Revised on:
Risk Assessment Technique
Description of Risk
The Risk Assessment was based on industry-standard Risk Assessment methods such as the
Risk Management Guide for Quality Management Systems. The Risk Assessment was done in
the following phases.
1. Facility / Equipment Model: This was done by studying the existing documentation,
interviewing the concerned people, and then drawing up a Model which shows the criticality
of the Risk based on severity, detection methods and probability of occurrence ratings.
2. Reviewing Facility architecture: The mechanisms and technologies in place were
reviewed and areas of improvement were identified.
3. Understanding Supply Chain: An in-depth understanding of the company's supply chain
mechanism was developed to evaluate the risks related to faulty performance of the
vendors, based on severity, detection methods and probability of occurrence.
4. Vulnerability assessment: This exercise was carried out to identify the vulnerabilities
associated with the QMS, which include facility/equipment availability, maintenance, supplier
performance, delivery of non-conforming product, availability of competent personnel, etc.
5. Risk analysis: This was done by gathering and analyzing the information collected from
the above phases, identifying threat probabilities and vulnerability levels, and combining
these with the Risks. To identify the Current Risk level (A x B x C), we have to evaluate:
A = Risk Severity
B = Occurrence Probability
C = Duration
For mathematical evaluation, numeric values are assigned to all the parameters, as follows:
Very High - 4 (For Duration between 6 months and 1 year)
High - 3 (For Duration between 3-6 months)
Medium - 2 (For Duration between 1-3 months)
SCALES USED
Asset Value
The value of the asset in terms of its criticality towards the organization's ability
to provide its services in a timely, adequate, and secure manner. The asset values
have been derived from "List of Information Assets.doc".
Very High: A compromise on the confidentiality, integrity or availability, or a combination
of these, of the asset would result in an extremely high financial impact on the organization.
High: A compromise on the confidentiality, integrity or availability, or a combination
of these, of the asset would result in a very high financial impact on the organization.
Medium: A compromise on the confidentiality, integrity or availability, or a combination
of these, of the asset would result in a significant financial impact on the organization.
Low: A compromise on the confidentiality, integrity or availability, or a combination
of these, of the asset would result in a low or negligible financial impact on the organization.
Vulnerability Criticality
The level of impact on the asset if an attack occurred which exploited this specific
vulnerability. The vulnerability criticality values have been derived from the
"Vulnerability Assessment Report.doc".
Very High: Very High Criticality indicates that the attack would allow the attacker to gain
complete control of the system AND/OR lead to total degradation/stoppage of customer service.
This is an attack that allows the attacker to gain full super-user privileges o
High: High Criticality indicates that the attack would allow the attacker to gain complete
control of the system AND/OR lead to severe or substantial degradation/stoppage of customer
service. This is an attack that allows the attacker to gain full super-user p
Medium: Medium Criticality indicates that the attack would allow the attacker to gain some
sort of access to the system, AND/OR lead to some degradation of customer services. This is
usually an attack that allows the attacker to login with non-super user privileg
Low: Low Criticality indicates that the attack would only reveal some information that may
then be used to gain further access, but the attack itself would not allow any significant
access to the system. This is usually an information disclosure or banner-grab
Threat Probability
The probability that such an attack would occur, given compensating controls,
availability of tools for the attack, and the knowledge level that the attacker should
have.
Very High: Very High Likelihood of occurrence. Threat source is very highly motivated and
extremely capable. Other compensating controls do not exist, or are very weak.
High: High Likelihood of occurrence. Threat source is highly motivated and extremely capable.
Other compensating controls do not exist or are weak.
Medium: Medium Likelihood of occurrence. Threat source is adequately motivated and
sufficiently capable. Other compensating controls are not strong enough.
Low: Very Low Likelihood of occurrence. Threat source is neither motivated nor capable. Other
compensating controls are adequately strong.
RISK TREATMENT PLAN
Asset: The asset that is affected by this particular vulnerability.
Vulnerability: Vulnerabilities on the mentioned assets that can be exploited.
Risk Rating: The risk calculated from the Risk Assessment Report.
Action: The brief recommendation to address the vulnerability.
Ranking of Risk Treatment: The status of the task - Treat, Transfer, Terminate, Tolerate.
Methodology
Risk Treatment is carried out for Risks which are over 16 in numerical value and fall under the
category MEDIUM. These risks are treated and proper corrective measures for the same are
initiated to ensure that the risk level remains LOW.
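The following script works through the Current Risk level formula (A x B x C) from the risk analysis phase together with the "over 16" treatment rule above. It is an added illustration, not part of the Shreeraj Industries document: the scale values 4/3/2 and the duration bands are taken from the text, Low = 1 is an assumption (the document's list of numeric values stops at Medium), and the sample register is constructed, reusing only the vulnerability names from the treatment plan.

```python
"""Worked example of the Current Risk level formula (A x B x C) and the
"over 16" treatment rule.

Added illustration; not part of the Shreeraj Industries document. The values
4/3/2 for Very High/High/Medium and the duration bands come from the page;
Low = 1 is an assumption, and the sample register below is constructed.
"""

# A = Risk Severity, B = Occurrence Probability, C = Duration, each on the
# same four-point scale. Low = 1 is assumed (not stated on the page).
SCALE = {"Very High": 4, "High": 3, "Medium": 2, "Low": 1}

# Duration bands quoted on the page, in months: (lower, upper, rating).
# Checked in order, so a boundary month (3 or 6) falls in the lower band.
DURATION_BANDS = [(1, 3, "Medium"), (3, 6, "High"), (6, 12, "Very High")]

TREATMENT_THRESHOLD = 16  # page: risks over 16 in numerical value are treated


def duration_rating(months):
    """Map an expected duration in months to the page's duration scale.

    Durations under one month are below every band on the page and are
    rated Low here (assumption); durations over a year are rejected
    because the page defines no band for them.
    """
    if months < 1:
        return "Low"
    for lower, upper, rating in DURATION_BANDS:
        if lower <= months <= upper:
            return rating
    raise ValueError(f"no duration band defined for {months} months")


def current_risk_level(severity, probability, duration):
    """Current Risk level = A x B x C, each factor looked up on SCALE."""
    return SCALE[severity] * SCALE[probability] * SCALE[duration]


def needs_treatment(risk_level):
    """Apply the page's rule: risks over 16 are treated."""
    return risk_level > TREATMENT_THRESHOLD


def assess(register):
    """Rate each register entry and rank the results by risk level.

    Returns (vulnerability, risk level, action) tuples, highest risk first.
    Only two of the four statuses named on the page are assigned
    automatically: Treat when the threshold is exceeded, Tolerate otherwise
    (Transfer and Terminate remain management decisions).
    """
    results = []
    for entry in register:
        level = current_risk_level(
            entry["severity"],
            entry["probability"],
            duration_rating(entry["duration_months"]),
        )
        action = "Treat" if needs_treatment(level) else "Tolerate"
        results.append((entry["vulnerability"], level, action))
    return sorted(results, key=lambda row: row[1], reverse=True)


# Constructed sample register: the vulnerability names come from the page's
# risk treatment plan; the severity/probability/duration values are made up.
SAMPLE_REGISTER = [
    {"vulnerability": "Deterioration of material / product during storage",
     "severity": "High", "probability": "Medium", "duration_months": 4},
    {"vulnerability": "Material wrong color code",
     "severity": "Very High", "probability": "Low", "duration_months": 2},
    {"vulnerability": "Inventory not maintained",
     "severity": "Medium", "probability": "Medium", "duration_months": 1},
    {"vulnerability": "Stock register not maintained",
     "severity": "Medium", "probability": "High", "duration_months": 8},
]

if __name__ == "__main__":
    for vulnerability, level, action in assess(SAMPLE_REGISTER):
        print(f"{level:>3}  {action:<8}  {vulnerability}")
```

Running the script ranks the constructed register from 24 down to 8: the two entries above 16 are marked Treat and the rest Tolerate, which is the same ordering a filled-in Rating column of the treatment plan would produce.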
SHREERAJ INDUSTRIES
Last Review Date:
Columns: Vulnerability | Threat | Business Impact (on delivery & quality) | Current Control | API Q1 Cl. no. | Action | Rating
1. Vulnerability: Deterioration of material / product during storage
   Threat: Material getting damaged
   Business Impact: Material shortage; loss of time and money
   Current Control: Procedure for preservation of product (API Q1 Cl. no. 7.5.5)
   Action: Periodic surveillance
2. Vulnerability: Material wrong color code
   Threat: Use of wrong material
   Business Impact: Requirements of products not fulfilled; unsatisfied customer
   Current Control: Provide color code on materials
   Action: Incoming inspection and periodic checking
3. Vulnerability: Inventory not maintained
   Threat: Material not easily available
   Business Impact: Delay in production and production planning; loss of time
   Current Control: Inventory control as per procedure
   Action: Periodic checking of inventory
4. Vulnerability: Stock register not maintained
   Threat: Material not easily available and stock of material not identified
   Business Impact: Material shortage; delay in delivery
   Current Control: Verify physical stock and control stock
   Action: Periodic verification of stock
5. Vulnerability: Stock assessment was not done properly
   Threat: Stock not identified; material condition and material quantity not identified
   Business Impact: Delay in delivery
   Current Control: Verify stock for quantity and quality
   Action: Stock assessment periodically