RISK ASSESSMENT
FPSSB/IMS/REC/RISK-001
Template Version: 1.0
Service Risk Register Risk Treatment Plan
Risk Owner Service Service Component Threats Vulnerabilities Risk Description Risk ID Control Annex Current Control Risk Treatment Controls to be implemented Target Risk Level
IT Governance
IT Service Management Team Project Sponsor
Staff shortage Lack of commitment, resignation, and unavailability Unable to maintain certification, A 5 1 5 Attend all SMS-related meetings, workshops and training Treat Progress update to Management Meeting L
Long leave (accident /illness) Lack of back-up person to approve ITSM documents. Delay, I 3 1 3 Train backup Accept Buddy System L
Service Management Representative Staff shortage Unable to maintain certification, A 3 1 3 Treat Progress update to Project Sponsor. L
Document Controller
Staff shortage Lack of knowledge, experience and commitment, resignation Unable to maintain certification, A 5 1 5 Assign backup person Treat Use tool (ISO Portal) L
Long leave (accident /illness) Lack of back-up person to maintain the process Unable to maintain certification, A 5 1 5 Assign backup person Treat Use tool (ISO Portal) L
Human error Lack of knowledge and experience Unable to maintain the process, C,I 5 1 5 Attend workshop or training Accept L
Process Champions & Team Members Staff shortage Lack of knowledge, experience and commitment, resignation Unable to maintain the process, A 5 2 10 Treat L
Long leave (accident /illness) Lack of back-up person to maintain the process Unable to maintain the process, A 5 1 5 Assign Process Team Member Treat L
Service Desk Agent wrongly assigning ticket Lack of knowledge and experience Causes delay in re-assigning ticket A 3 3 9 Treat L
IT Service Management Tools
CMDB Data loss, Data integrity Manual control for ERP & BA Data corrupted, lost track of latest version of Excel files. A, I 4 1 4 Backup, scattered file locations Treat Backup, centralized storage for Excel master files L
EDMS System not accessible Server failure, no backup performed regularly System not accessible, data corrupted. A, I 3 1 3 Maintain hardcopy Treat ISO Portal will take the place of EDMS in 2013 L
Service Desk System not accessible Lack of maintenance System not accessible. A 5 2 10 Perform regular monitoring and maintenance. Treat L
IT Service Management Documents
ISO Documents Loss of documents Lack of document maintenance Unavailability of documents. A 5 1 5 Perform regular checking and updating Treat Regularly update and review the documents L
ISO Records Loss of records Lack of record maintenance Unavailability of records. A 5 1 5 Perform regular checking and updating Treat Regularly update and review the records L
Network
Hardware (Network Equipment / Servers) Hardware failure Lack of maintenance Network services are inaccessible. A 3 2 5 Perform regular maintenance Transfer 45%
Hardware (Network Equipment / Servers) Hardware failure Susceptibility to voltage variations Network services are inaccessible. A 3 2 5 Regular check by Network Team / OSS Treat Periodic checks and updates by Network Team / OSS 45%
Hardware (UPS) Battery dries out Lack of maintenance A 3 2 5 Perform regular maintenance Treat 45%
Hardware (Structured Cabling) Water leakage and pests attack Lack of periodic building maintenance and pest control Network is intermittent or inaccessible. A 1 1 2 Regular check by FES Transfer Periodic updates by FES. 10%
Network Administrator System hacked Poses a security threat C, I, A 3 2 5
Software Unauthorized access Lack of maintenance and poor password management Network services are inaccessible. A 3 2 5 Perform regular maintenance Treat 45%
Managed IPVPN Router, ISDN Backup IPVPN/IPVPN Value Failure Lack of maintenance Network services are inaccessible. A 3 3 6 Perform regular maintenance Treat 50%
Managed VSAT IDU, ODU, Router, Modem VSAT Failure Lack of maintenance Network services are inaccessible A 3 3 6 Perform regular maintenance Transfer 50%
Managed CCTV surveillance
Storage server down and camera faulty. Lack of maintenance CCTV unable to operate A 3 3 6 Perform regular maintenance Treat 45%
Network Network failure Lack of network maintenance CCTV unable to operate A 3 2 5 Regular check by Network Team Treat Check network availability & performance 45%
Electricity Power failures. Susceptibility to voltage variations CCTV unable to operate A 3 2 5 Regular check by FES Treat Backup power must be on standby 45%
Malfunction Controller or Card reader. Lack of maintenance C, A 3 3 6 Perform preventive maintenance Treat 45%
Network Network down. Lack of network maintenance C, A 3 3 6 Regular check by Network Team Treat 45%
Electricity Power failures. Susceptibility to voltage variations C, A 3 3 6 Regular check by Network Team / FES Treat Backup power must be on standby 45%
Managed LAN Core Switch, Access Switch
Core switch failures Lack of network maintenance Network services are inaccessible A 3 2 5 Regular check by Network Team Treat 45%
Unauthorized access Misconfiguration System being hacked and information stolen by attackers C, I, A 3 3 6 Regular check by Network Team Treat 45%
Field Services Hardware Services & Support
PC Windows OS / Software (MS-Office )
C, I, A
Program error
C, I, A
Email Program Spam
A
PC Hardware HDD failure C, A
Printer Printer error / Cannot print A 1. Preventive maintenance
Basis User Authorisation and Administration Asset Management Asset Rental
Data Centre Data Centre Management Generator Set
No redundancy for Genset at Wisma Felda
A
UPS A
SKB IBM i570 machine SKB system not available or compromised Felda group business operation interrupted A
SKB IBM DR i570 machine SKB system not available or compromised Cannot provide business continuity in the event of a disaster. A To develop SOP - 'backup process'
Air cond unexpected downtime 3 out of 4 units are very old (more than 10 years) A
Managed Enterprise Services E-mail Server
Hardware failure Email services inaccessible. A 3 1 3 Treat L
Power failure Susceptibility to voltage variations Email services inaccessible. A 3 2 6 Maintain Datacenter UPS Transfer Periodic checks and updates Datacenter UPS L
Network failure Lack of network maintenance Email services inaccessible. A 3 3 9 Perform regular monitoring and maintenance Treat L
Risk ID key: A = Availability, C = Confidentiality, I = Integrity. Impact / Severity (score 1-5). Probability / Likelihood (score 1-5). Result of Risk (total score).
Lack of knowledge, direction, experience and commitment, resignation Perform regular monitoring by Project Sponsor and Consultant
Perform regular monitoring by SMR and DC. Attend SMS
workshop or training Progress update to SMR and DC. Encourage for ITIL certification
Perform regular monitoring by SMR and DC. Attend SMS
workshop or training Progress update to SMR. Encourage for regular awareness
Monitor, check and reporting. Perform quarterly maintenance. Plan to change to a new system ITIL compliance
Managed Network & Desktop Services
Continuous monitoring, checking and reporting. Engage vendors for maintenance
Network services are inaccessible when there is no electricity. Monitor, check and report. Introduce IP-based UPS system
Lack of competence in monitoring day-to-day network activities and the security of the systems
Manager alerts, evaluates and verifies new software updates.
a) Not guaranteed - based on best effort a) Sign up SLA with Telekom (max 2 days resolution) b) NMS software to monitor Hardware a) Storage Server b) Camera
a) Monitoring and maintenance checking on a daily, monthly and yearly basis to ensure sustained operation. b) Troubleshoot server
c) Preventive maintenance (SLA) d) Disaster recovery e) Check network availability & performance f) Reset camera's power & network cable g) Repair or change camera
Managed Door Access Security System
Hardware a) Server b) Controller c) Card reader
Failed delivery of attendance data to server (TMS and SAP) due to malfunction of Controller or Card reader
a) Preventive maintenance (twice a year) to make sure all hardware and software are in good condition b) Repair or change controller or controller's power & network cable
c) Reset or change card reader
Data stuck or pending at controller and not transferred to server, so the server is not updated with the latest data and there is no access report.
a) Check network availability & performance b) Check and reset communication converter c) Change communication converter (faulty)
System will fail to function (i.e. door not secure) after battery backup runs out
a) Sign maintenance agreement with vendors b) Use Network Management System (NMS) software to monitor daily activity a) Implement Intrusion Prevention System (IPS) b) System penetration test 1. Virus attack
2. Antivirus installed cannot communicate with server (not connected to Felda network)
1. Antivirus software not updated 2. Antivirus agent corrupted
3. No scanning for external devices, i.e. pen drives 4. Stand alone / Streamyx
1. Execute with Symantec Endpoint installation to FGC.
2. Install new updates / set user PC or notebook unmanaged (live update from internet). Too many unauthorized software/applications installed in the
user's place 1. To make sure only authorized software approved by management is installed on the user's PC
2. To ensure Symantec Gateway always filters incoming email and eliminates spam.
3. Blue Coat Implementation
To ensure Symantec Gateway always filters incoming email and eliminates spam. 1. PC not properly shut down
2. Old hardware 1. Propose file server 2. Backup to keep at external device 3. Install
UPS at critical PCs. 4. Preventive maintenance 1. Missing driver
2. Printer cable loose
All equipment in the computer room will be down after about 30
mins 1. To ensure that FESSB maintains and tests the genset periodically
2. To move Data Centre to a different location More than one UPS module breaks down at the same
time (currently 3 x 30 KVA) When any one UPS module fails, the same servers have to be shut down. 1. To replace UPS battery every year. 2. To get new UPS for backup
3. To prepare a listing of less critical servers To have in place a real-time online disaster recovery plan
1. To sign maintenance contract 2. Monthly service Hardware monitoring and sign hardware maintenance
contract Hardware monitoring and sign hardware maintenance contract
Monitor, check and report. Perform monthly maintenance
Program errors(Logic & formula) Wrong reports produced, Competent programmer Reports A 3 2 6 Treat M
System Maintenance & Support End user could not perform daily tasks in an appropriate manner System errors and not functioning as usual. A 3 2 6 Treat L
Consultation Service
Lack of latest technology update System or program is inaccessible A 3 2 6 Transfer L
Integration Service
Wrong reports produced, Competent programmer C,I 3 2 6 M
3rd Party Outsourcing
Rely on Vendor Lack of support from Vendor Creating the risk of delivery disruption or failure A 3 2 6 Transfer M
Enterprise Content Management
A,C,I 5 3 15 Treat M
ABAP Program errors (logic & formula) Wrong reports produced, Competent programmer Impact on Cmp/unit Business Operation A 5 3 15 System Landscape (Dev,QAS,Prd) Treat Send ABAPers to ABAP training. M
Plantation Applications
Lack of monitoring by the Server Team Unable to retrieve latest data from SAP/RML C,I 5 3 15 Restart service ASAP when connectivity is restored Transfer Always monitor the condition of the servers. M
Weighbridge & Mill Applications
Unauthorized personnel misuse the confidential information Security access control (authorization) C,I 5 3 15 Authorization matrix Treat To strengthen authorization M
Enterprise Transport Management
Lack of monitoring by the Network/Server Team Impact on daily business operation and company's profit. A,C,I 5 3 15 Treat To suggest the best method of communication line M
Website & Portal IIS stops functioning Lack of monitoring by the Server Team Application will not function. C, I 5 3 15 Transfer Always monitor the condition of the servers. M
Technology Integration Solution (TIS)
C,I 5 3 15 M
New Dimension Product (NDP)
C,I 5 3 15 Treat M
Others Applications
Rely on Vendor Lack of support from Vendor Creating the risk of delivery disruption or failure A 3 3 9 Transfer To choose preferred vendor by technical evaluation. L
3rd Parties Applications
Rely on Vendor Lack of support from Vendor Creating the risk of delivery disruption or failure A 3 3 9 Transfer To choose preferred vendor by technical evaluation. L
ERP Consulting
Wrong transport. Wrong configuration A,C,I 3 1 3 Testing in QAS before transport to PRD. Treat L
Misconception Requirements from user are not clearly configured and analysed. A,C,I 4 4 16 User acceptance testing. Treat M
Misconception Requirements from user are not clearly configured and analysed. A,C,I 4 4 16 User acceptance testing. Treat M
System not accessible Server failure, no backup performed regularly System not accessible. C,I 5 1 5 Perform regular monitoring and maintenance. Treat L
System not accessible Server failure, no backup performed regularly System not accessible. C,I 5 1 5 Perform regular monitoring and maintenance. Treat L
A,C,I 5 1 5 Perform regular monitoring and maintenance. Treat L
Training
Lack of trainer. Trainer not ready for training. A 1 1 1 Senior will replace trainer and junior will join the training. Treat L
Create/Maintain Master Data
Late creation or double creation. A,C,I 1 1 1 Do verification with user. Confirm all the relevant details. Treat L
System support
Slow speed at peak time. A,C,I 5 5 25 Ensure server runs at maximum availability. Treat M
HR & Admin Administration
Building (Computer Lab, Server Room) - Rent Not enough space / insufficient space for staff/servers
Telephone/Fax Breakdown of Communication with customer Telephone and fax system breakdown. Upgrade Red Tone System
Receptionist/ Telephonist EL / MC & Notice 24 Hours Replacement staff. Standby staff to perform the task
Human Resource
Staff SAP Improper Job Handover / specialist
Management Job handover/ specialist 24 Hours Notice Succession plan in place & submitted to FHB
Internal Staff Transfer Unauthorised access (SAP ID, restricted area)
Temporary Access Card
All Administrative
Documentation Unauthorised access to documentation Lack of proper place to store the documents Documents may not be accessible efficiently. A, C, I 3 1 3 Regular updates of documents and knowledge base Treat Request proper room to store documentation. L
Documentation Unable to perform tasks efficiently Lack of proper documentation and policies in place A 3 1 3 Regular update of SOP Treat L
Personnel Human errors Lack of training or incompetent staff A, C, I 4 2 8 Knowledge sharing when any issue is discovered Treat L
Personnel Operation degraded High rate of turnover Unable to provide excellent services. A 4 4 16 Transfer Discussion with HR for Staff Retention Program M
Number of risks by Matrix
Number of Risks in High Risk Zone: 12
Number of Risks in Moderate Risk Zone: 39
Number of Risks in Low Risk Zone: 10
Total Number of Risks: 61
Business Application (IT Services New Request) System Development / Implementation Hardware • Software • System interfaces • Data and information • People • System mission
Only authorised persons have access rights. A change request (CR) should be established for any program change.
1. User acceptance test (UAT) and training shall be conducted and signed off by the user. One of the scopes of project implementation.
2. Unauthorized change to the program (ABAPers & programmers)
3. Send ABAPers/programmers to attend training 1. Data not keyed in on time
2. Program errors (logic & formula) A change request (CR) should be established for any program change.
Reports could be produced in a timely manner due to delay in posting.
FPSSB will make sure all users who use the system get enough training before they can start using the application.
1. Program errors (logic & formula) 2. Communication line not stable 3. Data corrupted
1. Application will not function 2. System will be slow
1. Monitor by Server Team 2. Replace or repair the file that has been corrupted 3. Re-register DLL 4. Antivirus update 1. Treat 2. Replace 3. Treat 4. Treat
1. Monitor the condition of the server 2. Replace or repair the file that has been corrupted
3. Re-register DLL 4. Monitor antivirus update
Developers need to ensure their software meets the highest standards for quality from vendor
User acceptance test (UAT) and training shall be conducted and signed off by the user. One of the scopes of project implementation.
1. Web Application Server stops functioning
2. Storage full 1. Patches not up to date 2. Not well monitored 1. Application will not function 1. Monitored by Server Team
2. Monitored by Functional Team Perform daily health check / monitoring of the condition of the server
Business Application (Existing Application System)
Server /Internet Service down, Hardware • Software • System interfaces • Data and information • People • System mission
Lost connectivity to SAP/AS400 servers
1. Security and control of access to system. 2. Misuse of information 1. Network failure 2. Databases corrupted 3. EIS Server failure
1. Monitored by Server Team 2. Restart server 3. System monitoring by BA team. 4. Train and expose new staff Only the Server Team is able to directly access and look into the server.
1. IIS stops functioning 2. Data corrupted 3. DLL library not functioning well 4. Virus
1. Not well monitored
2. Program not properly stopped (while a process was still running).
3. Related to the OS 4. Antivirus not up to date or not functioning
1. Application will not function 2. System will be slow
1. Monitor by Server Team 2. Replace or repair the file that has been corrupted 3. Re-register DLL 4. Antivirus update 1. Treat 2. Replace 3. Treat 4. Treat
1. Monitor the condition of the server 2. Replace or repair the file that has been corrupted
3. Re-register DLL 4. Monitor antivirus update 1. Web Application Server stops functioning
2. Scanner problem 3. Storage full
1. Patches not up to date
2. Not well monitored 1. Application will not function 1. Monitored by Server Team
2. Monitored by Functional Team Perform daily health check / monitoring of the condition of the server
Developers need to ensure their software meets the highest standards for quality from the vendor.
SAP ECC 6.0 / SAP Customized – Configuration Management
SAP PRD SAP QAS SAP DEV ESS, MSS Non SAP Application
Transport number left out. New staff doing configuration. Staff left out some configuration steps.
If configuration is wrongly transported or done, PRD might have problems, especially when it involves daily routines like printing invoices, cheques, the delivery process, etc.
Re-configure or re-transport if there should be any problem. Test again in QAS before transport to PRD.
SAP ECC 6.0/ SAP Customized – Enhancement Management
If the requirement from the user is not clear and the functional team misconceives the user's demand, the enhancement is not accepted by the user even though confirmation with the user has been done.
Meet the user to gather the requirement clearly and get the user's confirmation of the request.
SAP ECC 6.0/ SAP Customized – Program Change Management
If the requirement from the user is not clear and the functional team misconceives the user's demand, the enhancement is not accepted by the user even though confirmation with the user has been done.
Meet the user to gather the requirement clearly and get the user's confirmation of the request.
SAP ECC 6.0/ SAP Customized – ESS integration with SAP ECC6 system
Monitor, check and reporting.
SAP ECC 6.0/ SAP Customized – MSS integration with SAP ECC6 system
Monitor, check and reporting.
SAP ECC 6.0/ SAP Customized – Integration between other systems with SAP ECC6.0 (Non-SAP)
Integration system down. System cannot be accessed. Power failure. Most probably for scheduled jobs that integrate between Non-SAP and SAP systems.
Whenever the scheduled job fails to run, the information and data from the non-SAP system, such as WBS, need to be interfaced manually.
Monitor, check and reporting.
Trigger for crash course training, or whenever there is a period when staff are on leave.
Staff still not competent to give training, especially for new staff. No staff to provide training, as the number of staff is insufficient to fulfil two services: system support and training.
Junior trainers need to undergo relevant training to build up the competency to conduct training.
Data duplicated by keying in data entry in SAP without checking first. Missing details to ease the creation. New staff don't know the procedure.
If details of master data are not completely provided, buffer time will increase as the info needs to be gathered from the user along with any other relevant data.
Check the master table before creating new master data. Check that all relevant info is sufficient to create the new master data. Make sure every staff member understands and follows the SOP.
Daily routines cannot be carried out, e.g. printing cheques, invoices, delivery process, etc. Sometimes at peak times (closing) some processes do not perform as expected.
During peak time the server needs to provide the most usage at practical speeds. Ask to shift location / Too many user trainings at one time (not enough lab) / Staff growth. a. Additional rented space. - Technical staff transfer to City 1 - Project rooms transfer to Anjung
Unanswered calls (15-25 calls) will affect the company's reputation.
1. 24 Hours Notice
2. Senior/certified staff resign a. Ensure support staff have equivalent knowledge and skill (increase competency).
b. Document all activities and projects. c. Work with Prodata's subsidiaries
Confidential documents/information might be stolen by an unauthorized person 1. Staff to conduct job handover 2. Fill in HR007 form (Inter-Departmental Staff Transfer Form) 1. The staff (Security) changed without the written approval.
2. Admin did not raise a request to extend the expired access card.
1. Admin shall remind the respective Head of Unit of the expiry of the access card. 2. If necessary, the Head of Unit shall fill in the HR05 Form to extend the access card.
New staff may find it difficult to understand and perform the daily operational work. Centralize and integrate SOPs into an online knowledge base with backup.
Insufficient training / knowledge / experience in managing the tasks.
Email on an ad hoc basis when any issue and its possible solution is discovered. Update the internal knowledge base. Existing team member to take over the job until the new