Reporte Ejecutivo del Analisis Activos.pdf
8/11/2019 Reporte Ejecutivo del Analisis Activos.pdf
Risk Management
Executive Analysis Report
Project: 01 Proyecto
Code: PRJR13011
Issued: 06/11/2013 7:58:08

The information in this document and any attachments is intended for users of Modulo Risk Manager, a product developed by Modulo Security LLC. If you do not have permission to access this information, know that it is prohibited to read, release, or copy this information. Improper use will be subject to the legislation in effect based on the confidentiality agreements.
The controls in the knowledge bases created by Modulo Security LLC are protected by copyright and ownership laws.
The full or partial unauthorized reproduction of the information in this report shall result in civil and criminal punishments.
Modulo Security LLC, www.modulo.com. Copyright 2013 Modulo Solutions for GRC.
1. INTRODUCTION
This report presents the results of the risk analysis carried out in the 01 Proyecto project. The investigations included the organization's assets and may have used various methods for collecting evidence, such as: automated collectors, documental analyses, interviews, facility inspections, and others.
Some of the main issues addressed in this report include:
1) What are the major threats to the business?
2) What are the risk levels of the non-implemented controls?
3) What are the recommendations to reduce these risks?
4) How can the security actions to be taken be prioritized?
More detailed information and technical recommendations can be found in the Risk Analysis Report and in the Operational Risks Report, which are generated by Modulo Risk Manager, the system designed by Modulo Security LLC based on the GRC Metaframework methodology. This methodology is in compliance with the guidelines provided in the ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005, ISO 31000, and ISO Guide 73 standards. Thus, Modulo Risk Manager provides increased productivity, control, and standardization in activities and helps the organization achieve the desired results.
The following table displays the project data:
Name: 01 Proyecto
Code: PRJR13011
Status: Open (Abierto)
Author / Leader / Substitute Leader: Administrator, usuario1, usuario1
Project Created: 06/04/2013
Analysis Start Date: 06/04/2013
Analysis End Date:
Project Closed:
If the project is open when the report is issued, only partial results will be presented.
1.1 Calculating the PSR
ISO Guide 73 states that risk is expressed as the value of the combination of the score of an event and its consequences. Modulo Risk Manager considers the PSR to calculate the risk, which represents the estimate of these combined factors. These factors are scored on a scale from 1 to 5. The PSR then represents the degree of risk associated with the absence of a control, and is calculated through the following formula:
Risk = Probability x Severity x Relevance
The probability and severity factors are scored during technical analyses, whereas the relevance factor is scored according to the importance of the asset to the organization.
PROBABILITY: This is the probability that vulnerabilities or weaknesses are exploited by one or more threats due to the absence of controls.
SEVERITY: This scores the level of impact on the organization if the risk materializes. This means that if the incident occurs, the severity will score the degree to which the performance, reliability, or quality of the asset will be compromised.
RELEVANCE: This is the degree of importance the asset holds to the organization, which may take into consideration the business components it supports.
1.2 Risk Indices
Awareness of the risks and their assessment is no longer a technical need. It has become a strategy for organizations to meet the requirements set by the market, the government, regulatory agencies, and others.
To provide a risk estimate, Modulo Risk Manager uses the following indices:
PSR: Calculated by summing the PSR scores of the controls. The product of the P, S, and R factors of each control is calculated and the results are then summed. The PSR can be consolidated by asset, asset type, perimeter, control grouping, knowledge base, questionnaire, business component, etc., and may vary between 0 and 100%.
Risk Index: Calculated by dividing the PSR of the non-implemented controls (identified risks) by the PSR of the applicable controls. It's expressed as a percentage and may vary from 0 to 100%.
Security Index: Calculated by dividing the PSR of the implemented controls (avoided risk) by the PSR of the applicable controls, thus complementing the Risk Index. It's also expressed as a percentage and may vary from 0 to 100%.
Control Index: Calculated by dividing the number of implemented controls by the number of applicable controls. It's expressed as a percentage and may vary from 0 to 100%.
Gap Index: Calculated by dividing the number of non-implemented controls by the number of applicable controls, thus complementing the Control Index. It's also expressed as a percentage and may vary from 0 to 100%.
2. SUMMARY
2.1 Gap Analysis (by Number of Controls)
From a list of 329 controls investigated, 99 were considered applicable. From this total, 62 controls were identified as implemented (Control Index (1) of 62,63%) and 37 controls were identified as non-implemented (Gap Index (2) of 37,37%).
Note that the higher the Control Index, the greater the number of controls in accordance with the recommendations in the knowledge bases used in the analysis.
Figure 1 - Number of Controls by Status
2.2 Risk Analysis (by PSR)
Considering the risk with a total PSR (3) of 14209, 4322 were considered applicable. Of this total, 3024 can be considered controlled risks (implemented controls), representing a Security Index (4) of 69,97%. In addition, the 1298 risk related to the non-implemented controls (identified risk) represents a Risk Index (5) of 30,03%.
Note that the higher the Security Index, the lower the risk level in the assets in question.
Figure 2 - PSR Index by Risk Analysis Status
(1) The Control Index is calculated by dividing the number of implemented controls by the number of applicable controls.
(2) The Gap Index is calculated by dividing the number of non-implemented controls by the number of applicable controls.
(3) The PSR represents the degree of risk associated with the absence of a control, and is calculated by multiplying Probability x Severity x Relevance.
(4) The Security Index is calculated by dividing the controlled risks (PSR) by the applicable risks.
(5) The Risk Index is calculated by dividing the identified risks (PSR) by the applicable risks.
IMPORTANT: When the Security Index is greater than the Control Index, it can be inferred that there is greater effectiveness in the risk management process, since the implemented controls correspond to those with higher risks (higher PSRs). Otherwise, it can be inferred that there is less effectiveness in the risk management process, since most of the implemented controls correspond to the lower risks (with lower PSRs). If the values are similar, it can be concluded that there is a homogeneous distribution between the level of risk and the priority given to the implemented controls.
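The index arithmetic of sections 1.2 and 2.2, as an added Python example that is not part of the report or of Modulo Risk Manager: each control's PSR is P x S x R on the 1 to 5 scale, the four indices are consolidated over the applicable controls only, and the IMPORTANT rule above is applied by comparing the Security Index with the Control Index. The control list and the 1-point tolerance for "similar" values are constructed assumptions; feeding the report's own totals (62 implemented and 37 non-implemented controls, PSR 3024 controlled and 1298 identified) into indices_from_totals reproduces its 62,63%, 37,37%, 69,97% and 30,03%.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    """One scored control (constructed sample data, not from the report)."""
    name: str
    probability: int   # P, 1..5: chance the weakness is exploited without the control
    severity: int      # S, 1..5: impact on the organization if the risk materializes
    relevance: int     # R, 1..5: importance of the asset to the organization
    applicable: bool   # non-applicable controls are excluded from every index
    implemented: bool

    @property
    def psr(self) -> int:
        if not all(1 <= f <= 5 for f in (self.probability, self.severity, self.relevance)):
            raise ValueError("P, S and R are scored on a scale from 1 to 5")
        return self.probability * self.severity * self.relevance  # Risk = P x S x R

def pct(num: float, den: float) -> float:
    return round(100.0 * num / den, 2) if den else 0.0

def indices_from_totals(n_impl: int, n_gap: int, psr_ctrl: int, psr_ident: int) -> dict:
    """Control/Gap Index count controls; Security/Risk Index weight them by PSR."""
    n_app, psr_app = n_impl + n_gap, psr_ctrl + psr_ident
    return {"control_index": pct(n_impl, n_app), "gap_index": pct(n_gap, n_app),
            "security_index": pct(psr_ctrl, psr_app), "risk_index": pct(psr_ident, psr_app)}

def indices(controls: list) -> dict:
    """Consolidate scored controls into the four indices of section 1.2."""
    app = [c for c in controls if c.applicable]
    impl = [c for c in app if c.implemented]
    gaps = [c for c in app if not c.implemented]
    return indices_from_totals(len(impl), len(gaps),
                               sum(c.psr for c in impl), sum(c.psr for c in gaps))

def effectiveness(idx: dict, tolerance: float = 1.0) -> str:
    """The IMPORTANT rule of section 2.2: Security Index versus Control Index."""
    diff = idx["security_index"] - idx["control_index"]
    if diff > tolerance:
        return "greater effectiveness: implemented controls carry the higher PSRs"
    if diff < -tolerance:
        return "less effectiveness: implemented controls carry the lower PSRs"
    return "homogeneous: risk level and implementation priority are evenly matched"

SAMPLE = [  # constructed controls, not values from the report
    Control("Backup restore tested", 5, 5, 5, True, True),    # PSR 125
    Control("Patch baseline applied", 4, 3, 2, True, False),  # PSR 24
    Control("Screen lock enforced", 1, 1, 1, True, False),    # PSR 1
    Control("Log retention policy", 3, 3, 3, True, True),     # PSR 27
    Control("Mainframe hardening", 5, 4, 4, False, False),    # not applicable
]

if __name__ == "__main__":
    print(indices_from_totals(62, 37, 3024, 1298))  # reproduces the report's own indices
```

In the sample, half the controls are implemented but they carry 85,88% of the PSR, so the rule reports greater effectiveness, as it does for the report (69,97% against 62,63%).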
2.3 Distribution of Risks (PSR) by Risk Level
The risks considered applicable in the analysis can be divided into:
RISK INDEX: 30,03% of identified risks
SECURITY INDEX: 69,97% of controlled risks
Figure 3 - Distribution of Risks (PSR) by Risk Level
2.4 Risks by Threat
Table 3 below presents the consolidated results by threat. It shows the absolute values and percentages of the controlled and identified risks for the 10 threats with the highest risk indices, presented in descending order of this index.
The identified risk (PSR) associated with each threat (potential incident) is calculated by summing the PSR scores of all the non-implemented controls associated with this threat. The Risk Index is calculated by dividing the value of the identified risks by the value of the applicable risks for each control associated with the threats.

Threat | Applicable Risk (PSR) | Controlled Risk (PSR) | Security Index | Identified Risk (PSR) | Risk Index
Repudiation | 40 | 0 | 0,0% | 40 | 100,0%
Drop in Performance | 288 | 72 | 25,0% | 216 | 75,0%
Non-Compliance with Regulations | 70 | 30 | 42,9% | 40 | 57,1%
Loss of Traceability | 1169 | 549 | 47,0% | 620 | 53,0%
Unavailability of Services or Information | 2052 | 1484 | 72,3% | 568 | 27,7%
Unauthorized Logical Access | 2887 | 2506 | 86,8% | 381 | 13,2%
Errors, Omissions, or Improper Use | 413 | 359 | 86,9% | 54 | 13,1%
Fraud or Sabotage | 1634 | 1624 | 99,4% | 10 | 0,6%
Administrative Sanctions | 0 | 0 | 0,0% | 0 | 0,0%
Copyright Infringement | 60 | 60 | 100,0% | 0 | 0,0%
Table 3 - Risks by Threat

These results should be used to prioritize the actions for the most critical business components and assets, in terms of the risks resulting from the main threats to the organization (see Figure 4):
Figure 4 - Risks by Threat
2.5 Risks by Business Component
The risks identified in the assets, which support the organization's business components, were consolidated in the two levels that categorize these components: strategic and tactical levels.
2.5.1 Strategic-Level Risks
Table 4 below presents the consolidated indices by strategic business component. It shows the absolute values and percentages of the risks for the 0 components with the highest risk indices.

Component | Relevance | Implemented Controls | Non-Implemented Controls | Control Index | Gap Index | Controlled Risk (PSR) | Identified Risk (PSR) | Security Index | Risk Index
(no strategic-level components were defined in this project)
Table 4 - Risks per Strategic Level

The value of the identified risk for each strategic business component is composed of the sum of the identified risk (PSR of the non-implemented controls) for all the assets that support it.
The Risk Index is calculated by dividing the value of the identified risk by the value of the applicable risk, for each business component as well as for all the components.
These results should be used to prioritize actions in the assets supporting the strategic business components with the highest risk indices (see Figure 5):
Figure 5 - Risk Index for Strategic Business Components
2.5.2 Tactical-Level Risks
Table 5 below presents the consolidated risks by tactical business component. It shows the absolute values and percentages for the 1 component(s) with the highest risk indices.

Organizational System | Relevance | Implemented Controls | Non-Implemented Controls | Control Index | Gap Index | Controlled Risk | Identified Risk | Security Index | Risk Index
01_PC_Banking_empresas | Medium | 62 | 37 | 62,63% | 37,37% | 3024 | 1298 | 69,97% | 30,03%
Table 5 - Tactical-Level Risks

The value of the identified risk for each tactical business component is comprised of the sum of the identified risks (PSR) of all the assets that support it.
The Risk Index for each business component is calculated by dividing the value of the identified risks by the value of the applicable risk, in each business component as well as in all the components.
These results should be used to prioritize actions in the assets that support the tactical business components with the highest risk indices (see Figure 6).
Figure 6 - Risk Index in Tactical Business Components
2.6 Risks by Asset (PSR)
The 2 assets listed in the following table correspond to 30,03% of the total of applicable risks. These assets should be prioritized for treatment in order to reduce the risks identified.

Asset | Asset Type | Relevance | Applicable PSR | Controlled PSR | Security Index | Identified PSR | Risk Index | Contribution to Risk Index
01 Servidor Back End | Tecnología | Very High | 3530 | 2560 | 72,5% | 970 | 27,5% | 22,4%
01 Firewall | Tecnología | High | 792 | 464 | 58,6% | 328 | 41,4% | 7,6%
Consolidated (2) | | | 4322 | 3024 | 65,6% | 1298 | 34,4% | 30,03%
Table 6 - Risks Identified in the Assets (by PSR)
2.7 Risk Levels of Non-Implemented Controls
Table 7 below presents the number and percentage of each risk level for the non-implemented controls in both the quantitative and qualitative overviews.

RISK LEVELS
Overview | Very High | High | Medium | Low | Very Low | Total
Quantitative: Controls | 6 | 5 | 24 | 2 | 0 | 37
Quantitative: % | 16,22% | 13,51% | 64,86% | 5,41% | 0,00% | 100,00%
Qualitative: PSR | 387 | 197 | 688 | 26 | 0 | 1298
Qualitative: % | 29,82% | 15,18% | 53,00% | 2,00% | 0,00% | 100%
Table 7 - Risk Levels of Non-Implemented Controls

According to the table above, it can be noted that 16,22% of the non-implemented controls represent 29,82% of the risks considered Very High in the organization.
3. NEXT STEPS
This analysis identified the main asset risks, and its results will assist the decision-making process to address the situations that affect the organization's objectives. The risk levels and the interpretations for each value are presented in the table below:

Risk Level | PSR Values | Definition
Very Low | 1, 2, 3, 4, 5, 6 | These are acceptable risks, and asset managers should be informed of them.
Low | 8, 9, 10, 12, 15, 16 | These are risks which may be acceptable once reviewed and confirmed by the asset managers.
Medium | 18, 20, 24, 25, 27, 30 | These are risks which may be acceptable once reviewed and confirmed by the asset managers; however, their acceptance should be done formally.
High | 32, 36, 40, 45, 48, 50 | These are unacceptable risks, and asset managers should at least be oriented on how to control them.
Very High | 60, 64, 75, 80, 100, 125 | These are unacceptable risks, and asset managers should be oriented on how to minimize them immediately.
Table 8 - Possible PSR Values

The results of the analysis provide important information for the next steps: risk evaluation and treatment. Using Modulo Risk Manager to evaluate risks and monitor their treatment allows for increased productivity and the use of additional tools, such as the What-If treatment simulator, which allows results to be evaluated in different possible scenarios.
In addition, the evaluation and treatment phases are also integrated with the analysis phase in Modulo Risk Manager, allowing for the proper use of the results. Thus, when it is decided that a certain risk will be sent for treatment, the system will allow treatment events to be created, which can be monitored and which allow for the evolution of the results found in the analysis.
For the next steps, the evaluation phase of the system should be used and the following approach should be adopted:
1) Identify the controls with "Very High" and "High" risk levels;
2) Evaluate the possible impacts of implementing these controls in the assets, systems, and business operations;
3) Send the controls with "Very High" and "High" risk levels for immediate treatment;
4) Identify the controls with "Medium" risk levels;
5) Evaluate the need to implement, in the short term, controls with "Medium" risk levels;
6) Identify the benefits of reducing the risks in the organization, using the Risk Index;
7) Verify if the residual risks of the evaluation are satisfactory;
8) Evaluate the impacts of accepting the controls with lower risk levels;
9) Accept the risks for controls with lower risk levels;
10) If the residual risks are not satisfactory, continue the process for controls with "Low" and "Very Low" risk levels;
11) Close the project and constantly monitor the residual risk during the treatments.
Risk Management Process
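The risk-level bands of Table 8 and the per-level breakdown of Table 7, as an added Python example that is not part of the report or of Modulo Risk Manager: it derives the 30 possible PSR values from the 1 to 5 scores, maps a control's PSR to its level, and consolidates a list of non-implemented controls the way Table 7 does (count and summed PSR per level, each as a share of the total), which is what makes a statement such as "16,22% of the controls carry 29,82% of the risk" visible. The list of PSRs is constructed sample data.

```python
from collections import Counter
from itertools import product

# Risk levels and the PSR values each covers, as given in Table 8 of the report.
PSR_LEVELS = [("Very Low", 1, 6), ("Low", 8, 16), ("Medium", 18, 30),
              ("High", 32, 50), ("Very High", 60, 125)]

def all_psr_values() -> list:
    """Every PSR a control can receive: products of P, S and R, each scored 1..5."""
    return sorted({p * s * r for p, s, r in product(range(1, 6), repeat=3)})

def risk_level(psr: int) -> str:
    """Map a control's PSR to its Table 8 risk level."""
    if psr not in all_psr_values():
        raise ValueError(f"{psr} is not a product of three scores in 1..5")
    for name, low, high in PSR_LEVELS:
        if low <= psr <= high:
            return name
    raise AssertionError("unreachable: every possible PSR falls in one level")

def level_distribution(gap_psrs: list) -> dict:
    """Table 7 style view of the non-implemented controls: per level, the number
    of controls and the summed PSR, each as a share of the total."""
    counts, sums = Counter(), Counter()
    for psr in gap_psrs:
        level = risk_level(psr)
        counts[level] += 1
        sums[level] += psr
    total_n, total_psr = len(gap_psrs), sum(gap_psrs)

    def share(part: int, whole: int) -> float:
        return round(100.0 * part / whole, 2) if whole else 0.0

    return {name: {"controls": counts[name], "controls_pct": share(counts[name], total_n),
                   "psr": sums[name], "psr_pct": share(sums[name], total_psr)}
            for name, _, _ in PSR_LEVELS}

# Constructed PSRs of non-implemented controls (sample data, not the report's).
SAMPLE_GAPS = [125, 100, 60, 36, 24, 24, 12, 4]

if __name__ == "__main__":
    for name, row in level_distribution(SAMPLE_GAPS).items():
        print(f"{name:10s} {row['controls']:3d} ({row['controls_pct']:6.2f}%)"
              f"  PSR {row['psr']:4d} ({row['psr_pct']:6.2f}%)")
```

With the sample, the three "Very High" controls are 37,5% of the gaps but 74,03% of the identified PSR, the same concentration the report observes in its own Table 7.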