IT SECURITY RISK ASSESSMENT

REVISION 2: 02/12/2021

1. INTRODUCTION
1.1      PURPOSE
1.2      STEPS
2. DESCRIPTION OF SERVICE / APPLICATION / PRODUCT
2.1      OVERVIEW
2.1.1     Workstation Access
2.1.2     Ownership of Information
2.1.3     External Access/Privileges
3. SCOPE
3.1      IN SCOPE
3.2      OUT OF SCOPE
3.3      INTENDED USE
3.4      BUSINESS CRITICAL SUCCESS FACTORS
3.5      KEY RESIDUAL WEAKNESSES AND THEIR POTENTIAL BUSINESS CONSEQUENCES OR EXPOSURES

List of Figures
FIGURE 1.  SAFEPASS RISK ASSESSMENT TOOL

1.  INTRODUCTION

1.1       PURPOSE

This manual will assist the management team in delivering the highest level of security to SafePass customers and serve as a reference tool for everyday use.  It describes best practice and is the reference document for all IT security personnel when dealing with our customers. This document is intended to enhance our ability to sell the SafePass Visitor Management System and ancillary products and services by considering the following two elements:

  • Risk Factors consider the intrinsic risk of the business process being assessed (for example, liquidity of assets).
  • Risk Level is a numeric range for each Risk Factor. Included are descriptions of the lowest, middle and highest risk attributes for most factors. Any number within the range that best represents the Risk Level can be used.

1.2       STEPS

  • Identify the business process to be assessed.
  • Assemble the proper team, if needed.
  • Consider local business conditions which might introduce additional exposures or increase risk (for example, significant cost or staffing reductions, significant changes in government fiscal policies or business conditions, hyperinflation, remoteness, autonomy, excessive overtime).
  • Assess the Risk Level for each Risk Factor as it pertains to the business process.
  • Assign the appropriate numeric score and document explanations in the comments column.
  • There may be unique aspects of the business process being assessed that are not addressed in Risk Factors A through H. Consider such aspects in Risk Factor I. Use Risk Factor I to consider additional control concerns (for example, ExxonMobil does not have internal audit rights; evidence of control weaknesses detected in audits, internal assessments or irregularities).
  • For those factors not applicable, note as NA and score as zero.
  • Add the assessment scores for each Risk Factor. The sum is the overall score for the business process.
  • Compare the total score to the range shown on the bottom of the last page of the form to ascertain the Risk Level (High, Moderate, or Low). The precise score is generally less important than the Risk Level itself. If the score classifies the business process as high-risk, a Controls Catalog is required.
  • Use the completed Risk Assessment to document the analysis and decision process. It should be reviewed and endorsed by the Business Process Owner, and filed for future reference.

2.  DESCRIPTION OF SERVICE / APPLICATION / PRODUCT

2.1       OVERVIEW

SafePass visitor management system provides customers with a security system that allows for visitors to check into a customer facility or secure location.  This process is completed by obtaining personal information and identification photographs that assist in the validation, verification and storage of historical records of individuals who gained access to a customer facility.

2.1.1           Workstation Access

Customer security personnel will be on site to gather the required documentation and assist in the authorization process to obtain personal information from outside visitors or, potentially, vendors.  The information the customer obtains through this interface is stored on SafePass owned or leased servers and is handled using SafePass owned or leased equipment.

2.1.2           Ownership of Information

This personal information will be obtained, modified and stored as per the direction of on-site customer staff and personnel.  It is the responsibility of SafePass to ensure this information is processed, managed, accessed and stored according to the current US regulatory requirements and industry standards.

2.1.3           External Access/Privileges

  • Customer security personnel access the webservers and SafePass databases via the internet from a standalone workstation that is owned by the Customer and located at the customer facility.  Security personnel are granted contribute access to the data. They use a shared ID and password that has been created for the facility location.
  • The site manager, a Customer employee, is responsible for ensuring all information is obtained according to the SafePass process and for validating visitor ID information against the physical visitor.
  • Customer security personnel also are required to ensure
  • A limited number of Key individuals at SafePass have read/write access to the system via the internet. A set of shared IDs and passwords has been created for use by SafePass and customer personnel.

3.  SCOPE

3.1       IN SCOPE

Customer visitor personal information

Online services using visitor personal information

SafePass servers storing visitor personal information

3.2       OUT OF SCOPE

Anything not related to personal information used by SafePass or its customers

3.3       INTENDED USE

Internal Working Information Not Intended for Release. Non-proprietary.

3.4       BUSINESS CRITICAL SUCCESS FACTORS

Loss of service (in-part or in-full) would not impact business critical success.

3.5       KEY RESIDUAL WEAKNESSES AND THEIR POTENTIAL BUSINESS CONSEQUENCES OR EXPOSURES

  • Customer security personnel and SafePass access the personal information of the visitors and process the information using external web services, if the customer approves.  SafePass ensures the integrity of these services based upon internal reviews and vetting of the service providers according to US government regulations and industry standards relating to Information Security Management.
  • There are no processes in place to ensure personal information is removed from the SafePass hardware on site after security personnel obtain the information. SafePass accepts the above issues and takes no exception to them, as all information which could be loaded on site is low-risk.

Figure 1.  SafePass Risk Assessment Tool

Business Process: ______________________

Form columns: Risk Factors / Levels | Probability Score | Consequence Score | Comments
(On the blank form each factor's Probability Score and Consequence Score cells read 0 0; the Comments cell is empty.)

A.  DOLLAR EXPOSURE (score 2, 4, 8, 12, 16 or 20)

This measures significance in terms of the annual values of throughputs or the value of assets controlled or affected by the business process (e.g., annual revenue, capex, opex, or Balance Sheet value for assets). (Note: computing centers would assume annual dollar throughput of systems).

  2 – < $10M
  4 – $10M – $50M
  8 – $51M – $100M
  12 – $101M – $250M
  16 – $251M – $500M
  20 – > $500M

Probability Score: 0    Consequence Score: 0    Comments:

B.  LIQUIDITY (score 0, 10 or 20)

This is a measure of the ease with which the dollar exposure of the business process can be lost, converted into cash, etc.

  0 – Not liquid (e.g., administrative operation, assets with limited salability, or immovable fixed assets).
  10 – Somewhat liquid (e.g., equipment, spares, receivables processing).
  20 – Highly liquid (e.g., cash, and items widely used or easily convertible into cash).

Probability Score: 0    Consequence Score: 0    Comments:

C.  CONSEQUENCE (score 0, 5 or 10)

This measures the consequence of a breakdown in a process or failure to meet commitments to third parties which could result in a business disruption or adverse publicity. It also covers the magnitude of penalties for non-compliance with laws/regulations (excludes safety & environmental matters).

  0 – Insignificant
  5 – Some damage/penalties
  10 – Extremely damaging consequences / severe penalties

Probability Score: 0    Consequence Score: 0    Comments:

D.  INFORMATION SENSITIVITY (score 0, 10 or 20)

This measures the sensitivity and confidentiality of the information processed by the area, which would be harmful if obtained by competitors, information brokers, employees, or others without a need to know.

  0 – Limited sensitivity
  10 – Sensitive operating information of interest to competitors, or private payroll or medical information
  20 – Competitively or economically damaging (e.g., acquisitions, procurement, etc.)

Probability Score: 0    Consequence Score: 0    Comments:

E.  COMPLEXITY OF THE BUSINESS PROCESS / SYSTEM / REGULATORY ENVIRONMENT (score 0, 5 or 10)

This measures the difficulty of the tasks performed, the difficulty of complying with regulations and the opportunity for error.

  0 – Standard process/computer system or stable regulatory environment.
  5 – Somewhat complex process/computer system or somewhat complex regulatory environment.
  10 – Non-standard process/computer system or substantially complex regulations.

Probability Score: 0    Consequence Score: 0    Comments:

F.  NUMBER AND NATURE OF OPERATING LOCATIONS (score 0, 5 or 10)

This measures the difficulty of administering or controlling operations due to the nature of the organization.

  0 – Central location, one unit.
  5 – Few locations, centrally controlled.
  10 – Location(s) with decentralized control.

Probability Score: 0    Consequence Score: 0    Comments:

G.  COMPUTER SYSTEM CHANGES (score 0, 5 or 10)

This measures the maturity and stability of the computer system / applications used.

  0 – Stable computer system with few changes.
  5 – Systems being changed / added to regularly.
  10 – Post-implementation phase of a new computer system.

Probability Score: 0    Consequence Score: 0    Comments:

H.  ORGANIZATION / BUSINESS PROCESS CHANGE (score 0, 5 or 10)

This measures the degree of change in the organization / business process, as changes can increase risk.

  0 – Stable organization, little change in key staff.
  5 – Some reorganization of work responsibilities or changes in key staff.
  10 – Significant reorganization of work responsibilities or several changes in key staff or management.

Probability Score: 0    Consequence Score: 0    Comments:

I.  OTHER (score 0 to 20)

Other risk factors or degree of exposure not considered adequately in the items above.  It can be a new dimension not considered, or the risk factor in the business process being assessed is believed to be greater than the points allowed in one or more of the above items (e.g., third-party software with known deficiencies, attention / oversight by third parties, political/economic stability).

Describe the risk and reason for the score assigned.  Score can be from 0 to 20.

Probability Score: 0    Consequence Score: 0    Comments:

Probability Level (from the total Probability Score):

  PROBABILITY A – 45 and higher
  PROBABILITY B – 30 to 44
  PROBABILITY C – 20 to 29
  PROBABILITY D – 10 to 19
  PROBABILITY E – Less than 10

Total Probability Score: 0

Consequence Level (from the total Consequence Score):

  CONSEQUENCE I – 45 and higher
  CONSEQUENCE II – 22 to 44
  CONSEQUENCE III – 10 to 22
  CONSEQUENCE IV – Less than 10

Total Consequence Score: 0
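The scoring procedure in section 1.2 and the form in Figure 1, as an added worked example that is not part of the original document: a Python scorer that encodes the factor scales and the probability and consequence bands printed on the form, treats NA as zero, rejects scores that are not on a factor's scale, and refuses an incomplete column. It assumes both score columns use the same per-factor scale, assigns a consequence total of 22 to band II where the form lists 22 under both II and III, and uses constructed sample scores; the form does not state which bands count as High, Moderate or Low, so only the band labels are returned.

```python
from typing import Dict, Optional, Tuple

# Allowed scores per Risk Factor, as printed on the form (None: any integer 0-20).
FACTOR_SCALES: Dict[str, Optional[Tuple[int, ...]]] = {
    "A": (2, 4, 8, 12, 16, 20),  # Dollar exposure
    "B": (0, 10, 20),            # Liquidity
    "C": (0, 5, 10),             # Consequence
    "D": (0, 10, 20),            # Information sensitivity
    "E": (0, 5, 10),             # Complexity
    "F": (0, 5, 10),             # Operating locations
    "G": (0, 5, 10),             # Computer system changes
    "H": (0, 5, 10),             # Organization / process change
    "I": None,                   # Other (0 to 20)
}
# Band lower bounds (inclusive), highest band first, as printed at the bottom of the form.
PROBABILITY_BANDS = (("A", 45), ("B", 30), ("C", 20), ("D", 10), ("E", 0))
# The form lists 22 under both II (22 to 44) and III (10 to 22); assigning 22 to
# band II is this example's assumption, not something the form states.
CONSEQUENCE_BANDS = (("I", 45), ("II", 22), ("III", 10), ("IV", 0))

def factor_score(factor: str, score) -> int:
    """Validate one factor's score (an int or "NA") against its scale; NA scores zero."""
    if score == "NA":
        return 0
    scale = FACTOR_SCALES[factor]
    if scale is None and 0 <= int(score) <= 20:
        return int(score)
    if scale is not None and score in scale:
        return int(score)
    raise ValueError(f"factor {factor}: score {score!r} is not on the form's scale")

def score_column(scores: Dict[str, object], bands) -> Tuple[int, str]:
    """Sum one column (every factor A-I scored or NA) and map the total to its band."""
    missing = set(FACTOR_SCALES) - set(scores)
    if missing:
        raise ValueError(f"factors without a score or NA: {sorted(missing)}")
    total = sum(factor_score(f, scores[f]) for f in FACTOR_SCALES)
    return total, next(label for label, floor in bands if total >= floor)

def assess(probability: Dict[str, object], consequence: Dict[str, object]) -> dict:
    """Score both columns of the form; assumes both columns use the same factor scales."""
    return {"probability": score_column(probability, PROBABILITY_BANDS),
            "consequence": score_column(consequence, CONSEQUENCE_BANDS)}

# Constructed sample scores for illustration only (not an assessment from the document).
SAMPLE_PROBABILITY = {"A": 2, "B": 0, "C": 5, "D": 10, "E": 5, "F": 10, "G": 5, "H": 5, "I": 5}
SAMPLE_CONSEQUENCE = {"A": 2, "B": 0, "C": 10, "D": 10, "E": "NA", "F": 5, "G": 0, "H": 0, "I": 0}
```

Calling `assess(SAMPLE_PROBABILITY, SAMPLE_CONSEQUENCE)` returns the two totals with their band labels; a score such as 5 for factor B raises rather than being silently summed.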