David J. Lillenstein, Ed.D., NCSP Edward M. Levinson, Ed.D., NCSP Christina Sylvester, B.A.
Risk Assessment Worksheets - NCSP - V4 User(1)
NATIONAL CYBER SECURITY POLICY - ENTITY/SUB-ENTITY RISK ASSESSMENT PROCESS
Worksheets in this Workbook
1. Process Charts - this worksheet
2. Summary & Declaration - Summary of risk assessment and declaration by officer submitting the risk assessment
3. Part 1 - CNI Entity Information - Profile of Entity/Sub-Entity submitting the risk assessment (Please read the instructions in this CNII Entity Information worksheet to start doing the risk assessment)
4. High level risk assessment worksheets:
   a. Part 2 - HL Impact - High level impact analysis
   b. Part 3 - HL Dependency - High level dependency (on ICT or cyber systems) analysis
   c. Part 4 - HL Controls - High level controls analysis
5. Detailed risk assessment worksheets:
   a. Part 5 - Detailed Impact Analysis - Impact to various segments/elements of the Nation/National Economy
   b. Part 6 - Detailed Threat Analysis - Likelihood of threats exploiting vulnerabilities
   c. Part 7 - Detailed Risk Assessment Result
Summary of Charts In This Worksheet (for information only)
Chart 1 : Risk Assessment Framework
Chart 2 : Risk Assessment Process Framework (referred to in Chart 1)
Chart 3 : Compliance Governance Framework (referred to in Chart 1)
Chart 4 : High Level Risk Assessment and Detailed Risk Assessment
Note : Adjust the appropriate zoom factor to be able to see each complete chart within your screen.
CHART 3 : COMPLIANCE GOVERNANCE FRAMEWORK
1. CGSO ASSEMBLES ANNUAL QUESTIONNAIRE WITH INPUTS FROM MKN AND NC3-PT6
2. CGSO SENDS QUESTIONNAIRE TO REGULATORY BODIES AND CNI ENTITIES
3. CNI ENTITIES FILL QUESTIONNAIRE AND SEND RESPONSE TO PT6
4. NC3-PT6 CONSOLIDATE OVERALL AND SEND TO CGSO FOR KEY POINTS COMMITTEE APPROVAL
5. KEY POINTS COMMITTEE APPROVES AND CGSO PROVIDES UPDATED LIST TO NC3-PTs
6. NC3-PTs USE UPDATED LIST/COMPLIANCE INFO TO PRIORITIZE ACTIVITIES AND FOCUS AREAS
Flow annotations on the chart : Includes Risk Assessment Information Required; Compliance and Risk Assessment Information; Compliance Information; Risk-Impact Rank Information
04/08/2023 11:17:37 document.xls (Summary & Declaration)
SUMMARY AND DECLARATION - ENTITY/SUB-ENTITY RISK ASSESSMENT
Ref Code : For Office Use Only
Low Impact
Dependency Analysis Not Required
Controls Assessment Not Required
FILL IN THE PARTICULARS OF RESPONDENT AND REVIEWER/APPROVER BELOW (Items 1 to 4 to be filled in Part 1, not here)
1 CNI ENTITY : Lembaga Pelabuhan Johor
2 CNI SUB-ENTITY :
3 : 4A1-8A1, Pusat Perdagangan Pasir Gudang, Jalan Bandar, 81700 Pasir Gudang, Johor
4
SUMMARY FOR (SUB-) ENTITY'S SERVICE OR PRODUCT HIGH LEVEL RISK ASSESSMENT : Detailed Risk Assessment Not Compulsory
ADDRESS WHERE SERVICE IS CENTERED/DELIVERED/ORIGINATED FROM OR ADDRESS WHERE PRODUCT IS PRODUCED :
SHORT NAME OF SERVICE OR PRODUCT (GROUP) :
Respondent
8 NAME OF RESPONDENT :
9 DESIGNATION :
10
11 CORRESPONDENCE ADDRESS :
12 TELEPHONE NOS. :
13 FAX NOS. :
14 EMAIL ADDRESS :
15 WEBSITE/PORTAL ADDRESS :
DEPARTMENT/ DIVISION / SECTION /UNIT :
Signature and Stamp :
Date :
Declaration : To the best of my knowledge, I declare that the information submitted here is true and the assessments submitted in the remaining worksheets are a fair reflection of the organisation.
Reviewer/Approver
16
17 POSITION :
18
19 CORRESPONDENCE ADDRESS :
20 TELEPHONE NOS. :
21 FAX NOS. :
22 EMAIL ADDRESS :
NAME OF REVIEWER/APPROVER OF RESPONSE :
DEPARTMENT/ DIVISION / SECTION /UNIT :
Signature and Stamp :
Date :
PART 1 : GENERAL INFORMATION
Low Impact
Dependency Analysis Not Required
Controls Assessment Not Required
SECTION A
FILL IN THE PARTICULARS OF THE ENTITY AND SUB-ENTITY
1 CNI ENTITY : Lembaga Pelabuhan Johor
2 CNI SUB-ENTITY :
3 : 4A1-8A1, Pusat Perdagangan Pasir Gudang, Jalan Bandar, 81700 Pasir Gudang, Johor
Instructions :
a. Please fill in this Part 1 and then do the high level risk assessment by providing inputs in the Part 2 - HL Impact Worksheet, Part 3 - HL Dependency Worksheet and Part 4 - HL Controls Worksheet.
b. If the verdict from the high level risk assessment (see cell G5 in this worksheet) indicates that a detailed risk assessment is necessary, then please proceed to do the detailed risk assessment by filling in the Part 5 - Detailed Impact Analysis Worksheet and Part 6 - Threats-Vulnerability Analysis Worksheet and view the results in the Part 7 - Detailed Risk Assessment Result Worksheet. The summary of the detailed risk assessment (if required) will appear in cells E9 to G12 of this worksheet.
c. In the detailed risk assessment, if it is obvious that the impact of disruption of the critical services and products is medium to very high, then this input can be entered directly in cell G12 of the Part 7 - Detailed Risk Assessment Result Worksheet instead of filling in the details in the Part 5 - Detailed Impact Analysis Worksheet.
SUMMARY FOR (SUB-) ENTITY'S SERVICE OR PRODUCT HIGH LEVEL RISK ASSESSMENT : Detailed Risk Assessment Not Compulsory
Note :
1. This part must be filled in by all CNI (Sub-)Entities, irrespective of whether they are doing the high level risk assessment first (see Part 2, Part 3 and Part 4), or whether they are bypassing the high level risk assessment and doing the full risk assessment only (Parts 5, 6 and 7). (To bypass the high level risk assessment, go to Part 2 and put Y in a 'High Impact' column.)
2. IMPORTANT : Please fill in and submit one set of responses separately for EACH SERVICE OR PRODUCT (GROUP) from the same Sub-Entity if there are several services or products (groups) from the same Sub-Entity.
3. Entities are to use their own internally devised identifier codes for the following:
   a. Service or Product Code in Section B
   b. Critical Systems Code (non cyber) in Section D
   c. Critical Cyber Systems Code in Section D
ADDRESS WHERE SERVICE IS CENTERED/DELIVERED/ORIGINATED FROM OR ADDRESS WHERE PRODUCT IS PRODUCED :
4 SHORT NAME OF SERVICE OR PRODUCT (GROUP) * : (See note 2 above)
5 DESCRIPTION OF SERVICE OR PRODUCT (GROUP) * : (Please describe what the service or product is, not what the entity does to produce it. For a GROUP, please list each service/product in Section B below)
6 AREA OF COVERAGE OF SERVICE OR PRODUCT : Johor (Please provide the name or unique identifier of the Region, State, District, Township, Industrial Area, Operations Area, Business District etc)
7 KEY PARAMETERS OF AREA OF COVERAGE : Perairan Johor
   1. Residential Population (estimated numbers)
   2. Commercial Population (number of companies)
   3. Industries (number of industries)
   4. Business Value (estimated RM value of business)
   5. Others (Please describe)
   Please enter all the major ones in the particular area of coverage that apply.
SECTION B
* ITEMISE THE CRITICAL SERVICES OR PRODUCTS INCLUDED IN THE DEFINED GROUP, IF THESE CRITICAL SERVICES OR PRODUCTS ARE TO BE ADDRESSED AS ONE GROUP (in Section A4 and Section A5 above) IN THE RISK ASSESSMENT.
SERVICE OR PRODUCT CODE : rows 1 to 15 (blank)
SECTION C
* ITEMISE THE LIST OF SERVICES OR PRODUCTS LOGICALLY IN THE GROUP (in Sections A4 and A5 above) THAT ARE NOT CATEGORISED AS CRITICAL SERVICES OR PRODUCTS
Rows 1 to 15 (blank)
SECTION D
MAP THE SERVICE OR PRODUCT (GROUP) TO CRITICAL (NON-CYBER) SYSTEMS (IF ANY) AND CRITICAL CYBER SYSTEMS THAT DELIVER/PRODUCE THE SERVICE OR PRODUCT (GROUP)
Columns : CRITICAL SYSTEMS (NON-CYBER) | CRITICAL SYSTEMS CODE | CRITICAL CYBER SYSTEMS (NOTE : ONE CYBER SYSTEM CAN MANAGE/CONTROL MORE THAN ONE CRITICAL SYSTEM TO DELIVER THE SERVICE OR PRODUCT) | CRITICAL CYBER SYSTEMS CODE | DEGREE OF DEPENDENCY ** (see guide on right)
Rows 1 to 10 (blank)
PART 2 : HIGH LEVEL IMPACT ASSESSMENT
For each of the following dimensions that may be impacted in the event of the disruption to your critical services or products (group) in Part 1, select the appropriate estimated level of impact with a 'Y' in the appropriate impact column. Note : Do not factor in any dependency on cyber systems at this stage. Just focus on your service or product and the impact of its disruption.
Impact columns, left to right : Very Low Impact | Low Impact | Medium Impact | High Impact | Very High Impact ('y' marks the selected column)
Dimensions
Defense and Security    x y x x x   Low Impact
Economy                 x y x x x   Low Impact
National Image          x y x x x   Low Impact
Government Services     x y x x x   Low Impact
Health and Safety       x y x x x   Low Impact
Maximum Level >> Low Impact
Explanation on Dimensions
Defense and Security : Compromise or weakening of our ability to defend (MAF, APMM) and ensure security (Police etc).
Economy : Covers commerce, banking, industrial activity, logistics and transportation including airport and port management, domestic and international trade, stock exchange etc
National Image :
Government Services : Online and core government services dependent on ICT like RTD, Immigration, Customs, NRD, e-Procurement, e-SPKB, GFMAS, SPEKS, SAGA etc
Health and Safety : Hospital services, emergency services including ambulance, fire brigade, civil defense, search and rescue and public safety
PART 3 : HIGH LEVEL ASSESSMENT OF DEPENDENCY ON INFORMATION OR CYBER SYSTEMS
You need not respond below as the impact assessment shows that impact is low.
Dependency columns, left to right : Very Low Dependency | Low Dependency | Medium Dependency | High Dependency | Very High Dependency ('y' marks the selected column)
Cyber Systems Main Components
Online Applications        x y x x x   Low Dependency
Backend Applications       x y x x x   Low Dependency
Databases/Repository       x y x x x   Low Dependency
SAN/NAS                    x y x x x   Low Dependency
Corporate Network          x x x y x   High Dependency
Private Network            x y x x x   Low Dependency
Internet                   y x x x x   Very Low Dependency
Control Systems Network    y x x x x   Very Low Dependency
Remote Services            x y x x x   Low Dependency
Maximum Level >> High Dependency
PART 4 : HIGH LEVEL ASSESSMENT OF STATUS OF CONTROLS ON INFORMATION OR CYBER SYSTEMS THAT ARE USED IN THE DELIVERY OF CRITICAL PRODUCTS AND SERVICES
You need not respond below as the Impact is low or Dependency on Cyber Systems is low.
Controls columns, left to right (note the descending order) : Very High Controls | High Controls | Medium Controls | Low Controls | Very Low Controls ('y' marks the selected column)
Information Security Dimensions
Risk Assessment/Treatment                       x x y x x   Medium Controls
Security Policy                                 x x y x x   Medium Controls
Organization of Information Security            x y x x x   High Controls
Asset Management                                x x x y x   Low Controls
Human Resources Security                        x x y x x   Medium Controls
Physical & Environmental Security               x x y x x   Medium Controls
Communications and Operations Mgmt              y x x x x   Very High Controls
Access Control                                  x x y x x   Medium Controls
Info Systems Acquisition, Dev & Maintenance     x x y x x   Medium Controls
Information Security Incident Mgmt              x x y x x   Medium Controls
Business Continuity Management                  x x y x x   Medium Controls
Compliance                                      x x y x x   Medium Controls
Minimum Level >> Low Controls
PART 5 : CNII (SUB-)ENTITIES' DETERMINATION OF IMPACT DUE TO UNAVAILABILITY/COMPROMISE OF THEIR CRITICAL PRODUCTS AND SERVICES
You need not respond here as the High Level Risk Assessment indicates that risk is low.
PLEASE IGNORE THE TABLE BELOW. YOU NEED NOT FILL IN THE DETAILS IN ROW 11.
SEIGH Dimensions >> Impact to National Defense and Security | Impact to National Economic Strength | Impact to National Image | Impact to Government Capabilities to Function | Impact to Public Health and Safety | TOTAL
Components of SEIGH Dimensions >> (column headers recovered from the flattened table) Military Readiness; Police Operations; APMM Operations; E-Commerce; Securities; International Trade; Domestic Trade; Foreign Exchange; Industrial Production; Banking and Finance; Investor Perception; Citizen Perception; Foreign Perception; E-Government; E-Payment; People Identity and Immigration Services; Public Pensions, Trusts and Savings; Health Services; Public Health; Public Safety; Totals; Impact (Weight Averaged); Impact (Rounded Wt Avg)
Row 11 - Critical Products and Services Group : 4.0, with 4 entered in every component column; the Totals cells print as ###
PART 6 : CNII (SUB-)ENTITY'S DETAILED ANALYSIS OF THREATS-VULNERABILITIES-COUNTERMEASURES THAT WILL ASSURE THE DELIVERY OF THEIR CRITICAL PRODUCTS AND SERVICES
You need not respond here as the High Level Risk Assessment indicates that risk is low.
PLEASE IGNORE THE TABLE BELOW. YOU NEED NOT FILL IN THE DETAILED THREATS-VULNERABILITIES LIKELIHOOD TABLE BELOW.
Columns : Asset Group | Asset Name | Threats | Vulnerabilities | Controls/ Safeguards/ Countermeasures | Likelihood of Threats Exploiting Vulnerabilities (0 to 4) | Asset Group Likelihood (0 to 4) | Overall Likelihood (0 to 4)
Asset Groups (one block each, across three printed pages) : People; Hardware; Software; Network; Physical Security; Environmental & Support Systems
Controls/ Safeguards/ Countermeasures listed : Logical Access Procedures; Perimeter Protection Measures; Patch Control and Updates Measures
Likelihood values entered : 4 (all other cells blank); Overall Likelihood carried to Part 7 : 4
PART 7 : CNII (SUB-)ENTITIES' RISK ASSESSMENT TAKING THE OVERALL IMPACT FROM PART 5 AND THE OVERALL THREATS EXPLOITING VULNERABILITIES LIKELIHOOD FROM PART 6
THIS TABLE IS IGNORED AS THE HIGH LEVEL RISK ASSESSMENT INDICATES THAT RISK IS LOW.
Risk Rating Matrix (axes : Likelihood of Incident Scenario, i.e. Likelihood of Threats Exploiting Vulnerabilities, and Impact of Incident to Nation; each cell is the sum of the two 0-4 ratings)
                Very Low-0   Low-1   Medium-2   High-3   Very High-4
Very Low-0          0          1        2          3          4
Low-1               1          2        3          4          5
Medium-2            2          3        4          5          6
High-3              3          4        5          6          7
Very High-4         4          5        6          7          8
Risk bands : Low Risk 0 to 2; Medium Risk 3 to 5; High Risk 6 to 8
SUMMARY OF DETAILED RISK ANALYSIS FOR :
Impact rating manually entered (only allowed if rating is 2, 3 or 4) :
Impact from Part 5 (Detailed Impact Analysis) : 4
Impact rating from Part 5 used : 4
Threats Likelihood from Part 6 (Threats-Vulnerability Analysis) : 4
Numerical Risk Rating (Threat Likelihood and Impact) : 8
Overall Risk : HIGH RISK
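As an added worked example (not part of the NCSP workbook or its cell formulas), the scoring rules the worksheets apply, written out in Python so a submission can be re-checked outside Excel: the 'y'-mark rows of Parts 2 to 4 are parsed, Parts 2 and 3 take the maximum level and Part 4 the minimum (its columns run Very High to Very Low), and Part 7 adds impact to likelihood and bands the result, rejecting a manual impact rating outside 2 to 4. The sample rows are copied from the worksheets above; the function names are assumptions of this example.

```python
"""Added example: scoring rules of the NCSP risk assessment workbook
(Parts 2-4 high level summary and the Part 7 risk rating matrix).
Function names are this example's own, not workbook cell formulas."""
from __future__ import annotations

LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]  # index 0..4


def mark_index(row: str, descending: bool = False) -> int:
    """Convert a worksheet mark row such as 'x x x y x' into a 0-4 level.
    Parts 2 and 3 list columns Very Low .. Very High; Part 4 lists them
    Very High .. Very Low, so its index is mirrored. Exactly one 'y' allowed."""
    marks = row.lower().split()
    if len(marks) != 5 or marks.count("y") != 1 or set(marks) - {"x", "y"}:
        raise ValueError(f"malformed mark row: {row!r}")
    idx = marks.index("y")
    return 4 - idx if descending else idx


def high_level_summary(impact_rows, dependency_rows, control_rows) -> dict:
    """Parts 2 and 3 report the MAXIMUM level over their rows; Part 4 reports
    the MINIMUM, so the weakest control area sets the controls level."""
    impact = max(mark_index(r) for r in impact_rows.values())
    dependency = max(mark_index(r) for r in dependency_rows.values())
    controls = min(mark_index(r, descending=True) for r in control_rows.values())
    return {"impact": f"{LEVELS[impact]} Impact",
            "dependency": f"{LEVELS[dependency]} Dependency",
            "controls": f"{LEVELS[controls]} Controls"}


def detailed_risk(impact: int, likelihood: int,
                  manual_impact: int | None = None) -> tuple[int, str]:
    """Part 7: rating = impact + likelihood (each 0-4), banded Low (0-2),
    Medium (3-5) or High (6-8). A manually entered impact replaces the
    Part 5 value but is only accepted when it is 2, 3 or 4."""
    if manual_impact is not None:
        if manual_impact not in (2, 3, 4):
            raise ValueError("manual impact rating must be 2, 3 or 4")
        impact = manual_impact
    if not (0 <= impact <= 4 and 0 <= likelihood <= 4):
        raise ValueError("impact and likelihood must be integers 0-4")
    rating = impact + likelihood
    band = "Low Risk" if rating <= 2 else "Medium Risk" if rating <= 5 else "High Risk"
    return rating, band


# Constructed sample input: mark rows copied from Parts 2, 3 and 4 above.
IMPACT_ROWS = {"Defense and Security": "x y x x x", "Economy": "x y x x x"}
DEPENDENCY_ROWS = {"Online Applications": "x y x x x",
                   "Corporate Network": "x x x y x", "Internet": "y x x x x"}
CONTROL_ROWS = {"Asset Management": "x x x y x",
                "Communications and Operations Mgmt": "y x x x x",
                "Access Control": "x x y x x"}

if __name__ == "__main__":
    print(high_level_summary(IMPACT_ROWS, DEPENDENCY_ROWS, CONTROL_ROWS))
    print(detailed_risk(4, 4))  # the Part 7 figures above: (8, 'High Risk')
```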
Compatibility Report for Risk Assessment Worksheets - NCSP - V4 User(1).xls
Run on 10/23/2009 10:31
The following features in this workbook are not supported by earlier versions of Excel. These features may be lost or degraded when you save this workbook in an earlier file format.
Significant loss of functionality : 29 occurrences
Some cells have more conditional formats than are supported by the selected file format. Only the first three conditions will be displayed in earlier versions of Excel.
Some cells have overlapping conditional formatting ranges. Earlier versions of Excel will not evaluate all of the conditional formatting rules on the overlapping cells. The overlapping cells will show different conditional formatting.
Some cells contain conditional formatting with the 'Stop if True' option cleared. Earlier versions of Excel do not recognize this option and will stop after the first true condition.
Minor loss of fidelity : 89 occurrences
Some cells or styles in this workbook contain formatting that is not supported by the selected file format. These formats will be converted to the closest format available.