Risk Assessment Advanced

Controls

| ID | Control | ISO 27001 |
|---|---|---|
| 1030 | A set of policies for information security at MCAP is defined, approved by management, published and communicated to employees and relevant external parties. | A.5.1.1 |
| 1031 | The policies for information security are reviewed at least annually, or if significant changes occur, to ensure their continuing suitability, adequacy and effectiveness. | A.5.1.2 |
| 1032 | All information security responsibilities at MCAP are defined and allocated. | A.6.1.1 |
| 1033 | Conflicting duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of MCAP's assets. | A.6.1.2 |
| 1034 | Appropriate contacts with special interest groups or other specialist security forums and professional associations are maintained. | A.6.1.4 |
| 1035 | Information security is addressed in project management, regardless of the type of project. | A.6.1.5 |
| 1036 | A policy and supporting security measures are adopted to manage the risks introduced by using mobile devices such as laptops and phones. | A.6.2.1 |
| 1037 | Background verification checks on all candidates for employment are carried out in accordance with relevant laws, regulations and ethics and are proportional to the business requirements, the classification of the information to be accessed and the perceived risks. | A.7.1.1 |
| 1038 | The contractual agreements with employees and contractors state their and MCAP's responsibilities for information security. | A.7.1.2 |
| 1039 | MCAP management requires all employees and contractors to apply information security in accordance with the established policies and procedures of MCAP. | A.7.2.1 |
| 1040 | All employees of MCAP and, where relevant, contractors receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. | A.7.2.2 |
| 1041 | There is a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. | A.7.2.3 |
| 1042 | Information security responsibilities and duties that remain valid after termination or change of employment are defined, communicated to the employee or contractor and enforced. | A.7.3.1 |
| 1043 | Assets associated with information and information processing facilities are identified and an inventory of these assets is drawn up and maintained. | A.8.1.1 |
| 1044 | Assets maintained in the inventory are owned. | A.8.1.2 |
| 1045 | Rules for the acceptable use of information and of assets associated with information and information processing facilities are identified, documented and implemented. | A.8.1.3 |
| 1046 | All employees and external party users are informed of and required to return all MCAP assets in their possession upon termination of their employment, contract or agreement. | A.8.1.4 |
| 1047 | Information is classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. | A.8.2.1 |
| 1048 | An appropriate set of procedures for information labelling is developed and implemented in accordance with the information classification scheme adopted by MCAP. | A.8.2.2 |
| 1049 | Procedures for handling assets are developed and implemented in accordance with the information classification scheme adopted by MCAP. | A.8.2.3 |
| 1050 | Procedures are implemented for the management of removable media in accordance with the classification scheme adopted by MCAP. | A.8.3.1 |
| 1051 | Media are disposed of securely when no longer required, using formal procedures. | A.8.3.2 |
| 1052 | Media containing information are protected against unauthorized access, misuse or corruption during transportation. | A.8.3.3 |
| 1053 | An access control policy is established, documented and reviewed based on business and information security requirements. | A.9.1.1 |
| 1054 | Users are provided with access to the network and network services that they have been specifically authorized to use. | A.9.1.2 |
Classification: Public 2 of 10
| 1055 | A formal user registration and de-registration process is implemented to enable assignment of access rights. | A.9.2.1 |
| 1056 | A formal user access provisioning process is implemented to assign or revoke access rights for all user types to all systems and services. | A.9.2.2 |
| 1057 | The allocation and use of privileged access rights is restricted and controlled. | A.9.2.3 |
| 1058 | The allocation of secret authentication information is controlled through a formal management process. | A.9.2.4 |
| 1059 | Asset owners review users' access rights at least quarterly. | A.9.2.5 |
| 1060 | The access rights of all employees and external party users to information and information processing facilities are removed upon termination of their employment, contract or agreement, or adjusted upon change. | A.9.2.6 |
| 1061 | Users are required to follow MCAP's practices in the use of secret authentication information. | A.9.3.1 |
| 1062 | Access to information and application system functions is restricted in accordance with the access control policy. | A.9.4.1 |
| 1063 | Where required by the access control policy, access to systems and applications is controlled by a secure log-on procedure. | A.9.4.2 |
| 1064 | Password management systems are interactive and ensure quality passwords. | A.9.4.3 |
| 1065 | The use of utility programs that might be capable of overriding system and application controls is restricted and tightly controlled. | A.9.4.4 |
| 1066 | Access to MCAP application source code is restricted. | A.9.4.5 |
| 1067 | A policy on the use of cryptographic controls for protection of information is developed and implemented. | A.10.1.1 |
| 1068 | A policy on the use, protection and lifetime of cryptographic keys is developed and implemented through their whole lifecycle. | A.10.1.2 |
| 1069 | Security perimeters are defined and used to protect areas that contain either sensitive or critical information and information processing facilities. | A.11.1.1 |
| 1070 | Secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access. | A.11.1.2 |
| 1071 | Physical security for offices, rooms and facilities is designed and applied. | A.11.1.3 |
| 1072 | Physical protection against natural disasters, malicious attack or accidents is designed and applied. | A.11.1.4 |
| 1073 | Procedures for working in secure areas are designed and applied. | A.11.1.5 |
| 1074 | Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises are controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. | A.11.1.6 |
| 1075 | Equipment is sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. | A.11.2.1 |
| 1076 | Equipment is protected from power failures and other disruptions caused by failures in supporting utilities. | A.11.2.2 |
| 1077 | Power and telecommunications cabling carrying data or supporting information services is protected from interception, interference or damage. | A.11.2.3 |
| 1078 | Equipment is correctly maintained to ensure its continued availability and integrity. | A.11.2.4 |
| 1079 | Equipment, information or software shall not be taken off-site without prior authorization. | A.11.2.5 |
| 1080 | Security is applied to off-site assets taking into account the different risks of working outside MCAP's premises. | A.11.2.6 |
| 1081 | All items of equipment containing storage media are verified to ensure that any sensitive data and licensed software have been removed or securely overwritten prior to disposal or re-use. | A.11.2.7 |
| 1082 | Users shall ensure that unattended equipment has appropriate protection. | A.11.1.8 |
| 1083 | A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities are adopted. | A.11.2.9 |
| 1084 | Operating procedures are documented and made available to all users who need them. | A.12.1.1 |
| 1085 | Changes to MCAP business processes, information processing facilities and systems that affect information security are controlled. | A.12.1.2 |
| 1086 | The use of resources is monitored and tuned, and projections are made of future capacity requirements to ensure the required system performance. | A.12.1.3 |
| 1087 | Development, testing and operational environments are separated to reduce the risks of unauthorized access or changes to the operational environment. | A.12.1.4 |
| 1088 | Detection, prevention and recovery controls to protect against malware are implemented, combined with appropriate user awareness. | A.12.2.1 |
| 1089 | Backup copies of information, software and system images are taken and tested regularly in accordance with an agreed backup policy. | A.12.3.1 |
| 1090 | Event logs recording user activities, exceptions, faults and information security events are produced, kept and regularly reviewed. | A.12.4.1 |
| 1091 | Logging facilities and log information are protected against tampering and unauthorized access. | A.12.4.2 |
| 1092 | System administrator and system operator activities are logged, and the logs are protected and regularly reviewed. | A.12.4.3 |
| 1093 | The clocks of all relevant information processing systems within MCAP or a security domain are synchronised to a single reference time source. | A.12.4.4 |
| 1094 | Procedures are implemented to control the installation of software on operational systems. | A.12.5.1 |
| 1095 | Information about technical vulnerabilities of information systems being used is obtained in a timely fashion, MCAP's exposure to such vulnerabilities is evaluated and appropriate measures are taken to address the associated risk. | A.12.6.1 |
| 1096 | Networks are managed and controlled to protect information in systems and applications. | A.13.1.1 |
| 1097 | Security mechanisms, service levels and management requirements of all network services are identified and included in network services agreements, whether these services are provided in-house or outsourced. | A.13.1.2 |
| 1098 | Groups of information services, users and information systems are segregated on MCAP networks. | A.13.1.3 |
| 1099 | Formal transfer policies, procedures and controls are in place to protect the transfer of information through the use of all types of communication facilities. | A.13.2.1 |
| 1100 | Agreements address the secure transfer of business information between MCAP and external parties. | A.13.2.2 |
| 1101 | Information involved in electronic messaging is appropriately protected. | A.13.2.3 |
| 1102 | Requirements for confidentiality or non-disclosure agreements reflecting MCAP's needs for the protection of information are identified, regularly reviewed and documented. | A.13.2.4 |
| 1103 | Information security related requirements are included in the requirements for new information systems or enhancements to existing information systems. | A.14.1.1 |
| 1104 | Information involved in application services passing over public networks is protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. | A.14.1.2 |
| 1105 | Information involved in application service transactions is protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication or replay. | A.14.1.3 |
| 1106 | Rules for the development of software and systems are established and applied to developments within MCAP. | A.14.2.1 |
| 1107 | Changes to systems within the development lifecycle are controlled by the use of formal change control procedures. | A.14.2.2 |
| 1108 | When operating platforms are changed, business critical applications are reviewed and tested to ensure there is no adverse impact on MCAP operations or security. | A.14.2.3 |
| 1109 | Modifications to MCAP applications are discouraged, limited to necessary changes, and all changes are strictly controlled. | A.14.2.4 |
| 1110 | Principles for engineering secure systems are established, documented, maintained and applied to any information system implementation efforts. | A.14.2.5 |
| 1111 | MCAP establishes and appropriately protects secure development environments for system development and integration efforts that cover the entire system development lifecycle. | A.14.2.6 |
| 1112 | MCAP management supervises and monitors the activity of outsourced system development. | A.14.2.7 |
| 1119 | MCAP regularly monitors, reviews and audits supplier service delivery. | A.15.2.1 |
| 1120 | Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, are managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. | A.15.2.2 |
| 1121 | Responsibilities and procedures are established to ensure a quick, effective and orderly response to information security incidents. | A.16.1.1 |
| 1122 | Information security events are reported through appropriate management channels as quickly as possible. | A.16.1.2 |
| 1123 | Employees and contractors using MCAP's information systems and services are required to note and report any observed or suspected information security weaknesses in systems or services. | A.16.1.3 |
| 1124 | Information security incidents are responded to in accordance with the documented procedures. | A.16.1.5 |
| 1125 | Knowledge gained from analysing and resolving information security incidents is used to reduce the likelihood or impact of future incidents. | A.16.1.6 |
| 1126 | MCAP defines and applies procedures for the identification, collection, acquisition and preservation of information which can serve as evidence. | A.16.1.7 |
| 1127 | MCAP determines its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. | A.17.1.1 |
| 1128 | MCAP establishes, documents, implements and maintains processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. | A.17.1.2 |
| 1129 | MCAP verifies the established and implemented information security continuity controls at least annually in order to ensure that they are valid and effective during adverse situations. | A.17.1.3 |
| 1130 | Information processing facilities are implemented with redundancy sufficient to meet availability requirements. | A.17.2.1 |
| 1131 | All relevant legislative, statutory, regulatory and contractual requirements and MCAP's approach to meet these requirements are explicitly identified, documented and kept up to date for each information system and the organization. | A.18.1.1 |
| 1132 | Appropriate procedures are implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. | A.18.1.2 |
| 1133 | Records are protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements. | A.18.1.3 |
| 1134 | Privacy and protection of personally identifiable information is ensured as required in relevant legislation and regulation where applicable. | A.18.1.4 |
| 1135 | MCAP's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) is reviewed independently at planned intervals or when significant changes occur. | A.18.2.1 |
| 1136 | MCAP managers regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. | A.18.2.2 |
| 1137 | Information systems are regularly reviewed for compliance with MCAP's information security policies and standards. | A.18.2.3 |
Common Terms Definitions

| Term | Definition | Source |
|---|---|---|
| Confidentiality | Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. | 44 U.S.C., Sec. 3542 |
| Consequence | Outcome of an event affecting MCAP's objectives. An event can lead to a range of consequences. A consequence can be certain or uncertain and in the context of information security is usually negative. | ISO/IEC 27005:2011 |
| Control | Measure that is modifying risk. Controls for information security include any process, policy, procedure, guideline, practice or organizational structure, which can be administrative, technical, management, or legal in nature, which modify information security risk. | ISO/IEC 27005:2011 |
| Criticality | A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. | NIST SP 800-60 |
| Cyber Attack | An attack, via cyberspace, targeting an enterprise's use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information. | CNSSI No. 4009 |
| Cyber Security | The ability to protect or defend the use of cyberspace from cyber attacks. | CNSSI No. 4009 |
| Cyberspace | A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. | CNSSI No. 4009 |
| Event | Occurrence or change of a particular set of circumstances. An event can be one or more occurrences, and can have several causes. A negative event can sometimes be referred to as an "incident" or "accident". | ISO/IEC 27005:2011 |
| External context | External environment in which MCAP seeks to achieve its objectives. External context can include: the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local; key drivers and trends having impact on the objectives of the organization; and relationships with, and perceptions and values of, external stakeholders. | ISO/IEC 27005:2011 |
| Impact Level | The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. | CNSSI No. 4009 |
| Information Owner | Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, classification, collection, processing, dissemination, and disposal. | CNSSI No. 4009 |
| Information Resources | Information and related resources, such as personnel, equipment, funds, and information technology. | 44 U.S.C., Sec. 3502 |
| Information Security | The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. | 44 U.S.C., Sec. 3542 |
| Information System | A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. | 44 U.S.C., Sec. 3502 |
| Information System Owner | Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system. | NIST SP 800-30 |
| Integrity | Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. | 44 U.S.C., Sec. 3542 |
| Internal context | Internal environment in which MCAP seeks to achieve its objectives. Internal context can include: governance, organizational structure, roles and accountabilities; policies, objectives, and the strategies that are in place to achieve them; the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies); information systems, information flows and decision-making processes (both formal and informal); relationships with, and perceptions and values of, internal stakeholders; the organization's culture; standards, guidelines and models adopted by the organization; and form and extent of contractual relationships. | ISO/IEC 27005:2011 |
| Level of risk | Magnitude of a risk, expressed in terms of the combination of consequences and their likelihood. | ISO/IEC 27005:2011 |
| Likelihood | Chance of something happening. | ISO/IEC 27005:2011 |
| Likelihood of Occurrence | A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities. | CNSSI No. 4009 |
| Management Controls | The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security. | FIPS 200 |
| Operational Controls | The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by people (as opposed to systems). | FIPS 200 |
| Risk Analysis | Process to comprehend the nature of risk and to determine the level of risk. Risk analysis provides the basis for risk evaluation and decisions about risk treatment. | ISO/IEC 27005:2011 |
| Risk Assessment | Overall process of risk identification, risk analysis and risk evaluation. | ISO/IEC 27005:2011 |
| Risk Communication | Continual and iterative processes that MCAP conducts to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk. The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability and treatment of risk. | ISO/IEC 27005:2011 |
| Risk Criteria | Terms of reference against which the significance of a risk is evaluated. Risk criteria are based on organizational objectives, and external and internal context. | ISO/IEC 27005:2011 |
| Risk Evaluation | Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable. Risk evaluation assists in the decision about risk treatment. | ISO/IEC 27005:2011 |
| Risk Identification | Process of finding, recognizing and describing risks. Risk identification involves the identification of risk sources, events, their causes and their potential consequences. Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders' needs. | ISO/IEC 27005:2011 |
| Risk Management | Coordinated activities to direct and control an organization with regard to risk. | ISO/IEC 27005:2011 |
| Risk Treatment | Process to modify risk. Risk treatment can involve: avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; taking or increasing risk in order to pursue an opportunity; removing the risk source; changing the likelihood; changing the consequences; sharing the risk with another party or parties (including contracts and risk financing); and retaining the risk by informed choice. | ISO/IEC 27005:2011 |
| Security Policy | A set of criteria for the provision of security services. | CNSSI No. 4009 |
| Stakeholder | Person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity. | ISO/IEC 27005:2011 |
| Threat | Condition or activity that has the potential to cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization. | PCI-DSS |
Reference Values
Classification: Internal