
- Final report
- I. Executive Summary
- II. Recommendations
- 1.1 Operational Environment and System Configuration
- 1.1.1 The Risk Assessment Team
- 1.1.2 Organization Details of SpecOrg
- 1.1.3 Physical Plant and Physical Security
- 1.1.4 System Configuration
- 1.2 Terms and Definitions
- Introduction
- 1.3 Risk Analysis Methodology
- 1.4 RiskWatch Parameters and Data Analysis
- 2.1 Summary of asset categories
- 2.2 Assets within category
- 5.2.1 Physical Access Control
- 5.2.4 Contract Specifications
- 5.2.7 Life Cycle Management
- 5.2.9 Personnel Clearances
- 5.2.12 Risk Analysis
- 5.1 Summary of safeguards
- Initial costs
2.2 Assets within category
Assets are identified, by category, by their commonly used name; associated with each individual asset there is other related information. Depending on the asset category, other data is also provided for each asset. This will include the level of sensitivity for data, the quantity of a duplicated hardware item, etc. When the information is available, an indication is included of the basic attribute(s) of each asset, stating whether the asset is
critical (in the sense that the mission of the enterprise depends on the correct and timely functioning of this asset), or
financial (with respect to the need to control modification), or sensitive (with respect to disclosure), or supportive (none of the above).
The definition of each asset category is also provided.
The monetary values assigned represent the estimated replacement or purchase cost of the asset, not its current value. For example, the recruitment cost, the training cost, and the staff salaries and benefits were used to determine personnel costs. For leased equipment, replacement cost of obtaining a new lease is used since the organization is responsible for obtaining a replacement resource.
The value of sensitive resources could be greater than the replacement value to account for the loss of future opportunity and the extent of exposure that agencies have resulting from the disclosure of data subject to the Privacy Act; awards of $1,000 to $5,000 per individual record have been assessed by the courts based on the sanctions included in the Privacy Act of 1974.
The sections below deal, in turn, with each of the asset categories included in the analysis.
2.2.1 Accounts Payable
| Asset | Replacement Cost | Percentage of Total |
|---|---|---|
| RTG | $1,337. | 100.0% |

Figure 7.1

This information about replacement costs is presented below as a bar chart.

[Figure 8.1: bar chart of replacement cost in Dollars for RTG]
2.2.2 Accounts Receivable
| Asset | Replacement Cost | Percentage of Total |
|---|---|---|
| 321 | $50,000. | 100.0% |

Figure 7.2

This information about replacement costs is presented below as a bar chart.

[Figure 8.2: bar chart of replacement cost in Dollars for 321]
2.2.3 Applications
| Asset | Replacement Cost | Percentage of Total |
|---|---|---|
| 345 | $50,000. | 100.0% |

Figure 7.3

This information about replacement costs is presented below as a bar chart.

[Figure 8.3: bar chart of replacement cost in Dollars for 345]
2.2.4 Communications Hardware
| Asset | Replacement Cost | Percentage of Total |
|---|---|---|
|  | $50,000. | 100.0% |

Figure 7.4

This information about replacement costs is presented below as a bar chart.

[Figure 8.4: bar chart of replacement cost in Dollars]
2.2.5 Communications Software
| Asset | Replacement Cost | Percentage of Total |
|---|---|---|
| EWQ | $25,000. | 100.0% |

Figure 7.5

This information about replacement costs is presented below as a bar chart.

[Figure 8.5: bar chart of replacement cost in Dollars for EWQ]
2.2.6 Databases
| Asset | Replacement Cost | Percentage of Total |
|---|---|---|
| 456 | $7,500. | 100.0% |

Figure 7.6

This information about replacement costs is presented below as a bar chart.

[Figure 8.6: bar chart of replacement cost in Dollars for 456]
2.2.7 Documentation
| Asset | Replacement Cost | Percentage of Total |
|---|---|---|
| OI | $10,000. | 100.0% |

Figure 7.7

This information about replacement costs is presented below as a bar chart.

[Figure 8.7: bar chart of replacement cost in Dollars for OI]
2.2.8 Hardware
| Asset | Replacement Cost | Percentage of Total |
|---|---|---|
| HARD | $25,000. | 100.0% |

Figure 7.8

This information about replacement costs is presented below as a bar chart.

[Figure 8.8: bar chart of replacement cost in Dollars for HARD]

2.2.9 Office Equipment

| Asset | Replacement Cost | Percentage of Total |
|---|---|---|
| QWE | $7,500. | 60.0% |
| QWE | $5,000. | 40.0% |

Figure 7.9

This information about replacement costs is presented below as a bar chart.

[Figure 8.9: bar chart of replacement cost in Dollars for the Office Equipment assets]

The percentage of the total replacement cost for this category that is contributed by each asset is indicated in the following diagram.

[Figure 9.9: pie chart of each asset's share of the Office Equipment replacement cost]
2.2.10 Personnel
| Asset | Replacement Cost | Percentage of Total |
|---|---|---|
| PERS | $2,000. | 100.0% |

Figure 7.10

This information about replacement costs is presented below as a bar chart.

[Figure 8.10: bar chart of replacement cost in Dollars for PERS]
2.2.11 System Software
| Asset | Replacement Cost | Percentage of Total |
|---|---|---|
| HELPMEPLEASE | $7,500. | 100.0% |

Figure 7.11

This information about replacement costs is presented below as a bar chart.

[Figure 8.11: bar chart of replacement cost in Dollars for HELPMEPLEASE]
2.2.12 Utilities
| Asset | Replacement Cost | Percentage of Total |
|---|---|---|
| 42 | $0. | 0.0% |
| 42 | $0. | 0.0% |

Figure 7.12
3.2 INCIDENTS INVOLVING EACH THREAT
Each incident is defined as a triple of the form <threat, loss category, asset category>. Defining incidents this way makes it possible to separate the various forms of loss that a given threat may cause to the enterprise as a result of acting on the same asset category.
The sections below look at each threat and indicate the various incidents that were associated with it in the analysis. For each incident, a table is presented (Figures 13.1, 13.2, ...) indicating its SLE and ALE (where the ALE is generated by multiplying the SLE for the incident by the AFE of the threat). The overall ALE for a threat is the sum of the ALEs for each of the associated incidents; this is shown as the total of the third column. The percentage of this total represented by the ALE for each incident is indicated in the fourth column.
Also shown for each threat is a bar chart that provides a visual presentation of the relative magnitudes of the ALE for each incident. These are shown as Figures 14.1, 14.2, ....
Pie charts are then also provided that indicate the percentage of each threat ALE that is accounted for by each incident used in its calculation.
3.2.1 Blackmail - AFE: 0.05
The various incident classes associated with this threat are shown in the following table:
| Incident Class | SLE | ALE | % of total ALE |
|---|---|---|---|
| Direct Loss, Personnel | $20. | $1. | 0.0% |

Figure 13.1

[Figure 16.1: Blackmail - SLE's, bar chart in Dollars: Direct, Personnel]
3.2.2 Budget Loss - AFE: 0.50
The various incident classes associated with this threat are shown in the following table:
| Incident Class | SLE | ALE | % of total ALE |
|---|---|---|---|
| Disclosure, Databases | $25,000. | $12,500. | 100.0% |

Figure 13.2

[Figure 14.2: Budget Loss - ALE's, bar chart in Dollars: Disclosure, Databases]

[Figure 16.2: Budget Loss - SLE's, bar chart in Dollars: Disclosure, Databases]
3.2.3 Cold/Frost/Snow - AFE: 5.00
The various incident classes associated with this threat are shown in the following table:
| Incident Class | SLE | ALE | % of total ALE |
|---|---|---|---|
| Disclosure, Databases | $12,500. | $62,500. | 100.0% |

Figure 13.3

[Figure 14.3: Cold/Frost/Snow - ALE's, bar chart in Dollars: Disclosure, Databases]

[Figure 16.3: Cold/Frost/Snow - SLE's, bar chart in Dollars: Disclosure, Databases]
3.2.4 Data Destruction - AFE: 20.00
The various incident classes associated with this threat are shown in the following table:
| Incident Class | SLE | ALE | % of total ALE |
|---|---|---|---|
| Disclosure, Databases | $250,000. | $5,000,000. | 98.9% |
| Direct Loss, Databases | $2,751. | $55,027. | 1.1% |

Figure 13.4

[Figure 14.4: Data Destruction - ALE's, bar charts in Dollars: Disclosure, Databases; Direct, Databases]

[Figure 15.4: Data Destruction - ALE's, pie chart: Disclosure, Databases (98.9%); Direct, Databases (1.1%)]

[Figure 16.4: Data Destruction - SLE's, bar charts in Dollars: Disclosure, Databases; Direct, Databases]
3.2.5 Data Disclosure - AFE: 3.00
The various incident classes associated with this threat are shown in the following table:
| Incident Class | SLE | ALE | % of total ALE |
|---|---|---|---|
| Disclosure, Databases | $1,938. | $5,813. | 100.0% |

Figure 13.5

[Figure 14.5: Data Disclosure - ALE's, bar chart in Dollars: Disclosure, Databases]

[Figure 16.5: Data Disclosure - SLE's, bar chart in Dollars: Disclosure, Databases]
3.2.6 Data Integrity Loss - AFE: 3.00
The various incident classes associated with this threat are shown in the following table:
| Incident Class | SLE | ALE | % of total ALE |
|---|---|---|---|
| Direct Loss, Accounts Receivable | $5,526. | $16,576. | 27.8% |
| Direct Loss, Applications | $5,507. | $16,523. | 27.7% |
| Disclosure, Personnel | $4,500. | $13,500. | 22.7% |
| Direct Loss, Communications Software | $2,723. | $8,171. | 13.7% |
| Direct Loss, System Software | $817. | $2,451. | 4.1% |
| Direct Loss, Databases | $640. | $1,921. | 3.2% |
| Direct Loss, Accounts Payable | $147. | $443. | 0.7% |
| Disclosure, Databases | $0. | $0. | 0.0% |

Figure 13.6

[Figure 14.6: Data Integrity Loss - ALE's, bar charts in Dollars per incident (Direct, Accts Pay and others)]

[Figure 15.6: Data Integrity Loss - ALE's, pie chart: Direct, Accts Rec (27.8%); Direct, Applicatns (27.7%); Disclosure, Personnel (22.7%); Direct, Comms S/W (13.7%); 4 Others (8.1%)]

[Figure 16.6: Data Integrity Loss - SLE's, bar charts in Dollars per incident]
3.2.7 Flooding/Water Damage - AFE: 0.01
The various incident classes associated with this threat are shown in the following table:
| Incident Class | SLE | ALE | % of total ALE |
|---|---|---|---|
| Direct Loss, Communications Hardware | $10,001. | $100. | 93.5% |
| Direct Loss, Office Equipment | $625. | $6. | 5.8% |
| Disclosure, Databases | $250. | $3. | 2.3% |

Figure 13.7

[Figure 14.7: Flooding/Water Damage - ALE's, bar charts in Dollars: Direct, Comms H/W and others]

[Figure 15.7: Flooding/Water Damage - ALE's, pie chart: Direct, Comms H/W (91.7%); Direct, Off Equip (5.5%); Disclosure, Databases (2.8%)]

[Figure 16.7: Flooding/Water Damage - SLE's, bar charts in Dollars: Direct, Comms H/W and others]
3.2.8 Hardware Failure - AFE: 70.00
The various incident classes associated with this threat are shown in the following table:
| Incident Class | SLE | ALE | % of total ALE |
|---|---|---|---|
| Direct Loss, Hardware | $375,000. | $26,250,000. | 100.0% |
| Disclosure, Databases | $0. | $0. | 0.0% |

Figure 13.8

[Figure 14.8: Hardware Failure - ALE's, bar chart in Dollars: Direct, Hardware]

[Figure 16.8: Hardware Failure - SLE's, bar chart in Dollars: Direct, Hardware]
3.2.9 Pirating Key Personnel - AFE: 1.00
No incidents were associated with this threat in the analysis, so no incident table is presented for it.
The section below looks at each safeguard and indicates, for each threat, the ALE before and after the safeguard is implemented. The overall ALE for a threat is the sum of the ALEs for each of the associated incidents. The percentage by which the ALE is reduced by the safeguard is also indicated.
The next section contains a table indicating, for each safeguard, the ALE before (Original ALE) and after the safeguard is implemented.
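As an added illustration (not part of the RiskWatch report itself), the arithmetic described in section 3.2 and in the safeguard tables, carried through in Python: ALE = SLE x AFE per incident, each incident's share of the threat total, the Percentage Drop a safeguard produces, and the enterprise-wide Difference. The `Incident` class and the function names are my own; the SLE, AFE and ALE dollar values are taken from Figure 13.4 and from the Physical Access Control rows of the safeguard table.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Incident:
    """One <threat, loss category, asset category> triple with its SLE in dollars."""
    threat: str
    loss_category: str
    asset_category: str
    sle: float

# Annual frequency estimate (AFE) of the threat, as stated in section 3.2.4.
AFE = {"Data Destruction": 20.0}

# The two Data Destruction incidents of Figure 13.4 (SLE values from the report).
INCIDENTS = [
    Incident("Data Destruction", "Disclosure", "Databases", 250_000),
    Incident("Data Destruction", "Direct Loss", "Databases", 2_751),
]

def ale(sle, afe):
    """ALE = SLE x AFE, the rule stated in section 3.2."""
    return sle * afe

def threat_ale(threat, incidents=INCIDENTS, afe=AFE):
    """Total ALE for a threat plus, per incident, (ALE, % of the threat total)."""
    per_incident = {f"{i.loss_category}, {i.asset_category}": ale(i.sle, afe[threat])
                    for i in incidents if i.threat == threat}
    total = sum(per_incident.values())
    shares = {k: (v, round(100 * v / total, 1) if total else 0.0)
              for k, v in per_incident.items()}
    return total, shares

def percentage_drop(original, with_safeguard):
    """Percentage by which a safeguard lowers a threat's ALE, to 2 decimals as printed."""
    return round(100 * (original - with_safeguard) / original, 2)

def safeguard_difference(before_after):
    """Enterprise-wide Difference: sum over threats of (Original ALE - ALE with Safeguard)."""
    return sum(orig - after for orig, after in before_after.values())

# Physical Access Control rows of the safeguard table (dollar values from the report).
PHYSICAL_ACCESS_CONTROL = {
    "Data Destruction": (5_055_028, 5_035_861),
    "Data Disclosure": (5_813, 4_915),
    "Data Integrity Loss": (59_584, 43_827),
}

if __name__ == "__main__":
    total, shares = threat_ale("Data Destruction")  # 5,055,020 here; the report prints 5,055,028 from unrounded SLEs
    print(f"Data Destruction ALE ${total:,.0f}")
    for name, (value, pct) in shares.items():
        print(f"  {name}: ${value:,.0f} ({pct}%)")
    for threat, (orig, after) in PHYSICAL_ACCESS_CONTROL.items():
        print(f"{threat}: {percentage_drop(orig, after)}% drop")
    # Sums to $35,822; the report's $35,824 reflects the rounding of the printed rows.
    print(f"Difference: ${safeguard_difference(PHYSICAL_ACCESS_CONTROL):,.0f}")
```

The few-dollar gaps between the recomputed totals and the printed ones show that the report works from unrounded internal values, so a reviewer should not expect its columns to add exactly.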
Safeguard: Physical Access Control

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Destruction | $5,055,028. | $5,035,861. | 0.38% |
| Data Disclosure | $5,813. | $4,915. | 15.45% |
| Data Integrity Loss | $59,584. | $43,827. | 26.45% |

Safeguard: Application Controls

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Destruction | $5,055,028. | $4,549,525. | 10.00% |

Safeguard: Classification Markings

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Disclosure | $5,813. | $3,459. | 40.50% |

Safeguard: Contract Specifications

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|

Safeguard: Data Encryption

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Destruction | $5,055,028. | $2,527,514. | 50.00% |
| Data Disclosure | $5,813. | $2,861. | 50.78% |
| Data Integrity Loss | $59,584. | $44,688. | 25.00% |

Safeguard: Detection System

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Destruction | $5,055,028. | $5,047,361. | 0.15% |
| Data Disclosure | $5,813. | $5,372. | 7.59% |
| Data Integrity Loss | $59,584. | $53,251. | 10.63% |

Safeguard: Life Cycle Management

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Integrity Loss | $59,584. | $59,238. | 0.58% |

Safeguard: Passwords/Authentication

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Disclosure | $5,813. | $5,740. | 1.26% |

Safeguard: Personnel Clearances

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Destruction | $5,055,028. | $5,050,854. | 0.08% |
| Data Disclosure | $5,813. | $4,337. | 25.39% |
| Data Integrity Loss | $59,584. | $56,505. | 5.17% |

Safeguard: Personnel Control

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Disclosure | $5,813. | $5,749. | 1.10% |
| Data Integrity Loss | $59,584. | $59,563. | 0.04% |

Safeguard: Quality Assurance

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Integrity Loss | $59,584. | $53,627. | 10.00% |

Safeguard: Risk Analysis

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Destruction | $5,055,028. | $5,049,525. | 0.11% |
| Data Disclosure | $5,813. | $5,232. | 9.99% |
| Data Integrity Loss | $59,584. | $54,977. | 7.73% |

Safeguard: Security Policy

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Destruction | $5,055,028. | $4,796,256. | 5.12% |
| Data Disclosure | $5,813. | $4,703. | 19.10% |
| Data Integrity Loss | $59,584. | $52,058. | 12.63% |
The following is a table indicating, for each safeguard, the ALE before (Original ALE) and after the safeguard is implemented (ALE with Safeguard). This table also indicates the difference between the two ALE values.
Also shown is a bar chart that provides a visual presentation of the difference in ALE for each safeguard.
| Safeguard | Original ALE | ALE with Safeguard | Difference |
|---|---|---|---|
| Physical Access Control | $31,445,536. | $31,409,712. | $35,824. |
| Application Controls | $31,445,536. | $30,940,033. | $505,503. |
| Classification Markings | $31,445,536. | $31,443,182. | $2,354. |
| Contract Specifications | $31,445,536. | $31,445,536. | $0. |
| Data Encryption | $31,445,536. | $28,900,174. | $2,545,362. |
| Detection System | $31,445,536. | $31,431,094. | $14,442. |
| Life Cycle Management | $31,445,536. | $31,445,189. | $347. |
| Passwords/Authentication | $31,445,536. | $31,445,463. | $73. |
| Personnel Clearances | $31,445,536. | $31,436,806. | $8,730. |
| Personnel Control | $31,445,536. | $31,445,451. | $85. |
| Quality Assurance | $31,445,536. | $31,439,578. | $5,958. |
| Risk Analysis | $31,445,536. | $31,434,844. | $10,692. |
| Security Policy | $31,445,536. | $31,178,127. | $267,409. |

[Bar chart: difference in ALE (Dollars) for each safeguard, including Physical Access Control, Detection System, Risk Analysis, Personnel Clearances, Quality Assurance and Classification Markings]
Instructions for preparing Final Reports.
In Phase 4, there are many different reports that can be generated. To facilitate the assembly of these smaller specialized reports into a single "Final Report" for submission to management, provision is made to attach the name of each selected report file (each is a .WRI file) to a list that is made available to the analyst at the end of the reporting phase, Phase 4.
A couple of points must be kept in mind when the final report is assembled. It is assumed that a word processor will be used to prepare the Final Report, and the following are tasks and ideas that are within the purview of most word processors:
- On the parameter screen in Phase 1, you indicated that the sensitivity level of the system being analyzed is 1. Because reports that deal with a system must bear markings that indicate that the report is of a similar level of sensitivity, you are warned that the word processor used in the assembly process must also be used to indicate, as both Headers and Footers, this level of sensitivity on EVERY page;
- There is no provision in the RiskWatch system for the title page or pages that come before paragraphs, sections, or diagrams. The analyst wishing these must provide them using the facilities of the word processor employed;
- The ordering of sections is left to the discretion of the analyst: some people prefer to have the Executive Summary as the very first section, even preceding the Table of Contents, while others may wish to have their Table of Contents immediately following the Cover page;
- Because of the strong possibility that different enterprises will opt to assemble different pieces (sub-reports) into their respective Final Reports, the Table of Contents for the Final Report is left to the analyst, using the power of a modern word processor.
In the text provided by RiskWatch as part of the reports that embody the results of the analysis and the initial data, there are several sections that are enclosed in triple square brackets (that is, [[[ and ]]]). All text between these brackets is given SOLELY as a guide to suggested text to surround the numbers that form the basis of the reports. The text serves no other purpose. Please replace this text with other text that is more appropriate to your enterprise.