SECURITY ASSESSMENT TEMPLATE

The threats, vulnerabilities, and risks mentioned on this sheet are examples of common scenarios. Make a copy of the sheet and customize it to your business's specifications. (File > Make a Copy OR File > Download)

How to use the template:

1. The risk scenarios and the related information populated in the template are only examples. Actual risks, vulnerabilities, impact, and control measures will vary depending on your business. Change the data accordingly.
2. You can customize the template by adding or removing columns to meet your specific needs.
3. The template is intended to serve only as a guide to help you complete your security assessment.

IT asset | Security risk | Security threat | Vulnerability | Impact of risk | Risk level | Impact level | Existing controls | Proposed controls | Priority | Person responsible | Timeframe for completion | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---
Network systems | Information involved in electronic messaging gets compromised | Spyware attack | Information in transit is not encrypted. | ● Leakage of sensitive data will attract penalties from regulatory bodies ● Loss of customer trust ● Fall in brand equity | HIGH | HIGH | Security policy states that sensitive data should not be sent to external sources. | ● Implement encryption for data at rest as well as in transit. ● Use data loss prevention software to detect data exfiltration. | HIGH | IT team lead | Jun-22 | Justin from the IT team to shortlist data loss prevention software vendors and send RFPs by May 20, 2022.
Desktops or servers | Unauthorized users gain access to the operating system and steal data or crash the system | Phishing attack | Employees may accidentally—or knowingly—give away details that help attackers gain access to the systems. Weak passwords that attackers can easily crack. | ● Loss of productivity due to system downtime ● Leakage of certain data types can lead to loss of IP rights ● Client data may get compromised | MEDIUM | HIGH | Employees are trained on phishing and other social engineering techniques. Passwords have to be changed every six months. | ● Use computer-based awareness training to train employees and identify weak points using simulation exercises. ● Install a password manager tool to enforce the use of strong passwords. | HIGH | HR or learning and development team; IT team lead | Jul-22 | First batch of employees to be trained on June 10, 2022. HR head Megha to decide on the batch strength and department for the training sessions.
Website | Users are not able to access the website | DDoS attack | The website runs on a free version of the software package, which offers limited security capabilities. | ● Loss of clients due to the inability to make online purchases ● Loss of revenue ● Advantage for competitors | MEDIUM | HIGH | None in place. | ● Move the website to a more secure and trusted platform. ● Obtain an SSL/TLS certificate for the website. | MEDIUM | IT team lead | Sep-22 | N/A
Security policy | Data theft or loss due to security breaches at third-party vendors | Ransomware attack | Security considerations are not checked when dealing with third-party vendors. | ● Data loss ● Loss of revenue and customers ● Regulatory penalties | MEDIUM | MEDIUM | None in place. | ● Check third-party vendor security before entering into a partnership. Add a clause to the partnership agreement that vendors need to be PCI DSS compliant, and check for any discrepancies. | MEDIUM | Procurement team lead | Dec-21 | Seek advice from legal counsel.
User devices | Malicious apps | Malware attack | Employees use the same mobile device for office as well as personal work. There is no separation of data and no control over what type of content can be downloaded. | ● System downtime ● Loss of critical data ● Loss of competitive advantage | HIGH | HIGH | Bring-your-own-device (BYOD) policy with limited guidelines. | ● Implement endpoint security solutions. ● Monitor devices that are connected to your network. ● Use device management and application management tools to manage the installation of apps from a single, centralized source. ● Revise BYOD policies to enforce greater security. | HIGH | IT team lead and HR team lead | Jun-22 | Next meeting to discuss progress on proposed controls will be on May 10, 2022.
Data storage | Records get lost or manipulated due to poor sharing practices | Employee negligence | No common business rules around document and version control management. | ● Discrepancies in the records maintained by different teams and/or between the company and client firms, leading to loss of trust and data mismanagement ● Data loss without any backups | HIGH | MEDIUM | Teams have their own policies around data storage. | ● Develop and implement a centralized policy and procedures around version control. ● Lock down shared drives. ● Implement an electronic documents and records management system (EDRMS) for content management. | HIGH | IT team lead and department heads | Jul-22 | Policy preparation to be completed by May 31, 2022.
Employee data | A terminated employee dials into the company's network and accesses proprietary information | Disgruntled former employees | Terminated employees' system identifiers are not removed soon enough. | ● Loss of data ● Data misuse | LOW | MEDIUM | Terminated employee details are removed every three months. | ● Ensure employee identifiers are archived within a week of an employee leaving. | LOW | IT team lead | Dec-21 | N/A
API | API key exposure | Disgruntled employees | Insecure storage of API keys. API keys that are no longer needed are not disposed of securely. | ● Attackers with unauthorized access to keys can cause a denial of service. | MEDIUM | MEDIUM | Only SSL keys are disposed of routinely. | ● Ensure API keys are stored securely and disposed of routinely. ● Implement API gateway software to give the API security administrator complete control over access management, threat detection, confidentiality, integrity, and audits for every API the organization publishes. | MEDIUM | IT team lead | Dec-22 | N/A
Firewall | Unauthorized users hack into the system through the internet | Ransomware attack | The company's firewall allows inbound Telnet, and the guest ID is enabled on the XYZ server. | ● Unauthorized access to sensitive files due to system vulnerabilities | HIGH | LOW | None in place. | ● Control the firewall's inbound traffic. | MEDIUM | IT team | Dec-22 | N/A