Allegro Worksheet 1
RISK MEASUREMENT CRITERIA: REPUTATION AND CUSTOMER CONFIDENCE

Impact Area / Low / Moderate / High

Reputation
  Low: Reputation is minimally affected; little or no effort or expense is required to recover.
  Moderate: Reputation is damaged, and some effort and expense is required to recover.
  High: Reputation is irrevocably destroyed or damaged.

Customer Loss
  Low: Less than _______% reduction in customers due to loss of confidence
  Moderate: _______ to _______% reduction in customers due to loss of confidence
  High: More than _______% reduction in customers due to loss of confidence

Other:

Allegro Worksheet 2
RISK MEASUREMENT CRITERIA: FINANCIAL

Impact Area / Low / Moderate / High

Operating Costs
  Low: Increase of less than _______% in yearly operating costs
  Moderate: Yearly operating costs increase by _______ to _______%.
  High: Yearly operating costs increase by more than _______%.

Revenue Loss
  Low: Less than _______% yearly revenue loss
  Moderate: _______ to _______% yearly revenue loss
  High: Greater than _______% yearly revenue loss

One-Time Financial Loss
  Low: One-time financial cost of less than $_______________
  Moderate: One-time financial cost of $_______________ to $_______________
  High: One-time financial cost greater than $_______________

Other:

Allegro Worksheet 3
RISK MEASUREMENT CRITERIA: PRODUCTIVITY

Impact Area / Low / Moderate / High

Staff Hours
  Low: Staff work hours are increased by less than _______% for _______ to _______ day(s).
  Moderate: Staff work hours are increased between _______% and _______% for _______ to _______ day(s).
  High: Staff work hours are increased by greater than _______% for _______ to _______ day(s).

Other:
Other:
Other:

Allegro Worksheet 4
RISK MEASUREMENT CRITERIA: SAFETY AND HEALTH

Impact Area / Low / Moderate / High

Life
  Low: No loss or significant threat to customers' or staff members' lives
  Moderate: Customers' or staff members' lives are threatened, but they will recover after receiving medical treatment.
  High: Loss of customers' or staff members' lives

Health
  Low: Minimal, immediately treatable degradation in customers' or staff members' health with recovery within four days
  Moderate: Temporary or recoverable impairment of customers' or staff members' health
  High: Permanent impairment of significant aspects of customers' or staff members' health

Safety
  Low: Safety questioned
  Moderate: Safety affected
  High: Safety violated

Other:

Allegro Worksheet 5
RISK MEASUREMENT CRITERIA: FINES AND LEGAL PENALTIES

Impact Area / Low / Moderate / High

Fines
  Low: Fines less than $_______________ are levied.
  Moderate: Fines between $_______________ and $_______________ are levied.
  High: Fines greater than $_______________ are levied.

Lawsuits
  Low: Non-frivolous lawsuit or lawsuits less than $_______________ are filed against the organization, or frivolous lawsuit(s) are filed against the organization.
  Moderate: Non-frivolous lawsuit or lawsuits between $_______________ and $_______________ are filed against the organization.
  High: Non-frivolous lawsuit or lawsuits greater than $_______________ are filed against the organization.

Investigations
  Low: No queries from government or other investigative organizations
  Moderate: Government or other investigative organization requests information or records (low profile).
  High: Government or other investigative organization initiates a high-profile, in-depth investigation into organizational practices.

Other:

Allegro Worksheet 7
IMPACT AREA PRIORITIZATION WORKSHEET
PRIORITY
IMPACT AREAS
Reputation and Customer Confidence
Financial
Productivity
Safety and Health
Fines and Legal Penalties
User Defined
Allegro Worksheet 8
CRITICAL INFORMATION ASSET PROFILE

(1) Critical Asset
    What is the critical information asset?

(2) Rationale for Selection
    Why is this information asset important to the organization?

(3) Description
    What is the agreed-upon description of this information asset?

(4) Owner(s)
    Who owns this information asset?

(5) Security Requirements
    What are the security requirements for this information asset?
    Confidentiality: Only authorized personnel can view this information asset, as follows:
    Integrity: Only authorized personnel can modify this information asset, as follows:
    Availability: This asset must be available for these personnel to do their jobs, as follows:
    Availability: This asset must be available for _____ hours, _____ days/week, _____ weeks/year.
    Other: This asset has special regulatory compliance protection requirements, as follows:

(6) Most Important Security Requirement
    What is the most important security requirement for this information asset?
    Confidentiality / Integrity / Availability / Other

Allegro Worksheet 10
INFORMATION ASSET RISK WORKSHEET

Information Asset Risk

Information Asset
Area of Concern

Threat

(1) Actor
    Who would exploit the area of concern or threat?

(2) Means
    How would the actor do it? What would they do?

(3) Motive
    What is the actor's reason for doing it?

(4) Outcome
    What would be the resulting effect on the information asset?
    Disclosure / Destruction / Modification / Interruption

(5) Security Requirements
    How would the information asset's security requirements be breached?

(6) Probability
    What is the likelihood that this threat scenario could occur?
    High / Medium / Low

(7) Consequences
    What are the consequences to the organization or the information asset owner as a result of the outcome and breach of security requirements?

(8) Severity
    How severe are these consequences to the organization or asset owner by impact area?

    Impact Area / Value / Score
    Reputation & Customer Confidence
    Financial
    Productivity
    Safety & Health
    Fines & Legal Penalties
    User Defined Impact Area
    Relative Risk Score

(9) Risk Mitigation
    Based on the total score for this risk, what action will you take?
    Accept / Defer / Mitigate / Transfer

    For the risks that you decide to mitigate, perform the following:
    On what container would you apply controls?
    What administrative, technical, and physical controls would you apply on this container? What residual risk would still be accepted by the organization?