1. Executive Summary Scope

• This risk analysis was limited to SpecOrg Data Center.

• [[[Minicomputers and microcomputers were included in the analysis only to the extent they posed a risk to SpecOrg.]]]

Risk Analysis Steps

• Questionnaire diskettes or network sub-directories were developed containing [[[532]]] questions covering all areas of SpecOrg AIS security;

• [[[One hundred eleven]]] SpecOrg employees and users of the SpecOrg answered and returned the responses to the questions;

• The RiskWatch software determined SpecOrg vulnerabilities based on information on diskettes;

• Identified vulnerabilities were validated by SpecOrg management;

• A risk analysis report was prepared.

Key Risk Analysis Report Findings

Assets [[[

• The asset replacement cost for SpecOrg is approximately $100M.

• Hardware, personnel (government and contractor), and intangibles (reputation) are the major asset categories at SpecOrg.

• Important assets, such as system software, applications, and databases can be replaced relatively inexpensively because they are backed-up.

]]]

Vulnerabilities [[[

• The risk analysis identified 170 vulnerabilities covering twenty-two vulnerability areas.

• SpecOrg is most vulnerable in five areas: (see Figure 1)

  1. The labeling and control of output listings.

  2. The security of remote terminals.

3. The level and extent of security training.

4. The level of staffing and separation of duties at the DATA CENTER.

5. The level of training for the identification of Privacy Act records and insufficient labeling of Privacy Act-related materials.