MINISTRY OF SCIENCE AND HIGHER EDUCATION OF RUSSIA SAINT PETERSBURG ELECTROTECHNICAL UNIVERSITY "LETI" NAMED AFTER V.I. ULYANOV (LENIN) Department of Information Security
REPORT on laboratory work No. 10
in the discipline "Fundamentals of Information Security"
Topic: Study of enterprise security assessment using the Risk Watch software
Student of group
Instructor
Saint Petersburg
2023
Introduction |
1 |
20.11.2023 14:13:00
FINAL REPORT
Risk Analysis of NGY
Prepared by:
[[[
NAME, Project Manager, Risk Analysis Team
NAME, Asst Project Manager, Risk Analysis Team
NAME, Senior Security Analyst, Risk Analysis Team
]]]
TABLE OF CONTENTS
I. Executive Summary
II. Recommendations
Chapter 1 - General Information
1.1 Operational Environment and System Configuration
1.1.1 The Risk Assessment Team
1.1.2 Organizational Details of SpecOrg
1.1.3 Physical Plant and Physical Security
1.1.4 System Configuration
1.2 Terms and Definitions
1.3 Risk Analysis Methodology
1.4 RiskWatch Parameters and Data Analysis
Chapter 2 - Assets
2.1 Summary of Asset Categories
2.2 Assets Listed Within Category
2.2.1 Assets Within Category 1
...
2.2.N Assets Within Category N
Chapter 3 - Threats
3.1 Summary of Threats
3.2 Incidents Involving Each Threat
3.2.1 Incidents Involving Threat 1
...
3.2.N Incidents Involving Threat N
Chapter 4 - Areas of Vulnerability
4.1 Summary of Vulnerabilities
4.2 Question Report
4.2.1 Question Report For Vulnerability Area 1
...
4.2.N Question Report For Vulnerability Area N
4.3 Incidents Linked to Each Vulnerability Area
4.3.1 Incidents Linked To Vulnerability Area 1
...
4.3.N Incidents Linked To Vulnerability Area N
Chapter 5 - Safeguards
5.1 Summary of Safeguards
5.2 Cost-Benefit Analysis Report
5.2.1 Cost-Benefit Analysis Report For Safeguard 1
...
5.2.N Cost-Benefit Analysis Report For Safeguard N
5.3 Incidents Affected by Each Safeguard
5.3.1 Incidents Affected By Safeguard 1
...
5.3.N Incidents Affected By Safeguard N
Appendixes
Appendix A - Assets
Appendix B - Threats
Appendix C - Vulnerability Areas
Appendix D - Safeguards
Chapter 1 - General Introduction
The development of effective plans is a manager's most important responsibility, and the measurement of the compliance of an organization with these plans is essential. For Automated Information Systems (AIS) facilities, one of the most important categories of planning is security planning because of the catastrophic impact that a total shutdown of the AIS facility would have on the entire organization.
A quantitative risk analysis is a tool for measuring the compliance of an organization with applicable security requirements and is a standardized methodology which can be used to analyze a system or organization to identify vulnerabilities that could result in losses. This standardized methodology is based on the interrelationships of four key factors:
1. Asset
Any useful or valuable resource;
2. Vulnerability
Weakness or susceptibility of an asset or a collection of assets to losses of various kinds;
3. Threat
An event, process, or act which, when realized, has an adverse effect on one or more assets; and
4. Safeguard
Countermeasure, control, or action taken to decrease the existing level of vulnerability of an asset to one or more threats.
To facilitate the performance of the risk analysis, SpecOrg acquired a risk analysis system called RiskWatch II for Windows. This PC-based software package, which is available on GSA Schedule, was originally developed for the Department of the Navy; it has been redesigned and rewritten to make it a Windows application and it is currently being used by the Department of Defense, NASA, several State and local governments, and private industry.
The scope of the risk analysis was limited to SpecOrg and threats arising from its environment including all telecommunications links to SpecOrg. The purpose of the risk analysis was to identify the vulnerability of the assets of SpecOrg to a variety of threats and to recommend safeguards which could reduce or eliminate the vulnerability of SpecOrg to these threats.
In some instances, applicable safeguards were 100% implemented, but were not being fully employed by the user community. As a general rule, when such noncompliance with policy within the enterprise occurs, it is frequently because there is a lack of awareness of the security issues; this may result from inadequate security training and enforcement of security requirements.
1.1 Operational Environment and System Configuration
The four sections below, numbered 1.1.1 through 1.1.4, provide detailed information about:
1. The team responsible for the management of risks within the enterprise;
2. The organizational details of the enterprise;
3. The physical plant and measures in place to ensure physical security;
4. The configuration of systems that are deemed within the scope of this analysis.
1.1.1 The Risk Assessment Team
[[[
The Risk Analysis Team for the analysis of SpecOrg consisted of NAME, Project Manager; NAME, Assistant Project Manager; and NAME, Senior Security Analyst.
The following individuals provided considerable support to the project by providing advice on risk analysis and internal control review planning, meeting to discuss the progress of the risk analysis effort, and reviewing and commenting on risk analysis deliverables:
1. NAME, Office of Computer Operations
2. NAME, Office of Computer Operations
3. NAME, Office of Computer Operations
4. NAME, Office of Computer Operations
5. NAME, Office of Computer Operations
6. NAME, Office of Computer Operations
7. NAME, Office of Computer Operations
8. NAME, Office of Information Resources Management
9. NAME, Office of Information Resources Management
10. NAME, Office of Information Resources Management
11. NAME, Office of Budget and Administration
12. NAME, Office of Budget and Administration
]]]
1.1.2 Organization Details of SpecOrg
Organization and Staffing
The Office of Computer Operations is headed by [[[NAME]]]. [[[NAME]]] directs the management, operation, and maintenance of all SpecOrg facilities and equipment (see organization chart immediately below). SpecOrg's staffing level is [[[xx]]].
[[[
[[[NAME]]] is the current contractor for the DATA CENTER. [[[NAME]]] is the project manager for the [[[NAME Contract]]] which is responsible for performing tasks assigned by SpecOrg for the operation and maintenance of SpecOrg facilities (see organization chart on page 9). SpecOrg and its subcontractor, [[[NAME]]], have [[[xx]]] staff assigned to this contract.
]]]
[[[
THE DATA CENTER provides data processing for SpecOrg application systems, program management systems, SpecOrg financial management and other administrative systems, and decision support systems supporting SpecOrg policy formulation. For approximately 7,000 statewide users, the data center processes approximately 50,000 batch jobs and 26,000 individual sessions per month, along with about 150,000 tape mounts. In addition, the data center maintains near 100% availability of the system for its users.
]]]
Figure 1: [[[ PLACE ORGANIZATION CHART HERE ]]]
1.1.3 Physical Plant and Physical Security
[[[
Data Center Building
SpecOrg Data Center is a Government-owned, contractor-operated facility housed in the NAME building at ADDRESS, a 32,000+ square foot facility consisting of the following: computer equipment area, office area, uninterruptible power system area, tape library area, and warehouse.
Physical Security
The NAME Building is a single level building of masonry construction with embedded windows around the perimeter. There are twelve (12) exterior doors leading into the facility. Two (2) doors are secured via a card key system, and six (10) are manually locked at all times. The facility is equipped with an intrusion detection alarm system that is monitored by the local security service.
One of the two entrances controlled by the card system is located in the front of the building facing NAME Road. The other is the visitors' entrance located on the side of the building facing the parking lot. The visitors' entrance is monitored by a security guard twenty-four (24) hours a day, seven (7) days a week. The visitors' entrance card key system is in operation Monday through Friday from 6:00 P.M. to 6:00 A.M. and twenty-four (24) hours a day on weekends and holidays. Although the front door card key system is operational twenty-four (24) hours a day, seven (7) days a week, the exterior door is bolted and key locked from 6:00 P.M. to 6:00 A.M.
The Computer room has four entrances. All four entrances are off a hallway that leads into a raised floor, recessed ceiling environment. Each door has a card key system with different access levels that is in operation twenty-four (24) hours a day, seven (7) days a week.
Fire Detection and Suppression
The fire detection system consists of heat detectors and Ionization-type smoke detectors located above and below the suspended ceiling and under the raised floor. When an alarm sounds, a panel inside the computer room indicates which device detected the problem. The fire alarm system is also monitored by the local security service.
The building contains an automatic fire suppression system consisting of a "total-flooding, wet-pipe system" with sprinkler heads above and below the suspended ceiling.
Energy Management
The data center is environmentally controlled by twelve 20-ton Liebert air conditioning units that compensate for the generated heat load, which varies across the seasons. Heat and air conditioning are provided to office space external to the data center by roof-mounted units and an oil-fired, hot water baseboard heat system. The warehouse area is environmentally controlled by an eight-ton, roof-mounted heat pump.
Electrical power is provided by redundant feeds originating in separate commercial electric power substations. Critical electrical power is provided by two Emerson Electric automatic transfer switches and two Liebert Uninterruptible Power Systems (UPS), with 15-minute battery backup. One of the two 500 kVA UPS systems is modular in design, with a total capacity of 2,000 kVA.
Off-Site Data Storage
The data center backs up all data media storage on a daily basis. The data are then transported to the NAME off-site storage facility in ADDRESS. The NAME facility subcontract is managed by the NAME Contractor. NAME meets all Government requirements for an off-site storage facility.
Hot-Site for Disaster Recovery
SpecOrg has a contract with NAME of ADDRESS, for hot-site support. In the event of a total or partial disaster at SpecOrg data center and the decision is made to activate the hot-site, a designated team will travel to the hot site to operate the facility in place of the SpecOrg data center.
]]]
1.1.4 System Configuration
The system consists of the following (see attached floor plan):
Figure 2: [[[ Attach Floor Plan HERE ]]]
[[[
SYSTEM
- Processors: IBM 3090-500E & 600S
- Disk Storage: IBM/STK/AMDAHL
- Library Storage Modules: (6) STK 4400
- Cartridge Drives: (96) IBM/STK
- Cartridges: (200,000) 3480's
- Tape Reel Drives: (8) 6250 BPI
- Tapes: 15,000 Round Media
- Printers (Page): (1) Xerox 90 PPM
- Printers (Line): (1) IBM 2,000 LPM; (1) STK 1,500 LPM
Communications
High speed link to SpecOrg, Department Information Management. Exchange System to Regional Offices, Value Added Networks to SpecOrg Sites, Intermediaries, and Contractors
- IBM Information Network
- FTS 2000
]]]
1.2 Terms and Definitions
1.2.1 Annual Frequency Estimate (AFE):
The Annual Frequency Estimate (AFE) is a factor based on historical data which indicates the approximate number of times a defined threat might occur in a specific environment, system, or location in a given year.
1.2.2 Annual Loss Expectancy (ALE):
The sum of the Individual Annual Loss Expectancies (IALE) for all assets, of a specific loss type, and attributed to a specific threat.
1.2.3 Annual Loss Expectancy, Individual: Per Asset (IALE)
The Individual Annual Loss Expectancy (IALE) represents the proportion of an individual asset that could be lost as the result of a single instance of a threat event, multiplied by the Annual Frequency Estimate (AFE) of the specific threat.
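As an added worked example (not part of this report and not RiskWatch code), the Python below applies the AFE, IALE and ALE definitions above to a constructed asset list: each IALE is the asset's value times the proportion lost in one threat event times that threat's AFE, ALEs are the IALE sums per threat and loss type, and threats are then ranked by total ALE. The asset names, values, AFEs and exposure proportions are assumptions.

```python
from collections import defaultdict

# Constructed sample data (assumed, not taken from the report): asset values in dollars.
ASSETS = {
    "Mainframe IBM 3090": 4_000_000,
    "Tape library": 1_200_000,
    "Payroll application": 500_000,
}

# Annual Frequency Estimate per threat (assumed; RiskWatch derives these
# from historical data).  0.05 means roughly once in twenty years.
AFE = {
    "Fire": 0.05,
    "Power failure": 2.0,
    "Insider fraud": 0.5,
}

# Proportion of an asset lost in a single threat event, keyed by
# (threat, loss type, asset).  Assumed values for illustration only.
EXPOSURE = {
    ("Fire", "Direct loss", "Mainframe IBM 3090"): 0.8,
    ("Fire", "Direct loss", "Tape library"): 0.9,
    ("Fire", "Delays/denials", "Payroll application"): 0.3,
    ("Power failure", "Delays/denials", "Mainframe IBM 3090"): 0.01,
    ("Power failure", "Delays/denials", "Payroll application"): 0.02,
    ("Insider fraud", "Direct loss", "Payroll application"): 0.1,
}


def iale(threat, loss_type, asset):
    """IALE = asset value x proportion lost per event x AFE of the threat."""
    proportion = EXPOSURE.get((threat, loss_type, asset), 0.0)
    return ASSETS[asset] * proportion * AFE[threat]


def ale_table():
    """ALE per (threat, loss type): sum of IALE over every affected asset."""
    table = defaultdict(float)
    for threat, loss_type, asset in EXPOSURE:
        table[(threat, loss_type)] += iale(threat, loss_type, asset)
    return dict(table)


def threats_ranked():
    """Total ALE per threat across all loss types, largest first."""
    totals = defaultdict(float)
    for (threat, _loss_type), ale in ale_table().items():
        totals[threat] += ale
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for (threat, loss_type), ale in sorted(ale_table().items()):
        print(f"{threat:15} {loss_type:15} ALE = ${ale:,.0f}")
    for threat, total in threats_ranked():
        print(f"{threat:15} total ALE = ${total:,.0f}")
```

The ranking is what drives the safeguard cost-benefit step later in the report: a safeguard is only worth its annual cost if it removes more ALE than it costs.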
1.2.4 Application Software:
A program or set of programs designed for a specific function such as payroll, accounts payable, inventory control, property management, etc. Both source code and object code ought to be considered.
1.2.5 Assets:
Assets are defined as useful or valuable possessions of the enterprise. All assets, including data, residing in a computer system can be properly identified, quantified with respect to one or more evaluative perspectives (such as replacement cost), and classified into one or more of the following distinct categories:
1.2.5a Critical Assets:
Those assets which provide direct support to the organization's ability to sustain its mission. Assets or resources are considered critical if their absence or non-availability would significantly degrade the ability of the organization to carry out its mission, and when the time that the organization can function without the asset is substantially lower than the time needed to replace the asset. Critical assets can be backed up to reduce their potential impact.
1.2.5b Financial, Controlled, Validated, Certified or Accountable Assets:
Moveable property, cash, inventories, accounting or auditing systems, and automatic money-handling software are financial or accountable. These assets are susceptible to both internal and external fraud.
This category also includes payroll, billings, supply inventories, accounts payable and receivable, other financial assets, small pilfer items, cash, consumable, negotiable instruments and services as well as automated billing systems. (Special attention is required as a result of the report by the U.S. Government Accounting Office directive entitled, `Improvements Needed in Managing Automated Decision-making by Computers Throughout the Federal Government', FGMSD-76-5, April 23, 1976.) This category includes
