MINISTRY OF SCIENCE AND HIGHER EDUCATION OF RUSSIA
SAINT PETERSBURG STATE
ELECTROTECHNICAL UNIVERSITY
"LETI" NAMED AFTER V.I. ULYANOV (LENIN)
Department of Information Security
REPORT
on practical assignment No. 10
in the course "Fundamentals of Information Security"
"Studying enterprise security assessment with the RiskWatch software"
Student, group ________________
Instructor ________________
Saint Petersburg
2023
11/25/2021 10:38:00 PM
FINAL REPORT
Risk Analysis of Organisation A
Prepared by:
[[[-----------------]]]
NAME
Project Manager
Risk Analysis Team

[[[----------------]]]
NAME
Asst Project Manager
Risk Analysis Team

[[[------------------]]]
NAME
Senior Security Analyst
Risk Analysis Team
Table of contents
I. Executive Summary
II. Recommendations
Chapter 1 - General Information
1.1 Operational Environment and System Configuration
1.1.1 The Risk Assessment Team
1.1.2 Organizational Details of Organisation A
1.1.3 Physical Plant and Physical Security
1.1.4 System Configuration
1.2 Terms and Definitions
1.3 Risk Analysis Methodology
1.4 RiskWatch Parameters and Data Analysis
Chapter 2 - Assets
2.1 Summary of Asset Categories
2.2 Assets Listed Within Category
2.2.1 Assets Within Category 1
...
2.2.N Assets Within Category N
Chapter 3 - Threats
3.1 Summary of Threats
3.2 Incidents Involving Each Threat
3.2.1 Incidents Involving Threat 1
...
3.2.N Incidents Involving Threat N
Chapter 4 - Areas of Vulnerability
4.1 Summary of Vulnerabilities
4.2 Question Report
4.2.1 Question Report For Vulnerability Area 1
...
4.2.N Question Report For Vulnerability Area N
4.3 Incidents Linked to Each Vulnerability Area
4.3.1 Incidents Linked To Vulnerability Area 1
...
4.3.N Incidents Linked To Vulnerability Area N
Chapter 5 - Safeguards
5.1 Summary of Safeguards
5.2 Cost-Benefit Analysis Report
5.2.1 Cost-Benefit Analysis Report For Safeguard 1
...
5.2.N Cost-Benefit Analysis Report For Safeguard N
5.3 Incidents Affected by Each Safeguard
5.3.1 Incidents Affected By Safeguard 1
...
5.3.N Incidents Affected By Safeguard N
Appendixes
Appendix A - Assets
Appendix B - Threats
Appendix C - Vulnerability Areas
Appendix D - Safeguards
I. Executive Summary
Scope
This risk analysis was limited to Organisation A Data Center.
[[[Minicomputers and microcomputers were included in the analysis only to the extent they posed a risk to Organisation A.]]]
Risk Analysis Steps
Questionnaire diskettes or network sub-directories were developed containing [[[532]]] questions covering all areas of Organisation A AIS security;
[[[One hundred eleven]]] Organisation A employees and users of Organisation A systems answered the questions and returned their responses;
The RiskWatch software determined Organisation A vulnerabilities from the questionnaire responses returned on the diskettes;
Identified vulnerabilities were validated by Organisation A management;
A risk analysis report was prepared.
Key Risk Analysis Report Findings
Assets
[[[
The asset replacement cost for Organisation A is approximately $100M.
Hardware, personnel (government and contractor), and intangibles (reputation) are the major asset categories at Organisation A.
Important assets, such as system software, applications, and databases can be replaced relatively inexpensively because they are backed-up.
]]]
Vulnerabilities
[[[
The risk analysis identified 170 vulnerabilities covering twenty-two vulnerability areas.
Organisation A is most vulnerable in five areas: (see Figure 1)
The labeling and control of output listings.
The security of remote terminals.
The level and extent of security training.
The level of staffing and separation of duties at the DATA CENTER.
The level of training for the identification of Privacy Act records and insufficient labeling of Privacy Act-related materials.
A physical survey of DATA CENTER revealed four fire detection and control vulnerabilities not identified by the questionnaire diskettes (see Chapter VII).
]]]
Threats
[[[
The four most significant threats to Organisation A on an annual basis are: (see Figure 2)
Data Destruction
Misuse of the Computer
Theft of Assets
Data Integrity Loss
]]]
Safeguards
[[[
The safeguards with the greatest return on investment, which are also among the least costly safeguards, are: (see Figure 3)
Property Management
Organizational Structure
Visitor Control
Security Plan
Application Control
]]]
