- Saint Petersburg
- 1.1.1 The Risk Assessment Team
- 1.1.3 Physical Plant and Physical Security
- 1.2.11 Safeguards:
- 1.3 Risk Analysis Methodology
- 1.4 RiskWatch Parameters and Data Analysis
- I. Executive Summary
- II. Recommendations
- 2.2 Assets within category
- 2.1 Summary of asset categories
- Insurance/Bond 0.00 0.0%
- In the tables below, three figures, one for each discount rate, are provided, for each safeguard,
- 5.1 Summary of safeguards
Insurance/Bond 0.00 0.00 0
Life Cycle Management 0.00 0.00 0
Material Segregation 0.00 0.00 0
Monitor System 0.00 0.00 0
New Construction 0.00 0.00 0
Operating Procedures 0.00 0.00 0
OPR for each System 0.00 0.00 0
Organizational Structure 0.00 0.00 0
Passwords/Authentication 0.00 0.00 0
Personnel Clearances 0.00 0.00 0
Personnel Control 0.00 0.00 0
Preventive Maintenance 0.00 0.00 0
Property Management 0.00 0.00 0
Quality Assurance 0.00 0.00 0
Redundant Power 0.00 0.00 0
Review Sens. Applications 0.00 0.00 0
Risk Analysis 0.00 0.00 0
Security Classification 0.00 0.00 0
Security Plan 0.00 0.00 0
Security Policy 0.00 0.00 0
Security Staff 0.00 0.00 0
Safeguard Test & Eval. 0.00 0.00 0
System Validation 0.00 0.00 0
Technical Surveillance 0.00 0.00 0
Tempest Survey 0.00 0.00 0
Training 0.00 0.00 0
Visitor Control 0.00 0.00 0
Water Drainage 0.00 0.00 0
Safeguards B/C-10% ROI-10% PP-10%
Physical Access Control 0.00 0.00 0
Application Controls 0.00 0.00 0
Audit Trails 0.00 0.00 0
Classification Markings 0.00 0.00 0
Contingency Plan 0.00 0.00 0
Contract Specifications 0.00 0.00 0
Data Encryption 0.00 0.00 0
Detection System 0.00 0.00 0
Documentation 0.00 0.00 0
Electrical Power 0.00 0.00 0
Emergency Response 0.00 0.00 0
File/Pgm. Control (DAC) 0.00 0.00 0
Fire Suppression 0.00 0.00 0
Grounding System 0.00 0.00 0
Insurance/Bond 0.00 0.00 0
Life Cycle Management 0.00 0.00 0
Material Segregation 0.00 0.00 0
Monitor System 0.00 0.00 0
New Construction 0.00 0.00 0
Operating Procedures 0.00 0.00 0
OPR for each System 0.00 0.00 0
Organizational Structure 0.00 0.00 0
Passwords/Authentication 0.00 0.00 0
Personnel Clearances 0.00 0.00 0
Personnel Control 0.00 0.00 0
Preventive Maintenance 0.00 0.00 0
Property Management 0.00 0.00 0
Quality Assurance 0.00 0.00 0
Redundant Power 0.00 0.00 0
Review Sens. Applications 0.00 0.00 0
Risk Analysis 0.00 0.00 0
Security Classification 0.00 0.00 0
Security Plan 0.00 0.00 0
Security Policy 0.00 0.00 0
Security Staff 0.00 0.00 0
Safeguard Test & Eval. 0.00 0.00 0
System Validation 0.00 0.00 0
Technical Surveillance 0.00 0.00 0
Tempest Survey 0.00 0.00 0
Training 0.00 0.00 0
Visitor Control 0.00 0.00 0
Water Drainage 0.00 0.00 0
Safeguards B/C-15% ROI-15% PP-15%
Physical Access Control 0.00 0.00 0
Application Controls 0.00 0.00 0
Audit Trails 0.00 0.00 0
Classification Markings 0.00 0.00 0
Contingency Plan 0.00 0.00 0
Contract Specifications 0.00 0.00 0
Data Encryption 0.00 0.00 0
Detection System 0.00 0.00 0
Documentation 0.00 0.00 0
Electrical Power 0.00 0.00 0
Emergency Response 0.00 0.00 0
File/Pgm. Control (DAC) 0.00 0.00 0
Fire Suppression 0.00 0.00 0
Grounding System 0.00 0.00 0
Insurance/Bond 0.00 0.00 0
Life Cycle Management 0.00 0.00 0
Material Segregation 0.00 0.00 0
Monitor System 0.00 0.00 0
New Construction 0.00 0.00 0
Operating Procedures 0.00 0.00 0
OPR for each System 0.00 0.00 0
Organizational Structure 0.00 0.00 0
Passwords/Authentication 0.00 0.00 0
Personnel Clearances 0.00 0.00 0
Personnel Control 0.00 0.00 0
Preventive Maintenance 0.00 0.00 0
Property Management 0.00 0.00 0
Quality Assurance 0.00 0.00 0
Redundant Power 0.00 0.00 0
Review Sens. Applications 0.00 0.00 0
Risk Analysis 0.00 0.00 0
Security Classification 0.00 0.00 0
Security Plan 0.00 0.00 0
Security Policy 0.00 0.00 0
Security Staff 0.00 0.00 0
Safeguard Test & Eval. 0.00 0.00 0
System Validation 0.00 0.00 0
Technical Surveillance 0.00 0.00 0
Tempest Survey 0.00 0.00 0
Training 0.00 0.00 0
Visitor Control 0.00 0.00 0
Water Drainage 0.00 0.00 0
The following table shows the safeguards with the 10 greatest Return on Investment (ROI-10%). Also shown are the Initial and Maintenance Costs of those safeguards. Following the table are barcharts and piecharts of the costs.
Safeguards ROI-10% Initial Cost Maint. Cost
[Chart: INITIAL COSTS]
[Chart: MAINTENANCE COSTS]
SAFEGUARD DEFINITIONS
ACCESS CONTROL - The Access Control safeguard refers to the existence of a verifiable and coordinated access control system. The system can range from simple (key lock systems) to complex (cypher/key card identification systems).
APPLICATION CONTROL STANDARDS - Application control refers to a specific system of controls designed by a team of internal auditors to ensure that universal programming standards, data element dictionaries and record association conventions are maintained.
AUDIT TRAILS - The safeguard of Audit Trails refers to the organization having a fully implemented audit trail capability so that it is simple to track which user was accessing any system at any point in time.
CLASSIFICATION MARKING - The safeguard of Classification Marking refers to having all media and reports containing information which is classified as Classified, Sensitive, or Privacy Act data marked on the top and bottom of each page.
CONTINGENCY PLAN - The Contingency Plan is also known as a Continuity of Operations Plan (COOP), or as a Disaster Recovery Plan; it contains a detailed blueprint of backup procedures to be followed in case of emergency disruption to the ADP facility, as well as a guide to getting the programs operational as quickly as possible.
CONTRACT SPECIFICATIONS - The Contract Specification safeguard refers to the practice of requiring each contractor to include, as a formal contract deliverable, a plan for including appropriate security controls, addressing pertinent threats, and possible loss quantification.
DATA ENCRYPTION - This safeguard involves the application of encipherment techniques to one or more datasets or to data traveling over communications systems.
DETECTION SYSTEM - The Detection System safeguard refers to having a coordinated fire detection/access control violation system which will alert the proper authorities to smoke, heat, water, humidity fluctuations and grounding problems, as well as monitoring any attempt at unauthorized access.
DOCUMENTATION - The Documentation safeguard refers to the need for the organization to provide backup documentation for every file, program, and process, including hard copies retained in a safe location.
ELECTRICAL POWER CONDITIONING - The Electrical Power Conditioning safeguard refers to the establishment of a stable source of electrical power, including consideration of a source of uninterruptible power, backup generators, and phase-balancing to prevent power fluctuations.
EMERGENCY RESPONSE - The Emergency Response safeguard deals with having a detailed guide of how the organization can continue to operate in the event of large scale emergencies, such as chemical spills, civil disobedience, or nuclear mishaps.
FILE/PROGRAM CONTROL - The safeguard of File/Program Control refers to the practice of establishing a system of access controls and authorizations for programs and files based on "need to know".
FIRE SUPPRESSION SYSTEM - The Fire Suppression safeguard refers to the appropriate combination of water and CO2 which should be installed in any ADP facility.
GROUNDING SYSTEM - The Grounding System safeguard refers to provision for proper electrical grounding for all equipment, including lightning arrestors, and a separate grounding system for all signal cables. For sites processing classified information, a local low-resistance ground is required.
INSURANCE - Insurance policies should be considered as a safeguard for situations where other types of safeguards may not be currently available or cost-effective. Financial institutions should consider bonding insurance for key personnel.
LIFE CYCLE MANAGEMENT - The safeguard of Life Cycle Management refers to the adoption of a formal, written plan for all systems, including security and audit controls. This plan should address general management, personnel, organizational, system design, data center management, and computer applications controls.
MATERIAL SEGREGATION - The Material Segregation safeguard refers to the procedure of separating Classified, Sensitive and Privacy Act data from all other material in order to guard against inadvertent disclosure.
MONITOR SYSTEM - The Monitoring System safeguard refers to having an effective system in place which covers checking of remote sites, critical components, and the operational status of various programs and applications, as well as sensitive operational areas.
NEW CONSTRUCTION - The New Construction safeguard covers a variety of considerations which should be reviewed for any new facility. These include, but are not limited to, use of fire retardant and low combustion building materials, use of floor-to-ceiling walls, automatic vent closures, inside hinges on doors and windows, and proper drainage.
OFFICE OF PRIMARY RESPONSIBILITY (OPR) - An Office of Primary Responsibility (OPR) should be designated for each data base, data file, and removable media containing data or programs. The OPR designation is necessary to ensure integrity of data files and accuracy of their contents.
OPERATING PROCEDURES - The safeguard of Operating Procedures refers to having a monitoring program in place in order to determine the effectiveness and efficiency of the system's operating procedures, as well as a method of monitoring that these procedures are continuously upgraded.
ORGANIZATIONAL STRUCTURE - Organizational Structure refers to the safeguard of having the organization not only staffed, but also responsive to the need for redundancy of critical job functions, with the necessary guidelines in place to ensure functional separation of duties.
PASSWORDS - The safeguard of Passwords refers to the organization having an effective policy of user passwords which should be fully implemented for every system.
PERSONNEL CLEARANCE - The Personnel Clearance safeguard refers to having an organizational policy governing personnel clearance in which each individual must have a security clearance of equal or greater classification than the highest level of data processed in the system they are accessing. This safeguard also includes background investigation of all employees.
PERSONNEL CONTROL - The safeguard of Personnel Control refers to the organization having proper procedures for automatic background checks, authority based on "need to know" criteria, as well as a timely method for updating personnel records when individuals are reassigned, transferred or discharged.
PREVENTIVE MAINTENANCE - The Preventive Maintenance safeguard refers to having an effective maintenance program in place which should include all computer hardware, generators, air conditioning equipment, grounding systems, lightning arrestors, fire systems and structural components such as vent closures, floor plates, doors, etc.
PROPERTY MANAGEMENT - The Property Management safeguard refers to the organization having a comprehensive and effective program for property inventory control, allocation and accountability.
QUALITY ASSURANCE - The safeguard of Quality Assurance refers to the formal establishment of a program which will regularly monitor (and find ways to improve) programming quality, user error, communication ability, etc.
REDUNDANT POWER - The safeguard of Redundant Power refers to having a secondary independent source of electrical power to back up the primary power source.
REVIEW OF SENSITIVE APPLICATIONS - The safeguard of Review of Sensitive Applications refers to the need of the organization to conduct a formal risk assessment of each Sensitive Application program on a regular basis.
RISK ANALYSIS - The safeguard of Risk Analysis refers to the organization having recently conducted a formal risk assessment of each major system and application program.
SECURITY CLASSIFICATION - The Security Classification safeguard requires that each activity have policies in place addressing the proper classification of sensitive materials, including a receipt program, and general handling procedures for all sensitive and classified materials.
SECURITY PLAN - The Security Plan refers to the existence of a document which defines the tasks and charges of the security organization, as well as planning the security procedures necessary for the protection of the organization.
SECURITY POLICY - Security Policy refers to the existence of written, defined guidelines which dictate how the organization manages its resources and protects them from both internal and external threats.
SECURITY STAFF - The Security Staff refers to the individuals in the organization who maintain or manage security tasks; in addition to full-time security staff, this includes managers who have part-time security responsibilities for the resources they manage.
SYSTEM SECURITY TEST AND EVALUATION (SST&E) - The safeguard of SST&E (System Security Test and Evaluation) refers to the organization having a formal procedure to test each individual safeguard for effectiveness and accuracy.
SYSTEM VALIDATION - The System Validation safeguard refers to the practice of ensuring that the operating system contains only approved code, and that changes to the operating system are accounted for, are verified, and are transmitted in a secure and acknowledged mode.
TECHNICAL SURVEILLANCE - This safeguard is applicable to Classified environments and refers to a (possibly external) organization that can conduct a survey to identify potential security problems.
TEMPEST SURVEY - This safeguard is applicable to Classified environments and refers to the gathering of information, by inspection or survey, about all instrumentation and sites that store or process classified information.
TRAINING - The Training safeguard refers to the organization having a written, implemented program for security training of new employees, and security awareness programs for current employees.
VISITOR CONTROL - The Visitor Control safeguard refers to ensuring that visitors to a facility are monitored twenty-four hours a day, that an audit trail of visitors exists, and that this official record is maintained for at least two years.
WATER DRAINAGE - The Water Drainage safeguard refers to ensuring that the facility is equipped with a drainage system so that water from broken pipes, water from activated sprinkler systems or water used in fire fighting can be easily and effectively drained from the facility.
The section below looks at each safeguard and indicates, for each threat, the ALE before and after the safeguard is implemented. The overall ALE for a threat is the sum of the ALEs for each of the associated incidents. The percentage by which the ALE is reduced by the safeguard is also indicated.
The next section contains a table indicating, for each safeguard, the ALE before (Original ALE) and after the safeguard is implemented.
Safeguard: Physical Access Control
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Application Controls
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Audit Trails
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Classification Markings
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Contingency Plan
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Contract Specifications
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Data Encryption
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Detection System
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Documentation
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Electrical Power
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Emergency Response
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: File/Pgm. Control (DAC)
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Fire Suppression
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Grounding System
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Insurance/Bond
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Life Cycle Management
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Material Segregation
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Monitor System
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: New Construction
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Operating Procedures
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: OPR for each System
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Organizational Structure
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Passwords/Authentication
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Personnel Clearances
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Personnel Control
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Preventive Maintenance
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Property Management
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Quality Assurance
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Redundant Power
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Review Sens. Applications
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Risk Analysis
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Security Classification
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Security Plan
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Security Policy
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Security Staff
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Safeguard Test & Eval.
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: System Validation
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Technical Surveillance
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Tempest Survey
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Training
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Visitor Control
Threat Original ALE ALE with Safeguard Percentage Drop
Safeguard: Water Drainage
Threat Original ALE ALE with Safeguard Percentage Drop
The following is a table indicating, for each safeguard, the ALE before (Original ALE) and after the safeguard is implemented (ALE with Safeguard). This table also indicates the difference between the two ALE values.
Also shown is a barchart that provides a visual presentation of the difference in ALE for each safeguard.
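The arithmetic behind the per-safeguard threat tables and this summary table, worked through as an added illustration (not RiskWatch output or code); the threat names, incident names and dollar figures are constructed sample values, and the zero-ALE row shows why the Percentage Drop column is undefined when the Original ALE is $0, as in every row above.

```python
"""Per-safeguard ALE reduction, following the report's definitions:
the ALE for a threat is the sum of the ALEs of its incidents, the
Percentage Drop compares ALE before and after the safeguard, and the
summary row reports Original ALE, ALE with Safeguard and Difference.
All figures below are constructed sample values (assumption)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    threat: str
    name: str
    ale_before: float  # annualized loss expectancy before the safeguard
    ale_after: float   # ALE once the safeguard is in place


# Constructed sample incidents for one hypothetical safeguard (assumption).
# The last incident has no loss either way, which is the case of every
# row in the report's tables above.
SAMPLE_INCIDENTS = [
    Incident("Fire", "server room fire", 12_000.0, 3_000.0),
    Incident("Fire", "smoke damage to media", 4_000.0, 1_000.0),
    Incident("Unauthorized Access", "data disclosure", 20_000.0, 5_000.0),
    Incident("Power Failure", "unplanned outage", 0.0, 0.0),
]


def threat_ale(incidents, field):
    """Overall ALE per threat: the sum of the ALEs of its incidents.
    `field` selects 'ale_before' or 'ale_after'."""
    totals = {}
    for inc in incidents:
        totals[inc.threat] = totals.get(inc.threat, 0.0) + getattr(inc, field)
    return totals


def percentage_drop(before, after):
    """Percentage by which the safeguard reduces the ALE, rounded to 0.1.
    A zero Original ALE makes the ratio undefined; return None instead of
    dividing by zero, so a caller can print a blank rather than a bogus 0."""
    if before == 0:
        return None
    return round((before - after) / before * 100.0, 1)


def safeguard_table(incidents):
    """Rows of the per-safeguard table:
    (Threat, Original ALE, ALE with Safeguard, Percentage Drop)."""
    before = threat_ale(incidents, "ale_before")
    after = threat_ale(incidents, "ale_after")
    return [(t, before[t], after[t], percentage_drop(before[t], after[t]))
            for t in before]


def safeguard_summary(incidents):
    """One row of the summary table:
    (Original ALE, ALE with Safeguard, Difference) across all threats."""
    original = sum(i.ale_before for i in incidents)
    with_safeguard = sum(i.ale_after for i in incidents)
    return original, with_safeguard, original - with_safeguard


def format_dollars(value):
    """Whole dollars with the trailing period used in the report's tables."""
    return f"${value:,.0f}."


if __name__ == "__main__":
    print("Threat | Original ALE | ALE with Safeguard | Percentage Drop")
    for threat, orig, after, drop in safeguard_table(SAMPLE_INCIDENTS):
        drop_text = "n/a" if drop is None else f"{drop}%"
        print(f"{threat} | {format_dollars(orig)} | "
              f"{format_dollars(after)} | {drop_text}")
    orig, after, diff = safeguard_summary(SAMPLE_INCIDENTS)
    print("Summary |", format_dollars(orig), "|",
          format_dollars(after), "|", format_dollars(diff))
```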
Safeguard Original ALE ALE with Safeguard Difference
Physical Access Control $0. $0. $0.
Application Controls $0. $0. $0.
Audit Trails $0. $0. $0.
Classification Markings $0. $0. $0.
Contingency Plan $0. $0. $0.
Contract Specifications $0. $0. $0.
Data Encryption $0. $0. $0.
Detection System $0. $0. $0.
Documentation $0. $0. $0.
Electrical Power $0. $0. $0.
Emergency Response $0. $0. $0.
File/Pgm. Control (DAC) $0. $0. $0.
Fire Suppression $0. $0. $0.
Grounding System $0. $0. $0.
Insurance/Bond $0. $0. $0.
Life Cycle Management $0. $0. $0.
Material Segregation $0. $0. $0.
Monitor System $0. $0. $0.
New Construction $0. $0. $0.
Operating Procedures $0. $0. $0.
OPR for each System $0. $0. $0.
Organizational Structure $0. $0. $0.
Passwords/Authentication $0. $0. $0.
Personnel Clearances $0. $0. $0.
Personnel Control $0. $0. $0.
Preventive Maintenance $0. $0. $0.
Property Management $0. $0. $0.
Quality Assurance $0. $0. $0.
Redundant Power $0. $0. $0.
Review Sens. Applications $0. $0. $0.
Risk Analysis $0. $0. $0.
Security Classification $0. $0. $0.
Security Plan $0. $0. $0.
Security Policy $0. $0. $0.
Security Staff $0. $0. $0.
Safeguard Test & Eval. $0. $0. $0.
System Validation $0. $0. $0.
Technical Surveillance $0. $0. $0.
Tempest Survey $0. $0. $0.
Training $0. $0. $0.
Visitor Control $0. $0. $0.
Water Drainage $0. $0. $0.
QUESTION CATEGORY REPORT
FOR QUESTION CATEGORY ADP Centers
1. AC 5 - Controls on Media
The organization has implemented procedures and controls to preclude access to removable tape and disk files in order to prevent unauthorized users and programs from accessing, reading, modifying or damaging data on these media?
Vulnerability Category: Access Control
Number of Answers: 3 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
2. ACC 6 - Individual Identification
Each individual user is assigned a unique identification number and password?
Vulnerability Category: Accountability
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
3. ACC 5 - Control over material and equipment
There is continuous accountability and control for all equipment and materials maintained in the computer facility or that are released or transferred from the facility?
Vulnerability Category: Accountability
Number of Answers: 3 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
4. ACC 6 - Individual Identification
Each individual user is assigned a unique identification number and password?
Vulnerability Category: Accountability
Number of Answers: 2 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
5. COMPL 6 - Verification of Authenticity of Software
The authenticity of the software is verified by comparing the registry or shipment number with the information contained in the communications from the originator?
Vulnerability Category: Compliance
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
6. COMPL 4 - Verification of Markings/Expectations
Users are required to verify that the information in their files and reports is in accordance with the markings and expectations?
Vulnerability Category: Compliance
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
7. COMPL 5 - Matching Configuration to Environment
The system is configured in a manner to clearly indicate a particular security environment?
Vulnerability Category: Compliance
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
8. COMPL 6 - Verification of Authenticity of Software
The authenticity of the software is verified by comparing the registry or shipment number with the information contained in the communications from the originator?
Vulnerability Category: Compliance
Number of Answers: 2 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
9. COMPL 4 - Verification of Markings/Expectations
Users are required to verify that the information in their files and reports is in accordance with the markings and expectations?
Vulnerability Category: Compliance
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
10. COMPL 5 - Matching Configuration to Environment
The system is configured in a manner to clearly indicate a particular security environment?
Vulnerability Category: Compliance
Number of Answers: 2 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
11. COMPL 4 - Verification of Markings/Expectations
Users are required to verify that the information in their files and reports is in accordance with the markings and expectations?
Vulnerability Category: Compliance
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
12. C.PLAN 7 - Fireproof Storage Facilities
The disaster recovery plan provides for local storage of magnetic media and other documentation in metal or other fire retardant cabinets within the facility?
Vulnerability Category: Contingency Plan
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 1 Not Applicable: 0
13. C.PLAN 8 - Alternate Sites
The disaster recovery plan provides for an alternate site containing compatible equipment?
Vulnerability Category: Contingency Plan
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 1
14. C.PLAN 6 - Duplication of Systems
The disaster recovery plan provides for duplicate system programs, start-up programs, and data base backups?
Vulnerability Category: Contingency Plan
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 1
15. C.PLAN 7 - Fireproof Storage Facilities
The disaster recovery plan provides for local storage of magnetic media and other documentation in metal or other fire retardant cabinets within the facility?
Vulnerability Category: Contingency Plan
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 1 Not Applicable: 0
16. C.PLAN 8 - Alternate Sites
The disaster recovery plan provides for an alternate site containing compatible equipment?
Vulnerability Category: Contingency Plan
Number of Answers: 2 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 2
17. C.PLAN 6 - Duplication of Systems
The disaster recovery plan provides for duplicate system programs, start-up programs, and data base backups?
Vulnerability Category: Contingency Plan
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 1
18. C.PLAN 5 - Plans for Computer Failure
The organization has viable plans for recovery in the event of computer failure?
Vulnerability Category: Contingency Plan
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
19. C.PLAN 6 - Duplication of Systems
The disaster recovery plan provides for duplicate system programs, start-up programs, and data base backups?
Vulnerability Category: Contingency Plan
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 1
20. C.PLAN 5 - Plans for Computer Failure
The organization has viable plans for recovery in the event of computer failure?
Vulnerability Category: Contingency Plan
Number of Answers: 2 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
21. C.PLAN 7 - Fireproof Storage Facilities
The disaster recovery plan provides for local storage of magnetic media and other documentation in metal or other fire retardant cabinets within the facility?
Vulnerability Category: Contingency Plan
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 1 Not Applicable: 0
22. D.INTEG 2 - Data Validation in Media Transfer
Sufficient controls exist to ensure that data is validated at each point as it moves from one medium to another?
Vulnerability Category: Data Integrity
Number of Answers: 3 Below 11% threshold: 0 Don't Know: 3 Not Applicable: 0
23. DISC 1 - Hiding Passwords when Entered
The user password is hidden (not displayed) when it is typed into the system to protect password information?
Vulnerability Category: Disclosure
Number of Answers: 2 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
24. DISC 2 - Maintenance Personnel
All personnel who service and maintain the computer and its support systems are properly cleared or monitored by well qualified escorts?
Vulnerability Category: Disclosure
Number of Answers: 3 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
25. DISC 1 - Hiding Passwords when Entered
The user password is hidden (not displayed) when it is typed into the system to protect password information?
Vulnerability Category: Disclosure
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
26. EVAL 5 - Risk Analysis for new Installations
A risk analysis is performed prior to the approval of design specifications for new computer installations?
Vulnerability Category: Evaluation
Number of Answers: 2 Below 11% threshold: 0 Don't Know: 2 Not Applicable: 0
27. EVAL 3 - Design Reviews on Applications
An official design review has been conducted, documented and maintained for each operating application?
Vulnerability Category: Evaluation
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 1 Not Applicable: 0
28. EVAL 6 - Risk Analysis on Changes to Software/Hardware
A risk analysis is performed whenever there is a major change to facility software?
Vulnerability Category: Evaluation
Number of Answers: 3 Below 11% threshold: 0 Don't Know: 3 Not Applicable: 0
29. EVAL 3 - Design Reviews on Applications
An official design review has been conducted, documented and maintained for each operating application?
Vulnerability Category: Evaluation
Number of Answers: 2 Below 11% threshold: 0 Don't Know: 2 Not Applicable: 0
30. EVAL 4 - Determining Criticality
Criticality determinations are made for all data maintained on the system?
Vulnerability Category: Evaluation
Number of Answers: 3 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 3
31. EVAL 5 - Risk Analysis for new Installations
A risk analysis is performed prior to the approval of design specifications for new computer installations?
Vulnerability Category: Evaluation
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 1 Not Applicable: 0
32. EVAL 3 - Design Reviews on Applications
An official design review has been conducted, documented and maintained for each operating application?
Vulnerability Category: Evaluation
Respondent(s) did not answer this question.
33. MAINT 4 - Media Cleaning and Maintenance
The organization has an effective magnetic media maintenance system to ensure that the media are clean, error-free and properly labeled internally and externally in a manner that indicates use, content, classification and restrictions?
Vulnerability Category: Maintenance
Respondent(s) did not answer this question.
34. MAINT 5 - Quarterly Printer Maintenance
Printers are serviced on a quarterly maintenance schedule to assure continued, trouble-free operation?
Vulnerability Category: Maintenance
Number of Answers: 3 Below 11% threshold: 0 Don't Know: 3 Not Applicable: 0
35. MAINT 4 - Media Cleaning and Maintenance
The organization has an effective magnetic media maintenance system to ensure that the media are clean, error-free and properly labeled internally and externally in a manner that indicates use, content, classification and restrictions?
Vulnerability Category: Maintenance
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
36. MAINT 2 - Labeling Electrical Switches etc.
All switches, control panels and circuit breaker panels are adequately labeled to indicate the specific functions, outlets and/or equipment they support?
Vulnerability Category: Maintenance
Respondent(s) did not answer this question.
37. MAINT 4 - Media Cleaning and Maintenance
The organization has an effective magnetic media maintenance system to ensure that the media are clean, error-free and properly labeled internally and externally in a manner that indicates use, content, classification and restrictions?
Vulnerability Category: Maintenance
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
38. MAINT 3 - Preventative Maintenance
Preventive maintenance of ADP equipment is performed according to published schedules?
Vulnerability Category: Maintenance
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 1 Not Applicable: 0
39. MAINT 4 - Media Cleaning and Maintenance
The organization has an effective magnetic media maintenance system to ensure that the media are clean, error-free and properly labeled internally and externally in a manner that indicates use, content, classification and restrictions?
Vulnerability Category: Maintenance
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
40. MAINT 3 - Preventative Maintenance
Preventive maintenance of ADP equipment is performed according to published schedules?
Vulnerability Category: Maintenance
Number of Answers: 2 Below 11% threshold: 0 Don't Know: 2 Not Applicable: 0
41. MAINT 2 - Labeling Electrical Switches etc.
All switches, control panels and circuit breaker panels are adequately labeled to indicate the specific functions, outlets and/or equipment they support?
Vulnerability Category: Maintenance
Number of Answers: 3 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
42. ORG 4 - Separation of Duties
Critical computer systems and functions are protected by separation of duties and other internal controls?
Vulnerability Category: Organization
Number of Answers: 3 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
43. POL 7 - Testing of Changes to Software
System and application software changes and new releases are always tested, using procedures pre-approved by the security or internal audit functions, before being placed into operational service?
Vulnerability Category: Policy
Number of Answers: 3 Below 11% threshold: 3 Don't Know: 0 Not Applicable: 0
44. PROC 7 - Operating Procedures to Minimize Errors
The organization has viable system operating procedures in order to minimize errors in databases, program execution, communications and data entry?
Vulnerability Category: Procedures
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
45. PROC 5 - Protecting Operational Data during Testing
Only test data or copies of operational data files are used in the testing of programs?
Vulnerability Category: Procedures
Number of Answers: 2 Below 11% threshold: 2 Don't Know: 0 Not Applicable: 0
46. PROC 7 - Operating Procedures to Minimize Errors
The organization has viable system operating procedures in order to minimize errors in databases, program execution, communications and data entry?
Vulnerability Category: Procedures
Respondent(s) did not answer this question.
47. PROC 5 - Protecting Operational Data during Testing
Only test data or copies of operational data files are used in the testing of programs?
Vulnerability Category: Procedures
Number of Answers: 1 Below 11% threshold: 1 Don't Know: 0 Not Applicable: 0
48. PROC 7 - Operating Procedures to Minimize Errors
The organization has viable system operating procedures in order to minimize errors in databases, program execution, communications and data entry?
Vulnerability Category: Procedures
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
49. PROC 6 - Input/Output Controls for Data/Printouts/Media
The organization and site have effective and verifiable input and output control systems to ensure that only authorized and validated data are entered, and that printouts and other media are provided only to authorized individuals?
Vulnerability Category: Procedures
Number of Answers: 3 Below 11% threshold: 3 Don't Know: 0 Not Applicable: 0
50. PROC 7 - Operating Procedures to Minimize Errors
The organization has viable system operating procedures in order to minimize errors in databases, program execution, communications and data entry?
Vulnerability Category: Procedures
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
51. REL 3 - Training to Reduce Data Errors
The training provided to operators and users is current and sufficient to minimize most data entry errors and to reduce the likelihood of data contamination and destruction?
Vulnerability Category: Reliability
Number of Answers: 1 Below 11% threshold: 1 Don't Know: 0 Not Applicable: 0
52. REL 2 - Mainframe Reliability and Availability
The mainframe computer system is reliable and provides maximum availability, response time and support to the users?
Vulnerability Category: Reliability
Number of Answers: 2 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
53. REL 3 - Training to Reduce Data Errors
The training provided to operators and users is current and sufficient to minimize most data entry errors and to reduce the likelihood of data contamination and destruction?
Vulnerability Category: Reliability
Respondent(s) did not answer this question.
54. REL 2 - Mainframe Reliability and Availability
The mainframe computer system is reliable and provides maximum availability, response time and support to the users?
Vulnerability Category: Reliability
Number of Answers: 1 Below 11% threshold: 0 Don't Know: 0 Not Applicable: 0
55. REL 3 - Training to Reduce Data Errors
The training provided to operators and users is current and sufficient to minimize most data entry errors and to reduce the likelihood of data contamination and destruction?
Vulnerability Category: Reliability
Number of Answers: 1 Below 11% threshold: 1 Don't Know: 0 Not Applicable: 0
56. REL 2 - Mainframe Reliability and Availability
The mainframe computer system is reliable and provides maximum availability, response time and support to the users?
Vulnerability Category: Reliability
Respondent(s) did not answer this question.
57. REL 3 - Training to Reduce Data Errors
The training provided to operators and users is current and sufficient to minimize most data entry errors and to reduce the likelihood of data contamination and destruction?
Vulnerability Category: Reliability
Number of Answers: 1 Below 11% threshold: 1 Don't Know: 0 Not Applicable: 0
58. TRAIN 6 - User Familiarization Training
The organization has a user familiarization and training program in effect?
Vulnerability Category: Training
Number of Answers: 3 Below 11% threshold: 3 Don't Know: 0 Not Applicable: 0
RESPONDENT REPORT
Legend:
* - Below Threshold value: 11
FOR RESPONDENT Nelly
1. AC 2 - Security Notified of Employee Transfer or Termination
Answer: 5*
2. ACC 1 - Adequate Accountability Control
Answer: 6*
3. ACC 2 - Securing Copying Facilities
Answer: 5*
4. ACC 3 - Continuous Accountability
Answer: 6*
5. ACC 4 - Written Accountability Policy
Answer: 5*
6. ADMIN 1 - Security Program and Staff
Answer: 6*
7. ADMIN 2 - Analysis of Operational Problems
Answer: 5*
8. AUD.TR 1 - Maintain Investigation Reports
Answer: 6*
9. COMPL 1 - Act on Audit Review Concerns
Answer: 5*
10. COMPL 2 - Training for Awareness
Answer: 6*
11. COMPL 3 - Investigate Incidents
Answer: 5*
12. C.PLAN 1 - Backup Personnel
Answer: 6*
13. C.PLAN 2 - Distribute Emergency Instructions
Answer: 5*
14. C.PLAN 3 - Periodic Testing of Plans and Equipment
Answer: 6*
15. C.PLAN 4 - Existence of Plan
Answer: 6*
16. D.INTEG 1 - Existence of Data Security Policy
Answer: 66
17. DOC 1 - Security Testing Records
Answer: 77
18. EM.RESP 1 - Evacuation Plan
Answer: 63
19. EVAL 1 - Annual Security Audit
Answer: 66
20. EVAL 2 - Risk Analysis
Answer: Don't Know
21. FIRE 1 - Existence of Fire Control Plan
Answer: Don't Know
22. FIRE 2 - Separate Storage of Hazardous Material
Answer: Don't Know
23. FIRE 3 - Inspection Schedule
Answer: 66
24. MAINT 1 - Equipment Operation
Answer: 6*
25. ORG 1 - Centralized Purchasing Authority
Answer: 4*
26. ORG 2 - Security Organization
Answer: 4*
27. ORG 3 - Internal Audit
Answer: 5*
28. POL 1 - Life Cycle Management
Answer: 4*
29. POL 2 - Acquisition of Hardware and Software
Answer: 5*
30. POL 3 - Personnel Background Checks
Answer: 5*
31. POL 4 - SSO Reporting
Answer: 4*
32. POL 5 - Security Policy
Answer: 55
33. POL 6 - Security Organization
Answer: 5*
34. PRIV.ACT 1 - Confidentiality Policy
Answer: 4*
35. PROC 1 - Inspection of Goods
Answer: 4*
36. PROC 2 - Badges
Answer: 5*
37. PROC 3 - Operating Procedures
Answer: 6*
38. PROC 4 - Escorting Visitors
Answer: 8*
39. REL 1 - Waterproof Coverings for Computer Equipment
Answer: 6*
40. TRAIN 1 - Training Budget
Answer: 4*
41. TRAIN 2 - Technological Training
Answer: 5*
42. TRAIN 3 - All Personnel made Aware of Data Security
Answer: 6*
43. TRAIN 4 - Immediate Awareness Training
Answer: 5*
44. TRAIN 5 - QA and Performance Program
Answer: 4*
45. AC 34 - Visitor Logs
Answer: 5*
46. AC 35 - Authorized Access
Answer: 55
47. ADMIN 6 - Background Check for New Employees
Answer: 5*
48. ADMIN 7 - Tracking Personnel Documents
Answer: 4*
49. ADMIN 8 - Benefits for Permanent Employees
Answer: 5*
50. ADMIN 9 - Pay Raises
Answer: 4*
51. COMPL 18 - Performance Raises
Answer: 5*
52. COMPL 19 - Personnel Files
Answer: 4*
53. ORG 8 - Vacancies Filled
Answer: 55
54. ORG 9 - Automating Human Resource Management
Answer: 55
55. POL 17 - Fair Promotion Practices
Answer: 6*
56. POL 18 - Compensation Packages
Answer: 7*
57. POL 19 - Conflict of Interest Awareness
Answer: 5*
58. POL 20 - Retirement Plan
Answer: 7*
59. POL 21 - Promotions from Within Organization
Answer: 6*
60. PROC 21 - Procedures for Documentation Requirements
Answer: 5*
61. PROC 22 - Screening Candidates
Answer: 66
62. PROC 23 - Procedures to Stop Rehiring Previously Terminated (for Cause) Employees
Answer: 77
63. TRAIN 10 - New Employee Orientation
Answer: 66
64. TRAIN 11 - Safety Training
Answer: 77
65. TRAIN 12 - Technical Training and Grievance Procedures
Answer: 66
66. AC 36 - Access Control Defined for Individuals and/or Groups
Answer: 55
67. AC 37 - Furthering Access Rights
Answer: 64
68. AC 38 - RACF Profiles
Answer: 4*
69. AC 39 - RACF and TSO User Information
Answer: 4*
70. AC 40 - RACF and Data
Answer: Not Applicable
71. AC 41 - Spooled Environment
Answer: Not Applicable
72. AC 42 - Initial Passwords
Answer: Don't Know
73. AC 43 - Nature of Passwords
Answer: Don't Know
74. AC 44 - Changing Passwords
Answer: Don't Know
75. AC 45 - Authorizing Access to Files
Answer: Don't Know
76. ACC 19 - Tracking Sensitive Output
Answer: Don't Know
77. ACC 20 - Separation of Duties
Answer: Don't Know
78. AUD.TR 2 - Trail to include File Names
Answer: Don't Know
79. AUD.TR 3 - Individual Auditability
Answer: 55
80. AUD.TR 4 - Linking Users to Actions
Answer: 5*
81. COMPL 20 - Incident Investigation
Answer: 5*
82. COMPL 21 - Front Cover of Sensitive Listings
Answer: 5*
83. COMPL 22 - User Clearances
Answer: 5*
84. COMPL 23 - Physical Security Requirements
Answer: 5*
85. C.PLAN 9 - Provisions for Sensitive Material on Evacuation
Answer: 5*
86. DISC 14 - Need for Two Persons
Answer: 6*
87. DISC 15 - Sensitive Output Distribution
Answer: 7*
88. DISC 16 - Communications Links Requirements
Answer: 4*
89. DISC 17 - Sensitivity Determination for All Data
Answer: 6*
90. DISC 18 - Requirements for Unescorted Access
Answer: 5*
91. DISC 19 - Role of Office of Primary Responsibility
Answer: 6*
92. DISC 20 - Verifying Requests
Answer: 6*
93. DISC 21 - Control of Removable Media
Answer: 6*
94. DISC 22 - Customer Awareness of Overall Classification
Answer: 6*
95. DISC 23 - After-hours Removal of Sensitive Material
Answer: 4*
96. DISC 24 - User Awareness of Discrepancy Reporting
Answer: 44
97. DISC 25 - Receipts Issued
Answer: 44
98. DISC 26 - Customer Receipts
Answer: 55
99. DISC 27 - Customer Review
Answer: 23
100. DISC 28 - Testing Tapes for Reusability
Answer: 44
101. DISC 29 - Operations Personnel Awareness
Answer: 55
102. DISC 30 - Protecting System Tapes
Answer: 6*
103. DISC 31 - Restricted Access to Written Records
Answer: 5*
104. DISC 32 - Telephone Enquiries
Answer: 6*
105. DISC 33 - Degaussing Media
Answer: 5*
106. DISC 34 - No Public Discussion
Answer: 6*
107. DOC 3 - Manufacturer's Statement on Protection
Answer: 5*
108. DOC 4 - Summary of Protection Mechanisms
Answer: 6*
109. DOC 5 - System Administration Manual
Answer: 5*
110. EVAL 9 - Boundary Maintenance
Answer: 44
111. LABEL 5 - Utility for Printer Direction Labeling
Answer: 33
112. LABEL 6 - Storage Devices Labeled
Answer: 44
113. LABEL 7 - Output is Labeled
Answer: 33
114. LABEL 8 - Universal System Labeling Utility Available
Answer: 44
115. LABEL 9 - System Labeling Utility Available
Answer: 22
116. PRIV.ACT 2 - Media Labeling
Answer: 33
117. PRIV.ACT 3 - Appointment of Officer
Answer: 44
118. PRIV.ACT 4 - Relevant markings are System Generated
Answer: 23
119. PRIV.ACT 5 - Duties of Privacy Act Officer
Answer: 24
120. PRIV.ACT 6 - Procedures to Enforce Local Regulations
Answer: 24
121. PROC 24 - Challenge Unescorted Visitors
Answer: 33
122. PROC 25 - Escort Procedures
Answer: 33
123. REL 13 - Periodic Validation of Hardware and Firmware
Answer: 33
124. REL 14 - Testing Security Mechanisms
Answer: 33
125. REL 15 - Operating System free from Tampering
Answer: 33
126. TRAIN 13 - Group Course for Security Staff
Answer: 33
127. AC 3 - Authorizing Access
Answer: 6*
128. AC 4 - Visitor Logs
Answer: 5*
129. AC 5 - Controls on Media
Answer: 45
130. ACC 5 - Control over material and equipment
Answer: 54
131. ACC 6 - Individual Identification
Answer: 56
132. COMPL 4 - Verification of Markings/Expectations
Answer: 67
133. COMPL 5 - Matching Configuration to Environment
Answer: 55
134. COMPL 6 - Verification of Authenticity of Software
Answer: 36
135. C.PLAN 5 - Plans for Computer Failure
Answer: 55
136. C.PLAN 6 - Duplication of Systems
Answer: Not Applicable
137. C.PLAN 7 - Fireproof Storage Facilities
Answer: Don't Know
138. C.PLAN 8 - Alternate Sites
Answer: Not Applicable
139. D.INTEG 2 - Data Validation in Media Transfer
Answer: Don't Know
140. DISC 1 - Hiding Passwords when Entered
Answer: 56
141. DISC 2 - Maintenance Personnel
Answer: 77
142. EVAL 3 - Design Reviews on Applications
Answer: Don't Know
143. EVAL 4 - Determining Criticality
Answer: Not Applicable
144. EVAL 5 - Risk Analysis for new Installations
Answer: Don't Know
145. EVAL 6 - Risk Analysis on Changes to Software/Hardware
Answer: Don't Know
146. MAINT 2 - Labeling Electrical Switches etc.
Answer: 44
147. MAINT 3 - Preventative Maintenance
Answer: Don't Know
148. MAINT 4 - Media Cleaning and Maintenance
Answer: 44
149. MAINT 5 - Quarterly Printer Maintenance
Answer: Don't Know
150. ORG 4 - Separation of Duties
Answer: 44
151. POL 7 - Testing of Changes to Software
Answer: 4*
152. PROC 5 - Protecting Operational Data during Testing
Answer: 4*
153. PROC 6 - Input/Output Controls for Data/Printouts/Media
Answer: 4*
154. PROC 7 - Operating Procedures to Minimize Errors
Answer: 65
155. REL 2 - Mainframe Reliability and Availability
Answer: 56
156. REL 3 - Training to Reduce Data Errors
Answer: 7*
157. TRAIN 6 - User Familiarization Training
Answer: 7*
158. AC 6 - Access only to Relevant Data
Answer: 76
159. AC 7 - Program Fund Diversion Control
Answer: 79
160. AC 9 - Access only to Relevant Systems and Applications
Answer: 44
161. ACC 7 - Control Access to Forms
Answer: 34
162. ACC 8 - Securing Negotiable Instruments
Answer: 23
163. APPL 1 - Securing Site-Specific Applications
Answer: 32
164. COMPL 7 - Policy Violation Action and Reporting
Answer: 12
165. COMPL 8 - Review Reports of Policy Violation
Answer: 11
166. ORG 5 - Federal Reporting Requirements
Answer: 10*
167. POL 8 - Staff Responsible for Security Incident Follow-up
Answer: 100
168. POL 9 - Work Area Security Procedures Prescribed
Answer: 56
169. POL 10 - Employee Data Security Affirmation
Answer: 45
170. PROC 8 - Remote Facility Security Responsibility
Answer: 67
171. PROC 9 - Reporting Security Abnormalities
Answer: 22
172. TRAIN 7 - Program Security Rep. Awareness
Answer: Don't Know
173. TRAIN 8 - Office of Data Security Awareness
Answer: Don't Know
174. AC 10 - Formal requests for access to Classified Files
Answer: Not Applicable
175. COMPL 9 - Annually Verified Inventories of Classified Devices
Answer: Don't Know
176. DISC 3 - Timely Disconnection of Dial-up Access
Answer: 34
177. DISC 4 - AUTODIN interfacing
Answer: 33
178. DISC 5 - Semi-Annually Verified Inventories of Classified Devices
Answer: 22
179. DISC 6 - Guidelines for De-classifying Equipment
Answer: 45
180. DISC 7 - Full requirements for De-classifying ADP Equipment
Answer: 66
181. DISC 8 - Erasing Magnetic Media
Answer: 76
182. DISC 9 - Working Papers Appropriately Marked
Answer: 66
183. EVAL 7 - Handling STE Results
Answer: 66
184. LABEL 1 - Marking Printed Listings
Answer: 77
185. TEMP 1 - TEMPEST evaluation
Answer: 76
186. TEMP 2 - TEMPEST Compliance
Answer: 55
187. TEMP 3 - TEMPEST applied to ADP equipment
Answer: 78
188. AC 32 - Changing Passwords
Answer: 70
189. ACC 17 - Data File Accountability
Answer: 100
190. DISC 12 - Protect Network System Files
Answer: Not Applicable
191. DOC 2 - Secure Unused Documentation
Answer: Don't Know
192. FIRE 22 - Adequate Fire Protection for Network Facilities
Answer: 33
193. POL 14 - Written Policy for Backup
Answer: 44
194. AC 11 - Mission-critical AIS Resources
Answer: 5*
195. AC 12 - Insecurity of Dial-up Comms
Answer: 3*
196. AC 13 - Precautions for Network Protection
Answer: 5*
197. AC 14 - Use Passwords for Network Access
Answer: 35
198. AC 15 - Secure Location for Comms Equipment
Answer: 63
199. ACC 10 - Unique Identification of Comms lines
Answer: 22
200. ADMIN 3 - Prior Written consent for Network Interconnection
Answer: 45
201. D.INTEG 3 - Use of Error Checking on Comms Systems
Answer: 22
202. DISC 10 - Public Comms and Sensitive Data
Answer: 4*
203. EVAL 8 - Approval for new Comms Links
Answer: 34
204. POL 11 - Management Approval for Network Systems
Answer: 35
205. REL 4 - Log-in Data Maintenance
Answer: 36
206. REL 5 - Comms Equipment Location
Answer: 79
207. ADMIN - Establish Risk Management
Answer: Don't Know
208. COMPL - Perform Detailed Risk Analysis
Answer: Not Applicable
209. PROC - Risk Analysis of Environment
Answer: Don't Know
210. REL - Risk Analysis of Hardware
Answer: Not Applicable
211. REL - Risk Analysis of all Interconnections.
Answer: Don't Know
212. POL - Susceptibility to Each Risk
Answer: Not Applicable
213. POL - Definition of "Terms of Sale"
Answer: Don't Know
214. POL - Trading Partner Coordination
Answer: Not Applicable
215. REL - Official Records
Answer: Don't Know
216. PROC - Detect Conflicts
Answer: 44
217. REL - Requirements for Timely Processing
Answer: 45
218. AUD.TR - Audit Trail Effectiveness
Answer: 46
219. D.INTEG - Minimize Data Flow Uncertainty
Answer: 55
220. D.INTEG - Detecting Transaction Changes
Answer: 55
221. AC - Authorized Access
Answer: 55
222. AC - Technological & Procedural Controls
Answer: 44
223. PROC - Prevention of Wiretapping
Answer: 44
224. C.PLAN - Protective Measures
Answer: 33
225. D.INTEG - Name of Message Originator
Answer: 22
226. ACC - Stronger Authentication
Answer: 11
227. C.PLAN - Contingency Plans Developed
Answer: 12
228. POL - Record of Electronic Messages.
Answer: 12
229. D.INTEG - Controls of Unauthorized Modification
Answer: 12
230. AUD.TR - Audit Trail of all Modifications
Answer: 12
231. AUD.TR - Audit Trail Id/Date/Time/Activity
Answer: 12
232. ACC
Answer: 2*
233. PROC - Transaction Agreement
Answer: 1*
234. PROC - Authentication Mechanisms Agreement
Answer: 2*
235. PROC - Message Verification
Answer: 1*
236. COMPL - Digital Signatures Requirement
Answer: 2*
237. APPL - Digital Signature Requirements
Answer: 12
238. DISC - Cryptography When Cost Effective
Answer: 22
239. POL - Non-Cryptographic Methodologies
Answer: 33
240. AC 16 - Door Hinges
Answer: 2*
241. AC 17 - Alarmed and Secure Work Areas
Answer: 3*
242. AC 18 - Well Lighted and Locked Facility
Answer: 2*
243. AC 19 - Separation of Areas from Each Other and Outside
Answer: 3*
244. ADMIN 4 - Furniture and Supplies
Answer: 2*
245. COMPL 10 - Access to Handicapped Personnel
Answer: 3*
246. COMPL 11 - Environmental Hazards
Answer: 2*
247. CONST 1 - Nearby Air Traffic
Answer: 3*
248. CONST 2 - Distance from Industrial Activity
Answer: 2*
249. CONST 3 - Environmental Concerns
Answer: 3*
250. CONST 4 - Perimeter Lighting
Answer: 5*
251. CONST 5 - Low Noise Levels
Answer: 6*
252. CONST 6 - Good Working Light Levels
Answer: 3*
253. CONST 7 - Adequate Electrical Outlets
Answer: 65
254. CONST 8 - Good Temperature Control
Answer: 7*
255. CONST 9 - Adequate Parking
Answer: 7*
256. CONST 10 - Visitor Waiting Areas
Answer: 4*
257. CONST 11 - Safe, Secure Working Areas
Answer: 45
258. CONST 12 - Water Drainage
Answer: 65
259. CONST 13 - Flood Plains
Answer: 55
260. CONST 14 - External Access to the Roof
Answer: 55
261. CONST 15 - Nearby Hazardous Material
Answer: 5*
262. CONST 16 - Protective Covering for Glass Windows
Answer: 5*
263. EM.RESP 2 - Emergency Power Shut-off
Answer: 5*
264. EM.RESP 3 - Adequate Public Address System
Answer: 5*
265. FIRE 4 - Designation of Personnel to assist Evacuation
Answer: 5*
266. FIRE 5 - Inadvertent Activation of Fire Suppression Systems
Answer: 5*
267. FIRE 6 - Evacuation Routing for Visitors
Answer: 5*
268. FIRE 7 - Adequate Fire Suppression Equipment
Answer: 5*
269. FIRE 8 - Floor to Ceiling Walls
Answer: 5*
270. FIRE 9 - Periodic Inspection of Fire Equipment
Answer: 5*
271. FIRE 10 - Evacuation Routing
Answer: 5*
272. FIRE 11 - Fire Hydrants
Answer: 5*
273. FIRE 12 - Control Panel for Smoke Detectors
Answer: 5*
274. FIRE 13 - Fire Alarm Pull Boxes
Answer: 5*
275. FIRE 14 - Dampers in Ducting
Answer: 5*
276. FIRE 15 - Adequate Fire Suppression in Computer Room
Answer: 5*
277. FIRE 16 - Fire and Smoke Detection
Answer: Don't Know
278. FIRE 17 - Shut-Off Valve for Fire Suppression System
Answer: Don't Know
279. FIRE 18 - Standards to Include Fire Alarms
Answer: 55
280. FIRE 19 - Adequate Fire Alarm
Answer: 44
281. FIRE 20 - Fire Suppression Systems
Answer: 55
282. FIRE 21 - Fire Alarm Location Awareness
Answer: 44
283. MAINT 6 - Janitorial Service
Answer: 5*
284. MAINT 7 - Restroom
Answer: 5*
285. MAINT 8 - Pest Control
Answer: 5*
286. MAINT 9 - Hazard-free Working Area
Answer: 5*
287. MAINT 11 - Preventative Maintenance Program
Answer: 5*
288. MAINT 12 - Adequate Electrical Grounding
Answer: 5*
289. MAINT 13 - Anchoring Carpets
Answer: 5*
290. ORG 6 - Adequate Work Space for Employees
Answer: 4*
291. POL 12 - Space Concerns in Work Environment
Answer: 4*
292. POL 13 - Avoiding Staff Contact with Hostile Clients
Answer: 5*
293. PROC
Answer: 4*
294. REL 6 - Water Detectors
Answer: 35
295. REL 7 - Reliable High Quality Electrical Power
Answer: 4*
296. REL 8 - Independent Power Sources
Answer: 5*
297. REL 9 - Avoiding Accidental Shutdowns
Answer: 4*
298. REL 10 - Adequate Electrical Power
Answer: 5*
299. REL 11 - Securing Supporting Utilities
Answer: 4*
300. REL 12 - Water Cooling System Protection
Answer: 5*
301. AC - Additional Authentication
Answer: 4*
302. AC - Application Restrictions Via Firewall
Answer: 5*
303. D.INTEG - External Privileges
Answer: 4*
304. AUD.TR - Sharing Audit Trails
Answer: 5*
305. DISC - Audit Trail of External Functions
Answer: 4*
306. D.INTEG - Audit Trail of External Update Access
Answer: 5*
307. AC - Firewall Protection
Answer: 5*
308. PROC - External User Request
Answer: 66
309. AUD.TR - Logs of External Activity.
Answer: 66
310. AUD.TR - Maintain Logs
Answer: 66
311. AC - User Authentication
Answer: 77
312. AC - Minimize External Connections
Answer: 77
313. POL - Authorizing Network Connection
Answer: 77
314. PROC - External User Authorization
Answer: 67
315. PROC - Session Initiation
Answer: 65
316. TRN - External Access
Answer: 45
317. AUD.TR - Log All Activity
Answer: 45
318. REL - Transmitting Controls
Answer: 45
319. APPL - Transmission of Executable Code
Answer: 45
320. PROC - Unsolicited Executable Files
Answer: 23
321. AC - Proxy Server
Answer: 22
322. POL - International Standard 7498-2
Answer: 33
323. TRN - Train Administrators
Answer: 44
324. TRN - Train Users
Answer: 55
325. PROC - Reporting Security Breaches
Answer: 44
326. AC - Blocking Unwanted Logons
Answer: 44
327. AC - Gateway Used for Validation
Answer: 44
328. AC - Anonymous FTP
Answer: 55
329. AC - Disable TFTP
Answer: 55
330. ACC - Record of Patches
Answer: 45
331. ACC - Unsupported Versions
Answer: 34
332. ACC - Install Latest Version of TCP
Answer: 35
333. AC - Implement Trusted Host
Answer: 23
334. ACC - Implementing Patches
Answer: 24
335. ACC - Reporting Incidents
Answer: 33
336. ACC - Virus Checking
Answer: 44
337. D.INTEG - Moving Data
Answer: 55
338. ACC - Communication Line Identification #
Answer: 12
339. AC - Passwords Changed Periodically
Answer: 34
340. AC - Password Modification
Answer: 34
341. AC - Memorizing Passwords
Answer: 23
342. ADMIN - Reviewing Sensitivity
Answer: 66
343. AC - Building Access
Answer: 56
344. AC - Renewed Passwords
Answer: 56
345. ACC - Property Management
Answer: 86
346. ADMIN - IT Security Program
Answer: 87
347. ACC - One Logon Session Per User
Answer: 87
348. PROC - Reporting and Investigating Incidents
Answer: 97
349. ACC - IT Security Individual Accountability
Answer: 87
350. POL - Copyright License
Answer: 98
351. AC - Secure Telecommunications Equipment
Answer: 78
352. PROC - Compliance with Copyright Licenses
Answer: 77
353. AC - Secure Office Areas
Answer: 77
354. ACC - Copyright Licenses
Answer: 88
355. ADMIN - High Retention and Morale
Answer: 77
356. ADMIN - Security Plan Reviewed
Answer: Don't Know
357. ADMIN - Fair Promotions
Answer: Don't Know
358. ADMIN - Conflict of Interest
Answer: Don't Know
359. ADMIN - Retirement Plan
Answer: Don't Know
360. ADMIN - Re-employment
Answer: Not Applicable
361. COMPL - Investigating IT Security Incidents
Answer: Not Applicable
362. POL - Approval for System & Network Changes
Answer: Not Applicable
363. DISC - Secure Communications
Answer: Not Applicable
364. COMPL - Documenting System Changes
Answer: Not Applicable
365. AC - Securing Network Connections
Answer: Not Applicable
366. AC - Interagency Data Protection
Answer: 33
367. AC - Network Passwords
Answer: 3*
368. ADMIN - Interagency Agreements
Answer: 3*
369. ACC - Identifying all Port Connections
Answer: 3*
370. REL - Clean/Cool Communications Area
Answer: 3*
371. EVAL - Risk Analysis on Telecommunications
Answer: 3*
372. COMPL - Implementing Security Controls
Answer: 3*
373. ORG - ITSSO Placement
Answer: 3*
374. COMPL - Periodic Audit Reviews
Answer: 3*
375. AC - Password Protected Screen Saver
Answer: 3*
376. POL - Workstation Security
Answer: 3*
377. POL - Reporting Security Incidents
Answer: 89
378. COMPL - Violation Reporting
Answer: 99
379. ACC - New Communication Links
Answer: 9*
380. PROC - Reporting Security Incidents
Answer: 100
381. COMPL - Reporting to the ITSO
Answer: 5*
382. COMPL - IT Security Requirements
Answer: 5*
383. AC - Restricted User Access
Answer: 5*
384. AC - Uploading & Downloading Data
Answer: 5*
385. COMPL - Virus Detection on File Servers
Answer: 6*
386. COMPL - Life Cycle Management Plan
Answer: 7*
387. ORG - Advanced Technical Solutions
Answer: 8*
388. ADMIN - Defined Operating Procedures
Answer: 5*
389. C.PLAN - Develop & Maintain Disaster Recovery
Answer: 44
390. TRAIN - Security Training Budget
Answer: 5*
391. ADMIN - Formal IT Security Plan
Answer: 55
392. C.PLAN - Managers Contingency Plan Participation
Answer: 66
393. C.PLAN - Off-Site Equipment
Answer: 77
394. POL - Maintain Written IT Security Policy
Answer: 88
395. ORG - IT Security Designation
Answer: 56
396. AC - Cleared Service Personnel
Answer: 45
397. POL - Property Management
Answer: 64
398. POL - Provisions for Data Integrity
Answer: 75
399. ORG - ITSSO Position Description
Answer: 76
400. C.PLAN - Testing Contingency Plan
Answer: 55
401. COMPL - Investigating Security Incidents
Answer: 66
402. ORG - Internal Controls Effective
Answer: Don't Know
403. AC - AC to all Facilities
Answer: Don't Know
404. ORG - Minimum Work Space
Answer: Not Applicable
405. POL - Protecting Sensitive Information
Answer: 12
406. POL - Sensitive Information Storage
Answer: 22
407. PROC - Protecting Sensitive Information
Answer: 22
408. PROC - Data Sensitivity Controls
Answer: 2*
409. AC - Locking Devices
Answer: 2*
410. POL - Key Control Policy
Answer: 2*
411. POL - Password Control
Answer: 2*
412. AC - Unique Identifiers
Answer: 2*
413. AC - Dial Access Lines
Answer: 2*
414. AC - Restricted Line Access
Answer: 2*
415. C.PLAN - Alternate Telecommunications Paths
Answer: 2*
416. PROC - Telecommunications Specialist
Answer: 2*
417. POL - Review Security Policy
Answer: 2*
418. ACC - Data Ownership
Answer: 2*
419. AC 20 - Authorized Access to Areas
Answer: 2*
420. AC 21 - Log Off on Leaving Area
Answer: 33
421. AC 22 - Physical Security of Sites
Answer: 44
422. AC 23 - Current Access List for Each Site
Answer: 5*
423. AC 24 - Physical Access Logs
Answer: 6*
424. ACC 11 - Single Workstation Access by Each User
Answer: 5*
425. ACC 12 - No Sharing of Codes or Passwords
Answer: 6*
426. ACC 13 - No Lending of Codes or Passwords
Answer: 5*
427. ACC 14 - Unique ID for Printers or Workstations
Answer: 6*
428. COMPL 12 - Work Area Procedures consistent with Organization Plan
Answer: 5*
429. COMPL 13 - Security Officer Appointment
Answer: 6*
430. COMPL 14 - Local Procedures consistent with Organization Plan
Answer: 5*
431. COMPL 15 - Virus Scanning for Imported Software
Answer: 6*
432. COMPL 16 - Internal Virus Detection
Answer: 5*
433. COMPL 17 - External Virus Detection
Answer: 6*
434. DISC 11 - Secure Area
Answer: 5*
435. LABEL 2 - Unique ID for Printers and Workstations
Answer: 6*
436. PROC 11 - Full Implementation of Security Procedures
Answer: 5*
437. PROC 12 - Procedures for Incidents at Remote Sites
Answer: 6*
438. T.SITE 1 - Securing Work Areas
Answer: 5*
439. T.SITE 2 - Monitoring by Security Staff
Answer: 6*
440. T.SITE 3 - Monitoring by Security Office
Answer: 5*
441. AC 1 - Security Notified of Impending Employee Termination
Answer: 6*
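The legend above marks an answer with "*" when it is below the threshold value 11, and the questionnaire summary before this respondent report rolls the answers up into Number of Answers, Below threshold, Don't Know and Not Applicable. The following script is an added example, not part of the RiskWatch output or of the lab report: it parses lines in the respondent-report format, recomputes those four counts per vulnerability category (the prefix such as AC, MAINT or POL), and lists any item whose "*" marker disagrees with the threshold rule. The regular expressions, the Item class and the SAMPLE_REPORT excerpt (a handful of items copied from the report above) are this example's own assumptions; RiskWatch itself groups the summary by question code across respondents, whereas this script groups by category for a single respondent.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

THRESHOLD = 11  # legend: '*' marks an answer below threshold value 11

# Excerpt of the respondent report above (same line format, nine items).
SAMPLE_REPORT = """\
FOR RESPONDENT Nelly
1. AC 2 - Security Notified of Employee Transfer or Termination
Answer: 5*
16. D.INTEG 1 - Existence of Data Security Policy
Answer: 66
20. EVAL 2 - Risk Analysis
Answer: Don't Know
70. AC 40 - RACF and Data
Answer: Not Applicable
147. MAINT 3 - Preventative Maintenance
Answer: Don't Know
148. MAINT 4 - Media Cleaning and Maintenance
Answer: 44
151. POL 7 - Testing of Changes to Software
Answer: 4*
166. ORG 5 - Federal Reporting Requirements
Answer: 10*
167. POL 8 - Staff Responsible for Security Incident Follow-up
Answer: 100
"""

# "<n>. <CATEGORY> [<index>] [- ]<title>"; category may contain dots (D.INTEG, AUD.TR)
ITEM_RE = re.compile(r"^(\d+)\.\s+([A-Z][A-Z.]*)(?:\s+(\d+))?\s*-?\s*(.*)$")
ANSWER_RE = re.compile(r"^Answer:\s*(.+?)\s*$")


@dataclass
class Item:
    number: int
    category: str   # vulnerability category prefix, e.g. "MAINT"
    code: str       # question code, e.g. "MAINT 3"; category alone if unnumbered
    title: str
    answer: str     # raw text after "Answer:", e.g. "5*", "66", "Don't Know"

    @property
    def score(self):
        """Numeric score, or None for Don't Know / Not Applicable."""
        m = re.fullmatch(r"(\d+)\*?", self.answer)
        return int(m.group(1)) if m else None

    @property
    def below_threshold(self):
        return self.score is not None and self.score < THRESHOLD


def parse_report(text):
    """Pair each numbered question line with the 'Answer:' line that follows it."""
    items, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = ITEM_RE.match(line)
        if m:
            num, cat, idx, title = m.groups()
            pending = (int(num), cat, f"{cat} {idx}" if idx else cat, title)
            continue
        m = ANSWER_RE.match(line)
        if m and pending:
            items.append(Item(*pending, m.group(1)))
            pending = None
    return items


def check_star_consistency(items):
    """Item numbers whose '*' marker disagrees with the 'below 11' rule."""
    bad = []
    for it in items:
        if it.score is None:
            continue
        starred = it.answer.endswith("*")
        if starred != (it.score < THRESHOLD):
            bad.append(it.number)
    return bad


def summarize(items):
    """Per-category counts in the shape of the questionnaire summary lines."""
    summary = defaultdict(lambda: {"answers": 0, "below": 0, "dont_know": 0, "na": 0})
    for it in items:
        s = summary[it.category]
        s["answers"] += 1            # Don't Know / Not Applicable still count as answers
        if it.answer == "Don't Know":
            s["dont_know"] += 1
        elif it.answer == "Not Applicable":
            s["na"] += 1
        elif it.below_threshold:
            s["below"] += 1
    return dict(summary)


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print("inconsistent '*' markers:", check_star_consistency(parsed))
    for cat, s in sorted(summarize(parsed).items()):
        print(f"{cat:8} Number of Answers: {s['answers']} Below {THRESHOLD}% threshold: "
              f"{s['below']} Don't Know: {s['dont_know']} Not Applicable: {s['na']}")
```

Running the script on the full respondent report (pasted in place of SAMPLE_REPORT) is a quick way to confirm that every starred answer really is below 11 and to see which categories carry the most below-threshold answers before reading the per-question summaries by hand.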
CONCLUSIONS
During this laboratory work, the security assessment of an enterprise using the RiskWatch software was studied. The report was generated automatically via the context menu.
