лаба_10 / лаб_10_03_4

CHAPTER 2. ASSETS

The SpecOrg risk analysis included 12 asset categories. [[[Some of the categories were divided into more descriptive sub-categories. For example, communication consisted of three resource names (Communication Support Hardware, Communication Diagnostic Equipment, and Communication Modem/DSU).]]] The determination of categories and values of assets was accomplished through interviews with [[[NAME and NAME personnel]]]. A review of the assets was performed by the Risk Analysis Team and SpecOrg [[[and

NAME]]] management.

The asset values were determined based on the cost of replacing the particular asset. The largest replacement value was for Accounts Receivable, which is estimated at $50,000. (see Figure 4) and which constitutes 20.8% (see Figures 4 and 6) of the total value of all DATA CENTER assets. The next highest values for replacement cost were for categories Applications and Communications Hardware. The values and percentages of the whole are, respectively, $50,000., at 20.8% and $50,000. at 20.8%.

2.1SUMMARY OF ASSET CATEGORIES

The following table provides a summary of the total replacement costs for each of the asset categories considered in the analysis.

FIGURE 4

This information is presented below as a barchart.

50,000

Acct s Rec

50,000

Applicatns

50,000

Comms H/W

25,000

Comms S/W

25,000

Hardware

12,500

Off Equip

10,000

Document'n

7,500

Databases

7,500

System S/W

2,000

Personnel

1,337

Acct s Pay

5 10 15 20 25 30 35 40 45 50 (x1 ,000)

Dollars

FIGURE 5

The percentage of the total replacement cost for each category is indicated in the following diagram.

6 Others (11.8%)

Acct s Rec (20.8%)

Off Equip (5.2%)

Hardware (10.4%)

Applicatns (20.8%)

Comms S/W (10.4%)

Comms H/W (20.8%

FIGURE 6

VULNERABILITY AREA REPORT

OVERALL COMPLIANCE:

Compliance (1.4%)

Non-Compliance (98.6%)

VULNERABILITY AREA: Access Control

Compliance (5.3%)

Non-Compliance (94.7%)

VULNERABILITY AREA: Accountability

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Administration

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Data Integrity

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Disclosure

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Documentation

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Evaluation

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Policy

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Privacy Act

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Reliability

There is 100% non-compliance in this area of vulnerability.

2.2 ASSETS WITHIN CATEGORY

Assets are identified, by category, by commonly used name; associated with each individual asset there is other related information. Depending on the asset category, other data is also provided for each asset. This will include the level of sensitivity for data, the quantity of a duplicated hardware item, etc.. When the information is available, an indication is included about the basic attribute(s) of each assets that states whether the asset is

critical (in the sense that the mission of the enterprise depends on the correct and timely functioning of this asset), or

financial (with respect to the need to control modification), or sensitive (with respect to disclosure), or

supportive (non of the above).

The definition of each asset category is also provided

The monetary values assigned represent the estimated replacement or purchase cost of the asset, not its current value. For example, the recruitment cost, the training cost, and the staff salaries and benefits were used to determine personnel costs. For leased equipment, replacement cost of obtaining a new lease is used since the organization is responsible for obtaining a replacement resource.

The value of sensitive resources could be greater than the replacement value to account for the loss of future opportunity and the extent of exposure that agencies have resulting from the disclosure of data subject to the Privacy Act; awards of $1,000 to $5,000 per individual record have been assessed by the courts based on the sanctions included in the Privacy Act of 1974.

The sections below deal, in turn, with each of the asset categories included in the analysis.

2.2.1Accounts Payable

Figure 7.1

This information about replacement costs is presented below as a barchart.

1,337

RTG

Dollars

Figure 8.1

2.2.2Accounts Receivable

Figure 7.2

This information about replacement costs is presented below as a barchart.

50,000

321

Dollars

Figure 8.2

2.2.3Applications

Figure 7.3

This information about replacement costs is presented below as a barchart.

50,000

345

Dollars

Figure 8.3

2.2.4Communications Hardware

Figure 7.4

This information about replacement costs is presented below as a barchart.

50,000

Dollars

Figure 8.4

2.2.5Communications Software

Figure 7.5

This information about replacement costs is presented below as a barchart.

25,000

EWQ

Dollars

Figure 8.5

2.2.6Databases

Figure 7.6

This information about replacement costs is presented below as a barchart.

7,500

456

Dollars

Figure 8.6

2.2.7Documentation

Figure 7.7

This information about replacement costs is presented below as a barchart.

10,000

OI

Dollars

Figure 8.7

2.2.8Hardware

Figure 7.8

This information about replacement costs is presented below as a barchart.

25,000

HARD

Dollars

Figure 8.8

2.2.9Office Equipment

Figure 7.9

This information about replacement costs is presented below as a barchart.

7,500

QWE

5,000

QWE

Dollars

Figure 8.9

The percentage of the total replacement cost for this category that is contributed by each asset is indicated in the following diagram.

QWE (40.0%)

QWE (60.0%)

Figure 9.9

2.2.10Personnel

Figure 7.10

This information about replacement costs is presented below as a barchart.

2,000

PERS

Dollars

Figure 8.10

2.2.11System Software

This information about replacement costs is presented below as a barchart.

7,500

LPMEPLEASE

Dollars

Figure 8.11

2.2.12Utilities

Figure 7.12

3.2 INCIDENTS INVOLVING EACH THREAT

Each Incident is defined as triple of the form <threat, loss category, asset category>. By doing things this way it is possible to separate the various forms of loss that a given threat may cause to the enterprise as the result of acting on the same asset category.

The sections below look at each threat and indicate the various incidents that were associated with it in the analysis. For each incident, a table is presented (FIGURES 13.1, 13.2, ...) indicating its SLE and ALE (where the ALE is generated by multiplying the SLE for the incident by the AFE of the threat). The overall ALE for a threat is the sum of the ALEs for each of the associated incidents. This is shown as the total of the third column. The percentage of this total represented by the ALE for each incident is indicated in the fourth column.

Also shown for each threat is a barchart that provides a visual presentation of the relative magnitudes of the ALE for each incident. These are shown as FIGURES 14.1, 14.2, ....

Piecharts are then also provided that indicate the percentage of each threat ALE that is accounted for by each incident that is used in its calculation.

3.2.1Blackmail - AFE: 0.05

The various incident classes associated with this threat are shown in the following table:

20

Direct, Personnel

Dollars

Figure 16.1 Blackmail - SLE's

3.2.2Budget Loss - AFE: 0.50

The various incident classes associated with this threat are shown in the following table:

12,500

Disclosure, Databases

Dollars

Figure 14.2 Budget Loss - ALE's

25,000

Disclosure, Databases

Dollars

Figure 16.2 Budget Loss - SLE's