
NATIONAL CYBER SECURITY POLICY - ENTITY/SUB-ENTITY RISK ASSESSMENT PROCESS

Worksheets in this Workbook


1. Process Charts - this worksheet
2. Summary & Declaration - Summary of risk assessment and declaration by officer submitting the risk
assessment
3. Part 1 - CNI Entity Information - Profile of Entity/Sub-Entity submitting the risk assessment (Please read the
instructions in this CNII Entity Information worksheet to start doing the risk assessment)
4. High level risk assessment worksheets:
a. Part 2 - HL Impact - High level impact analysis
b. Part 3 - HL Dependency - High level dependency (on ICT or cyber systems) analysis
c. Part 4 - HL Controls - High level controls analysis
5. Detailed risk assessment worksheets:
a. Part 5 - Detailed Impact Analysis - Impact to various segments/elements of the Nation/National Economy
b. Part 6 - Detailed Threat Analysis - Likelihood of threats exploiting vulnerabilities
c. Part 7 - Detailed Risk Assessment Result

Summary of Charts In This Worksheet (for information only)


Chart 1 : Risk Assessment Framework
Chart 2 : Risk Assessment Process Framework (that is referred in Chart 1)
Chart 3 : Compliance Governance Framework (that is referred in Chart 1)
Chart 4 : High Level Risk Assessment and Detailed Risk Assessment

Note : Adjust the appropriate zoom factor to be able to see each complete chart within your screen.

CHART 3 : COMPLIANCE GOVERNANCE FRAMEWORK

1. CGSO ASSEMBLES ANNUAL QUESTIONNAIRE WITH INPUTS FROM MKN AND NC3-PT6
   (flow: includes risk assessment information required)
2. CGSO SENDS QUESTIONNAIRE TO REGULATORY BODIES AND CNI ENTITIES
3. CNI ENTITIES FILL QUESTIONNAIRE AND SEND RESPONSE TO PT6
   (flow: compliance and risk assessment information)
4. NC3-PT6 CONSOLIDATES OVERALL AND SENDS TO CGSO FOR KEY POINTS COMMITTEE APPROVAL
5. KEY POINTS COMMITTEE APPROVES AND CGSO PROVIDES UPDATED LIST TO NC3-PTs
   (flow: compliance information; risk-impact rank information)
6. NC3-PTs USE UPDATED LIST/COMPLIANCE INFO TO PRIORITIZE ACTIVITIES AND FOCUS AREAS

SUMMARY AND DECLARATION - ENTITY/SUB-ENTITY RISK ASSESSMENT

Ref Code : For Office Use Only

SUMMARY FOR (SUB-) ENTITY'S SERVICE OR PRODUCT

HIGH LEVEL RISK ASSESSMENT
Impact : Low Impact
Dependency Analysis : Not Required
Controls Assessment : Not Required
Detailed Risk Assessment : Not Compulsory

FILL IN THE PARTICULARS OF RESPONDENT AND REVIEWER/APPROVER BELOW (Items 1 to 4 to be filled in Part 1, not here)

1 CNI ENTITY : Lembaga Pelabuhan Johor
2 CNI SUB-ENTITY :
3 ADDRESS WHERE SERVICE IS CENTERED/DELIVERED/ORIGINATED FROM OR ADDRESS WHERE PRODUCT IS PRODUCED : 4A1-8A1, Pusat Perdagangan Pasir Gudang, Jalan Bandar, 81700 Pasir Gudang, Johor
4 SHORT NAME OF SERVICE OR PRODUCT (GROUP) :

Respondent
8 NAME OF RESPONDENT :
9 DESIGNATION :
10 DEPARTMENT/ DIVISION / SECTION /UNIT :
11 CORRESPONDENCE ADDRESS :
12 TELEPHONE NOS. :
13 FAX NOS. :
14 EMAIL ADDRESS :
15 WEBSITE/PORTAL ADDRESS :

Declaration : To the best of my knowledge, I declare that the information submitted here is true and the assessments submitted in the remaining worksheets are a fair reflection of the organisation.
Signature and Stamp
Date :

Reviewer/Approver
16 NAME OF REVIEWER/APPROVER OF RESPONSE :
17 POSITION :
18 DEPARTMENT/ DIVISION / SECTION /UNIT :
19 CORRESPONDENCE ADDRESS :
20 TELEPHONE NOS. :
21 FAX NOS. :
22 EMAIL ADDRESS :
Signature and Stamp
Date :

10/27/2009 21:54:36 24067438.xls (Summary & Declaration)


PART 1 : GENERAL INFORMATION
Instructions :
a. Please fill in this Part 1 and then do the high level risk assessment by providing inputs in Part 2 - HL Impact Worksheet, Part 3 - HL Dependency Worksheet and Part 4 - HL Controls Worksheet.
b. If the verdict from the high level risk assessment (see cell G5 in this worksheet) indicates that a detailed risk assessment is necessary, then please proceed to do the detailed risk assessment by filling in Part 5 - Detailed Impact Analysis Worksheet and Part 6 - Threats-Vulnerability Analysis Worksheet and view the results in Part 7 - Detailed Risk Assessment Result Worksheet. The summary of the detailed risk assessment (if required) will appear in cells E9 to G12 of this worksheet.
c. In the detailed risk assessment, if it is obvious that the impact of disruption of the critical services and products is medium to very high, then this input can be entered directly in cell G12 in Part 7 - Detailed Risk Assessment Result Worksheet instead of filling in the details in the Part 5 - Detailed Impact Analysis Worksheet.

Summary panel shown on this worksheet:
SUMMARY FOR (SUB-) ENTITY'S SERVICE OR PRODUCT
HIGH LEVEL RISK ASSESSMENT : Low Impact; Dependency Analysis Not Required; Controls Assessment Not Required; Detailed Risk Assessment Not Compulsory.

Note :
1. This part must be filled by all CNI (sub-)Entities, irrespective of whether they are doing the high level risk assessment first (see Part 2, Part 3 and Part 4), or whether they are bypassing the high level risk assessment and doing the full risk assessment only (Parts 5, 6 and 7). (To bypass the high level risk assessment, go to Part 2 and put Y in a 'High Impact' column.)
2. IMPORTANT : Please fill and submit one set of responses separately for EACH SERVICE OR PRODUCT (GROUP) from the same Sub-Entity if there are several services or products (groups) from the same Sub-Entity.
3. Entities are to use their own internally devised identifier codes for the following:
a. Service or Product Code in Section B
b. Critical Systems Code (non cyber) in Section D
c. Critical Cyber Systems Code in Section D.

SECTION A

FILL IN THE PARTICULARS OF THE ENTITY AND SUB-ENTITY

1 CNI ENTITY : Lembaga Pelabuhan Johor


2 CNI SUB-ENTITY :
3 ADDRESS WHERE SERVICE IS 4A1-8A1, Pusat Perdagangan Pasir Gudang, Jalan Bandar, 81700 Pasir Gudang, Johor
CENTERED/DELIVERED/ORIGINATED FROM OR ADDRESS
WHERE PRODUCT IS PRODUCED :
4 SHORT NAME OF SERVICE OR PRODUCT (GROUP) * :
(See note 2 above)
5 DESCRIPTION OF SERVICE OR PRODUCT (GROUP) * :
(Please describe what is the service or product and not
what the entity does to produce the service or product.
For GROUP, please list each service/product in section B
below)



6 AREA OF COVERAGE OF SERVICE OR PRODUCT : (Please Johor
provide the name or unique identifier of the Region,
State, District, Township, Industrial Area, Operations
Area, Business District etc)
7 KEY PARAMETERS OF AREA OF COVERAGE : Perairan Johor
1. Residential Population (estimated numbers)
2. Commercial Population (number of companies)
3. Industries (number of industries)
4. Business Value (estimated RM value of business)
5. Others (Please describe)
Please enter for all the major ones in the particular area
of coverage that apply.

SECTION B
* ITEMISE THE CRITICAL SERVICES OR PRODUCTS INCLUDED IN THE DEFINED GROUP, IF THESE CRITICAL SERVICES OR SERVICE OR PRODUCT
PRODUCTS ARE TO BE ADDRESSED AS ONE GROUP (in Section A4 and Section A5 above) IN THE RISK ASSESSMENT. CODE
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

SECTION C
* ITEMISE THE LIST OF SERVICES OR PRODUCTS LOGICALLY IN THE GROUP (in Sections A4 and A5 above) THAT ARE NOT CATEGORISED AS
CRITICAL SERVICES OR PRODUCTS
1
2
3
4
5
6
7
8
9



10
11
12
13
14
15

SECTION D
MAP THE SERVICE OR PRODUCT (GROUP) TO CRITICAL (NON-CYBER) SYSTEMS (IF ANY) AND CRITICAL CYBER SYSTEMS THAT DELIVER/PRODUCE
THE SERVICE OR PRODUCT (GROUP)

Columns : CRITICAL SYSTEMS (NON-CYBER) | CRITICAL SYSTEMS CODE | CRITICAL CYBER SYSTEMS (NOTE : ONE CYBER SYSTEM CAN MANAGE/CONTROL MORE THAN ONE CRITICAL SYSTEM TO DELIVER THE SERVICE OR PRODUCT) | CRITICAL CYBER SYSTEMS CODE | DEGREE OF DEPENDENCY ** (see guide on right)

1
2
3
4
5
6
7
8
9
10



PART 2 : HIGH LEVEL IMPACT ASSESSMENT

For each of the following dimensions that may be impacted in the event of the disruption to your critical services or products (group) in
Part 1 , select the appropriate estimated level of impact with a 'Y' in the appropriate impact column.
Note : Do not factor in any dependency on cyber systems at this stage. Just focus on your service or product and the impact of its
disruption.

Dimensions              Very Low  Low     Medium  High    Very High   Level
                        Impact    Impact  Impact  Impact  Impact
Defense and Security    x         y       x       x       x           Low Impact
Economy                 x         y       x       x       x           Low Impact
National Image          x         y       x       x       x           Low Impact
Government Services     x         y       x       x       x           Low Impact
Health and Safety       x         y       x       x       x           Low Impact

Maximum Level >> Low Impact

Explanation on Dimensions
Defense and Security : Compromise or weakening of our ability to defend (MAF, APMM) and ensure security (Police etc).
Economy : Covers commerce, banking, industrial activity, logistics and transportation including airport and port management, domestic and international trade, stock exchange etc.
National Image :
Government Services : Online and core government services dependent on ICT like RTD, Immigration, Customs, NRD, e-Procurement, e-SPKB, GFMAS, SPEKS, SAGA etc.
Health and Safety : Hospital services, emergency services including ambulance, fire brigade, civil defense, search and rescue and public safety.



PART 3 : HIGH LEVEL ASSESSMENT OF DEPENDENCY ON INFORMATION OR CYBER SYSTEMS

You need not respond below as the impact assessment shows that impact is low.

Cyber Systems Main Components   Very Low    Low         Medium      High        Very High   Level
                                Dependency  Dependency  Dependency  Dependency  Dependency
Online Applications             x           y           x           x           x           Low Dependency
Backend Applications            x           y           x           x           x           Low Dependency
Databases/Repository            x           y           x           x           x           Low Dependency
SAN/NAS                         x           y           x           x           x           Low Dependency
Corporate Network               x           x           x           y           x           High Dependency
Private Network                 x           y           x           x           x           Low Dependency
Internet                        y           x           x           x           x           Very Low Dependency
Control Systems Network         y           x           x           x           x           Very Low Dependency
Remote Services                 x           y           x           x           x           Low Dependency

Maximum Level >> High Dependency



PART 4 : HIGH LEVEL ASSESSMENT OF STATUS OF CONTROLS ON INFORMATION OR CYBER SYSTEMS THAT ARE USED IN THE DELIVERY OF CRITICAL
PRODUCTS AND SERVICES

You need not respond below as the Impact is low or Dependency on Cyber Systems is low.

Information Security Dimensions              Very High  High      Medium    Low       Very Low  Level
                                             Controls   Controls  Controls  Controls  Controls
Risk Assessment/Treatment                    x          x         y         x         x         Medium Controls
Security Policy                              x          x         y         x         x         Medium Controls
Organization of Information Security         x          y         x         x         x         High Controls
Asset Management                             x          x         x         y         x         Low Controls
Human Resources Security                     x          x         y         x         x         Medium Controls
Physical & Environmental Security            x          x         y         x         x         Medium Controls
Communications and Operations Mgmt           y          x         x         x         x         Very High Controls
Access Control                               x          x         y         x         x         Medium Controls
Info Systems Acquisition, Dev & Maintenance  x          x         y         x         x         Medium Controls
Information Security Incident Mgmt           x          x         y         x         x         Medium Controls
Business Continuity Management               x          x         y         x         x         Medium Controls
Compliance                                   x          x         y         x         x         Medium Controls

Minimum Level >> Low Controls



PART 5 : CNII (SUB-)ENTITIES' DETERMINATION OF IMPACT DUE TO UNAVAILABILITY/COMPROMISE OF THEIR CRITICAL PRODUCTS AND SERVICES

You need not respond here as the High Level Risk Assessment indicates that risk is low.

PLEASE IGNORE THE TABLE BELOW. YOU NEED NOT FILL IN THE DETAILS IN ROW 11.

SEIGH Dimensions >> TOTAL | Impact to National Defense and Security | Impact to National Economic Strength | Impact to National Image | Impact to Government Capabilities to Function | Impact to Public Health and Safety

Components of SEIGH Dimensions >>
Totals : Impact (Weight Averaged); Impact (Rounded Wt Avg)
Impact to National Defense and Security : Military Readiness; Police Operations; APMM Operations
Impact to National Economic Strength : Banking and Finance; Securities; Foreign Exchange; Public Pensions, Trusts and Savings; Industrial Production; International Trade; Domestic Trade; E-Commerce; E-Payment
Impact to National Image : Investor Perception; Foreign Perception; Citizen Perception
Impact to Government Capabilities to Function : Immigration Services; People Identity and ...; E-Government
Impact to Public Health and Safety : Health Services; Public Health; Public Safety

Critical Products and Services Group (row 11) : TOTAL 4.0 (weight averaged); every component cell shows 4; the two cells shown as ### are values the column is too narrow to display.



PART 6 : CNII (SUB-)ENTITY'S DETAILED ANALYSIS OF THREATS-VULNERABILITIES-COUNTERMEASURES THAT WILL ASSURE THE DELIVERY OF THEIR CRITICAL PRODUCTS AND SERVICES

You need not respond here as the High Level Risk Assessment indicates that risk is low.

PLEASE IGNORE THE TABLE BELOW. YOU NEED NOT FILL IN THE DETAILED THREATS-VULNERABILITIES LIKELIHOOD TABLE BELOW.

Columns : Asset Group | Asset Name | Threats | Vulnerabilities | Controls/ Safeguards/ Countermeasures | Likelihood of Threats Exploiting Vulnerabilities (0 to 4) | Asset Group Likelihood (0 to 4) | Overall Likelihood (0 to 4)

Overall Likelihood (0 to 4) : 4

Asset Groups (one block of rows each, all left blank) :
People
Logical Access Procedures
Perimeter Protection Measures
Patch Control and Updates Measures
Hardware
Software
Network
Physical Security
Environmental & Support Systems


PART 7 : CNII (SUB-)ENTITIES' RISK ASSESSMENT TAKING THE OVERALL IMPACT FROM PART 5 AND THE OVERALL THREATS EXPLOITING VULNERABILITIES LIKELIHOOD FROM PART 6

THIS TABLE IS IGNORED AS THE HIGH LEVEL RISK ASSESSMENT INDICATES THAT RISK IS LOW.

Risk Rating Matrix
Rows : Impact of Incident to Nation. Columns : Likelihood of Incident Scenario (i.e. Likelihood of Threats Exploiting Vulnerabilities).

Impact \ Likelihood   Very Low-0  Low-1  Medium-2  High-3  Very High-4
Very Low-0            0           1      2         3       4
Low-1                 1           2      3         4       5
Medium-2              2           3      4         5       6
High-3                3           4      5         6       7
Very High-4           4           5      6         7       8

Low Risk : 0 to 2
Medium Risk : 3 to 5
High Risk : 6 to 8

SUMMARY OF DETAILED RISK ANALYSIS FOR :
Impact rating manually entered (only allowed if rating is 2, 3 or 4) :
Impact from Part 5 (Detailed Impact Analysis) : 4
Impact rating from Part 5 used : 4
Threats Likelihood from Part 6 (Threats-Vulnerability Analysis) : 4
Numerical Risk Rating (Threat Likelihood and Impact) : 8
Overall Risk : HIGH RISK
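The roll-ups of the high level assessment (Parts 2, 3 and 4) and the Part 7 matrix above are simple enough to state in code, and doing so makes the workbook's branching explicit. The following is an added illustration and not the workbook's own cell formulas. Taken from the worksheets: the five-point scales, the maximum roll-up for impact and dependency, the minimum roll-up for controls, the "High Impact" bypass from the Part 1 note, the rule that a low impact (or a low dependency) means the later worksheets need not be answered, the additive matrix (impact + likelihood on 0..4 giving 0..8), the Low 0-2 / Medium 3-5 / High 6-8 bands, and the restriction of a manual impact entry to 2, 3 or 4. One rule is not stated anywhere on the page and is an assumption here, marked as such in the code: how impact, dependency and the weakest control combine into "detailed risk assessment compulsory" when impact and dependency are both Medium or above. The function and field names are this example's own.

```python
"""Decision logic of the NCSP entity risk-assessment workbook, Parts 2-4 and Part 7.

Added illustration; not the workbook's own cell formulas.  ASSUMPTION (not stated
on the page): when impact and dependency are both Medium or above, the detailed
assessment is compulsory if the weakest control level is Medium or below.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Ordinal five-point scale shared by Parts 2, 3, 4 and 7 (0 = Very Low .. 4 = Very High).
LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]


def level_index(name: str) -> int:
    """Map a level label such as 'Medium' to its 0..4 position on the scale."""
    return LEVELS.index(name)


def roll_up_max(marks: Dict[str, str]) -> str:
    """Parts 2 and 3: the overall level is the highest level marked 'Y' on any row."""
    return LEVELS[max(level_index(v) for v in marks.values())]


def roll_up_min(marks: Dict[str, str]) -> str:
    """Part 4: the overall status is the weakest (lowest) control level on any row."""
    return LEVELS[min(level_index(v) for v in marks.values())]


@dataclass
class HighLevelVerdict:
    impact: str
    dependency: Optional[str]      # None = that worksheet need not be answered
    controls: Optional[str]
    detailed_compulsory: bool
    reason: str


def high_level_assessment(impact_marks, dependency_marks, controls_marks) -> HighLevelVerdict:
    """Gate logic of Parts 2-4.  Each argument maps a row label to the level marked 'Y'."""
    impact = roll_up_max(impact_marks)
    if level_index(impact) >= level_index("High"):
        # Page: a 'Y' in a High Impact column bypasses the high level assessment.
        return HighLevelVerdict(impact, None, None, True, "High impact: bypass to detailed assessment")
    if level_index(impact) <= level_index("Low"):
        # Page: low impact means Part 3 and Part 4 need not be answered.
        return HighLevelVerdict(impact, None, None, False,
                                "Low impact: dependency and controls analysis not required")
    dependency = roll_up_max(dependency_marks)
    if level_index(dependency) <= level_index("Low"):
        # Page: low dependency on cyber systems means Part 4 need not be answered.
        return HighLevelVerdict(impact, dependency, None, False,
                                "Low dependency: controls assessment not required")
    controls = roll_up_min(controls_marks)
    compulsory = level_index(controls) <= level_index("Medium")   # ASSUMPTION, see module docstring
    return HighLevelVerdict(impact, dependency, controls, compulsory, f"Weakest control level: {controls}")


def risk_rating(impact: int, likelihood: int) -> int:
    """Part 7 matrix: numerical rating = impact + likelihood, each on 0..4, result on 0..8."""
    if not (0 <= impact <= 4 and 0 <= likelihood <= 4):
        raise ValueError("impact and likelihood must be on the 0..4 scale")
    return impact + likelihood


def risk_band(rating: int) -> str:
    """Part 7 bands: 0-2 Low Risk, 3-5 Medium Risk, 6-8 High Risk."""
    if rating <= 2:
        return "LOW RISK"
    if rating <= 5:
        return "MEDIUM RISK"
    return "HIGH RISK"


def manual_impact_entry(value: int) -> int:
    """Part 7: a manually entered impact rating is only allowed if it is 2, 3 or 4."""
    if value not in (2, 3, 4):
        raise ValueError("manual impact entry only allowed if rating is 2, 3 or 4")
    return value


if __name__ == "__main__":
    # Constructed marks that mirror the 'Y' cells on this page's Parts 2, 3 and 4.
    impact = {d: "Low" for d in ["Defense and Security", "Economy", "National Image",
                                 "Government Services", "Health and Safety"]}
    dependency = {"Online Applications": "Low", "Backend Applications": "Low",
                  "Databases/Repository": "Low", "SAN/NAS": "Low", "Corporate Network": "High",
                  "Private Network": "Low", "Internet": "Very Low",
                  "Control Systems Network": "Very Low", "Remote Services": "Low"}
    controls = {"Risk Assessment/Treatment": "Medium", "Security Policy": "Medium",
                "Organization of Information Security": "High", "Asset Management": "Low",
                "Human Resources Security": "Medium", "Physical & Environmental Security": "Medium",
                "Communications and Operations Mgmt": "Very High", "Access Control": "Medium",
                "Info Systems Acquisition, Dev & Maintenance": "Medium",
                "Information Security Incident Mgmt": "Medium",
                "Business Continuity Management": "Medium", "Compliance": "Medium"}
    print(high_level_assessment(impact, dependency, controls))
    r = risk_rating(4, 4)                     # the Part 7 figures on this page
    print(r, risk_band(r))
```

Run stand-alone, the script reproduces this page's outcome: impact rolls up to Low, so the verdict stops there with dependency and controls left unanswered even though the corporate network was marked High Dependency and the weakest control is Low. The point of the gate is that a low national impact short-circuits everything else; a practitioner checking a submission should look first at whether the Part 2 marks are defensible, since they decide whether Parts 3 to 7 are examined at all.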



Compatibility Report for Risk Assessment Worksheets - NCSP - V4 User(1).xls
Run on 10/23/2009 10:31

The following features in this workbook are not supported by earlier versions of
Excel. These features may be lost or degraded when you save this workbook in
an earlier file format.

Significant loss of functionality

Some cells have more conditional formats than are supported by the selected file format. Only the first three conditions will be displayed in earlier versions of Excel. (# of occurrences : 29)
'Summary & Declaration'!C5:C7
'Part 1 - CNI Entity Information'!E5:F7
'Part 2 - HL Impact'!G7:G12
'Part 2 - HL Impact'!S7:S9
'Part 3 - HL Dependency'!G9:G17
'Part 3 - HL Dependency'!R9:R11
'Part 3 - HL Dependency'!S9
'Part 3 - HL Dependency'!R13:S14
'Part 4 - HL Controls'!G9:G20
'Part 4 - HL Controls'!R9:R11
'Part 4 - HL Controls'!S9
'Part 4 - HL Controls'!R13:S14
'Part 5-Detailed Impact Analysis'!AF15:AF17
'Part 6-Detailed Threat Analysis'!K53:K55
'Part 6-Detailed Threat Analysis'!L53
'Part 6-Detailed Threat Analysis'!K57:L58
'Part 7 - Detailed Results'!J4:J6

Some cells have overlapping conditional formatting ranges. Earlier versions of Excel will not evaluate all of the conditional formatting rules on the overlapping cells. The overlapping cells will show different conditional formatting. (# of occurrences : 22)
'Summary & Declaration'!C11:C12
'Part 1 - CNI Entity Information'!E11:E12
'Part 2 - HL Impact'!S13:S14
'Part 3 - HL Dependency'!R15:R16
'Part 4 - HL Controls'!R15:R16
'Part 5-Detailed Impact Analysis'!AF21:AF22
'Part 6-Detailed Threat Analysis'!K59:K60
'Part 7 - Detailed Results'!J10:J11

Some cells contain conditional formatting with the 'Stop if True' option cleared. Earlier versions of Excel do not recognize this option and will stop after the first true condition. (# of occurrences : 24)
'Part 2 - HL Impact'!B7:F11
'Part 2 - HL Impact'!G7:G14
'Part 3 - HL Dependency'!B9:G17
'Part 3 - HL Dependency'!G19:G20
'Part 4 - HL Controls'!B9:G20
'Part 4 - HL Controls'!G22:G23

Minor loss of fidelity

Some cells or styles in this workbook contain formatting that is not supported by the selected file format. These formats will be converted to the closest format available. (# of occurrences : 89)
