Risk Treatment Plan

ES1 - Vulnerability exploitation

An attacker exploits a security vulnerability to cause the undesirable disclosure of information, fraud or denial of service ....

Assets

The assets that need to be protected in order to prevent the impact caused by this event are:

sensitive information, etc.

Threats

The principal threat agents are:

employees, etc.

Vulnerabilities

The vulnerabilities that might be exploited are:

ignorance, misunderstanding and human fallibility , etc.

Impacts

The primary impacts of such an event are:

Undesirable disclosure of information (UDI), etc

Consequential impacts are:

Adverse press coverage, etc.

Risk treatment plan

ES1.1a Security policy

We have an up to date set of rules. They cover all our legal, regulatory and contractual obligations, and are proportional to our risks. Elaborate as appropriate, particularly concerning sensitivity of information and how it is to be handled and communicated<<>> We oblige our employees, contractors, customers etc, to follow them and we carefully select our employees and contractors before engaging and deploying them. There are penalties for not following the rules. If someone breaks the rules, they therefore cannot reasonably claim that they did not know that such rules existed. However, they might break them because they do not fully understand them.

THE STORY CONTINUES COVERING SUCH TOPICS AS TRAINING AND AWARENESS, ACCESS CONTROL, MASQUERADE, MALICIOUS CODE, MONITORING AND RECOVERY, ETC

THE GENERAL STORY LINE IS TO ASK (AND ANWSER) HOW CAN WE PREVENT THE EVENT? IF WE CANNOT DO THAT OR IF OUR PREFVENTIVE MEASURE FAILS, HOW TO WE DETECT THE EVENT? CAN WE THEN PREVENT THE OCCURENCE OF THE IMPACT? IF WE CANNOT DO THAT, HOW CAN WE REDUCE THE SEVERITY OF THE IMPACT?

Risk assessment

THERE THEN FOLLOWS AN ANALYSIS OF THE CONTROLS SHOWING HOW THEY OPERATE TO REDUCE THE FREQUENCY OR LIKELIHOOD OF THE OCCURENCE OF THE IMPACT AND/OR THE SEVERITY OF THE IMPACT. THIS RESULTS IN A STATEMENT OF RESIDUAL RISK. ALL RELEVANT EVENT-CIRCUNSTANCE PAIRS ARE CONSIDERED. NOTE THAT THIS CONSITUTES A RISK REGISTER

Return

IMS-Smart produced by Gamma Secure Systems Limited. Gamma is an ISO/IEC 27001:2005 and BS EN ISO 9001: 2000 registered company, certified for the provision of information security consultancy. BSI certificate numbers IS 85916 and FS 30710. Gamma Secure Systems, Diamond House, Frimley Road, Camberley, Surrey, GU15 2PS, UK Tel: +44 1276 702500 - Fax: +44 1276 692903. Use of IMS-Smart Template reference 015-071210-01-080102, copyright © Gamma Secure Systems Limited, 2007-8