IT Risk Registration Form

Business Unit : Information Technology

Division : Technology Application
Risk Area : Physical & Environmental Security Management
Created By : Kean Chanrith

No. Risk Name Risk Nature Consequence Cause Likelihood Implication Recommendation Remedial Action Severity Risk Owner

1 Shortcomings of Natural disaster risk can be
Location Selection happened and destroy or damage
& Survey for the the critical system such as flood,
critical system in earthquakes.
term of physical
and environmental Man-Made Disaster risk can be
security happened such as the area where
management. the possibility of riots, strikes,
explosions and fires.
Infrastructure risk can be happened
due to non-standard electrical
installation, consumption.
Sole purpose risk can be happened
as the data center or critical system
room/building shared with others
due to cost concerned.
Cause to damaged critical
system, facility, operation and
financial lost. Significant data
can be lost and can't be
restored in case of no DR site,
Full HA and full data backup
with replication method.
Lack of Site and Location
Selection Procedure and Survey
for the data center/critical
system location.
Weakness of Project
Management.
Weakness of sustainable safety
Compliance.
3 Risk of data lost and recovery
could not be mitigated in case
of no full HA.
Risk of operation failure and
financial lost could not be
mitigated in the acceptable
periods.
Risk of reputation lost could not
be mitigated in the mindset of
customers and stakeholders.
Head of IT, Project Manager and Top
Management is to ensure below:
1. Establish and well implementation on the
site/location selection for the data center/
critical system to protect against damage from
natural or man-made disasters such as fire,
flood, explosion etc.
2. Protect critical infrastructure and resources
from temporary losses of power or surges.
3. Setup Policy and Procedure to montior and
evaluate the project properly.
4. Emergency and DR drill must be regularly 4. Analyze the performance of all the emergency
conducted with proper procedure and records drill.
maintained.
Head of IT, Project Manager and Top management 4 Head of IT
need to: Project
Manager
1. Enguage qualified vendor, engineer, Insurer to Top
study the details on the site/location selection by Management
identifying the hazards and possibilities for the data
center/critical system before implementing.
2. Proper arrangement of power backup
(generator) with enough capacity to survive the
continuity of system with standard requirements.
3. Establish independant committee to control and
evaluate the project.

2 Shortcomings of Unsafe perimeter for the data
Perimeter Security center or critical system/server
for the data center room.
or critical system
room/building. Lack of surveillance system and
alarm system.
Unsafe Windows, doors and
Computer Room Placement.
Poor Access Points Management.
3 Unsafe Poor design of Computer server
environmental room with access control, non-
conditions for the fireproof or non-fire rated wall.
data center or
Computer Server Improper installation of firefighting
Room and fire prevention tools for the
server room.
Environmental hazard due to lack of extinguising equipments and
humidity control for the server room. also damage the critical
Unsecured Server room that share
space with others if the space is
being leased.
Unauthorized people is easily Weakness of facility security
to access data center or especially low height of fense
critical system/server room at (at least 20 feet) with guard
any time. points at each perimeter
access point.
Lack of evidence in case of
accidents happened. Weakness of CCTV installation,
monitoring for the surrounding
Data Leakage in case of of facility and critical points.
intrusion.
Weakness of facility
Lost or Damage to critical management especially
system/server in case of housekeeping that can block
intruision. the surveillance system (CCTV).
Weakness of Access points
Management especially lock
mechanism for authorized
personnel to access data
center and critical system
room.
Unauthorized people easily Weakness of server room design
access to the computer room. with standard requirement (non
compliance).
Nearby fire caused to spread
flames and damage the Lack of site/location analysis for
critical system. the physical security.
Can't set out fire if wrong fire Lack of fire code compliance.
Lack of environmental hazard
system. awareness and technical
standard for server room
Can't handle the incidents if management.
lack of automatic fire
suppression system. Lack of Access Control and
Physical access Policy and
Environmental hazard cause to Procedure.
damage or burn the system
(humidity control).
4 Risk of system
destruction/damage by intruder to:
that could not be mitigated
Risk of data leakage by the
system compromise or stolen that
could not be mitigated.
Risk of lost reputation and
business integrity with customers 3. Install sufficient surveillance (CCTV) for the
and stakeholders.
Risk of lack of evidences in case
of incidents happened that
could not be mitigated.
4 Risk of system
destruction/damage/stolen and
data leakage in case of
unsecured access, fire and
environmental hazards.
Risk of financial lost, reputation
lost with customers and
stakeholders when fire
happened.
Head of IT, Security and Top management need
1. Establish and well implementation of
Perimeter security for the facility.
2. Conduct regular training on the physical
security of building / Room access control.
facility and regularly monitor with records
maintained.
4. Better housekeeping to ensure that installed
CCTV are free from obstruction.
5. All access points are guarded or equipped
with secure access control mechanism.
6. Setup and Implement Incident Reponse and
Handling management policy and team and
reguarly conduct the training to them.
Head of IT and Top Management need to:
1. Each Computer Server Room should have
redundant access to Power, Cooling and
Networks.
2. there should be at least an 18" access to floor
to provide for air flow and cable management. 2. Proper and adequate instalation of firefighting
Computer Server room should have air filtration equipments following by International Fire Code.
with humidity control.
3. Correct type of fire extinguishers (FM-200)(
should be in place and automatic fire
suppression with centralized alarm system must 4. Site and Location Selection Policy for Server
be in place.
4. Computer Server Room shall be designed with
standard requirement especially fire-proof or fire
rated wall.
Head of IT, Security and Top Management shall: 4 Head of IT
Head of
1. Engage contractor to build secure perimeter for Security
the data center/critical system room/building. Top
Management
2. Install surveillance system (CCTV) and Alarm for
the surrounding of facility and ensure that CCTV
system is not compromised by lacking of vendor
management.
3. All windows, doors to access the data
center/critical system room are secured with
proper access control.
4. Ensure appropriate defence against intruders or
unauthorized colleagues
Head of IT and Top Management Shall: 4 Head of IT
Top
1. Setup secure and proper server room followed Management
by technical standard or requirement to ensure the
safeguards of critical system with fire proof or fire
rated wall.
3. Setup Temperature Management Policy for the
Server Room to prevent environmental hazard.
Room must be in place.

System compromise, attack,

stolen if server room shared the
space.

Page 1 of 2
IT Risk Registration Form
Business Unit : Information Technology
Division : Technology Application
Risk Area : Physical & Environmental Security Management
Created By : Kean Chanrith
No. Risk Name Risk Nature
4 Poor security Poor implementation of access
program for the control the restricted area.
Access control
Lack of Vendor Management on
Access Control Procedure.
Lack of Segregation of Duty with
multiple access to Critical Server
Room.
Lack of Intrusion System and
Communicated Device.
Poor Incident Response and
Handling Management Procedure
and Team.
5 Disaster Recovery Lack of Disaster Recovery Plan
Failure (DRP)
Lack of Regular DR exercise or drill
Lack of Security Training and
awareness on the DR Drill.
6 Power Supplies fail • Server will shut down.
Software can broken.
7 No Power Supplies • Server will shut down.
Software can broken.
8 Overheating The temperature can be high or low • Is able to make hardware
at any time that make our server
broken.
9 No Smoke Fire or smoke can occur at any time
alarm/detector that make our building or server
destroyed
10 Lighting • Server will shut down.
Software can broken.
Consequence
Unauthorized Access to data
center or critical system room
by unauthorized employees,
guests and vendors.
Data Leakage or system
compromise by unauthorized
employees, guests and
vendors.
Non-responsibility by multi-
authorized personnel
(segregation of duty) to access Lack of Incident Reponse and
the critical system.
Out of control for the incident
response.
Operational failure because of Poor setup or Lack of Disaster
poor or lack of DRP.
Lack of measurement of DR
performance.
Lower performance of
operation when real Disaster
Recovery failure.
• Affect on business operation
such core banking…
• Affect on business operation
such core banking…
and software of server broken
• Loss of information asset
• Is able to make hardware
and software of server broken
• Loss of information asset
• Affect on business operation • Inadequate lighting for
such core banking…
Cause
Lack of Access Control Policy
and Procedure or Poor
Implementation of Access
Control Policy and Procedure.
Poor Vendor Management on
the Access Control, SLA and
NDA.
Lack of Intrusion Alarm system
for the critical points of facility.
Handling Management
Procedure and Team.
Recovery Plan (DRP) Policy and
Procedure.
Poor implementation of DR
exercise due to management
overlook.
• Component or Circuit failure
Device stop working
• electricity cut-off or primary
power source loss
• No system to maintain a
consist engine temperature
such cooling system or heat
detector
• Mistake from users
• Technical Error
external and internal doors,
windows, gates, fences and
parking areas
Likelihood Implication
5 Risk of Data leakage, System
Compromise, destruction and
stolen by unauthorized person
(employees, guests, vendor).
Risk of late response on the
incidents that happened due to personnels.
lack of intrusion alarm system,
BOD and DA.
5 Risk of data lost and recovery
could not be mitigated in case
of no full HA.
Risk of operation failure and
financial lost could not be
mitigated in the acceptable
periods.
Risk of reputation could not be
mitigated in the mindset of
customers.
2 • Never perform testing or
checking
2 N/A
5 • Can't control the temperature • Cooling system or air-conditionair or heat
2 • No device to alert staffs at
different floor to know when
smoke ocurred.
2 • No back-up generators or
alternative power supplies to
ensure constant lighting during
any disruption to local power
supplies
Page 2 of 2
Recommendation Remedial Action Severity Risk Owner
Head of IT, Security and Top management need Head of IT, Security and top management shall: 4 Head of IT
to: Head of
1. Limit the number of entry points. Security
1. Establish and well implement of Access Top
Control Policy and Procedure with reguarly 2. Force all guests to go to a front desk and sign in Management
conduct training and awareness to relevant before entering the environment.
3. Reduce the number of entry ponts even further
2. Enguage with qualified supplier/vendor on the after hours or during the weekend when not as
installation of intrusion alarm system and ensure many employees are around.
that all installed system are verified with
hardening checklist. 4. Have a seurity guard validate a picutre ID before
allowing entrance.
3. Setup Computer Incident Response and
Handling Management Policy with structural 5. Required guests to sign in and be escorted.
team and detailed roles and responsibility of
each member. 6. Encourage employees to question strangers.
Head of IT and Top Management need to: Head of IT and Top Management shall: 4 Head of IT
Top
1. Ensure that DRP is in place and well 1. Proper selection of DR site by technical standard Management
implemented. or requirement.
2. Conduct the DR exercise regularly with 2. Setup and Implement DRP to ensure the
performance evaluation and records continuity of service operation.
maintained.
3. Regularly conduct the DR exercise as per stated
in the policy and guideline.
• Should porform testing as monthly or quarterly 2 IT Security
basic.
• All servers should have a UPS to provide a short- • UPS are in place to provide a short-term 2 IT Security
term in event of a primary power source loss. uninterruptible power supply to facilitate an orderly
shutdown of the information asset.
5 IT Security
detector should be properly installed.
• Smoke detector or alarm should be properly 1 IT Security
installed.
• Adequate lighting inside and outside • Plans in place to maintain and repair equipment. 2 IT Security
• Where appropriate the use of back-up
generators or alternative power supplies to
ensure constant lighting during any disruption to
local power supplies