Change Log

| Change | By Whom | When |
|---|---|---|
| Sept 2022 Table | David Street | 7/09/2022 |




Risk and Asset Table


The table below shows the current risks as at Sept 2022 and their status as taken from our ISO 27001 Clause 6.1.2 Customer Facing Risk Assessment Table.

| Risk Number | Risk Description | Asset Name(s) | Risk Owner | Asset Owner | Current Risk Status |
|---|---|---|---|---|---|
| 1 | Operating System vulnerable to unauthorised access. Mitigated as the Procedure for Pre-Approved change management is implemented. | Microsoft Windows Servers (TC10, TC11, TC13 - TC14) | Head of Development | Server Support | Low Medium |
| 2 | SQL Server vulnerable to unauthorised access. Mitigated as the Procedure for Pre-Approved change management is implemented. | Microsoft SQL Servers (TC10, TC11, TC13 - TC14) | Head of Development | Server Support | Medium |
| 3 | Potential unavailability due to server failure. Mitigated as Server Support has implemented a zone split into Zones A to E within the AWS infrastructure. | Microsoft SQL Servers (TC10, TC11, TC13 - TC14) | Head of Development | Server Support | Low |
| 4 | Vulnerable due to unauthorised access. Mitigated as follows: (a) the PHP application can only be accessed via an AWS desktop with a Private IP; (b) SQL Server access is via SQL Management Studio; (c) Remote Desktop to SQL Servers. | Microsoft SQL Servers (TC10, TC11, TC13 - TC14) | Head of Development | Server Support | Medium |
| 5 | Vulnerable due to unauthorised access. Mitigated by urgent security patches and O/S patches as required. | TC & TO Web Server | Head of Development | Server Support | Low Medium |
| 6 | Vulnerable due to unauthorised access. Mitigated by running Jenkins (third party application) on a server with a Private IP address only. Access is only available via an AWS desktop. | Jenkins Web Server | Head of Development | Server Support | Low |
| 7 | Vulnerable due to unauthorised access. Mitigated by running High Charts on a server with a Private IP address only. Included in TeleControl software vulnerability testing. | High Charts Web Server | Head of Development | Server Support | Low |
| 8 | Vulnerable to unauthorised access. Mitigated by use of AWS security systems, including a Web Application Firewall (WAF) to block typical SQL injections and HTTP attacks and to block IP addresses outside of Australia. | TC and TO Web Server | Head of Development | Server Support | Low Medium |
| 9 | Threat of data being sent over the internet being stolen. Mitigated by all TeleResult URLs having https encryption, so no secure information is sent in the clear. | TC and TO Web Server | Head of Development | Server Support | Medium |
| 10 | Apache HTTPS Server vulnerable to unauthorised access. Mitigated by urgent security and quarterly patches. | TC and TO Web Server | Head of Development | Server Support | Low Medium |
| 11 | Support for PHP 7.1 is not available and an old version of encryption is in use. Mitigated by updating PHP to a supported version and updating whenever a security enhancement is available. | TC and TO Web Server | Head of Development | Server Support | Medium |
| 12 | Vulnerable to unauthorised access, especially as the application uses an EOL version of Linux Ubuntu Precise (28.4.2017). Mitigated by moving to a server behind a firewall with a private IP address. | Translator Web Servers | Head of Development | Server Support | Medium |
| 15 | Vulnerable to unauthorised access, especially as the application uses an old operating system. Mitigated by moving to a server behind a firewall with a private IP address. FTP access to all secure servers is only available via an AWS desktop. | Virtual Server FileZilla | Head of Development | Server Support | Low Medium |
| 17 | Vulnerable due to unauthorised access. Mitigated by including LibXL (third party application) in TeleControl software vulnerability testing. | LibXL (PHP Library) | General Manager | Head of Development | Low |
| 19 | Vulnerable to unauthorised access through use of MD5 encryption. November 2021 - Mitigated by migration to use of LibSodium encryption. | TeleControl Web Server | General Manager | Head of Development | Medium |
| 20 | Vulnerable to unauthorised access through old logins. Mitigated by a process to regularly review login usage and delete old logins. | TeleControl Web Server | General Manager | Head of Development | Medium |
| 21 | Vulnerable to unauthorised access via links in TeleControl Private usage statements, particularly as statements go out with a URL that never expires. Mitigated by removing links in emails and upgrading to LibSodium encrypted logins. | TeleControl Web Server | General Manager | Head of Development | Medium |
| 22 | Vulnerable due to poor design or code. Mitigated by TeleControl and TeleOrder code release procedures and regular software vulnerability testing and monitoring. | TeleControl / TeleOrder Application | General Manager | Head of Development | Low Medium |
| 23 | Risk of data unavailability due to DDoS attack. Mitigated by using AWS Shield to protect data during an attack. There will be a temporary loss of access until the attack can be blocked. | AWS Firewall | Practice Director | Server Support | Medium |
| 24 | Lack of availability of AWS servers, mitigated by replication in AWS regions and daily snapshot and database backups. Lack of availability of backups, mitigated by regular backup monitoring and monthly database test restores. | TC & TO Web Server | Practice Director | Server Support | Low Medium |
| 25 | Staff release confidential information due to lack of awareness of IT security and not taking care in their day-to-day operations. Mitigated by regular staff training, including phishing training campaigns. | Freshdesk Server | Practice Director | General Manager | Medium |
| 26 | Risk of server unavailability at AWS. Mitigated by replication across multiple zones within the AWS infrastructure. | AWS Infrastructure | Practice Director | Server Support | Medium |
| 27 | Vulnerabilities in the JIRA tool. Mitigated by use of an ISO 27001 approved tool. | JIRA Service Desk | Head of Development | Head of Development | Low Medium |
| 28 | Vulnerabilities in the Bitbucket tool. Mitigated by use of an ISO 27001 approved tool. | Bitbucket | Head of Development | Head of Development | Low Medium |
| 29 | Vulnerable to unauthorised access and loss of data. Mitigated by automatic renewal of domain names. | Domain names | General Manager | Server Support | Low Medium |
| 30 | Lack of availability of AWS servers, mitigated by replication in AWS regions. | AWS Infrastructure | Practice Director | Server Support | Low Medium |
| 31 | Risk of the database becoming full and so unavailable for new data. Mitigated by AWS configuration to dynamically adjust server and database sizes. | AWS Infrastructure | Practice Director | Server Support | Medium |
| 32 | Vulnerabilities in 3CX software. Mitigated by use of an ISO 27001 approved tool and regular updates. | 3CX Server | Practice Director | Server Support | Low Medium |
| 33 | Windows 2016 O/S vulnerable to unauthorised access. Mitigated by urgent security and quarterly O/S patches. | 3CX Server | Practice Director | Server Support | Low Medium |
| 34 | Vulnerable to unauthorised access through sharing of logins with other users. Mitigated by use of individual logins wherever possible and encrypted logins shared via Dashlane when necessary. Passwords are no longer allowed to be stored in unencrypted form. | Third Party Services Access Control | Head of Development | General Manager | Medium |
| 36 | Vulnerable to unauthorised access and loss of data. Mitigated by automatic renewal of SSL certificates. | SSL Certificates | General Manager | Server Support | Low Medium |
| 37 | Vulnerable to unauthorised access through sharing of logins with other users. Mitigated by use of individual logins wherever possible and encrypted logins shared via Dashlane when necessary. Passwords are no longer allowed to be stored in unencrypted form. | Third Party Services Access Control | Head of Development | General Manager | Medium |
| 38 | Vulnerable to unauthorised access. Mitigated by removing VPN access to the TeleResult Crows Nest network, so no direct access to servers can be made. | Wireless Access Point | Practice Director | General Manager | Medium |
| 39 | Vulnerable to unauthorised access. Mitigated by removing VPN access to the TeleResult Crows Nest network, so no direct access to servers can be made. | Wireless Access Point | Practice Director | General Manager | Medium |
| 40 | Vulnerable due to unauthorised access. Mitigated by code release procedures and regular checking with the Snyk vulnerability tool. | Teleservice API | Head of Development | Server Support | Low Medium |
| 41 | Apache HTTPS Server vulnerable to unauthorised access. Mitigated by urgent security and quarterly patches. | MySQL RDS (W11) | Head of Development | Server Support | Low Medium |
| 42 | Vulnerable due to poor design or code. Mitigated by TeleControl and TeleOrder code release procedures and regular software vulnerability testing and monitoring. | TeleControl / TeleOrder Application | General Manager | Head of Development | Low Medium |
| 43 | Linux Ubuntu O/S vulnerable to unauthorised access. Mitigated by urgent security and quarterly O/S patches. | TeleResult Web Site | Practice Director | Server Support | Medium |
| 18 | Lack of availability of AWS servers, mitigated by replication in AWS regions and daily snapshot and database backups. Lack of availability of backups, mitigated by regular backup monitoring and monthly database test restores. | AWS Servers | Practice Director | Server Support | Low Medium |
| 44 | Vulnerable due to unauthorised access. Mitigated by code release procedures and regular checking with the Snyk vulnerability tool. | AWS New Bill Importer | Head of Development | Head of Development | Low Medium |
| 45 | TeleAnalytics vulnerable due to unauthorised access. Mitigated by code release procedures and regular checking with the Snyk vulnerability tool. | TeleAnalytics Dashboard | Head of Development | Head of Development | Low Medium |
| 46 | TeleView vulnerable due to unauthorised access. Mitigated by code release procedures and regular checking with the Snyk vulnerability tool. | Teleview - Blitz reporter | Head of Development | Head of Development | Low Medium |
| 47 | Linux Ubuntu O/S vulnerable to unauthorised access. Mitigated by urgent security and quarterly O/S patches. | TC and TO Web Server | General Manager | Server Support | Medium |
| 48 | Vulnerabilities in the SonarQube vulnerability tool. Mitigated by use of an ISO 27001 approved tool. | SonarQube | Head of Development | Server Support | Low Medium |
| 50 | Risk of unauthorised access, and the TAP App being developed externally by a non-ISO 27001 vendor. Mitigated through contracting and managing the third party within our ISO 27001 framework. | TAP App for use by DCJ | Practice Director | Head of Development | Medium |
| 53 | Jamf / Wandera vulnerable due to potential unauthorised access to the client device. | Jamf-Wandera | General Manager | General Manager | Low Medium |
| 54 | TeleOrder is vulnerable because the Laravel version in use (6.15.1) is out of support. TeleOrder was previously hacked on 13/03/2019 (Freshdesk ticket 1332874), so the risk is real and remediation needs to be planned and carried out. | TC and TO Web Server | General Manager | General Manager | Medium High |