Introduction


Threat: Data Disclosure

Safeguard                    Original ALE    ALE w/ Safeguard
Classification Markings      $5,813.         $3,459.
Data Encryption              $5,813.         $2,861.
Detection System             $5,813.         $5,373.
Passwords/Authentication     $5,813.         $5,741.
Personnel Clearances         $5,813.         $4,337.
Personnel Control            $5,813.         $5,749.
Physical Access Control      $5,813.         $4,915.
Risk Analysis                $5,813.         $5,232.
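The table above gives only the annualized loss expectancy (ALE) before and after each safeguard. As an added example (not part of the RiskWatch report), the following Python ranks those safeguards by the annual loss they avoid; the optional per-safeguard annual cost is an assumed input, since the report does not list what each safeguard costs.

```python
from dataclasses import dataclass

# Values transcribed from the "Threat: Data Disclosure" table (dollars per year).
DATA_DISCLOSURE_ALE = {
    "Classification Markings": (5813, 3459),
    "Data Encryption": (5813, 2861),
    "Detection System": (5813, 5373),
    "Passwords/Authentication": (5813, 5741),
    "Personnel Clearances": (5813, 4337),
    "Personnel Control": (5813, 5749),
    "Physical Access Control": (5813, 4915),
    "Risk Analysis": (5813, 5232),
}

@dataclass(frozen=True)
class SafeguardResult:
    name: str
    ale_before: int
    ale_after: int
    annual_cost: int  # assumed; the report does not list safeguard costs

    @property
    def ale_reduction(self) -> int:
        # Annual loss the safeguard avoids (ALE before minus ALE after).
        return self.ale_before - self.ale_after

    @property
    def net_benefit(self) -> int:
        # Loss avoided minus yearly cost: the usual safeguard cost/benefit figure.
        return self.ale_reduction - self.annual_cost

    @property
    def reduction_pct(self) -> float:
        return round(100.0 * self.ale_reduction / self.ale_before, 1)

def rank_safeguards(table, annual_costs=None):
    """Sort safeguards by net benefit, highest first.

    annual_costs maps safeguard name -> assumed yearly cost (hypothetical input);
    a missing entry counts as 0, so with no costs the ranking is by ALE reduction alone.
    """
    annual_costs = annual_costs or {}
    results = [SafeguardResult(name, before, after, annual_costs.get(name, 0))
               for name, (before, after) in table.items()]
    return sorted(results, key=lambda r: r.net_benefit, reverse=True)

if __name__ == "__main__":
    for r in rank_safeguards(DATA_DISCLOSURE_ALE):
        print(f"{r.name:26} avoids ${r.ale_reduction:>5,}/yr ({r.reduction_pct}%)")
```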


I. Executive Summary

Scope

This risk analysis was limited to SpecOrg Data Center.

[[[Minicomputers and microcomputers were included in the analysis only to the extent they posed a risk to SpecOrg.]]]

Risk Analysis Steps

Questionnaire diskettes or network sub-directories were developed containing

[[[532]]] questions covering all areas of SpecOrg AIS security;

[[[One hundred eleven]]] SpecOrg employees and users of the SpecOrg answered and returned the responses to the questions;

The RiskWatch software determined SpecOrg vulnerabilities based on information on diskettes;

Identified vulnerabilities were validated by SpecOrg management;

A risk analysis report was prepared.

Key Risk Analysis Report Findings

Assets

 

[[[

The asset replacement cost for SpecOrg is approximately $100M.

Hardware, personnel (government and contractor), and intangibles (reputation) are the major asset categories at SpecOrg.

Important assets, such as system software, applications, and databases can be replaced relatively inexpensively because they are backed-up.

]]]

Vulnerabilities

[[[

The risk analysis identified 170 vulnerabilities covering twenty-two vulnerability areas.

SpecOrg is most vulnerable in five areas (see Figure 1):

1. The labeling and control of output listings.

2. The security of remote terminals.

3. The level and extent of security training.

4. The level of staffing and separation of duties at the DATA CENTER.

5. The level of training for the identification of Privacy Act records and insufficient labeling of Privacy Act-related materials.

A physical survey of DATA CENTER revealed four fire detection and control vulnerabilities not identified by the questionnaire diskettes (see Chapter VII).

]]]

Threats

[[[

The four most significant threats to SpecOrg on an annual basis are (see Figure 2):

1. Data Destruction

2. Misuse of the Computer

3. Theft of Assets

4. Data integrity loss.

]]]

Safeguards

[[[

The safeguards with the greatest return on investment, which are also among the least costly safeguards, are (see Figure 3):

1. Property Management

2. Organizational Structure

3. Visitor Control

4. Security Plan

5. Application Control

]]]


Asset Summary Report

CHAPTER 2. ASSETS

The SpecOrg risk analysis included 12 asset categories. [[[Some of the categories were divided into more descriptive sub-categories. For example, communication consisted of three resource names (Communication Support Hardware, Communication Diagnostic Equipment, and Communication Modem/DSU).]]] The determination of categories and values of assets was accomplished through interviews with [[[NAME and NAME personnel]]]. A review of the assets was performed by the Risk Analysis Team and SpecOrg [[[and NAME]]] management.

The asset values were determined based on the cost of replacing the particular asset. The largest replacement value was for Accounts Receivable, which is estimated at $50,000. (see Figure 4) and which constitutes 20.8% (see Figures 4 and 6) of the total value of all DATA CENTER assets. The next highest values for replacement cost were for categories Applications and Communications Hardware. The values and percentages of the whole are, respectively, $50,000. at 20.8% and $50,000. at 20.8%.

2.1 SUMMARY OF ASSET CATEGORIES

The following table provides a summary of the total replacement costs for each of the asset categories considered in the analysis.

Asset Category             Replacement Cost    Percentage of Total
Accounts Receivable        $50,000.            20.8%
Applications               $50,000.            20.8%
Communications Hardware    $50,000.            20.8%
Communications Software    $25,000.            10.4%
Hardware                   $25,000.            10.4%
Office Equipment           $12,500.            5.2%
Documentation              $10,000.            4.2%
Databases                  $7,500.             3.1%
System Software            $7,500.             3.1%
Personnel                  $2,000.             0.8%
Accounts Payable           $1,337.             0.6%
Utilities                  $0.                 0.0%

FIGURE 4

This information is presented below as a barchart.

[FIGURE 5: bar chart of replacement cost by asset category (Accts Rec, Applicatns, Comms H/W, Comms S/W, Hardware, Off Equip, Document'n, Databases, System S/W, Personnel, Accts Pay); horizontal axis: Dollars, 5 to 50 (x1,000)]

The percentage of the total replacement cost for each category is indicated in the following diagram.

[FIGURE 6: pie chart of asset replacement cost by category: Accts Rec (20.8%), Applicatns (20.8%), Comms H/W (20.8%), Comms S/W (10.4%), Hardware (10.4%), Off Equip (5.2%), 6 Others (11.8%)]


Vulnerability Report

VULNERABILITY AREA REPORT

OVERALL COMPLIANCE:

Compliance (1.4%)

Non-Compliance (98.6%)

VULNERABILITY AREA: Access Control

Compliance (5.3%)

Non-Compliance (94.7%)

VULNERABILITY AREA: Accountability

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Administration

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Data Integrity

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Disclosure

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Documentation

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Evaluation

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Policy

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Privacy Act

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Reliability

There is 100% non-compliance in this area of vulnerability.

Full Asset Report


2.2 ASSETS WITHIN CATEGORY

 

Assets are identified, by category, by commonly used name; associated with each individual asset there is other related information. Depending on the asset category, other data is also provided for each asset. This will include the level of sensitivity for data, the quantity of a duplicated hardware item, etc. When the information is available, an indication is included about the basic attribute(s) of each asset that states whether the asset is

critical (in the sense that the mission of the enterprise depends on the correct and timely functioning of this asset), or

financial (with respect to the need to control modification), or sensitive (with respect to disclosure), or supportive (none of the above).

The definition of each asset category is also provided.

The monetary values assigned represent the estimated replacement or purchase cost of the asset, not its current value. For example, the recruitment cost, the training cost, and the staff salaries and benefits were used to determine personnel costs. For leased equipment, the replacement cost of obtaining a new lease is used since the organization is responsible for obtaining a replacement resource.

The value of sensitive resources could be greater than the replacement value to account for the loss of future opportunity and the extent of exposure that agencies have resulting from the disclosure of data subject to the Privacy Act; awards of $1,000 to $5,000 per individual record have been assessed by the courts based on the sanctions included in the Privacy Act of 1974.

The sections below deal, in turn, with each of the asset categories included in the analysis.

2.2.1 Accounts Payable

Asset    Replacement Cost    Percentage of Total
RTG      $1,337.             100.0%

Figure 7.1

This information about replacement costs is presented below as a barchart.

[Figure 8.1: bar chart of replacement cost for RTG, $1,337; horizontal axis: Dollars, 1 to 13 (x 100)]

2.2.2 Accounts Receivable

Asset    Replacement Cost    Percentage of Total
321      $50,000.            100.0%

Figure 7.2

This information about replacement costs is presented below as a barchart.
