Safeguard vs Threat Report
The section below looks at each safeguard and indicates, for each threat, the ALE before and after the safeguard is implemented. The overall ALE for a threat is the sum of the ALEs for each of the associated incidents. The percentage by which the ALE is reduced by the safeguard is also indicated.
The next section contains a table indicating, for each safeguard, the ALE before (Original ALE) and after the safeguard is implemented.
Safeguard: Physical Access Control

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Destruction | $5,055,028. | $5,035,861. | 0.38% |
| Data Disclosure | $5,813. | $4,915. | 15.45% |
| Data Integrity Loss | $59,584. | $43,827. | 26.45% |

Safeguard: Application Controls

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Destruction | $5,055,028. | $4,549,525. | 10.00% |

Safeguard: Classification Markings

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Disclosure | $5,813. | $3,459. | 40.50% |

Safeguard: Contract Specifications

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Destruction | $5,055,028. | $2,527,514. | 50.00% |
| Data Disclosure | $5,813. | $2,861. | 50.78% |
| Data Integrity Loss | $59,584. | $44,688. | 25.00% |

Safeguard: Detection System

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Destruction | $5,055,028. | $5,047,361. | 0.15% |
| Data Disclosure | $5,813. | $5,372. | 7.59% |
| Data Integrity Loss | $59,584. | $53,251. | 10.63% |

Safeguard: Data Encryption

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|

Safeguard: Life Cycle Management

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Integrity Loss | $59,584. | $59,238. | 0.58% |

Safeguard: Passwords/Authentication

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Disclosure | $5,813. | $5,740. | 1.26% |

Safeguard: Personnel Clearances

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Destruction | $5,055,028. | $5,050,854. | 0.08% |
| Data Disclosure | $5,813. | $4,337. | 25.39% |
| Data Integrity Loss | $59,584. | $56,505. | 5.17% |

Safeguard: Personnel Control

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Disclosure | $5,813. | $5,749. | 1.10% |
| Data Integrity Loss | $59,584. | $59,563. | 0.04% |

Safeguard: Quality Assurance

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Integrity Loss | $59,584. | $53,627. | 10.00% |

Safeguard: Risk Analysis

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Destruction | $5,055,028. | $5,049,525. | 0.11% |
| Data Disclosure | $5,813. | $5,232. | 9.99% |
| Data Integrity Loss | $59,584. | $54,977. | 7.73% |

Safeguard: Security Policy

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Destruction | $5,055,028. | $4,796,256. | 5.12% |
| Data Disclosure | $5,813. | $4,703. | 19.10% |
| Data Integrity Loss | $59,584. | $52,058. | 12.63% |

The following is a table indicating, for each safeguard, the ALE before (Original ALE) and after the safeguard is implemented (ALE with Safeguard). This table also indicates the difference between the two ALE values.
Also shown is a bar chart that provides a visual presentation of the difference in ALE for each safeguard.

| Safeguard | Original ALE | ALE with Safeguard | Difference |
|---|---|---|---|
| Physical Access Control | $31,445,536. | $31,409,712. | $35,824. |
| Application Controls | $31,445,536. | $30,940,033. | $505,503. |
| Classification Markings | $31,445,536. | $31,443,182. | $2,354. |
| Contract Specifications | $31,445,536. | $31,445,536. | $0. |
| Data Encryption | $31,445,536. | $28,900,174. | $2,545,362. |
| Detection System | $31,445,536. | $31,431,094. | $14,442. |
| Life Cycle Management | $31,445,536. | $31,445,189. | $347. |
| Passwords/Authentication | $31,445,536. | $31,445,463. | $73. |
| Personnel Clearances | $31,445,536. | $31,436,806. | $8,730. |
| Personnel Control | $31,445,536. | $31,445,451. | $85. |
| Quality Assurance | $31,445,536. | $31,439,578. | $5,958. |
| Risk Analysis | $31,445,536. | $31,434,844. | $10,692. |
| Security Policy | $31,445,536. | $31,178,127. | $267,409. |

[Bar chart: Difference in ALE (Dollars) for each safeguard: Data Encryption 2,545,362; Application Controls 505,503; Security Policy 267,409; Physical Access Control 35,824; Detection System 14,442; Risk Analysis 10,692; Personnel Clearances 8,730; Quality Assurance 5,958; Classification Markings 2,354; Life Cycle Management 347; Personnel Control 85; Passwords/Authentication 73.]

Instructions for preparing Final Reports.
In Phase 4, there are many different reports that can be generated. To facilitate the assembly of these smaller specialized reports into a single "Final Report" for submission to management, provision is made to attach the name of each selected report file (each is a .WRI file) to a list that is made available to the analyst at the end of the reporting phase, Phase 4.
A couple of points must be kept in mind when the final report is assembled; it is assumed that a word processor will be used to prepare the Final Report and the following are tasks and ideas that are within the purview of most word processors:
1. On the parameter screen in Phase 1, you indicated that the sensitivity level of the system being analyzed is 1. Because reports that deal with a system must bear markings that indicate that the report is of a similar level of sensitivity, you are warned that the word processor used in the assembly process must also be used to indicate, as both Headers and Footers, this level of sensitivity on EVERY page;
2. There is no provision in the RiskWatch system for the title page or pages that come before paragraphs, sections, or diagrams. The analyst wishing these must provide them himself using the facilities of the word processor employed;
3. The ordering of sections is left to the discretion of the analyst - some people prefer to have the Executive Summary as the very first section, even preceding the Table of Contents, while others may wish to have their Table of Contents immediately following the Cover page;
4. Because of the strong possibility that different enterprises will opt to assemble different pieces (sub-reports) into their respective Final Reports, the Table of Contents for the Final Report is left to the analyst, using the power of a modern word processor.
5. In the text provided by RiskWatch as part of the reports that embody the results of the analysis and the initial data, there are several sections that are enclosed in triple square brackets (that is, [[[ and ]]]). All text that is between these brackets is given SOLELY as a guide to suggested text to surround the numbers that form the basis of the reports. The text serves no other purpose. Please replace this text with other text that is more appropriate to your enterprise.
Recommendations
II. Recommendations
[[[One hundred seventy]]] vulnerabilities were identified which, if not corrected, could result in considerable loss to SpecOrg.
Immediate steps which can be taken are:
[[[
• Correct the fire detection and control vulnerabilities identified during the walk-through.
• Publish and disseminate SpecOrg Disaster Recovery Plan.
• Develop a system-generated cover page for and improve the control of sensitive output listings.
• Review the security of terminals at the Parkview Building.
• Test the adequacy of current system software and user file backups.
• Remind users of the importance of backing up tape files.
• Provide additional training on and enforce existing security policies and procedures.
• Publish and disseminate a SpecOrg-wide policy on the handling of sensitive documents and develop a uniform cover sheet for these documents.
• Review SpecOrg staffing and separation of duties.
• SpecOrg System Security Officer, in coordination with SpecOrg management, should develop a Risk Management Plan to address the implementation of the safeguards with the greatest return on investment.
]]]
[[[
Twelve major safeguards (see CHAPTER IX., Applicable Safeguard Cost Benefit Analysis Summary Table) were recommended which, if implemented, would substantially reduce losses if these threats occurred or prevent the threats from occurring altogether.
SpecOrg System Security Officer should develop a Risk Management Plan in cooperation with SpecOrg management, who will make the final decision as to the selection of applicable safeguards. The Plan will identify the specific steps required to implement the selected safeguards and recommend to SpecOrg management the priority for safeguard implementation.
]]]
Safeguard Report
5.2 FULL SAFEGUARD REPORT
This report contains information about each safeguard, including a cost benefit analysis.
5.2.1 Physical Access Control
Lifetime: 3 Implementation Cost: $2,000,000. Annual Maintenance Cost: $500,000.

| Year | Benefits | Costs | Disc. Ben(0.1) | Disc. Cost(0.1) | DB-DC(0.1) |
|---|---|---|---|---|---|
| 1 | $35,824. | $2,000,000. | $32,567. | $1,818,181. | $-1,785,614. |
| 2 | $35,824. | $500,000. | $29,606. | $413,223. | $-383,616. |
| 3 | $35,824. | $500,000. | $26,915. | $375,657. | $-348,742. |

Sum of discounted benefits (0.05): $97,557.
Sum of discounted benefits (0.1): $89,088.
Sum of discounted benefits (0.15): $81,793.
Sum of discounted costs (0.05): $2,790,193.
Sum of discounted costs (0.1): $2,607,061.
Sum of discounted costs (0.15): $2,445,959.
Benefit Cost Ratio (0.05): 0.03
Benefit Cost Ratio (0.1): 0.03
Benefit Cost Ratio (0.15): 0.03
Return On Investment (0.05): 0.01
Return On Investment (0.1): 0.01
Return On Investment (0.15): 0.01
Payback period (0.05): 0
Payback period (0.1): 0
Payback period (0.15): 0

5.2.2 Application Controls
Lifetime: 3 Implementation Cost: $50,000. Annual Maintenance Cost: $50,000.

| Year | Benefits | Costs | Disc. Ben(0.1) | Disc. Cost(0.1) | DB-DC(0.1) |
|---|---|---|---|---|---|
| 1 | $505,503. | $50,000. | $459,547. | $45,454. | $414,093. |
| 2 | $505,503. | $50,000. | $417,770. | $41,322. | $376,448. |
| 3 | $505,503. | $50,000. | $379,791. | $37,565. | $342,225. |

Sum of discounted benefits (0.05): $1,376,608.
Sum of discounted benefits (0.1): $1,257,108.
Sum of discounted benefits (0.15): $1,154,175.
Sum of discounted costs (0.05): $136,161.
Sum of discounted costs (0.1): $124,341.
Sum of discounted costs (0.15): $114,160.
Benefit Cost Ratio (0.05): 10.11
Benefit Cost Ratio (0.1): 10.11
Benefit Cost Ratio (0.15): 10.11
Return On Investment (0.05): 3.37
Return On Investment (0.1): 3.37
Return On Investment (0.15): 3.37
Payback period (0.05): 1
Payback period (0.1): 1
Payback period (0.15): 1

5.2.3 Classification Markings
Lifetime: 3 Implementation Cost: $500,000. Annual Maintenance Cost: $50,000.

| Year | Benefits | Costs | Disc. Ben(0.1) | Disc. Cost(0.1) | DB-DC(0.1) |
|---|---|---|---|---|---|
| 1 | $2,354. | $500,000. | $2,140. | $454,545. | $-452,405. |
| 2 | $2,354. | $50,000. | $1,945. | $41,322. | $-39,376. |
| 3 | $2,354. | $50,000. | $1,768. | $37,565. | $-35,796. |

Sum of discounted benefits (0.05): $6,410.
Sum of discounted benefits (0.1): $5,853.
Sum of discounted benefits (0.15): $5,375.
Sum of discounted costs (0.05): $564,732.
Sum of discounted costs (0.1): $533,432.
Sum of discounted costs (0.15): $505,464.
Benefit Cost Ratio (0.05): 0.01
Benefit Cost Ratio (0.1): 0.01
Benefit Cost Ratio (0.15): 0.01
Return On Investment (0.05): 0.00
Return On Investment (0.1): 0.00
Return On Investment (0.15): 0.00
Payback period (0.05): 0
Payback period (0.1): 0
Payback period (0.15): 0

5.2.4 Contract Specifications
Lifetime: 1 Implementation Cost: $50,000. Annual Maintenance Cost: $100,000.

| Year | Benefits | Costs | Disc. Ben(0.1) | Disc. Cost(0.1) | DB-DC(0.1) |
|---|---|---|---|---|---|
| 1 | $0. | $50,000. | $0. | $45,454. | $-45,454. |

Sum of discounted benefits (0.05): $0.
Sum of discounted benefits (0.1): $0.
Sum of discounted benefits (0.15): $0.
Sum of discounted costs (0.05): $47,619.
Sum of discounted costs (0.1): $45,454.
Sum of discounted costs (0.15): $43,478.
Benefit Cost Ratio (0.05): 0.00
Benefit Cost Ratio (0.1): 0.00
Benefit Cost Ratio (0.15): 0.00
Return On Investment (0.05): 0.00
Return On Investment (0.1): 0.00
Return On Investment (0.15): 0.00
Payback period (0.05): 0
Payback period (0.1): 0
Payback period (0.15): 0

5.2.5 Data Encryption
Lifetime: 5 Implementation Cost: $500,000. Annual Maintenance Cost: $500,000.

| Year | Benefits | Costs | Disc. Ben(0.1) | Disc. Cost(0.1) | DB-DC(0.1) |
|---|---|---|---|---|---|
| 1 | $2,545,362. | $500,000. | $2,313,965. | $454,545. | $1,859,420. |
| 2 | $2,545,362. | $500,000. | $2,103,605. | $413,223. | $1,690,381. |
| 3 | $2,545,362. | $500,000. | $1,912,368. | $375,657. | $1,536,710. |
| 4 | $2,545,362. | $500,000. | $1,738,516. | $341,506. | $1,397,009. |
| 5 | $2,545,362. | $500,000. | $1,580,469. | $310,460. | $1,270,009. |

Sum of discounted benefits (0.05): $11,020,083.
Sum of discounted benefits (0.1): $9,648,923.
Sum of discounted benefits (0.15): $8,532,446.
Sum of discounted costs (0.05): $2,164,736.
Sum of discounted costs (0.1): $1,895,391.
Sum of discounted costs (0.15): $1,676,075.
Benefit Cost Ratio (0.05): 5.09
Benefit Cost Ratio (0.1): 5.09
Benefit Cost Ratio (0.15): 5.09
Return On Investment (0.05): 1.02
Return On Investment (0.1): 1.02
Return On Investment (0.15): 1.02
Payback period (0.05): 1
Payback period (0.1): 1
Payback period (0.15): 1

5.2.6 Detection System
Lifetime: 3 Implementation Cost: $1,000,000. Annual Maintenance Cost: $200,000.

| Year | Benefits | Costs | Disc. Ben(0.1) | Disc. Cost(0.1) | DB-DC(0.1) |
|---|---|---|---|---|---|
| 1 | $14,442. | $1,000,000. | $13,129. | $909,090. | $-895,961. |
| 2 | $14,442. | $200,000. | $11,935. | $165,289. | $-153,353. |
| 3 | $14,442. | $200,000. | $10,850. | $150,262. | $-139,412. |

Sum of discounted benefits (0.05): $39,328.
Sum of discounted benefits (0.1): $35,914.
Sum of discounted benefits (0.15): $32,974.
Sum of discounted costs (0.05): $1,306,552.
Sum of discounted costs (0.1): $1,224,641.
Sum of discounted costs (0.15): $1,152,296.
Benefit Cost Ratio (0.05): 0.03
Benefit Cost Ratio (0.1): 0.03
Benefit Cost Ratio (0.15): 0.03
Return On Investment (0.05): 0.01
Return On Investment (0.1): 0.01
Return On Investment (0.15): 0.01
Payback period (0.05): 0
Payback period (0.1): 0
Payback period (0.15): 0

5.2.7 Life Cycle Management
Lifetime: 1 Implementation Cost: $200,000. Annual Maintenance Cost: $0.

| Year | Benefits | Costs | Disc. Ben(0.1) | Disc. Cost(0.1) | DB-DC(0.1) |
|---|---|---|---|---|---|
| 1 | $347. | $200,000. | $315. | $181,818. | $-181,502. |

Sum of discounted benefits (0.05): $330.
Sum of discounted benefits (0.1): $315.
Sum of discounted benefits (0.15): $301.
Sum of discounted costs (0.05): $190,476.
Sum of discounted costs (0.1): $181,818.
Sum of discounted costs (0.15): $173,913.
Benefit Cost Ratio (0.05): 0.00
Benefit Cost Ratio (0.1): 0.00
Benefit Cost Ratio (0.15): 0.00
Return On Investment (0.05): 0.00
Return On Investment (0.1): 0.00
Return On Investment (0.15): 0.00
Payback period (0.05): 0
Payback period (0.1): 0
