Change Log
| Change | By Whom | When |
| --- | --- | --- |
| Sept 2022 Table | David Street | 7/09/2022 |
Risk and Asset Table
The table below shows the current risks as at Sept 2022 and their status as taken from our ISO 27001 Clause 6.1.2 Customer Facing Risk Assessment Table.
| Risk Number | Risk Description | Asset Name(s) | Risk Owner | Asset Owner | Current Risk Status |
| --- | --- | --- | --- | --- | --- |
| 1 | Operating system vulnerable to unauthorised access. Mitigated as the procedure for pre-approved change management is implemented. | Microsoft Windows Servers (TC10, TC11, TC13 - TC14) | Head of Development | Server Support | Low Medium |
| 2 | SQL Server vulnerable to unauthorised access. Mitigated as the procedure for pre-approved change management is implemented. | Microsoft SQL Servers (TC10, TC11, TC13 - TC14) | Head of Development | Server Support | Medium |
| 3 | Potential unavailability due to server failure. Mitigated as Server Support has implemented a zone split into Zones A to E within the AWS infrastructure. | Microsoft SQL Servers (TC10, TC11, TC13 - TC14) | Head of Development | Server Support | Low |
| 4 | Vulnerable to unauthorised access. Mitigated as follows: the PHP application can only be accessed via an AWS desktop with a private IP; SQL Server access is via SQL Management Studio; Remote Desktop to SQL Servers. | Microsoft SQL Servers (TC10, TC11, TC13 - TC14) | Head of Development | Server Support | Medium |
| 5 | Vulnerable to unauthorised access. Mitigated by urgent security patches and as-required O/S patches. | TC & TO Web Server | Head of Development | Server Support | Low Medium |
| 6 | Vulnerable to unauthorised access. Mitigated by running Jenkins (third party application) on a server with a private IP address only. Access is only available via an AWS desktop. | Jenkins Web Server | Head of Development | Server Support | Low |
| 7 | Vulnerable to unauthorised access. Mitigated by running High Charts on a server with a private IP address only. Included in TeleControl software vulnerability testing. | High Charts Web Server | Head of Development | Server Support | Low |
| 8 | Vulnerable to unauthorised access. Mitigated by use of AWS security systems, including a Web Application Firewall (WAF) to block typical SQL injections and HTTP attacks and to block IP addresses outside of Australia. | TC and TO Web Server | Head of Development | Server Support | Low Medium |
| 9 | Threat of data being stolen while sent over the internet. Mitigated by all TeleResult URLs using HTTPS encryption so sensitive information is not sent in the clear. | TC and TO Web Server | Head of Development | Server Support | Medium |
| 10 | Apache HTTPS Server vulnerable to unauthorised access. Mitigated by urgent security patches and quarterly patches. | TC and TO Web Server | Head of Development | Server Support | Low Medium |
| 11 | PHP 7.1 is no longer supported and uses an old version of encryption. Mitigated by updating PHP to a supported version and updating whenever a security enhancement is available. | TC and TO Web Server | Head of Development | Server Support | Medium |
| 12 | Vulnerable to unauthorised access, especially as the application uses an EOL version of Linux (Ubuntu Precise, EOL 28.4.2017). Mitigated by moving to a server behind a firewall with a private IP address. | Translator Web Servers | Head of Development | Server Support | Medium |
| 15 | Vulnerable to unauthorised access, especially as the application uses an old operating system. Mitigated by moving to a server behind a firewall with a private IP address. FTP access to all secure servers is only available via an AWS desktop. | Virtual Server FileZilla | Head of Development | Server Support | Low Medium |
| 17 | Vulnerable to unauthorised access. Mitigated by including LibXL (third party application) in TeleControl software vulnerability testing. | LibXL (PHP Library) | General Manager | Head of Development | Low |
| 19 | Vulnerable to unauthorised access through use of MD5 encryption. November 2021: mitigated by migration to LibSodium encryption. | TeleControl Web Server | General Manager | Head of Development | Medium |
| 20 | Vulnerable to unauthorised access via old logins. Mitigated by a process to regularly review login usage and delete old logins. | TeleControl Web Server | General Manager | Head of Development | Medium |
| 21 | Vulnerable to unauthorised access via links in TeleControl Private usage statements, particularly as statements go out with a URL that never expires. Mitigated by removing links from emails and upgrading to LibSodium encrypted logins. | TeleControl Web Server | General Manager | Head of Development | Medium |
| 22 | Vulnerable due to poor design or code. Mitigated by TeleControl and TeleOrder code release procedures and regular software vulnerability testing and monitoring. | TeleControl / TeleOrder Application | General Manager | Head of Development | Low Medium |
| 23 | Risk of data unavailability due to DDoS attack. Mitigated by using AWS Shield to protect data during an attack. There will be a temporary loss of access until the attack can be blocked. | AWS Firewall | Practice Director | Server Support | Medium |
| 24 | Lack of availability of AWS servers, mitigated by replication across AWS regions and daily snapshot and database backups. Lack of availability of backups, mitigated by regular backup monitoring and monthly database test restores. | TC & TO Web Server | Practice Director | Server Support | Low Medium |
| 25 | Staff release confidential information due to lack of awareness of IT security and not taking care in their day-to-day operations. Mitigated by regular staff training, including phishing training campaigns. | Freshdesk Server | Practice Director | General Manager | Medium |
| 26 | Risk of server unavailability at AWS. Mitigated by replication across multiple zones within the AWS infrastructure. | AWS Infrastructure | Practice Director | Server Support | Medium |
| 27 | Vulnerabilities in the JIRA tool. Mitigated by use of an ISO 27001 approved tool. | JIRA Service Desk | Head of Development | Head of Development | Low Medium |
| 28 | Vulnerabilities in the Bitbucket tool. Mitigated by use of an ISO 27001 approved tool. | Bitbucket | Head of Development | Head of Development | Low Medium |
| 29 | Vulnerable to unauthorised access and loss of data. Mitigated by automatic renewal of domain names. | Domain names | General Manager | Server Support | Low Medium |
| 30 | Lack of availability of AWS servers, mitigated by replication across AWS regions. | AWS Infrastructure | Practice Director | Server Support | Low Medium |
| 31 | Risk of the database becoming full and so unavailable for new data. Mitigated by AWS configuration to dynamically adjust server and database sizes. | AWS Infrastructure | Practice Director | Server Support | Medium |
| 32 | Vulnerabilities in 3CX software. Mitigated by use of an ISO 27001 approved tool and regular updates. | 3CX Server | Practice Director | Server Support | Low Medium |
| 33 | Windows 2016 O/S vulnerable to unauthorised access. Mitigated by urgent security patches and quarterly O/S patches. | 3CX Server | Practice Director | Server Support | Low Medium |
| 34 | Vulnerable to unauthorised access through sharing of logins with other users. Mitigated by use of individual logins wherever possible and encrypted logins shared via Dashlane when necessary. Passwords are no longer allowed to be stored in unencrypted form. | Third Party Services Access Control | Head of Development | General Manager | Medium |
| 36 | Vulnerable to unauthorised access and loss of data. Mitigated by automatic renewal of SSL certificates. | SSL Certificates | General Manager | Server Support | Low Medium |
| 37 | Vulnerable to unauthorised access through sharing of logins with other users. Mitigated by use of individual logins wherever possible and encrypted logins shared via Dashlane when necessary. Passwords are no longer allowed to be stored in unencrypted form. | Third Party Services Access Control | Head of Development | General Manager | Medium |
| 38 | Vulnerable to unauthorised access. Mitigated by removing VPN access to the TeleResult Crows Nest network so no direct access to servers can be made. | Wireless Access Point | Practice Director | General Manager | Medium |
| 39 | Vulnerable to unauthorised access. Mitigated by removing VPN access to the TeleResult Crows Nest network so no direct access to servers can be made. | Wireless Access Point | Practice Director | General Manager | Medium |
| 40 | Vulnerable to unauthorised access. Mitigated by code release procedures and regular checking with the Snyk vulnerability tool. | Teleservice API | Head of Development | Server Support | Low Medium |
| 41 | Apache HTTPS Server vulnerable to unauthorised access. Mitigated by urgent security patches and quarterly patches. | MySQL RDS (W11) | Head of Development | Server Support | Low Medium |
| 42 | Vulnerable due to poor design or code. Mitigated by TeleControl and TeleOrder code release procedures and regular software vulnerability testing and monitoring. | TeleControl / TeleOrder Application | General Manager | Head of Development | Low Medium |
| 43 | Linux Ubuntu O/S vulnerable to unauthorised access. Mitigated by urgent security patches and quarterly O/S patches. | TeleResult Web Site | Practice Director | Server Support | Medium |
| 18 | Lack of availability of AWS servers, mitigated by replication across AWS regions and daily snapshot and database backups. Lack of availability of backups, mitigated by regular backup monitoring and monthly database test restores. | AWS Servers | Practice Director | Server Support | Low Medium |
| 44 | Vulnerable to unauthorised access. Mitigated by code release procedures and regular checking with the Snyk vulnerability tool. | AWS New Bill Importer | Head of Development | Head of Development | Low Medium |
| 45 | TeleAnalytics vulnerable to unauthorised access. Mitigated by code release procedures and regular checking with the Snyk vulnerability tool. | TeleAnalytics Dashboard | Head of Development | Head of Development | Low Medium |
| 46 | TeleView vulnerable to unauthorised access. Mitigated by code release procedures and regular checking with the Snyk vulnerability tool. | Teleview - Blitz reporter | Head of Development | Head of Development | Low Medium |
| 47 | Linux Ubuntu O/S vulnerable to unauthorised access. Mitigated by urgent security patches and quarterly O/S patches. | TC and TO Web Server | General Manager | Server Support | Medium |
| 48 | Vulnerabilities in the SonarQube vulnerability tool. Mitigated by use of an ISO 27001 approved tool. | SonarQube | Head of Development | Server Support | Low Medium |
| 50 | Risk of unauthorised access, and the TAP App being developed externally by a non-ISO 27001 vendor. Mitigated through contracting and managing the third party within our ISO 27001 framework. | TAP App for use by DCJ | Practice Director | Head of Development | Medium |
| 53 | Jamf / Wandera vulnerable due to potential unauthorised access to a client device. | Jamf-Wandera | General Manager | General Manager | Low Medium |
| 54 | TeleOrder is vulnerable because its version of Laravel (6.15.1) is out of support. TeleOrder was previously hacked on 13/03/2019 (Freshdesk ticket 1332874), so the risk is real and needs to be planned for and remediated. | TC and TO Web Server | General Manager | General Manager | Medium High |