Executive Summary |
1 |
I.Executive Summary
Scope
This risk analysis was limited to GC Mart Data Center.
•[[[Minicomputers and microcomputers were included in the analysis only to the extent they posed a risk to GC Mart.]]]
Risk Analysis Steps
•Questionnaire diskettes or network sub-directories were developed containing
[[[532]]] questions covering all areas of GC Mart AIS security;
•[[[One hundred eleven]]] GC Mart employees and users of the GC Mart answered and returned the responses to the questions;
•The RiskWatch software determined GC Mart vulnerabilities based on information on diskettes;
•Identified vulnerabilities were validated by GC Mart management;
•A risk analysis report was prepared.
Key Risk Analysis Report Findings
Assets
[[[ The asset replacement cost for GC Mart is approximately $100M.
•Hardware, personnel (government and contractor), and intangibles (reputation) are the major asset categories at GC Mart.
•Important assets, such as system software, applications, and databases can be
replaced relatively inexpensively because they are backed-up.
]]]
Vulnerabilities
[[[
•The risk analysis identified 170 vulnerabilities covering twenty-two vulnerability areas.
•GC Mart is most vulnerable in five areas: (see Figure 1)
1.The labeling and control of output listings.
2.The security of remote terminals.
Executive Summary |
2 |
3.The level and extent of security training.
4.The level of staffing and separation of duties at the DATA CENTER.
5.The level of training for the identification of Privacy Act records and insufficient labeling of Privacy Act-related materials.
A physical survey of DATA CENTER revealed four fire detection and control vulnerabilities not identified by the questionnaire diskettes (see Chapter VII).
]]]
Threats
[[[
The four most significant threats to GC Mart on an annual basis are: (see Figure 2)
1.Data Destruction
2.Misuse of the Computer
3.Theft of Assets
4.Data integrity loss.
]]]
Safeguards
[[[
The safeguards with the greatest return on investment, which are also among the least costly safeguards, are: (see Figure 3)
1.Property Management
2.Organizational Structure
3.Visitor Control
4.Security Plan
5.Application Control
]]]
1
Asset Summary Report
CHAPTER 2. ASSETS
The GC Mart risk analysis included 12 asset categories. [[[Some of the categories were divided into more descriptive sub-categories. For example, communication consisted of three resource names (Communication Support Hardware, Communication Diagnostic Equipment, and Communication Modem/DSU).]]] The determination of categories and values of assets was accomplished through interviews with [[[NAME
and NAME personnel]]]. A review of the assets was performed by the Risk Analysis Team and GC Mart
[[[and NAME]]] management.
The asset values were determined based on the cost of replacing the particular asset. The largest replacement value was for Accounts Receivable, which is estimated at $50,000. (see Figure 4) and which constitutes 20.8% (see Figures 4 and 6) of the total value of all DATA CENTER assets. The next highest values for replacement cost were for categories Applications and Communications Hardware. The values and percentages of the whole are, respectively, $50,000., at 20.8% and $50,000. at 20.8%.
2.1SUMMARY OF ASSET CATEGORIES
The following table provides a summary of the total replacement costs for each of the asset categories considered in the analysis.
Asset Category |
Replacement Cost |
Percentage of Total |
Accounts Receivable |
$50,000. |
20.8% |
Applications |
$50,000. |
20.8% |
Communications Hardware |
$50,000. |
20.8% |
Communications Software |
$25,000. |
10.4% |
Hardware |
$25,000. |
10.4% |
Office Equipment |
$12,500. |
5.2% |
Documentation |
$10,000. |
4.2% |
Databases |
$7,500. |
3.1% |
System Software |
$7,500. |
3.1% |
Personnel |
$2,000. |
0.8% |
Accounts Payable |
$1,337. |
0.6% |
Utilities |
$0. |
0.0% |
FIGURE 4
This information is presented below as a barchart.
Accts Rec
Applicatns
Comms H/W
Comms S/W
Hardware
Off Equip
Document'n
Databases
System S/W
Personnel
Accts Pay
|
|
|
|
|
|
|
|
|
50,000 |
|
|
|
|
|
|
|
|
|
50,000 |
|
|
|
|
|
|
|
|
|
50,000 |
|
|
|
|
|
|
|
|
|
25,000 |
|
|
|
|
|
|
|
|
|
25,000 |
|
|
|
|
|
|
|
|
|
12,500 |
|
|
|
|
|
|
|
|
|
10,000 |
|
|
|
|
|
|
|
|
|
7,500 |
|
|
|
|
|
|
|
|
|
7,500 |
|
|
|
|
|
|
|
|
|
2,000 |
|
|
|
|
|
|
|
|
|
1,337 |
5 |
10 |
15 |
20 |
25 |
30 |
35 |
40 |
45 |
50 (x1,000) |
Dollars
FIGURE
5
The percentage of the total replacement cost for each category is indicated in the following diagram.
Asset Summary
Accts Rec (20.8%)
Applicatns (20.8%)
Report |
2
6 Others (11.8% )
Off Equip (5.2%)
Hardware (10.4%)
Comms S/W (10.4%)
Comms H/W (20.8%)
FIGURE 6
1
Vulnerability Report
VULNERABILITY AREA REPORT
OVERALL COMPLIANCE:
Compliance (1.4%)
Non-Compliance (98.6%)
VULNERABILITY AREA: Access Control
Compliance (5.3%)
Non-Compliance (94.7%)
VULNERABILITY AREA: Accountability
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Administration
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Data Integrity
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Disclosure
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Documentation
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Evaluation
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: |
Policy |
|
|
There is 100% |
non-compliance in this area of vulnerability. |
|
|
VULNERABILITY AREA: |
Privacy Act |
|
|
There is 100% |
non-compliance in this area of vulnerability. |
|
|
VULNERABILITY AREA: |
Reliability |
|
|
Vulnerability Report |
2 |
||
There is 100% non-compliance in this area of vulnerability.
Full Asset Report |
1 |
2.2 ASSETS WITHIN CATEGORY
Assets are identified, by category, by commonly used name; associated with each individual asset there is other related information. Depending on the asset category, other data is also provided for each asset. This will include the level of sensitivity for data, the quantity of a duplicated hardware item, etc.. When the information is available, an indication is included about the basic attribute(s) of each assets that states whether the asset is
critical (in the sense that the mission of the enterprise depends on the correct and timely functioning of this asset), or
financial (with respect to the need to control modification), or sensitive (with respect to disclosure), or supportive (non of the above).
The definition of each asset category is also provided
The monetary values assigned represent the estimated replacement or purchase cost of the asset, not its current value. For example, the recruitment cost, the training cost, and the staff salaries and benefits were used to determine personnel costs. For leased equipment, replacement cost of obtaining a new lease is used since the organization is responsible for obtaining a replacement resource.
The value of sensitive resources could be greater than the replacement value to account for the loss of future opportunity and the extent of exposure that agencies have resulting from the disclosure of data subject to the Privacy Act; awards of $1,000 to $5,000 per individual record have been assessed by the courts based on the sanctions included in the Privacy Act of 1974.
The sections below deal, in turn, with each of the asset categories included in the analysis.
2.2.1Accounts Payable
Asset |
Replacement Cost |
Percentage of Total |
RTG |
$1,337. |
100.0% |
Figure 7.1
This information about replacement costs is presented below as a barchart.
1,337 RTG 
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 (x 100) |
Dollars
Figure 8.1
2.2.2Accounts Receivable
Asset |
Replacement Cost |
Percentage of Total |
321 |
$50,000. |
100.0% |
Figure 7.2
This information about replacement costs is presented below as a barchart.
Full Asset Report
321 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
50,000 |
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
5 |
10 |
15 |
20 |
25 |
30 |
35 |
40 |
45 |
50 (x 1,000) |
||||||||||||||||
Dollars
Figure 8.2
2.2.3Applications
Asset |
Replacement Cost Percentage of Total 345 |
$50,000. |
100.0% |
2
Figure 7.3
This information about replacement costs is presented below as a barchart.
50,000 345 
5 |
10 |
15 |
20 |
25 |
30 |
35 |
40 |
45 |
50 (x 1,000) |
Dollars
Figure 8.3
2.2.4Communications Hardware
Asset |
Replacement Cost |
Percentage of Total |
|
$50,000. |
100.0% |
Figure 7.4
This information about replacement costs is presented below as a barchart.
50,000
5 |
10 |
15 |
20 |
25 |
30 |
35 |
40 |
45 |
50 (x 1,000) |
Dollars
Figure 8.4
2.2.5Communications Software
Asset |
Replacement Cost |
Percentage of Total |
EWQ |
$25,000. |
100.0% |
Full Asset Report
Figure 7.5
This information about replacement costs is presented below as a barchart.
25,000 EWQ 
25 |
50 |
75 |
100 |
125 |
150 |
175 |
200 |
225 |
250 (x 100) |
Dollars
Figure 8.5
2.2.6Databases
Asset |
Replacement Cost |
Percentage of Total |
456 |
$7,500. |
100.0% |
Figure 7.6
This information about replacement costs is presented below as a barchart.
3
7,500
456
1 |
2 |
3 |
4 |
5 |
6 |
7 (x 1,000) |
Dollars
Figure 8.6
2.2.7Documentation
Asset |
Replacement Cost |
Percentage of Total |
OI |
$10,000. |
100.0% |
Figure 7.7
This information about replacement costs is presented below as a barchart.
10,000 OI 
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 (x 1,000) |
Dollars