LARION QM CON 009 General Risk Management Strategy 4.0 PDF

Document Details

LuckyChalcedony1151

Uploaded by LuckyChalcedony1151

2024

Truc Du-Thi-Thanh

Tags

risk management business strategy internal document general guidelines

Summary

This document is a general risk management strategy for LARION. It details risk identification, analysis, and response strategies within the organization, and includes details on the opportunity/threat approach, asset-based risk assessment, and monitoring and control procedures.

Full Transcript

---------------------------------- QM General Risk Management Strategy ---------------------------------- -- -------------------------- --------------------- Security classification: INTERNAL Document code: LARION.QM.CON.009 Last updated by: Truc Du-Th...

---------------------------------- QM General Risk Management Strategy ---------------------------------- -- -------------------------- --------------------- Security classification: INTERNAL Document code: LARION.QM.CON.009 Last updated by: Truc Du-Thi-Thanh Effective date: Aug 05, 2024 Version: 4.0 Template ID: ODT\_Base\_Template -- -------------------------- --------------------- Document Control +-----------+-----------+-----------+-----------+-----------+-----------+ | 2.1.1 | \- Update | TrucDTT | Jun 26, | N/A | N/A | | | Scope of | | 2018 | | | | | this | | | | | | | strategy | | | | | | | | | | | | | | \- Update | | | | | | | section | | | | | | | 2.1. | | | | | | | Threat / | | | | | | | Opportuni | | | | | | | ty | | | | | | | (Risk) | | | | | | | Identific | | | | | | | ation | | | | | | | Criteria | | | | | | | | | | | | | | \- Update | | | | | | | ranks of | | | | | | | threat | | | | | | | impact in | | | | | | | project | | | | | | | level and | | | | | | | in | | | | | | | corporate | | | | | | | level | | | | | | | | | | | | | | \- Update | | | | | | | Opportuni | | | | | | | ty | | | | | | | / Threat | | | | | | | Treatment | | | | | | | Plan | | | | | | | | | | | | | | \- Update | | | | | | | Monitorin | | | | | | | g | | | | | | | And | | | | | | | Controlli | | | | | | | ng | | | | | | | Opportuni | | | | | | | ty | | | | | | | / Threat | | | | | +-----------+-----------+-----------+-----------+-----------+-----------+ | 3.0 | Review | N/A | N/A | NhuanLD | Jun 28, | | | and | | | | 2018 | | | approve | | | | | +-----------+-----------+-----------+-----------+-----------+-----------+ | 3.1 | Add | TrucDTT | Oct 24, | ThangNT | Oct 31, | | | section | | 2022 | | 2022 | | | "Asset-ba | | | | | | | sed | | | | | | | Risk | | | | | | | Managemen | | | | | | | t | | | | | | | Approach" | | | | | | | for IT | | | | | | | departmen | | | | | | | t | | | | | +-----------+-----------+-----------+-----------+-----------+-----------+ | 3.2 | \- Update | TrucDTT | Jun 22, | HuyNQ | Jul 06, | | | purpose | | 2023 | | 2023 | | | of risk | | | | | | | managemen | | | | | | | t | | | | | | | | | | | | | | \- Update | | | | | | | section | | | | | | | 2.1: | | | | | | | Remove | | | | | | | detail | | | | | | | risk | | | | | | | guideline | | | | | | | of IT | | | | | | | services | | | | | | | | | | | | | | \- | | | | | | | Section | | | | | | | 3.2: | | | | | | | Update | | | | | | | ranks of | | | | | | | threat | | | | | | | impact in | | | | | | | project | | | | | | | level and | | | | | | | corporate | | | | | | | level | | | | | +-----------+-----------+-----------+-----------+-----------+-----------+ | 3.2.1 | \- | TrucDTT | Jul 22, | N/A | N/A | | | Section | | 2024 | | | | | 2.1.1 | | | | | | | "Corporat | | | | | | | e | | | | | | | Level": | | | | | | | Add "The | | | | | | | informati | | | | | | | on | | | | | | | from | | | | | | | threat | | | | | | | intellige | | | | | | | nt | | | | | | | report" | | | | | | | | | | | | | | \- | | | | | | | Section | | | | | | | 2.1.3.1 | | | | | | | "Asset | | | | | | | Identific | | | | | | | ation": | | | | | | | Add | | | | | | | "Other | | | | | | | departmen | | | | | | | ts | | | | | | | may apply | | | | | | | this | | | | | | | method if | | | | | | | necessary | | | | | | | " | | | | | +-----------+-----------+-----------+-----------+-----------+-----------+ | 4.0 | Approve | N/A | N/A | HuyNQ | Aug 05, | | | | | | | 2024 | +-----------+-----------+-----------+-----------+-----------+-----------+ Table of Contents Index of Tables Index of Illustration []{#anchor}Introduction ======================= []{#anchor-1}Purpose -------------------- - - This document specifies strategy for managing risks that cause negative or positive impacts to the organization, units or project objectives to: - Establish a reliable basis for decision making and planning - Increase the likelihood of achieving objectives - Improve operation effectiveness and efficiency - Improve loss prevention and incident management - This strategy is used in conjunction with General Risk Management Process ([\[1\]](#anchor-2)) or any other approved tailored processes related to risk management []{#anchor-3}Scope ------------------ - - This strategy shall be applied in all company\'s units, projects - In scope of the strategy, the risks that cause negative or positive impacts to the business objectives, information security objectives, quality objectives or others objectives of operational units / projects should be identified and managed []{#anchor-4}Abbreviations & Definitions ---------------------------------------- - - A: Availability - BoD: Board of Directors - C: Confidentiality - Contingency Plan: A plan applied to the identified threats that arise during the project - I: Integrity - InfoSec: Information Security - IT: Information Technology - LIS: Is a project management and issue tracking tool - Mitigation Plan: A plan to reduce the probability of occurrence or impact of a threat to below an acceptable threshold - PM: Project Manager - Risk: An uncertainty that causes negative (threat) or positive impact (opportunity) to objective(s) - Risk Owner: A person or unit with the accountability and authority to manage a risk - Senior manager: A senior manager who manage a Risk Owner - SOW: Scope Of Work []{#anchor-5}References ----------------------- 1. []{#anchor-2}General\_Risk\_Management\_Process 2. []{#anchor-6}Risk\_Management\_Report\_Template 3. []{#anchor-7}Risk\_Management\_Report\_InfoSec\_Template 4. []{#anchor-8}ISO 9001:2015 -- Quality Management Systems Requirements 5. ISO 31000 -- Risk Management -- Principle and guidelines 6. CMMI for Development, version 1.3 (Risk Management process area) 7. PMBOK Guide -- Fifth Edition 8. Performing a Process -- Based Information Security Risk Assessment (SANS Institute 2000 -- 2005) []{#anchor-9}Threat / Opportunity (Risk) Identification ======================================================= []{#anchor-10}Threat / Opportunity (Risk) Identification Criteria ----------------------------------------------------------------- - - The purpose of risk identification is to determine what could happen to cause negative or positive impacts to the business objectives, information security objectives, quality objectives or others objectives of operational units / projects early and continuously - In company, due to importance and periodicity of risk assessment, the approach for risk identification were applied differently in corporate level and project level ### []{#anchor-11}Corporate Level To ensure comprehensive risk identification, the following strategies will be applied to identify risk factors - - **Strategic risk identification** - BoD / Higher Managers should identify risk factors through considering both internal and external including legal, political, economic, social and technological. The information from threat intelligent report and potential impacts from the needs and expectations of interested parties should be considered also - Strategic risks should be formally reviewed concurrently with changes in strategy, or at least once a year, to re-assess and consider new / emerging risks - **Operational risk identification**: Operational risk identification to identify risks concerned with the company\'s operations. Risk should be examined in all departments / units for value adding and supporting activities - Heads of Department / unit has responsibilities to identify risk in their department / unit - Process-based approach should be used in operation risk identification ![Illustration 1: Corporate Level](Pictures/100000000000017600000121EA9F32C7.png) - - - - ***Note:*** *In this part, process mean that list of work activities are implemented to complete Department\'s / Unit\'s functions & responsibilities and achieve objectives of Organization / Department / Unit. Process may be documented or not* - Threat related to the following factors in the processes should be identified: - The inputs required and outputs expected and other related information from these processes - The activities and their interaction in the processes - The resource needed for these processes such as: legal, human, technology, infrastructure including building and associated utilities, equipment, hardware, software, information and communication technology, environment for the operation of the processes, monitoring and measuring resources\... - Stakeholder\'s expectations in the process - Maintaining network security should be a primary IT professional concern. Threats are associated with the lost of confidentiality, integrity and availability of information should be considered. ### []{#anchor-12}Project Level - - Project\'s risks should be identified for all projects in company, covering the whole project life-cycle - PM has main responsibility on risks identification in his / her project, any staff member should raise project threat if any while performing his or her daily work #### []{#anchor-13}Threat Sources - - Project team should review the program scope, cost estimates, schedule (to include evaluation of the critical path), technical maturity, key performance parameters, performance challenges, stakeholder expectations against current plan, external and internal dependencies, implementation challenges, integration, ability to handle threats, cost deviations, test event expectations, safety, security, and more - In addition, historical data from similar projects, stakeholder interviews, previous experience and existing knowledge also provide more value for consideration of threat - Following threat sources shall be used, but not limited to identify threats: -- -- Table 1: Threat Sources #### []{#anchor-14}Opportunity Sources (Optional) Following opportunity sources shall be used, but not limited to identify opportunities within the organization. Action to address opportunities can also included consideration of associated threats: -- -- Table 2: Opportunity Sources ### []{#anchor-15}Asset-based Risk Assessment Approach To ensure risk related to important assets identified and managed to reduce unexpected impact, asset-based risk management approach shall be applied for IT department. Other departments may apply this method if necessary - Risks must be assessed and considered for treatment, when an asset meets any of following conditions: - When its value -- calculated from C-I-A ranks (refer section [2.1.3.2.](#anchor-16)) -- is higher than or equal to 5 - When it has one of C / I / A value reaches the maximum ranks - Output of the activity shall be filled into Risk\_Management\_Report\_InfoSec\_Template (refer to [\[3\]](#anchor-7)) #### Asset Identification This step establishes list of asset and its value (CIA -- refer to section [2.1.3.2.](#anchor-16) below). An asset is a component or part of a total system to which an organization directly assigns value and hence for which the organization requires protection. Asset types for an information asset can be one of the following type: - Digital Information Digital Information / data valuable to operation. ***Examples:*** database, files, process documents, research report, work instruction, business plan, backup data,... - Paper Document Paper document valuable to operation. ***Examples:*** contracts, agreements, reports,\... - Physical Physical hardware or facilities used by Company Operation. ***Examples:*** server, switch, laptop, mobile, UPS, electric stabilizer, proximity,\... - Software Software used by Company Operation. ***Examples:*** applications, operating system, utilities, software development tool,\... - Service Service provided by external parties, used by Company Operations. ***Examples:*** electric supply, water supply, ISP, security guards,\... - People People with experience, knowledge and skill. ***Examples:*** management staff, execute staff, external consultant,\... #### []{#anchor-16}CIA Identification +-----------------------+-----------------------+-----------------------+ | 3 | Information | Restricted to few | | | | persons or roles in | | (Confidential) | | dedicated business | | | | units, who has unique | | | | responsibility to use | | | | the information. | | | | | | | | If wrongly disclosed, | | | | it will cause | | | | significant impact to | | | | the operation of | | | | relevant business | | | | units, but may not | | | | cause severe damage | | | | or loss to overall | | | | business. | +-----------------------+-----------------------+-----------------------+ | Software | Software only | | | | permitted to use by a | | | | few persons or roles, | | | | and is solely used to | | | | process the | | | | information asset of | | | | restricted | | | | confidentiality. | | +-----------------------+-----------------------+-----------------------+ | Physical | Physical assets to | | | | process the | | | | information asset of | | | | Restricted | | | | confidentiality. | | +-----------------------+-----------------------+-----------------------+ | Service | Service allowed to be | | | | used only by a few | | | | persons or roles, to | | | | process the | | | | information assets of | | | | restricted | | | | confidentiality. | | +-----------------------+-----------------------+-----------------------+ | People | Persons with special | | | | permissions to | | | | process the | | | | information assets of | | | | restricted | | | | confidentiality. | | +-----------------------+-----------------------+-----------------------+ | 2 | Information | Only needed to know | | | | by company staff and | | (Internal) | | permitted customers / | | | | partners. | +-----------------------+-----------------------+-----------------------+ | Software | Software to process | | | | information asset of | | | | internal | | | | confidentiality. | | +-----------------------+-----------------------+-----------------------+ | Physical | Physical assets to | | | | process information | | | | asset of internal | | | | confidentiality. | | +-----------------------+-----------------------+-----------------------+ | Service | Service to process | | | | information asset of | | | | internal | | | | confidentiality. | | +-----------------------+-----------------------+-----------------------+ | People | Company staff and | | | | permitted partners / | | | | customers. | | +-----------------------+-----------------------+-----------------------+ | 1 | Information | Information assets to | | | | be shared for use in | | (Public) | | public, outside the | | | | company staff, | | | | customer and | | | | partners. | +-----------------------+-----------------------+-----------------------+ Table 3: Asset Confidentiality Evaluation +-----------------------+-----------------------+-----------------------+ | 3 | Information | Inaccuracy or | | | | inadequate | | (High) | | information can cause | | | | catastrophic damage | | | | or complete | | | | interruption in | | | | company business, and | | | | severely hard to | | | | recover. | +-----------------------+-----------------------+-----------------------+ | Software | Malfunction or | | | | improper use can | | | | cause catastrophic | | | | impacts to integrity | | | | of the information | | | | being processed. | | +-----------------------+-----------------------+-----------------------+ | Physical | Defects can cause | | | | catastrophic impacts | | | | to integrity of the | | | | information being | | | | processed. | | +-----------------------+-----------------------+-----------------------+ | Service | Defects or | | | | interruption can | | | | cause catastrophic | | | | impacts to integrity | | | | of the information | | | | being processed. | | +-----------------------+-----------------------+-----------------------+ | People | Human errors or | | | | irresponsible actions | | | | can cause | | | | catastrophic impacts | | | | to integrity of the | | | | information being | | | | processed. | | +-----------------------+-----------------------+-----------------------+ | 2 | Information | Inaccuracy or | | | | inadequate | | (Medium) | | information can cause | | | | significant impact, | | | | but no interruption | | | | to Company business. | +-----------------------+-----------------------+-----------------------+ | Software | Malfunction or | | | | improper use can | | | | cause significant | | | | impacts to integrity | | | | of the information | | | | being processed. | | +-----------------------+-----------------------+-----------------------+ | Physical | Defects can cause | | | | significant impacts | | | | to integrity of the | | | | information being | | | | processed. | | +-----------------------+-----------------------+-----------------------+ | Service | Defects or | | | | interruption can | | | | cause significant | | | | impacts to integrity | | | | of the information | | | | being processed. | | +-----------------------+-----------------------+-----------------------+ | People | Human errors or | | | | irresponsible actions | | | | can cause significant | | | | impacts to integrity | | | | of the information | | | | being processed. | | +-----------------------+-----------------------+-----------------------+ | 1 | Information | Inaccuracy or | | | | inadequate | | (Low) | | information causes | | | | minor or no impact to | | | | Company business. | +-----------------------+-----------------------+-----------------------+ | Software | Malfunction or | | | | improper use causes | | | | minor or no impact to | | | | the information being | | | | processed. | | +-----------------------+-----------------------+-----------------------+ | Physical | Defects causes minor | | | | or no impact to the | | | | information being | | | | processed. | | +-----------------------+-----------------------+-----------------------+ | Service | Defects or | | | | interruption causes | | | | minor or no impact to | | | | the information being | | | | processed. | | +-----------------------+-----------------------+-----------------------+ | People | Human errors or | | | | irresponsible actions | | | | cause minor or no | | | | impact to the | | | | information being | | | | processed. | | +-----------------------+-----------------------+-----------------------+ Table 4: Asset Integrity Evaluation +-----------------------------------+-----------------------------------+ | 3 | Interruption of access is | | | acceptable if smaller than 1 | | (High) | hours. | +-----------------------------------+-----------------------------------+ | 2 | Interruption of access is | | | acceptable if smaller than 1 day. | | (Medium) | | +-----------------------------------+-----------------------------------+ | 1 | Interruption of access is | | | acceptable in a few days. | | (Low) | | +-----------------------------------+-----------------------------------+ Table 5: Asset Availability Evaluation #### Asset Value Asset is valuated via 3 values of C (Confidentiality) -- I (Integrity) -- A (Availability) attributes, as following formula: Asset value = Confidentiality value + Integrity value + Availability value When the asset value is greater than 3, asset owner must perform a risk assessment for this asset #### Asset Owner Determining who is responsible for each asset in company / units / projects. []{#anchor-17}**Opportunity / Threat Categories** ------------------------------------------------- The purpose of threat categories are to facilitate future lessons learned and statistical analysis related to threat management. Opportunity categories may be skipped since having there are only some opportunities sources. The following threat categories shall be used: +-----------------------------------+-----------------------------------+ | Requirement | Threats related to requirement | | | elements. | | | | | | Example: | +-----------------------------------+-----------------------------------+ | Technical | Threats related to scope, | | | technologies, external | | | dependencies. | | | | | | Example: | | | | | | Technology is new and not | | | proven | | | | | | Project is complex | +-----------------------------------+-----------------------------------+ | Resource | Threats related to people, time, | | | budget, cost. | | | | | | Example: | | | | | | Required skills not available | | | | | | Tight schedules | +-----------------------------------+-----------------------------------+ | Management | Threats related to methods for | | | managing both the development of | | | the product and program | | | personnel. | +-----------------------------------+-----------------------------------+ | Customer | Threats related to customer | | | problem. | | | | | | Example: | | | | | | Delays in customer feedback | | | | | | Changes to requirements | | | | | | Estimates are not scientific | +-----------------------------------+-----------------------------------+ | Process | Threats related to processes | | | defined, compliance. | | | | | | Example: | | | | | | *Process needs to be defined | | | for the project\ | | | Lack of process compliance* | +-----------------------------------+-----------------------------------+ | Security | Threats related to security | | | environment, confidentiality, | | | integrity and availability | | | integrity of information, | | | business continuity or other | | | threats that cause impact to | | | information security objectives | | | of an operation unit / project or | | | program. | | | | | | Example: | | | | | | Client server is not stable to | | | access | +-----------------------------------+-----------------------------------+ | Others | Include all threats that are not | | | in the above sources. | +-----------------------------------+-----------------------------------+ ::: {.caption} Table 6: *Threat* Categories ::: []{#anchor-18}Threat / Opportunity Analysis =========================================== []{#anchor-19}Opportunity Analysis ---------------------------------- ### []{#anchor-20}Ranks Of Opportunity Impact Following table describes ranks of opportunity impact to be used. The impact score will be used to calculate an opportunity level: ----------- --- ----------------------------- Very Low 1 Insignificant cost increase Low 2 \< 10% cost increase Medium 3 10 -- 20% cost increase High 4 20 -- 40% cost increase Very High 5 \> 40% cost increase ----------- --- ----------------------------- ::: {.caption} Table 7: Ranks of Opportunity Impact ::: ### []{#anchor-21}Ranks Of Opportunity Probability Following table describes ranks of opportunity probability. The probability score will be used to calculate an opportunity level: ----------- --- ---------------------- Very Low 1 Very unlikely occur Low 2 Unlikely occur Medium 3 Possible occur High 4 Likely occur Very High 5 Almost certain occur ----------- --- ---------------------- ::: {.caption} Table 8: Ranks of Opportunity Probability ::: ### []{#anchor-22}Opportunity Evaluation Opportunity Level is calculated from Opportunity Impact and Opportunity Probability per following formula: Opportunity Level = Opportunity Impact Score \* Opportunity Probability Score The Opportunity Level is described by following table: +---------+---------+---------+---------+---------+---------+---------+ | 1 | 2 | 3 | 4 | 5 | | | | | | | | | | | | Very | Low | Medium | High | Very | | | | Low | | | | High | | | +---------+---------+---------+---------+---------+---------+---------+ | Opportu | 5 | 5 | 10 | 15 | 20 | 25 | | nity | | | | | | | | Probabi | Very | | | | | | | lity | High | | | | | | +---------+---------+---------+---------+---------+---------+---------+ | 4 | 4 | 8 | 12 | 16 | 20 | | | | | | | | | | | High | | | | | | | +---------+---------+---------+---------+---------+---------+---------+ | 3 | 3 | 6 | 9 | 12 | 15 | | | | | | | | | | | Medium | | | | | | | +---------+---------+---------+---------+---------+---------+---------+ | 2 | 2 | 4 | 6 | 8 | 10 | | | | | | | | | | | Low | | | | | | | +---------+---------+---------+---------+---------+---------+---------+ | 1 | 1 | 2 | 3 | 4 | 5 | | | | | | | | | | | Very | | | | | | | | Low | | | | | | | +---------+---------+---------+---------+---------+---------+---------+ ::: {.caption} Table 9: Opportunity Level Matrix ::: The Opportunity Level is determined based on the color of the corresponding cell in above table: -------- ---------- High 11 -- 25 Medium 6 -- 10 Low \ 20% cost increase \> 20% time increase Scope creep requires major change to SOW of existing contract Requires major change to contract regarding acceptance criteria of deliverables ----------- --- ----------------------------- ----------------------------- ------------------------------------------------------------------------------------------------ ----------------------------------------------------------------------------------------------------------------- ::: {.caption} Table 11: Ranks of *Threats* Impacts ::: ### []{#anchor-25}Ranks Of Threat Impact In Corporate Level Following table describes ranks of threat impact to be used in Corporate level. The impact score will be used to calculate the threat level: +-----------+-----------+-----------+-----------+-----------+-----------+ | Very low | 1 | Impact | Small or | Cause | No or | | | | \

Use Quizgecko on...
Browser
Browser