Information Security Fundamentals. Фан_6363_лаб-7-23.12. Report on laboratory work 7 in the course "Information Security Fundamentals". Topic: risk analysis using the RiskWatch software.
Safeguard: Security Classification

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Disclosure | $4,799 | $3,840 | 19.98% |

Safeguard: Security Plan

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Disclosure | $4,799 | $4,559 | 5.00% |

Safeguard: Security Policy

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Destruction | $90,594 | $86,064 | 5.00% |

Safeguard: Security Staff

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Destruction | $90,594 | $72,475 | 20.00% |
| Data Disclosure | $4,799 | $3,840 | 19.98% |
| Fraud/Embezzlement | $145 | $102 | 29.66% |
| Misuse: Computer | $1,428 | $1,285 | 10.01% |
| Theft of Assets | $6,717 | $5,374 | 19.99% |
| Theft of Data | $15,952 | $12,761 | 20.00% |

Safeguard: Safeguard Test & Eval.

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Destruction | $90,594 | $81,534 | 10.00% |
| Data Disclosure | $4,799 | $4,319 | 10.00% |
| Fraud/Embezzlement | $145 | $131 | 9.66% |
| Theft of Assets | $6,717 | $6,046 | 9.99% |
| Theft of Data | $15,952 | $14,357 | 10.00% |

Safeguard: System Validation

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Data Destruction | $90,594 | $77,005 | 15.00% |
| Errors, General/All | $24,069 | $18,051 | 25.00% |

Safeguard: Technical Surveillance (no threats listed)

Safeguard: Training (no threats listed)

Safeguard: Visitor Control

| Threat | Original ALE | ALE with Safeguard | Percentage Drop |
|---|---|---|---|
| Theft of Assets | $6,717 | $4,701 | 30.01% |

The following is a table indicating, for each safeguard, the ALE before (Original ALE) and after the safeguard is implemented (ALE with Safeguard). This table also indicates the difference between the two ALE values. Also shown is a bar chart that provides a visual presentation of the difference in ALE for each safeguard.

| Safeguard | Original ALE | ALE with Safeguard | Difference |
|---|---|---|---|
| Physical Access Control | $19,401,957 | $19,398,456 | $3,501 |
| Application Controls | $19,401,957 | $19,386,809 | $15,148 |
| Audit Trails | $19,401,957 | $19,397,990 | $3,967 |
| Classification Markings | $19,401,957 | $19,400,037 | $1,920 |
| Contingency Plan | $19,401,957 | $19,401,799 | $158 |
| Contract Specifications | $19,401,957 | $19,401,957 | $0 |
| Data Encryption | $19,401,957 | $19,354,224 | $47,733 |
| Detection System | $19,401,957 | $19,401,648 | $309 |
| Documentation | $19,401,957 | $19,401,957 | $0 |
| Insurance/Bond | $19,401,957 | $19,401,778 | $179 |
| Life Cycle Management | $19,401,957 | $19,397,136 | $4,821 |
| Monitor System | $19,401,957 | $19,401,957 | $0 |
| New Construction | $19,401,957 | $19,401,957 | $0 |
| Operating Procedures | $19,401,957 | $19,390,277 | $11,680 |
| OPR for each System | $19,401,957 | $19,401,957 | $0 |
| Organizational Structure | $19,401,957 | $19,401,957 | $0 |
| Passwords/Authentication | $19,401,957 | $19,401,928 | $29 |
| Personnel Control | $19,401,957 | $19,399,557 | $2,400 |
| Preventive Maintenance | $19,401,957 | $9,851,776 | $9,550,181 |
| Property Management | $19,401,957 | $19,398,577 | $3,380 |
| Quality Assurance | $19,401,957 | $19,396,915 | $5,042 |
| Redundant Power | $19,401,957 | $15,581,251 | $3,820,706 |
| Review Sens. Applications | $19,401,957 | $19,401,957 | $0 |
| Risk Analysis | $19,401,957 | $19,401,957 | $0 |
| Security Classification | $19,401,957 | $19,400,997 | $960 |
| Security Plan | $19,401,957 | $19,401,717 | $240 |
| Security Policy | $19,401,957 | $19,397,427 | $4,530 |
| Security Staff | $19,401,957 | $19,378,158 | $23,799 |
| Safeguard Test & Eval. | $19,401,957 | $19,390,136 | $11,821 |
| System Validation | $19,401,957 | $19,382,351 | $19,606 |
| Technical Surveillance | $19,401,957 | $19,401,957 | $0 |
| Training | $19,401,957 | $19,401,957 | $0 |
| Visitor Control | $19,401,957 | $19,399,942 | $2,015 |

RESPONDENT REPORT

Legend: * - Below Threshold value: 60

FOR RESPONDENT Auditor

| No. | Item | Answer |
|---|---|---|
| 1 | ORG 3 - Internal Audit | 50* |
| 2 | ACC 3 - Continuous Accountability | 90 |
| 3 | ACC 4 - Written Accountability Policy | 50* |
| 4 | AUD.TR 1 - Maintain Investigation Reports | 80 |
| 5 | COMPL 2 - Training for Awareness | 30* |
| 6 | COMPL 3 - Investigate Incidents | 90 |
| 7 | C.PLAN 1 - Backup Personnel | Don't Know |
| 8 | C.PLAN 3 - Periodic Testing of Plans and Equipment | 100 |
| 9 | C.PLAN 4 - Existence of Plan | Not Applicable |
| 10 | DOC 1 - Security Testing Records | 50* |
| 11 | EVAL 1 - Annual Security Audit | 100 |
| 12 | FIRE 1 - Existence of Fire Control Plan | 100 |
| 13 | ORG 1 - Centralized Purchasing Authority | 100 |
| 14 | ACC 2 - Securing Copying Facilities | 0* |
| 15 | POL 1 - Life Cycle Management | 90 |
| 16 | POL 2 - Acquisition of Hardware and Software | 100 |
| 17 | PRIV.ACT 1 - Confidentiality Policy | 80 |
| 18 | PROC 1 - Inspection of Goods | 0* |
| 19 | TRAIN 1 - Training Budget | 100 |
| 20 | TRAIN 2 - Technological Training | 70 |
| 21 | TRAIN 5 - QA and Performance Program | 70 |
| 22 | ORG 8 - Vacancies Filled | 70 |
| 23 | ORG 9 - Automating Human Resource Management | 70 |
| 24 | POL 18 - Compensation Packages | 0* |
| 25 | PROC 21 - Procedures for Documentation Requirements | 100 |
| 26 | PROC 22 - Screening Candidates | 70 |
| 27 | PROC 23 - Procedures to Stop Rehiring Previously Terminated (for Cause) Employee | 30* |
| 28 | ACC 17 - Data File Accountability | 50* |
| 29 | TRAIN - New Employee Orientation | 20* |
| 30 | DISC 12 - Protect Network System Files | 20* |
| 31 | POL 14 - Written Policy for Backup | 0* |
| 32 | PROC | 20* |
| 33 | D.INTEG - Moving Data | 20* |
| 34 | D.INTEG - Data Verification | 70 |
| 35 | ADMIN - Reviewing Sensitivity | 50* |
| 36 | D.INTEG - Error Checking Software | 100 |
| 37 | TRAIN - Data Backup Training | 70 |
| 38 | AC - Restricted User Access | 80 |
| 39 | C.PLAN - Managers Contingency Plan Participation | 50* |
| 40 | POL - Provisions for Data Integrity | 100 |
| 41 | TRAIN - Periodic Training | 20* |
| 42 | ACC 1 - Adequate Accountability Control | 100 |
| 43 | C.PLAN - Testing Contingency Plan | 0* |
| 44 | POL - Protecting Sensitive Information | 100 |
| 45 | POL - Sensitive Information Storage | 50* |
| 46 | DOC - Internal and Security Controls | 20* |
| 47 | AUD.TR - Data Modification Reviews | 50* |
| 48 | D.INTEG - Testing System Changes | 50* |
| 49 | C.PLAN - Data Backed Up Off-Site | 80 |
| 50 | D.INTEG - Protecting Code | 20* |
| 51 | D.INTEG - Protecting Code from Duplication | 20* |
| 52 | TRAIN - Administrator Training | 80 |
| 53 | ACC - Data Ownership | 50* |
| 54 | D.INTEG - Periodically Reviewing Data Files | 80 |

Conclusion. Using the RiskWatch program, stochastic estimates of the effectiveness of information protection tools (СЗИ) were constructed, the most effective set was selected from the available alternatives, a threat analysis was carried out on the reference risk model for personal data (ПДн), and, finally, the effectiveness of standard personal-data protection measures was assessed on the same reference risk model.
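The safeguard tables above follow one simple model: each threat carries an annual loss expectancy (ALE), a safeguard cuts selected threats' ALE by a percentage, and the organisation's total ALE with the safeguard is the total ALE minus the sum of those per-threat reductions. The script below is an added example (not RiskWatch code) that reproduces the summary rows for three safeguards from the report's own per-threat figures and applies the respondent-report threshold rule; the function names are my own.

```python
"""ALE safeguard ranking in the RiskWatch style (added example, not tool code)."""

TOTAL_ALE = 19_401_957  # "Original ALE" from the summary table above

# Per-threat original ALE taken from the report's safeguard tables (dollars)
THREAT_ALE = {
    "Data Destruction": 90_594,
    "Data Disclosure": 4_799,
    "Fraud/Embezzlement": 145,
    "Misuse: Computer": 1_428,
    "Theft of Assets": 6_717,
    "Theft of Data": 15_952,
    "Errors, General/All": 24_069,
}

# Percentage drop each safeguard applies to each threat, from the report
SAFEGUARDS = {
    "Security Staff": {"Data Destruction": 20.0, "Data Disclosure": 19.98,
                       "Fraud/Embezzlement": 29.66, "Misuse: Computer": 10.01,
                       "Theft of Assets": 19.99, "Theft of Data": 20.0},
    "System Validation": {"Data Destruction": 15.0, "Errors, General/All": 25.0},
    "Visitor Control": {"Theft of Assets": 30.01},
}


def ale_reduction(drops):
    """Sum of per-threat ALE reductions for one safeguard, in whole dollars."""
    return round(sum(THREAT_ALE[t] * pct / 100 for t, pct in drops.items()))


def safeguard_summary(total_ale=TOTAL_ALE, safeguards=SAFEGUARDS):
    """Rows of (safeguard, ALE with safeguard, difference), best reduction first.
    Small discrepancies (a few dollars) against the report come from the
    percentages being displayed rounded to two decimals."""
    rows = [(name, total_ale - ale_reduction(d), ale_reduction(d))
            for name, d in safeguards.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def flag_below_threshold(answers, threshold=60):
    """RESPONDENT REPORT rule: numeric answers below the threshold get '*';
    'Don't Know' / 'Not Applicable' are not scored, so they are never flagged."""
    return [(item, ans, isinstance(ans, int) and ans < threshold)
            for item, ans in answers]


if __name__ == "__main__":
    for name, with_sg, diff in safeguard_summary():
        print(f"{name:<20} ${with_sg:>12,} ${diff:>8,}")
```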