The data center backs up all data media storage on a daily basis. The data are then transported to the NAME offsite storage facility in ADDRESS. The NAME facility subcontract is managed by the NAME Contractor. NAME meets all Government requirements for an off-site storage facility.
Hot-Site for Disaster Recovery
Tori has a contract with NAME of ADDRESS, for hot-site support. In the event of a total or partial disaster at Tori data center and the decision is made to activate the hot-site, a designated team will travel to the hot site to operate the facility in place of the Tori data center.
]]]
1.1.4 System Configuration
The system consists of the following (see attached floor plan):
Figure 2 [[[ Attach Floor Plan HERE ]]]
[[[
SYSTEM
o Processors: IBM 3090-500E & 600S
o Disk Storage: IBM/STK/AMDAHL
o Library Storage Modules: (6) STK 4400
o Cartridge Drives: (96) IBM/STK
o Cartridges: (200,000) 3480's
o Tape Reel Drives: (8) 6250 BPI
o Tapes: 15,000 Round Media
o Printers (Page): (1) Xerox 90 PPM
o Printers (Line): (1) IBM 2,000 LPM; (1) STK 1,500 LPM
Communications
High speed link to Tori, Department Information Management. Exchange System to Regional Offices, Value Added Networks to Tori Sites, Intermediaries, and Contractors
o IBM Information Network
o FTS 2000
]]]
1.2 Terms and Definitions
1.2.1 Annual Frequency Estimate (AFE):
The Annual Frequency Estimate (AFE) is a factor based on historical data which indicates the approximate number of times a defined threat might occur in a specific environment, system, or location in a given year.
1.2.2 Annual Loss Expectancy (ALE):
The sum of the Individual Annual Loss Expectancies (IALE) for all assets, of a specific loss type, and attributed to a specific threat.
1.2.3 Annual Loss Expectancy, Individual: Per Asset (IALE)
The Individual Annual Loss Expectancy (IALE) represents the proportion of an individual asset that could be lost as the result of a single instance of a threat event, multiplied by the Annual Frequency Estimate (AFE) of the specific threat.
1.2.4 Application Software:
A program or set of programs designed for a specific function such as payroll, accounts payable, inventory control, property management, etc. Both source code and object code ought to be considered.
1.2.5 Assets:
Assets are defined as useful or valuable possessions of the enterprise. All assets, including data, residing in a computer system can be properly identified, quantified with respect to one or more evaluative perspectives (such as replacement cost), and classified into one or more of the following distinct categories:
1.2.5a Critical Assets:
Those assets which provide direct support to the organization's ability to sustain its mission. Assets or resources are considered critical if their absence or non-availability would significantly degrade the ability of the organization to carry out its mission, and when the time that the organization can function without the asset is substantially lower than the time needed to replace the asset. Critical assets can be backed up to reduce their potential impact.
1.2.5b Financial, Controlled, Validated, Certified or Accountable Assets:
Moveable property, cash, inventories, accounting or auditing systems, and automatic money-handling software are financial or accountable. These assets are susceptible to both internal and external fraud.
This category also includes payroll, billings, supply inventories, accounts payable and receivable, other financial assets, small pilferable items, cash, consumables, negotiable instruments and services, as well as automated billing systems. (Special attention is required as a result of the report by the U.S. Government Accounting Office directive entitled `Improvements Needed in Managing Automated Decision-making by Computers Throughout the Federal Government', FGMSD-76-5, April 23, 1976.) This category includes data bases, programs, and information on which unauthorized and invalid modifications cannot be tolerated.
1.2.5c Sensitive Assets:
Includes processes and information, assets that need controlled dissemination and that are considered classified, controlled, proprietary, or private. The unauthorized disclosure and dissemination of sensitive matter can result in losses of high magnitude which are generally irrecoverable. Sensitivity is the status of importance accorded to an asset (generally data) which has been agreed upon between the person or organization furnishing the sensitive resource and the person or organization receiving it, and which describes the resource's warranted degree of protection. Privacy data is a subset or special case of sensitivity which requires protection under the Privacy Act of 1974. In this case, it is most important to have an effective liaison with each functional office maintaining personal data. The Privacy Act is very specific on the scope and requirements for data protection and the reporting of privacy data collected. Generally, losses relating to sensitive matters result from disclosure, in which
1.2.5d Supportive Assets:
These are all other justifiable, organizational assets not otherwise classified in one or more of the critical, sensitive or financial/accountable categories. For example, items like furniture, vending machines and other property that can be amortized. The loss resulting from the occurrence of a threat upon these assets is too small to warrant further consideration and development of safeguards. Therefore, these resources are excluded from the risk analysis evaluation.
1.2.6 Computer System:
The hardware consisting of CPU, memory, controllers and peripherals, disk drive(s), tape drive(s), printer(s), etc.
1.2.7 Contingency Plan:
A plan that identifies resource schedules, procedures and documentation to be used in providing continued operating capability and support to all critical mission components in case of disaster.
1.2.8 Continuity of Operations Plan (COOP):
Same as Contingency Plan, (see above).
1.2.9 Emergency Response:
Identified actions, procedures, and resources to be used in emergency situations.
1.2.10 Risk Analysis:
The application of a standardized methodology in the determination of threats, risk factors, vulnerability exposures and potential losses. Risk analysis is an approach to satisfying the need of an organization to protect the assets in which it has made an investment. It also serves to identify the particular problems an organization could expect to encounter in the performance of its mission, and the adverse effects these problems might present to the organization's ability to meet its obligations. Finally, risk management, growing out of the analysis, is a mechanism by which management can address these problems according to their relative importance based on financial analysis, and develop safeguards which are both reasonable and cost-effective.
1.2.11 Safeguards:
Safeguards are countermeasures, specifications, or controls, consisting of actions taken to decrease the organization's existing degree of vulnerability to a given threat, or the probability (risk) that the threat will occur. Safeguards are put into effect to reduce the organization's potential losses and the resultant impact on the mission. Safeguards are designed, implemented and maintained with the objective of minimizing losses by providing improved means of deterrence, prevention, mitigation, detection of and recovery from incidents (realizations of potential threat events). Generally, the safeguards are grouped into the following broad categories:
1.2.11a Administrative Safeguards:
This category includes all policies, procedures, guidelines, auditing checks and tabulations which are defined by management.
1.2.11b Physical Safeguards:
These are devices or mechanisms that protect assets. These include such things as door locks, terminal shielding, vaults, walls, fire suppression systems, and guards.
1.2.11c Technical Safeguards:
These are usually associated with the protection of information inside a computer system; this category includes such items as data encryption, internal access controls, system and file passwords, recovery software, and auditing software.
1.2.12 Single Loss Expectancy Individual: Per Asset (SLEI)
The monetary value of a single specified asset, or set of assets, multiplied by its associated vulnerability exposures, which are related to a specific realized threat.
1.2.13 Single Loss Expectancy: Per Threat Occurrence (SLE)
The sum of the Single Loss Expectancies for all assets attributed to a specific realized threat. These are all losses associated with the single occurrence of a defined threat.
1.2.14 System Software:
Programs that control the operation of a computer system, generally consisting of utility programs (both source code and object code). System software refers to special application programs whose function is the operation of a computer or one of its specialized subsystems.
1.2.15 Threat:
An event, process, activity (act), or substance, either accidental or perpetrated by one or more threat agents, which, when realized, has an adverse effect on organizational assets (possibly aggravated by existing organizational or other forms of vulnerability to that threat), resulting in losses that may be classified as:
1.2.15a direct loss;
1.2.15b related direct loss;
1.2.15c delays (in processing)/denials (of service) (acting against availability of the asset);
1.2.15d disclosure (of sensitive information) (acting against its confidentiality);
1.2.15e intangible (acting against intangible assets);
1.2.15f profit;
1.2.15g strategic;
1.2.15h life;
1.2.15i morale.
The combination of all possible losses resulting from one occurrence of a threat is called the Single Loss Expectancy (SLE).
1.2.16 Threat Agent:
Any person or thing which acts, or has the power to act, to cause, carry out, transmit or support a threat. As stated in the threat definition, it is the case that the realization of many threats will correspondingly cause the occurrence of other threats, and therefore, many threats will themselves be threat agents.
The identification of threat agents is an important element in attempting to calculate the Annual Frequency Estimate (AFE) of a threat occurrence and then the amount of loss (ALE) of an asset. Generally, a threat can occur through more than one agent, and to properly estimate the losses and subsequent impact to the mission, the individual AFEs and ALEs associated with each agent must be separately determined. Unfortunately, the statistics are not collected based on the agent. Therefore, with current statistics, the values would be overlapping and the resulting annual loss expectancy would be greatly exaggerated.
1.2.17 Threat Probability of Occurrence with Cumulative Probability, Confidence Interval, and Standard Deviation:
Based on available statistics, the probability or annual frequency estimate is calculated with the associated level of confidence and the applicable standard deviation.
1.2.18 Vulnerability:
A vulnerability, or weakness, is the susceptibility of an asset, or a set of assets, to an increased level of loss resulting from an occurrence of a defined threat against that asset. It is a characteristic, condition, or perceived lack of a procedural method or control, associated with one or more assets or safeguards, which would result in an increased loss if a threat were to be realized. The presence of a vulnerability does not in itself result in a loss, nor does the total absence of any vulnerability necessarily ensure that a loss will not occur should the threat become realized.
1.2.19 Degree of Seriousness:
The extent (for denial/delay forms of loss), or percentage of the value of affected assets (for all other forms of loss), that would be experienced as a result of the realization of a particular threat.
1.3 Risk Analysis Methodology
The automated risk analysis program is based on a standardized methodology which has been developed through the collective experiences and expertise of security consultants and analysts that have actually performed a multitude of risk analyses.
In accordance with this methodology, members of the analysis team familiarized themselves with the physical facilities, overall organizational structure, and the integration of the data processing system into the structure of the organization. Following a study of the working relationships within the organization, a project plan was prepared. A list was made of all the organizational elements which either support or draw support from the system under analysis. Work assignments were then made for the team members to assess the threats to the data processing system.
The team then collected all readily identifiable data necessary for a quantitative risk assessment. Included were computerized lists of assets, floor plans, etc., and documentation on policies and procedures.
After the collected data was analyzed, the function of each component of the organization was identified and the mission of the organization was defined. As a result of this analysis, the critical components of the organization were discovered and analyzed in depth.
From the data collected, an organizational resource structure was identified for all assets (both tangible and intangible) used either directly or indirectly, in support of the organizational mission tasks and functions. The assets were classified according to their criticality, sensitivity, or use within the organization.
A number of questionnaire diskettes were prepared and distributed to Tori and NAME employees, and to NAME and non-NAME users of the Tori data center, to identify any vulnerabilities that may be present at the data center.
Based on an examination of the organization's related functions and assigned resources, a list of applicable threats was developed. Each threat listed could, if realized, cause a significant loss of organizational assets, and consequently, a significant loss of the ability to carry out some facet of the mission.
To analyze the vulnerabilities, an analysis was made of each asset, and the threats which could act against it. For each asset/threat/vulnerability combination, a determination was made and a numerical value was assigned which represented the actual percentage of the value of the asset which is exposed and subject to loss if the threat were to occur. Given the value of the asset and the percentage of that value exposed to each threat, a computation was made of the loss which could be expected for each occurrence of the threat - regardless of the likelihood that the threat would occur.
For each of the threats identified as applicable, the adequacy of the protection afforded by existing controls and safeguards was assessed based on responses to the RiskWatch questionnaires.
Given the nature of the threats previously identified, a determination was made (by conducting extensive research of many data bases, both automated and manual) of each threat's frequency of occurrence within any given year. The determination of these factors involved both data collected from within the organization through the questionnaire evolution, and various data bases obtained from over 100 sources by a variety of access modes, from direct on-line to mag-tape copies, microfiche or hard copy media. The data were then analyzed by statistical routines to obtain the mean, standard deviation, confidence interval, and dependent variables acting as maximizing factors. Multiplication of the value of each asset by its vulnerability exposure to each threat which might affect it resulted in the estimated loss per occurrence for the asset. This estimate was multiplied by the Annual Frequency Estimate of the threat to annualize the loss expectancy (ALE) for the asset, threat, and vulnerability combination.
The estimated loss per occurrence and the Annual Loss Expectancies attributed to the various assets affected by a given threat were summed and an analysis was made of the impact such a threat occurrence would produce. The analysis involved evaluating details relating to the physical and logical interrelationships of all the components, both within and outside the organization, which would be affected. The result of this analysis was a realistic impression of the snowball effect that the threat could produce.
The figures produced represent the total direct and indirect losses which could be anticipated by all parties, both within and associated with the organization.
A series of safeguards was then identified to address each threat with a high percentage of occurrence.
In each case, recommended additional safeguards had to be cost-effective, unless they were specifically required by law, regulation, or contractual agreement. The cost of implementing and operating the safeguard had to be less than the reduction in the ALE associated with the threats against which the safeguard was effective, unless specifically required by law. Costs and savings were amortized over the lesser of the estimated safeguard, system, or facility life cycles.
Money to be spent or saved in future years was discounted to reflect its value at the present time by using discount factors based on the inflation adjusted, cost-of-capital rate of 10%.
Multiple effects -- that is, the reduction of more than one ALE, from more than one threat, by a single additional safeguard -- were evaluated by analyzing the difference in ALE of all affected threats.
After applying these analytical techniques to the costs and savings associated with each proposed additional safeguard and the ALEs which it affected, a savings figure, normalized to the present time, was obtained to assist management in deciding whether or not to implement the recommended additional safeguard.
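As an added worked example that is not part of the original report, the following Python carries the definitions of section 1.2 (SLEI, SLE, IALE, ALE) and the section 1.3 safeguard test (present-value discounting at 10%, amortization over the shortest life cycle, multiple effects of one safeguard) through on constructed sample figures; the asset values, exposures, AFEs and safeguard costs are hypothetical.

```python
# Added worked example (not from the report): the loss-expectancy arithmetic of
# section 1.2 and the safeguard cost-benefit test of section 1.3, on constructed figures.
from dataclasses import dataclass

@dataclass
class Exposure:
    asset: str
    value: float     # monetary value of the asset
    exposure: float  # fraction of that value subject to loss per threat occurrence

def slei(e: Exposure) -> float:
    """Single Loss Expectancy, Individual: asset value x vulnerability exposure (1.2.12)."""
    return e.value * e.exposure

def sle(exposures) -> float:
    """Single Loss Expectancy per threat occurrence: sum of the SLEIs (1.2.13)."""
    return sum(slei(e) for e in exposures)

def ale(exposures, afe: float) -> float:
    """Annual Loss Expectancy of one threat: sum over assets of IALE = SLEI x AFE (1.2.2/1.2.3)."""
    return sum(slei(e) * afe for e in exposures)

def present_value(annual_amount: float, years: int, rate: float = 0.10) -> float:
    """Discount a constant end-of-year amount to today at the report's 10% rate."""
    return sum(annual_amount / (1 + rate) ** t for t in range(1, years + 1))

def safeguard_net_savings(threats, ale_reduction, initial_cost, annual_cost,
                          lifecycles, rate=0.10) -> float:
    """Present-value savings of one safeguard net of its cost.
    threats:       {name: (exposures, afe)}
    ale_reduction: {name: fraction of that threat's ALE the safeguard removes}; more than
                   one entry is the "multiple effects" case, evaluated by summing them.
    lifecycles:    (safeguard, system, facility) lives in years; the shortest is the
                   amortization period, as section 1.3 requires.
    """
    years = min(lifecycles)
    yearly_reduction = sum(ale(*threats[t]) * frac for t, frac in ale_reduction.items())
    return present_value(yearly_reduction - annual_cost, years, rate) - initial_cost

def recommend(net_savings: float, required_by_law: bool = False) -> bool:
    """Recommend when it pays for itself, or regardless of cost when law/regulation requires it."""
    return required_by_law or net_savings > 0

# Constructed sample figures (hypothetical, not the report's data).
THREATS = {
    "fire":  ([Exposure("mainframe", 2_000_000, 0.50), Exposure("tape library", 500_000, 0.80)], 0.05),
    "water": ([Exposure("mainframe", 2_000_000, 0.20)], 0.10),
}

if __name__ == "__main__":
    for name, (exp, afe) in THREATS.items():
        print(f"{name}: SLE={sle(exp):,.0f}  ALE={ale(exp, afe):,.0f}")
    s = safeguard_net_savings(THREATS, {"fire": 0.9}, 50_000, 5_000, (5, 8, 20))
    print(f"fire suppression net present savings: {s:,.2f}  recommend={recommend(s)}")
```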
