
1.1.4 System Configuration
The system consists of the following (see attached floor plan):
Figure 2 [[[ Attach Floor Plan HERE ]]]
[[[
SYSTEM
- Processors: IBM 3090-500E & 600S
- Disk Storage: IBM/STK/AMDAHL
- Library Storage Modules (6): STK 4400
- Cartridge Drives (96): IBM/STK
- Cartridges (200,000): 3480's
- Tape Reel Drives (8): 6250 BPI
- Tapes: 15,000 Round Media
- Printers:
  (Page) (1) Xerox 90 PPM
  (Line) (1) IBM 2,000 LPM
  (1) STK 1,500 LPM
Communications
High speed link to SpecOrg, Department Information Management. Exchange System to Regional Offices, Value Added Networks to SpecOrg Sites, Intermediaries, and Contractors
- IBM Information Network
- FTS 2000
]]]
1.2 Terms and Definitions
1.2.1 Annual Frequency Estimate (AFE):
The Annual Frequency Estimate (AFE) is a factor based on historical data which indicates the approximate number of times a defined threat might occur in a specific environment, system, or location in a given year.
1.2.2 Annual Loss Expectancy (ALE):
The sum of the Individual Annual Loss Expectancies (IALE) for all assets, of a specific loss type, and attributed to a specific threat.
1.2.3 Annual Loss Expectancy, Individual: Per Asset (IALE)
The Individual Annual Loss Expectancy (IALE) represents the proportion of an individual asset that could be lost as the result of a single instance of a threat event, multiplied by the Annual Frequency Estimate (AFE) of the specific threat.
1.2.4 Application Software:
A program or set of programs designed for a specific function such as payroll, accounts payable, inventory control, property management, etc. Both source code and object code ought to be considered.
1.2.5 Assets:
Assets are defined as useful or valuable possessions of the enterprise. All assets, including data, residing in a computer system can be properly identified, quantified with respect to one or more evaluative perspectives (such as replacement cost), and classified into one or more of the following distinct categories:
1.2.5a Critical Assets:
Those assets which provide direct support to the organization's ability to sustain its mission. Assets or resources are considered critical if their absence or non-availability would significantly degrade the ability of the organization to carry out its mission, and when the time that the organization can function without the asset is substantially lower than the time needed to replace the asset. Critical assets can be backed up to reduce their potential impact.
1.2.5b Financial, Controlled, Validated, Certified or Accountable Assets:
Moveable property, cash, inventories, accounting or auditing systems, and automatic money-handling software are financial or accountable. These assets are susceptible to both internal and external fraud.
This category also includes payroll, billings, supply inventories, accounts payable and receivable, other financial assets, small pilfer items, cash, consumables, negotiable instruments and services as well as automated billing systems. (Special attention is required as a result of the report by the U.S. Government Accounting Office directive entitled 'Improvements Needed in Managing Automated Decision-making by Computers Throughout the Federal Government', FGMSD-76-5, April 23, 1976.) This category includes data bases, programs, and information on which unauthorized and invalid modifications cannot be tolerated.
1.2.5c Sensitive Assets:
Includes processes and information, assets that need controlled dissemination and that are considered classified, controlled, proprietary, or private. The unauthorized disclosure and dissemination of sensitive matter can result in losses of high magnitude which are generally irrecoverable. Sensitivity is the status of importance accorded to an asset (generally data) which has been agreed upon between the person or organization furnishing the sensitive resource and the person or organization receiving it, and which describes the resource's warranted degree of protection. Privacy data is a subset or special case of sensitivity which requires protection under the Privacy Act of 1974. In this case, it is most important to have an effective liaison with each functional office maintaining personal data. The Privacy Act is very specific on the scope and requirements for data protection and the reporting of privacy data collected. Generally, losses relating to sensitive matters result from disclosure, in which
1.2.5d Supportive Assets:
These are all other justifiable, organizational assets not otherwise classified in one or more of the critical, sensitive or financial/accountable categories. For example, items like furniture, vending machines and other property that can be amortized. The loss resulting from the occurrence of a threat upon these assets is too small to warrant further consideration and development of safeguards. Therefore, these resources are excluded from the risk analysis evaluation.
1.2.6 Computer System:
The hardware consisting of CPU, memory, controller and peripherals, disc drive(s), tape drive(s), printer(s), etc.
1.2.7 Contingency Plan:
A plan that identifies resource schedules, procedures and documentation to be used in providing continued operating capability and support to all critical mission components in case of disaster.
1.2.8 Continuity of Operations Plan (COOP):
Same as Contingency Plan (see above).
1.2.9 Emergency Response:
Identified actions, procedures, and resources to be used in emergency situations.
1.2.10 Risk Analysis:
The application of a standardized methodology in the determination of threats, risk factors, vulnerability exposures and potential losses. Risk analysis is an approach to satisfying the need of an organization to protect the assets in which it has made an investment. It also serves to identify the particular problems an organization could expect to encounter in the performance of its mission, and the adverse effects these problems might present to the organization's ability to meet its obligations. Finally, risk management, growing out of the analysis, is a mechanism by which management can address these problems according to their relative importance based on financial analysis, and to develop safeguards which are both reasonable and cost-effective.
1.2.11 Safeguards:
Safeguards are countermeasures, specifications, or controls, consisting of actions taken to decrease the organization's existing degree of vulnerability to a given threat probability (Risk), that the threat will occur. Safeguards are put into effect to reduce the organization's potential losses and resultant impact to the mission. Safeguards are designed, implemented and maintained with the objective of minimizing losses by providing improved means of deterrence, prevention, mitigation, detection of and recovery from incidents (realizations of potential threat events). Generally, the safeguards are grouped into the following broad categories:
1.2.11a Administrative Safeguards:
This category includes all policies, procedures, guidelines, auditing checks and tabulations which are defined by management.
1.2.11b Physical Safeguards:
These are devices or mechanisms that protect assets. These include such things as door locks, terminal shielding, vaults, walls, fire suppression systems, and guards.
1.2.11c Technical Safeguards:
These are usually associated with the protection of information inside of a computer system; this category includes such items as data encryption, internal access controls, system and file passwords, recovery software, and auditing software.
1.2.12 Single Loss Expectancy Individual: Per Asset (SLEI)
The monetary value of a single specified asset, or set of assets, multiplied by its associated vulnerability exposures, which are related to a specific realized threat.
1.2.13 Single Loss Expectancy: Per Threat Occurrence (SLE)
The sum of the Single Loss Expectancies for all assets attributed to a specific realized threat. These are all losses associated with the single occurrence of a defined threat.
1.2.14 System Software:
Programs that control the operation of a computer system, generally consisting of utility programs (both source code and object code). System software refers to special application programs, whose function is the operation of a computer or one of its specialized subsystems.
1.2.15 Threat:
An event, process, activity (act), or substance, either accidental or perpetrated by one or more threat agents, which, when realized, has an adverse effect on organizational assets (possibly aggravated by existing organizational or other forms of vulnerability to that threat), resulting in losses that may be classified as:
1.2.15a direct loss;
1.2.15b related direct loss;
1.2.15c delays (in processing)/denials (of service) (acting against availability of the asset);
1.2.15d disclosure (of sensitive information) (acting against its confidentiality);
1.2.15e modification (also called contamination) (acting against its integrity);
1.2.15f intangible (acting against intangible assets).
The combination of all possible losses resulting from one occurrence of a threat is called the Single Loss Expectancy (SLE).
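How the quantities defined in 1.2.1 through 1.2.13 combine, as an added example that is not part of the original report or of RiskWatch: it rolls per-asset exposures up into SLE per threat and ALE per threat and loss type, and skips supportive assets as 1.2.5d directs. The asset names, values, exposure fractions and AFEs are constructed, the short loss-type names are this example's own, and the IALE is assumed to be SLEI multiplied by AFE.

```python
from collections import defaultdict
from dataclasses import dataclass

# Loss types as listed in 1.2.15a-f (short names are this example's own).
LOSS_TYPES = {"direct", "related_direct", "delay_denial",
              "disclosure", "modification", "intangible"}

@dataclass(frozen=True)
class Exposure:
    asset: str       # constructed asset name
    category: str    # critical / financial / sensitive / supportive (1.2.5a-d)
    value: float     # monetary value of the asset
    threat: str
    loss_type: str
    fraction: float  # vulnerability exposure: share of value lost per occurrence

def risk_rollup(exposures, afe):
    """Return (sle, ale): sle[threat] and ale[(threat, loss_type)]."""
    sle, ale = defaultdict(float), defaultdict(float)
    for e in exposures:
        if e.category == "supportive":
            continue  # 1.2.5d: supportive assets are excluded from the analysis
        if e.loss_type not in LOSS_TYPES or not 0.0 <= e.fraction <= 1.0:
            raise ValueError(f"bad exposure record for {e.asset}")
        slei = e.value * e.fraction            # 1.2.12, per asset
        sle[e.threat] += slei                  # 1.2.13, per threat occurrence
        iale = slei * afe[e.threat]            # 1.2.3, assumed SLEI x AFE
        ale[(e.threat, e.loss_type)] += iale   # 1.2.2, per threat and loss type
    return dict(sle), dict(ale)

# Constructed sample data; none of these figures come from the report.
AFE = {"fire": 0.125, "fraud": 0.5}  # expected occurrences per year
SAMPLE = [
    Exposure("mainframe", "critical", 4_000_000, "fire", "direct", 0.25),
    Exposure("mainframe", "critical", 4_000_000, "fire", "delay_denial", 0.125),
    Exposure("payroll_db", "financial", 800_000, "fire", "direct", 0.5),
    Exposure("payroll_db", "financial", 800_000, "fraud", "modification", 0.25),
    Exposure("furniture", "supportive", 50_000, "fire", "direct", 1.0),
]

if __name__ == "__main__":
    sle, ale = risk_rollup(SAMPLE, AFE)
    for threat, loss in sorted(sle.items()):
        print(f"SLE {threat}: {loss:,.0f}")
    for (threat, kind), loss in sorted(ale.items()):
        print(f"ALE {threat}/{kind}: {loss:,.0f}")
```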
1.2.16 Threat Agent:
Any person or thing which acts, or has the power to act, to cause, carry out, transmit or support a threat. As stated in the threat definition, it is the case that the realization of many threats will correspondingly cause the occurrence of other threats, and therefore, many threats will themselves be threat agents.
The identification of threat agents is an important element in attempting to calculate the Annual Frequency Estimate (AFE) of a threat occurrence and then the amount of loss (ALE) of an asset. Generally, a threat can occur through more than one agent, and to properly estimate the losses and subsequent impact to the mission, the individual AFEs and ALEs associated with each agent must be separately determined. Unfortunately, the statistics are not collected based on the agent. Therefore, with current statistics, the values would be overlapping and the resulting annual loss expectancy would be greatly exaggerated.
1.2.17 Threat Probability of Occurrence with Cumulative Probability, Confidence Interval, and Standard Deviation:
Based on available statistics, the probability or annual frequency estimate is calculated with the associated level of confidence and the applicable standard deviation.
1.2.18 Vulnerability:
A vulnerability, or weakness, is the susceptibility of an asset, or a set of assets, to an increased level of loss resulting from an occurrence of a defined threat against that asset. It is a characteristic, condition, or perceived lack of a procedural method or control, associated with one or more assets or safeguards, which would result in an increased loss if a threat were to be realized. The presence of a vulnerability does not in itself result in a loss, nor does the total absence of any vulnerability necessarily ensure that a loss will not occur should the threat become realized.
1.2.19 Degree of Seriousness: