
Introduction


1.2 Terms and Definitions

1.2.1 Annual Frequency Estimate (AFE):

The Annual Frequency Estimate (AFE) is a factor based on historical data which indicates the approximate number of times a defined threat might occur in a specific environment, system, or location in a given year.

1.2.2 Annual Loss Expectancy (ALE):

The sum of the Individual Annual Loss Expectancies (IALE) for all assets, of a specific loss type, and attributed to a specific threat.

1.2.3 Annual Loss Expectancy, Individual: Per Asset (IALE)

The Individual Annual Loss Expectancy (IALE) represents the proportion of an individual asset that could be lost as the result of a single instance of a threat event, multiplied by the Annual Frequency Estimate (AFE) of the specific threat.

1.2.4 Application Software:

A program or set of programs designed for a specific function such as payroll, accounts payable, inventory control, property management, etc. Both source code and object code ought to be considered.

1.2.5 Assets:

Assets are defined as useful or valuable possessions of the enterprise. All assets, including data, residing in a computer system can be properly identified, quantified with respect to one or more evaluative perspectives (such as replacement cost), and classified into one or more of the following distinct categories:

1.2.5a Critical Assets:

Those assets which provide direct support to the organization's ability to sustain its mission. Assets or resources are considered critical if their absence or non-availability would significantly degrade the ability of the organization to carry out its mission, and when the time that the organization can function without the asset is substantially lower than the time needed to replace the asset. Critical assets can be backed up to reduce their potential impact.

1.2.5b Financial, Controlled, Validated, Certified or Accountable Assets:

Moveable property, cash, inventories, accounting or auditing systems, and automatic money-handling software are financial or accountable. These assets are susceptible to both internal and external fraud.

This category also includes payroll, billings, supply inventories, accounts payable and receivable, other financial assets, small pilfer items, cash, consumable, negotiable instruments and services as well as automated billing systems. (Special attention is required as a result of the report by the U.S. Government Accounting Office directive entitled, "Improvements Needed in Managing Automated Decision-making by Computers Throughout the Federal Government", FGMSD-76-5, April 23, 1976.) This category includes data bases, programs, and information on which unauthorized and invalid modifications cannot be tolerated.

1.2.5c Sensitive Assets:

Includes processes and information, assets that need controlled dissemination and that are considered classified, controlled, proprietary, or private. The unauthorized disclosure and dissemination of sensitive matter can result in losses of high magnitude which are generally irrecoverable. Sensitivity is the status of importance accorded to an asset (generally data) which has been agreed upon between the person or organization furnishing the sensitive resource and the person or organization receiving it, and which describes the resource's warranted degree of protection. Privacy data is a subset or special case of sensitivity which requires protection under the Privacy Act of 1974. In this case, it is most important to have an effective liaison with each functional office maintaining personal data. The Privacy Act is very specific on the scope and requirements for data protection and the reporting of privacy data collected. Generally, losses relating to sensitive matters result from disclosure, in which

1.2.5d Supportive Assets:

These are all other justifiable, organizational assets not otherwise classified in one or more of the critical, sensitive or financial/accountable categories. For example, items like furniture, vending machines and other property that can be amortized. The loss resulting from the occurrence of a threat upon these assets is too small to warrant further consideration and development of safeguards. Therefore, these resources are excluded from the risk analysis evaluation.

1.2.6 Computer System:

The hardware consisting of CPU, memory, controller and peripherals, disc drive, tape drive(s), printer(s), etc.

1.2.7 Contingency Plan:

A plan that identifies resource schedules, procedures and documentation to be used in providing continued operating capability and support to all critical mission components in case of disaster.

1.2.8 Continuity of Operations Plan (COOP):

Same as Contingency Plan (see above).

1.2.9 Emergency Response:

Identified actions, procedures, and resources to be used in emergency situations.

1.2.10 Risk Analysis:

The application of a standardized methodology in the determination of threats, risk factors, vulnerability exposures and potential losses. Risk analysis is an approach to satisfying the need of an organization to protect the assets in which it has made an investment. It also serves to identify the particular problems an organization could expect to encounter in the performance of its mission, and the adverse effects these problems might present to the organization's ability to meet its obligations. Finally, risk management, growing out of the analysis, is a mechanism by which management can address these problems according to their relative importance based on financial analysis, and to develop safeguards which are both reasonable and cost-effective.

1.2.11 Safeguards:

Safeguards are countermeasures, specifications, or controls, consisting of actions taken to decrease the organization's existing degree of vulnerability to a given threat probability (Risk), that the threat will occur. Safeguards are put into effect to reduce the organization's potential losses and resultant impact to the mission. Safeguards are designed, implemented and maintained with the objective of minimizing losses by providing improved means of deterrence, prevention, mitigation, detection of and recovery from incidents (realizations of potential threat events). Generally, the safeguards are grouped into the following broad categories:

1.2.11a Administrative Safeguards:

This category includes all policies, procedures, guidelines, auditing checks and tabulations which are defined by management.

1.2.11b Physical Safeguards:

These are devices or mechanisms that protect assets. These include such things as door locks, terminal shielding, vaults, walls, fire suppression systems, and guards.

1.2.11c Technical Safeguards:

These are usually associated with the protection of information inside of a computer system; this category includes such items as data encryption, internal access controls, system and file passwords, recovery software, and auditing software.

1.2.12 Single Loss Expectancy Individual: Per Asset (SLEI)

The monetary value of a single specified asset, or set of assets, multiplied by its associated vulnerability exposures, which are related to a specific realized threat.

1.2.13 Single Loss Expectancy: Per Threat Occurrence (SLE)

The sum of the Single Loss Expectancies for all assets attributed to a specific realized threat. These are all losses associated with the single occurrence of a defined threat.

1.2.14 System Software:

Programs that control the operation of a computer system, generally consisting of utility programs (both source code and object code). System software refers to special application programs, whose function is the operation of a computer or one of its specialized subsystems.

1.2.15 Threat:

An event, process, activity (act), or substance, either accidental or perpetrated by one or more threat agents, which, when realized, has an adverse effect on organizational assets (possibly aggravated by existing organizational or other forms of vulnerability to that threat), resulting in losses that may be classified as:

1.2.15a direct loss;

1.2.15b related direct loss;

1.2.15c delays (in processing)/denials (of service) (acting against availability of the asset);

1.2.15d disclosure (of sensitive information); (acting against its confidentiality);

1.2.15e modification (also called contamination); (acting against its integrity);

1.2.15f intangible (acting against intangible assets)

The combination of all possible losses resulting from one occurrence of a threat is called the Single Loss Expectancy (SLE).

1.2.16 Threat Agent:

Any person or thing which acts, or has the power to act, to cause, carry out, transmit or support a threat. As stated in the threat definition, it is the case that the realization of many threats will correspondingly cause the occurrence of other threats, and therefore, many threats will themselves be threat agents.

The identification of threat agents is an important element in attempting to calculate the Annual Frequency Estimate (AFE) of a threat occurrence and then the amount of loss (ALE) of an asset. Generally, a threat can occur through more than one agent, and to properly estimate the losses and subsequent impact to the mission, the individual AFEs and ALEs associated with each agent must be separately determined. Unfortunately, the statistics are not collected based on the agent. Therefore, with current statistics, the values would be overlapping and the resulting annual loss expectancy would be greatly exaggerated.

1.2.17 Threat Probability of Occurrence with Cumulative Probability, Confidence Interval, and Standard Deviation:

Based on available statistics, the probability or annual frequency estimate is calculated with the associated level of confidence and the applicable standard deviation.

1.2.18 Vulnerability:

A vulnerability, or weakness, is the susceptibility of an asset, or a set of assets, to an increased level of loss resulting from an occurrence of a defined threat against that asset. It is a characteristic, condition, or perceived lack of a procedural method or control, associated with one or more assets or safeguards, which would result in an increased loss if a threat were to be realized. The presence of a vulnerability does not in itself result in a loss, nor does the total absence of any vulnerability necessarily ensure that a loss will not occur should the threat become realized.

1.2.19 Degree of Seriousness:

The extent (for denial/delay forms of loss), or percentage of the value of affected assets (for all other forms of loss), that would be experienced as a result of the realization of a particular threat.

1.3 Risk Analysis Methodology

The automated risk analysis program is based on a standardized methodology which has been developed through the collective experiences and expertise of security consultants and analysts that have actually performed a multitude of risk analyses.

In accordance with this methodology, members of the analysis team familiarized themselves with the physical facilities, overall organizational structure, and the integration of the data processing system into the structure of the organization. Following a study of the working relationships within the organization, a project plan was prepared. A list was made of all the organizational elements which either support or draw support from the system under analysis. Work assignments were then made for the team members to assess the threats to the data processing system.

The team then collected all readily identifiable data necessary for a quantitative risk assessment. Included were computerized lists of assets, floor plans, etc., and documentation on policies and procedures.

After the collected data was analyzed, the function of each component of the organization was identified and the mission of the organization was defined. As a result of this analysis, the critical components of the organization were discovered and analyzed in depth.

From the data collected, an organizational resource structure was identified for all assets (both tangible and intangible) used either directly or indirectly, in support of the organizational mission tasks and functions. The assets were classified according to their criticality, sensitivity, or use within the organization.

A number of questionnaire diskettes were prepared and distributed to SpecOrg and NAME employees, and to NAME and non-NAME users of SpecOrg data center to identify any vulnerabilities that may be present at the data center.

Based on an examination of the organization's related functions and assigned resources, a list of applicable threats was developed. Each threat listed could, if realized, cause a significant loss of organizational assets, and consequently, a significant loss of the ability to carry out some facet of the mission.

To analyze the vulnerabilities, an analysis was made of each asset, and the threats which could act against it. For each asset/threat/vulnerability combination, a determination was made and a numerical value was assigned which represented the actual percentage of the value of the asset which is exposed and subject to loss if the threat were to occur. Given the value of the asset and the percentage of that value exposed to each threat, a computation was made of the loss which could be expected for each occurrence of the threat - regardless of the likelihood that the threat would occur.


For each of the threats identified as applicable, the adequacy of the protection afforded by existing controls and safeguards was assessed based on responses to the RiskWatch questionnaires.

Given the nature of the threats previously identified, a determination was made (by conducting extensive research of many data bases, both automated and manual), of the threat's frequency of occurrence within any given year. The determination of these factors involved both data collected from within the organization through the questionnaire evolution, and various data bases obtained from over 100 sources by a variety of access modes, from direct online to mag-tape copies, microfiche or hard copy media. The data were then analyzed by statistical routines to obtain the mean, standard deviation, confidence interval, and dependent variables acting as maximizing factors. Multiplication of the value of each asset, times its vulnerability exposure to each threat which might affect it, resulted in the estimated loss per occurrence for the asset. This estimate was multiplied by the Annual Frequency Estimate of the threats to annualize the loss expectancies (ALE) for the asset, threat, and vulnerability combination.

The estimated loss per occurrence and the Annual Loss Expectancies attributed to the various assets affected by a given threat were summed and an analysis was made of the impact such a threat occurrence would produce. The analysis involved evaluating details relating to the physical and logical interrelationships of all the components, both within and outside the organization, which would be affected. The result of this analysis was a realistic impression of the snowball effect that the threat could produce.

The figures produced represent the total direct and indirect losses which could be anticipated by all parties, both within and associated with the organization.

A series of safeguards was then identified to address each threat with a high percentage of occurrence.

In each case, recommended additional safeguards had to be cost-effective, unless they were specifically required by law, regulation, or contractual agreement. The cost of implementing and operating the safeguard had to be less than the reduction in the ALE associated with the threats against which a safeguard was effective unless specifically required by law. Costs and savings were amortized over the lesser of the estimated safeguard, system, or facility life cycles.

Money to be spent or saved in future years was discounted to reflect its value at the present time by using discount factors based on the inflation adjusted, cost-of-capital rate of 10%.

Multiple effects -- that is, the reduction of more than one ALE, from more than one threat, by a single additional safeguard -- were evaluated by analyzing the difference in ALE of all affected threats.

After applying these analytical techniques to the costs and savings associated with each proposed additional safeguard and the ALE's which it affected, a savings figure, normalized to the present time, was obtained, to assist management in deciding whether or not to implement the recommended additional safeguard.
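The arithmetic of this section, from per-asset loss to the discounted savings figure for a safeguard, is shown below as an added example; it is not code from the report or from the RiskWatch program. Asset names, values, frequencies and costs are constructed, and two things are assumptions: cash flows fall at the end of each year, and the installation cost is paid up front without discounting.

```python
from dataclasses import dataclass

DISCOUNT_RATE = 0.10  # inflation-adjusted cost-of-capital rate given in the text


@dataclass(frozen=True)
class Exposure:
    asset: str
    value: float    # monetary value of the asset
    exposed: float  # fraction of that value exposed to the threat (0.0-1.0)


def slei(e):
    """Single Loss Expectancy, Individual: asset value times exposure."""
    return e.value * e.exposed


def sle(exposures):
    """Single Loss Expectancy: sum of SLEI over all assets hit by one occurrence."""
    return sum(slei(e) for e in exposures)


def ale(exposures, afe):
    """Annual Loss Expectancy: sum of IALE, where IALE = SLEI * AFE."""
    return sum(slei(e) * afe for e in exposures)


def present_value(yearly_amount, years, rate=DISCOUNT_RATE):
    """Discount a constant amount received at the end of each year (assumption)."""
    return sum(yearly_amount / (1 + rate) ** t for t in range(1, years + 1))


def safeguard_net_savings(ale_before, ale_after, install_cost, yearly_cost, life_cycles):
    """Savings normalized to the present for one proposed safeguard.

    ale_before / ale_after map threat name -> ALE; every threat the safeguard
    affects is included, which covers the "multiple effects" case.
    life_cycles holds the safeguard, system and facility lives in years.
    """
    years = min(life_cycles)  # amortize over the lesser life cycle
    reduction = sum(ale_before[t] - ale_after[t] for t in ale_before)
    return present_value(reduction - yearly_cost, years) - install_cost


# Constructed sample data: one threat (fire) acting on two assets.
FIRE_AFE = 0.05
FIRE_EXPOSURES = [
    Exposure("mainframe", 2_000_000, 0.50),
    Exposure("tape library", 400_000, 0.25),
]

if __name__ == "__main__":
    print("SLE (fire):", sle(FIRE_EXPOSURES))
    print("ALE (fire):", ale(FIRE_EXPOSURES, FIRE_AFE))
    net = safeguard_net_savings(
        ale_before={"fire": 55_000, "smoke": 10_000},
        ale_after={"fire": 15_000, "smoke": 4_000},
        install_cost=100_000, yearly_cost=6_000, life_cycles=(10, 5, 20),
    )
    print("Net present savings:", round(net, 2), "cost-effective:", net > 0)
```

A positive result means the safeguard costs less than the ALE reduction it buys over the shortest of the three life cycles; a negative one means it would be recommended only where law, regulation or contract requires it.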

1.4 RiskWatch Parameters and Data Analysis

RiskWatch Parameters

This section provides the parameters selected by the Risk Analysis Team and approved by the work group for use in this analysis. The information provided includes the hours and days of operation, the number of records handled, the number of users, and the questionnaire non-compliance threshold.

Name of Organization: SpecOrg
Number/Code of Organizational Unit: 1101
System to be analyzed:
How many days/week does system operate: 7
How many hours/day does system operate: 24
Down time before serious consequences: 0.00
Time to replace Minimum Function: 0.00
Number of full-time users:
Data sensitivity level: 1
Security mode: Not Applicable
Orange Book Level: Not Applicable
Maximum $$ handled: $000.
Interpret xx% or more as 100: xx = 85 (answers less than 85% were flagged as potential vulnerabilities)

Figure 3: Summary of Parameters

Data Analysis


The team began the risk analysis by preparing and distributing questionnaire diskettes to 113 individuals. Included among these individuals were SpecOrg and NAME employees, Central Office and Regional Office System Security Officers, RACF Group Administrators, and NAME and non-SpecOrg users of the DATA CENTER. Although diskettes were sent to a broad range of users, the scope of the risk analysis was limited to the DATA CENTER.

Each diskette contained 449 questions from which the respondents were instructed to select and answer questions in one or more functional areas. Each participant was instructed to indicate how each question (statement) applied or was perceived by the person on a scale of 0 (low) to 100 (high). If the question was not applicable or the person was unfamiliar with it, he or she was instructed to respond "N".

The team received 102 completed diskettes. The response diskettes were downloaded to the RiskWatch program which processed the responses to produce a list of vulnerabilities (weaknesses) which were reviewed by the risk analysis team and validated by a review team comprised of SpecOrg and NAME managers and technical experts.

Using the validated set of applicable vulnerabilities and a list of assets which was prepared by the risk analysis team and validated by the Director, NAME, the risk analysis team used the RiskWatch software to determine the applicable threats and annual loss expectancies and develop a set of recommended safeguards which, if implemented, could substantially reduce potential losses.
