Risk Assessment documentation templates are located within
this section. Make additional copies as needed. In a real risk
analysis process, one of the first steps is meeting with all
department managers, upper management, employee
representatives, and workers in the production environment,
human resources staff, and other staff members to get their
input. Without input from the people actually doing the work,
you might not think of essential factors. That isn't possible
here, so direct any questions you have to the instructor, or do
independent research to find your answers.
· First, identify the business processes that must continue for
the organization to keep functioning—for example, collecting
money from customers, receiving and processing sales,
developing new products, and so on. Document major business
processes that drive SunGrafix, using the Business Process
column of the Business Process Identification Worksheet. (You
need your imagination and some common sense for this step.)
Assign a priority level to each process (using the priority
rankings in the following list). Write down the department that
performs the process, and leave the Assets Used column blank
for now.
· Critical — Absolutely necessary for business operations to
continue. Loss of a critical process halts business activities.
· Necessary — Contributes to smooth, efficient operations. Loss
of a necessary process doesn't halt business operations but
degrades working conditions, slows production, or contributes
to errors.
· Desirable — Contributes to enhanced performance and
productivity and helps create a more comfortable working
environment, but loss of a desirable process doesn't halt or
negatively affect operations.
· Next, identify the organization's assets. Using the Asset
Identification Worksheet that is provided in the Course
Documents section on Blackboard, list each asset, its location,
and approximate value, if known. (For multiple identical assets,
describe the asset and list the quantity instead of listing each
individual asset.) In organization-wide risk assessments, you
would list all assets, including office furniture, industrial
equipment, personnel, and other assets. For this project, stick to
information technology assets, such as computers, servers, and
networking equipment. The information you enter depends on
the network design you completed earlier. All the equipment
needed to build your network should be listed here as well as
any cabling in the facility. (Assume the facility is already wired
for a computer network with network drops available for each
computer.) Hint: Remember to list items such as electricity and
your Internet connection.
· Next, determine which assets support each business process.
On your Business Process Identification Worksheet, list the
assets needed for each business process in the Assets Used
column.
· Each process should be documented and have a priority
assigned to it. Next, transfer the priority rankings to your Asset
Identification Worksheet. Now you know which assets are the
most critical to restore and warrant the most expense and effort
to secure. You also have the documentation to back up your
security actions for each item.
· The final step is assessing existing threats. The table below
shows examples of ways to evaluate some types of threats and
suggests ways to quantify them. On the Threat Identification
and Assessment Worksheet, list each possible threat. Be sure to
consider threats from geographic and physical factors,
personnel, malicious attack or sabotage, and accidents. Also,
examine the facility diagram you created for flaws in the
facility layout or structure that could pose a threat, such as air-
conditioning failure or loss of electrical service. Assess the
probability of occurrence (POC) on a 1 to 10 scale, with 1 being
the lowest and 10 the highest, and assign those ratings in the
POC column for each threat.
| Type of Threat | How to Quantify |
|---|---|
| Severe rainstorm, tornado, hurricane, earthquake, wilderness fire, or flood | Collect data on frequency, severity, and proximity to facilities. Evaluate the past quality and speed of local and regional emergency response systems to determine whether they helped minimize loss. |
| Train derailment, auto/truck accident, toxic air pollution caused by accident, or plane crash | Collect data on the proximity of railroads, highways, and airports to facilities. Evaluate the construction quality of transportation systems and the rate of serious accidents on each system. |
| Building explosion or fire | Collect data on the frequency and severity of past incidents. Evaluate local emergency response to determine its effectiveness. |
| Militant group attacking facilities, riot, or civil unrest | Collect data on the political stability of the region where facilities are located. Compile and evaluate a list of groups that might have specific political or social issues with the organization. |
| Computer hack (external) or computer fraud (internal) | Examine data on the frequency and severity of past incidents. Evaluate the effectiveness of existing computer security measures. |
· Next, using the Asset Identification Worksheet, determine
which assets would be affected by each threat. List those assets
in the Assets Affected column of the Threat Identification and
Assessment Worksheet. For an electrical outage, for example,
list all assets requiring electricity to operate; for a hardware
failure, list all assets a hardware failure would disrupt, damage,
or destroy.
· In the Consequence column, enter the consequences of the
threat occurring, using the following designations:
· Catastrophic (C)—Total loss of business processes or
functions for one week or more. Potential complete failure of
business.
· Severe (S)—Business would be unable to continue functioning
for 24 to 48 hours. Losses of revenue, damage to reputation or
confidence, reduction of productivity, complete loss of critical
data or systems.
· Moderate (M)—Business could continue after an interruption
of no more than 4 hours. Some loss of productivity and damage
or destruction of important information or systems.
· Insignificant (I)—Business could continue functioning without
interruption. Some cost incurred for repairs or recovery. Minor
equipment or facility damage. Minor productivity loss and little
or no loss of important data.
· Next, rate the severity of each threat in the Severity column,
using the same designations as in the preceding list for
consequences (C, S, M, or I). You derive these ratings by
combining the probability of occurrence, the asset's priority
ranking, and the potential consequences of a threat occurring.
For example, if an asset has a Critical (C) priority ranking and a
Catastrophic (C) consequence rating, it has a Catastrophic (C)
severity rating. If you have mixed or contradictory ratings, you
need to re-evaluate the asset and use common sense. A terrorist
attack that destroys the facility and kills half the staff might
have a probability of occurrence (POC) of only 1 (depending on
your location), but if it happened, the consequences would
definitely be catastrophic. Even so, because of the low POC, you
wouldn't necessarily rank its severity as catastrophic.
· Finally, on the Threat Mitigation Worksheet, list assets that
are ranked as the most critical and threatened with the highest
severity. In the Mitigation Techniques column, list
recommendations for mitigating threats to those assets. For
example, to mitigate the threat of an electrical outage damaging
a critical server, you might suggest a high-end uninterruptible
power supply (UPS).
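The worksheet chain described above, as an added example that is not part of the original handout: it transfers process priorities to assets, fills in Assets Affected for each threat, and shortlists rows for the Threat Mitigation Worksheet. The processes, assets, dependency tags, threats and ratings are constructed sample data, and giving an asset the highest priority among the processes that use it is an assumption; consequence and severity remain analyst-assigned inputs.

```python
# Added example: joins the handout's worksheets. All data is constructed.
PRIORITY_RANK = {"C": 0, "N": 1, "D": 2}           # Critical, Necessary, Desirable
SEVERITY_RANK = {"C": 0, "S": 1, "M": 2, "I": 3}   # Catastrophic .. Insignificant

# Business Process Identification Worksheet:
# (process, priority, department, assets used)
PROCESSES = [
    ("Process customer orders", "C", "Sales",
     ["Web server", "Database server", "Internet connection", "Electricity"]),
    ("Develop new designs", "N", "Design",
     ["Design workstations", "File server", "Electricity"]),
    ("Publish staff newsletter", "D", "Human Resources",
     ["File server", "Electricity"]),
]

# Asset Identification Worksheet: asset -> what it depends on (hypothetical tags)
ASSETS = {
    "Web server": {"power", "hardware"},
    "Database server": {"power", "hardware"},
    "File server": {"power", "hardware"},
    "Design workstations": {"power", "hardware"},
    "Lobby display": {"power", "hardware"},   # used by no listed process
    "Internet connection": {"isp"},
    "Electricity": {"utility"},
}

# Threat Identification and Assessment Worksheet. Consequence and severity
# are the analyst's judgment calls; the script does not derive them.
THREATS = [
    {"threat": "Electrical outage", "poc": 6, "hits": "power",
     "consequence": "S", "severity": "S"},
    {"threat": "Building fire", "poc": 1, "hits": "hardware",
     "consequence": "C", "severity": "S"},   # low POC tempers the rating
    {"threat": "ISP outage", "poc": 5, "hits": "isp",
     "consequence": "M", "severity": "M"},
]


def asset_priorities(processes, assets):
    """Transfer process priorities to assets (assumption: highest one wins)."""
    result = {name: "N/A" for name in assets}
    for _process, priority, _dept, used in processes:
        for name in used:
            if name not in assets:
                raise ValueError(f"{name!r} is not on the asset worksheet")
            current = result[name]
            if current == "N/A" or PRIORITY_RANK[priority] < PRIORITY_RANK[current]:
                result[name] = priority
    return result


def check_threat(row):
    """Reject rows that break the worksheet's scales."""
    if not (isinstance(row["poc"], int) and 1 <= row["poc"] <= 10):
        raise ValueError(f"{row['threat']}: POC must be an integer from 1 to 10")
    for column in ("consequence", "severity"):
        if row[column] not in SEVERITY_RANK:
            raise ValueError(f"{row['threat']}: {column} must be C, S, M or I")


def assets_affected(row, assets):
    """Fill in the Assets Affected column for one threat."""
    return sorted(name for name, needs in assets.items() if row["hits"] in needs)


def mitigation_shortlist(processes, assets, threats):
    """Critical assets facing the most severe rating found among them."""
    priorities = asset_priorities(processes, assets)
    pairs = []
    for row in threats:
        check_threat(row)
        for name in assets_affected(row, assets):
            if priorities[name] == "C":
                pairs.append((name, row["threat"], row["poc"], row["severity"]))
    if not pairs:
        return []
    worst = min(SEVERITY_RANK[p[3]] for p in pairs)
    top = [p for p in pairs if SEVERITY_RANK[p[3]] == worst]
    return sorted(top, key=lambda p: (-p[2], p[0]))   # likeliest threats first


if __name__ == "__main__":
    for asset, threat, poc, sev in mitigation_shortlist(PROCESSES, ASSETS, THREATS):
        print(f"{asset:<18} {threat:<18} POC={poc} severity={sev}")
```

An asset that no process uses keeps the N/A priority, which is a prompt to check whether a business process was missed on the first worksheet.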
Threat Mitigation Worksheet
Form # TM01
Page ____ of _____
Business Name:
Address:
Facility # 001
Contact:
Phone number:
E-mail:

| Asset | Threat | Mitigation Techniques |
|---|---|---|

Threat Identification and Assessment Worksheet
Form # TIDA01
Page ____ of _____
Business Name:
Address:
Facility # 001
Contact:
Phone number:
E-mail:

| Threat | POC | Assets Affected | Consequence (C, S, M, I) | Severity (C, S, M, I) |
|---|---|---|---|---|
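
Asset Identification Worksheet
Form # AID01
Page ____ of _____
Business Name:
Address:
Facility # 001
Contact:
Phone Number:
E-mail:

| Asset | Quantity | Department or Location | Value | Priority |
|---|---|---|---|---|
| | | | | C N D N/A |
| | | | | C N D N/A |
| | | | | C N D N/A |
| | | | | C N D N/A |
| | | | | C N D N/A |
| | | | | C N D N/A |
| | | | | C N D N/A |
| | | | | C N D N/A |
| | | | | C N D N/A |
| | | | | C N D N/A |
| | | | | C N D N/A |

Business Process Identification Worksheet
Form # BPID01
Page ____ of _____
Business Name:
Address:
Facility # 001
Contact:
Phone number:
E-mail:

| Business Process | Priority | Department | Assets Used |
|---|---|---|---|
| | C N D N/A | | |
| | C N D N/A | | |
| | C N D N/A | | |
| | C N D N/A | | |
| | C N D N/A | | |
| | C N D N/A | | |
| | C N D N/A | | |
| | C N D N/A | | |
| | C N D N/A | | |
| | C N D N/A | | |
| | C N D N/A | | |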