NIST Retail

Risk Assessment Report for Dinny Hall Retail Mart
1

Dinny Hall Retail Mart

MBA-ITBM
Batch: 2013-2015

Prepared By: Group 1 (Div. C)
Ambrish Anand (13030241100)
Ankit Bajaj (13030241102)
Dipesh Golwala (13030241104)
Pratik Patil (13030241118)
Yogesh Shadapuri (13030241139)

Risk Assessment Report
On
Microsoft
Retail Management System
Using
NIST
2

Table of Contents
1. Introduction4
2. Risk Assessment Approach5
3. IT System Characterization6
4. Risk Identification.10
5. Control Analysis15
6. Risk Likelihood.29
7. Risk Impact Analysis34
8. Overall Risk Assessment Determination...35
9. Recommendations37
10. Result Documentation39

3

List of Tables

Table A: IT System Inventory and Definition
Table B: Threats Identified
Table C: Threats, Vulnerabilities and Risk
Table D: Security Controls
Table E: Risks-Controls-Factors Correlation
Table F: Risk Likelihood Ratings
Table G: Risk Impact Analysis
Table H: Overall Risk Rating Matrix
Table I: Overall Risk Ratings Table
Table J: Recommendations
Table K: Risk Assessment Matrix

4

1. INTRODUCTION
1.1 Purpose
The purpose of this risk assessment is to evaluate the adequacy of the Dinny Hall
Supermarkets Microsoft Dynamics Retail Management System (RMS) IT security. RMS offers
small and midsize retailers a complete point of sale (POS) solution that can be adapted to meet
unique requirements. This powerful software package automates POS processes and store
operations, provides centralized control for multi-store retailers, and integrates with Microsoft
Office system programs, Microsoft Dynamics GP, and other popular applications. This risk
assessment provides a structured qualitative assessment of the RMS operational environment. It
addresses threats, vulnerabilities, risks, impacts and safeguards. The assessment recommends
cost-effective safeguards to mitigate threats and associated exploitable vulnerabilities identified
in Dinny Halls RMS System.
1.2 Scope
The scope of this risk assessment report is to assess the systems use of resources and
controls (implemented or planned), to eliminate and/or manage vulnerabilities exploitable by
threats internal and external to the retail domain. If exploited, these vulnerabilities could
result in:
Unauthorized disclosure of data(customer sensitive information)
Unauthorized modification to the system, its data, or both
Denial of service, access to data or both to authorized users
This Risk Assessment Report evaluates the confidentiality (protection from unauthorized
disclosure of system and data information), integrity (protection from improper modification of
information) and availability (loss of system access) of the system. Recommended security
safeguards will allow management to make decisions about security-related initiatives.

5

2. RISK ASSESSMENT APPROACH
This risk assessment methodology and approach was conducted using the guidelines in
NIST SP 800-30, Risk Management Guide for Information Technology Systems. The assessment
is broad in scope and evaluates security vulnerabilities affecting confidentiality, integrity and
availability. The assessment recommends appropriate security safeguards, permitting
management to make knowledge-based decisions about security-related initiatives. The
methodology addresses the following types of controls:
Management Controls: Management of the Information Technology (IT) security system
and the management and acceptance of risk.
Operational Controls: Security methods focusing on mechanisms implemented and
executed primarily by people (as opposed to systems), including all aspects of physical
security, media safeguards and inventory controls.
Technical Controls: Hardware and software controls providing automated protection to the
system or applications (Technical controls operate within the technical system and
applications).
The NIST RMF, illustrated in Figure 1, provides the covered entity with a disciplined,
structured, extensible, and repeatable process for achieving risk-based protection related to the
operation and use of information systems and the protection of EPHI. It represents an
information security life cycle that facilitates continuous monitoring and improvement in the
security state of the information systems within the organization.

The flexible nature of the NIST RMF allows other communities of interest to use the
framework voluntarily either with the NIST security standards and guidelines or with industry-
specific standards and guidelines. The RMF provides organizations with the flexibility needed to
apply the right security controls to the right information systems at the right time to adequately
protect the critical and sensitive information, missions, and business functions of the
organization.

6

Figure 1.NIST RMF
The risk assessment methodology encompasses of nine primary steps, which are described
below:

Step 1 - System Characterization
Step 2 - Threat Identification
Step 3 - Vulnerability Identification
Step 4 - Control Analysis
Step 5 - Likelihood Determination
Step 6 - Impact Analysis
Step 7 - Risk Determination
Step 8 - Control Recommendations
Step 9 - Results Documentation

3. IT SYSTEM CHARACTERIZATION:
The purpose of this step is to identify IT system and define Risk assessment boundary,
components and data sensitivity.

7

Table A : IT System Inventory and Definition
I. IT System Identification and Ownership
IT System
ID
IMS IT System Common Name Inventory Management
System (IMS)
Owned by Dinny Hall Retail Mart
System
Owner
Chris Chapman System administrator Ant Corrie
Data owner William Gomes Data Custodian
Ant Corrie, Evans
Thomas
II. IT System Boundary and Components
IT System
Description
and
Components
Operating System: Windows Server 2008.
Two servers running in Windows server 2008.
Backup Server operates when main server fails.
Database and backup database are attached to server.
The Systems Payment, Inventory and Supply Chain accesses relevant data
from server.
IT system
Interface
TeraData This system ensures data transmission among different network
entities.
All the security aspects of data transfer are handled by TeraData
Employee accessibility rights are defined by TeraData
Initial user id and password are generated by this system

III. IT System Interconnections
Agency or org IT system name IT system name

IT System
owner
Interconnect
security
agreement
summary
Retail management
services
Bill Payment
system
BPS Chris
Chapman
No formal
agreement
required as
the system
has common
owner
8

Diagram of the system and network architecture, including all components of the system and
communications links connecting the components of the system, associated data communications
and networks:

Figure 1 IT System Boundary Diagram Interconnected Retail Environment)
Retail management
services
Stock
management
system

SMS
Chris
Chapman
No formal
agreement
required as
the system
has common
owner
Type of data Confidentiality Integrity Availability
Financial data High. May lead
to unauthorized
transaction and
fiscal loss to
customer,
thereby harming
company
reputation
High Low
Stock details High. If leaked
competitors can
misuse them
High High
9

Information Flow Diagram:

Security Structure:

Information sent from main outlet
to RMS division data center
10

4. RISK IDENTIFICATION
The purpose is to identify risks existing in the system. Risks occur when vulnerabilities in
the IT system or its environment can be exploited by threats.

4.1 Identification of Vulnerabilities:
The following were the vulnerabilities identified:
Weak encryption standard is vulnerability for the RMS system. It threatens the
CIA (confidentiality, availability, integrity) aspect of the organization. Encryption
standard is not compliant with the PCI DSS standards (wireless eavesdropping,
wired eavesdropping )
Absence of network monitoring systems.
Absence of processing logs.
No purging of old data.
Storage of critical information in unencrypted format.
Certain inventories dont have their details fed in the system, though they are present in
the stock. So there are risks of theft and other manipulations in which the staffs may be
involved.
Supply chain management system didn't comply with security standards.
The transaction systems and other network connected hardware devices handling
sensitive information used the same usernames and passwords across DH stores
nationwide.
Maintenance Hurdles on remote Sites due to lack of technical expertise.
No timely security patches on in-house systems.
Cyber-attacks as connection with diverse set of networks-in-house, corporate and public.
4.2 Identification of Threats

The following threats were identified:
Any hacker or intruder may get an easy access to the critical information because
of the weak encryption standards implemented.
If at all any intrusion happens it would not be detected because of the inadequate
network monitoring system.
11

Detection of login details would not be possible because of absence of processing
logs so if at all any security incident happens, the source would not be traceable.
In case of any security breach, the critical data would be easily accessible as it
was present in unencrypted format.
VPN accounts assigned to former employees, which the system administrator didnt close
after the employees service was terminated can become a gateway for hacker intrusion.
The risk of system in the SCM getting hacked, thus revealing inventory details to the
hackers who can sell these information to the competitors of DINNY HALL
Supermarket.
The transaction systems and other network connected hardware devices handling
sensitive information used the same usernames and passwords across stores nationwide.
An attacker who compromised on a system in one store could access the same device at
every DH store nationwide.
Loopholes in the inventory management system would compromise on the
traceability of products kept in retail store.
Systems connected to network- internal or public are susceptible to malware
attacks.
Stealing of credit card information and other sensitive customer data.
The threats identified are listed in table below:

Table B: Threats Identified
Wireless
eavesdropping

Power loss

Communication
failure

Wired eavesdropping

Tornadoes

Work place violence

Spoofing

Floods

DOS Attack
Stored data
manipulation

Bomb threat

Rioting
Lost or stolen device

Malware Attacks Robbery

Earthquake

Fire

Cyber terrorism

12

4.3 Identification of Risks

The following were the risks identified:

Poor network Security would risk the critical information of the company.
Access control mismanagement would risk the disclosure of company details
Failures in hardware devices may lead to permanent loss of data.
Disgruntled employees may result in loss of critical company decisions and policies.
Active VPN accounts of ex-employees would result in unauthorized access and risk
the critical information.
Loss of financial information would affect the company image.
Loss of inventory details would give an undue advantage to competitors.
Natural calamity would hamper the business.
Loss of business details would reveal strategies and hamper the long term goals.
Table C: Threats, Vulnerabilities and Risk
Risk
No.
Vulnerabilities Threats Risks of
Compromise
of
Risk Summary
1 Improper
handling of
financial data of
the company.
Loss of confidential data May loss
Financial Data
some
important
financial
legers and
balance sheet
internally.
Loss of financial
data, having severe
impact on the
companys brand
image
2 Unencrypted data
and detail of
employee
Unethically updating
details of employee.
Misuse of
employees
details
Loss of employee
details
3 Accidental
damage to
business
A situation from which
the company cant recover
Discontinuity
of services
Business plan
4 Not well planned
architecture of
company
Loss of data Loss of
resources data
and others
thing which is
important.
Natural calamities
like earthquake,
hurricane etc
13

5 Water leakage
near the server
room
Threat of fire. Availability
and integrity
of retail data
Water leakage may
cause short-circuit
leading to eruption
of fire.
6 No proper access
control employee
Lack of access control can
be misused leading to
incidents such as data
theft etc
Confidentiality
and integrity
of retail data
Unauthorized access
control
7 Poor network
security
Weak firewall, outdated
antivirus etc
Confidentiality
and integrity
of retail data
Denial of service
attack via dummy
packets
8 Unsecure remote
access
Multiple access points Due to this the
data can be
shared with
others.
Masquerading access
points
9 Encryption
standard is not
compliant with
the PCI DSS
standards

wireless eve dropping,
wired eavesdropping,
spoofing, etc may be the
outcome of exploiting this
vulnerability
Confidentiality
and integrity
of retail data
Spoofing
10 Physical access
controls not
implemented
Unauthorized people
access in the organization
Tailgating and
hence loss of
confidential
data
Tailgating
11 Hardware-failure Important customer
confidential data may be
lost or corrupted
Confidentiality
and integrity
of retail data
Power loss
12 VPN accounts of
the ex-employees
still in use
Unauthorized access. Confidentiality
and integrity
of retail data
VPN account of ex-
employee
compromised
13 Lack of proper
security practices
Accessible to hackers. Easily
accessible to
hackers.
Hacking
14 Customer
sensitive
Misuse of confidential
customer data
Confidentiality
and integrity
Unencrypted
password increases
the chances of
14

data/password
was also stored
unencrypted.
of retail data security breaches in
the system
15 Disgruntled
employees
Work place violence,
execution of system
sabotage
Confidentiality
and integrity
of retail data
Loss or theft of USB
drives could result in
compromise of
confidentiality of
DH
data
16 The transaction
systems and
other network
connected
hardware devices
handling
sensitive
information used
the same
usernames and
passwords across
DH stores
nationwide
If the hacker gets through
the network security walls
of one system, he can do
so for other systems too.
Confidentiality
and integrity
of retail data
Compromise of
unexpired/unchanged
passwords could
result in compromise
of confidential
business data
17 Lack of proper
physical security
Robbery Money, Shop
items
Lack of adequate
physical security
leads to robbery
which in turn leads
to physical injury.

15

5. CONTROL ANALYSIS:
The purpose of control analysis is to provide a report about the control measures
implemented and the control policies that are planned. It is then matched with the risks to
identify which risk needs to be addressed and which can be acceptable to the organization.

Table D : Security Controls
Control Area In-place/Planned Description of Controls
1. Risk Management

1.1 IT security Roles and
Responsibilities

Planned

Required IT Security roles
have been assigned. There is a
CIO appointed who has
appointed roles to individuals.
1.2 Business Impact analysis

In Place

DH management and staff
conducted and documented a
BIA. It needs to be reviewed
annually and was done also.
1.3 IT system & data
Classification
In Place DH should know how much
data it should store. There
should be provision to store
customer sensitive information
separate from other data. In
short, classification of data
should be there.
1.4 IT system Inventory &
Definition
In Place DH recognizes an inventory of
Sensitive IT data that contains
crucial customer information.
This also includes stock level
and inventory detail included
in the Risk assessment report.
16

System definition also forms a
part of this report.
1.5 Risk Assessment In Place This report documents the
Risk Assessment of DH in
April 2012
1.6 IT security Audits In Place IT security audit has been
taken care of by Mark Smith,
Internal Audit Director in DH.
An internal audit is planned
annually.

2. Contingency planning
2.1Continuity of operations
planning
In Place

In Place
Ant Corrie is the DH
Coordinator of Operation Plan
Coordination. The DH COOP
identifies all personnel
required for its execution,
includes personnel required
for recovery of the DH, &
includes emergency
declaration, notification and
operations procedures.

The COOP document is
classified as sensitive; access
to this document is restricted
to COOP team members, & a
copy of the COOP is stored
off site at Data Recovery
Services, Inc., DHs recovery
site partner. The DH COOP,
17

including components relating
to the DH is currently being
updated as a result of the
COOP exercise; completion is
expected by Dec 2013.
2.2IT disaster recovery
planning
In Place 1. A Disaster Recovery Plan
(DRP) and Business
Continuity Plan (BCP) for the
DH has been documented
& approved by the Security
Commissioner, Marlin Luther.
This plan calls for:-
Recovery of the DH within 48
hours at a cold site maintained
by Data Recovery Services,
Inc. (DRSI). In order to
support 24-hour recovery of
DH during budget preparation,
the contract with DRSI
includes 24-hour recovery
during this period.

2.3 IT system and data
backup Restoration
In Place DH has a backup and
restoration plan, documented
and approved by Chris
Chapman, the DH system
owner. This plan calls for:
a. Daily full & monthly
incremental backups & review
of backup logs of DH data by
operations staff.
18

3. IT Systems Security
3.1 IT System Hardening In Place DH systems use Windows 7,
Windows 2008 server and
Oracle 10g benchmark for the
Centre of Internet Security
(CIS). Chris Chapman the
BFS system owner, has
approved the
recommendations regarding
the benchmarks
DH operations staff will
determine whether the CIS
benchmarks continue to
provide appropriate protection
by carrying out vulnerability
scan.
3.2 IT System
Interoperability Security
In Place The RMS system in DH
interacts with the payment
system, Inventory system and
the POS system. The data
sharing is mentioned in the
risk assessment report. Chris
Chapman is the System Owner
of retail system, POS system
and inventory system.
Therefore no written data
sharing agreement is required.

3.3 IT System Development
Life cycle security

Planned

The DH risk assessment team
analyses all its software in the
various stages of its life cycle
with regards to security
compliance. As documented
throughout this Risk
19

Assessment report, DH risk
assessment team conducts &
documents a formal Risk
Assessment of the DH every
three years.
3.4 Malicious Code
protection
Planned DH has few antivirus products
installed in the system and
network servers. These
software do the following :-
1) Protects the system from
malicious programs
2) Scans files retrieved from
various sources
3) Maintains logs for
protection activities
4) Allows administrator to
modify the configurations
The Acceptable User Policy,
under development, will
prohibit DH users from
intentionally developing or
experimenting with malicious
programs & knowingly
propagating malicious
programs. This policy is
scheduled to get completed in
October 2012.

4.Logical Access Control
4.1 Account Management Planned The following Policies need to
be implemented:
20

Access level to be
granted on the basis of
least privilege.
Any change in the
access levels should be
done with the
permission of Chris
Chapman and Ant
Corrie.
Any account, if unused
for 60 days should get
locked. Unlocking of
the account should be
done with the
permission of George
Mathew.
Account monitoring
should be done.
Detailed report should
be made to identify
any unusual account
access.
4.2 Password Management In Place Password would expire
after 60 days
Every password
requires 4
alphanumeric
characters, 3 numeric
characters and 1
special characters.
New password and old
21

password should not
have more the 5
characters in common.
Use of different
password at different
stores.
High encryption
standards for database
passwords.
Use of standard
procedure for handling
the initial user id and
password. User is
required to change the
password in the first
login.
4.3 Remote access In Place VPN account
monitoring system
should establish.
Old VPN accounts
should be locked.
Logs should be
maintained that contain
VPN account access
information.
Access level for
different VPN
accounts should be
defined.

5.Personnel Security
22

5.1 Access Determination
and control
Planned Access control needs
to implemented as per
work area and
hierarchy
Access rights for
people working in
SCM and Payment
system should be
separated.
5.2 IT security awareness
and training
Planned Employee Security
awareness training
should be conducted
on an annually basis
Security training
should be provided to
newly joined
employees
6.Threat Management
6.1 Threat Detection

In Place

Planned

Planned
Ant Corrie is the head for
threat detection. Following
are the components of threat
detection:
1. Regular training sessions
for employee on IT security
training.
2. Regular monitoring of IT
system.
3. Regular evaluation of
security awareness among
employees.
6.2 Incident handling Planned Following are the measures
23

that are suggested to be
implemented
1. Protocols for handling
security incident
2. Establishment of a
dedicated team to prevent and
handle cyber attacks
3. Identifying different levels
of security incident and
chalking out preventive
measures for the same
4. Establishing hierarchy for
reporting process, in case of
security incident
6.3 Security Monitoring
&logging
Planned 1. Development of logging
capabilities and review
procedures
2. Enabling logging and
retention of logs for 60 days
3. Monitoring of security logs
and reporting to security team
in case of security incident
7. IT Asset Management
7.1 IT Asset Control In Place Any personal data storage
devices are not allowed in the
company premises.
All the devices have a unique
ID and Device record has
entry of all the devices as per
the unique ID.
Any allocation of new
24

devices or change in the
position of the devices should
be done with the permission of
George Mathew and also
should be recorded in Device
Record.
7.2 Software License
Management
In Place

In Place
Documented policies require
the use of only DH (Dinny
Hall Retail Mart), approved
software on its IT systems &
require annual reviews of
whether all software is used in
accordance with license
requirements.
All software used at Dinny
Hall Retail Mart is
appropriately licensed.
7.3 Configuration
Management & Change
Control
In Place Creation and management of
IT assets record.
Record should have entries of
all the IT assets and its
valuation.
Security practices as per the
valuation of the device are
implemented.
Any change in the IT
environment
(intentional/accidental) should
be immediately reported to
George Mathew.

25

The identified risks are associated with the relevant controls in a Risk-Controls Table
(Table E), as below.This correlation determines whether controls exist that respond adequately to
the identified risks.

Table E: Risks-Controls-Factors Correlation

Risk
No.
Risk Summary Correlation of Relevant Controls &
Other Factors
1. Loss of financial data, having severe
impact on the companys brand
image
Overall Security enforcement in DH is
being worked upon. Loopholes are
being analyzed and documented.
2 Loss of employee details Encryption standards and system
security controls are being focused
upon.
3 Business plan DH is coming up with compliance in
BCP and DRP to ensure uninterrupted
business procedures.
4 Natural calamities like earthquake,
hurricane etc
There are no controls relevant to this
risk; neither are there any mitigating or
Exacerbating factors. DH Management
has accepted this risk. However BCP
and DRP are being focused upon to
ensure speedy recovery.
5 Water leakage may cause short-
circuit leading to eruption of fire.
There are no controls relevant to this
risk; neither are there any mitigating or
exacerbating factors. DH Management
has accepted this risk.
6 Unauthorized access control Controls 4.2 and 7.1 determine the
security measures against unauthorized
access. These policies are adhoc based
rather than on roles.
26

7 Denial of service attack via dummy
packets
Intrusion control measures have been
included in the control analysis
documentation. Intrusion Prevention
System (IPS) is yet to be implemented
in the system.
8 Masquerading access points Masqueraded access points are difficult
to detect and has often succeeded in
fooling the system users. No controls
so far have been effectively
implemented regarding this.
9 Spoofing Spoofing is the creation of TCP/IP
packets using somebody else's IP
address. DH firewall protects the
system from spoofing. However it fails
to give consistent resistance against
spoofing.
10 Tailgating Control 7.1 takes into account the
various risk factors against
unauthorized entry of people in
restricted entry zone. This control has
not been consistently followed posing
greater security threat.
11 Stored data manipulation Stored data can be manipulated by the
employees from the inventory. RFID
tracking and updating in the
corresponding system can help prevent
this. This strategy is yet to be
implemented in DH.
12 Power loss Power loss may result in loss of crucial
data from the system during the
process of transition. Proper backup
27

systems are being worked upon in
order to avoid this.
13 VPN account of ex-employee
compromised
Controls 4.1 and 7.1 are in place for
closing unneeded and unused user
accounts, but are not enforced.
A mitigating factor is that the risk
depends ongaining access to the client
application.
14 Hacking Hacking is difficult to prevent due to
various flaws present in DHs core
systems. Network security controls are
being enforced in DH.
15 Unencrypted password increases the
chances of security breaches in the
system
Effectiveness of controls requiring
encryption of passwords is low, as
these controls have not been followed.
16 Loss or theft of USB
compromise of
confidentiality of BFS
data
Effectiveness of controls prohibiting
storage of sensitive data on USB drives
is low, as these controls have not been
followed. Threat source capability is
high as such USB drives are frequently
lost or stolen.
17 Compromise of
unexpired/unchanged
passwords could
of confidential business data
Password management controls such as
changing password within certain
number of days, password should be
above specific length and should
contain mixture of alphabets, numbers,
special characters etc. are emphasized.
18 Lack of adequate physical security
leads to robbery which in turn leads
to physical injury.
Post signs stating that the cash register
only contains minimal cash along with
periodic patrolling by security officer
are emphasized.
28

6. RISK LIKELIHOOD DETERMINATION

The purpose of this step is to assign a likelihood rating of high, moderate or low to each risk.
This rating is a subjective judgment based on the likelihood that vulnerability might be exploited
by a threat.

Table F : Risk Likelihood Ratings
Risk no. Risk Summary Risk Likelihood
Evaluation
Risk likelihood
rating
1 Loss of confidential data There are adequate
protections implemented
to avoid this incident.
But it depends on the
occurrence and
compliance of core
security controls by the
organization.
High
2 Loss of staff details staff detail loss may be
not be that crucial to the
organization unless it
involves compromise of
data such as credit card
numbers etc.
Moderate
3 Business plan Business plan of DH can
be of immense value to
its competitors. It can be
of major utility to
sabotage its business
strategies thus leading to
fall in its market
High
29

positions.
4 Natural calamities like
earthquake, hurricane etc
There is no control
against these calamities
in DH, so the
effectiveness of controls
is low.
Low
5 Water leakage may cause
short-circuit leading to
eruption of fire.
There are no controls
against water damage to
DH from the wet-pipe
sprinkler system in the
event of a fire, so the
effectiveness of controls
is low. The likelihood of
fire in the DH is
moderate.
Moderate
6 Unauthorized access control Unauthorized access
control can lead to
confidential data loss or
theft. The likelihood of
this incident is moderate
in DH
Moderate
7 Denial of service attack via
dummy packets
The controls in place to
avert these attacks are
very poor. The
likelihood of this
incident is high in DH.
High
8 Masquerading access points Masqueraded access
points are difficult to
detect and has often
succeeded in fooling the
system users. No
High
30

controls have so far been
effectively implemented
regarding this. The
likelihood of this
incident is high in DH
9 Spoofing DH firewall protects the
system from spoofing
however it fails to give
consistent resistance
against spoofing. The
likelihood of this
incident is moderate in
DH
Moderate
10 Tailgating Controls against
tailgating/unauthorized
physical access have
been a neglect issue thus
posing greater security
threat. Such incident can
lead to data theft or loss
from the system due to
presence of intruders in
entry restricted zones.
High
11 Stored data manipulation Stored data can be
manipulated by the
employees or outsiders
from the inventory.
High
12 Power loss Power loss may result in
loss of crucial data from
the system during the
process of transition.
Moderate
31

Proper backup systems
are yet to be installed.
The likelihood of this
incident is moderate
13 VPN account of ex-
employee compromised
Effectiveness of controls
for closing user accounts
is low, as unneeded user
IDs exist on DH Threat
source capability is also
low as the risk is
dependent on learning a
user ID & password &
gaining access to the
client application. There
appear to be adequate
protections against this
risk.
Moderate
14 Hacking Due to lack of proper
system security control
implementation in DH,
hacking risks are always
on the greater side due to
presence of many
loopholes
High
15 Unencrypted password
increases the chances of
security breaches in the
system
Unencrypted passwords
or weakly encrypted
passwords are easily
hacked with less effort.
High
compromise of
Threat source capability
is high as such drives are
frequently lost or stolen
High
32

confidentiality of DH
data
USB.
17 Compromise of
unexpired/unchanged
passwords could
result in compromise of
confidential business data
Employees and system
users many a times do
not comply with
password compliance
norms leading to weak
system security.
High
18 Lack of adequate physical
security leads to robbery
which in turn leads to
physical injury.
No installation of panic
buttons, to notify
security officials
quickly, and no security
guard(s) can give way to
robbery.
Moderate

33

7 RISK IMPACT ANALYSIS

The purpose of this step is to impact rating of high, moderate or low to each risk
identified in Table C. The impact rating is determined based on the severity of the adverse
impact that would result from an occurrence of the risk.

Table G: Risk Impact Analysis
Risk
No.
Risk Summary Risk Impact Risk Impact
Rating
1 Loss of financial data, having severe
impact on the companys brand image
Image of the company is
hampered.
High
2 Loss of employee details Managing and collecting all data
again is difficult.
Moderate
3 Business plan Competitive rival may get the
companys plan.
High
4 Natural calamities like earthquake,
hurricane etc
Damaging the infrastructure of
the company
Low
5 Fire would activate the water sprinkler
system thereby causing water damage
It causes the sudden loss of
electricity at Dinny Hall or
shock circuit which hits the
computer
Moderate
6 Unauthorized access control Important data may be hacked
by hackers or some confidential
data loss of the company
Moderate
7 Denial of service attack via dummy
packets
Cyber-attack or may causes
viruses in computer which
corrupt the data or update wrong
data.
High
8 Masquerading access points Update the information store in
the system automatically by the
hackers from the access point.
High
9 Spoofing Unauthorized data sent to system
by gaining access through
firewall.
Moderate
10 Tailgating Unauthorized access to critical
work places leading breach of
confidentiality and security.
High
11 Stored data manipulation Manipulating data means
changes in data which is
important from confidentiality
point of view, bringing system in
danger zone.
High
12 Power loss Unsaved important data loss,
data corruption.
Moderate
13 VPN account of ex-employee It may be misused by ex- Moderate
34

compromised employee to steal confidential
data.
14 Hacking Viruses, malware creation which
corrupt data or update
unauthorized data
High
15 Unencrypted password increases the
chances of security breaches in the
system
Easily detected and hackers can
gain access to system.
High
compromise of
data
Loss of important confidential
data or stolen by the others rivals
or hackers.
High
17 Old passwords

Easily detected and can be
hacked by hackers.
High

18 Robbery Unavailability of adequate
physical security measures leads
to the occurrence of easy
robbery.
High

8 .OVERALL RISK DETERMINATION
The purpose of this step is to calculate an overall risk rating of high, moderate or low for
each risk identified in Table C. The risk rating must be based on both the likelihood of the risk
occurring and on the impact to the COV should the risk occur.
Table H: Overall Risk Rating Matrix
Risk Likelihood
Impact
Low (10) Medium (50) High (100)
High (1.0) Low Risk
(10 x 1.0 = 10)
Medium Risk
(50 x 1.0 = 50)
High Risk
(100 x 1.0 = 100)
Medium (0.5) Low Risk
(10 x 0.5 = 5)
Medium Risk
(50 x 0.5 = 25)
Medium Risk
(100 x 0.5 = 50)
Low (0.1) Low Risk
(10 0.1 = 1)
Low Risk
(50 x 0.1 = 5)
Low Risk
(100 x 0.1 = 10)
35

Risk Scale: Low(1 to 10), Moderate (> 10 to 50), High(>50 to 100)

Risk rating is assigned to each risk identified and as listed in Table C. The risk rating of
each individual risk was calculated using the guidance provided in NIST SP 800-30.
Table I : Overall Risk Ratings Table
Risk No. Risk Summary Risk Likelihood
Rating
Risk Impact
Rating
Overall
1 Loss of financial data,
having severe impact on the
companys brand image
High High High
2 Loss of employee details Moderate Moderate Moderate
3 Business plan High High High
4 Natural calamities like
earthquake, hurricane etc
Low Low Low
5 Fire would activate the
water sprinkler system
thereby causing water
damage
Moderate Moderate Moderate
6 Unauthorized access
control
7 Denial of service attack via
dummy packets
High High High
8 Masquerading access points High High High
9 Spoofing Moderate Moderate Moderate
10 Tailgating High High High
11 Stored data manipulation High High High
12 Power loss Moderate Moderate Moderate
employee compromised
14 Hacking High High High
15 Unencrypted password
increases the chances of
security breaches in the
system
High High High
compromise of
data
High High High
17 Compromise of
unexpired/unchanged
passwords could
High High High
36

of confidential business
data
18 Robbery Moderate High High

9. RECOMMENDATIONS

The purpose of this step is to recommend additional actions required to respond to the
identified risks in DH. The objective is to reduce residual risk to the system its data to a level that
is acceptable as defined by ISM.

Table J: Recommendations
Risk No. Risk Summary Risk Rating Recommendations
1 Loss of financial
data, having severe
impact on the
companys brand
image
High Financial data should be encrypted and not to
be accessed directly. Access controls should
be implemented. It should be accessible only
to registered financial employee.
2 Loss of employee
details
Moderate Employee data should be encrypted and
stored. Loss if any should be reported
immediately.
3 Business plan High Business employee should know about
business plan and they should not discuss this
plan with colleagues friends and/or relatives.
4 Natural calamities
like earthquake,
hurricane etc
Low Highly protected plan to prevent damage from
these natural calamities.
5 Fire would activate
the water sprinkler
system thereby
causing water
damage
Moderate None. Replacing the Wet-pipe Sprinkler
System in the Data Center is supposed to be
cost-prohibitive. Executive management has
elected to accept this risk.
6 Unauthorized access
control
moderate There should be only authorized access to
register employee. Control team should have
high control on the access.

7 Denial of service
attack via dummy
packets
High Risk management staff and the PSI support
team should analyze whether replacing the
existing Intrusion Detection Systems (IDS)
with an Intrusion Prevention System is a
cost effective response to this risk.
8 Masquerading access
points
High As an immediate step, the system support
team should disable the remote OS features.
As documented in planned controls, the
37

admin Risk management staff and support
team should work to develop a secure method
to allow remote access.
9 Spoofing Moderate The client software should be rewritten so
that clear-text user IDs & passwords are not
used in script and initialization files.
10 Tailgating High Ethical practices should be used by every
employee in the organization.
11 Stored data
manipulation
High Taking regular back-ups on a daily/hourly
basis as per requirements.
12 Power loss Moderate Backup power supply should be available.
employee
compromised
Moderate System admin should control and block the
accounts of ex-employees as soon as they
leave the organization.
14 Hacking High High security practices to block the hackers.
Network security applications should be
installed to detect hackers if any, existing in
the system.
15 Unencrypted
password
High Store data in encrypted format.
drives
High Admin should include the prohibition on
storing sensitive data on removable media
such as USB drives of the employees.
Security Awareness and training programs for
employees should be conducted.
17 Compromise of
unexpired/unchanged
passwords could
of confidential
business data
High The system support team should encourage
employees to change password regularly
within 30 days and keep strong passwords.
18 Robbery High Along with frequent guard patrolling, panic
buttons need to be installed so that employees
can notify the authorities quickly and easily.

10. RESULT DOCUMENTATION
The final step in risk assessment approach is to complete the Risk Assessment Matrix.
Risk Assessment once completed should be documented in an official report or management
brief. Management should take care to assign a priority to the recommendation, assign
responsibility, initiate responsibility and provide a date by which the implementation should be
completed.

38

Table K : Risk Assessment Matrix
Ris
k
No.
Vulnera
bility
Threat

Risk

Risk
Summary

Risk
Likeli
hood
Ratin
g

Risk
Impa
ct
Ratin
g

Ove
rall
Risk
Rati
ng

Analysis of
Relevant
Controls
and Other
Factors

Recommen
dations
1 Improper
handling
data of
finance
of
company
.
Loss of
confide
ntial
data
May
loss
Finan
cial
Data
some
impor
tant
financ
ial
legers
and
balanc
e
sheet
intern
ally.
Loss of
financial
data, having
severe
impact on
the
companys
brand image
High High High Overall
Security
enforcemen
t in DH is
being
worked
upon.
Loopholes
are being
analyzed
and
documente
d.
Financial
data should
be
encrypted
and not to
be accessed
directly.
Access
controls
should be
implemente
d. It should
be
accessible
only to
registered
financial
employee.
2 Unencry
pted data
and
detail of
employe
e
Unethic
ally
updatin
g
details
of
employ
ee.
Misus
e of
emplo
yee
details
Loss of
employee
details
Mode
rate
Mode
rate
Mod
erate
Encryption
standards
and system
security
controls are
being
focused
upon their
details.
Employee
data should
be
encrypted
and stored.
Loss if any
should be
reported
immediately
.
3 Accident
al
damage
to
business
A
situatio
n from
which
the
compan
y cant
Disco
ntinuit
y of
servic
es
Business
plan
High High High DH is
coming up
with
compliance
in BCP and
Business
employee
should
know about
business
plan and
they should
39

recover DRP to
ensure
uninterrupt
ed business
procedures.
not discuss
this plan
with
colleagues
friends
and/or
relatives.
4 Not well
planned
architect
ure of
company
Loss of
data
Loss
of
resour
ces
data
and
others
thing
which
is
impor
tant.
Natural
calamities
like
earthquake,
hurricane
etc
Low low Low There are
no controls
relevant to
this risk;
neither are
there any
mitigating
or
exacerbatin
g factors.
DH
Manageme
nt has
accepted
this risk.
However
BCP and
DRP is
being
focused
upon to
ensure
speedy
recovery.
Highly
protected
plan to
prevent
damage
from these
natural
calamities.
5 Water
leakage
Fire Confi
dentia
Fire would
activate the
water
Mode
rate
Mode
rate
Mod
erate
There are
no controls
None.
Replacing
the Wet-
40

near the
server
room
lity
and
integri
ty of
retail
data
sprinkler
system
thereby
causing
water
damage
relevant to
this risk;
neither are
there any
mitigating
or
Exacerbatin
g factors.
DH
Manageme
nt has
accepted
this risk.
pipe
Sprinkler
System in
the Data
Center is
supposed to
be cost-
prohibitive.
Executive
managemen
t has elected
to accept
this risk.
6 No
proper
access
control
employe
e
Lack of
access
control
can be
misuse
d
leading
to
incident
s such
as data
theft
etc
Confi
dentia
lity
and
integri
ty of
retail
data
Unauthorize
d access
control
Mode
rate
Mode
rate
Mod
erate
Controls
4.2 and 7.1
determine
the security
measures
against
unauthorize
d access.
These
policies are
ad hoc
based
rather than
on roles.
There
should be
only
authorized
access to
register
employee.
Control
team should
have high
control on
the access.

7 Poor
network
security
Weak
firewall
,
outdate
Confi
dentia
lity
and
Denial of
service
attack via
dummy
packets
High High High Intrusion
control
measures
have been
Risk
managemen
t staff and
the PSI
support
team should
41

d anti-
virus
etc
integri
ty of
retail
data
included in
the control
analysis
documentat
ion.
Intrusion
Prevention
System
(IPS) is yet
to be
implemente
d in the
system
analyze
whether
replacing
the
existing
Intrusion
Detection
Systems
(IDS)
with an
Intrusion
Prevention
System is a
cost
effective
response to
this risk.
8 Unsecure
Methods
remote
access
Multipl
e
access
data
Due
to this
the
data
will
shared
with
the
others
.
Masqueradi
ng access
points
High High High Masquerad
ed access
points are
difficult to
detect and
has often
succeeded
in fooling
the system
users. No
controls
have so far
been
effectively
implemente
d regarding
this.
As an
immediate
step, the
system
support
team
should
disable the
remote OS
features. As
documented
in planned
controls, the
admin
Risk
managemen
t staff and
support
team should
work to
develop a
secure
method to
allow
remote
access.
42

9 Encrypti
on
standard
is not
complian
t with the
PCI DSS
standards

wireles
s eve
droppin
g,
wired
eavesdr
opping,
spoofin
g, etc
may be
the
outcom
e of
exploiti
ng this
vulnera
bility
Confi
dentia
lity
and
integri
ty of
retail
data
Spoofing Mode
rate
Mode
rate
Mod
erate
Spoofing is
the creation
of TCP/IP
packets
using
somebody
else's IP
address.
DH firewall
protects the
system
from
spoofing
however it
fails to give
consistent
resistance
against
spoofing
The client
software
should be
rewritten so
that clear-
text user
IDs &
passwords
are not
used in
script and
initialization
files.
10 Physical
access
controls
not
practiced
Unauth
orized
people
access
in the
organiz
ation
Tailga
ting
and
hence
loss
of
confid
ential
data
Tailgating High High High Control 7.1
takes into
account the
various risk
factors
against
unauthorise
d entry of
people in
restricted
entry zone.
This
Ethical
practices
should be
used by
every
employee in
the
organization
.
43

control has
not been
consistently
followed
posing
greater
security
threat.
11 Not
proper
data
storage
Loss of
the
workin
g data
and
informa
tional
data
Rewri
te
again
whole
new
data
that
are
loss.
Stored data
manipulatio
n
High High High Stored data
can be
manipulate
d by the
employees
from the
inventory.
RFID
tracking
and
updating in
the
correspondi
ng system
can help
prevent
this. This
strategy is
yet to be
implemente
d in DH.
Taking
regular
back-ups on
a
daily/hourly
basis as per
requirement
s.
12 Hardwar
e -failure
Importa
nt
Confi
dentia
Power loss Mode
rate
Mode
rate
Mod
erate
Power loss
may result
Backup
power
supply
44

custom
er
confide
ntial
data
may be
lost or
corrupt
ed
lity
and
integri
ty of
retail
data
in loss of
crucial data
from the
system
during the
process of
transition.
Proper back
up systems
is being
worked
upon in
order to
avoid this.
should be
available.
13 VPN
accounts
of the
ex-
employe
es still in
use
Unauth
orized
access

Confi
dentia
lity
and
integri
ty of
retail
data
VPN
account of
ex-
employee
compromise
d
Mode
rate
Mode
rate
Mod
erate
Controls
4.1 and 7.1
are in place
for
closing
unneeded
and unused
user
accounts,
but are not
enforced.
A
mitigating
factor is
that the risk
depends on
gaining
System
admin
should
control and
block the
accounts of
ex-
employees
as soon as
they leave
the
organization
.
45

access to
the client
application.
14 Lack of
proper
security
practices
Accessi
ble to
hackers
.
Easily
access
ible to
hacke
rs.
Hacking High High High Hacking is
difficult to
prevent due
to various
flaws
present in
DHs core
systems.
Network
security
controls are
being
enforced in
DH
High
security
practices to
block the
hackers.
Network
security
applications
should be
installed to
detect
hackers if
any,
existing in
the system.
15 Custome
r
sensitive
data/pass
word
was also
stored
unencryp
ted.
Misuse
of
confide
ntial
custom
er data
Confi
dentia
lity
and
integri
ty of
retail
data
Unencrypte
d password
increases
the chances
of security
breaches in
the system
High High High Effectivene
ss of
controls
requiring
encryption
of
passwords
is low, as
these
controls
have not
been
followed.
Store data in
encrypted
format.
16 Disgruntl Work Confi Loss or High High High Effectivene Admin
46

ed
employe
es
place
violenc
e,
executi
on of
system
sabotag
e
dentia
lity
and
integri
ty of
retail
data
theft of
USB
drives could
result in
compromise
of
confidential
ity of DH
data
ss of
controls
prohibiting
storage of
sensitive
data on
USB
drives is
low, as
these
controls
have
not been
followed.
Threat
source
capability
is high as
such USB
drives are
frequently
lost or
stolen.
should
include the
prohibition
on
storing
sensitive
data on
removable
media
suchas USB
drives of the
employees.
Security
Awareness
and
Training
Programs
for
employees
should be
conducted.
47

17 The
transacti
on
systems
and other
network
connecte
d
hardware
devices
handling
sensitive
informati
on used
the same
usernam
es and
password
s across
DH
stores
nationwi
de
If the
hacker
gets
through
the
networ
k
security
walls of
one
system,
he can
do so
for
other
systems
too.
Confi
dentia
lity
and
integri
ty of
retail
data
Compromis
e of
unexpired/u
nchanged
passwords
could
result in
compromise
of
confidential
business
data
High High High Password
manageme
nt controls
such as
changing
password
within
certain
number of
days,
password
should be
above
specific
length and
should
contain
mixture of
alphabets,
numbers,
special
characters
etc are
emphasized
.
The system
support
team should
encourage
employees
to change
password
regularly
within 30
days and
keep strong
passwords.
48

18 Lack of
proper
physical
security
Robber
y
Mone
y and
other
assets
Lack of
adequate
physical
security
leads to
robbery
which in
turn leads to
physical
injury.
Mode
rate
High High Post signs
stating that
the cash
register
only
contains
minimal
cash along
with
periodic
patrolling
by security
officer are
emphasized
.
Along with
frequent
guard
patrolling,
panic
buttons need
to be
installed so
that
employees
can notify
the
authorities
quickly and
easily.

NIST Retail

Diunggah oleh

Informasi Dokumen

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

NIST Retail

Diunggah oleh

Hak Cipta:

Format Tersedia

Risk Assessment Report for Dinny Hall Retail Mart

Anda mungkin juga menyukai