Last edited 2 years ago by Demo writer

RM:Mobile devices: Difference between revisions

(Created page with "{{Risk infobox |riskID=AS1 |riskDate=2021-11-26 |riskDomain=External |riskAffects=Asset, Data protection |riskOwner=User:Parnoux |riskFactor=C3 |riskMeasuresExist=Yes |riskFac...")
 
m ((username removed) (log details removed))
 
(One intermediate revision by the same user not shown)
Line 10: Line 10:
}}
}}
==Risk description==
==Risk description==
The company generally provides employees with a laptop and other mobile devices as standard equipment. Since these are also used in the home office and at customer appointments, there is a risk of loss outside the office. The main risk here is the loss of data, both internal and customer data.


==Risk treatment considerations==
==Risk treatment considerations==


''Replace the information below with your own considerations.''
The following considerations were included in the risk treatment:
During risk mitigation planning, the following information should be considered:


* possible vulnerabilities (people, systems)
* Loss of a device in public transport or other public places (restaurant, hotel, etc.)
* legal requirements
* Statutory data protection requirements
* industry best practices
* Data classification (for data protection risks): public, internal, confidential, strictly confidential
* cost and resources
* Replacement costs
* data classification: public, private, restricted, confidential (for data protection risks only)


==Risk treatment plan==
==Risk treatment plan==
''Replace the information below with the actual risk treatment plan that you want to implement.''
The purpose of a risk management plan is to show: (1) what actions are planned, (2) how they will be implemented, and (3) whether they have already been implemented. It is important that the implementation of the plan and the state of planning and implementation of the plan are understood by all concerned. It should also be possible at any time to track the progress towards the plan.


The purpose of the risk treatment plan is to specify: (1) which measures are planned, (2) how they will be implemented, and (3) if they are already implemented. It is important that all affected parties understand the plan and its implementation. Progress against the plan needs to be monitored consistently.
=== Technical measures ===


=== Technical measures ===
* All mobile devices are password-protected (only strong passwords are technically possible) and can be locked "remotely". (implemented)
==== Cybersecurity ====
* All devices are physically marked with stickers and provided with a telephone number (implemented)
==== Encryption and pseudonymisation ====
* Passwords are generally not saved directly, but via the central password manager Bitwarden. (implemented)
==== Passwords ====
==== Access rights ====
==== Physical security ====
==== Data disposal ====


=== Organisational measures ===
=== Organisational measures ===
==== Policies and procedures ====
 
==== Business continuity plan ====
* All employees complete an annual training course on data protection. The topic of data loss is dealt with here. (implemented)
==== Awareness and training ====
* In all cases of loss, the internal and external reporting requirements are checked and applied in accordance with the guidelines. (implemented)
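Review bot: the new revision removes the empty "Encryption and pseudonymisation" subsection under "Technical measures" without recording any device-encryption measure in its place, while the risk description names loss of internal and customer data on a lost device as the main risk; the listed controls (strong password, remote lock) do not protect data at rest on a device that never reconnects to the network, so the plan should either list the device encryption status as a measure or state explicitly that it is not in place. The same applies to the dropped "Access rights" and "Data disposal" subsections: if no measure exists for them, say so rather than deleting the heading.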

Latest revision as of 17:01, 2 December 2021

Risk matrix

{|
! rowspan="2" colspan="2" |
! colspan="5" | Impact →
|-
! Negligible (A) !! Marginal (B) !! Considerable (C) !! Critical (D) !! Catastrophic (E)
|-
! rowspan="5" | Consequence
! Environment (IE)
| Slight effect || Minor effect || Localized effect || Major effect || Massive effect
|-
! Asset (IA)
| Slight damage || Minor damage || Medium damage || Major damage || Extensive damage
|-
! Health (IH)
| Slight physical or mental harm || Minor physical or mental harm || Major physical or mental harm || Single fatality || Multiple fatalities
|-
! Business continuity (IB)
| Minor visible or barely recognizable disruption of service || Recognizable temporary disruption of service || Minor functional (permanent) disruption of service || Major functional (permanent) disruption of service || Complete outage of service
|-
! Data protection (ID)
| No data loss / no data disclosure || Loss of rebuildable secondary data, disclosure of public data || Loss of easily recoverable data, disclosure of internal data || Loss of recoverable data, disclosure of some protected data || Irrecoverable data loss, full disclosure of protected data
|-
! rowspan="5" | ↓ Probability (within 5 yrs)
! Certain (5), 81-100%
| A5 || B5 || C5 || D5 || E5
|-
! Likely (4), 61-80%
| A4 || B4 || C4 || D4 || E4
|-
! Possible (3), 41-60%
| A3 || B3 || C3 || D3 || E3
|-
! Unlikely (2), 21-40%
| A2 || B2 || C2 || D2 || E2
|-
! Improbable (1), 0-20%
| A1 || B1 || C1 || D1 || E1
|}
Risk AS1

{|
! !! Mitigated risk !! Original risk
|-
! Factor
| B3 || C3
|-
! Level
| Low || Medium
|-
! Probability
| Possible || Possible
|-
! Impact
| Marginal || Considerable
|}

ID: AS1
Affects: Asset, Data protection
Discovered on: 2021-11-26
Owner: User:Parnoux
Domain: External
Measures exist? no
Incidents: 1
Last audit:

Reported incidents

{|
! Incident page !! Date !! Incident Name !! Incident Type !! Closed?
|-
| Lost laptop || 2021-12-02 || Lost laptop || Asset, Data protection || No
|}

Risk description

The company generally provides employees with a laptop and other mobile devices as standard equipment. Since these are also used in the home office and at customer appointments, there is a risk of loss outside the office. The main risk here is the loss of data, both internal and customer data.

Risk treatment considerations

The following considerations were included in the risk treatment:

  • Loss of a device in public transport or other public places (restaurant, hotel, etc.)
  • Statutory data protection requirements
  • Data classification (for data protection risks): public, internal, confidential, strictly confidential
  • Replacement costs

Risk treatment plan

The purpose of a risk treatment plan is to show: (1) what actions are planned, (2) how they will be implemented, and (3) whether they have already been implemented. All parties concerned need to understand the plan and its current state of planning and implementation, and it must be possible at any time to track progress against the plan.

Technical measures

  • All mobile devices are password-protected (only strong passwords are technically possible) and can be locked remotely. (implemented)
  • All devices are physically marked with stickers and provided with a telephone number. (implemented)
  • Passwords are generally not saved directly, but via the central password manager Bitwarden. (implemented)

Organisational measures

  • All employees complete an annual training course on data protection, which covers the topic of data loss. (implemented)
  • In all cases of loss, the internal and external reporting requirements are checked and applied in accordance with the guidelines. (implemented)