_{МИНОБРНАУКИ РОССИИ}

Санкт-Петербургский государственный

электротехнический университет

«ЛЭТИ» им. В.И. Ульянова (Ленина)

Кафедра информационной безопасности

Практическа РАБОТА №10

по дисциплине «Основы Информационной Безопасности»

Тема: Изучение оценки безопасность предприятия с помощью ПО Risk Watch

Студент гр. _________________

Преподаватель _________________ Воробьев Е.Г.

Санкт-Петербург 2023

20.11.2023 14:13:00

Final report

Risk Analysis of NGY

Prepared by:

[[[]]] [[[ ---------------- ]]] [[[ ------------------ ]]]

NAME	NAME	NAME
Project Manager	Asst Project Manager	Senior Security Analyst
Risk Analysis Team	Risk Analysis Team	Risk Analysis Team

1. TABLE OF CONTENTS

I. Executive Summary II. Recommendations

Chapter 1 - General Information

1.1 Operational Environment and System Configuration

1.1.1 The Risk Assessment Team

1.1.2 Organizational Details of SpecOrg

1.1.3 Physical Plant and Physical Security

1.1.4 System Configuration

1.2 Terms and Definitions

1.3 Risk Analysis Methodology

1.4 RiskWatch Parameters and Data Analysis

Chapter 2 - Assets

2.1 Summary of Asset Categories

2.2 Assets Listed Within Category

2.2.1 Assets Within Category 1

===

2.2.N Assets Within Category N

Chapter 3 - Threats

3.1 Summary of Threats

3.2 Incidents Involving Each Threats

3.2.1 Incidents Involving Threat 1 ===

3.2.N Incidents Involving Threat N

Chapter 4 - Areas of Vulnerability

4.1 Summary of Vulnerabilities

4.2 Question Report

4.2.1 Question Report For Vulnerability Area 1 ===

4.2.N Question Report For Vulnerability Area N 4.3 Incidents Linked to Each Vulnerability Area

4.3.1 Incidents Linked To Vulnerability Area 1 ===

4.3.N Incidents Linked To Vulnerability Area N

Chapter 5 - Safeguards

5.1 Summary of Safeguards

5.2 Cost-Benefit Analysis Report

5.2.1 Cost-Benefit Analysis Report For Safeguard 1 ===

5.2.N Cost-Benefit Analysis Report For Safeguard N

5.3 Incidents Affected by Each Safeguard

5.3.1 Incidents Affected By Safeguard 1

===

5.3.N Incidents Affected By Safeguard N

Appendixes

Appendix A - Assets

Appendix B - Threats

Appendix C - Vulnerability Areas

Appendix D - Safeguards

Chapter 1 - General Introduction

The development of effective plans is a manager's most important responsibility, and the measurement of the compliance of an organization with these plans is essential. For Automated Information Systems (AIS) facilities, one of the most important categories of planning is security planning because of the catastrophic impact that total shut down of the AIS facility would have on the entire organization.

A quantitative risk analysis is a tool for measuring the compliance of an organization with applicable security requirements and is a standardized methodology which can be used to analyze a system or organization to identify vulnerabilities that could result in losses. This standardized methodology is based on the interrelationships of four key factors:

1. Asset

Any useful or valuable resource;

2. Vulnerability

Weakness or susceptibility of an asset or a collection of assets to losses of various kinds;

3. Threat

An event, process, or act which, when realized, has an adverse effect on one or more assets; and

4. Safeguard

Countermeasure, control, or action taken to decrease the existing level of vulnerability of an asset to one or more threats.

To facilitate the performance of the risk analysis, SpecOrg acquired a risk analysis system called RiskWatch II for Windows. This PC-based software package, which is available on GSA Schedule, was originally developed for the Department of the Navy; it has been redesigned and rewritten to make it a Windows application and it is currently being used by the Department of Defense, NASA, several State and local governments, and private industry.

The scope of the risk analysis was limited to SpecOrg and threats arising from its environment including all telecommunications links to SpecOrg. The purpose of the risk analysis was to identify the vulnerability of the assets of SpecOrg to a variety of threats and to recommend safeguards which could reduce or eliminate the vulnerability of SpecOrg to these threats.

In some instances, applicable safeguards were 100% implemented, but were not being fully employed by the user community. As a general rule, when such noncompliance with policy within the enterprise occurs, it is frequently because there is a lack of awareness of the security issues; this may result from inadequate security training and enforcement of security requirements .