1.4 RiskWatch Parameters and Data Analysis
RiskWatch Parameters
This section provides the parameters selected by the Risk Analysis Team and approved by the work group for use in this analysis. The information provided includes the hours and days of operation, the number of records handled, the number of users, and the questionnaire non-compliance threshold.
Name of Organization:                    Tori
Number/Code of Organizational Unit:      8
System to be analyzed:                   Recycle
How many days/week does system operate:  7
How many hours/day does system operate:  24
Down time before serious consequences:   0.22
Time to replace Minimum Function:        0.30
Number of full-time users:               43
Data sensitivity level:                  1
Security mode:                           A1
Orange Book Level:                       Secret
Maximum $$ handled:                      $000.
Interpret xx% or more as 100:            xx = 82
(answers less than 85% were flagged as potential vulnerabilities)
Figure 3: Summary of Parameters
Data Analysis
[[[
The team began the risk analysis by preparing and distributing questionnaire diskettes to 113 individuals. Included among these individuals were Tori and NAME employees, Central Office and Regional Office System Security Officers, RACF Group Administrators, and NAME and non-Tori users of the DATA CENTER. Although diskettes were sent to a broad range of users, the scope of the risk analysis was limited to the DATA CENTER.
Each diskette contained 449 questions; respondents were instructed to select and answer the questions in one or more functional areas that applied to them. For each question (statement) the participant rated the degree to which it applied, as they perceived it, on a scale of 0 (low) to 100 (high). If the statement was not applicable or the participant was unfamiliar with it, the response was "N".
The team received 102 completed diskettes. The response diskettes were loaded into the RiskWatch program, which processed the responses to produce a list of vulnerabilities (weaknesses). That list was reviewed by the risk analysis team and validated by a review team comprised of Tori and NAME managers and technical experts.
Using the validated set of applicable vulnerabilities and a list of assets prepared by the risk analysis team and validated by the Director, NAME, the team used the RiskWatch software to determine the applicable threats and their annual loss expectancies, and to develop a set of recommended safeguards which, if implemented, could substantially reduce potential losses.
]]]
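The scoring rule from the parameter summary (answers at or above xx% interpreted as 100, questions falling below the flag threshold treated as candidate vulnerabilities) and the annual-loss-expectancy ranking of safeguards described above, as an added worked example. This is not RiskWatch's own code: the ALE and return-on-investment formulas used here are the standard textbook forms (ALE = asset value x exposure factor x annual rate of occurrence; ROI = (loss avoided - annual cost) / annual cost) and are an assumption about how the tool computes them, and every response, asset value, threat rate, safeguard cost and reduction factor is constructed for illustration.

```python
"""Questionnaire scoring and safeguard ranking in the style of the RiskWatch
analysis described above.  Added illustration, not RiskWatch's own code: the
'interpret xx% or more as 100' rule and the flag threshold are the parameters
from Figure 3; the ALE and ROI formulas are the standard textbook forms and an
assumption about how the tool computes them.  All data below is constructed."""
from dataclasses import dataclass, field
from statistics import mean

INTERPRET_AS_100 = 82   # Figure 3: "Interpret xx% or more as 100", xx = 82
FLAG_BELOW = 85         # Figure 3: answers below 85% were flagged

# Constructed responses: question id -> one answer per respondent, each an
# integer 0..100 or "N" (not applicable / respondent unfamiliar with it).
SAMPLE_RESPONSES = {
    "Q101 lighting at each entrance": [60, 70, "N", 85, 40],
    "Q102 smoke detectors in return air ducts": ["N", "N", "N"],
    "Q103 security training provided": [90, 95, 82, "N"],
    "Q104 backups tested": [100, 88, 99],
}


def normalise(answer):
    """Apply the xx% rule to one answer; None means the answer was 'N'."""
    if answer == "N":
        return None
    score = int(answer)
    if not 0 <= score <= 100:
        raise ValueError(f"answer out of range: {answer!r}")
    return 100 if score >= INTERPRET_AS_100 else score


def score_questions(responses):
    """Mean normalised score per question, ignoring 'N' answers.
    A question nobody could answer scores None rather than 0 or 100."""
    scored = {}
    for question, answers in responses.items():
        usable = [s for s in map(normalise, answers) if s is not None]
        scored[question] = mean(usable) if usable else None
    return scored


def flag_vulnerabilities(scored, threshold=FLAG_BELOW):
    """Questions scoring below the threshold: candidate vulnerabilities
    for the review team to validate."""
    return sorted(q for q, s in scored.items() if s is not None and s < threshold)


def unanswered(scored):
    """Questions every respondent marked 'N', listed separately so a control
    nobody could assess is not silently treated as compliant."""
    return sorted(q for q, s in scored.items() if s is None)


@dataclass
class Threat:
    name: str
    asset_value: float      # replacement cost from the asset inventory
    exposure_factor: float  # fraction of the asset lost per occurrence
    annual_rate: float      # expected occurrences per year (ARO)

    def ale(self):
        """Annual loss expectancy (assumed standard formula)."""
        return self.asset_value * self.exposure_factor * self.annual_rate


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    # threat name -> fraction of that threat's ALE the safeguard removes
    reductions: dict = field(default_factory=dict)


def loss_avoided(safeguard, threats):
    return sum(t.ale() * safeguard.reductions.get(t.name, 0.0) for t in threats)


def safeguard_roi(safeguard, threats):
    """(annual loss avoided - annual cost) / annual cost, per safeguard alone."""
    return (loss_avoided(safeguard, threats) - safeguard.annual_cost) / safeguard.annual_cost


def rank_safeguards(safeguards, threats):
    """Highest return on investment first, as in the cost-benefit summary."""
    return sorted(safeguards, key=lambda s: safeguard_roi(s, threats), reverse=True)


# Constructed figures; only the threat and safeguard names come from the summary.
SAMPLE_THREATS = [
    Threat("Major Fire", asset_value=100_000_000, exposure_factor=0.25, annual_rate=0.02),
    Threat("Power Failure", asset_value=10_000_000, exposure_factor=0.05, annual_rate=0.5),
    Threat("Theft of company assets", asset_value=3_000_000, exposure_factor=0.1, annual_rate=1.0),
]
SAMPLE_SAFEGUARDS = [
    Safeguard("Fire Detection", annual_cost=20_000, reductions={"Major Fire": 0.4}),
    Safeguard("Fire Suppression", annual_cost=50_000, reductions={"Major Fire": 0.6}),
    Safeguard("Visitor Control", annual_cost=10_000, reductions={"Theft of company assets": 0.5}),
    Safeguard("Uninterruptible power supply", annual_cost=100_000, reductions={"Power Failure": 0.9}),
]

if __name__ == "__main__":
    scored = score_questions(SAMPLE_RESPONSES)
    print("flagged:", flag_vulnerabilities(scored))
    print("unanswered:", unanswered(scored))
    for s in rank_safeguards(SAMPLE_SAFEGUARDS, SAMPLE_THREATS):
        print(f"{s.name:30} ROI {safeguard_roi(s, SAMPLE_THREATS):6.2f}")
```

Two points a practitioner should notice. First, "N" answers are excluded from the mean rather than counted as 0 or 100, and a question that nobody could answer is reported separately: averaging it away would hide exactly the controls the respondents know least about. Second, ROI is computed for each safeguard in isolation, so two safeguards that reduce the same threat (fire detection and fire suppression both act on Major Fire) do not simply add; the Risk Management Plan has to choose the combination, which is why the report leaves final safeguard selection to management.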
I. Executive Summary
Scope
This risk analysis was limited to Tori Central Facility.
[[[Adjacent areas were included in the analysis only to the extent they posed a risk to Tori.]]]
Risk Analysis Steps
Questionnaire diskettes or network sub-directories were developed containing [[[532]]] questions covering all areas of Tori AIS security;
[[[One hundred eleven]]] Tori employees and users of the Tori answered and returned the responses to the questions;
The RiskWatch software determined Tori vulnerabilities from the questionnaire responses;
Identified vulnerabilities were validated by Tori management;
A risk analysis report was prepared.
Key Risk Analysis Report Findings
Assets
[[[
The asset replacement cost for Tori is approximately $100M.
Hardware, personnel (government and contractor), and intangibles (reputation) are the major asset categories at Tori.
]]]
Vulnerabilities
[[[
The risk analysis identified 170 vulnerabilities covering twenty-two vulnerability areas.
Tori is most vulnerable in five areas: (see Figure 1)
1. Lighting at each of the entrances.
2. No smoke detectors in the return air ducts.
3. The level and extent of security training.
4. The level of staffing and separation of duties in the inventory center.
5. The level of training for the identification and control of Privacy Act and proprietary records.
]]]
Threats
[[[
The four most significant threats to Tori on an annual basis are: (see Figure 2)
1. Major Fire
2. Power Failure
3. Theft of company assets
4. Employee Sabotage
]]]
Safeguards
[[[
The safeguards with the greatest return on investment, which are also among the least costly safeguards, are: (see Figure 3)
1. Property management
2. Organizational structure
3. Visitor Control
4. Fire Suppression
5. Fire Detection
]]]
II. Recommendations
[[[One hundred seventy]]] vulnerabilities were identified which, if not corrected, could result in considerable loss to Tori.
Immediate steps which can be taken are:
[[[
Correct the fire detection and control vulnerabilities identified during the walk-through.
Publish and disseminate Tori Disaster Recovery Plan.
Develop a system-generated cover page for and improve the control of sensitive output listings.
Review the security of terminals at the Parkview Building.
Test the adequacy of current system software and user file backups.
Remind users of the importance of backing up tape files.
Provide additional training on and enforce existing security policies and procedures.
Publish and disseminate a Tori-wide policy on the handling of sensitive documents and develop a uniform cover sheet for these documents.
Review Tori staffing and separation of duties.
The System Security Officer, in coordination with Tori management, should develop a Risk Management Plan to address the implementation of the safeguards with the greatest return on investment.
]]]
[[[
Twelve major safeguards (see CHAPTER IX., Applicable Safeguard Cost Benefit Analysis Summary Table) were recommended which, if implemented, would substantially reduce losses if these threats occurred or prevent the threats from occurring altogether.
Tori System Security Officer should develop a Risk Management Plan in cooperation with Tori management, who will make the final decision as to the selection of applicable safeguards. The Plan will identify the specific steps required to implement the selected safeguards and recommend to Tori management the priority for safeguard implementation.
]]]
2.2 ASSETS WITHIN CATEGORY
Assets are identified, by category, by their commonly used name; other related information is associated with each individual asset. Depending on the asset category, further data is also provided for each asset, such as the level of sensitivity for data or the quantity of a duplicated hardware item. When the information is available, an indication is included of the basic attribute(s) of each asset, stating whether the asset is
critical (in the sense that the mission of the enterprise depends on the correct and timely functioning of this asset), or
financial (with respect to the need to control modification), or
sensitive (with respect to disclosure), or
supportive (none of the above).
The definition of each asset category is also provided.
The monetary values assigned represent the estimated replacement or purchase cost of the asset, not its current value. For example, the recruitment cost, the training cost, and the staff salaries and benefits were used to determine personnel costs. For leased equipment, replacement cost of obtaining a new lease is used since the organization is responsible for obtaining a replacement resource.
The value of sensitive resources could be greater than the replacement value, to account for the loss of future opportunity and for the exposure agencies face from the disclosure of data subject to the Privacy Act; awards of $1,000 to $5,000 per individual record have been assessed by the courts based on the sanctions included in the Privacy Act of 1974.
The sections below deal, in turn, with each of the asset categories included in the analysis.
2.2.1 Aircraft
There are no assets in this category.
2.2.2 Ammunition/Explosives
There are no assets in this category.
2.2.3 Art/Paintings
There are no assets in this category.
2.2.4 Business Market Share
There are no assets in this category.
2.2.5 Cash
There are no assets in this category.
2.2.6 Communications Equipment
There are no assets in this category.
2.2.7 Computer Hardware
There are no assets in this category.
2.2.8 Construction Equipment
There are no assets in this category.
2.2.9 Controlled Substances
There are no assets in this category.
2.2.10 Customers
Asset            Replacement Cost   Percentage of Total
Sample Customer  $2,000.            100.0%
Figure 7.10
This information about replacement costs is presented below as a bar chart.
[Bar chart: one bar, Sample Customer, at 2,000; horizontal axis labelled Dollars, ticks from 250 to 2,000 in steps of 250]
Figure 8.10
2.2.11 Electronic Equipment
There are no assets in this category.
2.2.12 Evidence
There are no assets in this category.
2.2.13 Facilities/Building
There are no assets in this category.
2.2.14 Food/Water/Perishables
There are no assets in this category.
2.2.15 Gold/Silver Gems
There are no assets in this category.
2.2.16 Intangibles
There are no assets in this category.
2.2.17 Large Weapons
There are no assets in this category.
2.2.18 Manufacturing Equipment
There are no assets in this category.
2.2.19 Negotiable Instruments
There are no assets in this category.
2.2.20 Nuclear Materials
There are no assets in this category.
2.2.21 Office Equipment
There are no assets in this category.
2.2.22 Personnel
There are no assets in this category.
2.2.23 Petroleum/Oils
There are no assets in this category.
2.2.24 Physical Inventory/Product
There are no assets in this category.
2.2.25 Production Resources
There are no assets in this category.
2.2.26 Proprietary Information
There are no assets in this category.
2.2.27 Real Property
There are no assets in this category.
2.2.28 Security System
There are no assets in this category.
2.2.29 Small Weapons
There are no assets in this category.
