MINISTRY OF SCIENCE AND HIGHER EDUCATION OF RUSSIA
Saint Petersburg State
Electrotechnical University
"LETI" named after V.I. Ulyanov (Lenin)
Department of Information Security
REPORT
ON LABORATORY WORK No. 10
for the course "Fundamentals of Information Security"
Topic: Studying enterprise security assessment with the Risk Watch software.
Student, group |
|
Instructor |
|
Saint Petersburg
2023
PURPOSE OF THE WORK
Study enterprise security assessment using the Risk Watch software. Automatically generate a report using the context menu.
27/11/23 11:43 AM
FINAL REPORT
Risk Analysis of Avito
Prepared by:
[[[]]] [[[----------------]]] [[[------------------]]]
NAME NAME NAME
Project Manager Asst Project Manager Senior Security Analyst
Risk Analysis Team Risk Analysis Team Risk Analysis Team
TABLE OF CONTENTS
I. Executive Summary
II. Recommendations
Chapter 1 - General Information
1.1 Operational Environment and System Configuration
1.1.1 The Risk Assessment Team
1.1.2 Organizational Details of ETU
1.1.3 Physical Plant and Physical Security
1.1.4 System Configuration
1.2 Terms and Definitions
1.3 Risk Analysis Methodology
1.4 RiskWatch Parameters and Data Analysis
Chapter 2 - Assets
2.1 Summary of Asset Categories
2.2 Assets Listed Within Category
2.2.1 Assets Within Category 1
===
2.2.N Assets Within Category N
Chapter 3 - Threats
3.1 Summary of Threats
3.2 Incidents Involving Each Threat
3.2.1 Incidents Involving Threat 1
===
3.2.N Incidents Involving Threat N
Chapter 4 - Areas of Vulnerability
4.1 Summary of Vulnerabilities
4.2 Question Report
4.2.1 Question Report For Vulnerability Area 1
===
4.2.N Question Report For Vulnerability Area N
4.3 Incidents Linked to Each Vulnerability Area
4.3.1 Incidents Linked To Vulnerability Area 1
===
4.3.N Incidents Linked To Vulnerability Area N
Chapter 5 - Safeguards
5.1 Summary of Safeguards
5.2 Cost-Benefit Analysis Report
5.2.1 Cost-Benefit Analysis Report For Safeguard 1
===
5.2.N Cost-Benefit Analysis Report For Safeguard N
5.3 Incidents Affected by Each Safeguard
5.3.1 Incidents Affected By Safeguard 1
===
5.3.N Incidents Affected By Safeguard N
Appendixes
Appendix A - Assets
Appendix B - Threats
Appendix C - Vulnerability Areas
Appendix D - Safeguards
Chapter 1 - General Introduction
The development of effective plans is a manager's most important responsibility, and the measurement of the compliance of an organization with these plans is essential. For Automated Information Systems (AIS) facilities, one of the most important categories of planning is security planning because of the catastrophic impact that a total shutdown of the AIS facility would have on the entire organization.
A quantitative risk analysis is a tool for measuring the compliance of an organization with applicable security requirements and is a standardized methodology which can be used to analyze a system or organization to identify vulnerabilities that could result in losses. This standardized methodology is based on the interrelationships of four key factors:
1. Asset
Any useful or valuable resource;
2. Vulnerability
Weakness or susceptibility of an asset or a collection of assets to losses of various kinds;
3. Threat
An event, process, or act which, when realized, has an adverse effect on one or more assets; and
4. Safeguard
Countermeasure, control, or action taken to decrease the existing level of vulnerability of an asset to one or more threats.
To facilitate the performance of the risk analysis, ETU acquired a risk analysis system called RiskWatch II for Windows. This PC-based software package, which is available on GSA Schedule, was originally developed for the Department of the Navy; it has been redesigned and rewritten to make it a Windows application and it is currently being used by the Department of Defense, NASA, several State and local governments, and private industry.
The scope of the risk analysis was limited to ETU and threats arising from its environment including all telecommunications links to ETU. The purpose of the risk analysis was to identify the vulnerability of the assets of ETU to a variety of threats and to recommend safeguards which could reduce or eliminate the vulnerability of ETU to these threats.
In some instances, applicable safeguards were 100% implemented, but were not being fully employed by the user community. As a general rule, when such noncompliance with policy within the enterprise occurs, it is frequently because there is a lack of awareness of the security issues; this may result from inadequate security training and enforcement of security requirements.
1.1 Operational Environment and System Configuration
The four sections below, numbered 1.1.1 through 1.1.4, provide detailed information about:
The team responsible for the management of risks within the enterprise;
The organizational details of the enterprise;
The physical plant and measures in place to ensure physical security; and
The configuration of systems that are deemed within the scope of this analysis.
