1.2.11 Safeguards:
Safeguards are countermeasures, specifications, or controls, consisting of actions taken to decrease the organization's existing degree of vulnerability to a given threat, or the probability (risk) that the threat will occur. Safeguards are put into effect to reduce the organization's potential losses and the resultant impact on the mission. Safeguards are designed, implemented and maintained with the objective of minimizing losses by providing improved means of deterrence, prevention, mitigation, detection of and recovery from incidents (realizations of potential threat events). Generally, safeguards are grouped into the following broad categories:
1.2.11a Administrative Safeguards:
This category includes all policies, procedures, guidelines, auditing checks and tabulations which are defined by management.
1.2.11b Physical Safeguards:
These are devices or mechanisms that protect assets. They include such things as door locks, terminal shielding, vaults, walls, fire suppression systems, and guards.
1.2.11c Technical Safeguards:
These are usually associated with the protection of information inside of a computer system; this category includes such items as data encryption, internal access controls, system and file passwords, recovery software, and auditing software.
1.2.12 Single Loss Expectancy Individual: Per Asset (SLEI)
The monetary value of a single specified asset, or set of assets, multiplied by its associated vulnerability exposures, which are related to a specific realized threat.
1.2.13 Single Loss Expectancy: Per Threat Occurrence (SLE)
The sum of the Single Loss Expectancies for all assets attributed to a specific realized threat. These are all losses associated with the single occurrence of a defined threat.
1.2.14 System Software:
Programs that control the operation of a computer system, generally consisting of utility programs (both source code and object code). System software refers to special application programs whose function is the operation of a computer or one of its specialized subsystems.
1.2.15 Threat:
An event, process, activity (act), or substance, either accidental or perpetrated by one or more threat agents, which, when realized, has an adverse effect on organizational assets (possibly aggravated by existing organizational or other forms of vulnerability to that threat), resulting in losses that may be classified as:
1.2.15a direct loss;
1.2.15b related direct loss;
1.2.15c delays (in processing) / denials (of service) (acting against the availability of the asset);
1.2.15d disclosure (of sensitive information) (acting against its confidentiality);
1.2.15e modification (also called contamination) (acting against its integrity);
1.2.15f intangible (acting against intangible assets).
The combination of all possible losses resulting from one occurrence of a threat is called the Single Loss Expectancy (SLE).
1.2.16 Threat Agent:
Any person or thing which acts, or has the power to act, to cause, carry out, transmit or support a threat. As stated in the threat definition, it is the case that the realization of many threats will correspondingly cause the occurrence of other threats, and therefore, many threats will themselves be threat agents.
The identification of threat agents is an important element in attempting to calculate the Annual Frequency Estimate (AFE) of a threat occurrence and then the annual amount of loss (ALE) for an asset. Generally, a threat can occur through more than one agent, and to properly estimate the losses and the subsequent impact on the mission, the individual AFEs and ALEs associated with each agent must be determined separately. Unfortunately, the available statistics are not collected per agent. Therefore, with current statistics, the per-agent values would overlap and the resulting annual loss expectancy would be greatly exaggerated.
1.2.17 Threat Probability of Occurrence with Cumulative Probability, Confidence Interval, and Standard Deviation:
Based on available statistics, the probability or annual frequency estimate is calculated with the associated level of confidence and the applicable standard deviation.
1.2.18 Vulnerability:
A vulnerability, or weakness, is the susceptibility of an asset, or a set of assets, to an increased level of loss resulting from an occurrence of a defined threat against that asset. It is a characteristic, condition, or perceived lack of a procedural method or control, associated with one or more assets or safeguards, which would result in an increased loss if a threat were to be realized. The presence of a vulnerability does not in itself result in a loss, nor does the total absence of any vulnerability necessarily ensure that a loss will not occur should the threat become realized.
1.2.19 Degree of Seriousness:
The extent (for denial/delay forms of loss), or percentage of the value of affected assets (for all other forms of loss), that would be experienced as a result of the realization of a particular threat.
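The quantities defined in 1.2.12, 1.2.13, 1.2.16 and 1.2.19 chain together into a per-threat annual loss figure. The following is an added Python example, not code from the report or from RiskWatch; the asset and threat values are constructed, and the relation ALE = SLE × AFE is the usual one and is assumed here, not quoted from the page.

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float                 # monetary value of the asset
    # Vulnerability exposure per form of loss, as the fraction of the asset's
    # value lost when a threat of that form is realized (degree of seriousness).
    exposure: Dict[str, float]


@dataclass(frozen=True)
class Threat:
    name: str
    afe: float                   # Annual Frequency Estimate, occurrences per year
    loss_forms: Tuple[str, ...]  # forms of loss (1.2.15a-f) this threat produces


def slei(asset: Asset, threat: Threat) -> float:
    """SLEI (1.2.12): asset value times the exposures this threat exercises."""
    return asset.value * sum(asset.exposure.get(f, 0.0) for f in threat.loss_forms)


def sle(assets: Iterable[Asset], threat: Threat) -> float:
    """SLE (1.2.13): sum of SLEIs over all assets for one threat occurrence."""
    return sum(slei(a, threat) for a in assets)


def ale(assets: Iterable[Asset], threat: Threat) -> float:
    """Annual Loss Expectancy: SLE scaled by expected occurrences per year
    (ALE = SLE * AFE; assumed standard relation, not stated on the page)."""
    return sle(assets, threat) * threat.afe


def apply_safeguard(asset: Asset, loss_form: str, reduction: float) -> Asset:
    """Model a safeguard (1.2.11) as cutting the asset's exposure to one form of
    loss by fraction `reduction` (0..1). Returns a new Asset; input is untouched."""
    new_exposure = dict(asset.exposure)
    new_exposure[loss_form] = new_exposure.get(loss_form, 0.0) * (1.0 - reduction)
    return replace(asset, exposure=new_exposure)


def annual_savings(assets, threat, loss_form, reduction) -> float:
    """ALE reduction a safeguard buys against one threat; compare with its cost."""
    protected = [apply_safeguard(a, loss_form, reduction) for a in assets]
    return ale(assets, threat) - ale(protected, threat)


# Constructed sample data (hypothetical, not taken from the report).
ASSETS = [Asset("customer database", 500_000.0, {"disclosure": 0.4, "modification": 0.2}),
          Asset("public web server", 80_000.0, {"delay": 0.5, "modification": 0.25})]
MALWARE = Threat("malware", afe=0.8, loss_forms=("modification", "delay"))
INSIDER = Threat("insider disclosure", afe=0.1, loss_forms=("disclosure",))
```

With these inputs, `sle(ASSETS, MALWARE)` is 160,000 and `ale(ASSETS, MALWARE)` is 128,000; a safeguard removing 75% of the database's disclosure exposure lowers the insider ALE from 20,000 to 5,000.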
