
• Final report
• I. Executive Summary
• II. Recommendations
• 1.1 Operational Environment and System Configuration
• 1.1.1 The Risk Assessment Team
• 1.1.2 Organization Details of SpecOrg
• 1.1.3 Physical Plant and Physical Security
• 1.1.4 System Configuration
• 1.2 Terms and Definitions
• Introduction 13
• 1.3 Risk Analysis Methodology
• 1.4 RiskWatch Parameters and Data Analysis
• 2.1 Summary of asset categories
• 2.2 Assets within category
• 5.2.1 Physical Access Control
• 5.2.4 Contract Specifications
• 5.2.7 Life Cycle Management
• 5.2.9 Personnel Clearances
• 5.2.12 Risk Analysis
• 5.1 Summary of safeguards
I. Executive Summary
Scope
This risk analysis was limited to the SpecOrg Data Center.
[[[Minicomputers and microcomputers were included in the analysis only to the extent they posed a risk to SpecOrg.]]]
Risk Analysis Steps
Questionnaire diskettes or network sub-directories were developed containing [[[532]]] questions covering all areas of SpecOrg AIS security;
[[[One hundred eleven]]] SpecOrg employees and users of SpecOrg answered the questions and returned their responses;
The RiskWatch software determined SpecOrg vulnerabilities from the information returned on the diskettes;
Identified vulnerabilities were validated by SpecOrg management;
A risk analysis report was prepared.
Key Risk Analysis Report Findings
Assets
[[[
The asset replacement cost for SpecOrg is approximately $100M.
Hardware, personnel (government and contractor), and intangibles (reputation) are the major asset categories at SpecOrg.
Important assets, such as system software, applications, and databases can be replaced relatively inexpensively because they are backed-up. ]]]
Vulnerabilities
[[[
The risk analysis identified 170 vulnerabilities covering twenty-two vulnerability areas.
SpecOrg is most vulnerable in five areas (see Figure 1):
The labeling and control of output listings.
The security of remote terminals.
The level and extent of security training.
The level of staffing and separation of duties at the DATA CENTER.
The level of training for the identification of Privacy Act records and insufficient labeling of Privacy Act-related materials.
• A physical survey of the DATA CENTER revealed four fire detection and control vulnerabilities not identified by the questionnaire diskettes (see Chapter VII). ]]]
Threats
[[[
The four most significant threats to SpecOrg on an annual basis are (see Figure 2):
Data Destruction
Misuse of the Computer
Theft of Assets
Data Integrity Loss
]]]
Safeguards
[[[
The safeguards with the greatest return on investment, which are also among the least costly safeguards, are (see Figure 3):
Property Management
Organizational Structure
Visitor Control
Security Plan
Application Control
]]]
Asset Summary
CHAPTER 2. ASSETS
The SpecOrg risk analysis included 12 asset categories. [[[Some of the categories were divided into more descriptive sub-categories. For example, Communication consisted of three resource names (Communication Support Hardware, Communication Diagnostic Equipment, and Communication Modem/DSU).]]] Asset categories and values were determined through interviews with [[[NAME and NAME personnel]]]. A review of the assets was performed by the Risk Analysis Team and SpecOrg [[[and NAME]]] management.
Asset values were based on the cost of replacing each asset. The largest replacement value was for Accounts Receivable, estimated at $50,000 (see Figure 4), which constitutes 20.8% (see Figures 4 and 6) of the total value of all DATA CENTER assets. The next highest replacement values were for the categories Applications and Communications Hardware, at $50,000 (20.8%) and $50,000 (20.8%) of the whole, respectively.