1. ICT Risk Sample Methodology
This paper applies the information security model to primary data. Because of time
and resource constraints, reusing an existing model is the only practical way to
apply the conceptual framework to real-world data. An employee of the organization
is given a set of questions and answers each one by choosing one of the available
options. Each indicator is scored for impact and likelihood on the scales shown in
Table 1 and Table 2 below, and a mathematical model is then used to determine the
final information security risk level of the organization.
Table 1 : Impact Score and Criteria
   Criteria   Very High     High     Medium             Low        Very Low
   Score      5             4        3                  2          1
Table 2 : Likelihood Score and Criteria
   Criteria   Very High    High     Medium      Low     Very Low
   Score      5            4        3           2       1
1.1. Data Collection Technique
Primary data is collected from several IT colleges. A questionnaire is prepared and
the head of information security at each college supplies the inputs. Each question
is presented with a fixed set of alternative answers.
1.2. ISMS Contexts
Questions are administered to obtain the strength of each of the six ISMS factors in a
college. The six factors follow the main clauses of ISO/IEC 27001 (context, leadership,
planning, support, operation and performance evaluation, improvement).
   ➢ Context of the college: determines the external and internal issues that are
       relevant to its purpose and that affect its ability to achieve the intended
       outcome(s) of its information security management system.
   ➢ Leadership: ensures that the information security management system
       requirements are integrated into the organization's processes, and that the
       importance of effective information security management and of conforming to
       the information security management system requirements is communicated.
   ➢ Planning and risk management: ensures that the information security
       management system can achieve its intended outcome(s), prevents or reduces
       undesired effects, and drives continual improvement. It also ensures that
       repeated information security risk assessments produce consistent, valid and
       comparable results.
   ➢ Support and resources: determines the necessary competence of the person(s)
       doing work under the organization's control that affects its information
       security performance, and retains appropriate documented information as
       evidence of that competence.
   ➢ Operation and performance evaluation: the organization keeps documented
       information to the extent necessary to have confidence that the processes have
       been carried out as planned. It controls planned changes, reviews the
       consequences of unintended changes and takes action to mitigate any adverse
       effects as necessary. It also determines what needs to be monitored and
       measured, including information security processes and controls.
   ➢ Improvement: evaluates the need for action to eliminate the causes of
       nonconformity so that it does not recur.
Table 3 : Question Structure
         S.No   Questionnaire Based on                  No of Questions
         1      Context                                 3
         2      Leadership                              4
         3      Planning and Risk Assessment            10
         4      Support and Resources                   2
         5      Operation and Performance Evaluation    4
         6      Improvement                             7
1.3. Mathematical Model of Risk Level
The standard formula for calculating risk is

$$\text{Risk} = \text{Impact} \times \text{Likelihood}$$

Where:
         Impact             = a measure of the effect of an event
         Likelihood         = a measure of how likely it is that the event will occur

For the calculation, Impact is the level of estimated effect assigned to each indicator
(a fixed value on the 1-5 scale of Table 1, listed in Table 4), and Likelihood is the
average of the levels estimated by the responding colleges:

$$\text{Likelihood} = \frac{1}{n}\sum_{i=1}^{n} X_i$$

Where:
         Xi        = level of estimated likelihood reported by college i (1-5, Table 2)
         n         = total number of colleges

Since impact and the averaged likelihood both lie between 1 and 5, the risk of a single
indicator lies between 1 and 25. The final risk level is calculated by simply taking
the average of the risk scores over all criteria (indicators) of the questionnaire.
Hence,

$$\text{Final Risk Level} = \frac{1}{t}\sum_{j=1}^{t} \text{Risk}_j$$

Where:
    Risk_j        = risk score of criterion j
    t             = total number of criteria of the questionnaire
1.4. Risk Level Analysis
To analyze the risk level obtained from the above mathematical model, a risk threshold
chart is used. The chart classifies the obtained risk value into a level of risk such
as low risk, moderate risk or high risk.
The risk value obtained for each domain is plotted separately on the chart, which
makes it easy to identify the stronger and weaker aspects of the college's IT
security.
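The scoring model of Sections 1.3 and 1.4 carried through in code, as an added example that is not part of the paper. The impact values are taken from the Context and Leadership rows of Table 4; the per-college likelihood responses (n = 3 colleges) are constructed, and the low/moderate/high cut-offs on the 1 to 25 product scale are assumed, since the paper shows a threshold chart but states no numeric boundaries. Every response is validated against the 1-5 scale before averaging, and the result is reported per indicator, per domain and overall.

```python
"""Risk = Impact x Likelihood scoring model (Sections 1.3 and 1.4), as an added
example. Impact values come from Table 4 (Context and Leadership rows); the
per-college likelihood responses and the risk thresholds are constructed
assumptions, not data from the paper."""
from statistics import fmean

SCORE_MIN, SCORE_MAX = 1, 5   # Tables 1 and 2: Very Low = 1 ... Very High = 5

# Impact per indicator, fixed by the questionnaire (Table 4, first two domains).
IMPACT = {
    "Context of the college": {
        "INFORMATION SECURITY FRAMEWORK": 5,
        "INFORMATION SECURITY RESPONSIBILITY": 4,
        "FAMILIARITY OF INFORMATION SECURITY AMONG DEDICATED STAFF MEMBERS": 3,
        "INFORMATION SECURITY EDUCATION": 2,
    },
    "Leadership": {
        "CLASSIFICATION AND PROTECTION OF INFORMATION": 5,
        "SECURITY TEAM": 4,
        "TYPES OF HANDLED INFORMATION AND APPLICABLE REGULATION": 3,
        "CONTACT WHEN HACKED": 5,
    },
}

# Constructed likelihood responses X_i, one score per college (n = 3 colleges).
RESPONSES = {
    "Context of the college": {
        "INFORMATION SECURITY FRAMEWORK": [4, 5, 3],
        "INFORMATION SECURITY RESPONSIBILITY": [2, 3, 4],
        "FAMILIARITY OF INFORMATION SECURITY AMONG DEDICATED STAFF MEMBERS": [1, 2, 3],
        "INFORMATION SECURITY EDUCATION": [5, 4, 3],
    },
    "Leadership": {
        "CLASSIFICATION AND PROTECTION OF INFORMATION": [3, 3, 3],
        "SECURITY TEAM": [1, 1, 1],
        "TYPES OF HANDLED INFORMATION AND APPLICABLE REGULATION": [2, 2, 2],
        "CONTACT WHEN HACKED": [4, 4, 4],
    },
}

# Assumed cut-offs on the 1..25 product scale (the paper gives no numbers):
# risk <= 7 low, 8..15 moderate, above 15 high.
LOW_MAX = 7.0
MODERATE_MAX = 15.0


def is_valid_score(x) -> bool:
    """True for an integer on the 1..5 scale of Tables 1 and 2."""
    return isinstance(x, int) and not isinstance(x, bool) and SCORE_MIN <= x <= SCORE_MAX


def likelihood(scores) -> float:
    """Likelihood = (1/n) * sum(X_i): mean of the colleges' scores, after range checks."""
    if not scores:
        raise ValueError("no likelihood responses for indicator")
    bad = [x for x in scores if not is_valid_score(x)]
    if bad:
        raise ValueError(f"likelihood scores outside {SCORE_MIN}..{SCORE_MAX}: {bad}")
    return fmean(scores)


def classify(risk: float) -> str:
    """Map a risk value onto the (assumed) bands of the threshold chart."""
    if risk <= LOW_MAX:
        return "low"
    if risk <= MODERATE_MAX:
        return "moderate"
    return "high"


def assess(impact, responses):
    """Return (risk per indicator, mean risk per domain, final risk level).

    Risk_j = Impact_j x Likelihood_j for each indicator j; the domain value is the
    mean over its indicators and the final level the mean over all t indicators.
    """
    per_indicator = {}
    per_domain = {}
    for domain, indicators in impact.items():
        if domain not in responses:
            raise KeyError(f"no responses collected for domain {domain!r}")
        risks = []
        for name, imp in indicators.items():
            if not is_valid_score(imp):
                raise ValueError(f"impact of {name!r} outside {SCORE_MIN}..{SCORE_MAX}")
            if name not in responses[domain]:
                raise KeyError(f"no responses collected for indicator {name!r}")
            risk = imp * likelihood(responses[domain][name])
            per_indicator[(domain, name)] = risk
            risks.append(risk)
        per_domain[domain] = fmean(risks)
    final = fmean(per_indicator.values())
    return per_indicator, per_domain, final


if __name__ == "__main__":
    per_indicator, per_domain, final = assess(IMPACT, RESPONSES)
    for (domain, name), risk in per_indicator.items():
        print(f"{domain:24} {name[:40]:40} {risk:5.2f} {classify(risk)}")
    for domain, risk in per_domain.items():
        print(f"domain {domain!r}: {risk:.2f} ({classify(risk)})")
    print(f"final risk level: {final:.3f} ({classify(final)})")
```

With the constructed responses the Context domain scores 11.5 and Leadership 11.25, giving a final level of 11.375 (moderate under the assumed bands), while individual indicators range from 4 (SECURITY TEAM, low) to 20 (INFORMATION SECURITY FRAMEWORK and CONTACT WHEN HACKED, high); this is the per-domain and per-indicator separation Section 1.4 relies on to tell strong aspects from weak ones. The range checks matter because a single mis-keyed response of 0 or 6 would silently shift the averaged likelihood and every risk derived from it.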
2. Impact Values of Indicators
The impact value assigned to each indicator of the ISO-based questionnaire, on the 1-5
scale of Table 1, is presented in Table 4 below:
Table 4 : Impact Score of the Indicators by ISMS Context
    Context                  Indicator                                                          Impact
    Context of the college   INFORMATION SECURITY FRAMEWORK                                     5
                             INFORMATION SECURITY RESPONSIBILITY                                4
                             FAMILIARITY OF INFORMATION SECURITY AMONG DEDICATED STAFF MEMBERS  3
                             INFORMATION SECURITY EDUCATION                                     2
    Leadership               CLASSIFICATION AND PROTECTION OF INFORMATION                       5
                             SECURITY TEAM                                                      4
                             TYPES OF HANDLED INFORMATION AND APPLICABLE REGULATION             3
                             CONTACT WHEN HACKED                                                5
    Planning and Risk        TRANSMITTING, STORING AND HANDLING SENSITIVE INFORMATION           4
    Assessment               PREVENTION OF UNAUTHORIZED ACCESS OF INFORMATION STORED ON MEDIA   4
                             ENSURE AUTHORIZED ACCESS                                           4
                             PROTECTION USING CRYPTOGRAPHY                                      5
                             POLICIES FOR WEBSITE VISITS                                        3
                             CRITICAL DATA STORAGE                                              4
                             SECURE DISPOSAL OF SENSITIVE INFORMATION                           3
                             BROWSING OR DOWNLOAD FROM TRUSTED SITES                            3
                             ABIDE LICENSE/COPYRIGHT LAWS WHEN DOWNLOADING                      2
                             ENCOUNTERED WITH VIRUS OR TROJAN ON COMPUTER NETWORK               4
                             LOSS OF INFORMATION WHILE FORMATTING HARD DRIVE                    5
                             WORK FROM HOME USING PERSONAL COMPUTER                             3
                             LOGGING IN TO WORK ACCOUNT USING PUBLIC NETWORK                    4
                             PROTECTION AGAINST SOCIAL ENGINEERING, PHISHING, CYBERCRIME        5
                             VIOLATION OF POLICY AND REGULATION USING THIRD PARTY STORAGE       3
                             BUSINESS PLAN AND RESPONSIBILITY                                   3
    Support and Resources    EFFECTIVE EVALUATION OF SAFETY PLAN                                4
                             PROTECTION OF INFORMATION AND ITS FACILITIES AGAINST MALWARE       4
                             PROTECTION AGAINST LOSS OF DATA                                    5
                             STORAGE OF SENSITIVE DATA IN SECURED LOCATION                      4
                             INTERNET CONNECTION                                                2
    Operation and            AMOUNT SPENT ON ANTI-VIRUS                                         4
    Performance Evaluation   SUDDEN SHUTDOWN OF INTERNET                                        3
                             DEPARTMENT OF INFORMATION SECURITY PERFORMS INFORMATION
                             SECURITY BASED ASSESSMENT                                          3
                             USAGE OF LOCAL INTRUSION DETECTION SYSTEM (IDS)                    2
                             USAGE OF LOCAL INTRUSION PREVENTION SYSTEM (IPS)                   3
                             USAGE OF VIRTUAL PRIVATE NETWORK (VPN)                             1
                             PENETRATION TESTING                                                2
                             REGULAR REVIEW OF INFORMATION SECURITY POLICIES                    2
    Improvement              REGULAR UPDATE OF INFORMATION SECURITY POLICIES                    3
                             EMPLOYEE TRAINING TO RAISE AWARENESS ABOUT INFORMATION SECURITY    3
                             DIFFICULTY IN CONVINCING                                           2
                             INFORMATION OF NEW FORM OF INFORMATION SECURITY ATTACKS            5
                             TOOLS USED TO DETECT ATTACKS                                       4
                             INVESTMENT IN SECURITY SOLUTION                                    2