The National Technical Authority for Information Assurance
 
IS1 Risk Assessment Tools

IS1 Technical Risk Assessment Tool
Version 2.0.0.0, issued 9 December 2009

The tool supplements the technical risk assessment process contained in IS1; it does not replace it. The tool cannot be used successfully without the information provided in the Standard.

The tool is provided "as is" with no warranty - express or implied - and no formal support. However, CESG should be informed of any problems with the tool.

The tool is an executable application; approval must therefore be sought from the relevant authority before the tool is installed on any ICT platform.

To install the tool, download the is1_risk_tool.zip file and unzip it. You should have 3 files: help.chm, IS1 Risk Tool.exe, and is1Data.mdb. Save these files. To run the tool, run the .exe file.
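A pre-install check that supports the approval step above, as an added example (not part of the CESG tool or this page): it inspects a downloaded archive in memory, confirms it holds exactly the three files named above, flags unsafe paths, and records SHA-256 hashes for the approval request. The function names and the sample archives are constructed for illustration.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

# File names taken from the install instructions on this page.
EXPECTED = {"help.chm", "IS1 Risk Tool.exe", "is1Data.mdb"}


def inspect_archive(data: bytes) -> dict:
    """Inspect a zip held in memory; nothing is extracted to disk."""
    findings, hashes = [], {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            path = PurePosixPath(name.replace("\\", "/"))
            # Absolute paths, parent references and drive letters are never expected.
            if path.is_absolute() or ".." in path.parts or ":" in name:
                findings.append(f"unsafe path: {name}")
                continue
            if info.is_dir():
                continue
            if name not in EXPECTED:  # nested or renamed files are reported too
                findings.append(f"unexpected member: {name}")
            hashes[name] = hashlib.sha256(zf.read(info)).hexdigest()
    for missing in sorted(EXPECTED - set(hashes)):
        findings.append(f"missing member: {missing}")
    return {
        "archive_sha256": hashlib.sha256(data).hexdigest(),
        "member_sha256": hashes,
        "findings": findings,
    }


def build_sample(members: dict) -> bytes:
    """Build a constructed zip in memory (sample data, not the real tool)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample({n: b"constructed placeholder" for n in EXPECTED})
    bad = build_sample({"help.chm": b"x", "IS1 Risk Tool.exe": b"x",
                        "../setup.bat": b"x", "extra.dll": b"x"})
    for label, blob in (("good", good), ("bad", bad)):
        print(label, inspect_archive(blob)["findings"])
```

To check a real download, pass the bytes of the saved is1_risk_tool.zip to `inspect_archive` and proceed only if `findings` is empty.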

Download the is1_risk_tool.zip now.


IS1 Risk tool v1.0.13 (26/08/08)

This Standard is HMG's approved technical risk assessment and risk treatment method for ICT Systems. It is also a supplement to the Security Policy Framework (SPF).

It is a baseline requirement that organisations bound by SPF use this Standard as their agreed method for technical risk assessment and risk treatment of information systems. However, the Standard may also be applied, at the organisation's discretion, across a broad range of business contexts in both the public and private sectors.

Please note that this IS 1 tool contains macros and has been tested within CESG (using Microsoft Excel 2000).
These macros have to be enabled for the tool to work.



User Instructions

These instructions can always be accessed via the worksheet. Many of the form title cells have Excel comments explaining the meaning or use of the data.
  1. Select the classification of the Risk Assessment; this will be put on any pages that are printed. This can be changed at any time by coming back to the 'Intro' sheet.
     
  2. When you are ready to start, click the button below labelled "Click Here to Begin". This will take you to Form 1.
     
  3. "Asset List" - Fill out Form 1 by clicking on the different cells and then entering your data. To add a new line, click the button labelled "Add New Line". There are drop-down menus for the Impact Levels; however, you may type in the number if you prefer.
     
  4. When you have completed Form 1 click on the button labelled "Next" to be taken to Form 2.
     
  5. "Threat Sources" - In Form 2 you may add a new line by clicking on the button labelled "Add New Line". Fill out the form by clicking on the cells and entering the data. There is no need to fill in the Threat Level column as this is calculated for you by filling in the rest of the details and then clicking on the button labelled "Calculate Threat". If you make any changes to Capability, Motivation or Clearance data, the "Calculate Threat" button will have to be clicked again to recalculate the Threat Level.
     
  6. When you have completed Form 2 click on the button labelled "Next" to be taken to Form 3.
     
  7. "Focus of Interest" - In Form 3 you may add a new line by clicking on the button labelled "Add New Line". Fill out the form by clicking on the cells and entering the data. There are drop-down menus for the Impact Levels; however, you may type in the number if you prefer. Ideally you should keep the FoI ID in the series FoI 1, FoI 2 etc.
    The assets you specify in a comma-delimited list will determine the max impacts. By default all assets are selected. You can modify this list and update the max impacts by clicking on the "Update Max Impacts" button. When you have completed Form 3, click on the button labelled "Next". This will generate a number of Form 4s equal to the number of FoIs you have identified in Form 3.

    NOTE: It is important that Form 3 is completed fully, as any changes made after the Form 4s are created will require any forms after Form 3 to be deleted.
     
  8. "FoI Threat Actors" - In Form 4 click on the check boxes on the left hand side of the form to select the different Threat Actor Types. This will unshade the cells and allow you to enter the data for each Threat Actor. When you have completed all of the Form 4s click on the button labelled "Next". This will generate a number of Form 5s equal to the number of Threat Actors selected in Form 4.
     
  9. "Threat Actor Risk ID and Assessment" - In Form 5 you will see that all of the data has been generated for you. You should now go through and check that you agree with the data and make any necessary changes. You may only change the Impact Level, Capability, Motivation and Deterrent fields.
     
  10. If any changes have been made you will then need to click on the button labelled ReCalculate to implement the changes and generate the new Risk Levels.
     
  11. When you are happy that all of the Form 5s are correct click on the button labelled "End". This will take you to Form 6 where all the Risks you have identified will be ordered high to low by Risk Level.
     
  12. If you wish to print Form 6, click on File, Print or click on the Print icon on the toolbar. The classification you specified will automatically be added to the headers and footers.
NOTE:
This form has been tested, but not completely (hence the number of recent bug fixes).
Please report any problems (or suggestions) to enquiries@cesg.gsi.gov.uk at CESG.

Known Issues
- The worksheet will not cope with any more than 100 Form 4s or Form 5s, but this is currently not seen as a problem.
- There is no facility to import/export data from old to new versions of the workbook.

For those that are interested, the bug changes for the past few versions can be seen in the VB code comments under 'ThisWorkbook' by pressing ALT-F11.

 © Crown copyright, 2010.