- Risk Analysis of AO “Mikron”
- Chapter 2 - Assets
- Chapter 3 - Threats
- Chapter 4 - Areas of Vulnerability
- Chapter 5 - Safeguards
- Appendixes
- Chapter 1 - General Introduction
- 1.1 Operational Environment and System Configuration
- 1.1.1 The Risk Assessment Team
- 1.1.2 Organization Details of SpecOrg
- 1.1.3 Physical Plant and Physical Security
- 1.1.4 System Configuration
- 1.2 Terms and Definitions
- 1.3 Risk Analysis Methodology
- 1.4 RiskWatch Parameters and Data Analysis
- Scope
- Risk Analysis Steps
- Key Risk Analysis Report Findings
Introduction |
16 |
1.4 RiskWatch Parameters and Data Analysis
RiskWatch Parameters
This section provides the parameters selected by the Risk Analysis Team and approved by the work group for use in this analysis. The information provided includes the hours and days of operation, the number of records handled, the number of users, and the questionnaire non-compliance threshold.
Name of Organization: SpecOrg
Number/Code of Organizational Unit: 1101
System to be analyzed: (not given)
How many days/week does system operate: 7
How many hours/day does system operate: 24
Down time before serious consequences: 0.00
Time to replace Minimum Function: 0.00
Number of full-time users: (not given)
Data sensitivity level: 1
Security mode: Not Applicable
Orange Book Level: Not Applicable
Maximum $$ handled: $000.
Interpret xx% or more as 100: xx = 85 (answers less than 85% were flagged as potential vulnerabilities)
Figure 3: Summary of Parameters
Data Analysis
[[[
The team began the risk analysis by preparing and distributing questionnaire diskettes to 113 individuals. Included among these individuals were SpecOrg and NAME employees, Central Office and Regional Office System Security Officers, RACF Group Administrators, and NAME and non-SpecOrg users of the DATA CENTER. Although diskettes were sent to a broad range of users, the scope of the risk analysis was limited to the DATA CENTER.
Each diskette contained 449 questions from which the respondents were instructed to select and answer questions in one or more functional areas. Each participant was instructed to indicate how each question (statement) applied or was perceived by the person on a scale of 0 (low) to 100 (high). If the question was not applicable or the person was unfamiliar with it, he or she was instructed to respond "N".
The team received 102 completed diskettes. The response diskettes were downloaded to the RiskWatch program which processed the responses to produce a list of vulnerabilities (weaknesses) which were reviewed by the risk analysis team and validated by a review team comprised of SpecOrg and NAME managers and technical experts.
Using the validated set of applicable vulnerabilities and a list of assets which was prepared by the risk analysis team and validated by the Director, NAME, the risk analysis team used the RiskWatch software to determine the applicable threats and annual loss expectancies and develop a set of recommended safeguards which, if implemented, could substantially reduce potential losses.
]]]
Threat: Data Disclosure
Safeguard                | Original ALE | ALE w/ Safeguard
Classification Markings  | $5,813.      | $3,459.
Data Encryption          | $5,813.      | $2,861.
Detection System         | $5,813.      | $5,373.
Passwords/Authentication | $5,813.      | $5,741.
Personnel Clearances     | $5,813.      | $4,337.
Personnel Control        | $5,813.      | $5,749.
Physical Access Control  | $5,813.      | $4,915.
Risk Analysis            | $5,813.      | $5,232.
I. Executive Summary
Scope
This risk analysis was limited to SpecOrg Data Center.
[[[Minicomputers and microcomputers were included in the analysis only to the extent they posed a risk to SpecOrg.]]]
Risk Analysis Steps
1. Questionnaire diskettes or network sub-directories were developed containing [[[532]]] questions covering all areas of SpecOrg AIS security;
2. [[[One hundred eleven]]] SpecOrg employees and users of the SpecOrg answered and returned the responses to the questions;
3. The RiskWatch software determined SpecOrg vulnerabilities based on information on diskettes;
4. Identified vulnerabilities were validated by SpecOrg management;
5. A risk analysis report was prepared.
Key Risk Analysis Report Findings
Assets
[[[
The asset replacement cost for SpecOrg is approximately $100M.
Hardware, personnel (government and contractor), and intangibles (reputation) are the major asset categories at SpecOrg.
Important assets, such as system software, applications, and databases can be replaced relatively inexpensively because they are backed-up.
]]]
Vulnerabilities
[[[
The risk analysis identified 170 vulnerabilities covering twenty-two vulnerability areas.
SpecOrg is most vulnerable in five areas: (see Figure 1)
1. The labeling and control of output listings.
2. The security of remote terminals.
3. The level and extent of security training.
4. The level of staffing and separation of duties at the DATA CENTER.
5. The level of training for the identification of Privacy Act records and insufficient labeling of Privacy Act-related materials.
A physical survey of DATA CENTER revealed four fire detection and control vulnerabilities not identified by the questionnaire diskettes (see Chapter VII).
]]]
Threats
[[[
The four most significant threats to SpecOrg on an annual basis are: (see Figure 2)
1. Data Destruction
2. Misuse of the Computer
3. Theft of Assets
4. Data Integrity Loss
]]]
Safeguards
[[[
The safeguards with the greatest return on investment, which are also among the least costly safeguards, are: (see Figure 3)
1. Property Management
2. Organizational Structure
3. Visitor Control
4. Security Plan
5. Application Control
]]]
CHAPTER 2. ASSETS
The SpecOrg risk analysis included 12 asset categories. [[[Some of the categories were divided into more descriptive sub-categories. For example, communication consisted of three resource names (Communication Support Hardware, Communication Diagnostic Equipment, and Communication Modem/DSU).]]] The determination of categories and values of assets was accomplished through interviews with [[[NAME and NAME personnel]]]. A review of the assets was performed by the Risk Analysis Team and SpecOrg [[[and NAME]]] management.
The asset values were determined based on the cost of replacing the particular asset. The largest replacement value was for Accounts Receivable, which is estimated at $50,000. (see Figure 4) and which constitutes 20.8% (see Figures 4 and 6) of the total value of all DATA CENTER assets. The next highest values for replacement cost were for categories Applications and Communications Hardware. The values and percentages of the whole are, respectively, $50,000., at 20.8% and $50,000. at 20.8%.
2.1 SUMMARY OF ASSET CATEGORIES
The following table provides a summary of the total replacement costs for each of the asset categories considered in the analysis.
Asset Category          | Replacement Cost | Percentage of Total
Accounts Receivable     | $50,000.         | 20.8%
Applications            | $50,000.         | 20.8%
Communications Hardware | $50,000.         | 20.8%
Communications Software | $25,000.         | 10.4%
Hardware                | $25,000.         | 10.4%
Office Equipment        | $12,500.         | 5.2%
Documentation           | $10,000.         | 4.2%
Databases               | $7,500.          | 3.1%
System Software         | $7,500.          | 3.1%
Personnel               | $2,000.          | 0.8%
Accounts Payable        | $1,337.          | 0.6%
Utilities               | $0.              | 0.0%
FIGURE 4
This information is presented below as a barchart.
[FIGURE 5: barchart of replacement cost by asset category, Dollars (x 1,000): Accts Rec 50,000; Applicatns 50,000; Comms H/W 50,000; Comms S/W 25,000; Hardware 25,000; Off Equip 12,500; Document'n 10,000; Databases 7,500; System S/W 7,500; Personnel 2,000; Accts Pay 1,337]
The percentage of the total replacement cost for each category is indicated in the following diagram.
[FIGURE 6: piechart of percentage of total replacement cost: Accts Rec 20.8%; Applicatns 20.8%; Comms H/W 20.8%; Hardware 10.4%; Comms S/W 10.4%; Off Equip 5.2%; 6 Others 11.8%]
VULNERABILITY AREA REPORT
OVERALL COMPLIANCE:
Compliance (1.4%)
Non-Compliance (98.6%)
VULNERABILITY AREA: Access Control
Compliance (5.3%)
Non-Compliance (94.7%)
VULNERABILITY AREA: Accountability
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Administration
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Data Integrity
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Disclosure
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Documentation
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Evaluation
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Policy
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Privacy Act
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Reliability
There is 100% non-compliance in this area of vulnerability.
2.2 ASSETS WITHIN CATEGORY
Assets are identified, by category, by commonly used name; associated with each individual asset there is other related information. Depending on the asset category, other data is also provided for each asset. This will include the level of sensitivity for data, the quantity of a duplicated hardware item, etc. When the information is available, an indication is included about the basic attribute(s) of each asset that states whether the asset is
- critical (in the sense that the mission of the enterprise depends on the correct and timely functioning of this asset), or
- financial (with respect to the need to control modification), or
- sensitive (with respect to disclosure), or
- supportive (none of the above).
The definition of each asset category is also provided.
The monetary values assigned represent the estimated replacement or purchase cost of the asset, not its current value. For example, the recruitment cost, the training cost, and the staff salaries and benefits were used to determine personnel costs. For leased equipment, replacement cost of obtaining a new lease is used since the organization is responsible for obtaining a replacement resource.
The value of sensitive resources could be greater than the replacement value to account for the loss of future opportunity and the extent of exposure that agencies have resulting from the disclosure of data subject to the Privacy Act; awards of $1,000 to $5,000 per individual record have been assessed by the courts based on the sanctions included in the Privacy Act of 1974.
The sections below deal, in turn, with each of the asset categories included in the analysis.
2.2.1 Accounts Payable
Asset | Replacement Cost | Percentage of Total
RTG   | $1,337.          | 100.0%
Figure 7.1
This information about replacement costs is presented below as a barchart.
[Figure 8.1: barchart (RTG: 1,337 Dollars, axis x 100)]
2.2.2 Accounts Receivable
Asset | Replacement Cost | Percentage of Total
321   | $50,000.         | 100.0%
Figure 7.2
This information about replacement costs is presented below as a barchart.
[Figure 8.2: barchart (321: 50,000 Dollars, axis x 1,000)]
2.2.3 Applications
Asset | Replacement Cost | Percentage of Total
345   | $50,000.         | 100.0%
Figure 7.3
This information about replacement costs is presented below as a barchart.
[Figure 8.3: barchart (345: 50,000 Dollars, axis x 1,000)]
2.2.4 Communications Hardware
Asset       | Replacement Cost | Percentage of Total
(not named) | $50,000.         | 100.0%
Figure 7.4
This information about replacement costs is presented below as a barchart.
[Figure 8.4: barchart (50,000 Dollars, axis x 1,000)]
2.2.5 Communications Software
Asset | Replacement Cost | Percentage of Total
EWQ   | $25,000.         | 100.0%
Figure 7.5
This information about replacement costs is presented below as a barchart.
[Figure 8.5: barchart (EWQ: 25,000 Dollars, axis x 100)]
2.2.6 Databases
Asset | Replacement Cost | Percentage of Total
456   | $7,500.          | 100.0%
Figure 7.6
This information about replacement costs is presented below as a barchart.
[Figure 8.6: barchart (456: 7,500 Dollars, axis x 1,000)]
2.2.7 Documentation
Asset | Replacement Cost | Percentage of Total
OI    | $10,000.         | 100.0%
Figure 7.7
This information about replacement costs is presented below as a barchart.
[Figure 8.7: barchart (OI: 10,000 Dollars, axis x 1,000)]
2.2.8 Hardware
Asset | Replacement Cost | Percentage of Total
HARD  | $25,000.         | 100.0%
Figure 7.8
This information about replacement costs is presented below as a barchart.
[Figure 8.8: barchart (HARD: 25,000 Dollars, axis x 100)]
2.2.9 Office Equipment
Asset | Replacement Cost | Percentage of Total
QWE   | $7,500.          | 60.0%
QWE   | $5,000.          | 40.0%
Figure 7.9
This information about replacement costs is presented below as a barchart.
[Figure 8.9: barchart (QWE: 7,500; QWE: 5,000 Dollars, axis x 1,000)]
The percentage of the total replacement cost for this category that is contributed by each asset is indicated in the following diagram.
[Figure 9.9: piechart (QWE 60.0%; QWE 40.0%)]
2.2.10 Personnel
Asset | Replacement Cost | Percentage of Total
PERS  | $2,000.          | 100.0%
Figure 7.10
This information about replacement costs is presented below as a barchart.
[Figure 8.10: barchart (PERS: 2,000 Dollars, axis x 10)]
2.2.11 System Software
Asset        | Replacement Cost | Percentage of Total
HELPMEPLEASE | $7,500.          | 100.0%
Figure 7.11
This information about replacement costs is presented below as a barchart.
[Figure 8.11: barchart (HELPMEPLEASE: 7,500 Dollars, axis x 1,000)]
2.2.12 Utilities
Asset | Replacement Cost | Percentage of Total
42    | $0.              | 0.0%
42    | $0.              | 0.0%
Figure 7.12
3.2 INCIDENTS INVOLVING EACH THREAT
Each incident is defined as a triple of the form <threat, loss category, asset category>. Defining incidents this way makes it possible to separate the various forms of loss that a given threat may cause to the enterprise as the result of acting on the same asset category.
The sections below look at each threat and indicate the various incidents that were associated with it in the analysis. For each incident, a table is presented (FIGURES 13.1, 13.2, ...) indicating its SLE and ALE (where the ALE is generated by multiplying the SLE for the incident by the AFE of the threat). The overall ALE for a threat is the sum of the ALEs for each of the associated incidents. This is shown as the total of the third column. The percentage of this total represented by the ALE for each incident is indicated in the fourth column.
Also shown for each threat is a barchart that provides a visual presentation of the relative magnitudes of the ALE for each incident. These are shown as FIGURES 14.1, 14.2, ....
Piecharts are then also provided that indicate the percentage of each threat ALE that is accounted for by each incident that is used in its calculation.
3.2.1 Blackmail - AFE: 0.05
The various incident classes associated with this threat are shown in the following table:
Incident Class         | SLE  | ALE | % of total ALE
Direct Loss, Personnel | $20. | $1. | 0.0%
Figure 13.1
[Figure 16.1 Blackmail - SLE's: barchart (Direct, Personnel: 20 Dollars)]
3.2.2 Budget Loss - AFE: 0.50
The various incident classes associated with this threat are shown in the following table:
Incident Class        | SLE      | ALE      | % of total ALE
Disclosure, Databases | $25,000. | $12,500. | 100.0%
Figure 13.2
[Figure 14.2 Budget Loss - ALE's: barchart (Disclosure, Databases: 12,500 Dollars, axis x 1,000)]
[Figure 16.2 Budget Loss - SLE's: barchart (Disclosure, Databases, axis Dollars x 100)]
3.2.3 Cold/Frost/Snow - AFE: 5.00
The various incident classes associated with this threat are shown in the following table:
Incident Class        | SLE      | ALE      | % of total ALE
Disclosure, Databases | $12,500. | $62,500. | 100.0%
Figure 13.3
[Figure 14.3 Cold/Frost/Snow - ALE's: barchart (Disclosure, Databases: 62,500 Dollars, axis x 1,000)]
[Figure 16.3 Cold/Frost/Snow - SLE's: barchart (Disclosure, Databases: 12,500 Dollars, axis x 1,000)]
3.2.4 Data Destruction - AFE: 20.00
The various incident classes associated with this threat are shown in the following table:
Incident Class         | SLE       | ALE         | % of total ALE
Disclosure, Databases  | $250,000. | $5,000,000. | 98.9%
Direct Loss, Databases | $2,751.   | $55,027.    | 1.1%
Figure 13.4
[Figure 14.4 Data Destruction - ALE's: barchart (Disclosure, Databases: 5,000,000; Direct, Databases: 55,027 Dollars)]
[Figure 15.4 Data Destruction - ALE's: piechart (Disclosure, Databases 98.9%; Direct, Databases 1.1%)]
[Figure 16.4 Data Destruction - SLE's: barchart (Disclosure, Databases: 250,000; Direct, Databases: 2,751 Dollars)]
3.2.5 Data Disclosure - AFE: 3.00
The various incident classes associated with this threat are shown in the following table:
Incident Class        | SLE     | ALE     | % of total ALE
Disclosure, Databases | $1,938. | $5,813. | 100.0%
Figure 13.5
[Figure 14.5 Data Disclosure - ALE's: barchart (Disclosure, Databases: 5,813 Dollars, axis x 100)]
[Figure 16.5 Data Disclosure - SLE's: barchart (Disclosure, Databases: 1,938 Dollars, axis x 10)]
3.2.6 Data Integrity Loss - AFE: 3.00
The various incident classes associated with this threat are shown in the following table:
Incident Class                       | SLE     | ALE      | % of total ALE
Direct Loss, Accounts Receivable     | $5,526. | $16,576. | 27.8%
Direct Loss, Applications            | $5,507. | $16,523. | 27.7%
Disclosure, Personnel                | $4,500. | $13,500. | 22.7%
Direct Loss, Communications Software | $2,723. | $8,171.  | 13.7%
Direct Loss, System Software         | $817.   | $2,451.  | 4.1%
Direct Loss, Databases               | $640.   | $1,921.  | 3.2%
Direct Loss, Accounts Payable        | $147.   | $443.    | 0.7%
Disclosure, Databases                | $0.     | $0.      | 0.0%
Figure 13.6
[Figure 14.6 Data Integrity Loss - ALE's: barchart (Direct, Accts Rec: 16,576; Direct, Applicatns: 16,523; Disclosure, Personnel: 13,500; Direct, Comms S/W: 8,171; Direct, System S/W: 2,451; Direct, Databases: 1,921; Direct, Accts Pay: 443 Dollars)]
[Figure 15.6 Data Integrity Loss - ALE's: piechart (Direct, Accts Rec 27.8%; Direct, Applicatns 27.7%; Disclosure, Personnel 22.7%; Direct, Comms S/W 13.7%; 4 Others 8.1%)]
[Figure 16.6 Data Integrity Loss - SLE's: barchart (Direct, Accts Rec: 5,526; Direct, Applicatns: 5,507; Disclosure, Personnel: 4,500; Direct, Comms S/W: 2,723; Direct, System S/W: 817; Direct, Databases: 640; Direct, Accts Pay: 147 Dollars)]
3.2.7 Flooding/Water Damage - AFE: 0.01
The various incident classes associated with this threat are shown in the following table:
Incident Class                       | SLE      | ALE   | % of total ALE
Direct Loss, Communications Hardware | $10,001. | $100. | 93.5%
Direct Loss, Office Equipment        | $625.    | $6.   | 5.8%
Disclosure, Databases                | $250.    | $3.   | 2.3%
Figure 13.7
[Figure 14.7 Flooding/Water Damage - ALE's: barchart (Direct, Comms H/W: 100; Direct, Off Equip: 6; Disclosure, Databases: 3 Dollars)]
[Figure 15.7 Flooding/Water Damage - ALE's: piechart (Direct, Comms H/W 91.7%; Direct, Off Equip 5.5%; Disclosure, Databases 2.8%)]
[Figure 16.7 Flooding/Water Damage - SLE's: barchart (Direct, Comms H/W: 10,001; Direct, Off Equip: 625; Disclosure, Databases: 250 Dollars)]
3.2.8 Hardware Failure - AFE: 70.00
The various incident classes associated with this threat are shown in the following table:
Incident Class        | SLE       | ALE          | % of total ALE
Direct Loss, Hardware | $375,000. | $26,250,000. | 100.0%
Disclosure, Databases | $0.       | $0.          | 0.0%
Figure 13.8
[Figure 14.8 Hardware Failure - ALE's: barchart (Direct, Hardware: 26,250,000 Dollars, axis x 100,000)]
[Figure 16.8 Hardware Failure - SLE's: barchart (Direct, Hardware, axis Dollars x 10,000)]
3.2.9 Pirating Key Personnel - AFE: 1.00
The various incident classes associated with this threat are shown in the following table: There are no incidents associated with this threat.
The section below looks at each safeguard and indicates, for each threat, the ALE before and after the safeguard is implemented. The overall ALE for a threat is the sum of the ALEs for each of the associated incidents. The percentage by which the ALE is reduced by the safeguard is also indicated.
The next section contains a table indicating, for each safeguard, the ALE before (Original ALE) and after the safeguard is implemented.
Safeguard: Physical Access Control
Threat              | Original ALE | ALE with Safeguard | Percentage Drop
Data Destruction    | $5,055,028.  | $5,035,861.        | 0.38%
Data Disclosure     | $5,813.      | $4,915.            | 15.45%
Data Integrity Loss | $59,584.     | $43,827.           | 26.45%
Safeguard: Application Controls
Threat              | Original ALE | ALE with Safeguard | Percentage Drop
Data Destruction    | $5,055,028.  | $4,549,525.        | 10.00%
Safeguard: Classification Markings
Threat              | Original ALE | ALE with Safeguard | Percentage Drop
Data Disclosure     | $5,813.      | $3,459.            | 40.50%
Safeguard: Contract Specifications
Threat              | Original ALE | ALE with Safeguard | Percentage Drop
Safeguard: Data Encryption
Threat              | Original ALE | ALE with Safeguard | Percentage Drop
Data Destruction    | $5,055,028.  | $2,527,514.        | 50.00%
Data Disclosure     | $5,813.      | $2,861.            | 50.78%
Data Integrity Loss | $59,584.     | $44,688.           | 25.00%
Safeguard: Detection System
Threat              | Original ALE | ALE with Safeguard | Percentage Drop
Data Destruction    | $5,055,028.  | $5,047,361.        | 0.15%
Data Disclosure     | $5,813.      | $5,372.            | 7.59%
Data Integrity Loss | $59,584.     | $53,251.           | 10.63%
Safeguard: Life Cycle Management
Threat              | Original ALE | ALE with Safeguard | Percentage Drop
Data Integrity Loss | $59,584.     | $59,238.           | 0.58%
Safeguard: Passwords/Authentication
Threat              | Original ALE | ALE with Safeguard | Percentage Drop
Data Disclosure     | $5,813.      | $5,740.            | 1.26%
Safeguard: Personnel Clearances
Threat              | Original ALE | ALE with Safeguard | Percentage Drop
Data Destruction    | $5,055,028.  | $5,050,854.        | 0.08%
Data Disclosure     | $5,813.      | $4,337.            | 25.39%
Data Integrity Loss | $59,584.     | $56,505.           | 5.17%
Safeguard: Personnel Control
Threat              | Original ALE | ALE with Safeguard | Percentage Drop
Data Disclosure     | $5,813.      | $5,749.            | 1.10%
Data Integrity Loss | $59,584.     | $59,563.           | 0.04%
Safeguard: Quality Assurance
Threat              | Original ALE | ALE with Safeguard | Percentage Drop
Data Integrity Loss | $59,584.     | $53,627.           | 10.00%
Safeguard: Risk Analysis
Threat              | Original ALE | ALE with Safeguard | Percentage Drop
Data Destruction    | $5,055,028.  | $5,049,525.        | 0.11%
Data Disclosure     | $5,813.      | $5,232.            | 9.99%
Data Integrity Loss | $59,584.     | $54,977.           | 7.73%
Safeguard: Security Policy
Threat              | Original ALE | ALE with Safeguard | Percentage Drop
Data Destruction    | $5,055,028.  | $4,796,256.        | 5.12%
Data Disclosure     | $5,813.      | $4,703.            | 19.10%
Data Integrity Loss | $59,584.     | $52,058.           | 12.63%
The following is a table indicating, for each safeguard, the ALE before (Original ALE) and after the safeguard is implemented (ALE with Safeguard). This table also indicates the difference between the two ALE values.
Also shown is a barchart that provides a visual presentation of the difference in ALE for each safeguard.
Safeguard                | Original ALE  | ALE with Safeguard | Difference
Physical Access Control  | $31,445,536.  | $31,409,712.       | $35,824.
Application Controls     | $31,445,536.  | $30,940,033.       | $505,503.
Classification Markings  | $31,445,536.  | $31,443,182.       | $2,354.
Contract Specifications  | $31,445,536.  | $31,445,536.       | $0.
Data Encryption          | $31,445,536.  | $28,900,174.       | $2,545,362.
Detection System         | $31,445,536.  | $31,431,094.       | $14,442.
Life Cycle Management    | $31,445,536.  | $31,445,189.       | $347.
Passwords/Authentication | $31,445,536.  | $31,445,463.       | $73.
Personnel Clearances     | $31,445,536.  | $31,436,806.       | $8,730.
Personnel Control        | $31,445,536.  | $31,445,451.       | $85.
Quality Assurance        | $31,445,536.  | $31,439,578.       | $5,958.
Risk Analysis            | $31,445,536.  | $31,434,844.       | $10,692.
Security Policy          | $31,445,536.  | $31,178,127.       | $267,409.
[Barchart of ALE difference per safeguard, Dollars: Data Encryption 2,545,362; Application Controls 505,503; Security Policy 267,409; Physical Access Control 35,824; Detection System 14,442; Risk Analysis 10,692; Personnel Clearances 8,730; Quality Assurance 5,958; Classification Markings 2,354; Life Cycle Management 347; Personnel Control 85; Passwords/Authentication 73]
Instructions for preparing Final Reports.
In Phase 4, there are many different reports that can be generated. To facilitate the assembly of these smaller specialized reports into a single "Final Report" for submission to management, provision is made to attach the name of each selected report file (each is a .WRI file) to a list that is made available to the analyst at the end of the reporting phase, Phase 4.
A couple of points must be kept in mind when the final report is assembled; it is assumed that a word processor will be used to prepare the Final Report, and the following are tasks and ideas that are within the purview of most word processors:
1. On the parameter screen in Phase 1, you indicated that the sensitivity level of the system being analyzed is 1. Because reports that deal with a system must bear markings that indicate that the report is of a similar level of sensitivity, you are warned that the word processor used in the assembly process must also be used to indicate, as both Headers and Footers, this level of sensitivity on EVERY page;
2. There is no provision in the RiskWatch system for the title page or pages that come before paragraphs, sections, or diagrams. The analyst wishing these must provide them himself using the facilities of the word processor employed;
3. The ordering of sections is left to the discretion of the analyst - some people prefer to have the Executive Summary as the very first section, even preceding the Table of Contents, while others may wish to have their Table of Contents immediately following the Cover page;
4. Because of the strong possibility that different enterprises will opt to assemble different pieces (sub-reports) into their respective Final Reports, the Table of Contents for the Final Report is left to the analyst, using the power of a modern word processor.
5. In the text provided by RiskWatch as part of the reports that embody the results of the analysis and the initial data, there are several sections that are enclosed in triple square brackets (that is, [[[ and ]]] ). All text that is between these brackets is given SOLELY as a guide to suggested text to surround the numbers that form the basis of the reports. The text serves no other purpose. Please replace this text with other text that is more appropriate to your enterprise.
II. Recommendations
[[[One hundred seventy]]] vulnerabilities were identified which, if not corrected, could result in considerable loss to SpecOrg.
Immediate steps which can be taken are:
[[[
Correct the fire detection and control vulnerabilities identified during the walk-through.
Publish and disseminate SpecOrg Disaster Recovery Plan.
Develop a system-generated cover page for and improve the control of sensitive output listings.
Review the security of terminals at the Parkview Building.
Test the adequacy of current system software and user file backups.
Remind users of the importance of backing up tape files.
Provide additional training on and enforce existing security policies and procedures.
Publish and disseminate a SpecOrg-wide policy on the handling of sensitive documents and develop a uniform cover sheet for these documents.
Review SpecOrg staffing and separation of duties.
SpecOrg System Security Officer, in coordination with SpecOrg management, should develop a Risk Management Plan to address the implementation of the safeguards with the greatest return on investment.
]]]
[[[
Twelve major safeguards (see CHAPTER IX., Applicable Safeguard Cost Benefit Analysis Summary Table) were recommended which, if implemented, would substantially reduce losses if these threats occurred or prevent the threats from occurring altogether.
SpecOrg System Security Officer should develop a Risk Management Plan in cooperation with SpecOrg management, who will make the final decision as to the selection of applicable safeguards. The Plan will identify the specific steps required to implement the selected safeguards and recommend to SpecOrg management the priority for safeguard implementation.
]]]
5.2 FULL SAFEGUARD REPORT
This report contains information about each safeguard, including a cost benefit analysis.
5.2.1 Physical Access Control
Lifetime: 3 Implementation Cost: $2,000,000. Annual Maintenance Cost: $500,000.
Year | Benefits | Costs       | Disc. Ben(0.1) | Disc. Cost(0.1) | DB-DC(0.1)
1    | $35,824. | $2,000,000. | $32,567.       | $1,818,181.     | $-1,785,614.
2    | $35,824. | $500,000.   | $29,606.       | $413,223.       | $-383,616.
3    | $35,824. | $500,000.   | $26,915.       | $375,657.       | $-348,742.
Sum of discounted benefits (0.05): $97,557. Sum of discounted benefits (0.1): $89,088. Sum of discounted benefits (0.15): $81,793. Sum of discounted costs (0.05): $2,790,193. Sum of discounted costs (0.1): $2,607,061. Sum of discounted costs (0.15): $2,445,959. Benefit Cost Ratio (0.05): 0.03
Benefit Cost Ratio (0.1): 0.03
Benefit Cost Ratio (0.15): 0.03
Return On Investment (0.05): 0.01
Return On Investment (0.1): 0.01
Return On Investment (0.15): 0.01
Payback period (0.05): 0
Payback period (0.1): 0
Payback period (0.15): 0
5.2.2 Application Controls
Lifetime: 3 Implementation Cost: $50,000. Annual Maintenance Cost: $50,000.
Year | Benefits | Costs | Disc. Ben(0.1) | Disc. Cost(0.1) | DB-DC(0.1)
1 | $505,503. | $50,000. | $459,547. | $45,454. | $414,093.
2 | $505,503. | $50,000. | $417,770. | $41,322. | $376,448.
3 | $505,503. | $50,000. | $379,791. | $37,565. | $342,225.
Sum of discounted benefits (0.05): $1,376,608. Sum of discounted benefits (0.1): $1,257,108. Sum of discounted benefits (0.15): $1,154,175.
Sum of discounted costs (0.05): $136,161. Sum of discounted costs (0.1): $124,341. Sum of discounted costs (0.15): $114,160.
Benefit Cost Ratio (0.05): 10.11
Benefit Cost Ratio (0.1): 10.11
Benefit Cost Ratio (0.15): 10.11
Return On Investment (0.05): 3.37
Return On Investment (0.1): 3.37
Return On Investment (0.15): 3.37
Payback period (0.05): 1
Payback period (0.1): 1
Payback period (0.15): 1
5.2.3 Classification Markings
Lifetime: 3 Implementation Cost: $500,000. Annual Maintenance Cost: $50,000.
Year | Benefits | Costs | Disc. Ben(0.1) | Disc. Cost(0.1) | DB-DC(0.1)
1 | $2,354. | $500,000. | $2,140. | $454,545. | $-452,405.
2 | $2,354. | $50,000. | $1,945. | $41,322. | $-39,376.
3 | $2,354. | $50,000. | $1,768. | $37,565. | $-35,796.
Sum of discounted benefits (0.05): $6,410. Sum of discounted benefits (0.1): $5,853. Sum of discounted benefits (0.15): $5,375.
Sum of discounted costs (0.05): $564,732. Sum of discounted costs (0.1): $533,432. Sum of discounted costs (0.15): $505,464.
Benefit Cost Ratio (0.05): 0.01
Benefit Cost Ratio (0.1): 0.01
Benefit Cost Ratio (0.15): 0.01
Return On Investment (0.05): 0.00
Return On Investment (0.1): 0.00
Return On Investment (0.15): 0.00
Payback period (0.05): 0
Payback period (0.1): 0
Payback period (0.15): 0
5.2.4 Contract Specifications
Lifetime: 1 Implementation Cost: $50,000. Annual Maintenance Cost: $100,000.
Year | Benefits | Costs | Disc. Ben(0.1) | Disc. Cost(0.1) | DB-DC(0.1)
1 | $0. | $50,000. | $0. | $45,454. | $-45,454.
Sum of discounted benefits (0.05): $0. Sum of discounted benefits (0.1): $0. Sum of discounted benefits (0.15): $0.
Sum of discounted costs (0.05): $47,619. Sum of discounted costs (0.1): $45,454. Sum of discounted costs (0.15): $43,478.
Benefit Cost Ratio (0.05): 0.00
Benefit Cost Ratio (0.1): 0.00
Benefit Cost Ratio (0.15): 0.00
Return On Investment (0.05): 0.00
Return On Investment (0.1): 0.00
Return On Investment (0.15): 0.00
Payback period (0.05): 0
Payback period (0.1): 0
Payback period (0.15): 0
5.2.5 Data Encryption
Lifetime: 5 Implementation Cost: $500,000. Annual Maintenance Cost: $500,000.
Year | Benefits | Costs | Disc. Ben(0.1) | Disc. Cost(0.1) | DB-DC(0.1)
1 | $2,545,362. | $500,000. | $2,313,965. | $454,545. | $1,859,420.
2 | $2,545,362. | $500,000. | $2,103,605. | $413,223. | $1,690,381.
3 | $2,545,362. | $500,000. | $1,912,368. | $375,657. | $1,536,710.
4 | $2,545,362. | $500,000. | $1,738,516. | $341,506. | $1,397,009.
5 | $2,545,362. | $500,000. | $1,580,469. | $310,460. | $1,270,009.
Sum of discounted benefits (0.05): $11,020,083. Sum of discounted benefits (0.1): $9,648,923. Sum of discounted benefits (0.15): $8,532,446.
Sum of discounted costs (0.05): $2,164,736. Sum of discounted costs (0.1): $1,895,391. Sum of discounted costs (0.15): $1,676,075.
Benefit Cost Ratio (0.05): 5.09
Benefit Cost Ratio (0.1): 5.09
Benefit Cost Ratio (0.15): 5.09
Return On Investment (0.05): 1.02
Return On Investment (0.1): 1.02
Return On Investment (0.15): 1.02
Payback period (0.05): 1
Payback period (0.1): 1
Payback period (0.15): 1
5.2.6 Detection System
Lifetime: 3 Implementation Cost: $1,000,000. Annual Maintenance Cost: $200,000.
Year | Benefits | Costs | Disc. Ben(0.1) | Disc. Cost(0.1) | DB-DC(0.1)
1 | $14,442. | $1,000,000. | $13,129. | $909,090. | $-895,961.
2 | $14,442. | $200,000. | $11,935. | $165,289. | $-153,353.
3 | $14,442. | $200,000. | $10,850. | $150,262. | $-139,412.
Sum of discounted benefits (0.05): $39,328. Sum of discounted benefits (0.1): $35,914. Sum of discounted benefits (0.15): $32,974.
Sum of discounted costs (0.05): $1,306,552. Sum of discounted costs (0.1): $1,224,641. Sum of discounted costs (0.15): $1,152,296.
Benefit Cost Ratio (0.05): 0.03
Benefit Cost Ratio (0.1): 0.03
Benefit Cost Ratio (0.15): 0.03
Return On Investment (0.05): 0.01
Return On Investment (0.1): 0.01
Return On Investment (0.15): 0.01
Payback period (0.05): 0
Payback period (0.1): 0
Payback period (0.15): 0
5.2.7 Life Cycle Management
Lifetime: 1 Implementation Cost: $200,000. Annual Maintenance Cost: $0.
Year | Benefits | Costs | Disc. Ben(0.1) | Disc. Cost(0.1) | DB-DC(0.1)
1 | $347. | $200,000. | $315. | $181,818. | $-181,502.
Sum of discounted benefits (0.05): $330. Sum of discounted benefits (0.1): $315. Sum of discounted benefits (0.15): $301.
Sum of discounted costs (0.05): $190,476. Sum of discounted costs (0.1): $181,818. Sum of discounted costs (0.15): $173,913.
Benefit Cost Ratio (0.05): 0.00
Benefit Cost Ratio (0.1): 0.00
Benefit Cost Ratio (0.15): 0.00
Return On Investment (0.05): 0.00
Return On Investment (0.1): 0.00
Return On Investment (0.15): 0.00
Payback period (0.05): 0
Payback period (0.1): 0
Payback period (0.15): 0
5.2.8 Passwords/Authentication
Lifetime: 5 Implementation Cost: $40,000. Annual Maintenance Cost: $200,000.
Year | Benefits | Costs | Disc. Ben(0.1) | Disc. Cost(0.1) | DB-DC(0.1)
1 | $73. | $40,000. | $66. | $36,363. | $-36,297.
2 | $73. | $200,000. | $60. | $165,289. | $-165,228.
3 | $73. | $200,000. | $54. | $150,262. | $-150,208.
4 | $73. | $200,000. | $49. | $136,602. | $-136,552.
5 | $73. | $200,000. | $45. | $124,184. | $-124,138.
Sum of discounted benefits (0.05): $313. Sum of discounted benefits (0.1): $274. Sum of discounted benefits (0.15): $242.
Sum of discounted costs (0.05): $713,512. Sum of discounted costs (0.1): $612,700. Sum of discounted costs (0.15): $531,298.
Benefit Cost Ratio (0.05): 0.00
Benefit Cost Ratio (0.1): 0.00
Benefit Cost Ratio (0.15): 0.00
Return On Investment (0.05): 0.00
Return On Investment (0.1): 0.00
Return On Investment (0.15): 0.00
Payback period (0.05): 0
Payback period (0.1): 0
Payback period (0.15): 0
5.2.9 Personnel Clearances
Lifetime: 1 Implementation Cost: $50,000. Annual Maintenance Cost: $100,000.
Year | Benefits | Costs | Disc. Ben(0.1) | Disc. Cost(0.1) | DB-DC(0.1)
1 | $8,730. | $50,000. | $7,936. | $45,454. | $-37,518.
Sum of discounted benefits (0.05): $8,314. Sum of discounted benefits (0.1): $7,936. Sum of discounted benefits (0.15): $7,591.
Sum of discounted costs (0.05): $47,619. Sum of discounted costs (0.1): $45,454. Sum of discounted costs (0.15): $43,478.
Benefit Cost Ratio (0.05): 0.17
Benefit Cost Ratio (0.1): 0.17
Benefit Cost Ratio (0.15): 0.17
Return On Investment (0.05): 0.17
Return On Investment (0.1): 0.17
Return On Investment (0.15): 0.17
Payback period (0.05): 0
Payback period (0.1): 0
Payback period (0.15): 0
5.2.10 Personnel Control
Lifetime: 3 Implementation Cost: $200,000. Annual Maintenance Cost: $100,000.
Year | Benefits | Costs | Disc. Ben(0.1) | Disc. Cost(0.1) | DB-DC(0.1)
1 | $85. | $200,000. | $77. | $181,818. | $-181,740.
2 | $85. | $100,000. | $70. | $82,644. | $-82,574.
3 | $85. | $100,000. | $63. | $75,131. | $-75,067.
Sum of discounted benefits (0.05): $230. Sum of discounted benefits (0.1): $210. Sum of discounted benefits (0.15): $192.
Sum of discounted costs (0.05): $367,561. Sum of discounted costs (0.1): $339,593. Sum of discounted costs (0.15): $315,278.
Benefit Cost Ratio (0.05): 0.00
Benefit Cost Ratio (0.1): 0.00
Benefit Cost Ratio (0.15): 0.00
Return On Investment (0.05): 0.00
Return On Investment (0.1): 0.00
Return On Investment (0.15): 0.00
Payback period (0.05): 0
Payback period (0.1): 0
Payback period (0.15): 0
5.2.11 Quality Assurance
Lifetime: 5 Implementation Cost: $400,000. Annual Maintenance Cost: $300,000.
Year | Benefits | Costs | Disc. Ben(0.1) | Disc. Cost(0.1) | DB-DC(0.1)
1 | $5,959. | $400,000. | $5,416. | $363,636. | $-358,219.
2 | $5,959. | $300,000. | $4,924. | $247,933. | $-243,009.
3 | $5,959. | $300,000. | $4,476. | $225,394. | $-220,917.
4 | $5,959. | $300,000. | $4,069. | $204,904. | $-200,834.
5 | $5,959. | $300,000. | $3,699. | $186,276. | $-182,576.
Sum of discounted benefits (0.05): $25,795. Sum of discounted benefits (0.1): $22,584. Sum of discounted benefits (0.15): $19,971.
Sum of discounted costs (0.05): $1,394,078. Sum of discounted costs (0.1): $1,228,143. Sum of discounted costs (0.15): $1,092,601.
Benefit Cost Ratio (0.05): 0.02
Benefit Cost Ratio (0.1): 0.02
Benefit Cost Ratio (0.15): 0.02
Return On Investment (0.05): 0.00
Return On Investment (0.1): 0.00
Return On Investment (0.15): 0.00
Payback period (0.05): 0
Payback period (0.1): 0
Payback period (0.15): 0
5.2.12 Risk Analysis
Lifetime: 3 Implementation Cost: $100,000. Annual Maintenance Cost: $30,000.
Year | Benefits | Costs | Disc. Ben(0.1) | Disc. Cost(0.1) | DB-DC(0.1)
1 | $10,693. | $100,000. | $9,720. | $90,909. | $-81,188.
2 | $10,693. | $30,000. | $8,836. | $24,793. | $-15,956.
3 | $10,693. | $30,000. | $8,033. | $22,539. | $-14,505.
Sum of discounted benefits (0.05): $29,117. Sum of discounted benefits (0.1): $26,589. Sum of discounted benefits (0.15): $24,412.
Sum of discounted costs (0.05): $148,363. Sum of discounted costs (0.1): $138,241. Sum of discounted costs (0.15): $129,365.
Benefit Cost Ratio (0.05): 0.20
Benefit Cost Ratio (0.1): 0.19
Benefit Cost Ratio (0.15): 0.19
Return On Investment (0.05): 0.07
Return On Investment (0.1): 0.06
Return On Investment (0.15): 0.06
Payback period (0.05): 0
Payback period (0.1): 0
Payback period (0.15): 0
5.2.13 Security Policy
Lifetime: 3 Implementation Cost: $70,000. Annual Maintenance Cost: $40,000.
Year | Benefits | Costs | Disc. Ben(0.1) | Disc. Cost(0.1) | DB-DC(0.1)
1 | $267,409. | $70,000. | $243,099. | $63,636. | $179,462.
2 | $267,409. | $40,000. | $220,999. | $33,057. | $187,941.
3 | $267,409. | $40,000. | $200,908. | $30,052. | $170,855.
Sum of discounted benefits (0.05): $728,219. Sum of discounted benefits (0.1): $665,006. Sum of discounted benefits (0.15): $610,553.
Sum of discounted costs (0.05): $137,500. Sum of discounted costs (0.1): $126,745. Sum of discounted costs (0.15): $117,414.
Benefit Cost Ratio (0.05): 5.30
Benefit Cost Ratio (0.1): 5.25
Benefit Cost Ratio (0.15): 5.20
Return On Investment (0.05): 1.77
Return On Investment (0.1): 1.75
Return On Investment (0.15): 1.73
Payback period (0.05): 1
Payback period (0.1): 1
Payback period (0.15): 1
Here is a summary of the Return on Investment (ROI) for each safeguard.
Safeguard | ROI(10%) | Percentage of Total
Application Controls | 3.37 | 52.6%
Security Policy | 1.75 | 27.3%
Data Encryption | 1.02 | 15.9%
Personnel Clearances | 0.17 | 2.7%
Risk Analysis | 0.06 | 1.0%
Physical Access Control | 0.01 | 0.2%
Detection System | 0.01 | 0.2%
Quality Assurance | 0.00 | 0.1%
Classification Markings | 0.00 | 0.1%
Life Cycle Management | 0.00 | 0.0%
Personnel Control | 0.00 | 0.0%
Passwords/Authentication | 0.00 | 0.0%
Contract Specifications | 0.00 | 0.0%
[Bar chart: Return On Investment (ROI) by safeguard, calculated in order of the 10 highest ROIs; bars labelled for Application Controls, Security Policy and Data Encryption.]
Cost Benefit Report |
1 |
CHAPTER 5. SAFEGUARDS
The analysis recommends a total of [[[ thirty-six (36) ]]] safeguards out of a possible 42 for use (at the AIS).
Figures 16 through 18 reflect the total cost of each safeguard for the life cycle of the safeguard.
It is generally taken that safeguards can fall into three categories:
(1) those that prevent incidents;
(2) those that permit the timely detection of incidents that were not prevented;
(3) those that aid in the recovery process after an incident has occurred.
The goal of a safeguard is to reduce the Annual Loss Expectancy (ALE) of one or more incidents, thereby reducing the overall ALE for the enterprise. This reduction is calculated by noticing that various safeguards impact the overall system in different ways. Three different forms of impact have been noted:
(1) the reduction in certain evaluative parameters for assets (for example, the (recovery) safeguard of Insurance can reduce the Replacement Cost of all assets covered by the insurance);
(2) the reduction in the level of vulnerability in certain areas (for example, the (preventative) safeguard of Data Encryption can significantly reduce the vulnerability called Disclosure (or Data Disclosure); the (detective) safeguard of Monitor System can act to lessen the difficulty that can arise from the slowly degrading Reliability of hardware components);
(3) the reduction in the frequency of a threat (or threat event) (for example, the safeguard called Training is expected to reduce the frequency of the threat of Errors).
Not only is a safeguard intended to reduce ALE, but it must do so in a cost-effective way. RiskWatch II for Windows considers all possible safeguards and their impact on the overall system. For each, in turn, a full Cost-Benefit Analysis (CBA) is performed.
This analysis uses the reduction in ALE, expected annually, as the benefit and the initial and maintenance costs over the lifetime of the safeguard as the cost, and considers three different possible discount rates of 5, 10 and 15% to permit the calculation of the net present value of all projected figures.
In the tables below, three figures, one for each discount rate, are provided for each safeguard:
(1) the ratio of Total Benefits over Total Costs;
(2) the annualized Rate of Return on Investment obtained by dividing this ratio by the number of years involved;
(3) the Pay-back Period - the year in which accumulating benefits overtake the (initially greater) accumulating costs.
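The arithmetic just described, as an added example that is not part of the report or of RiskWatch: a small Python model that takes a safeguard's lifetime, initial cost, annual maintenance cost and annual ALE reduction, discounts each year of life, and returns the benefit/cost ratio, the annualized ROI and the payback year, then ranks safeguards as the ROI summary table does. It assumes, from the 5.2 tables, that the year-1 cost is the implementation cost, that later years carry the maintenance cost, and that each discounted figure is truncated to whole dollars; with those assumptions it reproduces the 10% columns of the Security Policy and Physical Access Control tables.

```python
"""RiskWatch-style safeguard cost-benefit arithmetic (added example, not the tool's code)."""
from dataclasses import dataclass
from math import floor


@dataclass(frozen=True)
class Safeguard:
    name: str
    lifetime: int          # years the safeguard is assumed to stay in service
    initial_cost: float    # implementation cost, charged in year 1 only
    maint_cost: float      # annual maintenance cost, charged in years 2..lifetime
    annual_benefit: float  # reduction in ALE credited to the safeguard, per year


def yearly_rows(sg: Safeguard, rate: float) -> list:
    """One row per year of life: (year, benefit, cost, disc_benefit, disc_cost, net).

    Assumption: each discounted figure is truncated to whole dollars before it is
    summed. With that rule the 10% cost columns of the report's tables are reproduced
    exactly; the benefit columns match to within a dollar because the report's annual
    benefits are themselves rounded ALE reductions.
    """
    rows = []
    for year in range(1, sg.lifetime + 1):
        cost = sg.initial_cost if year == 1 else sg.maint_cost
        factor = (1.0 + rate) ** year            # present-value divisor for this year
        disc_ben = floor(sg.annual_benefit / factor)
        disc_cost = floor(cost / factor)
        rows.append((year, sg.annual_benefit, cost, disc_ben, disc_cost, disc_ben - disc_cost))
    return rows


def cost_benefit(sg: Safeguard, rate: float) -> dict:
    """Sums, benefit/cost ratio, annualized ROI and payback year at one discount rate."""
    rows = yearly_rows(sg, rate)
    sum_db = sum(r[3] for r in rows)
    sum_dc = sum(r[4] for r in rows)
    bc_ratio = sum_db / sum_dc if sum_dc else 0.0
    roi = bc_ratio / sg.lifetime                 # the report divides B/C by the lifetime
    # Payback: first year in which cumulative discounted benefits overtake cumulative
    # discounted costs; 0 when that never happens inside the lifetime.
    payback, cum_b, cum_c = 0, 0, 0
    for year, _, _, db, dc, _ in rows:
        cum_b += db
        cum_c += dc
        if cum_b > cum_c:
            payback = year
            break
    return {"rows": rows, "sum_db": sum_db, "sum_dc": sum_dc,
            "bc_ratio": round(bc_ratio, 2), "roi": round(roi, 2), "payback": payback}


def roi_ranking(safeguards: list, rate: float = 0.10) -> list:
    """Rank safeguards by annualized ROI and give each one's share of the total ROI,
    as in the report's 'Percentage of Total' column."""
    scored = [(sg.name, cost_benefit(sg, rate)["roi"]) for sg in safeguards]
    total = sum(roi for _, roi in scored)
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(name, roi, round(100.0 * roi / total, 1) if total else 0.0)
            for name, roi in scored]


# Inputs taken from the report's own 5.2 tables (lifetime, costs, annual benefit).
SECURITY_POLICY = Safeguard("Security Policy", 3, 70_000, 40_000, 267_409)
APPLICATION_CONTROLS = Safeguard("Application Controls", 3, 50_000, 50_000, 505_503)
PHYSICAL_ACCESS_CONTROL = Safeguard("Physical Access Control", 3, 2_000_000, 500_000, 35_824)


if __name__ == "__main__":
    for rate in (0.05, 0.10, 0.15):
        result = cost_benefit(SECURITY_POLICY, rate)
        print(f"Security Policy @ {rate:.0%}: B/C {result['bc_ratio']}, "
              f"ROI {result['roi']}, payback year {result['payback']}")
    ranking = roi_ranking([SECURITY_POLICY, APPLICATION_CONTROLS, PHYSICAL_ACCESS_CONTROL])
    for name, roi, share in ranking:
        print(f"{name:24s} ROI {roi:5.2f}  {share:5.1f}% of total")
```

The 5% and 15% sums in the report differ from this model by a dollar or two on some safeguards, which is consistent with the tool carrying more precision in its annual benefits than the tables print.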
The degree to which each safeguard may already be implemented can be derived from the responses to the questions, in each area of vulnerability, that pertain to a particular safeguard.
5.1 SUMMARY OF SAFEGUARDS
The tables below show information about each of the safeguards considered by RiskWatch. They are sorted on the basis of the annualized Rate of Return on Investment (ROI) using a discount rate of 10%.
The twelve numeric columns are, respectively,
1. the lifetime of the safeguard in years (Lifetime)
2. the initial cost (Initial Cost)
3. the annual maintenance cost (Maint. Cost)
4. the Basic Ratio of Total Benefits to Total Costs for Discount Rate 5% (B/C-5%)
5. the Annualized ROI with Discount Rate 5% (RoI-5%)
6. the Pay-back Period with Discount Rate 5% (PP-5%)
7. the Basic Ratio of Total Benefits to Total Costs for Discount Rate 10% (B/C-10%)
8. the Annualized ROI with Discount Rate 10% (RoI-10%)
9. the Pay-back Period with Discount Rate 10% (PP-10%)
10. the Basic Ratio of Total Benefits to Total Costs for Discount Rate 15% (B/C-15%)
11. the Annualized ROI with Discount Rate 15% (RoI-15%)
12. the Pay-back Period with Discount Rate 15% (PP-15%).
Safeguards | Lifetime | Initial Cost | Maint. Cost
Application Controls | 3 | $50,000. | $50,000.
Security Policy | 3 | $70,000. | $40,000.
Data Encryption | 5 | $500,000. | $500,000.
Personnel Clearances | 1 | $50,000. | $100,000.
Risk Analysis | 3 | $100,000. | $30,000.
Physical Access Control | 3 | $2,000,000. | $500,000.
Detection System | 3 | $1,000,000. | $200,000.
Quality Assurance | 5 | $400,000. | $300,000.
Classification Markings | 3 | $500,000. | $50,000.
Life Cycle Management | 1 | $200,000. | $0.
Personnel Control | 3 | $200,000. | $100,000.
Passwords/Authentication | 5 | $40,000. | $200,000.
Contract Specifications | 1 | $50,000. | $100,000.
Safeguards | B/C-5% | ROI-5% | PP-5%
Application Controls | 10.11 | 3.37 | 1
Security Policy | 5.30 | 1.77 | 1
Data Encryption | 5.09 | 1.02 | 1
Personnel Clearances | 0.17 | 0.17 | 0
Risk Analysis | 0.20 | 0.07 | 0
Physical Access Control | 0.03 | 0.01 | 0
Detection System | 0.03 | 0.01 | 0
Quality Assurance | 0.02 | 0.00 | 0
Classification Markings | 0.01 | 0.00 | 0
Life Cycle Management | 0.00 | 0.00 | 0
Personnel Control | 0.00 | 0.00 | 0
Passwords/Authentication | 0.00 | 0.00 | 0
Contract Specifications | 0.00 | 0.00 | 0
Safeguards | B/C-10% | ROI-10% | PP-10%
Application Controls | 10.11 | 3.37 | 1
Security Policy | 5.25 | 1.75 | 1
Data Encryption | 5.09 | 1.02 | 1
Personnel Clearances | 0.17 | 0.17 | 0
Risk Analysis | 0.19 | 0.06 | 0
Physical Access Control | 0.03 | 0.01 | 0
Detection System | 0.03 | 0.01 | 0
Quality Assurance | 0.02 | 0.00 | 0
Classification Markings | 0.01 | 0.00 | 0
Life Cycle Management | 0.00 | 0.00 | 0
Personnel Control | 0.00 | 0.00 | 0
Passwords/Authentication | 0.00 | 0.00 | 0
Contract Specifications | 0.00 | 0.00 | 0
Safeguards | B/C-15% | ROI-15% | PP-15%
Application Controls | 10.11 | 3.37 | 1
Security Policy | 5.20 | 1.73 | 1
Data Encryption | 5.09 | 1.02 | 1
Personnel Clearances | 0.17 | 0.17 | 0
Risk Analysis | 0.19 | 0.06 | 0
Physical Access Control | 0.03 | 0.01 | 0
Detection System | 0.03 | 0.01 | 0
Quality Assurance | 0.02 | 0.00 | 0
Classification Markings | 0.01 | 0.00 | 0
Life Cycle Management | 0.00 | 0.00 | 0
Personnel Control | 0.00 | 0.00 | 0
Passwords/Authentication | 0.00 | 0.00 | 0
Contract Specifications | 0.00 | 0.00 | 0
The following table shows the safeguards with the 10 greatest Return on Investment (ROI-10%). Also shown are the Initial and Maintenance Costs of those safeguards. Following the table are bar charts and pie charts of the costs.
Safeguards | ROI-10% | Initial Cost | Maint. Cost
Application Controls | 3.37 | $50,000. | $50,000.
Security Policy | 1.75 | $70,000. | $40,000.
Data Encryption | 1.02 | $500,000. | $500,000.
Personnel Clearances | 0.17 | $50,000. | $100,000.
Risk Analysis | 0.06 | $100,000. | $30,000.
Physical Access Control | 0.01 | $2,000,000. | $500,000.
Detection System | 0.01 | $1,000,000. | $200,000.
Quality Assurance | 0.00 | $400,000. | $300,000.
Classification Markings | 0.00 | $500,000. | $50,000.
Life Cycle Management | 0.00 | $200,000. | $0.
INITIAL COSTS
[Bar charts: initial cost in dollars of each of the 10 safeguards above. Pie chart of initial cost shares: Physical Access Control (41.1%), Detection System (20.5%), Data Encryption (10.3%), Classification Markings (10.3%), Quality Assurance (8.2%), Life Cycle Management (4.1%), Risk Analysis (2.1%), Security Policy (1.4%), Application Controls (1.0%), Personnel Clearances (1.0%).]
MAINTENANCE COSTS
[Bar chart: annual maintenance cost in dollars of each of the 10 safeguards above. Pie chart of maintenance cost shares: Physical Access Control (28.2%), Data Encryption (28.2%), Quality Assurance (16.9%), Detection System (11.3%), Personnel Clearances (5.6%), Classification Markings (2.8%), Application Controls (2.8%), Security Policy (2.3%), Risk Analysis (1.7%).]
|
|
|
|
|
|
|
|
500,000 |
|||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
Data |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
300,000 |
|||||||
Encryption Quality |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
200,000 |
||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||||
Assurance Detection |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
100,000 |
|||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||
Syst em Personnel |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
50,000 |
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||
Clearances |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
50,000 |
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||
Application Cont rols |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
40,000 |
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||
Classification |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
30,000 |
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||||
Markings |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||
Security |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||
Policy Risk |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||
Analysis |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||
5 |
10 |
15 |
20 |
25 |
30 |
35 |
40 |
45 |
50 (x 10,000) |
||||||||||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Dollars |
|
|
|
|
|
|
|
|
|
|
||
Risk Analysis (1.7%)
Security Policy (2.3%) Classification Markings (2.8%)
Physical Access Control (28.2%) Application Cont rols (2.8%) Personnel Clearances (5.6%) Detection System (11.3%)
Quality Assurance (16.9%)
Data Encryption (28.2%)
SAFEGUARD DEFINITIONS
ACCESS CONTROL - The Access Control safeguard refers to the existence of a verifiable and coordinated access control system. The system can range from simple (key lock systems) to complex (cypher/key card identification systems).
APPLICATION CONTROL STANDARDS - Application control refers to a specific system of controls designed by a team of internal auditors to ensure that universal programming standards,
Cost Benefit Report |
6 |
data element dictionaries and record association conventions are maintained.
AUDIT TRAILS - The safeguard of Audit Trails refers to the organization having a fully implemented audit trail capability so that it is simple to track which user was accessing any system at any point in time.
CLASSIFICATION MARKING - The safeguard of Classification Marking refers to having all media and reports containing information which is classified as Classified, Sensitive, or Privacy Act data marked on the top and bottom of each page.
Cost Benefit Report |
7 |
CONTINGENCY PLAN - The Contingency Plan is also known as a Continuity of Operations Plans (COOP), or as a Disaster Recovery Plan; and it contains a detailed blueprint of backup procedures to be followed in case of emergency disruption to the ADP facility, as well as a guide to getting the programs operational as quickly as possible.
CONTRACT SPECIFICATIONS - The Contract Specification safeguard refers to the practice of requiring each contractor to include as a formal contract deliverable, a plan for including appropriate security controls, addressing of pertinent threats, and possible loss quantification.
DATA ENCRYPTION - This safeguard involves the application of encipherment techniques to one or more datasets or to data traveling over communications systems.
DETECTION SYSTEM - The Detection System safeguard refers to having a coordinated fire detection/access control violation system which will alert the proper authorities to smoke, heat, water, humidity fluctuations, grounding problems, as well as monitoring any attempt at unauthorized access.
DOCUMENTATION - The Documentation safeguard refers to the need for the organization to provide backup documentation for every file, program, and process; including providing hard copies retained in a safe location.
ELECTRICAL POWER CONDITIONING - The Electrical Power Conditioning safeguard refers to the establishment of a stable sources of electrical power, including a consideration of a source of uninterruptable power, backup generators, as well as consideration of phasebalancing to prevent power fluctuations.
EMERGENCY RESPONSE - The emergency response safeguard deals with a having a detailed guide of how the organization can continue to operate in the event of large scale emergencies, such as chemical spills, civil disobedience, or nuclear mishaps.
FILE/PROGRAM CONTROL - The safeguard of File/Program Control refers to the practice of establishing a system of access controls and authorizations for programs and files based on "need to know".
FIRE SUPPRESSION SYSTEM - The Fire Suppression safeguard refers to the appropriate combination of water and CO2 which should be installed in any ADP facility.
GROUNDING SYSTEM - The Grounding System safeguard refers to provision for proper
Cost Benefit Report |
|
8 |
electrical grounding for all equipment, |
|
|
including lightning arrestors; |
a separate |
|
grounding system for all signal cables. |
For |
|
sites processing classified information, a local low resistance ground is required.
INSURANCE - Insurance policies should be considered as a safeguard for situations where other types of safeguards may not be currently available or cost-effective. Financial institutions should consider bonding insurance for key personnel.
LIFE CYCLE MANAGEMENT - The safeguard of Life Cycle Management refers to the adoption of a formal, written plan for all systems, including security and audit controls, This plan should address general management, personnel, organizational, system design, data center management, and computer applications controls.
MATERIAL SEGREGATION - The Material Segregation safeguard refers to the procedure of separating Classified, Sensitive and Privacy Act data from all other material in order to guard against inadvertent disclosure.
Cost Benefit Report |
9 |
MONITOR SYSTEM - The Monitoring System safeguard refers to having an effective system in place which covers checking of remote sites, critical components, operational status of various programs and applications as well as sensitive operational areas.
NEW CONSTRUCTION - The New Construction safeguard covers a variety of considerations which should be reviewed for any new facility. These include, but are not limited to, use of fire retardant and low combustion building materials, use of floor-to-ceiling walls, automatic vent closures, inside hinges on doors and windows, and proper drainage.
OFFICE OF PRIMARY RESPONSIBILITY (OPR) - An Office of Primary Responsibility (OPR) should be
designated for each data base, data file, and removable media containing data or programs, The OPR designation is necessary to ensure integrity of data files and accuracy of their contents.
OPERATING PROCEDURES - The safeguard of operating procedures refers to having a monitoring program in place in order to determine the effectiveness and efficiency of the system's operating procedures, as well as a method of monitoring that these procedures are continuously upgraded.
ORGANIZATIONAL STRUCTURE - Organizational structure refers to the safeguard of having the organization not only staffed, but also responsive to the need for redundancy of critical job functions and that the necessary guidelines are in place to ensure functional separation of duties.
PASSWORDS - The safeguard of Passwords refers to the organization having an effective policy of user passwords which should be fully implemented for every system.
PERSONNEL CLEARANCE - The Personnel Clearance safeguard refers to having an organizational policy governing personnel clearance in which each individual must have a security clearance of equal or greater classification than the highest level of data processed in the system they are accessing. This safeguard also includes background investigation of all employees.
PERSONNEL CONTROL - The safeguard of Personnel Control refers to the organization having proper procedures for automatic background checks, authority based on "need to know" criteria, as well as timely method for updating personnel records when individuals are reassigned, transferred or discharged.
PREVENTIVE MAINTENANCE - The Preventive
Cost Benefit Report |
1 |
Maintenance safeguard refers to having an effective maintenance program in place which should include all computer hardware, generators, air conditioning equipment, grounding systems, lightning arrestors, fire systems and structured components such as vent closures, floor plates, doors, etc.
PROPERTY MANAGEMENT - The Property Management safeguard refers to the organization having a comprehensive and effective program for property inventory control, allocation and accountability.
QUALITY ASSURANCE - The safeguard of Quality Assurance refers to the formal establishment of a program which will regularly monitor (and find ways to improve) programming quality, user error, communication ability, etc.
REDUNDANT POWER - The safeguard of Redundant Power refers to having a secondary independent source of electrical power to backup the primary power source.
REVIEW OF SENSITIVE APPLICATIONS - The safeguard of Review of Sensitive Applications refers to the need of the organization to conduct a formal risk assessment of each Sensitive Application program on a regular basis.
RISK ANALYSIS - The safeguard of Risk Analysis refers to the organization having recently conducted a formal risk assessment of each major system and application program.
SECURITY CLASSIFICATION - The Security Classification safeguard requires that each activity have policies in place addressing the proper classification of sensitive materials, including a receipt program, and general handling procedures for all sensitive and classified materials.
SECURITY PLAN - The Security Plan refers to the existence of a document which defines the tasks and charges of the security organization, as well as the security procedures planned for the protection of the organization.
SECURITY POLICY - Security policy refers to the existence of written, defined guidelines which dictate how the organization manages its resources and protects them from both internal and external threats.
SECURITY STAFF - The Security Staff safeguard refers to the individuals in the organization who maintain or manage security tasks; in addition to full-time security staff, this includes managers who have part-time security responsibilities for the resources they manage.
SYSTEM SECURITY TEST AND EVALUATION (SST&E) - The safeguard of SST&E (System Security Test and Evaluation) refers to the organization having a formal procedure to test each individual safeguard for effectiveness and accuracy.
SYSTEM VALIDATION - The System Validation safeguard refers to the practice of ensuring that the operating system contains only approved code; and that changes to the operating system are accounted for, are verified, and are transmitted in a secure and acknowledged mode.
TECHNICAL SURVEILLANCE - This safeguard is applicable to Classified environments and refers to a (possibly external) organization that can conduct a survey to identify potential security problems.
TEMPEST SURVEY - This safeguard is applicable to Classified environments and refers to the gathering of information, by inspection or survey, about all instrumentation and sites that store or process classified information.
TRAINING - The training safeguard refers to the organization having a written, implemented program for security training of new employees, and security awareness programs for current employees.
VISITOR CONTROL - The visitor control safeguard refers to ensuring that visitors to a facility are monitored twenty-four hours a day, that an audit trail of visitors exists and that this official record is maintained for at least two years.
WATER DRAINAGE - The Water Drainage safeguard refers to ensuring that the facility is equipped with a drainage system so that water from broken pipes, water from activated sprinkler systems or water used in fire fighting can be easily and effectively drained from the facility.
Vulnerability Distribution Report |
1 |
VULNERABILITY DISTRIBUTION REPORT
Those individual questions that indicate the largest degree of perceived vulnerability, as tallied from the responses, are shown below. Following each question is its associated area of vulnerability.
1. Sensitive information is not transmitted electronically over public communication media unless it has been appropriately encrypted or proper authentication of user is achieved?
Vulnerability Area: Disclosure
2. The requirements for the security organization are reflected in an applicable position description?
Vulnerability Area: Policy
3. The organization has a viable, verifiable system of accountability and control for all equipment and material entrusted to the organization?
Vulnerability Area: Accountability
4. The organization provides protection of staff from hostile clients?
Vulnerability Area: Policy
5. The organization has established confidentiality policy and has issued directives, guidelines and operating procedures?
Vulnerability Area: Privacy Act
6. Water detectors are located under raised floors?
Vulnerability Area: Reliability
7. Error checking software is used when performing file transfers using networks?
Vulnerability Area: Data Integrity
8. There is continuous accountability and control for all equipment and materials maintained by the organization?
Vulnerability Area: Accountability
9. The organization has a written computer security policy?
Vulnerability Area: Policy
10. Visitor Logs are always used, maintained and retained for a minimum period of two (2) years?
Vulnerability Area: Access Control
11. The facility has a source of quality electrical power so that it does not experience excessive down time as a result of power fluctuations, power reductions, brownouts, power outages and blackouts?
Vulnerability Area: Reliability
12. The placement of the system security officer within the organization has been reviewed and evaluated to ensure effective and unfiltered reporting structure?
Vulnerability Area: Policy
13. All data files are accounted for on servers or systems?
Vulnerability Area: Accountability
14. Written consent is required and identifies other networks before enabling connection or interconnection?
Vulnerability Area: Administration
15. The organization has a space formulation standard that provides adequate environment and elevates space concerns to management for review and requested modifications?
Vulnerability Area: Policy
16. Employees have sufficient and appropriate furniture, equipment and supplies to perform their job functions efficiently?
Vulnerability Area: Administration
17. When an employee gives notice of quitting, or is about to be terminated, the supervisor notifies Security as soon as the action becomes known?
Vulnerability Area: Access Control
18. There are at least two independent sources of power available to the computer system and the facility?
Vulnerability Area: Reliability
19. 3rd party security software is not used in conjunction with the network?
Vulnerability Area: Data Integrity
20. All communication lines are uniquely identified?
Vulnerability Area: Accountability
21. The organization has implemented policy and guidelines for background checks, investigations and surety programs for new applicants, system users, sensitive operations staff and for verification of contractor personnel clearances?
Vulnerability Area: Policy
22. Communication support equipment such as controllers and modems are located in secure areas?
Vulnerability Area: Access Control
23. The computer room walls, doors, windows, etc., are designed, constructed and/or installed to specifications that would minimize the possibility of access from adjacent areas or from the outside of the facility?
Vulnerability Area: Access Control
24. The organization has attempted to increase performance, and reduce costs by selectively purchasing advanced hardware and software?
Vulnerability Area: Policy
25. The agency security staff is responsible for ensuring that all personnel who install, operate, maintain, or use the computer systems have access authorization?
Vulnerability Area: Access Control
26. Emergency power-off switches for the computers and other equipment are adequately protected to prevent accidental shutdown?
Vulnerability Area: Reliability
27. The network (NOS) system files are kept in a protected directory or are encrypted by the system (i.e. password files, configuration files, etc.)?
Vulnerability Area: Disclosure
28. There is adequate interior and exterior lighting for the facility during non-daylight hours, and doors and windows have adequate locking devices?
Vulnerability Area: Access Control
29. The organization has a current and effective Life Cycle Management Plan (LCMP) to ensure that the systems meet specified requirements with appropriate internal controls?
Vulnerability Area: Policy
30. Password modification is required by the Network Operating System?
Vulnerability Area: Access Control
31. The facility has adequate electrical power that meets or exceeds local needs and codes?
Vulnerability Area: Reliability
32. All supervisors immediately notify the Security Representative of all transfer and employment termination?
Vulnerability Area: Access Control
33. Log-on, system command, and on-line transaction documentation manuals are placed in a secure area when not in use?
Vulnerability Area: Documentation
34. Supporting utilities such as electrical power, air conditioning, natural gas, fuel, water and communication systems are provided with appropriate security?
Vulnerability Area: Reliability
35. Users, networks and computer systems accessing any network take all precautions necessary to protect the networks?
Vulnerability Area: Access Control
36. Sufficient waterproof sheets are available for covering computer equipment in an emergency situation?
Vulnerability Area: Reliability
37. The water cooling system is protected from sabotage attempts?
Vulnerability Area: Reliability
38. All network connections via dial-up facilities are managed, controlled and secure?
Vulnerability Area: Access Control
39. Door hinges are installed on the inside of the door or are pinned/welded when installed on the outside to prevent door removal?
Vulnerability Area: Access Control
40. Written policy exists which defines adequate backup frequency and retention periods for backup data?
Vulnerability Area: Policy
41. All external user, network or system access to mission-critical AIS resources is performed through a C2-designated resource?
Vulnerability Area: Access Control
42. All work areas (local and remote) are equipped with security systems?
Vulnerability Area: Access Control
43. The program security staff is responsible for investigating and resolving all computer security incidents?
Vulnerability Area: Policy
44. New communication links are approved by the Security Officer?
Vulnerability Area: Evaluation
45. Reproduction facilities and copy machines are secured or locked to prevent abuse?
Vulnerability Area: Accountability
46. A quantitative risk analysis required by current directives has been performed within the past three years?
Vulnerability Area: Evaluation
47. There is documentation that demonstrates that all network systems are approved by management?
Vulnerability Area: Policy
48. The Program Security Officer has prescribed the security measures to be used at each workstation and work area?
Vulnerability Area: Policy
49. The facility has been audited for security within the last twelve months?
Vulnerability Area: Evaluation
50. Management strives to reduce employee turnover by retaining qualified personnel through fair promotion policies?
Vulnerability Area: Policy
The areas of vulnerability associated with the questions above are shown below, ranked according to the number of questions in each.
Following the table is a chart indicating the relative importance of each area of vulnerability, as determined from the question set.
Vulnerability Areas | Number of Questions |
1. Access Control | 13 |
2. Policy | 13 |
3. Reliability | 8 |
4. Accountability | 5 |
5. Evaluation | 3 |
6. Administration | 2 |
7. Data Integrity | 2 |
8. Disclosure | 2 |
9. Privacy Act | 1 |
10. Documentation | 1 |
Chart: relative importance of each area of vulnerability, as a share of the questions listed above: Access Control (26.0%), Policy (26.0%), Reliability (16.0%), Accountability (10.0%), Evaluation (6.0%), 5 Others (16.0%).
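As an added example, not part of this report or of the RiskWatch tool, the following Python script reproduces the tally behind the table and chart: it parses a listing in the report's own layout (the vulnerability area either on the question's line or on the line after it), ranks areas by question count, and folds the tail into an "N Others" bucket with percentages. The excerpt it works on is a constructed sample of six questions from the listing, so its counts differ from the 50-question table.

```python
import re
from collections import Counter

# Constructed excerpt in the report's layout: the area follows the question
# either on the same line or on the next line, exactly as on the page.
SAMPLE_REPORT = """\
1. Sensitive information is not transmitted over public media unless encrypted?
Vulnerability Area: Disclosure
6. Water detectors are located under raised floors? Vulnerability Area: Reliability
9. The organization has a written computer security policy? Vulnerability Area: Policy
10. Visitor Logs are always used, maintained and retained for two (2) years?
Vulnerability Area: Access Control
17. When an employee gives notice, the supervisor notifies Security?
Vulnerability Area: Access Control
46. A quantitative risk analysis has been performed within the past three years?
Vulnerability Area: Evaluation
"""

QUESTION_RE = re.compile(r"^\s*(\d+)\.\s*(.*)$")
AREA_RE = re.compile(r"Vulnerability Area:\s*(.+?)\s*$")


def parse_questions(text):
    """Return (number, question, area) tuples; raises if an area is missing."""
    items, pending = [], None  # pending = question still waiting for its area
    for line in text.splitlines():
        q = QUESTION_RE.match(line)
        if q:
            number, body = int(q.group(1)), q.group(2)
            a = AREA_RE.search(body)
            if a:  # area on the same line as the question
                items.append((number, body[: a.start()].strip(), a.group(1)))
            else:
                pending = (number, body.strip())
            continue
        a = AREA_RE.search(line)
        if a and pending:  # area on the following line
            items.append((pending[0], pending[1], a.group(1)))
            pending = None
    if pending:
        raise ValueError(f"question {pending[0]} has no vulnerability area")
    return items


def distribution(items, top=5):
    """Rank areas by count, keep the top N, fold the rest into 'N Others'."""
    counts = Counter(area for _, _, area in items)
    total = sum(counts.values())
    ranked = counts.most_common()
    rows = [(area, n, round(100.0 * n / total, 1)) for area, n in ranked[:top]]
    if ranked[top:]:
        n = sum(c for _, c in ranked[top:])
        rows.append((f"{len(ranked[top:])} Others", n, round(100.0 * n / total, 1)))
    return rows
```

Run over the full 50-question listing with the default top=5, the same functions yield the table's counts and the chart's "5 Others (16.0%)" bucket.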
