Fundamentals of Information Security. Фан_6363_лаб-7-23.12. Report on Laboratory Work 7 in the course Fundamentals of Information Security. Topic: Risk analysis using the RiskWatch software
INITIAL COSTS    MAINTENANCE COSTS

SAFEGUARD DEFINITIONS

ACCESS CONTROL - The Access Control safeguard refers to the existence of a verifiable and coordinated access control system. The system can range from simple (key lock systems) to complex (cipher/key card identification systems).

APPLICATION CONTROL STANDARDS - Application control refers to a specific system of controls designed by a team of internal auditors to ensure that universal programming standards, data element dictionaries and record association conventions are maintained.

AUDIT TRAILS - The safeguard of Audit Trails refers to the organization having a fully implemented audit trail capability so that it is simple to track which user was accessing any system at any point in time.

CLASSIFICATION MARKING - The safeguard of Classification Marking refers to having all media and reports containing information which is classified as Classified, Sensitive, or Privacy Act data marked on the top and bottom of each page.

CONTINGENCY PLAN - The Contingency Plan is also known as a Continuity of Operations Plan (COOP) or as a Disaster Recovery Plan. It contains a detailed blueprint of backup procedures to be followed in case of emergency disruption to the ADP facility, as well as a guide to getting the programs operational again as quickly as possible.

CONTRACT SPECIFICATIONS - The Contract Specification safeguard refers to the practice of requiring each contractor to include, as a formal contract deliverable, a plan for including appropriate security controls, addressing pertinent threats, and quantifying possible losses.

DATA ENCRYPTION - This safeguard involves the application of encipherment techniques to one or more datasets or to data traveling over communications systems.

DETECTION SYSTEM - The Detection System safeguard refers to having a coordinated fire detection/access control violation system which will alert the proper authorities to smoke, heat, water, humidity fluctuations and grounding problems, as well as monitoring any attempt at unauthorized access.

DOCUMENTATION - The Documentation safeguard refers to the need for the organization to provide backup documentation for every file, program, and process, including hard copies retained in a safe location.

ELECTRICAL POWER CONDITIONING - The Electrical Power Conditioning safeguard refers to the establishment of a stable source of electrical power, including consideration of a source of uninterruptible power, backup generators, and phase-balancing to prevent power fluctuations.

EMERGENCY RESPONSE - The Emergency Response safeguard deals with having a detailed guide to how the organization can continue to operate in the event of large-scale emergencies, such as chemical spills, civil disobedience, or nuclear mishaps.

FILE/PROGRAM CONTROL - The safeguard of File/Program Control refers to the practice of establishing a system of access controls and authorizations for programs and files based on "need to know".

FIRE SUPPRESSION SYSTEM - The Fire Suppression safeguard refers to the appropriate combination of water and CO2 suppression which should be installed in any ADP facility.

GROUNDING SYSTEM - The Grounding System safeguard refers to provision for proper electrical grounding for all equipment, including lightning arrestors, and a separate grounding system for all signal cables. For sites processing classified information, a local low-resistance ground is required.

INSURANCE - Insurance policies should be considered as a safeguard for situations where other types of safeguards may not be currently available or cost-effective. Financial institutions should consider bonding insurance for key personnel.

LIFE CYCLE MANAGEMENT - The safeguard of Life Cycle Management refers to the adoption of a formal, written plan for all systems, including security and audit controls. This plan should address general management, personnel, organizational, system design, data center management, and computer application controls.

MATERIAL SEGREGATION - The Material Segregation safeguard refers to the procedure of separating Classified, Sensitive and Privacy Act data from all other material in order to guard against inadvertent disclosure.

MONITOR SYSTEM - The Monitoring System safeguard refers to having an effective system in place which covers checking of remote sites, critical components, the operational status of various programs and applications, as well as sensitive operational areas.

NEW CONSTRUCTION - The New Construction safeguard covers a variety of considerations which should be reviewed for any new facility. These include, but are not limited to, use of fire-retardant and low-combustion building materials, use of floor-to-ceiling walls, automatic vent closures, inside hinges on doors and windows, and proper drainage.

OFFICE OF PRIMARY RESPONSIBILITY (OPR) - An Office of Primary Responsibility (OPR) should be designated for each database, data file, and removable medium containing data or programs. The OPR designation is necessary to ensure the integrity of data files and the accuracy of their contents.

OPERATING PROCEDURES - The safeguard of Operating Procedures refers to having a monitoring program in place to determine the effectiveness and efficiency of the system's operating procedures, as well as a method of verifying that these procedures are continuously upgraded.

ORGANIZATIONAL STRUCTURE - Organizational Structure refers to the safeguard of having the organization not only staffed, but also responsive to the need for redundancy of critical job functions, with the necessary guidelines in place to ensure functional separation of duties.

PASSWORDS - The safeguard of Passwords refers to the organization having an effective user password policy which should be fully implemented for every system.

PERSONNEL CLEARANCE - The Personnel Clearance safeguard refers to having an organizational policy governing personnel clearance in which each individual must have a security clearance of equal or greater classification than the highest level of data processed in the system they are accessing. This safeguard also includes background investigation of all employees.

PERSONNEL CONTROL - The safeguard of Personnel Control refers to the organization having proper procedures for automatic background checks, authority based on "need to know" criteria, and a timely method for updating personnel records (and revoking access) when individuals are reassigned, transferred or discharged.

PREVENTIVE MAINTENANCE - The Preventive Maintenance safeguard refers to having an effective maintenance program in place which should include all computer hardware, generators, air conditioning equipment, grounding systems, lightning arrestors, fire systems and structural components such as vent closures, floor plates, doors, etc.

PROPERTY MANAGEMENT - The Property Management safeguard refers to the organization having a comprehensive and effective program for property inventory control, allocation and accountability.

QUALITY ASSURANCE - The safeguard of Quality Assurance refers to the formal establishment of a program which will regularly monitor (and find ways to improve) programming quality, user error, communication ability, etc.

REDUNDANT POWER - The safeguard of Redundant Power refers to having a secondary independent source of electrical power to back up the primary power source.

REVIEW OF SENSITIVE APPLICATIONS - The safeguard of Review of Sensitive Applications refers to the need for the organization to conduct a formal risk assessment of each Sensitive Application program on a regular basis.

RISK ANALYSIS - The safeguard of Risk Analysis refers to the organization having recently conducted a formal risk assessment of each major system and application program.

SECURITY CLASSIFICATION - The Security Classification safeguard requires that each activity have policies in place addressing the proper classification of sensitive materials, including a receipt program and general handling procedures for all sensitive and classified materials.

SECURITY PLAN - The Security Plan refers to the existence of a document which defines the tasks and charges of the security organization, as well as planning the security procedures necessary for the protection of the organization.

SECURITY POLICY - Security Policy refers to the existence of written, defined guidelines which dictate how the organization manages its resources and protects them from both internal and external threats.

SECURITY STAFF - Security Staff refers to the individuals in the organization who maintain or manage security tasks. This includes both full-time security staff and managers who have part-time security responsibilities for the resources they manage.

SYSTEM SECURITY TEST AND EVALUATION (SST&E) - The safeguard of SST&E (System Security Test and Evaluation) refers to the organization having a formal procedure to test each individual safeguard for effectiveness and accuracy.

SYSTEM VALIDATION - The System Validation safeguard refers to the practice of ensuring that the operating system contains only approved code, and that changes to the operating system are accounted for, verified, and transmitted in a secure and acknowledged mode.

TECHNICAL SURVEILLANCE - This safeguard is applicable to Classified environments and refers to a (possibly external) organization that can conduct a survey to identify potential security problems.
TEMPEST SURVEY - This safeguard is applicable to Classified environments and refers to the gathering of information, by inspection or survey, about all instrumentation and sites that store or process classified information.

TRAINING - The Training safeguard refers to the organization having a written, implemented program of security training for new employees and security awareness programs for current employees.

VISITOR CONTROL - The Visitor Control safeguard refers to ensuring that visitors to a facility are monitored twenty-four hours a day, that an audit trail of visitors exists, and that this official record is maintained for at least two years.

WATER DRAINAGE - The Water Drainage safeguard refers to ensuring that the facility is equipped with a drainage system so that water from broken pipes, water from activated sprinkler systems or water used in fire fighting can be easily and effectively drained from the facility.

The section below looks at each safeguard and indicates, for each threat, the ALE (Annualized Loss Expectancy) before and after the safeguard is implemented. The overall ALE for a threat is the sum of the ALEs for each of the associated incidents. The percentage by which the ALE is reduced by the safeguard is also indicated. Because the ALE figures are rounded to whole dollars, a nominal 40% or 50% reduction factor shows up as 39.99% or 50.01% in the Percentage Drop column. The next section contains a table indicating, for each safeguard, the ALE before (Original ALE) and after the safeguard is implemented.

Safeguard: Physical Access Control
Threat                 Original ALE     ALE with Safeguard   Percentage Drop
Misuse: Computer       $1,428           $1,285               10.01%
Theft of Assets        $6,717           $3,358               50.01%

Safeguard: Application Controls
Threat                 Original ALE     ALE with Safeguard   Percentage Drop
Data Destruction       $90,594          $81,534              10.00%
Errors, General/All    $24,069          $18,051              25.00%
Misuse: Computer       $1,428           $1,356               5.04%

Safeguard: Audit Trails
Threat                 Original ALE     ALE with Safeguard   Percentage Drop
Errors, General/All    $24,069          $20,458              15.00%
Misuse: Computer       $1,428           $1,071               25.00%

Safeguard: Classification Markings
Threat                 Original ALE     ALE with Safeguard   Percentage Drop
Data Disclosure        $4,799           $2,880               39.99%

Safeguard: Contingency Plan
Threat                 Original ALE     ALE with Safeguard   Percentage Drop
Data Destruction       $90,594          $90,444              0.17%
Fraud/Embezzlement     $145             $138                 4.83%

Safeguard: Contract Specifications (no threats listed)

Safeguard: Data Encryption
Threat                 Original ALE     ALE with Safeguard   Percentage Drop
Data Destruction       $90,594          $45,297              50.00%
Data Disclosure        $4,799           $2,400               49.99%
Fraud/Embezzlement     $145             $109                 24.83%

Safeguard: Detection System
Threat                 Original ALE     ALE with Safeguard   Percentage Drop
Fire, Major            $233             $139                 40.34%
Misuse: Computer       $1,428           $1,214               14.99%
Vandalism/Rioting      $19              $16                  15.79%

Safeguard: Documentation (no threats listed)

Safeguard: Insurance/Bond
Threat                 Original ALE     ALE with Safeguard   Percentage Drop
Data Destruction       $90,594          $90,424              0.19%
Fraud/Embezzlement     $145             $137                 5.52%

Safeguard: Life Cycle Management
Threat                 Original ALE     ALE with Safeguard   Percentage Drop
Errors, General/All    $24,069          $19,255              20.00%
Fraud/Embezzlement     $145             $138                 4.83%

Safeguard: Monitor System (no threats listed)

Safeguard: New Construction (no threats listed)

Safeguard: Operating Procedures
Threat                 Original ALE     ALE with Safeguard   Percentage Drop
Data Destruction       $90,594          $81,534              10.00%
Errors, General/All    $24,069          $21,661              10.00%
Misuse: Computer       $1,428           $1,214               14.99%

Safeguard: OPR for each System (no threats listed)

Safeguard: Organizational Structure (no threats listed)

Safeguard: Passwords/Authentication
Threat                 Original ALE     ALE with Safeguard   Percentage Drop
Fraud/Embezzlement     $145             $116                 20.00%

Safeguard: Personnel Control
Threat                 Original ALE     ALE with Safeguard   Percentage Drop
Fraud/Embezzlement     $145             $138                 4.83%
Theft of Data          $15,952          $13,559              15.00%

Safeguard: Preventive Maintenance
Threat                 Original ALE     ALE with Safeguard   Percentage Drop
Hardware Failure       $19,099,875      $9,549,937           50.00%
Power Loss             $975             $731                 25.03%

Safeguard: Property Management
Threat                 Original ALE     ALE with Safeguard   Percentage Drop
Fraud/Embezzlement     $145             $123                 15.17%
Theft of Assets        $6,717           $3,358               50.01%

Safeguard: Quality Assurance
Threat                 Original ALE     ALE with Safeguard   Percentage Drop
Errors, General/All    $24,069          $19,255              20.00%
Fraud/Embezzlement     $145             $131                 9.66%
Misuse: Computer       $1,428           $1,214               14.99%

Safeguard: Redundant Power
Threat                 Original ALE     ALE with Safeguard   Percentage Drop
Hardware Failure       $19,099,875      $15,279,900          20.00%
Power Loss             $975             $243                 75.08%

Safeguard: Review of Sensitive Applications (no threats listed)

Safeguard: Risk Analysis (no threats listed)
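The tables above are RiskWatch output; the following Python script is an added example, not part of the lab report and not RiskWatch's own code. It transcribes the rows above, recomputes the Percentage Drop column from the rounded dollar figures (which is why 39.99% and 50.01% appear where 40% and 50% factors were applied), totals the annual loss avoided per safeguard and ranks the safeguards by it, and adds a net-benefit check against the safeguard's initial and maintenance costs. The report gives no cost figures, so the costs passed to net_annual_benefit in the usage block are assumptions; incident_ale uses the standard SLE x ARO definition, which the report does not state.

```python
"""Recompute RiskWatch-style safeguard summaries from the report's ALE tables.

Added example; the ROWS data is transcribed from the tables in the report,
the cost figures used at the bottom are assumptions (the report lists none).
"""
from collections import defaultdict

# (safeguard, threat, Original ALE in $, ALE with Safeguard in $), transcribed from the report.
ROWS = [
    ("Physical Access Control", "Misuse: Computer", 1_428, 1_285),
    ("Physical Access Control", "Theft of Assets", 6_717, 3_358),
    ("Application Controls", "Data Destruction", 90_594, 81_534),
    ("Application Controls", "Errors, General/All", 24_069, 18_051),
    ("Application Controls", "Misuse: Computer", 1_428, 1_356),
    ("Audit Trails", "Errors, General/All", 24_069, 20_458),
    ("Audit Trails", "Misuse: Computer", 1_428, 1_071),
    ("Classification Markings", "Data Disclosure", 4_799, 2_880),
    ("Contingency Plan", "Data Destruction", 90_594, 90_444),
    ("Contingency Plan", "Fraud/Embezzlement", 145, 138),
    ("Data Encryption", "Data Destruction", 90_594, 45_297),
    ("Data Encryption", "Data Disclosure", 4_799, 2_400),
    ("Data Encryption", "Fraud/Embezzlement", 145, 109),
    ("Detection System", "Fire, Major", 233, 139),
    ("Detection System", "Misuse: Computer", 1_428, 1_214),
    ("Detection System", "Vandalism/Rioting", 19, 16),
    ("Insurance/Bond", "Data Destruction", 90_594, 90_424),
    ("Insurance/Bond", "Fraud/Embezzlement", 145, 137),
    ("Life Cycle Management", "Errors, General/All", 24_069, 19_255),
    ("Life Cycle Management", "Fraud/Embezzlement", 145, 138),
    ("Operating Procedures", "Data Destruction", 90_594, 81_534),
    ("Operating Procedures", "Errors, General/All", 24_069, 21_661),
    ("Operating Procedures", "Misuse: Computer", 1_428, 1_214),
    ("Passwords/Authentication", "Fraud/Embezzlement", 145, 116),
    ("Personnel Control", "Fraud/Embezzlement", 145, 138),
    ("Personnel Control", "Theft of Data", 15_952, 13_559),
    ("Preventive Maintenance", "Hardware Failure", 19_099_875, 9_549_937),
    ("Preventive Maintenance", "Power Loss", 975, 731),
    ("Property Management", "Fraud/Embezzlement", 145, 123),
    ("Property Management", "Theft of Assets", 6_717, 3_358),
    ("Quality Assurance", "Errors, General/All", 24_069, 19_255),
    ("Quality Assurance", "Fraud/Embezzlement", 145, 131),
    ("Quality Assurance", "Misuse: Computer", 1_428, 1_214),
    ("Redundant Power", "Hardware Failure", 19_099_875, 15_279_900),
    ("Redundant Power", "Power Loss", 975, 243),
]


def incident_ale(single_loss_expectancy, annual_rate_of_occurrence):
    """ALE of one incident: SLE x ARO (standard definition, not stated in the report)."""
    return single_loss_expectancy * annual_rate_of_occurrence


def threat_ale(incident_ales):
    """The report's rule: a threat's ALE is the sum of the ALEs of its incidents."""
    return sum(incident_ales)


def percentage_drop(original, with_safeguard):
    """Percentage Drop column, relative to the original ALE (0 when there was no loss)."""
    if original == 0:
        return 0.0
    return (original - with_safeguard) / original * 100


def reduction_by_safeguard(rows):
    """Annual loss avoided by each safeguard, summed over all the threats it affects."""
    totals = defaultdict(int)
    for safeguard, _threat, original, with_safeguard in rows:
        totals[safeguard] += original - with_safeguard
    return dict(totals)


def rank_safeguards(rows):
    """Safeguards ordered by total ALE reduction, largest first."""
    return sorted(reduction_by_safeguard(rows).items(), key=lambda kv: kv[1], reverse=True)


def net_annual_benefit(ale_reduction, initial_cost, annual_maintenance, years):
    """ALE reduction minus the annualised safeguard cost (initial cost spread over `years`)."""
    if years <= 0:
        raise ValueError("years must be positive")
    return ale_reduction - (initial_cost / years + annual_maintenance)


if __name__ == "__main__":
    for safeguard, saved in rank_safeguards(ROWS):
        print(f"{safeguard:28s} ${saved:>12,}")
    # Hypothetical cost figures (not from the report) to show the cost/benefit check.
    saved = reduction_by_safeguard(ROWS)["Redundant Power"]
    print("Redundant Power net benefit:", f"${net_annual_benefit(saved, 250_000, 40_000, 5):,.0f}")
```

Running it shows what the per-threat tables obscure: the Hardware Failure ALE of $19,099,875 dominates the whole assessment, so Preventive Maintenance (about $9.55M avoided) and Redundant Power (about $3.82M) outrank every other safeguard by orders of magnitude, and the large-percentage but small-dollar drops (for example the 75.08% cut in Power Loss) contribute almost nothing. A safeguard's priority should follow the dollar reduction net of its cost, not the Percentage Drop column.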