Safeguard Report |
9 |
Payback period (0.05): 0
Payback period (0.1): 0
Payback period (0.15): 0
5.2.12 Risk Analysis
Lifetime: 3 Implementation Cost: $100,000. Annual Maintenance Cost: $30,000.
Year |
Benefits |
Costs |
Disc. Ben(0.1) |
Disc. |
DB-DC(0.1) |
|
|
|
|
Cost(0.1) |
|
1 |
$10,693. |
$100,000. |
$9,720. |
$90,909. |
$-81,188. |
2 |
$10,693. |
$30,000. |
$8,836. |
$24,793. |
$-15,956. |
3 |
$10,693. |
$30,000. |
$8,033. |
$22,539. |
$-14,505. |
Sum of discounted benefits (0.05): $29,117. Sum of discounted benefits (0.1): $26,589. Sum of discounted benefits (0.15): $24,412. Sum of discounted costs (0.05): $148,363. Sum of discounted costs (0.1): $138,241. Sum of discounted costs (0.15): $129,365. Benefit Cost Ratio (0.05): 0.20
Benefit Cost Ratio (0.1): 0.19 Benefit Cost Ratio (0.15): 0.19
Return On Investment (0.05): 0.07
Return On Investment (0.1): 0.06 Return On Investment (0.15): 0.06 Payback period (0.05): 0
Payback period (0.1): 0 Payback period (0.15): 0
5.2.13 Security Policy
Lifetime: 3 Implementation Cost: $70,000. Annual Maintenance Cost: $40,000.
Year |
Benefits |
Costs |
Disc. Ben(0.1) |
Disc. |
DB-DC(0.1) |
|
|
|
|
Cost(0.1) |
|
1 |
$267,409. |
$70,000. |
$243,099. |
$63,636. |
$179,462. |
2 |
$267,409. |
$40,000. |
$220,999. |
$33,057. |
$187,941. |
3 |
$267,409. |
$40,000. |
$200,908. |
$30,052. |
$170,855. |
Sum of discounted benefits (0.05): $728,219. Sum of discounted benefits (0.1): $665,006. Sum of discounted benefits (0.15): $610,553. Sum of discounted costs (0.05): $137,500. Sum of discounted costs (0.1): $126,745. Sum of discounted costs (0.15): $117,414. Benefit Cost
Ratio (0.05): 5.30
Benefit Cost Ratio (0.1): 5.25
Benefit Cost Ratio (0.15): 5.20 Return On Investment (0.05): 1.77 Return On Investment (0.1): 1.75 Return On Investment (0.15): 1.73 Payback period (0.05): 1
Payback period (0.1): 1 Payback period (0.15): 1
Here is a summary of the Return on Investment (R.O.I) for each safeguard.
Safeguard |
ROI(10%) |
Percentage of |
|
|
Total |
Application Controls |
3.37 |
52.6% |
Safeguard Report |
10 |
Security Policy |
1.75 |
27.3% |
Data Encryption |
1.02 |
15.9% |
Personnel Clearances |
0.17 |
2.7% |
Risk Analysis |
0.06 |
1.0% |
Physical Access Control |
0.01 |
0.2% |
Detection System |
0.01 |
0.2% |
Quality Assurance |
0.00 |
0.1% |
Classification Markings |
0.00 |
0.1% |
Life Cycle Management |
0.00 |
0.0% |
Personnel Control |
0.00 |
0.0% |
Passwords/Authenticaion |
0.00 |
0.0% |
Safeguard Report |
11 |
Contract Specifications |
0.00 |
|
|
0.0% |
|
|
|||||
|
|
|
|
|
|
|
|
|
ROI |
||
|
|
|
|
|
|
|
|
|
|
3 |
|
|
|
|
|
|
|
|
|
|
|
||
Application Cont |
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
1 |
||||||
rols Security |
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
1 |
||||||
Policy Data |
|
|
|
|
|
|
|||||
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|||||
|
|
|
|
|
|
|
|
|
|||
Encryption |
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|||||
|
|
|
|
|
1 |
|
2 |
3 |
|
|
|
Return On Invest ment(ROI). Calculated in order of the 10 highest ROIs.
Cost Benefit Report |
1 |
CHAPTER 5. SAFEGUARDS |
|
The analysis recommends a total of [[[ thirty-six (36) ]]] safeguards out of a possible 42 for use (at the AIS).
Figures 16 through 18 reflect the total cost of each safeguard for the life cycle of the safeguard.
It is generally taken that safeguards can fall into three categories:
(1)those that prevent incidents;
(2)those that permit the timely detection of incidents that have not been detected;
(3)those that aid in the recovery process after an incident has occurred.
The goal of a safeguard is to reduce the Annual Loss Expectancy (ALE) of one or more incidents, thereby reducing the overall ALE for the enterprise. This reduction is calculated by noticing that various safeguards impact the overall system in different ways. Three different forms of impact have been noted:
(1)the reduction in certain evaluative parameters for assets (for example the (recovery) safeguard of Insurance can reduce the Replacement Cost of all assets covered by the insurance);
(2)the reduction in the level of vulnerability in certain areas (for example the (preventative) safeguard of Data Encryption) can significantly reduce the vulnerability called Disclosure (or Data Disclosure); the (detective) safeguard of Monitor System can act to lessen the difficulty that can arise from the slowly degrading Reliability of hardware components);
(3)the reduction in the frequency of a threat (or threat event) (for example, the safeguard called Training is expected to reduce the frequency of the threat of Errors).
Not only is a safeguard intended to reduce ALE, but it must do it in a cost-effect way. RiskWatch II for Windows considers all possible safeguards and their impact on the overall system. For each, in turn, a full Cost-Benefit Analysis (CBA) is performed.
This analysis uses the reduction in ALE, expected annually, as the benefit and the initial and maintenance costs over the lifetime of the safeguard, and considers three different possible discount rates of 5,
10 and 15% to permit the calculation of the net present value of all projected
figures.
In the tables below, three figures, one for each discount rate, are provided, for each safeguard,
(1)the ratio of Total Benefits over Total Costs;
(2)the annualized Rate of Return on Investment obtained by dividing this ratio by
the number of years involved;
(3) the Pay-back Period - the year in which accumulating benefits overtake the (initially greater) accumulating costs.
The degree to which each safeguard may already be implemented can be derived from the responses to the questions, in each area of vulnerability, that pertain to a particular safeguard.
5.1SUMMARY OF SAFEGUARDS
The tables below show information about each of the safeguards considered by RiskWatch. It is sorted on the basis of the annualized Rate of Return on Investment (ROI) using Discount Rate of 10%.
The twelve numeric columns are, respectively,
1.the lifetime of the safeguard in years (Lifetime)
2.the initial cost (Initial Cost)
3.the annual maintenance cost (Maint. Cost)
4.the Basic Ratio of Total Benefits to Total Costs for Discount Rate 5% (B/C-5%)
5.the Annualized ROI with Discount Rate 5% (RoI-5%)
6.the Pay-back Period with Discount Rate 5% (PP-5%)
7.the Basic Ratio of Total Benefits to Total Costs for Discount Rate 10% (B/C- 10%)
8.the Annualized ROI with Discount Rate 10% (RoI-10%)
9.the Pay-back Period with Discount Rate 10% (PP-10%)
Cost Benefit Report |
2 |
10.the Basic Ratio of Total Benefits to Total Costs for Discount Rate 15% (B/C- 15%)
11.the Annualized ROI with Discount Rate 15% (RoI-15%)
12.the Pay-back Period with Discount Rate 15% (PP-15%).
Safeguards |
Lifetime |
Initial Cost |
Maint. Cost |
Application Controls |
3 |
$50,000. |
$50,000. |
Security Policy |
3 |
$70,000. |
$40,000. |
Data Encryption |
5 |
$500,000. |
$500,000. |
Personnel Clearances |
1 |
$50,000. |
$100,000. |
Risk Analysis |
3 |
$100,000. |
$30,000. |
Physical Access Control |
3 |
$2,000,000. |
$500,000. |
Detection System |
3 |
$1,000,000. |
$200,000. |
Quality Assurance |
5 |
$400,000. |
$300,000. |
Classification Markings |
3 |
$500,000. |
$50,000. |
Life Cycle Management |
1 |
$200,000. |
$0. |
Personnel Control |
3 |
$200,000. |
$100,000. |
Passwords/Authenticaion |
5 |
$40,000. |
$200,000. |
Contract Specifications |
1 |
$50,000. |
$100,000. |
Cost Benefit Report |
|
|
3 |
|
|
|
|
Safeguards |
B/C-5% |
ROI-5% |
PP-5% |
Application Controls |
10.11 |
3.37 |
1 |
Security Policy |
5.30 |
1.77 |
1 |
Data Encryption |
5.09 |
1.02 |
1 |
Personnel Clearances |
0.17 |
0.17 |
0 |
Risk Analysis |
0.20 |
0.07 |
0 |
Physical Access Control |
0.03 |
0.01 |
0 |
Detection System |
0.03 |
0.01 |
0 |
Quality Assurance |
0.02 |
0.00 |
0 |
Classification Markings |
0.01 |
0.00 |
0 |
Life Cycle Management |
0.00 |
0.00 |
0 |
Personnel Control |
0.00 |
0.00 |
0 |
Passwords/Authenticaion |
0.00 |
0.00 |
0 |
Contract Specifications |
0.00 |
0.00 |
0 |
|
|
|
|
Safeguards |
B/C-10% |
ROI-10% |
PP-10% |
Application Controls |
10.11 |
3.37 |
1 |
Security Policy |
5.25 |
1.75 |
1 |
Data Encryption |
5.09 |
1.02 |
1 |
Personnel Clearances |
0.17 |
0.17 |
0 |
Risk Analysis |
0.19 |
0.06 |
0 |
Physical Access Control |
0.03 |
0.01 |
0 |
Detection System |
0.03 |
0.01 |
0 |
Quality Assurance |
0.02 |
0.00 |
0 |
Classification Markings |
0.01 |
0.00 |
0 |
Life Cycle Management |
0.00 |
0.00 |
0 |
Personnel Control |
0.00 |
0.00 |
0 |
Passwords/Authenticaion |
0.00 |
0.00 |
0 |
Contract Specifications |
0.00 |
0.00 |
0 |
|
|
|
|
Safeguards |
B/C-15% |
ROI-15% |
PP-15% |
Application Controls |
10.11 |
3.37 |
1 |
Security Policy |
5.20 |
1.73 |
1 |
Data Encryption |
5.09 |
1.02 |
1 |
Personnel Clearances |
0.17 |
0.17 |
0 |
Risk Analysis |
0.19 |
0.06 |
0 |
Physical Access Control |
0.03 |
0.01 |
0 |
Detection System |
0.03 |
0.01 |
0 |
Quality Assurance |
0.02 |
0.00 |
0 |
Classification Markings |
0.01 |
0.00 |
0 |
Life Cycle Management |
0.00 |
0.00 |
0 |
Personnel Control |
0.00 |
0.00 |
0 |
Passwords/Authenticaion |
0.00 |
0.00 |
0 |
Contract Specifications |
0.00 |
0.00 |
0 |
The following table shows the safeguards with the 10 greatest Return on Investment (ROI-10%). Also shown are the Initial and Maintenance Costs of those safeguards. Following the table are barcharts and piecharts of the costs.
Safeguards |
ROI-10% |
Initial Cost |
Maint. Cost |
Application Controls |
3.37 |
$50,000. |
$50,000. |
Security Policy |
1.75 |
$70,000. |
$40,000. |
Data Encryption |
1.02 |
$500,000. |
$500,000. |
Personnel Clearances |
0.17 |
$50,000. |
$100,000. |
Risk Analysis |
0.06 |
$100,000. |
$30,000. |
Physical Access Control |
0.01 |
$2,000,000. |
$500,000. |
Detection System |
0.01 |
$1,000,000. |
$200,000. |
Quality Assurance |
0.00 |
$400,000. |
$300,000. |
Classification Markings |
0.00 |
$500,000. |
$50,000. |
Life Cycle Management |
0.00 |
$200,000. |
$0. |
INITIAL COSTS
Cost Benefit Report |
4 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2,000,000 |
|
Physical |
Access |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
1,000,000 |
||||||||||
Control |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
500,000 |
|||
Detection |
Syst |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
500,000 |
|||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
em |
|
Data |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
400,000 |
||
Encryption |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
200,000 |
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Classification |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
100,000 |
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
Markings |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Quality |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Assurance |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Life Cycle Management |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||
Risk Analysis |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||
|
|
25 |
50 |
75 |
100 |
125 |
150 |
175 |
200 (x 10 ,000 ) |
||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Dollars |
|
|
|
|
|
|
|
|
Security |
70,000 |
|
50,000 |
||
|
||
Policy Application |
50,000 |
|
|
||
Cont rols Personnel |
|
|
Clearances |
|
5 10 15 20 25 30 35 40 45 50 55 60 65 70 (x 1 ,000) Dollars
Physical Access Control (41.1%)
Personnel Clearances (1.0%) Application Cont rols (1.0%) Security Policy (1.4%)
Risk Analysis (2.1%)
Life Cycle Management (4.1%) Quality Assurance (8.2%) Classification Markings (10.3%)
Data Encryption (10.3%)
Detection System (20.5%)
MAINTENANCE COSTS
Cost Benefit Report |
5 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
500,000 |
|
Physical Access Control |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
500,000 |
||||||||||
Data |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
300,000 |
|||||
Encryption Quality |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
200,000 |
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
Assurance Detection |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
100,000 |
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
Syst em Personnel |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
50,000 |
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
Clearances |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
50,000 |
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
Application Cont rols |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
40,000 |
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
30,000 |
||
Classification |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Markings |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||
Security |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||
Policy Risk |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||
Analysis |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||
5 |
10 |
15 |
20 |
25 |
30 |
35 |
40 |
45 |
50 (x 10,000) |
||||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Dollars |
|
|
|
|
|
|
|
|
|
|
Risk Analysis (1.7%)
Security Policy (2.3%) Classification Markings (2.8%)
Physical Access Control (28.2%) Application Cont rols (2.8%) Personnel Clearances (5.6%) Detection System (11.3%)
Quality Assurance (16.9%)
Data Encryption (28.2%)
SAFEGUARD DEFINITIONS
ACCESS CONTROL - The Access Control safeguard refers to the existence of a verifiable and coordinated access control system. The system can range from simple (key lock systems) to complex (cypher/key card identification systems).
APPLICATION CONTROL STANDARDS - Application control refers to a specific system of controls designed by a team of internal auditors to
Cost Benefit Report |
6 |
|
ensure that |
universal programming standards, |
|
data element dictionaries and record association |
|
|
conventions |
are maintained. |
|
AUDIT TRAILS - The safeguard of Audit Trails refers to the organization having a fully implemented audit trail capability so that it is simple to track which user was accessing any system at any point in time.
CLASSIFICATION MARKING - The safeguard of Classification Marking refers to having all media and reports containing information which is classified as Classified, Sensitive, or Privacy Act data marked on the top and bottom of each page.
Cost Benefit Report |
7 |
CONTINGENCY PLAN - The Contingency Plan is also known as a Continuity of Operations Plans (COOP), or as a Disaster Recovery Plan; and it contains a detailed blueprint of backup procedures to be followed in case of emergency disruption to the ADP facility, as well as a guide to getting the programs operational as quickly as possible.
CONTRACT SPECIFICATIONS - The Contract Specification safeguard refers to the practice of requiring each contractor to include as a formal contract deliverable, a plan for including appropriate security controls, addressing of pertinent threats, and possible loss quantification.
DATA ENCRYPTION - This safeguard involves the application of encipherment techniques to one or more datasets or to data traveling over communications systems.
DETECTION SYSTEM - The Detection System safeguard refers to having a coordinated fire detection/access control violation system which will alert the proper authorities to smoke, heat, water, humidity fluctuations, grounding problems, as well as monitoring any attempt at unauthorized access.
DOCUMENTATION - The Documentation safeguard refers to the need for the organization to provide backup documentation for every file, program, and process; including providing hard copies retained in a safe location.
ELECTRICAL POWER CONDITIONING - The Electrical Power Conditioning safeguard refers to the establishment of a stable sources of electrical power, including a consideration of a source of uninterruptable power, backup generators, as well as consideration of phasebalancing to prevent power fluctuations.
EMERGENCY RESPONSE - The emergency response safeguard deals with a having a detailed guide of how the organization can continue to operate in the event of large scale emergencies, such as chemical spills, civil disobedience, or nuclear mishaps.
FILE/PROGRAM CONTROL - The safeguard of File/Program Control refers to the practice of establishing a system of access controls and authorizations for programs and files based on "need to know".
FIRE SUPPRESSION SYSTEM - The Fire Suppression safeguard refers to the appropriate combination of water and CO2 which should be installed in any ADP facility.
GROUNDING SYSTEM - The Grounding System safeguard refers to provision for proper