MINISTRY OF SCIENCE AND HIGHER EDUCATION OF RUSSIA SAINT PETERSBURG STATE ELECTROTECHNICAL UNIVERSITY "LETI" NAMED AFTER V.I. ULYANOV (LENIN) Department of Information Security

REPORT on practical work No. 10

for the course "Fundamentals of Information Security" Topic: Studying enterprise security assessment using the software

Risk Watch

Student, group

Instructor

Saint Petersburg

2023

Introduction

1

15.11.2023 12:51:39

FINAL REPORT

Risk Analysis of PAO MTS

Prepared by:

Koznev Boris

Salov Ilya

NAME, System Administrator, IT Department

NAME, Network Administrator, IT Department

TABLE OF CONTENTS

I. Executive Summary

II. Recommendations

Chapter 1 - General Information

1.1 Operational Environment and System Configuration

1.1.1 The Risk Assessment Team

1.1.2 Organizational Details of SpecOrg

1.1.3 Physical Plant and Physical Security

1.1.4 System Configuration

1.2 Terms and Definitions

1.3 Risk Analysis Methodology

1.4 RiskWatch Parameters and Data Analysis

Chapter 2 - Assets

2.1 Summary of Asset Categories

2.2 Assets Listed Within Category

2.2.1 Assets Within Category 1

===

2.2.N Assets Within Category N

Chapter 3 - Threats

3.1 Summary of Threats

3.2 Incidents Involving Each Threat

3.2.1 Incidents Involving Threat 1

===

3.2.N Incidents Involving Threat N

Chapter 4 - Areas of Vulnerability

4.1 Summary of Vulnerabilities

4.2 Question Report

4.2.1 Question Report For Vulnerability Area 1

===

4.2.N Question Report For Vulnerability Area N

4.3 Incidents Linked to Each Vulnerability Area

4.3.1 Incidents Linked To Vulnerability Area 1

===

4.3.N Incidents Linked To Vulnerability Area N

Chapter 5 - Safeguards

5.1 Summary of Safeguards

5.2 Cost-Benefit Analysis Report

5.2.1 Cost-Benefit Analysis Report For Safeguard 1

===

5.2.N Cost-Benefit Analysis Report For Safeguard N

5.3 Incidents Affected by Each Safeguard

5.3.1 Incidents Affected By Safeguard 1

===

5.3.N Incidents Affected By Safeguard N

Appendixes

Appendix A - Assets

Appendix B - Threats

Appendix C - Vulnerability Areas

Appendix D - Safeguards

Chapter 1 - General Introduction

The development of effective plans is a manager's most important responsibility, and the measurement of the compliance of an organization with these plans is essential. For Automated Information Systems (AIS) facilities, one of the most important categories of planning is security planning because of the catastrophic impact that total shutdown of the AIS facility would have on the entire organization.

A quantitative risk analysis is a tool for measuring the compliance of an organization with applicable security requirements and is a standardized methodology which can be used to analyze a system or organization to identify vulnerabilities that could result in losses. This standardized methodology is based on the interrelationships of four key factors:

1. Asset: Any useful or valuable resource;

2. Vulnerability: Weakness or susceptibility of an asset or a collection of assets to losses of various kinds;

3. Threat: An event, process, or act which, when realized, has an adverse effect on one or more assets; and

4. Safeguard: Countermeasure, control, or action taken to decrease the existing level of vulnerability of an asset to one or more threats.

To facilitate the performance of the risk analysis, SpecOrg acquired a risk analysis system called RiskWatch II for Windows. This PC-based software package, which is available on GSA Schedule, was originally developed for the Department of the Navy; it has been redesigned and rewritten to make it a Windows application and it is currently being used by the Department of Defense, NASA, several State and local governments, and private industry.

The scope of the risk analysis was limited to SpecOrg and threats arising from its environment including all telecommunications links to SpecOrg. The purpose of the risk analysis was to identify the vulnerability of the assets of SpecOrg to a variety of threats and to recommend safeguards which could reduce or eliminate the vulnerability of SpecOrg to these threats.

In some instances, applicable safeguards were 100% implemented, but were not being fully employed by the user community. As a general rule, when such noncompliance with policy within the enterprise occurs, it is frequently because there is a lack of awareness of the security issues; this may result from inadequate security training and enforcement of security requirements.
