    Fundamentals of Information Security. Фан_6363_лаб-7-23.12. Report on laboratory work 7 for the course Fundamentals of Information Security. Topic: risk analysis using the RiskWatch software


    5.2.23 Review Sens. Applications
    Lifetime: 2 Implementation Cost: $15,000. Annual Maintenance Cost: $100.
    Year Benefits Costs Disc. Ben(0.1) Disc. Cost(0.1) DB-DC(0.1)

    1 $0. $15,000. $0. $13,636. $-13,636.

    2 $0. $100. $0. $82. $-82.

    Sum of discounted benefits (0.05): $0.

    Sum of discounted benefits (0.1): $0.

    Sum of discounted benefits (0.15): $0.

    Sum of discounted costs (0.05): $14,375.

    Sum of discounted costs (0.1): $13,718.

    Sum of discounted costs (0.15): $13,118.

    Benefit Cost Ratio (0.05): 0.00

    Benefit Cost Ratio (0.1): 0.00

    Benefit Cost Ratio (0.15): 0.00

    Return On Investment (0.05): 0.00

    Return On Investment (0.1): 0.00

    Return On Investment (0.15): 0.00

    Payback period (0.05): 0

    Payback period (0.1): 0

    Payback period (0.15): 0

    5.2.24 Risk Analysis
    Lifetime: 3 Implementation Cost: $1,000. Annual Maintenance Cost: $30.
    Year Benefits Costs Disc. Ben(0.1) Disc. Cost(0.1) DB-DC(0.1)

    1 $0. $1,000. $0. $909. $-909.

    2 $0. $30. $0. $24. $-24.

    3 $0. $30. $0. $22. $-22.

    Sum of discounted benefits (0.05): $0.

    Sum of discounted benefits (0.1): $0.

    Sum of discounted benefits (0.15): $0.

    Sum of discounted costs (0.05): $1,004.

    Sum of discounted costs (0.1): $955.

    Sum of discounted costs (0.15): $910.

    Benefit Cost Ratio (0.05): 0.00

    Benefit Cost Ratio (0.1): 0.00

    Benefit Cost Ratio (0.15): 0.00

    Return On Investment (0.05): 0.00

    Return On Investment (0.1): 0.00

    Return On Investment (0.15): 0.00

    Payback period (0.05): 0

    Payback period (0.1): 0

    Payback period (0.15): 0

    5.2.25 Security Classification
    Lifetime: 1 Implementation Cost: $1,000. Annual Maintenance Cost: $100.
    Year Benefits Costs Disc. Ben(0.1) Disc. Cost(0.1) DB-DC(0.1)

    1 $960. $1,000. $872. $909. $-36.

    Sum of discounted benefits (0.05): $914.

    Sum of discounted benefits (0.1): $872.

    Sum of discounted benefits (0.15): $834.

    Sum of discounted costs (0.05): $952.

    Sum of discounted costs (0.1): $909.

    Sum of discounted costs (0.15): $869.

    Benefit Cost Ratio (0.05): 0.96

    Benefit Cost Ratio (0.1): 0.96

    Benefit Cost Ratio (0.15): 0.96

    Return On Investment (0.05): 0.96

    Return On Investment (0.1): 0.96

    Return On Investment (0.15): 0.96

    Payback period (0.05): 0

    Payback period (0.1): 0

    Payback period (0.15): 0

    5.2.26 Security Plan
    Lifetime: 3 Implementation Cost: $300. Annual Maintenance Cost: $100.
    Year Benefits Costs Disc. Ben(0.1) Disc. Cost(0.1) DB-DC(0.1)

    1 $240. $300. $218. $272. $-54.

    2 $240. $100. $198. $82. $115.

    3 $240. $100. $180. $75. $105.

    Sum of discounted benefits (0.05): $652.

    Sum of discounted benefits (0.1): $596.

    Sum of discounted benefits (0.15): $546.

    Sum of discounted costs (0.05): $461.

    Sum of discounted costs (0.1): $429.

    Sum of discounted costs (0.15): $400.

    Benefit Cost Ratio (0.05): 1.41

    Benefit Cost Ratio (0.1): 1.39

    Benefit Cost Ratio (0.15): 1.36

    Return On Investment (0.05): 0.47

    Return On Investment (0.1): 0.46

    Return On Investment (0.15): 0.45

    Payback period (0.05): 2

    Payback period (0.1): 2

    Payback period (0.15): 2

    5.2.27 Security Policy
    Lifetime: 3 Implementation Cost: $700. Annual Maintenance Cost: $40.
    Year Benefits Costs Disc. Ben(0.1) Disc. Cost(0.1) DB-DC(0.1)

    1 $4,530. $700. $4,117. $636. $3,481.

    2 $4,530. $40. $3,743. $33. $3,710.

    3 $4,530. $40. $3,403. $30. $3,373.

    Sum of discounted benefits (0.05): $12,334.

    Sum of discounted benefits (0.1): $11,263.

    Sum of discounted benefits (0.15): $10,341.

    Sum of discounted costs (0.05): $736.

    Sum of discounted costs (0.1): $699.

    Sum of discounted costs (0.15): $664.

    Benefit Cost Ratio (0.05): 16.73

    Benefit Cost Ratio (0.1): 16.10

    Benefit Cost Ratio (0.15): 15.55

    Return On Investment (0.05): 5.58

    Return On Investment (0.1): 5.37

    Return On Investment (0.15): 5.18

    Payback period (0.05): 1

    Payback period (0.1): 1

    Payback period (0.15): 1

    5.2.28 Security Staff
    Lifetime: 3 Implementation Cost: $500. Annual Maintenance Cost: $100.
    Year Benefits Costs Disc. Ben(0.1) Disc. Cost(0.1) DB-DC(0.1)

    1 $23,799. $500. $21,635. $454. $21,180.

    2 $23,799. $100. $19,668. $82. $19,585.

    3 $23,799. $100. $17,880. $75. $17,805.

    Sum of discounted benefits (0.05): $64,809.

    Sum of discounted benefits (0.1): $59,183.

    Sum of discounted benefits (0.15): $54,337.

    Sum of discounted costs (0.05): $652.

    Sum of discounted costs (0.1): $611.

    Sum of discounted costs (0.15): $574.

    Benefit Cost Ratio (0.05): 99.21

    Benefit Cost Ratio (0.1): 96.65

    Benefit Cost Ratio (0.15): 94.31

    Return On Investment (0.05): 33.07

    Return On Investment (0.1): 32.22

    Return On Investment (0.15): 31.44

    Payback period (0.05): 1

    Payback period (0.1): 1

    Payback period (0.15): 1

    5.2.29 Safeguard Test & Eval.
    Lifetime: 3 Implementation Cost: $5,000. Annual Maintenance Cost: $100.
    Year Benefits Costs Disc. Ben(0.1) Disc. Cost(0.1) DB-DC(0.1)

    1 $11,821. $5,000. $10,746. $4,545. $6,200.

    2 $11,821. $100. $9,769. $82. $9,686.

    3 $11,821. $100. $8,881. $75. $8,805.

    Sum of discounted benefits (0.05): $32,189.

    Sum of discounted benefits (0.1): $29,396.

    Sum of discounted benefits (0.15): $26,988.

    Sum of discounted costs (0.05): $4,937.

    Sum of discounted costs (0.1): $4,702.

    Sum of discounted costs (0.15): $4,487.

    Benefit Cost Ratio (0.05): 6.52

    Benefit Cost Ratio (0.1): 6.25

    Benefit Cost Ratio (0.15): 6.01

    Return On Investment (0.05): 2.17

    Return On Investment (0.1): 2.08

    Return On Investment (0.15): 2.00

    Payback period (0.05): 1

    Payback period (0.1): 1

    Payback period (0.15): 1

    5.2.30 System Validation
    Lifetime: 2 Implementation Cost: $100,000. Annual Maintenance Cost: $500.
    Year Benefits Costs Disc. Ben(0.1) Disc. Cost(0.1) DB-DC(0.1)

    1 $19,606. $100,000. $17,823. $90,909. $-73,085.

    2 $19,606. $500. $16,203. $413. $15,790.

    Sum of discounted benefits (0.05): $36,455.

    Sum of discounted benefits (0.1): $34,026.

    Sum of discounted benefits (0.15): $31,873.

    Sum of discounted costs (0.05): $95,691.

    Sum of discounted costs (0.1): $91,322.

    Sum of discounted costs (0.15): $87,334.

    Benefit Cost Ratio (0.05): 0.38

    Benefit Cost Ratio (0.1): 0.37

    Benefit Cost Ratio (0.15): 0.36

    Return On Investment (0.05): 0.19

    Return On Investment (0.1): 0.19

    Return On Investment (0.15): 0.18

    Payback period (0.05): 0

    Payback period (0.1): 0

    Payback period (0.15): 0

    5.2.31 Technical Surveillance
    Lifetime: 3 Implementation Cost: $500. Annual Maintenance Cost: $10.
    Year Benefits Costs Disc. Ben(0.1) Disc. Cost(0.1) DB-DC(0.1)

    1 $0. $500. $0. $454. $-454.

    2 $0. $10. $0. $8. $-8.

    3 $0. $10. $0. $7. $-7.

    Sum of discounted benefits (0.05): $0.

    Sum of discounted benefits (0.1): $0.

    Sum of discounted benefits (0.15): $0.

    Sum of discounted costs (0.05): $493.

    Sum of discounted costs (0.1): $469.

    Sum of discounted costs (0.15): $447.

    Benefit Cost Ratio (0.05): 0.00

    Benefit Cost Ratio (0.1): 0.00

    Benefit Cost Ratio (0.15): 0.00

    Return On Investment (0.05): 0.00

    Return On Investment (0.1): 0.00

    Return On Investment (0.15): 0.00

    Payback period (0.05): 0

    Payback period (0.1): 0

    Payback period (0.15): 0

    5.2.32 Training
    Lifetime: 3 Implementation Cost: $1,000. Annual Maintenance Cost: $50.
    Year Benefits Costs Disc. Ben(0.1) Disc. Cost(0.1) DB-DC(0.1)

    1 $0. $1,000. $0. $909. $-909.

    2 $0. $50. $0. $41. $-41.

    3 $0. $50. $0. $37. $-37.

    Sum of discounted benefits (0.05): $0.

    Sum of discounted benefits (0.1): $0.

    Sum of discounted benefits (0.15): $0.

    Sum of discounted costs (0.05): $1,040.

    Sum of discounted costs (0.1): $987.

    Sum of discounted costs (0.15): $938.

    Benefit Cost Ratio (0.05): 0.00

    Benefit Cost Ratio (0.1): 0.00

    Benefit Cost Ratio (0.15): 0.00

    Return On Investment (0.05): 0.00

    Return On Investment (0.1): 0.00

    Return On Investment (0.15): 0.00

    Payback period (0.05): 0

    Payback period (0.1): 0

    Payback period (0.15): 0

    5.2.33 Visitor Control
    Lifetime: 2 Implementation Cost: $1,000. Annual Maintenance Cost: $1,000.
    Year Benefits Costs Disc. Ben(0.1) Disc. Cost(0.1) DB-DC(0.1)

    1 $2,015. $1,000. $1,831. $909. $922.

    2 $2,015. $1,000. $1,665. $826. $838.

    Sum of discounted benefits (0.05): $3,746.

    Sum of discounted benefits (0.1): $3,496.

    Sum of discounted benefits (0.15): $3,275.

    Sum of discounted costs (0.05): $1,859.

    Sum of discounted costs (0.1): $1,735.

    Sum of discounted costs (0.15): $1,625.

    Benefit Cost Ratio (0.05): 2.02

    Benefit Cost Ratio (0.1): 2.02

    Benefit Cost Ratio (0.15): 2.02

    Return On Investment (0.05): 1.01

    Return On Investment (0.1): 1.01

    Return On Investment (0.15): 1.01

    Payback period (0.05): 1

    Payback period (0.1): 1

    Payback period (0.15): 1

    Here is a summary of the Return on Investment (R.O.I) for each safeguard.
    Safeguard ROI(10%) Percentage of Total

    Preventive Maintenance 4775.09 95.1%

    Redundant Power 157.42 3.1%

    Security Staff 32.22 0.6%

    Application Controls 23.54 0.5%

    Data Encryption 6.05 0.1%

    Property Management 5.76 0.1%

    Security Policy 5.37 0.1%

    Classification Markings 2.98 0.1%

    Life Cycle Management 2.41 0.0%

    Safeguard Test & Eval. 2.08 0.0%

    Operating Procedures 1.82 0.0%

    Audit Trails 1.28 0.0%

    Visitor Control 1.01 0.0%

    Personnel Control 1.01 0.0%

    Security Classification 0.96 0.0%

    Quality Assurance 0.85 0.0%

    Security Plan 0.46 0.0%

    Insurance/Bond 0.36 0.0%

    System Validation 0.19 0.0%

    Physical Access Control 0.15 0.0%

    Contingency Plan 0.13 0.0%

    Detection System 0.03 0.0%

    Passwords/Authenticaion 0.02 0.0%

    Training 0.00 0.0%

    New Construction 0.00 0.0%

    Review Sens. Applications 0.00 0.0%

    Monitor System 0.00 0.0%

    Organizational Structure 0.00 0.0%

    Documentation 0.00 0.0%

    Risk Analysis 0.00 0.0%

    Technical Surveillance 0.00 0.0%

    Contract Specifications 0.00 0.0%

    OPR for each System 0.00 0.0%

    The analysis recommends a total of thirty-six (36) safeguards out of a possible 42 for use (at the AIS).

    Figures 16 through 18 reflect the total cost of each safeguard for the life cycle of the safeguard.
    It is generally taken that safeguards can fall into three categories:

    (1) those that prevent incidents;

    (2) those that permit the timely detection of incidents that have not been detected;

    (3) those that aid in the recovery process after an incident has occurred.
    The goal of a safeguard is to reduce the Annual Loss Expectancy (ALE) of one or more incidents, thereby reducing the overall ALE for the enterprise. This reduction is calculated by noticing that various safeguards impact the overall system in different ways. Three different forms of impact have been noted:

    (1) the reduction in certain evaluative parameters for assets (for example the (recovery) safeguard of Insurance can reduce the Replacement Cost of all assets covered by the insurance);

    (2) the reduction in the level of vulnerability in certain areas (for example, the (preventative) safeguard of Data Encryption can significantly reduce the vulnerability called Disclosure (or Data Disclosure); the (detective) safeguard of Monitor System can act to lessen the difficulty that can arise from the slowly degrading Reliability of hardware components);

    (3) the reduction in the frequency of a threat (or threat event) (for example, the safeguard called Training is expected to reduce the frequency of the threat of Errors).
    Not only is a safeguard intended to reduce ALE, but it must do so in a cost-effective way. RiskWatch II for Windows considers all possible safeguards and their impact on the overall system. For each, in turn, a full Cost-Benefit Analysis (CBA) is performed.

    This analysis uses the expected annual reduction in ALE as the benefit, and the initial and maintenance costs over the lifetime of the safeguard as the cost. It considers three possible discount rates of 5, 10 and 15% to permit the calculation of the net present value of all projected figures.

    In the tables below, the following are provided for each safeguard, each at the three discount rates:

    (1) the ratio of Total Benefits over Total Costs;

    (2) the annualized Rate of Return on Investment obtained by dividing this ratio by the number of years involved;

    (3) the Pay-back Period - the year in which accumulating benefits overtake the (initially greater) accumulating costs.
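
The calculation described above, as an added Python example (not RiskWatch's own code): it recomputes the Benefit Cost Ratio, annualized ROI and payback period for the Security Plan and System Validation safeguards from the lifetime, cost and benefit figures in this report. It assumes end-of-year discounting, the implementation cost charged in year 1 with maintenance in later years, and a payback value of 0 for a safeguard that never recovers its cost, all inferred from the report's per-year tables.

```python
from dataclasses import dataclass

RATES = (0.05, 0.10, 0.15)  # the three discount rates used in the report


@dataclass(frozen=True)
class Safeguard:
    name: str
    lifetime: int          # years
    implementation: float  # cost charged in year 1
    maintenance: float     # cost charged in each later year
    annual_benefit: float  # expected yearly reduction in ALE


def cash_flows(sg):
    """Yield (year, benefit, cost) per year, following the report's tables:
    year 1 carries the implementation cost, later years the maintenance cost."""
    for year in range(1, sg.lifetime + 1):
        cost = sg.implementation if year == 1 else sg.maintenance
        yield year, sg.annual_benefit, cost


def cba(sg, rate):
    """Return (benefit/cost ratio, annualized ROI, payback year) at `rate`."""
    disc_ben = disc_cost = cumulative = 0.0
    payback = 0  # assumption: 0 means "never pays back", as the tables suggest
    for year, benefit, cost in cash_flows(sg):
        factor = (1.0 + rate) ** year      # end-of-year discounting
        disc_ben += benefit / factor
        disc_cost += cost / factor
        cumulative += (benefit - cost) / factor
        if payback == 0 and cumulative > 0:
            payback = year                 # first year benefits overtake costs
    ratio = disc_ben / disc_cost if disc_cost else 0.0
    roi = ratio / sg.lifetime              # ratio divided by the years involved
    return round(ratio, 2), round(roi, 2), payback


def analyse(sg):
    """Run the cost-benefit analysis at all three discount rates."""
    return {rate: cba(sg, rate) for rate in RATES}


# Inputs copied from the report's 5.2.26 and 5.2.30 sections.
SECURITY_PLAN = Safeguard("Security Plan", 3, 300, 100, 240)
SYSTEM_VALIDATION = Safeguard("System Validation", 2, 100_000, 500, 19_606)

if __name__ == "__main__":
    for sg in (SECURITY_PLAN, SYSTEM_VALIDATION):
        for rate, (ratio, roi, payback) in analyse(sg).items():
            print(f"{sg.name:18} rate={rate:.2f} B/C={ratio:.2f} "
                  f"ROI={roi:.2f} payback={payback}")
```

The dollar sums printed in the report appear to be truncated to whole dollars, so recomputed sums can differ by a dollar or two while the ratios still agree to two decimals.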
    The degree to which each safeguard may already be implemented can be derived from the responses to the questions, in each area of vulnerability, that pertain to a particular safeguard.
    The tables below show information about each of the safeguards considered by RiskWatch. It is sorted on the basis of the annualized Rate of Return on Investment (ROI) using Discount Rate of 10%.
    The twelve numeric columns are, respectively,

    1. the lifetime of the safeguard in years (Lifetime)

    2. the initial cost (Initial Cost)

    3. the annual maintenance cost (Maint. Cost)

    4. the Basic Ratio of Total Benefits to Total Costs for Discount Rate 5% (B/C-5%)

    5. the Annualized ROI with Discount Rate 5% (RoI-5%)

    6. the Pay-back Period with Discount Rate 5% (PP-5%)

    7. the Basic Ratio of Total Benefits to Total Costs for Discount Rate 10% (B/C-10%)

    8. the Annualized ROI with Discount Rate 10% (RoI-10%)

    9. the Pay-back Period with Discount Rate 10% (PP-10%)

    10. the Basic Ratio of Total Benefits to Total Costs for Discount Rate 15% (B/C-15%)

    11. the Annualized ROI with Discount Rate 15% (RoI-15%)

    12. the Pay-back Period with Discount Rate 15% (PP-15%).

    Safeguards Lifetime Initial Cost Maint. Cost

    Preventive Maintenance 1 $2,000. $400.

    Redundant Power 20 $3,000. $1,000.

    Security Staff 3 $500. $100.

    Application Controls 3 $500. $50.

    Data Encryption 5 $5,000. $500.

    Property Management 3 $500. $20.

    Security Policy 3 $700. $40.

    Classification Markings 3 $500. $50.

    Life Cycle Management 1 $2,000. $0.

    Safeguard Test & Eval. 3 $5,000. $100.

    Operating Procedures 3 $5,000. $500.

    Audit Trails 5 $1,000. $500.

    Visitor Control 2 $1,000. $1,000.

    Personnel Control 3 $2,000. $100.

    Security Classification 1 $1,000. $100.

    Quality Assurance 5 $4,000. $300.

    Security Plan 3 $300. $100.

    Insurance/Bond 1 $500. $100.

    System Validation 2 $100,000. $500.

    Physical Access Control 3 $20,000. $500.

    Contingency Plan 2 $1,000. $200.

    Detection System 3 $10,000. $200.

    Passwords/Authenticaion 5 $400. $200.

    Training 3 $1,000. $50.

    New Construction 50 $50,000. $500.

    Review Sens. Applications 2 $15,000. $100.

    Monitor System 3 $5,000. $100.

    Organizational Structure 1 $1,000. $50.

    Documentation 3 $700. $30.

    Risk Analysis 3 $1,000. $30.

    Technical Surveillance 3 $500. $10.

    Contract Specifications 1 $500. $100.

    OPR for each System 1 $500. $50.

    Safeguards B/C-5% ROI-5% PP-5%

    Preventive Maintenance 4775.09 4775.09 1

    Redundant Power 3314.16 165.71 1

    Security Staff 99.21 33.07 1

    Application Controls 73.05 24.35 1

    Data Encryption 32.04 6.41 1

    Property Management 17.99 6.00 1

    Security Policy 16.73 5.58 1

    Classification Markings 9.26 3.09 1

    Life Cycle Management 2.41 2.41 1

    Safeguard Test & Eval. 6.52 2.17 1

    Operating Procedures 5.63 1.88 1

    Audit Trails 6.50 1.30 1

    Visitor Control 2.02 1.01 1

    Personnel Control 3.14 1.05 1

    Security Classification 0.96 0.96 0

    Quality Assurance 4.53 0.91 1

    Security Plan 1.41 0.47 2

    Insurance/Bond 0.36 0.36 0

    System Validation 0.38 0.19 0

    Physical Access Control 0.48 0.16 0

    Contingency Plan 0.26 0.13 0

    Detection System 0.09 0.03 0

    Passwords/Authenticaion 0.12 0.02 0

    Training 0.00 0.00 0

    New Construction 0.00 0.00 0

    Review Sens. Applications 0.00 0.00 0

    Monitor System 0.00 0.00 0

    Organizational Structure 0.00 0.00 0

    Documentation 0.00 0.00 0

    Risk Analysis 0.00 0.00 0

    Technical Surveillance 0.00 0.00 0

    Contract Specifications 0.00 0.00 0

    OPR for each System 0.00 0.00 0

    Safeguards B/C-10% ROI-10% PP-10%

    Preventive Maintenance 4775.09 4775.09 1

    Redundant Power 3148.34 157.42 1

    Security Staff 96.65 32.22 1

    Application Controls 70.62 23.54 1

    Data Encryption 30.23 6.05 1

    Property Management 17.29 5.76 1

    Security Policy 16.10 5.37 1

    Classification Markings 8.95 2.98 1

    Life Cycle Management 2.41 2.41 1

    Safeguard Test & Eval. 6.25 2.08 1

    Operating Procedures 5.45 1.82 1

    Audit Trails 6.40 1.28 1

    Visitor Control 2.02 1.01 1

    Personnel Control 3.02 1.01 1

    Security Classification 0.96 0.96 0

    Quality Assurance 4.25 0.85 1

    Security Plan 1.39 0.46 2

    Insurance/Bond 0.36 0.36 0

    System Validation 0.37 0.19 0

    Physical Access Control 0.46 0.15 0

    Contingency Plan 0.26 0.13 0

    Detection System 0.08 0.03 0

    Passwords/Authenticaion 0.12 0.02 0

    Training 0.00 0.00 0

    New Construction 0.00 0.00 0

    Review Sens. Applications 0.00 0.00 0

    Monitor System 0.00 0.00 0

    Organizational Structure 0.00 0.00 0

    Documentation 0.00 0.00 0

    Risk Analysis 0.00 0.00 0

    Technical Surveillance 0.00 0.00 0

    Contract Specifications 0.00 0.00 0

    OPR for each System 0.00 0.00 0

    Safeguards B/C-15% ROI-15% PP-15%

    Preventive Maintenance 4775.09 4775.09 1

    Redundant Power 2989.96 149.50 1

    Security Staff 94.31 31.44 1

    Application Controls 68.42 22.81 1

    Data Encryption 28.63 5.73 1

    Property Management 16.67 5.56 1

    Security Policy 15.55 5.18 1

    Classification Markings 8.67 2.89 1

    Life Cycle Management 2.41 2.41 1

    Safeguard Test & Eval. 6.01 2.00 1

    Operating Procedures 5.28 1.76 1

    Audit Trails 6.30 1.26 1

    Visitor Control 2.02 1.01 1

    Personnel Control 2.91 0.97 1

    Security Classification 0.96 0.96 0

    Quality Assurance 4.00 0.80 1

    Security Plan 1.36 0.45 2

    Insurance/Bond 0.36 0.36 0

    System Validation 0.36 0.18 0

    Physical Access Control 0.44 0.15 0

    Contingency Plan 0.25 0.13 0

    Detection System 0.08 0.03 0

    Passwords/Authenticaion 0.12 0.02 0

    Training 0.00 0.00 0

    New Construction 0.00 0.00 0

    Review Sens. Applications 0.00 0.00 0

    Monitor System 0.00 0.00 0

    Organizational Structure 0.00 0.00 0

    Documentation 0.00 0.00 0

    Risk Analysis 0.00 0.00 0

    Technical Surveillance 0.00 0.00 0

    Contract Specifications 0.00 0.00 0

    OPR for each System 0.00 0.00 0

    The following table shows the safeguards with the 10 greatest Return on Investment (ROI-10%). Also shown are the Initial and Maintenance Costs of those safeguards. Following the table are bar charts and pie charts of the costs.

    Safeguards ROI-10% Initial Cost Maint. Cost

    Preventive Maintenance 4775.09 $2,000. $400.

    Redundant Power 157.42 $3,000. $1,000.

    Security Staff 32.22 $500. $100.

    Application Controls 23.54 $500. $50.

    Data Encryption 6.05 $5,000. $500.

    Property Management 5.76 $500. $20.

    Security Policy 5.37 $700. $40.

    Classification Markings 2.98 $500. $50.

    Life Cycle Management 2.41 $2,000. $0.

    Safeguard Test & Eval. 2.08 $5,000. $100.
