risk assessment report and risk treatment plan -...
TRANSCRIPT
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 1 of 98
Risk Assessment Report and Risk Treatment Plan
Jabatan Laut Malaysia
RESTRICTED Release Version: 1.3
Document Number: JLM -IT-RPT-02
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 2 of 98
1.0 DOCUMENT INFORMATION Document Type Report
Document Number:
JLM -IT-RPT-02
File Name Risk Assessment Report and Risk Treatment Plan
Document Version 1.3
Effective Date 20 December 2013
Prepared by Name
Azizul Halimi Husain
Date: 12 December 2013
Signature:
Reviewed By Name
Ahmad Kamil Bin Hassan Rabein
17 December 2013
Signature:
Approved by Name
Roslee bin Mat Yusof
Date: 20 December 2013 Signature:
Document Distribution All Departments
2.0 CHANGE HISTORY Version Date Prepared/Amended by Remarks Approved By
1.0 3 May 2012 Azizul Halimi Husain Final JPICT
1.1 27 December 2012 Azizul Halimi Husain Final Roslee bin Mat Yusof
1.2 15 January 2013 Azizul Halimi Husain Final Roslee bin Mat Yusof
1.3 20 December 2013 Azizul Halimi Husain Final Roslee bin Mat Yusof
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 3 of 98
TABLE OF CONTENTS
1.0 DOCUMENT INFORMATION 2
2.0 CHANGE HISTORY 2
3.0 PURPOSE 5
4.0 SCOPE 5
5.0 RISK ASSESSMENT APPROACH 5
6.0 DEFINITION AND MATRIX 5
6.1 DEFINITIONS 5
6.2 ASSET VALUE 6
6.3 RISKS ASSESSMENT 10
6.3.1 HARDWARE 10
6.3.2 SOFTWARE 31
6.3.3 PEOPLE 35
6.3.4 DOCUMENTS 39
6.3.5 APPLICATION 56
6.4 RISKS ASSESSMENT REPORT 57
6.4.1 DATA CENTRE 57
6.4.2 DISASTER RECOVERY CENTRE 67
6.5 RISKS TREATMENT PLAN 76
6.5.1 DATA CENTRE 76
6.5.2 DISASTER RECOVERY CENTRE 88
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 4 of 98
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 5 of 98
3.0 PURPOSE The purpose of this risk assessment is to evaluate the adequacy of the IT facilities,
system and information security. This risk assessment provides a structured
qualitative assessment of the operational and data centre environment. It addresses
sensitivity, threats, vulnerabilities, risks and the treatments. The assessment
recommends controls to mitigate threats and associated exploitable vulnerabilities.
4.0 SCOPE The scope of this risk assessment was limited to the security controls applicable in
the areas of computer hardware and software, data, operations, administration,
management, information, facilities, communication, personnel, and contingency
under IT and IT Operations & Support area of responsibilities.
5.0 RISK ASSESSMENT APPROACH The risk assessment conducted was in accordance with the methodology described
in Information Security Risk Management guideline (ISO 27005). The methodology
used to conduct this risk assessment is qualitative and quantitative and no attempt
was made to determine any annual loss expectancies, asset cost projections, or
cost-effectiveness of risk treatment recommendations.
6.0 DEFINITION AND MATRIX 6.1 DEFINITIONS
1) Identified assets covered within the scope of the policy. E.g.:
a. Information assets: databases, system documentation,
operational/support procedures, archived information
b. Software assets: application software, system software, development
tools
c. Physical assets: computer equipment, communication equipment,
storage media, technical equipment, furniture
d. Services: lighting, heating, air-conditioning, power supply,
housekeeping
2) Confidentiality: Preserving authorized restrictions on information access and disclosure,
including means for protection personal privacy and proprietary information
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 6 of 98
3) Integrity: Guarding against improper information modification or destruction, and
includes ensuring information non-repudiation and authenticity
4) Availability: Ensuring timely and reliable access to and use of information
5) Threats are dangerous actions that can cause harm. The degree of threat
depends on the attacker's Skills, Knowledge, Resources, Authority, and
Motives.
6) Vulnerabilities are weaknesses in victims that allow a threat to become
effective.
6.2 ASSET VALUE The formula used for determining Asset Value is:
Asset Value (AV) = Confidentiality ( C ) x Impact ( I ) x Availability ( A )
The table below shows the classification of Confidentiality, Integrity and Availability in the scale of Low to Critical.
Confidentiality ( C )
1 - Low 2 - Medium 3 - High 4 - Critical
Not classified The unauthorized
disclosure of information will not
have adverse effect on organizational
operations, organizational assets,
or individuals
Restricted The unauthorized
disclosure of information could be expected to have a
limited adverse effect on organizational
operations, organizational assets,
or individuals
Confidential The unauthorized
disclosure of information could be expected to have a
serious adverse effect on organizational
operations, organizational assets,
or individuals
Secret The unauthorized
disclosure of information could be expected to have a
severe or catastrophic adverse effect on
organizational operations,
organizational assets, or individuals
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 7 of 98
Integrity ( I ) 1 - Low 2 - Medium 3 - High 4 - Critical
The modification or destruction of
information will not have adverse effect on
organizational operations,
organizational assets, or individuals
The modification or destruction of
information could be expected to have a
limited adverse effect on organizational
operations, organizational assets,
or individuals
The modification or destruction of
information could be expected to have a
serious adverse effect on organizational
operations, organizational assets,
or individuals
The modification or destruction of
information could be expected to have a
severe or catastrophic adverse effect on
organizational operations,
organizational assets, or individuals
Availability ( A )
1 - Low 2 - Medium 3 - High 4 - Critical
The disruption of access to or use of information or an
information system will not have adverse effect
on organizational operations,
organizational assets, or individuals
The disruption of access to or use of information or an
information system could be expected to
have a limited adverse effect on organizational
operations, organizational assets,
or individuals
The disruption of access to or use of information or an
information system could be expected to
have a serious adverse effect on organizational
operations, organizational assets,
or individuals
The disruption of access to or use of information or an
information system could be expected to
have a severe or catastrophic adverse
effect on organizational operations,
organizational assets, or individuals
Asset Value Matrix:
Confidentiality Integrity
Availability Low ‐ 1
Medium ‐ 2
High ‐ 3
Critical ‐ 4
Low ‐ 1 1 2 3 4 1 ‐ Low
Medium ‐ 2 4 8 12 16 2 ‐ Medium
High ‐ 3 9 18 27 36 3 ‐ High
Critical ‐4 16 32 48 64 4 ‐ Critical
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 8 of 98
Asset Value Score:
Asset Value (AV) = C x I x A
Score Asset Value Description
48‐64 4 Critical (a severe or catastrophic adverse effect)
27‐47 3 High (a serious adverse effect)
8‐26 2 Medium (a limited adverse effect)
1‐7 1 Low (no adverse effect)
Risk Rating: Probability (P)
Rating Levels of
Occurrence Description
4 Certain Projected to occur more than four times in the next 12 months
3 Likely Projected to occur at least once in the next 12 months
2 Possible Some likelihood of occurrence at least once in the next 3 years
1 Unlikely Low potential of occurrence
Impact (I)
Rating Level Description
4 Severe Extended outage, permanent loss of resource, triggering business continuity procedures, complete compromise of information, operational delay > 6 weeks
3 High Considerable system outage, loss of connected customers, business confidence, compromise of large amount information, operational delay between 4 to 6 weeks
2 Moderate Small but tangible harm, maybe noticeable by a limited audience, some embarrassment, some effort to repair, operational delay between 2 to 4 weeks
1 Low Minimal effort to repair, restore or reconfigure, operational delay between 1 to 2 weeks
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 9 of 98
Risk Matrix
Impact
Probability Asset
Unlikely ‐ Possible ‐ Likely ‐ Certain ‐ Value
1 2 3 4
Severe ‐ 4 16 32 48 64 4 – Critical
High ‐ 3 9 18 27 36 3 – High
Moderate ‐ 2 4 8 12 16 2 – Medium
Low ‐ 1 1 2 3 4 1 – Low
Net Risks = Gross Risks – Controls (Treatment)
Gross Risks = P x I x AV
Score Risk Level Action Required
33‐64 High
There is a strong need for corrective measures. An existing system may continue to operate, but a treatment plan must be put in place as soon as possible.
10‐32 Medium
Corrective actions are needed and a treatment plan must be developed to incorporate these actions within a reasonable period of time (treatment plan is not required if Management decided to retain/accept the risk).
1‐9 Low The system’s Authorizing Official must determine whether corrective actions are still required or decide to accept the risk.
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 10 of 98
6.3 RISKS ASSESSMENT
6.3.1 HARDWARE
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
SERVER MOT/IPLP/H/08/138
SCN784000Z6 SCN7843025D SCN7843025K SCN7843025C
HP Proliant BL460C
4 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Blade Server
4 4 4 64 Critical‐4
SERVER MOT/IPLP/H/08/139
SGH831XCE4 C7000
Blade
Enclosure
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Blade Enclosure
4 4 4 64 Critical‐4
SERVER MOT/IPLP/H(S1)/08/24
SGH826Y1P8 HP Proliant DL580G6
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Backup Email
2 2 2 8 Medium‐2
SERVER ‐ ‐ VMWare
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Database MAPASS
4 4 4 64 Critical‐4
SERVER ‐ ‐ VMWare
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
AFIS 4 2 4 32 High‐3
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 11 of 98
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
SERVER ‐ ‐ VMWare
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Marine 45 New (SDPX)
4 4 4 64 Critical‐4
SERVER ‐ ‐ VMWare
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Online Payment
4 4 4 64 Critical‐4
SERVER ‐ ‐ VMWare
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
SHIP 4 4 4 64 Critical‐4
SERVER VMWare
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
MARINE23(SPK)
4 4 4 64 Critical‐4
SERVER ‐ SGH845X8V8 HP Proliant ML351
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
SDPX DAYABU
MI
1 1 1 1 Low‐1
SERVER MOT/IPLP/H/07/100
SSGH73606PC HP XW4400 WORKSTATION
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
DOKUMEN ISMS
4 4 1 16 Medium‐2
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 12 of 98
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
SERVER
MOT/IPLP/H(S1)/08/10
1
SSGH845X8V4
HP PROLIANT ML350
1 Data
Center, UTMKE
UTMKE Jabatan Laut
Malaysia STAND BY
1 1 1 1 Low‐1
SERVER JPM/ICU/H/2012(475)
SGH311PAV5
HP DL 120 G7
PLUGGABLE
4LFF CTO SERVER
1 Data
Center, UTMKE
ICU JPM ICU JPM SERVER INTEGRASI BLESS
2 4 4 32 High‐3
SERVER MOT/IPLL/H/13/26
8YX0GY1
DELL POWEREDGE R620
1 Data
Center, UTMKE
LEMBAGA DIUS API
Jabatan Laut
Malaysia
Sistem Aset
( eSPA)
3 3 2 18 Medium‐2
SERVER MOT/IPLP/H(S1)/08/34
CN782601F9 HP Proliant ML350
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Primary DNS
2 2 4 16 Medium‐2
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 13 of 98
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
SERVER MOT/IPLP/H(S1)/08/40
2W3H72S DELL Poweredge
R310
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Primary (e‐BKP)
3 3 4 36 High‐3
SERVER IPL/SERVER/2003‐01
CTS981S DELL PowerEdge
2650
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
SOPHOS 3 3 3 27 High‐3
SERVER MOT/IPLP/H(S1)/08/32
CN782601EM HP Proliant ML350
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
SECONDARY DHCP
1 1 1 1 Low‐1
SERVER
‐ ‐ VMWare
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
JALIN & Web
4 4 4 64 Critical‐4
SERVER ‐ ‐ VMWare
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Online Payment
SCS
4 4 4 64 Critical‐4
SERVER Tiada Tiada VM WARE
1 Data
Center, UTMKE
UTMKE Jabatan Laut
Malaysia
STAGGING SERVER
2 2 2 8 Medium‐2
SERVER Tiada Tiada VM WAR
1 Data
Center, UTMKE
Jabatan Laut
WEBSERVER
4 4 4 64 Critical‐4
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 14 of 98
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
E UTMKE Malaysia
SERVER Tiada Tiada VM WARE
1 Data
Center, UTMKE
UTMKE Jabatan Laut
Malaysia
VCENTER 41
3 3 3 27 High‐3
UPS MOT/IPLP/H/08/141
105J35001 UPS System
MGE Galaxy
3000
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Backup AC Power
Data Center
1 1 4 4 Low‐1
UPS ‐ 20042266
Frontier RAID 3000 UPS
1 DRC, ILPPPL
ILPPPL Jabatan Laut
Malaysia
Backup AC Power
DRC
1 1 4 4 Low‐1
GENSET IPL/A04/UPS/2004/1
854485 PRAMAC GSW ‐
Genset DRUTZ‐BF6
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Genset 1 1 4 4 Low‐1
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 15 of 98
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
M 1013K
AIRCOND MOT/IPLP/H/08/135
CMGEA‐0144/08
CITEC
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Precision Air Cond
1 2 4 8 Medium‐2
AIRCOND MOT/IPLP/H/08/134
CMGEA‐0145/08
CITEC
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Precision Air Cond
1 2 4 8 Medium‐2
AIRCOND ‐ ‐ YORK 2.5 HP 1
DRC, ILPPPL ILPPPL
Jabatan Laut
Malaysia Air Cond
1 2 4 8 Medium‐2
AIRCOND ‐ ‐ YORK 2.5 HP 1
DRC, ILPPPL ILPPPL
Jabatan Laut
Malaysia Air Cond
1 2 4 8 Medium‐2
DOOR ACCESS
MOT/IPLP/H/08/140
T800296 Door Access
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Door Access Data Center
3 3 4 36 High‐3
DOOR ACCESS
SSGH836YPFH
MICRO
ENGINE
1 DRC, ILPPPL
ILPPPL Jabatan Laut
Malaysia
Door Access DRC
3 3 4 36 High‐3
SERVER MOT/IPLP/H(S1)/08/27
CN782601EC HP Proliant
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Primary DHCP
3 3 4 36 High‐3
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 16 of 98
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
ML350
SERVER MOT/IPLP/H(S1)/10/14
SGH034XSCY HP Proliant DL380G7
1 Data Center, UTMKE
LEMBAGA DIUS API
Jabatan Laut
Malaysia
Sistem Aset
( eSPA)
3 3 2 18 Medium‐2
SERVER MOT/IPLP/H(S1)/08/39
3W3H72S DELL Poweredge
R311
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Backup (e‐BKP)
3 3 2 18 Medium‐2
SERVER MOT/IPLP/H(S1)/08/35
407LLGRJ33 HP Proliant ML110
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Secondary DNS
2 3 2 12 Medium‐2
SERVER Tiada Tiada VM WARE
1 Data
Center, UTMKE
UTMKE Jabatan Laut
Malaysia
INTEGRATION SCS
4 4 4 64 Critical‐4
APPLIANCE MOT/IPLP/H/08/147
BAR‐SF‐136832
Barracuda
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Anti Spam 2 2 4 16 Medium‐2
Hardware MOT/IPLP/H(K38)/09/
L3ACY7N Lenovo
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
MCTG 2 2 1 4 Low‐1
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 17 of 98
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
72
NETWORK MOT/IPLP/H/08/147
210235A37FX087000028
3Com
Core Switch
S7906E
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Core Switch
2 3 4 24 Medium‐2
NETWORK ‐ A034G112800
179AC
ALLIED
TELESIS AR 7705
1 Data
Center, UTMKE
UTMKE GITN ROUTER EG*NET
4 4 4 64 Critical‐
4
NETWORK ‐ NS1149C3477
ALCATEL LUCENT 7210 SAS‐E
1 Data
Center, UTMKE
UTMKE GITN ROUTER EG*NET
4 4 4 64 Critical‐
4
NETWORK ‐ LR2012010019
76
EXINDA 4010 SERIE
1 Data
Center, UTMKE
UTMKE GITN ROUTER EG*NET
4 4 4 64 Critical‐
4
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 18 of 98
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
S
NETWORK ‐ NS1149C3554
ALCATEL LUCENT AR 7210 SAS‐E
1 Data
Center, UTMKE
UTMKE TELEKOM MALAYSI
A
ROUTER 1*NETWORK
4 4 4 64 Critical‐
4
NETWORK ‐ CN1800X01K
HP AMSR 50‐60 ROUTER
1 Data
Center, UTMKE
UTMKE SOLSIS (M) SDN BHD
ROUTER 1*NETWORK
4 4 4 64 Critical‐
4
NETWORK 9KAFA8MFEA7
00
3Com
Core Switch
Superstack 4 Switch550
1 DRC, ILPPPL
ILPPPL Jabatan Laut
Malaysia
Core Switch
2 3 4 24 Medium‐2
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 19 of 98
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
0G‐E1‐24 Port
NETWORK ‐
ALLIED
TELESIS AR 7705
1 DRC, ILPPPL
ILPPPL GITN ROUTER EG*NET
4 4 4 64 Critical‐
4
NETWORK ‐ 0006B112281
0
Sonicwall PRO 2040
1 DRC, ILPPPL
ILPPPL GITN FIREWALL 1 1 1 1 Low‐1
NETWORK ‐ 3C13G12
ROUTER 3012 3COM
1 DRC, ILPPPL
ILPPPL GITN ROUTER EG*NET
4 4 4 64 Critical‐
4
NETWORK ‐ 15H02378
TELLABS 8120 MINI NODE M
1 DRC, ILPPPL
ILPPPL TELEKOM MALAYSI
A
ROUTER 1*NETWORK
4 4 4 64 Critical‐
4
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 20 of 98
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
NETWORK ‐ 15H00400
TELLABS 8110 NETWORK TERMINATING
UNIT
1 DRC, ILPPPL
ILPPPL TELEKOM MALAYSI
A
ROUTER 1*NETWORK
4 4 4 64 Critical‐
4
NETWORK ‐ JF233A
HP A‐MSR 30‐16 ROUTER
1 DRC, ILPPPL
ILPPPL SOLSIS (M) SDN BHD
ROUTER 1*NETWORK
4 4 4 64 Critical‐
4
NETWORK ‐
9J8F9EKAFE660
9J8F9WM6F8EA2
9J8K9EKAFFFE6
3com
3CR17333-91 Switch
4210 26
3 DRC, ILPPPL
ILPPPL Jabatan Laut
Malaysia
Network Switch
4 4 4 64 Critical‐
4
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 21 of 98
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
Port
NETWORK ‐ ‐
Network Switch
2 DRC, ILPPPL
ILPPPL Jabatan Laut
Malaysia
Network Switch
4 4 4 64 Critical‐
4
FIRE FIGHTING
MOT/IPLP/H/08/136
ATM 348416 FM 200
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Fire fighting system
2 4 3 24 Medium‐2
FIRE FIGHTING
‐ ‐
CO2 Fire Suppresion
System
3 DRC, ILPPPL
ILPPPL Jabatan Laut
Malaysia
Fire fighting system
2 4 3 24 Medium‐2
CCTV CAMERA
MOT/IPLP/H/08/142
T800297 4 CHANNEL DIGITAL VIDEO
RECORDER
1 Data Center, UTMKE
UNIT PENGURUSAN ASET
Jabatan Laut
Malaysia
CCTV FOR DATA CENTER
2 2 4 16 Medium‐2
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 22 of 98
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
SERVER ‐ ‐ VMWare
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
CMPortal 2 2 2 8 Medium‐2
SERVER
MOT/IPLP/H(S1)/08/11
0
SGH845X8VD
HP Proliant ML350
1 Data
Center, UTMKE
UTMKE Jabatan Laut
Malaysia
SERVER SDPX
MELAKA
1 1 1 1 Low‐1
SERVER Tiada Tiada VM WARE
1 Data
Center, UTMKE
UTMKE Jabatan Laut
Malaysia
RPM INTEGRAT
ION
4 4 4 64 Critical‐4
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 23 of 98
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
SERVER Tiada Tiada VM WARE
1 Data
Center, UTMKE
UTMKE Jabatan Laut
Malaysia
CLCBCC/LAYAR/ISP
S
4 2 4 32 High‐3
SERVER MOT/IPLP/H(S1)08/23
SGH826Y1P6
HP Proliant DL580 G5
1 DRC, ILPPPL
ILPPPL Jabatan Laut
Malaysia SDPX
2 2 4 16 Medium‐2
SERVER MOT/IPLP/H(S1)08/26
SGH826Y1PB
HP Proliant DL580 G5
1 DRC, ILPPPL
ILPPPL Jabatan Laut
Malaysia AFIS
2 2 4 16 Medium‐2
SERVER IPL/SERVER/2003‐05
HTS981S
Dell PowerEdge
2650
1 DRC, ILPPPL
ILPPPL Jabatan Laut
Malaysia
JALIN & WEB
2 2 4 16 Medium‐2
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 24 of 98
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
SERVER MOT/IPLP/H(S1)08/33
CN782601E7
HP ProLiant ML350
1 DRC, ILPPPL
ILPPPL Jabatan Laut
Malaysia SHIP
2 2 4 16 Medium‐2
SERVER MOT/IPLP/H(S1)08/31
CN782601EN
HP ProLiant ML350
1 DRC, ILPPPL
ILPPPL Jabatan Laut
Malaysia MAPASS
2 2 4 16 Medium‐2
SERVER IPL/SERVER/2003‐02
DTS981S
Dell PowerEdge
2650
1 DRC, ILPPPL
ILPPPL Jabatan Laut
Malaysia DNS
2 2 4 16 Medium‐2
APPLIANCE MOT/IPLP/H/08/153
SGH841XXYJ
HP EVA 4000 Storage Server
1 Data
Center, UTMKE
UTMKE Jabatan Laut
Malaysia
SAN Storage
1 1 1 1 Low‐1
APPLIANCE MOT/IPLP/H/0
SGH841XXYK HP
Stora1
Data Center,
UTMKE Jabatan Laut
Storage Works
1 1 1 1 Low‐1
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 25 of 98
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
8/153‐1 ge Works
UTMKE Malaysia
APPLIANCE
MOT/IPLP/H/08/154‐01
USB840XYR6 USB840XYSN
HP Storage
Works
4/16 SAN Switch
2 Data
Center, UTMKE
UTMKE Jabatan Laut
Malaysia
SAN Switch
1 1 1 1 Low‐1
APPLIANCE MOT/IPLP/H/08/149
JM 9 Tippingpoint IPS
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Intrusion Prevention System
1 1 1 1 Low‐1
APPLIANCE MOT/IPLP/H/08/146
79082008000219
Juniper ISG2000
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Firewall 1 1 1 1 Low‐1
APPLIANCE MOT/IPLP/H/08/144
SGH841XXYK HP Storage
Works
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Tape Library
1 1 1 1 Low‐1
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 26 of 98
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
MSL4048 Tape Library
APPLIANCE MOT/IPLP/H/08/148
ITW0601‐0208 NAGIOS
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Environment
Monitoring System
1 1 1 1 Low‐1
APPLIANCE MOT/IPLP/H/08/148‐01
ITW0602‐0209 Climate Monitor WxGoos‐2
1 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Climate Monitorin
g
1 1 1 1 Low‐1
APPLIANCE MOT/IPLP/H/08/145
200‐0258‐15 REV A
F5 Load Balancer
2 Data Center, UTMKE
UTMKE Jabatan Laut
Malaysia
Load Balancer
1 1 1 1 Low‐1
APPLIANCE
MOT/IPLP/H/08/153‐02
MOT/IP
2FDRF2S GDDRF2S
COMPELLENT SC800
2 Data
Center, UTMKE
KPP UTMKE
Jabatan Laut
Malaysia
SAN STORAGE
4 4 4 64 Critical‐4
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 27 of 98
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
LP/H/08/153‐03
CONTROLLER
APPLIANCE
MOT/IPLP/H/08/153‐04
FDDRF2S
COMPELLENT SC220
ENCLOSURE
1 Data
Center, UTMKE
KPP UTMKE
Jabatan Laut
Malaysia
SAN STORAGE
4 4 4 64 Critical‐4
APPLIANCE
MOT/IPLP/H/08/154‐02
MOT/IPLP/H/08/154‐03
3X5Y7P1 3Y5Y7P1
BROCADE 300 BUNDLE SAN SWITCH
2 Data
Center, UTMKE
KPP UTMKE
Jabatan Laut
Malaysia
SAN STORAGE
4 4 4 64 Critical‐4
APPLIANCE ‐ LR2010050023
85
BARRACUDA NG FIREWALL
1 Data
Center, UTMKE
UTMKE
TECHNOLOGY PARK MALAYSI
A
FIREWALL
4 4 4 64 Critical‐4
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 28 of 98
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
F200
Workstation
HP XW4400 Workstation
1 PEJABAT KETUA
PENGARAH LAUT
TN. HJ. BAHARIN BIN DATO' ABD
HAMID
Jabatan Laut
Malaysia
Kerja Pejabat
4 3 3 36 High‐3
Workstation MOT/IPLP/H(K38)/07/114
SSGH73606S7 HP XW4400 Workstation
1 BAHAGIAN
KHIDMAT PENGURU
SAN
ZAINAL FITRI BIN
ZAINAL
JABATAN LAUT
MALAYSIA
Kerja Pejabat
2 3 3 18 Medium‐2
Workstation MOT/IPLP/H(K38)/07/113
SSGH73606SL HP XW4400 Workstation
1 BAHAGIAN
KHIDMAT PENGURU
SAN
FARID BIN
MUSLEH
JABATAN LAUT
MALAYSIA
Kerja Pejabat
2 3 3 18 Medium‐2
Workstation MOT/IPLP/H(K38)/07/109
SSGH73606SP HP XW4400 Workstation
1 BAHAGIAN
KHIDMAT PENGURU
SAN
FARAH NEEDRA BINTI HASHIBULLAH
JABATAN LAUT
MALAYSIA
Kerja Pejabat
2 3 3 18 Medium‐2
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 29 of 98
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
Workstation MOT/IPLP/H(K38)/07/164
SSGH73606SG HP XW4400 Workstation
1 BAHAGIAN
KHIDMAT PENGURU
SAN
VALERIAN SHEM DONGG
OT
JABATAN LAUT
MALAYSIA
Kerja Pejabat
3 3 3 27 High‐3
Workstation MOT/IPLP/H(K38)/07/165
SSGH73606T4 HP XW4400 Workstation
1 BAHAGIAN
KHIDMAT PENGURU
SAN
YUSNIZA BINTI ZAKARIA
JABATAN LAUT
MALAYSIA
Kerja Pejabat
2 3 3 18 Medium‐2
Workstation MOT/IPLP/H(K38)/07/115
SSGH73606SN HP XW4400 Workstation
1 BAHAGIAN
KHIDMAT PENGURU
SAN
AZIZUL HALIMI BIN
HUSAIN
JABATAN LAUT
MALAYSIA
Kerja Pejabat
3 3 3 27 High‐3
Workstation MOT/IPLP/H(K38)/07/162
SSGH73606SF HP XW4400 Workstation
1 BAHAGIAN
KHIDMAT PENGURU
SAN
AHMAD KAMIL BIN
HASSAN RABEIN
JABATAN LAUT
MALAYSIA
Kerja Pejabat
4 3 3 36 High‐3
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 30 of 98
Asset Value
Type of Asset Asset No (Pendaftaran)
Serial Number Name of
Asset QTY Department
Name of Owner
Owner of Asset
Function Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE( CIA )
Asset Value ( AV )
Workstation MOT/IPLP/H(K38)/07/173
SSGH73606T8 HP XW4400 Workstation
1 BAHAGIAN
KHIDMAT PENGURU
SAN
NUR HANINI BINTI ABDUL HADI
JABATAN LAUT
MALAYSIA
Kerja Pejabat
2 2 1 4 Low‐1
Workstation Tiada Tiada Tiada
1
BAHAGIAN
KHIDMAT PENGURU
SAN
NOOR AZRI BINTI ABDUL LATIP
Jabatan Laut
Malaysia
Kerja Pejabat
2 2 1 4 Low‐1
Workstation Tiada Tiada Tiada
1
BAHAGIAN
KHIDMAT PENGURU
SAN
MUSYARRAF BIN
MAZLAN
Jabatan Laut
Malaysia
Kerja Pejabat
2 2 1 4 Low‐1
Workstation MOT/IPLP/H(K38)/07/134
SSGH73606T2 HP XW4400 Workstation
1 BAHAGIAN
KHIDMAT PENGURU
SAN
SHAIRA BINTI
HASHIM
JABATAN LAUT
MALAYSIA
Kerja Pejabat
2 3 3 18 Medium‐2
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 31 of 98
6.3.2 SOFTWARE Asset Value
SERIAL NO
NAME OF THE ASSET
QTY LOCATION INSTALLED‐ DIV/UNIT
APPLICATION / SOFTWARE OWNER
DEPARTMENT FUNCTION Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE ( CIA )
Asset Value ( AV )
AQA00113497 AQA00113505 AQA00113529 AQA00113500
BROCADE LICENSE 8 PORT ACTIVATION
4 UTMKE KPP UTMKE JABATAN LAUT
MALAYSIA
LICENSE BROCADE 8 PORT
ACTIVATION 3 4 4 48 Critical‐4
Licenses Microsoft SQL Server 2008
15 UTMKE KPP UTMKE JABATAN LAUT
MALAYSIA
Microsoft SQL Server 2008
3 3 4 36 High‐3
Licenses
Microsoft Windows Server
2003 R2 SP2(VM)
5 UTMKE KPP UTMKE JABATAN LAUT
MALAYSIA
Microsoft Windows Server 2003 R2
SP2(VM) 3 3 4 36 High‐3
Licenses
Microsoft Windows Server 2008 R2 SP2
(SDPX)
15 UTMKE (SDPX SERVER)
KPP UTMKE JABATAN LAUT
MALAYSIA
Microsoft Windows Server 2008 R2 SP2
(SDPX) 3 3 4 36 High‐3
Licenses VMware 1 UTMKE KPP UTMKE JABATAN LAUT
MALAYSIA VMware 3 3 4 36 High‐3
1187‐5008‐5049‐2739‐
Adobe Cold Fudsion
Standard 9.0 1 UTMKE KPP UTMKE
JABATAN LAUT
MALAYSIA
Adobe Cold Fudsion Standard 9.0
3 3 4 36 High‐3
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 32 of 98
Asset Value
SERIAL NO
NAME OF THE ASSET
QTY LOCATION INSTALLED‐ DIV/UNIT
APPLICATION / SOFTWARE OWNER
DEPARTMENT FUNCTION Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE ( CIA )
Asset Value ( AV )
8638‐6222
OEM Windows XP Professional
115 UTMKE (NB
&WS) KPP UTMKE
JABATAN LAUT
MALAYSIA
Windows XP Professional
2 1 1 2 Low‐1
OEM
Microsoft Office 2007
Professional (NB &WS)
115 UTMKE (NB
&WS) KPP UTMKE
JABATAN LAUT
MALAYSIA
Microsoft Office 2007 Professional
(NB &WS) 2 1 1 2 Low‐1
Licenses Adobe
Coldfusion 8 1 UTMKE KPP UTMKE
JABATAN LAUT
MALAYSIA Adobe Coldfusion 8 2 1 2 4 Low‐1
Free CENTOS 1 UTMKE KPP UTMKE JABATAN LAUT
MALAYSIA CENTOS 1 1 1 1 Low‐1
Free Xampp 1 UTMKE KPP UTMKE JABATAN LAUT
MALAYSIA Xampp 1 1 1 1 Low‐1
J86RF‐8PWYM‐FJ84M‐BH6PH‐PKBFX
Microsoft Windows 2008
Server 1 UTMKE KPP UTMKE
JABATAN LAUT
MALAYSIA
Microsoft Windows 2008 Server
2 1 2 4 Low‐1
M74BR‐V4MQC‐24WDJ‐QXX9P‐3Y6CB
Microsoft Windows 2008
Server 1 UTMKE KPP UTMKE
JABATAN LAUT
MALAYSIA
Microsoft Windows 2008 Server
2 1 2 4 Low‐1
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 33 of 98
Asset Value
SERIAL NO
NAME OF THE ASSET
QTY LOCATION INSTALLED‐ DIV/UNIT
APPLICATION / SOFTWARE OWNER
DEPARTMENT FUNCTION Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE ( CIA )
Asset Value ( AV )
‐ Adobe Web Standard CS3
1 UTMKE KPP UTMKE JABATAN LAUT
MALAYSIA
Adobe Web Standard CS3
1 1 1 1 Low‐1
‐ Adobe
Fireworks CS3 1 UTMKE KPP UTMKE
JABATAN LAUT
MALAYSIA
Adobe Fireworks CS3
1 1 1 1 Low‐1
‐ Adobe Flash Pro
CS3 1 UTMKE KPP UTMKE
JABATAN LAUT
MALAYSIA
Adobe Flash Pro CS3
1 1 1 1 Low‐1
‐ Adobe
Captivate 3.0 1 UTMKE KPP UTMKE
JABATAN LAUT
MALAYSIA
Adobe Captivate 3.0
1 1 1 1 Low‐1
1016‐1759‐7090‐0724‐5465‐7485
Adobe Acrobat 8.0
1 UTMKE KPP UTMKE JABATAN LAUT
MALAYSIA Adobe Acrobat 8.0 1 1 1 1 Low‐1
‐
Microsoft Project 2007
1 UTMKE KPP UTMKE JABATAN LAUT
MALAYSIA
Microsoft Project 2007
1 1 1 1 Low‐1
LICENSE SOFTWARE
1187‐
5006‐
3920‐
Adobe Coldfusion Standard 10 ALP
1 UTMKE KPP UTMKE 1 1 1 1 Low‐1
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 34 of 98
Asset Value
SERIAL NO
NAME OF THE ASSET
QTY LOCATION INSTALLED‐ DIV/UNIT
APPLICATION / SOFTWARE OWNER
DEPARTMENT FUNCTION Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE ( CIA )
Asset Value ( AV )
2262‐
9148‐
5553
LICENSE SOFTWARE
29776726
SYM ENDPOINT PROTECTION 12.1
1 UTMKE KPP UTMKE 1 1 1 1 Low‐1
LICENSE SOFTWARE
Licenses
Microsoft SQL Server
2008 ILPPPL PTM ILPPPL 1 1 1 1 Low‐1
LICENSE SOFTWARE
Licenses
Microsoft Windows Server 2003 R2 SP2
ILPPPL PTM ILPPPL 1 1 1 1 Low‐1
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 35 of 98
6.3.3 PEOPLE Asset Value
Employee Name
Emp ID Title Department Laptop / Desktop
Location Owner of asset
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE ( CIA )
Asset Value ( AV )
HJ. BAHARIN BIN DATO'
ABD HAMID
620927035471
TIMBALAN KETUA
PENGARAH LAUT (CIO)
IBU PEJABAT LAUT
Laptop and Desktop
PEJABAT KETUA
PENGARAH
JABATAN LAUT
MALAYSIA 4 3 3 36 High‐3
ROSLEE BIN MAT YUSOF
610927106651
PENGARAH KHIDMAT
PENGURUSAN
IBU PEJABAT LAUT
Laptop and Desktop
BAHAGIAN KHIDMAT
PENGURUSAN
JABATAN LAUT
MALAYSIA 4 3 3 36 High‐3
AHMAD KAMIL BIN HASSAN RABEIN
611030085125 KETUA
PENOLONG PENGARAH
IBU PEJABAT LAUT
Laptop and Desktop
UTMKE JABATAN LAUT
MALAYSIA 4 3 3 36 High‐3
VALERIAN SHEM
DONGGOT 801202125787
PEGAWAI TEKNOLOGI MAKLUMAT
IBU PEJABAT LAUT
Laptop and Desktop
UTMKE JABATAN LAUT
MALAYSIA 3 3 3 27 High‐3
AZIZUL HALIMI BIN
HUSAIN
840210035503 PEGAWAI TEKNOLOGI MAKLUMAT
IBU PEJABAT LAUT
Desktop UTMKE JABATAN LAUT
MALAYSIA 3 3 3 27 High‐3
FARAH NEEDRA BINTI
HASHIBULLAH
750127085324
PENOLONG PEGAWAI TEKNOLOGI MAKLUMAT
IBU PEJABAT LAUT
Desktop UTMKE JABATAN LAUT
MALAYSIA 2 3 3 18
Medium‐2
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 36 of 98
Asset Value
Employee Name
Emp ID Title Department Laptop / Desktop
Location Owner of asset
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE ( CIA )
Asset Value ( AV )
YUSNIZA BINTI
ZAKARIA 800201145210
PENOLONG PEGAWAI TEKNOLOGI MAKLUMAT
IBU PEJABAT LAUT
Desktop UTMKE Jabatan Laut
Malaysia 2 3 3 18
Medium‐2
ZAINAL FITRI BIN ZAINAL
841126065077
PENOLONG PEGAWAI TEKNOLOGI MAKLUMAT
IBU PEJABAT LAUT
Desktop UTMKE Jabatan Laut
Malaysia 2 3 3 18
Medium‐2
FARID BIN MUSLEH
840502105251
PENOLONG PEGAWAI TEKNOLOGI MAKLUMAT
IBU PEJABAT LAUT
Desktop UTMKE Jabatan Laut
Malaysia 2 3 3 18
Medium‐2
SHAIRA BINTI
HASHIM 850109115268
PENOLONG PEGAWAI TEKNOLOGI MAKLUMAT
IBU PEJABAT LAUT
Desktop UTMKE Jabatan Laut
Malaysia 2 3 3 18
Medium‐2
NOOR AZRI BINTI ABDUL LATIP
890826086224 PEKERJA SAMBILAN HARIAN
IBU PEJABAT LAUT
Desktop UTMKE JABATAN LAUT
MALAYSIA 1 1 1 1 Low‐1
MUSYARRAF BIN MAZLAN
900807125861 PEKERJA SAMBILAN HARIAN
IBU PEJABAT LAUT
Desktop UTMKE JABATAN LAUT
MALAYSIA 1 1 1 1 Low‐1
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 37 of 98
Asset Value
Employee Name
Emp ID Title Department Laptop / Desktop
Location Owner of asset
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE ( CIA )
Asset Value ( AV )
NUR HANINI BINTI ABDUL HADI
920129105412 PEKERJA SAMBILAN HARIAN
IBU PEJABAT LAUT
Desktop UTMKE JABATAN LAUT
MALAYSIA 1 1 1 1 Low‐1
ABDUL NASAR BIN ABDUL HADI
610110086211 PENGARAH ILPPPL
ILPPPL Laptop and Desktop
ILPPPL JABATAN LAUT
MALAYSIA 3 3 3 27 High‐3
GHADZALI BIN
AHMAD 630825075733
KPP UNIT PEMBANGU
NAN LATIHAN
ILPPPL Laptop ILPPPL JABATAN LAUT
MALAYSIA 3 3 3 27 High‐3
RIZIANA BINTI
IBRAHIM 840518025678
PEGAWAI TEKNOLOGI MAKLUMAT
UNIT PEMBANGU
NAN LATIHAN
Laptop ILPPPL Jabatan Laut
Malaysia 3 3 3 27 High‐3
FAZLEEN BINTI SAID
810624105308
PENOLONG PEGAWAI TEKNOLOGI MAKLUMAT
UNIT PEMBANGU
NAN LATIHAN
Desktop ILPPPL Jabatan Laut
Malaysia 3 3 3 27 High‐3
SHAHRUL NIZAM BIN HANAFIE
770807025921 PEMANDU ILPPPL ‐ ILPPPL Jabatan Laut
Malaysia 3 3 3 27 High‐3
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 38 of 98
Asset Value
Employee Name
Emp ID Title Department Laptop / Desktop
Location Owner of asset
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE ( CIA )
Asset Value ( AV )
GITN SDN BHD
‐ KONTRAKTOR EG*NET
‐ ‐ GITN SDN BHD GITN SDN
BHD 3 4 4 48
Critical‐4
NETWORK OPERATION CENTRE
‐
KONTRAKTOR
1*NETWORK
‐ ‐ SOLSIS (M) SDN BHD
SOLSIS (M) SDN BHD
3 3 4 36 High‐3
TECHNOLOGY PARK MALAYSIA IT SDN BHD
‐
KONTRAKTOR
1*NETWORK
‐ ‐ TECHNOLOGY
PARK MALAYSIA
TECHNOLOGY PARK MALAYSIA
3 3 3 27 High‐3
TELEKOM MALAYSIA
BHD ‐
KONTRAKTOR
1*NETWORK
‐ ‐ TELEKOM MALAYSIA
BHD
TELEKOM MALAYSIA
BHD 3 3 4 36 High‐3
MOHD NURRUL FAIZ MOHD TAIB
850112‐05‐5083 KETUA AUDIT
DALAMAN
IBU PEJABAT LAUT
‐ BAHAGIAN KAWALAN INDUSTRI
JABATAN LAUT
MALAYSIA 3 3 3 27 High‐3
AZMAN AHMAD
700502‐02‐5521 AHLI AUDIT DALAMAN
ILPPPL ‐ ILPPPL JABATAN LAUT
MALAYSIA 3 3 3 27 High‐3
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 39 of 98
Asset Value
Employee Name
Emp ID Title Department Laptop / Desktop
Location Owner of asset
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE ( CIA )
Asset Value ( AV )
JULIZAH ALIUSUS@ABDUL AZIZ
850729‐12‐6080 AHLI AUDIT DALAMAN
WILAYAH SARAWAK
‐ UNIT
TEKNOLOGI MAKLUMAT
JABATAN LAUT
MALAYSIA 3 3 3 27 High‐3
6.3.4 DOCUMENTS
Asset Value
TYPE OF DOCUMENT
SERIAL NO
NAME OF THE ASSET
QTY
DEPARTMENT (LOCATION ‐ DIV/UNIT)
NAME OF THE OWNER
DEPARTMENT
FUNCTION
CATEGORY (RAHSIA/TERHAD/UMUM)
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE( CIA )
Asset Value ( AV )
FILE UTMKE/SEC
DAFTAR KATALALUAN KESELAMATAN ICT
KPP
UTMKE
DAFTAR KATALALUAN KESELAMATAN ICT
RAHSIA
4 4 3 48 Critical‐4
FILE UTMKE/EMAIL
DAFTAR KATALALUAN EMAIL
1 UTMKE KPP
UTMKE
Jabatan Laut
Malaysia
DAFTAR KATALALUAN EMEIL 2012
RAHSIA 3 3 3 27 High‐3
FILE UTMKE/ SOFTWARE
SENARAI LESEN@PRODUCT KEY
1 UTMKE KPP
UTMKE
Jabatan Laut
Malaysia
SENARAI LESEN@PRODUCT KEY PERKAKASAN
TERHAD
3 3 3 27 High‐3
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 40 of 98
Asset Value
TYPE OF DOCUMENT
SERIAL NO
NAME OF THE ASSET
QTY
DEPARTMENT (LOCATION ‐ DIV/UNIT)
NAME OF THE OWNER
DEPARTMENT
FUNCTION
CATEGORY (RAHSIA/TERHAD/UMUM)
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE( CIA )
Asset Value ( AV )
PERKAKASAN DAN PERISIAN
DAN PERISIAN
FILE UTMKE/DC&DRC
DAFTAR REKOD PERKAKASAN DAN PERISIAN ICT DATA CENTER & DRC
1 UTMKE KPP
UTMKE
Jabatan Laut
Malaysia
DAFTAR REKOD PERKAKASAN DAN PERISIAN ICT DATA CENTER & DRC
TERHAD
3 3 3 27 High‐3
FILE UTMKE/ BACK
DAFTAR PENYALINAN ( BACKUP) DATA / APLIKASI
1 UTMKE KPP
UTMKE
Jabatan Laut
Malaysia
DAFTAR PENYALINAN ( BACKUP) DATA / APLIKASI
TERHAD
3 3 3 27 High‐3
FILE KEWPA‐
6
DAFTAR PERGERAKAN HARTA MODAL
1 UTMKE KPP
UTMKE
Jabatan Laut
Malaysia
DAFTAR PERGERAKAN HARTA MODAL 2012
TERHAD
2 3 3 18 Medium‐2
FILE IPL 2498 SURAT MENYURA
1 UTMKE KPP
UTMKE Jabatan Laut
SURAT MENYURAT
TERHAD 2 3 3 18 Medium‐
2
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 41 of 98
Asset Value
TYPE OF DOCUMENT
SERIAL NO
NAME OF THE ASSET
QTY
DEPARTMENT (LOCATION ‐ DIV/UNIT)
NAME OF THE OWNER
DEPARTMENT
FUNCTION
CATEGORY (RAHSIA/TERHAD/UMUM)
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE( CIA )
Asset Value ( AV )
T DENGAN UNIT TEKNOLOGI MAKLUMAT DAN KERAJAAN ELEKTRONIK
Malaysia DENGAN UNIT TEKNOLOGI MAKLUMAT DAN KERAJAAN ELEKTRONIK
FILE IPL 2408
RANGKAIAN INTERNET JABATAN LAUT SEMENANJUNG MALAYSIA
1 UTMKE KPP
UTMKE
Jabatan Laut
Malaysia
RANGKAIAN INTERNET JABATAN LAUT SEMENANJUNG MALAYSIA
TERHAD
2 3 3 18 Medium‐2
PROCEDURE PS‐
BKhP‐06
MS ISO 9001:2008‐PENGURUSAN ICT
1 UTMKE KPP
UTMKE
Jabatan Laut
Malaysia
PROSEDUR SOKONGAN MS ISO 9001:2008
TERHAD
2 3 2 12 Medium‐2
DOCUMENT PSTM 1 UTMKE ICTSO Jabatan ISP JLM 2011‐ TERHAD 2 2 2 8 Medium‐
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 42 of 98
Asset Value
TYPE OF DOCUMENT
SERIAL NO
NAME OF THE ASSET
QTY
DEPARTMENT (LOCATION ‐ DIV/UNIT)
NAME OF THE OWNER
DEPARTMENT
FUNCTION
CATEGORY (RAHSIA/TERHAD/UMUM)
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE( CIA )
Asset Value ( AV )
Laut Malaysia
2015 2
DOCUMENT ISMS 1 UTMKE ICTSO Jabatan Laut
Malaysia
ISMS (Policies, Procedures, Reports, Baseline, Forms)
TERHAD
2 2 2 8 Medium‐2
FILE IPL
2491‐A KESELAMATAN ICT
1 UTMKE KPP
UTMKE
Jabatan Laut
Malaysia
KESELAMATAN ICT
TERHAD 2 2 2 8 Medium‐
2
FILE UTMKE 1/2004(HW)
REKOD DAFTAR PENYELENGGARAAN ICT
1 UTMKE KPP
UTMKE
Jabatan Laut
Malaysia
REKOD DAFTAR PENYELENGGARAAN ICT
TERHAD
1 2 2 4 Low‐1
FILE IPL 2492 PERKAKASAN ICT
1 UTMKE KPP
UTMKE
Jabatan Laut
Malaysia
PERKAKASAN ICT
TERHAD 2 2 1 4 Low‐1
FILE IPL 2492
‐ A
PERKAKASAN ICT ‐ SDPX
KPP
UTMKE
PERKAKASAN ICT ‐ SDPX
TERHAD
2 2 1 4 Low‐1
DOCUMENT ARAHAN KESELAMATAN
1 UTMKE ICTSO Jabatan Laut
Malaysia
ARAHAN KESELAMATAN
TERHAD 2 1 1 2 Low‐1
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 43 of 98
Asset Value
TYPE OF DOCUMENT
SERIAL NO
NAME OF THE ASSET
QTY
DEPARTMENT (LOCATION ‐ DIV/UNIT)
NAME OF THE OWNER
DEPARTMENT
FUNCTION
CATEGORY (RAHSIA/TERHAD/UMUM)
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE( CIA )
Asset Value ( AV )
FILE IPL 1983 ‐ A/C
KURSUS, SEMINAR, BENGKEL ‐ KOMPUTER/TEKNOLOGI MAKLUMAT
1 UTMKE KPP
UTMKE
Jabatan Laut
Malaysia
KURSUS, SEMINAR, BENGKEL ‐ KOMPUTER/TEKNOLOGI MAKLUMAT
UMUM
1 1 1 1 Low‐1
FILE IPL 2493
PEROLEHAN
PERKAKASAN ICT
1 UTMKE UTMKE Jabatan Laut
Malaysia
PEROLEHAN PERKAKASAN ICT
TERHAD
2 2 2 8 Medium‐2
FILE IPL 2208
‐ B
MANUAL PROSEDUR KERJA DAN FAIL MEJA UTMKE
1 UTMKE UTMKE Jabatan Laut
Malaysia
MANUAL PROSEDUR KERJA DAN FAIL MEJA
UTMKE
UMUM
1 1 1 1 Low‐1
FILE IPL 2492
‐ A
PERKAKASAN ICT ‐ SDPX
1 UTMKE UTMKE Jabatan Laut
Malaysia
PERKAKASAN ICT ‐ SDPX
UMUM 1 1 1 1 Low‐1
FILE IPL 2413
‐ M
SURAT MENYURAT MS ISO 9001 : 2008 ‐
1 UTMKE UTMKE Jabatan Laut
Malaysia
SURAT MENYURAT MS ISO 9001 : 2008 ‐ PENGURUSAN ICT PS ‐ BKhP ‐ 06
UMUM
1 1 1 1 Low‐1
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 44 of 98
Asset Value
TYPE OF DOCUMENT
SERIAL NO
NAME OF THE ASSET
QTY
DEPARTMENT (LOCATION ‐ DIV/UNIT)
NAME OF THE OWNER
DEPARTMENT
FUNCTION
CATEGORY (RAHSIA/TERHAD/UMUM)
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE( CIA )
Asset Value ( AV )
PENGURUSAN ICT PS ‐ BKhP ‐ 06
DOCUMENT ‐
SENARAI REKOD
PENGEDARAN REKOD DOKUMEN
ISMS
1 UTMKE UTMKE Jabatan Laut
Malaysia
SENARAI REKOD PENGEDARAN
REKOD DOKUMEN ISMS
TERHAD
2 2 2 8 Medium‐2
DOCUMENT ‐
MALAYSIAN
CYBERLAW REQUIREM
ENTS
1 UTMKE UTMKE Jabatan Laut
Malaysia
MALAYSIAN CYBERLAW
REQUIREMENTS UMUM
1 1 1 1 Low‐1
FILE (01)
MS ISO 9001 : 2008 :
DOKUMEN SOKONGA
N PENGURUSAN ICT
1 UTMKE UTMKE Jabatan Laut
Malaysia
MS ISO 9001 : 2008 : DOKUMEN
SOKONGAN PENGURUSAN ICT
TERHAD
2 2 2 8 Medium‐2
FILE (02)
UTMKE / EMAIL
DAFTAR KATALALUAN EMAIL
2 UTMKE UTMKE Jabatan Laut
Malaysia
DAFTAR KATALALUAN
EMAIL RAHSIA
3 3 3 27 High‐3
FILE (04) REKOD 1 UTMKE UTMKE Jabatan REKOD DAFTAR UMUM 1 1 1 1 Low‐1
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 45 of 98
Asset Value
TYPE OF DOCUMENT
SERIAL NO
NAME OF THE ASSET
QTY
DEPARTMENT (LOCATION ‐ DIV/UNIT)
NAME OF THE OWNER
DEPARTMENT
FUNCTION
CATEGORY (RAHSIA/TERHAD/UMUM)
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE( CIA )
Asset Value ( AV )
DAFTAR PENYELENGGARAAN PERKAKAS
AN PENYELENGGARAAN
ICT (UTMKE 1/2004)
Laut Malaysia
PENYELENGGARAAN PERKAKASAN PENYELENGGARAAN ICT (UTMKE
1/2004)
FILE (05)
KEW PA ‐ 6 : DAFTAR PERGERAKAN HARTA MODAL
1 UTMKE UTMKE Jabatan Laut
Malaysia
KEW PA ‐ 6 : DAFTAR
PERGERAKAN HARTA MODAL
UMUM
1 1 1 1 Low‐1
FILE
(06) UTMKE 1 /2004 ‐ SW
PENYELENGGARAAN APLIKASI
2 UTMKE UTMKE Jabatan Laut
Malaysia
PENYELENGGARAAN APLIKASI
UMUM
1 1 1 1 Low‐1
FILE
(07) UTMKE / PASS (K) 1 / 2009
BORANG KATALALU
AN APLIKASI 2013
2 UTMKE UTMKE Jabatan Laut
Malaysia
BORANG KATALALUAN APLIKASI 2013
RAHSIA
3 3 3 27 High‐3
FILE (08)
UTMKE PENYELENGGARAAN
1 UTMKE UTMKE Jabatan Laut
PENYELENGGARAAN SDPX
UMUM 1 1 1 1 Low‐1
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 46 of 98
Asset Value
TYPE OF DOCUMENT
SERIAL NO
NAME OF THE ASSET
QTY
DEPARTMENT (LOCATION ‐ DIV/UNIT)
NAME OF THE OWNER
DEPARTMENT
FUNCTION
CATEGORY (RAHSIA/TERHAD/UMUM)
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE( CIA )
Asset Value ( AV )
1/2004 ‐SDPX
SDPX Malaysia
FILE (10)
PESANAN PEMBELIAN UTMKE 2012
1 UTMKE UTMKE Jabatan Laut
Malaysia
PESANAN PEMBELIAN UTMKE 2012
TERHAD
2 2 2 8 Medium‐2
FILE (11)
SENARAI KAD
HARTA MODAL
KEW. PA 2 DATA
CENTER, IBU
PEJABAT LAUT
MALAYSIA
1 UTMKE UTMKE Jabatan Laut
Malaysia
SENARAI KAD HARTA MODAL KEW. PA 2 DATA CENTER, IBU PEJABAT LAUT MALAYSIA
TERHAD
2 2 2 8 Medium‐2
FILE (12)
SENARAI LESEN @ PRODUCT
KEY PERKAKASAN DAN PERISIAN
1 UTMKE UTMKE Jabatan Laut
Malaysia
SENARAI LESEN @ PRODUCT KEY PERKAKASAN DAN PERISIAN
RAHSIA
3 3 3 27 High‐3
FILE ‐ INVENTORI 1 UTMKE UTMKE Jabatan INVENTORI ALAT UMUM 1 1 1 1 Low‐1
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 47 of 98
Asset Value
TYPE OF DOCUMENT
SERIAL NO
NAME OF THE ASSET
QTY
DEPARTMENT (LOCATION ‐ DIV/UNIT)
NAME OF THE OWNER
DEPARTMENT
FUNCTION
CATEGORY (RAHSIA/TERHAD/UMUM)
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE( CIA )
Asset Value ( AV )
ALAT GANTI
PERALATAN
Laut Malaysia
GANTI PERALATAN
FILE ‐ UJIAN PKP JLM 2013
1 UTMKE UTMKE Jabatan Laut
Malaysia
UJIAN PKP JLM 2013 TERHAD
2 2 2 8 Medium‐2
FILE
NO KONTRAK : IPL 71/2013
NO SEBUTHARGA : IPL 59/2012
PENYELENGGARAAN PERKAKAS
AN, PERISIAN DAN
SISTEM APLIKASI BAGI SISTEM
DOKUMEN PELAUT (SDPX) UNTUK JABATAN LAUT
MALAYSIA
1 UTMKE UTMKE Jabatan Laut
Malaysia
PENYELENGGARAAN PERKAKASAN, PERISIAN DAN SISTEM APLIKASI BAGI SISTEM DOKUMEN
PELAUT (SDPX) UNTUK JABATAN LAUT MALAYSIA
TERHAD
2 2 2 8 Medium‐2
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 48 of 98
Asset Value
TYPE OF DOCUMENT
SERIAL NO
NAME OF THE ASSET
QTY
DEPARTMENT (LOCATION ‐ DIV/UNIT)
NAME OF THE OWNER
DEPARTMENT
FUNCTION
CATEGORY (RAHSIA/TERHAD/UMUM)
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE( CIA )
Asset Value ( AV )
FORM JLM‐IT‐FRM‐01
LAPORAN AUDIT KUALITI
DALAMAN
1 UTMKE UTMKE Jabatan Laut
Malaysia
LAPORAN AUDIT KUALITI
DALAMAN UMUM
1 1 1 1 Low‐1
FORM JLM‐IT‐FRM‐02
LAPORAN KETAKAKURAN /
PERMERHATIAN
1 UTMKE UTMKE Jabatan Laut
Malaysia
LAPORAN KETAKAKURAN / PERMERHATIAN
UMUM
1 1 1 1 Low‐1
FORM JLM‐IT‐FRM‐03
BORANG LAPORAN INSIDEN
1 UTMKE UTMKE Jabatan Laut
Malaysia
BORANG LAPORAN INSIDEN
UMUM 1 1 1 1 Low‐1
FORM JLM‐UPSM‐FRM‐04
BORANG PERMOHONAN KAD JABATAN
1 UPSM UPSM Jabatan Laut
Malaysia
BORANG PERMOHONAN KAD JABATAN
UMUM
1 1 1 1 Low‐1
FORM JLM‐IT‐FRM‐05
SIJIL PERAKUAN PELUPUSAN DATA MEDIA
1 UTMKE UTMKE Jabatan Laut
Malaysia
SIJIL PERKAUAN PELUPUSAN DATA
MEDIA UMUM
1 1 1 1 Low‐1
FORM JLM‐IT‐FRM‐06
BORANG PERMOHO
NAN PERTUKAR
AN
3 UTMKE UTMKE Jabatan Laut
Malaysia
BORANG PERMOHONAN PERTUKARAN MAKLUMAT SISTEM
UMUM
1 1 1 1 Low‐1
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 49 of 98
Asset Value
TYPE OF DOCUMENT
SERIAL NO
NAME OF THE ASSET
QTY
DEPARTMENT (LOCATION ‐ DIV/UNIT)
NAME OF THE OWNER
DEPARTMENT
FUNCTION
CATEGORY (RAHSIA/TERHAD/UMUM)
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE( CIA )
Asset Value ( AV )
MAKLUMAT SISTEM
FORM JLM‐IT‐FRM‐07
BORANG KEMASUKAN DAN
PENGELUARAN
PERALATAN DI PUSAT DATA IPL
1 UTMKE UTMKE Jabatan Laut
Malaysia
BORANG KEMASUKAN DAN PENGELUARAN PERALATAN DI PUSAT DATA IPL
UMUM
1 1 1 1 Low‐1
FORM JLM‐IT‐FRM‐08
SENARAI SEMAK AUDIT
TRAIL DAN SISTEM LOG
1 UTMKE UTMKE Jabatan Laut
Malaysia
SENARAI SEMAK AUDIT TRAIL DAN
SISTEM LOG UMUM
1 1 1 1 Low‐1
FORM JLM‐IT‐FRM‐09
SENARAI SEMAK KAMERA LITAR
TERTUTUP PUSAT DATA IPL
1 UTMKE UTMKE Jabatan Laut
Malaysia
SENARAI SEMAK KAMERA LITAR
TERTUTUP PUSAT DATA IPL
UMUM
1 1 1 1 Low‐1
FORM JLM‐IT‐FRM‐10
BORANG PENGURUS
AN 1 UTMKE UTMKE
Jabatan Laut
Malaysia
BORANG PENGURUSAN
KAPASITI UMUM
1 1 1 1 Low‐1
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 50 of 98
Asset Value
TYPE OF DOCUMENT
SERIAL NO
NAME OF THE ASSET
QTY
DEPARTMENT (LOCATION ‐ DIV/UNIT)
NAME OF THE OWNER
DEPARTMENT
FUNCTION
CATEGORY (RAHSIA/TERHAD/UMUM)
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE( CIA )
Asset Value ( AV )
KAPASITI
FORM JLM‐IT‐FRM‐11
PENDAFTARAN /
PERUBAHAN
MAKLUMAT ASET
1 UTMKE UTMKE Jabatan Laut
Malaysia
PENDAFTARAN / PERUBAHAN
MAKLUMAT ASET UMUM
1 1 1 1 Low‐1
FORM JLM‐UPSM‐FRM‐12
BORANG PERMOHONAN AKSES PENGGUNA (UARF)
2 UPSM UPSM Jabatan Laut
Malaysia
BORANG PERMOHONAN
AKSES PENGGUNA (UARF)
UMUM
1 1 1 1 Low‐1
FORM JLM‐UPA‐
FRM‐13
BORANG PENDAFTA
RAN UNTUK
MEMASUKI IBU
PEJABAT LAUT
1 UPA UPA Jabatan Laut
Malaysia
BORANG PENDAFTARAN
UNTUK MEMASUKI IBU PEJABT LAUT
UMUM
1 1 1 1 Low‐1
FORM JLM‐IT‐FRM‐14
BORANG PENDAFTA
RAN MASUK DAN
KELUAR KE
1 UTMKE UTMKE Jabatan Laut
Malaysia
BORANG PENDAFTARAN MASUK DAN
KELUAR KE PUSAT DATA IPL
UMUM
1 1 1 1 Low‐1
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 51 of 98
Asset Value
TYPE OF DOCUMENT
SERIAL NO
NAME OF THE ASSET
QTY
DEPARTMENT (LOCATION ‐ DIV/UNIT)
NAME OF THE OWNER
DEPARTMENT
FUNCTION
CATEGORY (RAHSIA/TERHAD/UMUM)
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE( CIA )
Asset Value ( AV )
PUSAT DATA IPL
FORM JLM‐IT‐FRM‐15
BORANG PENYALINAN SEMULA (BACKUP)
1 UTMKE UTMKE Jabatan Laut
Malaysia
BORANG PENYALINAN SEMULA (BACKUP)
UMUM
1 1 1 1 Low‐1
FORM JLM‐IT‐FRM‐16
BORANG PENYALINAN SEMULA (RESTORE) DATA
2 UTMKE UTMKE Jabatan Laut
Malaysia
BORANG PENYALINAN SEMULA
(RESTORE) DATA
UMUM
1 1 1 1 Low‐1
FORM JLM‐IT‐FRM‐17
BORANG SEMAKAN INVENTORI
ASET
1 UTMKE UTMKE Jabatan Laut
Malaysia
BORANG SEMAKAN
INVENTORI ASET UMUM
1 1 1 1 Low‐1
FORM JLM‐UPSM‐FRM‐18
BORANG PERUBAHAN AKSES PENGGUN
A
1 UPSM UPSM Jabatan Laut
Malaysia
BORANG PERUBAHAN
AKSES PENGGUNA
UMUM
1 1 1 1 Low‐1
FORM JLM‐IT‐FRM‐19
BORANG PERMOHO
NAN PERUBAHA
N DOKUMEN
1 UTMKE UTMKE Jabatan Laut
Malaysia
BORANG PERMOHONAN PERUBAHAN DOKUMEN
UMUM
1 1 1 1 Low‐1
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 52 of 98
Asset Value
TYPE OF DOCUMENT
SERIAL NO
NAME OF THE ASSET
QTY
DEPARTMENT (LOCATION ‐ DIV/UNIT)
NAME OF THE OWNER
DEPARTMENT
FUNCTION
CATEGORY (RAHSIA/TERHAD/UMUM)
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE( CIA )
Asset Value ( AV )
FORM JLM‐IT‐FRM‐20
SENARAI SEMAK DATE & TIME
PROPERTIES SERVER
1 UTMKE UTMKE Jabatan Laut
Malaysia
SENARAI SEMAK DATE & TIME PROPERTIES SERVER
UMUM
1 1 1 1 Low‐1
FORM JLM‐UPSM‐FRM‐21
BORANG PENDAFTA
RAN UNTUK
MEMASUKI IBU
PEJABAT LAUT
1 UPSM UPSM Jabatan Laut
Malaysia
BORANG PENDAFTARAN
UNTUK MEMASUKI IBU PEJABT LAUT
UMUM
1 1 1 1 Low‐1
FORM JLM‐IT‐FRM‐22
BORANG PERMOHO
NAN REMOTE AKSES KE SERVER
(KONTRAKTOR)
1 UTMKE UTMKE Jabatan Laut
Malaysia
BORANG PERMOHONAN REMOTE AKSES
UMUM
1 1 1 1 Low‐1
FORM JLM‐UPSM‐FRM‐23
BORANG KEMASKINI MAKLUMA
T
1 UTMKE UTMKE Jabatan Laut
Malaysia
BORANG KEMASKINI MAKLUMAT
UMUM
1 1 1 1 Low‐1
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 53 of 98
Asset Value
TYPE OF DOCUMENT
SERIAL NO
NAME OF THE ASSET
QTY
DEPARTMENT (LOCATION ‐ DIV/UNIT)
NAME OF THE OWNER
DEPARTMENT
FUNCTION
CATEGORY (RAHSIA/TERHAD/UMUM)
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE( CIA )
Asset Value ( AV )
FORM JLM‐IT‐FRM‐24
BORANG PENGURUS
AN KAPASITI PERKAKAS
AN
1 UTMKE UTMKE Jabatan Laut
Malaysia
BORANG PENGURUSAN
KAPASITI PERKAKASAN
UMUM
1 1 1 1 Low‐1
REPORT JLM‐IT‐RPT‐01
BCM POST MORTEM REPORT
1 UTMKE KPP
UTMKE
Jabatan Laut
Malaysia BCM REPORT TERHAD
2 3 3 18 Medium‐2
REPORT JLM‐IT‐RPT‐02
RISK ASSESSMENT REPORT
1 UTMKE KPP
UTMKE
Jabatan Laut
Malaysia
RISK ASSESSMENT REPORT
TERHAD 2 3 3 18 Medium‐
2
REPORT JLM‐IT‐RPT‐03
INTERNAL PENETRATI
ON TESTING REPORT
1 UTMKE KPP
UTMKE
Jabatan Laut
Malaysia
INTERNAL PENETRATION
TESTING REPORT TERHAD
2 3 3 18 Medium‐2
REPORT JLM‐IT‐RPT‐04
EXTERNAL PENETRATI
ON TESTING REPORT
1 UTMKE KPP
UTMKE
Jabatan Laut
Malaysia
ENTERNAL PENETRATION
TESTING REPORT TERHAD
2 3 3 18 Medium‐2
REPORT JLM‐IT‐RPT‐05
WEB APPLICATI
ON TESTING
1 UTMKE KPP
UTMKE
Jabatan Laut
Malaysia
WEB APPLICATION REPOIRT
TERHAD
2 3 3 18 Medium‐2
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 54 of 98
Asset Value
TYPE OF DOCUMENT
SERIAL NO
NAME OF THE ASSET
QTY
DEPARTMENT (LOCATION ‐ DIV/UNIT)
NAME OF THE OWNER
DEPARTMENT
FUNCTION
CATEGORY (RAHSIA/TERHAD/UMUM)
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE( CIA )
Asset Value ( AV )
REPORT
REPORT JLM‐IT‐RPT‐06
EXTERNAL PENETRATIONTESTING (ACTION TAKEN) REPORT
UTMKE KPP
UTMKE
Jabatan Laut
Malaysia
ENTERNAL PENETRATION
TESTING REPORT TERHAD
2 3 3 18 Medium‐2
REPORT JLM‐IT‐RPT‐07
INTERNAL PENETRATIONTESTING (ACTION TAKEN) REPORT
UTMKE KPP
UTMKE
Jabatan Laut
Malaysia
ENTERNAL PENETRATION
TESTING REPORT TERHAD
2 3 3 18 Medium‐2
REPORT JLM‐IT‐RPT‐08
WEB APPLICATI
ON TESTING (ACTION TAKEN) REPORT
UTMKE KPP
UTMKE
Jabatan Laut
Malaysia
WEB APPLICATION
REPORT TERHAD
2 3 3 18 Medium‐2
REPORT JLM‐IT‐RPT‐09
PELAN PERANCANGAN ISMS
IBU PEJABAT LAUT,JABA
1 UTMKE UTMKE Jabatan Laut
Malaysia
PELAN PERANCANGAN
ISMS IBU PEJABAT
LAUT,JABATAN LAUT MALAYSIA
TERHAD
2 3 3 18 Medium‐2
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 55 of 98
Asset Value
TYPE OF DOCUMENT
SERIAL NO
NAME OF THE ASSET
QTY
DEPARTMENT (LOCATION ‐ DIV/UNIT)
NAME OF THE OWNER
DEPARTMENT
FUNCTION
CATEGORY (RAHSIA/TERHAD/UMUM)
Confidentiality( C )
Integrity( I )
Availability( A )
SCORE( CIA )
Asset Value ( AV )
TAN LAUT MALAYSIA
REPORT JLM‐IT‐RPT‐10
INFORMATION
SECURITY MANAGEM
ENT METRICS &MEASUREMENT (ISMMM) REPORT
1 UTMKE UTMKE Jabatan Laut
Malaysia
INFORMATION SECURITY
MANAGEMENT METRICS
&MEASUREMENT (ISMMM) REPORT
TERHAD
2 3 3 18 Medium‐2
REPORT JLM‐IT‐RPT‐11
MINIT MESYUARAT JPICT ISMS
1 UTMKE UTMKE Jabatan Laut
Malaysia
MINIT MESYUARAT
TERHAD
2 3 3 18 Medium‐2
REPORT JLM‐IT‐RPT‐12
PELAN BANGUNAN DI IPL
1 UTMKE UTMKE Jabatan Laut
Malaysia
PELAN BANGUNAN DI IPL
TERHAD 2 3 3 18 Medium‐
2
REPORT JLM‐IT‐RPT‐13
AUDIT NON‐
CONFORMANCE
FINDINGS
UTMKE UTMKE AUDIT NON‐
CONFORMANCE FINDINGS
TERHAD
2 3 3 18 Medium‐2
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 56 of 98
6.3.5 APPLICATION
Asset Value
NAME OF THE ASSET QTY DEPARTMENT (LOCATION ‐ DIV/UNIT)
NAME OF THE OWNER
NAME OF THE COMPANY
FUNCTION Confidentiality
( C ) Integrity
( I ) Availability
( A ) SCORE ( CIA )
Asset Value ( AV )
DOOR ACCESS 1 UTMKE KPP UTMKE Jabatan Laut Malaysia
Access Door Data Center
3 4 4 48 Critical‐4
XPORTAL NET 1 ILPPPL PTM ILPPPL JABATAN LAUT MALAYSIA
Access Door DRC
3 4 4 48 Critical‐4
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 57 of 98
6.4 RISKS ASSESSMENT REPORT
6.4.1 DATA CENTRE
Risk Register Risk Controls Risk Assessment
Item Category Potential Threats
Potential Vulnerabilities
Controls Implemented
IT Security Policies & Standards
ISMS Controls being met
Probability (P)
Impact (I)
Risk Level
for AV 1
Risk Level
for AV 2
Risk Level
for AV 3
Risk Level
for AV 4
Risk Treatment Option
1 People
Information theft, Leakage, Illegal copying
a) No appropriate policy and procedure b) Weak in enforcement of in‐compliance c) No proper authorisation process from management in place
a) NDA signed by staff and third party b) Restricted access to critical system or facilities (access card, authorised login and visitor registration) c) Anti malware software d) Disclaimer e) ISMS posters ‐ for user IT security awareness f) Review the information security policy to meet the ISMS requirement g) Document control through
5.2.2 Physical Entry Control 6.4.1 Management of Removable Computer Media 6.4.2 Disposal of Media 6.4.3 Security of System Documentation8.3 System Access Restriction
A.6.1.5 Confidentiality Agreements A.7.2 Information classification A.7.2.1 Classification guidelines A.7.2.2 Information labeling and handling A.10.7 Media handling A.10.7.1 Management of removable computer media A.10.7.2 Disposal of Media A.10.7.3 Information handling procedures A.10.7.4 Security of system documentation A.11.2 User access management A.11.2.2 Privilege management
2 3 6 12 18 24 Reduce
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 58 of 98
Risk Register Risk Controls Risk Assessment
Item Category Potential Threats
Potential Vulnerabilities
Controls Implemented
IT Security Policies & Standards
ISMS Controls being met
Probability (P)
Impact (I)
Risk Level
for AV 1
Risk Level
for AV 2
Risk Level
for AV 3
Risk Level
for AV 4
Risk Treatment Option
classification of information h) Implement the password policy i) Practice the clear screen clear desk following the 5S j) Proper authorization for any business requests
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 59 of 98
Risk Register Risk Controls Risk Assessment
Item Category Potential Threats
Potential Vulnerabilities
Controls Implemented
IT Security Policies & Standards
ISMS Controls being met
Probability (P)
Impact (I)
Risk Level
for AV 1
Risk Level
for AV 2
Risk Level
for AV 3
Risk Level
for AV 4
Risk Treatment Option
2 People
Vandalism,
Sabotage, Fraud
a) No rules and policy establish to manage the threats b) Awareness to the policy requirement is weak c) Inefficient of identified controls
a) Installed IPS and firewall on the network b) Server hardening c) Controlled logical & physical access to critical server d) Audit logging for monitoring e) Implemented monitoring policy for security violation prevention ‐ Information Security Incident Management f) Developed Information Security Incident Management procedure for monitoring and logging responsibilities f) More CCTV
3.1.4 Termination of Employment or Transfer 3.3 Disciplinary process 4.2 Mobile Device Usage 10.1.1 Network Management 10.1.2 Network Design and Segmentation 10.2.1 Firewalls and Routers 12.2 Monitoring and Logging
A.9.1.2 Physical entry controls
2 1 2 4 6 8 Retain
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 60 of 98
Risk Register Risk Controls Risk Assessment
Item Category Potential Threats
Potential Vulnerabilities
Controls Implemented
IT Security Policies & Standards
ISMS Controls being met
Probability (P)
Impact (I)
Risk Level
for AV 1
Risk Level
for AV 2
Risk Level
for AV 3
Risk Level
for AV 4
Risk Treatment Option
g) Anti passback feature for current access card system.
3 Technolog
y
External and
Internal attacks
successfully disturb the IT
operations because
if uninstalled patches
a) No policies and procedures b) No AD to push the patches c) Vendors that support some of the systems fail to update patches d) No knowledge to deploy and testing new patches
a) Internal patching is done on regular basis and documented b) Patch Management Policy & Procedure c) IT team implement testing and deploy patches
6.6.7 Classification of technical vulnerabilities and patches
A.10.4 Protection against malicious and mobile code
1 3 3 6 9 12 Reduce
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 61 of 98
Risk Register Risk Controls Risk Assessment
Item Category Potential Threats
Potential Vulnerabilities
Controls Implemented
IT Security Policies & Standards
ISMS Controls being met
Probability (P)
Impact (I)
Risk Level
for AV 1
Risk Level
for AV 2
Risk Level
for AV 3
Risk Level
for AV 4
Risk Treatment Option
4 Process
Not able to
conduct forensic in the event
of external & internal hacking attacks
a) No audit log review Policy & Procedure b) No Security Incident Management to track logs incidents c) No knowledge in audit log monitoring d) No manpower to review audit logs
a) Audit logs are kept for 5 years b) Event Logging Procedure is implemented c) Implemented monitoring process for audit log review. d) Security Incident Management is implemented e) IT team monitor audit logs
5.7.1 Fault Reporting 5.7.2 Audit Logging 5.7.3 Review of Logs 5.7.4 Protection of Logs
A.10.10.1 Audit logging A.10.10.2 Audit Monitoring
2 3 6 12 18 24 Reduce
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 62 of 98
Risk Register Risk Controls Risk Assessment
Item Category Potential Threats
Potential Vulnerabilities
Controls Implemented
IT Security Policies & Standards
ISMS Controls being met
Probability (P)
Impact (I)
Risk Level
for AV 1
Risk Level
for AV 2
Risk Level
for AV 3
Risk Level
for AV 4
Risk Treatment Option
5 Process
Entity IT assets went missing (server, notebook and etc)
a) No asset inventory review P&P b) No asset management system to track the assetsc) No knowledge in IT asset review monitoring d) No manpower in IT asset review
a) Asset Management Policy is implemented b) Asset Management System (Sistem Pengurusan Aset) is in place
6.1.1 Information Systems Asset Inventory6.1.2 Information Asset Classification6.1.3 Handling and Labelling of Information6.1.4 Acceptable use of Assets6.3.2 Return of IT Assets and Equipment 6.3.3 Withdrawal of Access Rights on Resignation / Voluntary Termination of Employment, Completion of Contractual Obligations or Services5.1.1 Physical Security Perimeter5.1.2
A.7.1.1 Inventory of assets
1 2 2 4 6 8 Retain
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 63 of 98
Risk Register Risk Controls Risk Assessment
Item Category Potential Threats
Potential Vulnerabilities
Controls Implemented
IT Security Policies & Standards
ISMS Controls being met
Probability (P)
Impact (I)
Risk Level
for AV 1
Risk Level
for AV 2
Risk Level
for AV 3
Risk Level
for AV 4
Risk Treatment Option
Physical Entry Controls5.1.3 Securing Offices, Telecommunications Closets, Data Center and Facilities5.1.4 Working in Secure Areas5.2.1 Equipement Location and Protection5.2.5 Security of Equipment off‐Premises
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 64 of 98
Risk Register Risk Controls Risk Assessment
Item Category Potential Threats
Potential Vulnerabilities
Controls Implemented
IT Security Policies & Standards
ISMS Controls being met
Probability (P)
Impact (I)
Risk Level
for AV 1
Risk Level
for AV 2
Risk Level
for AV 3
Risk Level
for AV 4
Risk Treatment Option
6 Process Power Failure
a) No backup power b) Main DB faulty c) Schedule Maintenance By TNB
a) Installed UPS & Genset
5.2.2 Power Supplies
A.9.2.2 Supporting utilities
3 2 6 12 18 24 Retain
7 People Absence
of personnel
a) Transfer b)Death c)Promotion d)Medical Leave e)Study Leave
a) Replacement from JPA b) Stand‐In Personnel c) Compulsory training on critical applications to at least 2 employees
6.3.1 Withdrawal of Access Rights on Dismissal or Transfer of an Employee, Contractor or Third Party Service Provider
A.8.3.1 Termination Responsibilities
2 1 2 4 6 8 Retain
8 Process
System / Application failure
a) Hardware failure / maintenance b) Software failure / maintenance c) Human errors d) DRC not function properly
a) Daily Backup b) Corrective & Preventive Maintenance c) Replacement of hardware d) Conduct training for users e) DRC process review and testing
5.2.4 Equipment Maintenance 5.6.1 Backup and Restoration Procedures
A.9.2.4 Equipment maintenance A.10.5.1 Information back‐up A.14.1.5 Testing, maintaining and re‐assessing business continuity plan
3 2 6 12 18 24 Reduce
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 65 of 98
Risk Register Risk Controls Risk Assessment
Item Category Potential Threats
Potential Vulnerabilities
Controls Implemented
IT Security Policies & Standards
ISMS Controls being met
Probability (P)
Impact (I)
Risk Level
for AV 1
Risk Level
for AV 2
Risk Level
for AV 3
Risk Level
for AV 4
Risk Treatment Option
9 Technolog
y
Lack of Storage Capacity (SAN
Storage)
a) Exponential increase of data growth b) No House‐keeping c) No secondary storage
a) Purchase new SAN Storage Solution
b) Capacity Planning and
review c) Preventive and
corrective maintenance
5.5.2 Capacity Management
A.10.3.1 Capacity management
3 2 6 12 18 24 Reduce
10 Technolog
y Virus
Outbreak
a) No review on antivirus update process b) License not renewed on time c) Lack of security awareness/training
a) Daily Scanning b) Renew License c) Install antivirus d) Review antivirus update process e) Conduct security awareness / training
5.7.2 Audit Logging 5.7.3 Review of Logs
A.10.4.1 Controls against malicious code A.10.4.2 Controls against mobile code A.13.1.1 Reporting information security events A.13.1.2 Reporting security weaknesses
3 2 6 12 18 24 Retain
11 Technolog
y
Network (LAN) Failure
a) Network appliances failure due to obsolete b) Cabling haywire c) No physical access control to switch room
a) Procure new appliances b) LAN Rewiring c) Switch room always locked. d) Switch room not use for other purpose
5.8.1 Network security 5.8.2 Access to Network Infrastructure and utilities
A.10.6.1 Network controls A.10.6.2 Security of network services
2 2 2 4 6 8 Retain
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 66 of 98
Risk Register Risk Controls Risk Assessment
Item Category Potential Threats
Potential Vulnerabilities
Controls Implemented
IT Security Policies & Standards
ISMS Controls being met
Probability (P)
Impact (I)
Risk Level
for AV 1
Risk Level
for AV 2
Risk Level
for AV 3
Risk Level
for AV 4
Risk Treatment Option
12 Technolog
y Hardware Failure
a) Power Surge b) No schedule maintenance c) No proper handling d) Components failure
a) UPS to protect from power surge b) Preventive and maintenance for all hardware c) Training and handling manual
5.2.2 Power Supplies
A.9.2.2 Supporting utilities A.9.2.4 Equipment maintenance
1 2 2 4 6 8 Retain
13 Technolog
y
Email service interupte
d
a) Network failure b) System / application failure c) Hardware failure
a) Backup Line b) Secondary email server c) PM & CM for Email System ( HW & SW)
5.2.4 Equipment Maintenance 5.6.1 Backup and Restoration Procedures
A.9.2.4 Equipment maintenance A.10.5.1 Information back‐up A.14.1.5 Testing, maintaining and re‐assessing business continuity plan
1 2 2 4 6 8 Retain
14 Technolog
y
Server Application system vulnerabilities ( eg. DDos,
Defacement)
a) No server hardening b) No Application review c) No network review
a) Acquisition, Development & Maintenance Policy is implemented b) Access Control Policy is implemented
5.8.1 Network security 5.7.2 Audit Logging 5.7.3 Review of Logs 5.7.1 Fault Reporting
A.10.6.1 Network controls A.10.4.1 Controls against malicious code A.10.4.2 Controls against mobile code
2 3 6 12 18 24 Reduce
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 67 of 98
6.4.2 DISASTER RECOVERY CENTRE
Risk Register Risk Controls Risk Assessment
Item Category Potential Threats
Potential Vulnerabilities
Controls Implemented
IT Security Policies & Standards
ISMS Controls being met
Probability (P)
Impact (I)
Risk Level
for AV 1
Risk Level
for AV 2
Risk Level
for AV 3
Risk Level
for AV 4
Risk Treatment Option
1 People
Information theft, Leakage, Illegal copying
a) No appropriate policy and procedure b) Weak in enforcement of in‐compliance c) No proper authorisation process from management in place
a) Restricted access to critical system or facilities (access card, authorised login and visitor registration) b) Anti malware software c) Disclaimer d) ISMS posters ‐ for user IT security awareness e) Review the information security policy to meet the ISMS requirement f) Document control through classification of information g) Practice the clear screen clear
5.2.2 Physical Entry Control 6.4.1 Management of Removable Computer Media 6.4.2 Disposal of Media 6.4.3 Security of System Documentation8.3 System Access Restriction
A.6.1.5 Confidentiality Agreements A.7.2 Information classification A.7.2.1 Classification guidelines A.7.2.2 Information labeling and handling A.10.7 Media handling A.10.7.1 Management of removable computer media A.10.7.2 Disposal of Media A.10.7.3 Information handling procedures A.10.7.4 Security of system documentation A.11.2 User access management A.11.2.2 Privilege management
3 4 12 24 36 48 Reduce
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 68 of 98
Risk Register Risk Controls Risk Assessment
Item Category Potential Threats
Potential Vulnerabilities
Controls Implemented
IT Security Policies & Standards
ISMS Controls being met
Probability (P)
Impact (I)
Risk Level
for AV 1
Risk Level
for AV 2
Risk Level
for AV 3
Risk Level
for AV 4
Risk Treatment Option
desk following the 5S
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 69 of 98
Risk Register Risk Controls Risk Assessment
Item Category Potential Threats
Potential Vulnerabilities
Controls Implemented
IT Security Policies & Standards
ISMS Controls being met
Probability (P)
Impact (I)
Risk Level
for AV 1
Risk Level
for AV 2
Risk Level
for AV 3
Risk Level
for AV 4
Risk Treatment Option
2 People
Vandalism,
Sabotage, Fraud
a) No rules and policy establish to manage the threats b) Awareness to the policy requirement is weak c) Inefficient of identified controls
a) Installed IPS and firewall on the network b) Controlled logical & physical access to critical server c) Implemented monitoring policy for security violation prevention ‐ Security Incident Management d) Developed Information Security Incident Management procedure for monitoring and logging responsibilities e) Anti passback feature for current access card system.
3.1.4 Termination of Employment or Transfer 3.3 Disciplinary process 4.2 Mobile Device Usage 10.1.1 Network Management 10.1.2 Network Design and Segmentation 10.2.1 Firewalls and Routers 12.2 Monitoring and Logging
A.9.1.2 Physical entry controls
3 3 9 18 27 36 Reduce
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 70 of 98
Risk Register Risk Controls Risk Assessment
Item Category Potential Threats
Potential Vulnerabilities
Controls Implemented
IT Security Policies & Standards
ISMS Controls being met
Probability (P)
Impact (I)
Risk Level
for AV 1
Risk Level
for AV 2
Risk Level
for AV 3
Risk Level
for AV 4
Risk Treatment Option
3 Technolog
y
External and
Internal attacks
successfully disturb the IT
operations because
if uninstalled patches
a) No policies and procedures b) No AD to push the patches c) Vendors that support some of the systems fail to update patches d) No knowledge to deploy and testing new patches
a) Patch Management Policy & Procedure
6.6.7 Classification of technical vulnerabilities and patches
A.10.4 Protection against malicious and mobile code
2 3 6 12 18 24 Reduce
4 Process
Not able to
conduct forensic in the event
of external & internal hacking attacks
a) No audit log review P&P b) No SIEM to track logs incidents c) No knowledge in audit log monitoring d) No manpower to review audit logs
a) Event Logging Procedure is implemented b) Security Incident Management is implemented
5.7.1 Fault Reporting 5.7.2 Audit Logging 5.7.3 Review of Logs 5.7.4 Protection of Logs
A.10.10.1 Audit logging A.10.10.2 Audit Monitoring
3 4 12 24 36 48 Reduce
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 71 of 98
Risk Register Risk Controls Risk Assessment
Item Category Potential Threats
Potential Vulnerabilities
Controls Implemented
IT Security Policies & Standards
ISMS Controls being met
Probability (P)
Impact (I)
Risk Level
for AV 1
Risk Level
for AV 2
Risk Level
for AV 3
Risk Level
for AV 4
Risk Treatment Option
5 Process
Entity IT assets went missing (server, notebook and etc)
a) No asset inventory review P&P b) No asset management system to track the assetsc) No knowledge in IT asset review monitoring d) No manpower in IT asset review
a) Asset Management Policy is implemented b) Asset Management System (Sistem Pengurusan Aset) is in place
6.1.1 Information Systems Asset Inventory6.1.2 Information Asset Classification6.1.3 Handling and Labelling of Information6.1.4 Acceptable use of Assets6.3.2 Return of IT Assets and Equipment 6.3.3 Withdrawal of Access Rights on Resignation / Voluntary Termination of Employment, Completion of Contractual Obligations or Services5.1.1 Physical Security Perimeter5.1.2
A.7.1.1 Inventory of assets
1 2 2 4 6 8 Retain
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 72 of 98
Risk Register Risk Controls Risk Assessment
Item Category Potential Threats
Potential Vulnerabilities
Controls Implemented
IT Security Policies & Standards
ISMS Controls being met
Probability (P)
Impact (I)
Risk Level
for AV 1
Risk Level
for AV 2
Risk Level
for AV 3
Risk Level
for AV 4
Risk Treatment Option
Physical Entry Controls5.1.3 Securing Offices, Telecommunications Closets, Data Center and Facilities5.1.4 Working in Secure Areas5.2.1 Equipement Location and Protection5.2.5 Security of Equipment off‐Premises
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 73 of 98
Risk Register Risk Controls Risk Assessment
Item Category Potential Threats
Potential Vulnerabilities
Controls Implemented
IT Security Policies & Standards
ISMS Controls being met
Probability (P)
Impact (I)
Risk Level
for AV 1
Risk Level
for AV 2
Risk Level
for AV 3
Risk Level
for AV 4
Risk Treatment Option
6 Process Power Failure
a) No backup power b) Main DB faulty c) Schedule Maintenance By TNB
a) Installed UPS 5.2.2 Power Supplies
A.9.2.2 Supporting utilities
4 3 12 24 36 48 Reduce
7 People Absence
of personnel
a) Transfer b)Death c)Promotion d)Medical Leave e)Study Leave
a) Replacement from JPA b) Stand‐In Personnel c) Compulsory training on critical applications to at least 2 employees
6.3.1 Withdrawal of Access Rights on Dismissal or Transfer of an Employee, Contractor or Third Party Service Provider
A.8.3.1 Termination Responsibilities
2 1 2 4 6 8 Retain
8 Process
System / Application failure
a) Hardware failure / maintenance b) Software failure / maintenance c) Human errors d) DRC not function properly
a) Data Restoration b) Corrective & Preventive Maintenance c) Replacement of hardware d) DRC process review and testing
5.2.4 Equipment Maintenance 5.6.1 Backup and Restoration Procedures
A.9.2.4 Equipment maintenance A.10.5.1 Information back‐up A.14.1.5 Testing, maintaining and re‐assessing business continuity plan
3 3 9 18 27 36 Reduce
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 74 of 98
Risk Register Risk Controls Risk Assessment
Item Category Potential Threats
Potential Vulnerabilities
Controls Implemented
IT Security Policies & Standards
ISMS Controls being met
Probability (P)
Impact (I)
Risk Level
for AV 1
Risk Level
for AV 2
Risk Level
for AV 3
Risk Level
for AV 4
Risk Treatment Option
9 Technolog
y
Lack of Storage Capacity (SAN
Storage)
a) Exponential increase of data growth b) No House‐keeping c) No secondary storage
a) Preventive and corrective
maintenance
5.5.2 Capacity Management
A.10.3.1 Capacity management
4 3 12 24 36 48 Reduce
10 Technolog
y Virus
Outbreak
a) No review on antivirus update process b) License not renewed on time c) Lack of security awareness/training
a) Daily Scanning b) Renew License
5.7.2 Audit Logging 5.7.3 Review of Logs
A.10.4.1 Controls against malicious code A.10.4.2 Controls against mobile code A.13.1.1 Reporting information security events A.13.1.2 Reporting security weaknesses
3 2 6 12 18 24 Retain
11 Technolog
y
Network (LAN) Failure
a) Network appliances failure due to obsolete b) Cabling haywire c) No physical access control to switch room
a) Switch room always locked. b) Switch room not use for other purpose
5.8.1 Network security 5.8.2 Access to Network Infrastructure and utilities
A.10.6.1 Network controls A.10.6.2 Security of network services
2 3 6 12 18 24 Reduce
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 75 of 98
Risk Register Risk Controls Risk Assessment
Item Category Potential Threats
Potential Vulnerabilities
Controls Implemented
IT Security Policies & Standards
ISMS Controls being met
Probability (P)
Impact (I)
Risk Level
for AV 1
Risk Level
for AV 2
Risk Level
for AV 3
Risk Level
for AV 4
Risk Treatment Option
12 Technolog
y Hardware Failure
a) Power Surge b) No schedule maintenance c) No proper handling d) Components failure
a) UPS to protect from power surge b) Preventive and maintenance for all hardware
5.2.2 Power Supplies
A.9.2.2 Supporting utilities A.9.2.4 Equipment maintenance
2 3 6 12 18 24 Reduce
13 Technolog
y
Server Application system vulnerabilities ( eg. DDos,
Defacement)
a) No server hardening b) No Application review c) No network review
NIL
5.8.1 Network security 5.7.2 Audit Logging 5.7.3 Review of Logs 5.7.1 Fault Reporting
A.10.6.1 Network controls A.10.4.1 Controls against malicious code A.10.4.2 Controls against mobile code
2 3 6 12 18 24 Reduce
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 76 of 98
6.5 RISKS TREATMENT PLAN
6.5.1 DATA CENTRE
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
1
Information theft, Leakage, Illegal copying
a) No appropriate policy and procedure b) Weak in enforcement of in‐compliance c) No proper authorisation process from management in place
a) NDA signed by staff and third party b) Restricted access to critical system or facilities (access card, authorised login and visitor registration) c) Anti malware software d) Disclaimer e) ISMS posters ‐ for user IT security awareness f) Review the information security policy to meet the ISMS requirement g) Document
2 3 6 12 18 24 Reduce
A.6.1.5 Confidentiality Agreements A.7.2 Information classification A.7.2.1 Classification guidelines A.7.2.2 Information labeling and handling
1. Implement Data Loss Prevention (DLP) system 2. Comply to Personal Data Protection Act (PDPA)
1. IT Unit
Jan – June 2015
1. DLP log Review 2. PDPA Report review
1 2 2 4 6 8
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 77 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
control through classification of information h) Implement the password policy i) Practice the clear screen clear desk following the 5S j) Proper authorization for any business requests
A.10.7 Media handling A.10.7.1 Management of removable computer media A.10.7.2 Disposal of Media A.10.7.3 Information handling procedures A.10.7.4 Security of system documentation A.11.2
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 78 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
User access management A.11.2.2 Privilege management
2
Vandalism, Sabotage, Fraud
a)No rules and policy establish to manage the threats b)Awareness to the policy requirement is weak c)Ineffective / inadequate controls
a) Installed IPS and firewall on the network b) Server hardening c) Controlled logical & physical access to critical server d) Audit logging for monitoring e) Implemented monitoring policy for security violation prevention – Information Security Incident Management f) Developed Information Security Incident
2 1 2 4 6 8 Retain
A.9.1.2 Physical entry controls
NIL NIL NIL NIL 2 1 2 4 6 8
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 79 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Management procedure for monitoring and logging responsibilities f) More CCTV g) Anti passback feature for current access card system.
3
External and Internal attacks successfully disturb the IT operations because if uninstalled patches
a) No policies and procedures b) No AD to push the patches c) Vendors that support some of the systems fail to update patches d) No knowledge to deploy and testing new patches
a) Internal patching is done on regular basis and documented b) Patch Management Policy & Procedure c) IT team implement testing and deploy patches
1 3 3 6 9 12 Reduce
A.10.4 Protection against malicious and mobile code
1. Deploy AD to push patches to all systems
1. IT Unit
July 2014 – June 2015
Audit Log Review
1 2 2 4 6 8
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 80 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
4
Not able to conduct forensic in the event of external & internal hacking attacks
a) No audit log review Policy & Procedure b) No Security Incident Management to track logs incidents c) No knowledge in audit log monitoring d) No manpower to review audit logs
a) Audit logs are kept for 5 years b) Event Logging Procedure is implemented c) Implemented monitoring process for audit log review. d) Security Incident Management is implemented e) IT team monitor audit logs
2 3 6 12 18 24 Reduce
A.10.10.1 Audit Logging A.10.10.2 Audit Monitoring
1. Implement for security violation prevention Security Incident Event Management (SIEM) system 2. Developed SIEM procedure for monitoring and logging responsibilities 3. Send It team for audit log analysis training
1. IT Unit
Jan – June 2015
Audit Log Review
1 2 2 4 6 8
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 81 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
5
Entity IT assets went missing (server, notebook and etc)
a) No asset inventory review P&P b) No asset management system to track the assetsc) No knowledge in IT asset review monitoring d) No manpower in IT asset review
a) Asset Management Policy is implemented b) Asset Management System (Sistem Pengurusan Aset) is in place
1 2 2 4 6 8 Retain
A.7.1.1 Inventory of assets
NIL NIL NIL NIL 1 2 2 4 6 8
6 Power Failure
a) No backup power b) Main DB faulty c) Schedule Maintenance By TNB
a) Installed UPS & Genset
3 2 6 12 18 24 Retain
A.9.2.2 Supporting utilities
NIL NIL NIL NIL 3 2 6 12 18 24
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 82 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
7 Absence of personnel
a) Transfer b)Death c)Promotion d)Medical Leave e)Study Leave
a) Replacement from JPA b) Stand‐In Personnel c) Compulsory training on critical applications to at least 2 employees
2 1 2 4 6 8 Retain
A.8.3.1 Termination Responsibilities
NIL NIL NIL NIL 2 1 2 4 6 8
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 83 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
8 System / Application failure
a) Hardware failure / maintenance b) Software failure / maintenance c) Human errors d) DRC not function properly
a) Daily Backup b) Corrective & Preventive Maintenance c) Replacement of hardware d) Conduct training for users e) DRC process review and testing
3 2 6 12 18 24 Reduce
A.9.2.4 Equipment maintenance A.10.5.1 Information back‐up A.14.1.5 Testing, maintaining and re‐assessing business continuity plan
1. A process to review all application to upgrade (if needed) 2.Proper documentation (review and update)
1. Application System Owner 2. IT Unit
June – Dec 2014
Application and System Documentations review report
2 1 2 4 6 8
9
Lack of Storage Capacity (SAN Storage)
a) Exponential increase of data growth b) No House‐keeping
a) Purchase new SAN Storage Solution b) Capacity Planning and review c) Preventive and
3 2 6 12 18 24 Reduce
A.10.3.1 Capacity management
1. Purchase secondary SAN storage
1. CIO 2. KPP UTMKE 3. IT Unit
June 2014 – Dec 2015
Project Report
2 1 2 4 6 8
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 84 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
c) No secondary storage
corrective maintenance
10
Virus Outbreak
a) No review on antivirus update process b) License not renewed on time c) Lack of security awareness/training
a) Daily Scanning b) Renew License c) Install antivirus d) Review antivirus update process e) Conduct security awareness / training
3 2 6 12 18 24 Retain
A.10.4.1 Controls against malicious code A.10.4.2 Controls against mobile code A.13.1.1 Reporting information security events A.13.1.2 Reporting security weaknesses
NIL NIL NIL NIL 3 2 6 12 18 24
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 85 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
11
Network (LAN) Failure
a) Network appliances failure due to obsolete b) Cabling haywire c) No physical access control to switch room
a) Procure new appliances b) LAN Rewiring c) Switch room always locked. d) Switch room not use for other purpose
1 2 2 4 6 8 Retain
A.10.6.1 Network controls A.10.6.2 Security of network services
NIL NIL NIL NIL 1 2 2 4 6 8
12
Hardware Failure
a) Power Surge b) No schedule maintenance c) No proper handling d) Components failure
a) UPS to protect from power surge b) Preventive and maintenance for all hardware c) Training and handling manual
1 2 2 4 6 8 Retain
A.9.2.2 Supporting utilities A.9.2.4 Equipment maintenance
NIL NIL NIL NIL 1 2 2 4 6 8
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 86 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
13
Email service interupted
a) Network failure b) System / application failure c) Hardware failure
a) Backup Line b) Secondary email server c) PM & CM for Email System ( HW & SW)
1 2 2 4 6 8 Retain
A.9.2.4 Equipment maintenance A.10.5.1 Information back‐up A.14.1.5 Testing, maintaining and re‐assessing business continuity plan
NIL NIL NIL NIL 1 2 2 4 6 8
14
Server Application system vulnerabilities (eg. DDos, Defacement)
a) No server hardening b) No Application review c) No network review
a) Acquisition, Development & Maintenance Policy is implemented b) Access Control Policy is implemented
2 3 6 12 18 24 Reduce
A.10.6.1 Network controls A.10.4.1 Controls against malicious code
1. Security Posture Assessment (SPA) to be conducted
1. CIO/KPP UTMKE 2. IT Unit 3. Third party/vendor
June – Dec 2014
SPA report
1 2 2 4 6 8
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 87 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
A.10.4.2 Controls against mobile code
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 88 of 98
6.5.2 DISASTER RECOVERY CENTRE
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
1
Information theft, Leakage, Illegal copying
a) No appropriate policy and procedure b) Weak in enforcement of in‐compliance c) No proper authorisation process from management in place
a) Restricted access to critical system or facilities (access card, authorised login and visitor registration) b) Anti malware software c) Disclaimer d) ISMS posters ‐ for user IT security awareness e) Review the information security policy to meet the ISMS requirement f) Document control through classification of information g) Practice the clear screen clear desk following the 5S
3 4 12 24 36 48 Reduce
A.6.1.5 Confidentiality Agreements A.7.2 Information classification A.7.2.1 Classification guidelines A.7.2.2 Information labeling and handling A.10.7 Media handling
1. NDA signed by staff and third party 2. Implement the password policy 3. Proper authorization for any business requests 4. Implement Data Loss Prevention (DLP) system 5. Comply to PDPA
1. IT Unit ILPPPL
1‐3. Jun – Dec 2014 4‐5. Jan – June 2015
1.Audit log review 2. Document Authorizatopm Review Record 3. DLP log Review 4. PDPA Report review
1 2 2 4 6 8
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 89 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
A.10.7.1 Management of removable computer media A.10.7.2 Disposal of Media A.10.7.3 Information handling procedures A.10.7.4 Security of system documentation A.11.2 User access management
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 90 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
A.11.2.2 Privilege management
2
Vandalism, Sabotage, Fraud
a)No rules and policy establish to manage the threats b)Awareness to the policy requirement is weak c)Ineffective / inadequate controls
a) Installed IPS and firewall on the network b) Controlled logical & physical access to critical server c) Implemented monitoring policy for security violation prevention ‐ Information Security Incident Management d) Developed Information Security Incident Management procedure for monitoring and logging
3 3 9 18 27 36 Reduce
A.9.1.2 Physical entry controls
1. Server hardening 2. Audit logging for monitoring 3. Install CCTV
1. IT Unit ILPPPL 2. Asset Unit
1‐2. June – Dec 2014 3. Jan – June 2015
1. Server hardening Report 2. Audit logging Report
2 1 2 4 6 8
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 91 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
responsibilities e) Anti passback feature for current access card system.
3
External and Internal attacks successfully disturb the IT operations because if uninstalled patches
a) No policies and procedures b) No AD to push the patches c) Vendors that support some of the systems fail to update patches d) No knowledge to deploy and testing new patches
a) Patch Management Policy & Procedure
2 3 6 12 18 24 Reduce
A.10.4 Protection against malicious and mobile code
1) Perform Internal patching and documented 2) IT team implement testing and deploy patches 3. Deploy AD to push patches to all systems
1. IT Unit ILPPPL
1‐2. June – Dec 2014
3. July 2014 – June 2015
Audit Log Review
1 2 2 4 6 8
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 92 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
4
Not able to conduct forensic in the event of external & internal hacking attacks
a) No audit log review P&P b) No SIEM to track logs incidents c) No knowledge in audit log monitoring d) No manpower to review audit logs
a) Event Logging Procedure is implemented b) Security Incident Management is implemented
3 4 12 24 36 48 Reduce
A.10.10.1 Audit Logging A.10.10.2 Audit Monitoring
1. Audit log to be kept 2. Implement monitoring process for audit log review. 3. IT team to monitor audit logs 4. Implement for security violation prevention Security Incident Event Management (SIEM) system 5. Developed SIEM
1. IT Unit
1‐3. June – Dec 2014
4‐5. Jan – June 2015
Audit Log Review
1 2 2 4 6 8
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 93 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
procedure for monitoring and logging responsibilities 6. Send It team for audit log analysis training
5
Entity IT assets went missing (server, notebook and etc)
a) No asset inventory review P&P b) No asset management system to track the assetsc) No knowledge in IT asset review monitoring d) No manpower in IT asset review
a) Asset Management Policy is implemented b) Asset Management System (Sistem Pengurusan Aset) is in place
1 2 2 4 6 8 Retain
A.7.1.1 Inventory of assets
NIL NIL NIL NIL 1 2 2 4 6 8
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 94 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
6 Power Failure
a) No backup power b) Main DB faulty c) Schedule Maintenance By TNB
a) Installed UPS 4 3 12 24 36 48 Reduce
A.9.2.2 Supporting utilities
1. Install Genset
1. IT Unit ILPPPL 2. Asset Unit
Jan – June 2015
UPS Maintenance Report
3 2 6 12 18 24
7 Absence of personnel
a) Transfer b)Death c)Promotion d)Medical Leave e)Study Leave
a) Replacement from JPA b) Stand‐In Personnel c) Compulsory training on critical applications to at least 2 employees
2 1 2 4 6 8 Retain
A.8.3.1 Termination Responsibilities
NIL NIL NIL NIL 2 1 2 4 6 8
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 95 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
8 System / Application failure
a) Hardware failure / maintenance b) Software failure / maintenance c) Human errors d) DRC not function properly
a) Data Restoration b) Corrective & Preventive Maintenance c) Replacement of hardware d) DRC process review and testing
3 3 9 18 27 36 Reduce
A.9.2.4 Equipment maintenance A.10.5.1 Information back‐up A.14.1.5 Testing, maintaining and re‐assessing business continuity plan
1. Conduct training for staffs
1. IT Unit ILPPPL
June – Dec 2014
2 2 4 8 12 16
9
Lack of Storage Capacity (SAN Storage)
a) Exponential increase of data growth b) No House‐keeping c) No
a) Preventive and corrective maintenance
4 3 12 24 36 48 Reduce
A.10.3.1 Capacity management
1. Purchase new SAN Storage Solution 2. Capacity Planning and review
1. IT Unit ILPPPL 2. Asset Unit
June 2014 – Dec 2015
Project Report
2 1 2 4 6 8
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 96 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
secondary storage
10
Virus Outbreak
a) No review on antivirus update process b) License not renewed on time c) Lack of security awareness/training
a) Daily Scanning b) Install antivirus
3 2 6 12 18 24 Retain
A.10.4.1 Controls against malicious code A.10.4.2 Controls against mobile code A.13.1.1 Reporting information security events A.13.1.2 Reporting security weaknesses
NIL NIL NIL NIL 3 2 6 12 18 24
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 97 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
11
Network (LAN) Failure
a) Network appliances failure due to obsolete b) Cabling haywire c) No physical access control to switch room
a) Switch room always locked. b) Switch room not use for other purpose
2 3 6 12 18 24 Reduce
A.10.6.1 Network controls A.10.6.2 Security of network services
1. Network Maintenanc
e
1. IT Unit ILPPPL 2. Asset Unit
Jan – June 2015
1. Maintenance Report
1 2 2 4 6 8
12
Hardware Failure
a) Power Surge b) No schedule maintenance c) No proper handling d) Components failure
a) UPS to protect from power surge b) Preventive and maintenance for all hardware
2 3 6 12 18 24 Reduce
A.9.2.2 Supporting utilities A.9.2.4 Equipment maintenance
1. Training and handling manual
1. IT Unit ILPPPL
June – Dec 2014
1 2 2 4 6 8
JLM-IT-RPT-02 Risk Assessment Report v1.3 Page 98 of 98
Risk Assessment Risk Treatment Residual Risk
Item
Potential Threats
Potential Vulnerabiliti
es
Controls Currently Implemented
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
Risk Treatme
nt Option
ISMS Controls to be met
Propose Treatment
Responsibility / Resourc
es
Schedule /
Timeframe
Reporting / Monitoring
Probability (P)
Impact (I)
Risk Level for AV 1
Risk Level for AV 2
Risk Level for AV 3
Risk Level for AV 4
13
Server Application system vulnerabilities (eg. DDos, Defacement)
a) No server hardening b) No Application review c) No network review
NIL 2 3 6 12 18 24 Reduce
A.10.6.1 Network controls A.10.4.1 Controls against malicious code A.10.4.2 Controls against mobile code
1. Security Posture Assessment (SPA) to be conducted
1. CIO/KPP UTMKE 2. IT Unit ILPPPL 3. Third party/vendor
June – Dec 2014
1. SPA report
1 2 2 4 6 8