MINISTRY OF EDUCATION AND SCIENCE OF RUSSIA, SAINT PETERSBURG ELECTROTECHNICAL UNIVERSITY "LETI" NAMED AFTER V.I. ULYANOV (LENIN)
Department of Information Security
REPORT on laboratory work No. 10
for the course "Fundamentals of Information Security"
Topic: Studying enterprise security assessment using the Risk Watch software
Student, group
Instructor
Saint Petersburg 2023
Introduction |
1 |
28.11.2022 17:13:00
FINAL REPORT
Risk Analysis of GC Mart
Prepared by:
[[[----------------]]]
NAME
Asst Project Manager
Risk Analysis Team

[[[------------------]]]
NAME
Senior Security Analyst
Risk Analysis Team
TABLE OF CONTENTS
I. Executive Summary
II. Recommendations
Chapter 1 - General Information
1.1 Operational Environment and System Configuration
1.1.1 The Risk Assessment Team
1.1.2 Organizational Details of GC Mart
1.1.3 Physical Plant and Physical Security
1.1.4 System Configuration
1.2 Terms and Definitions
1.3 Risk Analysis Methodology
1.4 RiskWatch Parameters and Data Analysis
Chapter 2 - Assets
2.1 Summary of Asset Categories
2.2 Assets Listed Within Category
2.2.1 Assets Within Category 1
===
2.2.N Assets Within Category N
Chapter 3 - Threats
3.1 Summary of Threats
3.2 Incidents Involving Each Threat
3.2.1 Incidents Involving Threat 1
===
3.2.N Incidents Involving Threat N
Chapter 4 - Areas of Vulnerability
4.1 Summary of Vulnerabilities
4.2 Question Report
4.2.1 Question Report For Vulnerability Area 1
===
4.2.N Question Report For Vulnerability Area N
4.3 Incidents Linked to Each Vulnerability Area
4.3.1 Incidents Linked To Vulnerability Area 1
===
4.3.N Incidents Linked To Vulnerability Area N
Chapter 5 - Safeguards
5.1 Summary of Safeguards
5.2 Cost-Benefit Analysis Report
5.2.1 Cost-Benefit Analysis Report For Safeguard 1
===
5.2.N Cost-Benefit Analysis Report For Safeguard N
5.3 Incidents Affected by Each Safeguard
5.3.1 Incidents Affected By Safeguard 1
===
5.3.N Incidents Affected By Safeguard N
Appendixes
Appendix A - Assets
Appendix B - Threats
Appendix C - Vulnerability Areas
Appendix D - Safeguards
Chapter 1 - General Introduction
The development of effective plans is a manager's most important responsibility, and the measurement of the compliance of an organization with these plans is essential. For Automated Information Systems (AIS) facilities, one of the most important categories of planning is security planning because of the catastrophic impact that a total shutdown of the AIS facility would have on the entire organization.
A quantitative risk analysis is a tool for measuring the compliance of an organization with applicable security requirements and is a standardized methodology which can be used to analyze a system or organization to identify vulnerabilities that could result in losses. This standardized methodology is based on the interrelationships of four key factors:
1. Asset
Any useful or valuable resource;
2. Vulnerability
Weakness or susceptibility of an asset or a collection of assets to losses of various kinds;
3. Threat
An event, process, or act which, when realized, has an adverse effect on one or more assets; and
4. Safeguard
Countermeasure, control, or action taken to decrease the existing level of vulnerability of an asset to one or more threats.
To facilitate the performance of the risk analysis, GC Mart acquired a risk analysis system called RiskWatch II for Windows. This PC-based software package, which is available on GSA Schedule, was originally developed for the Department of the Navy; it has been redesigned and rewritten to make it a Windows application and it is currently being used by the Department of Defense, NASA, several State and local governments, and private industry.
The scope of the risk analysis was limited to GC Mart and threats arising from its environment including all telecommunications links to GC Mart. The purpose of the risk analysis was to identify the vulnerability of the assets of GC Mart to a variety of threats and to recommend safeguards which could reduce or eliminate the vulnerability of GC Mart to these threats.
In some instances, applicable safeguards were 100% implemented, but were not being fully employed by the user community. As a general rule, when such noncompliance with policy within the enterprise occurs, it is frequently because there is a lack of awareness of the security issues; this may result from inadequate security training and enforcement of security requirements.
1.1 Operational Environment and System Configuration
The four sections below, numbered 1.1.1 through 1.1.4, provide detailed information about:
1. The team responsible for the management of risks within the enterprise;
2. The organizational details of the enterprise;
3. The physical plant and measures in place to ensure physical security;
4. The configuration of systems that are deemed within the scope of this analysis.
1.1.1 The Risk Assessment Team
[[[
The Risk Analysis Team for the analysis of GC Mart consisted of NAME, Project Manager; NAME, Assistant Project Manager, and NAME, Senior Security Analyst.
The following individuals provided considerable support to the project by providing advice on risk analysis and internal control review planning, meeting to discuss the progress of the risk analysis effort, and reviewing and commenting on risk analysis deliverables:
1. NAME, Office of Computer Operations
2. NAME, Office of Computer Operations
3. NAME, Office of Computer Operations
4. NAME, Office of Computer Operations
5. NAME, Office of Computer Operations
6. NAME, Office of Computer Operations
7. NAME, Office of Computer Operations
8. NAME, Office of Information Resources Management
9. NAME, Office of Information Resources Management
10. NAME, Office of Information Resources Management
11. NAME, Office of Budget and Administration
12. NAME, Office of Budget and Administration
]]]
1.1.2 Organization Details of GC Mart
Organization and Staffing
The Office of Computer Operations, which is headed by [[[NAME]]] [[[NAME]]], directs the management, operation, and maintenance of all GC Mart facilities and equipment (see organization chart immediately below). GC Mart's staffing level is [[[xx]]].
[[[
[[[NAME]]] is the current contractor for the DATA CENTER. [[[NAME]]] is the project manager for the [[[NAME Contract]]] which is responsible for performing tasks assigned by GC Mart for the operation and maintenance of GC Mart facilities (see organization chart on page 9). GC Mart and its subcontractor, [[[NAME]]], have [[[xx]]] staff assigned to this contract.
]]]
[[[
THE DATA CENTER provides data processing for GC Mart application systems, program management systems, GC Mart financial management and other administrative systems, and decision support systems supporting GC Mart policy formulation. For the approximately 7,000 statewide users, the data center processes approximately 50,000 batch jobs and 26,000 individual sessions per month, along with about 150,000 tape mounts. In addition, the data center maintains near 100% availability of the system for its users.
]]]
Figure 1: [[[ PLACE ORGANIZATION CHART HERE ]]]
1.1.3 Physical Plant and Physical Security
[[[
Data Center Building
GC Mart Data Center is a Government-owned, contractor-operated facility housed in the NAME building at ADDRESS, a 32,000+ square foot facility that consists of the following: computer equipment area, office area, uninterruptible power system area, tape library area, and warehouse.
Physical Security
The NAME Building is a single-level building of masonry construction with embedded windows around the perimeter. There are twelve (12) exterior doors leading into the facility. Two (2) doors are secured via a card key system, and ten (10) are manually locked at all times. The facility is equipped with an intrusion detection alarm system that is monitored by the local security service.
One of the two entrances controlled by the card system is located in the front of the building facing NAME Road. The other is the visitors' entrance located on the side of the building facing the parking lot. The visitors' entrance is monitored by a security guard twenty-four (24) hours a day, seven (7) days a week. The visitors' entrance card key system is in operation Monday through Friday from 6:00 P.M. to 6:00 A.M. and twenty-four (24) hours a day on weekends and holidays. Although the front door card key system is operational twenty-four (24) hours a day, seven (7) days a week, the exterior door is bolted and key locked from 6:00 P.M. to 6:00 A.M.
The computer room has four entrances. All four entrances are off a hallway that leads into a raised floor, recessed ceiling environment. Each door has a card key system with different access levels that is in operation twenty-four (24) hours a day, seven (7) days a week.
Fire Detection and Suppression
The fire detection system consists of heat detectors and ionization-type smoke detectors located above and below the suspended ceiling and under the raised floor. When an alarm sounds, a panel inside the computer room indicates which device detected the problem. The fire alarm system is also monitored by the local security service.
The building contains an automatic fire suppression system consisting of a "total-flooding, wet-pipe system" with sprinkler heads above and below the suspended ceiling.
Energy Management
The data center is environmentally controlled by twelve 20-ton Liebert air conditioning units that compensate for the generated heat load, which varies across the seasons. Heat and air conditioning are provided to office space external to the data center by roof-mounted units and an oil-fired, hot water baseboard heat system. The warehouse area is environmentally controlled by an eight-ton, roof-mounted heat pump.
Electrical power is provided by redundant feeds originating in separate commercial electric power substations. Critical electrical power is provided by two Emerson Electric automatic transfer switches and two Liebert Uninterruptible Power Systems (UPS), with 15-minute battery backup. One of the two 500 kVA UPS systems is modular in design, with a total capacity of 2,000 kVA.
Off-Site Data Storage
The data center backs up all data media storage on a daily basis. The data are then transported to the NAME off-site storage facility in ADDRESS. The NAME facility subcontract is managed by the NAME Contractor. NAME meets all Government requirements for an off-site storage facility.
Hot-Site for Disaster Recovery
GC Mart has a contract with NAME of ADDRESS for hot-site support. If a total or partial disaster occurs at the GC Mart data center and the decision is made to activate the hot site, a designated team will travel to the hot site to operate the facility in place of the GC Mart data center.
]]]
1.1.4 System Configuration
The system consists of the following (see attached floor plan):
Figure 2: [[[ Attach Floor Plan HERE ]]]
[[[
SYSTEM
- Processors: IBM 3090-500E & 600S
- Disk Storage: IBM/STK/AMDAHL
- Library Storage Modules: (6) STK 4400
- Cartridge Drives: (96) IBM/STK
- Cartridges: (200,000) 3480's
- Tape Reel Drives: (8) 6250 BPI
- Tapes: 15,000 Round Media
- Printers (Page): (1) Xerox 90 PPM
- Printers (Line): (1) IBM 2,000 LPM; (1) STK 1,500 LPM
Communications
High speed link to GC Mart, Department Information Management. Exchange System to Regional Offices, Value Added Networks to GC Mart Sites, Intermediaries, and Contractors
- IBM Information Network
- FTS 2000
]]]
