
Final report
1.4 RiskWatch Parameters and Data Analysis
RiskWatch Parameters
This section lists the parameters selected by the Risk Analysis Team and approved by the work group for use in this analysis. They include the hours and days of operation, the number of records handled, the number of users, and the questionnaire non-compliance threshold.
Parameter | Value
Name of Organization | SpecOrg
Number/Code of Organizational Unit: System to be analyzed | 1101
How many days/week does system operate | 7
How many hours/day does system operate | 24
Down time before serious consequences | 0.00
Time to replace Minimum Function: Number of full-time users | 0.00
Data sensitivity level | 1
Security mode | Not Applicable
Orange Book Level | Not Applicable
Maximum $$ handled | $000
Interpret xx% or more as 100 | xx = 85 (answers less than 85% were flagged as potential vulnerabilities)
Figure 3: Summary of Parameters
Data Analysis
The team began the risk analysis by preparing and distributing questionnaire diskettes to 113 individuals. These included SpecOrg and NAME employees, Central Office and Regional Office System Security Officers, RACF Group Administrators, and NAME and non-SpecOrg users of the DATA CENTER. Although diskettes were sent to a broad range of users, the scope of the risk analysis was limited to the DATA CENTER.
Each diskette contained 449 questions, from which respondents were instructed to select and answer the questions in one or more functional areas. Each participant rated how each question (statement) applied to, or was perceived by, that person on a scale of 0 (low) to 100 (high). If a question was not applicable or the person was unfamiliar with it, he or she was instructed to respond "N".
The team received 102 completed diskettes. The response diskettes were loaded into the RiskWatch program, which processed the responses to produce a list of vulnerabilities (weaknesses). That list was reviewed by the risk analysis team and validated by a review team comprised of SpecOrg and NAME managers and technical experts.
Using the validated set of applicable vulnerabilities and a list of assets prepared by the risk analysis team and validated by the Director, NAME, the risk analysis team used the RiskWatch software to determine the applicable threats and annual loss expectancies (ALEs) and to develop a set of recommended safeguards which, if implemented, could substantially reduce potential losses.
Threat: Data Disclosure
Safeguard | Original ALE | ALE w/ Safeguard
Classification Markings | $5,813 | $3,459
Data Encryption | $5,813 | $2,861
Detection System | $5,813 | $5,373
Passwords/Authentication | $5,813 | $5,741
Personnel Clearances | $5,813 | $4,337
Personnel Control | $5,813 | $5,749
Physical Access Control | $5,813 | $4,915
Risk Analysis | $5,813 | $5,232
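The two computations this section describes, scoring questionnaire answers against the 85% threshold (with "N" excluded and the "xx% or more as 100" rule applied per answer, which is my reading of that parameter) and ranking safeguards by the ALE reduction they buy, as an added illustration that is not the report's or RiskWatch's own code. The question texts and respondent answers are constructed; the safeguard figures are the three first rows of the Data Disclosure table above.

```python
from statistics import mean

# Constructed sample: per-question answers from several respondents on the
# questionnaire's 0 (low) to 100 (high) scale. "N" means not applicable or
# unfamiliar and is excluded from the score rather than counted as 0.
SAMPLE_RESPONSES = {
    "Q12 Visitors are escorted in the computer room": [90, 95, "N", 100],
    "Q57 Backup media are stored off-site": [60, 70, "N", "N"],
    "Q88 Passwords expire at least every 90 days": ["N", "N", "N"],
}

# Original ALE and ALE with safeguard, in dollars, from the page's table.
SAMPLE_SAFEGUARDS = {
    "Classification Markings": (5813, 3459),
    "Data Encryption": (5813, 2861),
    "Detection System": (5813, 5373),
}


def flag_vulnerabilities(responses, threshold=85):
    """Return ({question: score}, [unanswered questions]).

    A question is flagged when the mean of its numeric answers is below the
    threshold. Following the "interpret xx% or more as 100" parameter, each
    answer at or above the threshold is treated as 100 before averaging
    (assumed to be how RiskWatch applies that rule). Questions with only
    "N" answers have no score and are reported separately rather than
    silently treated as compliant.
    """
    flagged, unanswered = {}, []
    for question, answers in responses.items():
        numeric = [100 if a >= threshold else a for a in answers if a != "N"]
        if not numeric:
            unanswered.append(question)
            continue
        score = mean(numeric)
        if score < threshold:
            flagged[question] = round(score, 1)
    return flagged, unanswered


def rank_safeguards(table):
    """Return (safeguard, annual ALE reduction) pairs, largest reduction first.

    The reduction is Original ALE minus ALE with the safeguard; it is the
    annual benefit to weigh against the safeguard's initial and recurring cost.
    """
    reductions = [(name, before - after) for name, (before, after) in table.items()]
    return sorted(reductions, key=lambda r: r[1], reverse=True)
```

Ranking the full Data Disclosure table the same way puts Data Encryption first ($2,952 reduction) and Personnel Control last ($64), which is the ordering the Recommendations section would weigh against safeguard cost.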
Executive Summary 1