Records (including records of management decisions)
9. Statement of Applicability

IMPLEMENTATION ROADMAP
• Assign responsibilities
• Identify the scope
• ISMS policy
• Risk assessment
• Risk treatment (RTP)
• Implement information security: implement controls, BCM, awareness and training, CERT
• Monitor, review and maintain
• Continual improvement
[Diagram: Fast Track and Normal Track routes to ISMS certification]

IDENTIFY THE ISMS SCOPE
The scope covers the following:
• The organization's services
• Organization
• Location
• Assets
• Technology
• Description of exclusions from the ISMS scope

EXAMPLE ISMS SCOPE
• Information Security Management System for the operational management of the KKM Data Centre, Putrajaya.
• Information Security Management System for the management of the Public Sector Data Centre located at Level G, MAMPU Cyberjaya.
Example ISMS Governance Structure
[Organization chart; not reproduced in the extracted text.]

RISK ASSESSMENT
Security requirements: Confidentiality, Integrity, Availability, Non-repudiation
• Confidentiality. Objective: protection against unauthorized users taking notice of data (information confidentiality).
• Integrity. Objective: protection against manipulation (authenticity, copyright, validity).
• Availability. Objective: access to systems and data for authorized users when needed (availability of information and services).
• Non-repudiation. Objective: certainty regarding the author (accountability, authenticity, reliability).

Risk Assessment
• Based on a defined methodology
• Uses a proprietary approach to identifying and calculating risks
• Consists of several steps
• Sequential

4.2.1 c) DEFINE THE RISK ASSESSMENT APPROACH
MS ISO/IEC 27001 Information Security Management System does NOT prescribe a specific methodology. The chosen methodology must meet the following requirements:
1. Evaluate risk based on the levels of C, I and A
2. Set objectives to reduce risk to an acceptable level
3. Determine the criteria for accepting risk
4. Evaluate the risk treatment options
References: MS ISO/IEC 27005:2008 Information Security Risk Management; Surat Pekeliling Am Bil. 6 Tahun 2005: Garis Panduan Penilaian Risiko Keselamatan Maklumat Sektor Awam (General Circular Letter No. 6 of 2005: Public Sector Information Security Risk Assessment Guidelines)

Risk Assessment Process Diagram
[Flow of Steps 1 to 10; the steps are described below.]

Risk Assessment Process (1)
Step 1: Establishment of Team. Creates the basic component of a risk assessment exercise. Team members who possess extensive knowledge of the organization are identified. Lastly, the schedule and logistics are established to ensure the smooth running of the whole exercise.
Step 2: Establishment of Review Boundary. Determines the scope of the risk assessment process. The final scope is submitted to senior management. Once it has been approved, the assessment team collects all the relevant materials and information.
Risk Assessment Process (2)
Step 3: Identification of Assets. Identifies all the assets that fall within the risk assessment boundary.
Step 4: Valuation of Assets and Establishment of Dependencies Between Assets. Assigns semi-quantitative values to the assets and determines the dependencies between them.

Risk Assessment Process (3)
Step 5: Assessment of Threat. Determines the types of threats associated with the assets, and their relative levels.
Step 6: Assessment of Vulnerability. Identifies all potential vulnerabilities that may be exploited by threats, and rates the relative vulnerability exposure levels.
Step 7: Identification of Existing & Planned Safeguards. Identifies all types of existing and planned safeguards that have been or will be deployed to protect the assets.

Risk Assessment Process (4)
Step 8: Analysis of Impact. Quantifies the business impact for each asset, calculated from the asset's value and the business loss.
Step 9: Analysis of Likelihood. Ascertains the likelihood that the threats and vulnerabilities will materialize, with or without safeguard(s) in place.
Step 10: Calculation of Risk. Calculates the risk level for each asset from the impact value and the likelihood result.

ISMS (Clause 4.2.1 Plan)
4.2.1 d) IDENTIFY THE RISKS
1. Identify the critical assets within the scope, and their owners
2. Identify the vulnerabilities that might exist for each asset (V)
3. Consider threats, and identify those that could arise from the vulnerabilities (T); threats and vulnerabilities are recorded in pairs
4. Identify the impact that loss of C, I or A may have on the assets

Example risk register entry (identification):
  Asset:          User e-mail information (Maklumat Emel Pengguna)
  Owner:          Chief Information Officer (Ketua Pegawai Maklumat, CIO)
  Location:       E-mail server
  Value (C,I,A):  C = Low, I = High, A = Medium
  Business loss:  Medium: could be expected to have a serious effect on the organization
  Vuln / Threat:  V: Lack of backup procedure; T: Corruption of data

4.2.1 e) and f) ANALYSE THE RISKS
1. Assess the business impact of a security failure
2. Assess the likelihood of a security failure, taking into account the controls implemented
3. Estimate the level of risk
4. Determine whether the risk is acceptable or requires treatment (accept, reduce, etc.)

Example risk register entry (analysis), continuing the e-mail example:
  Asset:          User e-mail information
  Owner:          Ketua Pegawai Maklumat, CIO
  Location:       E-mail server
  Value (C,I,A):  C = Low, I = High, A = Medium; asset value = High
  Business loss:  Medium: could be expected to have a serious effect on the organization
  Risk (V/T):     V: Lack of backup procedure; T: Corruption of data
  Impact (value, business loss):        Medium
  Likelihood (risk, controls in place): corruption of data occurs; backup only = Medium
  Level of risk (impact, likelihood):   [Impact: Medium, Likelihood: Medium] = Medium
  Decision:       Reduce

4.2.1 g) SELECT CONTROLS FOR THE TREATMENT OF RISKS
1. Controls from Annex A
2. Additional controls may also be selected

Example risk register entry (treatment): the same row as above, with a Control column added:
  Control:        A.10.5.1 Information backup

4.2.1 h) APPROVAL OF THE RESIDUAL RISK
Residual risk
1. Example: control A.10.5.1 Information back-up has been implemented
2. Residual risk: "Abuse of Rights" still exists, because there is no expertise, or there are personnel constraints, to monitor user and administrator audit trails
3. Request management's consideration of accepting the "Abuse of Rights" risk against the identified acceptance criteria: limited training allocation, with a training request planned for June 2013

4.2.1 i) AUTHORIZATION TO IMPLEMENT THE ISMS
1. Minutes of the ISMS Steering Committee / ISMS Working Committee (or equivalent) endorsing implementation of the ISMS

4.2.1 j) PREPARE A STATEMENT OF APPLICABILITY (SoA)
Example SoA:
  Control    Applicable (Yes/No)   Implemented (Yes/No)   Reason / Justification
  A.10.5.1   Yes                   Yes                    To reduce corruption of data. Procedure: Backup/Restore

Critical Success Factors (1)
• Commitment from top management
• Cooperation from all parties involved in sharing information and in contributing to accurate analysis and decisions
• A realistic, clearly specified scope for the entire exercise, communicated to management for its approval
• Accurate and precise definitions of the identified threats and of the vulnerability ratings

S1 – Establishment of Team
Goals
1. To obtain dedicated team members
2. To assign tasks to all team members with associated roles and responsibilities
Tasks
1. Identify the assessment team members
2. Draw up the Tasking Schedule List
• Output
1. Team Member List
2. Tasking Schedule List

Identify Team Members
• Possess sufficient skills and experience in the organization's ICT infrastructure
• Consist of 2-4 dedicated team members from the ICT department and the business/operational unit
• Representatives from both management and operational level are needed to ensure the success of the RA activities

RA Team Organization Chart
Project Advisor > Project Manager > Team Leader(s) > Team Members

Roles & Responsibilities
Project Advisor: works with the RA Team. Responsibilities:
• Ensure the required process(es) and procedure(s) are followed.
• Resolve any RA exercise issues.
• Conduct final evaluations, reviews and authorization of all output and documents before they are presented to Senior Management.
Reports to: no one.

Project Manager. Responsibilities:
• Manage the exercise as a whole on a daily basis.
• Ensure timely completion of the exercise.
• Work closely with the team leader and team members.
• Conduct reviews of all output and documents before they are presented to the Project Advisor.
Reports to: Project Advisor.

Team Leader(s). Responsibilities:
• Regularly ascertain the scope of work.
• Evaluate results, assess gaps and provide feedback.
• Perform all tasks defined under each step.
Report(s) to: Project Manager.

Team Member(s). Responsibilities:
• Perform all tasks defined under each step.
Report(s) to: Team Leader(s).

Draw up the Tasking Schedule List
• Logistics: all team members are aware of the time allocated to specific tasks
• Using a Gantt chart is highly recommended
• Activities are recorded per RA step: task, personnel involved, job function, duration, output

Output (S1)
• Team Member List; columns: Name | Job Function | Sect/Unit/Dept/Div/Vendor | Notes
• Tasking Schedule List; columns: RA Step | Task (from main step) | Personnel Involved | Job Function | Duration | Output

S2 – Establishment of Review Boundary
Goals
1. To identify the appropriate review boundary
2. To get consensus and approval from senior management on the agreed review boundary
Tasks
1. Identify the scope of the risk assessment
2. Obtain approval from management
3. Gather information related to the review boundary
4. Revisit Step 1 as necessary
• Output
1. Review Boundary Statement
2. List of Related Materials Used
3. List of Questionnaires with Findings

Identify the Scope of the Risk Assessment
• Gather basic information regarding the key business processes
• Review and study them closely
• Information gathering: discussions, interviews, meetings
• Documented and presented to Senior Management

Identify the Scope of the Risk Assessment
The review boundary may be scoped:
• By assets
• By business processes or functions
• By departments
• By business process/function, in line with ISO 27001

Obtain Approval from Management
• Endorsement by management
• Management is aware of, and committed to, the established review boundary

Gather Information Related to the Review Boundary
• Using questionnaires, meant for: management; the operational group
• Assists in analysing the current posture of the infrastructure and information structure within the defined scope
• The questionnaire is used throughout the later steps (Step 3 to Step 9)

Gather Information Related to the Review Boundary
Relevant documentation helps tremendously:
• Network diagram
• Service-level agreements
• Security policies
• Standard operating procedures
• Corporate ICT security statement
• Process flow of the business process
• Manual Panduan Kerja (work procedures manual)

Revisit Step 1 as Necessary
• To ensure the team established is sufficient in number and skill
• Changes can be made in accordance with the review boundary established

Output (S2)
• Review Boundary Statement (SCOPE STATEMENT): key business processes and functions; supporting business processes; external interfaces; personnel; information assets; sites/buildings
• List of Related Materials Used; columns: Name | Description
• List of Questionnaires with Findings; columns: No. | <Topic> Questions | Answers | Remark | By Who

S3 – Identification of Assets
Goals
1. To gather all the assets to be assessed (in relation to the agreed review boundary)
2. To verify the validity of each asset before the assessment begins
Tasks
1. Identify related assets
2. Group and classify assets
3. Identify assets' owners and custodians
4. Verify and validate the findings of the questionnaires
• Output
1. List of Assets
Identify Related Assets
• Use a popular gathering method: brainstorming among RA team members
• Ask questions such as:
  "What are the most important assets in your daily job?"
  "Are there any specific policies to protect the assets?"
  "What will happen if an asset is compromised?"

Group and Classify Assets
Four categories of asset: Hardware; Software; Information or Data; People

Asset Classification and Description
• Hardware: a tangible asset used to support the information-processing and storage facilities of the organization. Examples: computers, servers, communication equipment, safes, etc.
• Software: application software or system software such as operating systems, database systems, networking system software, or office applications that provide information-processing facilities to the organization. Examples: applications, development tools, utilities, etc.
• Information or Data: documented (paper or electronic) information or intellectual information used to meet the missions and/or objectives of the organization. Examples: system documentation, operational procedures, business records, clients' profiles, etc.
• People: persons who have the knowledge and skills to conduct the daily in-scope business functions of agencies in order to achieve business objectives or missions. People assets are listed by their respective job functions rather than as individual personnel. Examples: general managers, software engineers, system administrators, etc.

Identify Assets' Owners and Custodians
• Identify each asset's owner and custodian
• They verify the validity and correctness of the related information gathered

Verify and Validate the Findings of the Questionnaires
• Verify the answers given in S2 (questionnaires)
• Verify and validate to ensure completeness and truthfulness

Output (S3): List of Assets
Columns: No. | Asset Group | Asset ID | Asset Name | Owner/Custodian | Location | Description of Asset

S4 – Valuation of Assets and Establishment of Dependencies between Assets
Goals
1. To establish the dependencies of the assets
2. To assign a quantified value to each identified asset
Tasks
1. Identify dependencies associated with the assets
2. Assign a quantified value to each asset
3. Verify and validate the findings of the questionnaires
• Output
1. Summary of Asset Value and Dependencies

Identify Dependencies Associated with the Assets
• Identify dependency relationships (immediate neighbours)
• Identified and verified by the owners and custodians

Assign a Quantified Value to Each Asset
• Quantified value (CIA): Confidentiality, Integrity, Availability
• Scale: Very Low, Low, Medium, High, Very High

CIA Description (1)
• Confidentiality: the effect on the system and/or the organization that would result from the deliberate, unauthorized or inadvertent disclosure of the asset. Unauthorized disclosure of confidential information can result in loss of public confidence, embarrassment, or legal action against the organization.
• Integrity: the effect on the system and/or the organization that would result from deliberate, unauthorized or inadvertent modification of the asset. If the loss of system or data integrity is not corrected, continued use of the contaminated system or corrupted data could result in inaccuracy, fraud, or erroneous decisions. Also, violation of integrity may be the first step in a successful attack against system availability or confidentiality. For all these reasons, loss of integrity reduces the assurance of a system.

CIA Description (2)
• Availability: the effect on the system and/or the organization that would result from deliberate or accidental denial of the asset's use. If a mission-critical system is unavailable to its end users, the organization's mission may be affected.
  Loss of system functionality and operational effectiveness, for example, may result in loss of productive time, impeding the end users' performance of their functions in support of the organization's mission.

Asset Group with Their Respective CIA
  Asset Group        Confidentiality   Integrity   Availability
  Hardware           √                 √           √
  Software           √                 √           √
  Information/Data   √                 √           √
  People             √                 N/A         √

Value Rating
[Table of value ratings for Hardware, Software, Information/Data and People; the ratings themselves did not survive extraction.]

Verify and Validate the Findings of the Questionnaires
• Questionnaires to be revisited
• To ensure completeness and truthfulness

Output (S4): Summary of Asset Value and Dependencies
Columns: No. | Asset Group | Asset ID | Asset Name | Value (C, I, A) | Asset Value | Asset Depended On | Dependent Asset

S5 – Assessment of Threats
Goals
1. To produce a generic organizational threat profile
2. To identify all relevant threats to assets
Tasks
1. Create a generic threat profile
2. Identify all relevant threats to assets
3. Verify and validate the findings of the questionnaires
• Output
1. Generic Threat Profile
2. Relevant Threats to Assets

Create a Generic Threat Profile
• Specific to the organization
• Based on a simple guideline: threats that have occurred before; threats that may occur if no proactive preventive action is taken

Identify All Relevant Threats to Assets
• Each asset is mapped to its relevant threats; one asset may correspond to various threats
• Initiated by the RA team; verified by owners and custodians

Verify and Validate the Findings of the Questionnaires
• Questionnaires to be revisited
• To ensure completeness and truthfulness

Output (S5)
• Generic Threat Profile; columns: Threat Group | Threat ID | Threat Name | Threat Description
• Relevant Threats to Assets; columns: No. | Asset Group | Asset ID | Asset Name | Threat Group | Threat ID | Threat

S6 – Assessment of Vulnerabilities
Goals
1. To determine the vulnerabilities for each asset
Tasks
1. Identify potential vulnerabilities exploited by threats
2. Verify and validate the findings of the questionnaires
• Output
1. List of Potential Vulnerabilities to Assets

Identify Potential Vulnerabilities Exploited by Threats
• Identify the vulnerabilities related to the identified threat(s)

Verify and Validate the Findings of the Questionnaires
• Questionnaires to be revisited
• To ensure completeness and truthfulness

Output (S6): List of Potential Vulnerabilities to Assets
Columns: No. | Asset Group | Asset ID | Asset Name | Vulnerability Group | Vulnerability ID | Vulnerability Name

S7 – Identification of Existing and Planned Safeguards
Goals
1. To identify all relevant existing and planned safeguards or controls for each asset
Tasks
1. Review the existing and planned safeguards for protecting the assets
• Output
1. Existing and Planned Safeguards

Verify and Validate the Findings of the Questionnaires
• Questionnaires to be revisited
• To ensure completeness and truthfulness

Output (S7): Existing & Planned Safeguards
Columns: No. | Asset Group | Asset ID | Asset Name | Safeguard Category | Safeguard Type | Existing | Planned

S8 – Analysis of Impact
Goals
1. To determine the business loss if an asset were to be compromised
2. To determine the impact level of each compromised asset
Tasks
1. Determine the business loss
2. Determine the impact levels
• Output
1. Impact Level List

Determine the Business Loss (1)
• Replacement value
• Reputation value: hard to assign, and not every asset can be quantified
• The business loss for reputation is decided by the highest decision-making authority among the respective people

Determine the Business Loss (2)
• Consider the asset being: exposed; altered; unavailable
• The RA team assigns the proper value; it is verified by the owner and custodian
• Asset groups Hardware and Software: use a quantitative replacement value

Determine the Business Loss (3)
• The RA team determines the low-end and high-end money spent to acquire and to maintain the asset
• Asset group Information/Data: reputation value; cost of replacing and recovering the compromised information
• Asset group People: qualitative replacement value, considering the knowledge and skills required by the job function

Determine the Impact Levels
• Uses the asset value from S4
• Impact = Asset Value * Business Loss
• An agency may use its own impact level matrix

Verify and Validate the Findings of the Questionnaires
• Questionnaires to be revisited
• To ensure completeness and truthfulness

Output (S8): Impact Level List
Columns: No. | Asset Group | Asset ID | Asset Name | Asset Value | Business Loss | Impact Level

S9 – Analysis of Likelihood
Goals
1. To determine the likelihood values of threats and vulnerabilities, taking into consideration the existing and planned controls
• Output
1. Likelihood List
Tasks
1. Determine the likelihood of threats and vulnerabilities that may happen

Determine the Likelihood of Threats and Vulnerabilities That May Happen (1)
• Uses the results from Step 5 (threats), Step 6 (vulnerabilities) and Step 7 (safeguards)
• Consider the worst-case scenario
• Consider the following attributes: past experience; probability of future occurrence; implementation of safeguards or controls

Determine the Likelihood of Threats and Vulnerabilities That May Happen (2)
Guidelines on assigning the value:
• When more than one level matches the attributes in the column "Explanation & Outcome", choose the level with the most matches
• If two or more levels have the same count of matches, choose the higher level rating

Verify and Validate the Findings of the Questionnaires
• Questionnaires to be revisited
• To ensure completeness and truthfulness

Output (S9): Likelihood List
Columns: No. | Asset Group | Asset ID | Asset Name | Threat ID | Threat Name | Vuln ID | Vuln Name | Safeguard(s) | Likelihood

S10 – Calculation of Risk
Goals
1. To obtain each asset's risk level rating from the risk matrix table
Tasks
1. Calculate the risk level for each asset
• Output
1. Risk Level Rating

Calculate the Risk Level for Each Asset
• Based on the risk matrix table
• Risk = Function (Impact, Likelihood)
• Attributes from: Impact (Step 8); Likelihood (Step 9)

Risk Matrix (rows: Likelihood; columns: Impact)
  Likelihood \ Impact   Very Low   Low   Medium   High   Very High
  Very Low              VL         VL    L        L      M
  Low                   VL         L     M        M      H
  Medium                L          M     M        M      H
  High                  L          M     M        H      VH
  Very High             M          H     H        VH     VH
Legend: VL = Very Low, L = Low, M = Medium, H = High, VH = Very High

Output (S10): Risk Level Rating
Columns: No. | Asset Group | Asset ID | Asset Name | Threat ID | Threat Name | Impact Level | Likelihood | Risk Level

Thank you.
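Worked example, added here and not part of the original slides or of the public-sector RA methodology they describe: it computes the e-mail risk register row from the 4.2.1 d) to g) slides by running Steps 4, 8, 9 and 10 with the Step 10 risk matrix above. The asset-value rule (highest of C, I, A), the impact matrix (the Step 10 matrix reused), the three likelihood attribute ratings and the "Low" acceptance threshold are assumptions, chosen so that the result reproduces the slide's Medium / Reduce outcome.

```python
# Added example, not from the slides; every modelling choice is marked "assumption".

LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]
FULL = {"VL": "Very Low", "L": "Low", "M": "Medium", "H": "High", "VH": "Very High"}

# Risk matrix as printed on the Step 10 slide: rows = Likelihood, columns = Impact,
# both in LEVELS order (the matrix is symmetric, so orientation does not matter).
RISK_MATRIX = [
    ["VL", "VL", "L", "L", "M"],   # Likelihood Very Low
    ["VL", "L", "M", "M", "H"],    # Likelihood Low
    ["L", "M", "M", "M", "H"],     # Likelihood Medium
    ["L", "M", "M", "H", "VH"],    # Likelihood High
    ["M", "H", "H", "VH", "VH"],   # Likelihood Very High
]


def _idx(level):
    """Position on the five-point scale; rejects anything off the scale."""
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level!r}")
    return LEVELS.index(level)


def asset_value(c, i, a):
    """Step 4. Assumption: asset value = highest of C, I, A, which matches the
    slide example (C Low, I High, A Medium -> High). Integrity is N/A (None)
    for People assets and is skipped."""
    return max((lvl for lvl in (c, i, a) if lvl is not None), key=_idx)


def impact_level(value, business_loss):
    """Step 8: Impact = Asset Value * Business Loss. Assumption: the slides leave
    the impact matrix to the agency; reusing the Step 10 matrix reproduces the
    slide example (Value High, Business Loss Medium -> Impact Medium)."""
    return FULL[RISK_MATRIX[_idx(value)][_idx(business_loss)]]


def likelihood_level(attribute_ratings):
    """Step 9: rate each attribute (past experience, probability of future
    occurrence, safeguards in place); take the level with the most matches and
    break ties toward the higher level, per the slide guideline."""
    counts = {lvl: 0 for lvl in LEVELS}
    for lvl in attribute_ratings.values():
        counts[lvl] += 1          # KeyError for a rating off the scale
    best = max(counts.values())
    return max((lvl for lvl in LEVELS if counts[lvl] == best), key=_idx)


def risk_level(impact, likelihood):
    """Step 10: Risk = Function(Impact, Likelihood), read off the matrix."""
    return FULL[RISK_MATRIX[_idx(likelihood)][_idx(impact)]]


def treatment_decision(risk, acceptance_threshold="Low"):
    """4.2.1 f). Assumption: risk at or below the acceptance threshold is
    accepted; anything above is marked "Reduce", as in the slide example."""
    return "Accept" if _idx(risk) <= _idx(acceptance_threshold) else "Reduce"


def assess(asset, c, i, a, business_loss, vuln, threat, attributes, control=None):
    """One row of the 4.2.1 d)-g) risk register."""
    value = asset_value(c, i, a)
    impact = impact_level(value, business_loss)
    likelihood = likelihood_level(attributes)
    risk = risk_level(impact, likelihood)
    return {"asset": asset, "value": value, "business_loss": business_loss,
            "vuln": vuln, "threat": threat, "impact": impact,
            "likelihood": likelihood, "risk_level": risk,
            "decision": treatment_decision(risk), "control": control}


def email_example():
    """The slide's e-mail example; the three attribute ratings are constructed."""
    return assess("User e-mail information", c="Low", i="High", a="Medium",
                  business_loss="Medium", vuln="Lack of backup procedure",
                  threat="Corruption of data",
                  attributes={"past_experience": "Medium",
                              "future_probability": "Medium",
                              "safeguards": "Low"},    # backup only
                  control="A.10.5.1 Information backup")
```

Swapping in an agency's own impact matrix or acceptance threshold changes only `impact_level` and the `acceptance_threshold` default; the register row format and the Step 10 lookup stay as the slides define them.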