Uploaded by: north memphis
File: лаба_10 / лаб_10_01_3.docx
Added: 27.10.2025
Size: 228.26 KB

1.4 RiskWatch Parameters and Data Analysis

RiskWatch Parameters

This section provides the parameters selected by the Risk Analysis Team and approved by the work group for use in this analysis. The information provided includes the hours and days of operation, the number of records handled, the number of users, and the questionnaire non-compliance threshold.

Name of Organization: VKONTAKTE

Number/Code of Organizational Unit: OIS

System to be analyzed:

How many days/week does system operate: 7

How many hours/day does system operate: 24

Down time before serious consequences: 0.00

Time to replace Minimum Function: 0.00

Number of full-time users: 0

Data sensitivity level: 1

Security mode: Not Applicable

Orange Book Level: Not Applicable

Maximum $$ handled: $000.

Interpret xx% or more as 100: xx = 11

(answers less than 85% were flagged as potential vulnerabilities)

Figure 3: Summary of Parameters

Data Analysis

[[[

The team began the risk analysis by preparing and distributing questionnaire diskettes to 113 individuals. Included among these individuals were VKONTAKTE and NAME employees, Central Office and Regional Office System Security Officers, RACF Group Administrators, and NAME and non-VKONTAKTE users of the DATA CENTER. Although diskettes were sent to a broad range of users, the scope of the risk analysis was limited to the DATA CENTER.

Each diskette contained 449 questions from which the respondents were instructed to select and answer questions in one or more functional areas. Each participant was instructed to indicate how each question (statement) applied or was perceived by the person on a scale of 0 (low) to 100 (high). If the question was not applicable or the person was unfamiliar with it, he or she was instructed to respond "N".

The team received 102 completed diskettes. The response diskettes were downloaded to the RiskWatch program which processed the responses to produce a list of vulnerabilities (weaknesses) which were reviewed by the risk analysis team and validated by a review team comprised of VKONTAKTE and NAME managers and technical experts.

Using the validated set of applicable vulnerabilities and a list of assets prepared by the risk analysis team and validated by the Director, NAME, the risk analysis team used the RiskWatch software to determine the applicable threats and annual loss expectancies, and to develop a set of recommended safeguards which, if implemented, could substantially reduce potential losses.

]]]
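The scoring and ranking steps described above, as an added Python example (not the report's own method and not code from the RiskWatch product): each answer is a 0-100 value or "N", answers at or above a cutoff are read as 100, a question whose mean response falls below the 85% threshold is flagged as a potential vulnerability, and annual loss expectancies are then used to rank safeguards by return on investment. The cutoff value, exposure factors, occurrence rates, safeguard costs, question ids and all sample responses are constructed assumptions.

```python
from statistics import mean
FLAG_THRESHOLD = 85     # report: answers below 85% are flagged as potential vulnerabilities
FULL_SCORE_CUTOFF = 85  # "interpret xx% or more as 100"; using 85 for xx is an assumption

def normalize(answer, cutoff=FULL_SCORE_CUTOFF):
    """Map one answer to a 0-100 score, or None for 'N' (not applicable / unfamiliar)."""
    if isinstance(answer, str) and answer.strip().upper() == "N":
        return None
    score = int(answer)
    if not 0 <= score <= 100:
        raise ValueError(f"answer out of range: {answer!r}")
    return 100 if score >= cutoff else score

def score_questions(responses, cutoff=FULL_SCORE_CUTOFF, threshold=FLAG_THRESHOLD):
    """Per question: (mean score, flagged); a question nobody could answer gives (None, False)."""
    result = {}
    for qid, answers in responses.items():
        scores = [s for s in (normalize(a, cutoff) for a in answers) if s is not None]
        if not scores:
            result[qid] = (None, False)
            continue
        avg = mean(scores)
        result[qid] = (avg, avg < threshold)
    return result

def annual_loss_expectancy(asset_value, exposure_factor, annual_rate):
    """ALE = single loss expectancy (asset value x exposure factor) x annual rate of occurrence."""
    return asset_value * exposure_factor * annual_rate

def rank_safeguards(ale_by_threat, safeguards):
    """Rank safeguards [(name, annual_cost, {threat: fraction of ALE removed})] by ROI, best first."""
    ranked = []
    for name, cost, reductions in safeguards:
        saved = sum(ale_by_threat[t] * f for t, f in reductions.items())
        ranked.append((name, round(saved, 2), round((saved - cost) / cost, 2)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)

SAMPLE_RESPONSES = {  # constructed answers with hypothetical question ids, not report data
    "Q1_output_labeling": [40, 60, "N", 90],  # 90 -> 100; mean(40, 60, 100) < 85 -> flagged
    "Q2_remote_terminals": [85, 92, 100],     # all at/above cutoff -> 100, not flagged
    "Q3_unused_area": ["N", "n"],             # nobody could answer -> no score, not flagged
}
SAMPLE_ALE = {  # constructed exposure factors and rates; the $100M asset base is from the report
    "Data Destruction": annual_loss_expectancy(100_000_000, 0.02, 0.5),  # $1,000,000 per year
    "Theft of Assets": annual_loss_expectancy(100_000_000, 0.001, 2.0),  # $200,000 per year
}
SAMPLE_SAFEGUARDS = [  # constructed costs; the names are from the report's safeguard list
    ("Visitor Control", 20_000, {"Theft of Assets": 0.5}),
    ("Property Management", 50_000, {"Theft of Assets": 0.8, "Data Destruction": 0.05}),
]
```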

I. Executive Summary

Scope

This risk analysis was limited to VKONTAKTE Data Center.

[[[Minicomputers and microcomputers were included in the analysis only to the extent they posed a risk to VKONTAKTE.]]]

Risk Analysis Steps

Questionnaire diskettes or network sub-directories were developed containing [[[532]]] questions covering all areas of VKONTAKTE AIS security;

[[[One hundred eleven]]] VKONTAKTE employees and users of VKONTAKTE answered and returned the responses to the questions;

The RiskWatch software determined VKONTAKTE vulnerabilities based on information on diskettes;

Identified vulnerabilities were validated by VKONTAKTE management;

A risk analysis report was prepared.

Key Risk Analysis Report Findings

Assets

[[[

The asset replacement cost for VKONTAKTE is approximately $100M.

Hardware, personnel (government and contractor), and intangibles (reputation) are the major asset categories at VKONTAKTE.

Important assets, such as system software, applications, and databases, can be replaced relatively inexpensively because they are backed up.

]]]

Vulnerabilities

[[[

The risk analysis identified 170 vulnerabilities covering twenty-two vulnerability areas.

VKONTAKTE is most vulnerable in five areas: (see Figure 1)

The labeling and control of output listings.

The security of remote terminals.

The level and extent of security training.

The level of staffing and separation of duties at the DATA CENTER.

The level of training for the identification of Privacy Act records and insufficient labeling of Privacy Act-related materials.

A physical survey of DATA CENTER revealed four fire detection and control vulnerabilities not identified by the questionnaire diskettes (see Chapter VII).

]]]

Threats

[[[

The four most significant threats to VKONTAKTE on an annual basis are: (see Figure 2)

Data Destruction

Misuse of the Computer

Theft of Assets

Data Integrity Loss

]]]

Safeguards

[[[

The safeguards with the greatest return on investment, which are also among the least costly safeguards, are: (see Figure 3)

Property Management

Organizational Structure

Visitor Control

Security Plan

Application Control

]]]
