The National Technical Authority for Information Assurance
 
  ABOUT US   PRODUCTS & SERVICES   PUBLICATIONS   POLICY & TECHNOLOGIES   FIND A .....
Policy development

Business Impact Levels (pdf)

IS1 Risk Tool Worksheet

 
 
IS1 Risk Tool Worksheet

Welcome to the IS1 Risk tool v1.0.11 (03/07/08)

This Standard is HMG's approved technical risk assessment and risk treatment method for ICT Systems. It is also a supplement to the Manual of Protective Security (MPS)

It is a baseline requirement that organisations bound by MPS use this Standard as their agreed method for technical risk assessment and risk treatment of information systems. However, the Standard may also be applied, at the organisation's discretion, across a broad range of business contexts in both the public and private sectors.

Please note that this IS 1 tool contains macros and has been tested within CESG (using Microsoft Excel 2000).
These macros have to be enabled for the tool to work.



User Instructions

These instructions can always be access via the worksheet. In many of the form title cells there are excel comments available explaining the meaning or use of data.
  1. Select the classification of the Risk assesment, this will be put on any pages that are printed. This can be change at any time by coming back to the 'Intro' sheet.
     
  2. When you are ready to start click the button below labelled "Click Here to Begin", this will take you to Form 1.
     
  3. Fill out Form 1 by double clicking on the different boxes and then entering in your data. To add a new line click the button labelled "Add New Line". There are drop down menus for the Impact Levels, however you may type in the number if you prefer.
     
  4. When you have completed Form 1 click on the button labelled "Next" to be taken to Form 2.
     
  5. In Form 2 you may add a new line by clicking on the button labelled "Add New Line". Fill out the Form by Double Clicking on the boxes and entering the data. There is no need to fill in the Threat Level column as this is calculated for you by filling in the rest of the details and then clicking on the button labelled "Calculate Threat". If you make any changes to Capability, Motivation or Clearance data, the "Calculate Threat" button will have to be clicked again to recalculate the Threat Level.
     
  6. When you have completed Form 2 click on the button labelled "Next" to be taken to Form 3.
     
  7. In Form 3 you may add a new line by clicking on the button labelled "Add New Line". Fill out the Form by Double Clicking on the boxes and entering the data. There are drop down menus for the Impact Levels however you may type in the number if you prefer.
    The assets you specify in a comma delimited list will determine the max impacts. By default all assets are selected. You can modifiy this list and update the max impacts by clicking on the Update Max Impacts button. When you have completed Form 3 click on the button labelled "Next". This will generate a number of Form 4s equal to the number of FoI's you have identified in Form 3.

    NOTE : It is important that Form 3 is completed fully as any changes made after the Form 4's are created, will require any forms after 3 to be deleted.
     
  8. In Form 4 click on the check boxes on the left hand side of the form to select the different Threat Actor Types. This will ungrey the cells and allow you to enter the data for each Threat Actor. When you have completed all of the Form 4s click on the button labelled "Next". This will generate a number of Form 5s equal to the number of Threat Actors selected in Form 4.
     
  9. Now in Form 5 you will see that all the data has been generated for you. You should now go through and check that you agree with the data and make any necessary changes. You may only change the Impact Level, Capability, Motivation and Deterrent fields.
     
  10. If any changes have been made you will then need to click on the button labelled ReCalculate to implement the changes and generate the new Risk Levels.
     
  11. When you are happy that all of the Form 5s are correct click on the button labelled "End". This will take you to Form 6 where all the Risks you have identified will be ordered high to low by Risk Level.
     
  12. If you wish to Print Form 6 then Clck on File, Print or click on the Print icon on the toolbar. The classification you specified will automattically be added to the headers and foots.
NOTE:
This form has been tested, but not completely. We know that not following the instructions above may cause problems.
Please report any problems to enquiries@cesg.gsi.gov.uk.
Currently the worksheet will not cope with any more than 100 form 4's or 5's, but this is currently not seen as a problem.
 © Crown copyright, 2008. This CESG Website is maintained for your personal use and viewing. Access and use by you of this site constitutes acceptance of our terms and conditions which take effect from the date of first use. Click here for our terms and conditions CESGweb@cesg.gsi.gov.uk