Define Information Assets: Option 2: Cybersecurity Office Excel
Cybersecurity Office Excel
The Risk & Information Asset Classification Framework can currently only be customised via Excel.
- If the Options section is not open, click on it to expand the available Options.
- Click on 'Option 2: Cybersecurity Office Excel'
Risk Framework Excel Import Option
- If you don't already have an Excel file in the right format, click the 'here' link to generate one from the current state of your Security Profile, which includes the Risk & Information Asset Classification Frameworks.
- Update the details on the InformationAssets worksheet in Excel and save the changes
- Categories & Consequences are defined on the RiskFrameworkConsequences worksheet.
The first column defines the Risk Categories. The first row defines the increasingly severe Consequences applicable to each Risk Category.
New rows and columns can be added, however the number of each should be kept to a manageable number. There are rarely more than 5 or 6 consequence columns.
Each cell corresponding to a Risk Category and Risk Consequence must have a description of what would constitute that consequence level for that category.
Risk Framework Consequences Worksheet
- Likelihoods are defined on the RiskFrameworkLikelihoods worksheet.
The first column defines the Likelihood labels in increasingly likely order, the second column provides the description of each corresponding Likelihood.
Risk Framework Likelihoods Worksheet
- The Risk Matrix is defined on the RiskFrameworkMatrix worksheet.
The Risk Matrix in the spreadsheet is a little complex as it needs to align with the Risk Level Label definitions on the RiskFrameworkAppetite worksheet (see next step). The quantitative definition of Risk is "Likelihood multiplied by Consequence". Cybersecurity Office uses a quantitative representation of Risk, so the Risk Matrix needs to be defined mathematically.
The simplest approach, if no Risk Matrix is already defined, is to attribute a 1-5 value for Likelihood and a 1-5 value for Consequence and then just place a corresponding Likelihood X Consequence value in each corresponding cell. This approach is shown in the image below.
The first column must match the Likelihoods from the RiskFrameworkLikelihoods worksheet in order from least likely to most likely.
The rows must match the Consequence names from the RiskFrameworkConsequences worksheet in order of increasing severity.
Risk Framework Matrix Default Worksheet
However, many organisations define the Risk Matrix with the labels first (e.g. Low, Medium, High, Extreme), in a layout that doesn't necessarily make clean sense from a mathematical perspective. Cybersecurity Office can still support a Risk Matrix defined in this way, so long as every cell value increases from left to right and top to bottom and the Risk Matrix Labels are defined based on these labels.
- Risk Level Labels and Risk Appetite are defined on the RiskFrameworkAppetite worksheet.
The Risk Labels that will be associated with each combination of Likelihood/Consequence from the above tables are defined in the RiskFrameworkAppetite worksheet.
Risk Framework Appetite Default Worksheet
The Threshold column defines which labels apply to the cells from the previous worksheet up to and including that threshold value.
When combined in the service, the above Risk Matrix and Label Thresholds map to the following:
Risk Framework Matrix
- Only ever change the summary field on the SecurityObjectives worksheet. The Confidentiality, Integrity and Availability names must not be altered.
Security Objective Definitions
- The Information Asset Classification Framework Confidentiality Labels are defined on the SO-Confidentiality worksheet.
The classification labels are defined in the first column. The number of labels should not exceed the number of consequences, but there can be fewer.
The Consequence Threshold column is used to map the label to the consequence index that is given the label. In the example below, 'Public' is only applied to assets that would result in a 'No Impact' consequence if the Confidentiality was compromised, while 'Internal Use' applies to assets with both 'Insignificant' and 'Minor' consequences.
Confidentiality Labels
- The Information Asset Classification Framework Integrity Labels are defined on the SO-Integrity worksheet.
Integrity Labels
- The Information Asset Classification Framework Availability Labels are defined on the SO-Availability worksheet.
Availability Labels
- Optional Handling Caveats, as defined by OVIC, can be defined on the HandlingCaveats worksheet.
Handling Caveats are constrained to a specific range of consequences. The following example shows the Cabinet-In-Confidence handling caveat defined by OVIC. Note that if you re-map the consequences in your organisation specific Risk Framework to the state-wide Business Impact Levels, you'll need to ensure the consequence level indexes are updated accordingly.
Handling Caveats
- Optional Handling Restrictions, as defined by OVIC, can be defined on the HandlingRestrictions worksheet.
Handling Restrictions correspond to a checkbox list that can be selected when classifying an asset. These aren't tied to the Risk Consequences.
Handling Restrictions
- Business Impact Levels (BILs) can be defined on the ImpactBaselines worksheet.
Applying the Impact Baselines follows the same approach as the Security Objective labels. For example, if the highest Business Impact Level for your organisation is BIL 3, you may reshuffle your mapping as follows:
Custom Business Impact Level Mapping
The above corresponds to the following:
Reshuffled Business Impact Levels
- Click on the 'Import Asset Registry' button, click the 'Choose File' button on the dialog and then click the 'Import' button
Risk Framework Excel Import Dialog
- When it is complete, the Risk & Information Asset Classification Frameworks should be updated to reflect the content of the spreadsheet.
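A pre-import consistency check for the rules described in the steps above, as an added example (not Cybersecurity Office code): it verifies that the Risk Matrix increases left to right and top to bottom, then applies the "up to and including" threshold rule to both Risk Level Labels and classification labels. The likelihood names, the 'Major' and 'Severe' consequences, the 'Restricted' label, all threshold values and the 0-based consequence index are constructed assumptions.

```python
from bisect import bisect_left

# Constructed sample data; names and threshold values are assumptions.
LIKELIHOODS = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
CONSEQUENCES = ["No Impact", "Insignificant", "Minor", "Major", "Severe"]
# Simplest approach from the page: cell = likelihood (1-5) x consequence (1-5).
MATRIX = [[l * c for c in range(1, 6)] for l in range(1, 6)]
# (threshold, label): a label applies to values up to and including its threshold.
RISK_LABELS = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Extreme")]
CONFIDENTIALITY = [(0, "Public"), (2, "Internal Use"), (4, "Restricted")]  # 0-based index


def label_for(value, thresholds):
    """Return the first label whose threshold is >= value ("up to and including")."""
    cutoffs = [t for t, _ in thresholds]
    i = bisect_left(cutoffs, value)
    if i == len(thresholds):
        raise ValueError(f"{value} exceeds the highest threshold {cutoffs[-1]}")
    return thresholds[i][1]


def validate(matrix, likelihoods, consequences, risk_labels, class_labels):
    """Collect problems that would make the imported framework inconsistent."""
    problems = []
    if len(matrix) != len(likelihoods):
        problems.append("matrix row count differs from number of likelihoods")
    for r, row in enumerate(matrix):
        if len(row) != len(consequences):
            problems.append(f"row {r} width differs from number of consequences")
        # Literal reading of the page's rule: values increase along rows and down columns.
        if any(a >= b for a, b in zip(row, row[1:])):
            problems.append(f"row {r} does not increase left to right")
    for c, col in enumerate(zip(*matrix)):
        if any(a >= b for a, b in zip(col, col[1:])):
            problems.append(f"column {c} does not increase top to bottom")
    for name, table in (("risk", risk_labels), ("classification", class_labels)):
        cutoffs = [t for t, _ in table]
        if cutoffs != sorted(set(cutoffs)):
            problems.append(f"{name} thresholds are not strictly ascending")
    if matrix and max(map(max, matrix)) > risk_labels[-1][0]:
        problems.append("highest matrix value has no risk label")
    if len(class_labels) > len(consequences):
        problems.append("more classification labels than consequences")
    return problems


def rendered_matrix(matrix, risk_labels):
    """Replace each numeric cell with its Risk Level Label."""
    return [[label_for(v, risk_labels) for v in row] for row in matrix]
```

An empty list from `validate` means the worksheets are mutually consistent under these rules; `rendered_matrix` shows the label grid the numeric matrix and thresholds resolve to.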