Professional Documents
Culture Documents
2004
,
.
. ,
(Abstract)
, . ,
.
, ,
.
,
,
() CRAMM .
............................................................................................................................................................................2
(ABSTRACT).............................................................................................................................................................3
.........................................................................................................................................................................4
A.1. .................................................................7
1.1
1.2
1.3
1.4
.....................................................................................................................................................................7
...........................................................................................................................................7
...........................................................................................9
..........................................................................................................................................................10
...................................................................................................................................................................11
.....................................................................................................................................................................11
BPL ............................................................................................................................................................12
...................................................................................................12
............................................................................................................................15
...............................................................................................................................16
.................................................................................................................................................17
.3
3.1
3.2
3.3
...................................................................................................................................................................20
........................................................................................................................20
........................................................................................................................................................22
.4
4.1
4.2
4.3
4.4
...................................................................................................................................................................23
10 ..........................................................................................................................23
FRAP (FACILITATED RISK ANALYSIS PROCESS).......................................................................................29
OCTAVE (OPERATIONALLY CRITICAL THREAT, ASSET, AND VULNERABILITY EVALUATION)................35
.5 .................................................................................................................41
5.1
5.2
5.3
5.4
5.5
5.6
5.7
...................................................................................................................................................................41
...................................................................................................41
CALLIO SECURA 17799 ..............................................................................................................................................44
COBRA.....................................................................................................................................................................46
CRAMM ...................................................................................................................................................................46
EZRISK .......................................................................................................................................................................47
RISKWATCH FOR INFORMATION SYSTEMS & ISO 17799...........................................................................................47
........................................................................................................................................................................48
.1.
1.1
1.2
1.3
1.4
..................................................................................................................................................................50
............................................................................................................................................50
.........................................................................................................................................50
............................................................................................................................................50
..............................................................................................................................................................50
.2.
CRAMM () ....................................................................................51
.3.
(ASSETS)....................................................................................................................52
3.1
3.2
3.3
3.4
.4.
4.1
4.2
4.3
.5.
5.1
5.2
5.3
.6.
6.1
6.2
6.3
.7.
..........................................................................................................................................................52
.........................................................................................53
..............................................................................................................................................54
................................................................................................56
....................................................................................................................................57
..........................................................................................................................................................57
....................................................................................................................58
...................................................................................63
(RISK)...........................................................................................................65
..........................................................................................................................................................65
...............................................................................................................65
........................................................................................................................67
...............................................................................................................................................................68
..........................................................................................................................................................68
CRAMM .............................................................................68
....................................................................................................69
..................................................................................................................................................................71
A.1.
1.1
,
. H .
, Internet
. ,
. ,
,
, ,
.
,
.
:
, .
, .
1.2
80,
,
. .
90 ,
.
CERT 1988-2003:
[Figure: CERT incident statistics per year, 1988-2003. The chart image is not in the extracted text; the data series below is recovered from the chart's axis and value rows. The extracted value row has one entry fewer than the year row, so the series is aligned to 1989-2003 and the 1988 value is absent from the extraction.]
1988  (value absent from extracted text)
1989  132
1990  252
1991  406
1992  773
1993  1334
1994  2340
1995  2412
1996  2573
1997  2134
1998  3734
1999  9859
2000  21756
2001  52658
2002  82094
2003  137529
,
.
, (bugs).
,
.
. ,
,
.
.
CERT 1995-2003:
[Figure: CERT vulnerability statistics per year, 1995-2003. The chart image is not in the extracted text; the year/value pairs below are recovered from the chart's data labels.]
1995  171
1996  345
1997  311
1998  262
1999  417
2000  1090
2001  2437
2002  4129
2003  3784
:
.
1.3
. ,
.
.
2002 Computer Security Institute (CSI)
FBI 503 ,
, , , 80%
. 223
$455,848,000.
($170,827,000) ($115,753,000).
2003 $201,797,340,
.
Internet. , 4 ,
(73%) Internet
(36%).
.
. Mydoom
9
38
, ,
, , .
.
1.4
, ,
.
,
.
(, , , )
.
. ,
, .
,
.
(risk analysis).
.
. , ,
,
.
. ,
.
,
,
.
,
.
10
mainframe .
.
.
,
mainframe.
.
,
.
. (risk
analysis).
2.2
:
:
, ,
.
:
,
.
:
.
, ,
4 :
1. ; ()
2. ; ()
3. ; ()
4. 3 ; (
)
11
:
. ,
.
:
,
.
.
.
2.3
BPL
B > P * L
BPL :
=
P =
L =
.
.
.
, .
.
. ,
.
.
,
BPL.
2.4
,
(cost effective)
,
.
.
, .
12
:
.
:
1. :
.
2.
:
,
.
.
13
3.
:
.
,
.
4. :
.
.
:
= x
5. :
. , :
- ( )
-
6. :
3 :
)
)
) ( )
:
- , .
- :
- .
- . , firewall
- , .
- (), . backup
.
7. :
.
. ,
, , .
.
.
14
2.5
.
.
,
.
.
.
.
.
.
.
.
.
. ,
.
.
15
2.6
.
.
: (quantitative) (qualitative).
:
(.
) .
( )
. (
, , ,
, ) .
:
(managers)
/ (cost/benefit) .
(
, )
.
.
:
.
.
,
(knowledge
base).
,
.
. ,
,
.
:
. .
, , .
.
,
.
.
.
16
,
.
.
:
.
:
. ,
.
/ (cost/benefit)
.
.
2.7
.
.
, .
.
.
.
.
() .
.
.
,
.
17
:
: , ,
: , ,
: , , ,
(
) :
, , , ,
, , ,
(. ),
, , .
.
, .
.
.
.
()
1.000
1
1 5
2
5 15
3
15 50
4
50 150
5
150 300
6
300 1
7
1 3
8
3
9
.
:
:
;
: ;
18
2
4
5
6
8
, .
. 5
,
4 .
.
19
.3
(Quantitative Risk Analysis)
3.1
,
.
. ,
.
3.2
() .
:
: 10.000
: 6.000
backup : 4000
backup: 1.000
: 21.000
.
(knowledge bases)
0,9
.
.
0 ( ) 1
( ). 0,3
30% 30%
.
(single loss expectancy) :
SLE = * = 21.000 * 0,3 = 6.300
(Annualized Loss Expectancy):
ALE = SLE * = 6.300 * 0,9 = 5.760
20
:
0,4
= 0
= 1.000
/ :
,
:
ALE = * * = 21.000 * 0,3 * 0,4 = 2.520
To ALE ALE = 5.760 - 2.520 = 3.240
,
.
RAID
RAID
. ,
,
. RAID
0,08.
= 3.000
= 0
/ :
:
ALE = * * = 21.000 * 0,08 * 0,9 = 1512
To ALE ALE = 5.760 - 1.512 = 4.248
.
, RAID
.
RAID; RAID
1512
:
ALE = * * = 21.000 * 0,08 * 0,4 = 672
To ALE ALE = 1.512 - 672 = 840
(1000 )
(840 )
.
21
3.3
.
,
,
.
. ,
.
22
.4
(Qualitative Risk Analysis)
4.1
.
,
.
,
. ,
.
.
4.2
10
.
:
.
.
10 . 10
.
1:
.
.
, ,
(.. ) .
.
. (..
Internet) ,
.
,
23
.
.
.
2:
.
,
.
( ).
,
(.. ).
( )
(management)
. .
,
.
3:
,
.
.
.
(knowledge base).
.
(brainstorming).
.
.
, .
.
1
:
24
4:
,
.
.
2.
3
4
.
.
.
.
.
3.
3
:
1
3
5
25
5:
.
, .
.
.
.
, .
2.
4.
4
:
1
3
5
5
4
3
6:
, 2 10.
,
.
5
:
...
5
3
1
3
4
5
8
7
6
,
.
, ,
.
26
7:
.
.
.
4 :
1. :
2. : ,
3. : ,
4. :
.
4
.
.
.
6
:
27
1.500
10.000
15.000
8: / (cost/benefit)
.
, , .
.
.
.
,
.
.
. /
.
.
9:
/
.
,
.
/ , ,
.
.
10:
. :
.
:
)
.
.
.
)
.
.
28
)
. (, , ).
,
.
)
, .
.
.
, . ,
.
4.3
FRAP
.
.
,
. , ,
,
. FRAP.
, ,
. ,
.
,
. ,
,
, Internet .
29
,
,
/ .
26
.
.
, ,
.
,
project
(project lead)
(action plan).
/
. ,
.
FRAP :
1. , ,
project FRAP.
2. ,
7-15 , 4 50
.
3. FRAP (report), 4-6
FRAP .
4.
.
(pre-FRAP meeting)
, project (project leader) FRAP.
1 :
1.
10 ,
.
.
10 .
2.
,
.
FRAP
.
3. FRAP
FRAP.
30
4.
,
.
5.
(, ,
, , , )
.
.
FRAP
.
. ,
.
,
.
FRAP
FRAP .
(
). FRAP 7
15 . ,
.
, ,
:
-
- (Information Security)
-
-
-
- (Webmasters)
- firewalls
, .
FRAP.
,
. FRAP
.
31
FRAP
FRAP . FRAP :
1.
2.
3. -
4. ,
5.
6. ( )
7.
8. . , ,
9.
10.
11. FRAP
12. ,
FRAP
FRAP 4 .
3 4
FRAP
.
FRAP , ,
, .
, :
1. ()
2. Project (project leader)
3. FRAP
4.
5.
,
. ,
.
,
(brainstorming) ,
, ,
.
. 3
. ,
. ,
.
.
.
32
,
, ( )
. 10-15
.
. ,
.
3 , :
:
.
:
.
: .
.
3
:
:
: ,
:
.
( )
4 , :
, :
B
B
C
C
C
D
. :
1.
.
2. 3-4
.
, . ,
.
, 15 10 C 5
C .
33
3. 10 , , 10
. ,
.
. 26
FRAP
FRAP .
.
.
:
1.
.
2. 3-4
.
.
:
#
1
1,5,8,11
2
D
hardware software
3
2,4,11,17,20,24
4
( )
. 3 6
. , project FRAP
1 2
.
100% .
.
FRAP .
.
FRAP
.
34
FRAP 5
. , , project
(action plan).
(cross-reference sheet).
.
,
. (
), project
.
80%
. ,
. ,
/ .
,
.
4.4
OCTAVE 3 ,
.
(workshops),
.
35
OCTAVE
OCTAVE
OCTAVE :
1.
2.
.
.
.
, .
. ,
,
.
(Preparation)
.
:
:
.
.
.
:
.
36
. ,
.
: ,
.
.
.
:
,
.
, .
: , ,
.
1
.
:
37
1-3:
.
(assets) .
:
1.
2.
3.
4.
:
1. :
2. :
3. : .
4:
.
.
:
- 3
-
-
-
2
OCTAVE
()
(, , ). 2
:
38
5:
.
,
. 5
:
-
-
6:
.
5.
. 6 :
-
-
3
.
.
:
39
7:
.
. 7
:
-
-
-
8:
8 2 .
.
,
. :
- 1-3
- 7
-
-
-
,
.
.
:
-
-
- () ,
-
,
OCTAVE .
40
.5
5.1
. ,
.
,
.
.
.
.
Internet ( ).
5.2
80.
. ,
,
. 90
,
. ,
.
:
.
.
(knowledge bases)
,
.
,
,
.
:
,
. ,
.
.
41
,
.
.
.
:
,
.
.
.
:
.
.
.
:
,
.
.
. ,
.
:
,
.
.
:
, ,
.
.
:
.
, , ,
,
/.
,
.
,
42
.
What If:
. what if.
what if
.
.
:
. .
.
.
rtf, doc .
:
.
:
.
,
.
,
.
.
:
.
web browser
.
. ,
.
.
:
.
.
:
.
43
5.3
44
45
5.4
COBRA
COBRA .
C&A Systems Security Ltd
3. ,
ISO17799/BS7799.
. ,
(knowledge
bases). What if ,
. ,
.
( )
.
MS Windows
interface .
5.5
CRAMM
CRAMM
CCTA (Central Computer and Telecommunications Agency)
1985
. ,
5,
Insight Consulting . CRAMM
, 500 23 ,
NATO. ,
ISO17799/BS7799. :
- (3000 )
. .
- What if
- Business Continuity
-
-
- MS Windows
- (
)
CRAMM ,
. , CRAMM Express
.
46
5.6
Ezrisk
Ezrisk Ezrisk Limited
.
. Ezrisk
, .
,
.
ISO17799/BS7799 .
,
. ,
ISO17799/BS7799, . Ezrisk
.
5.7
,
,
,
,
.
-
-
,
- ROI (Return on Investment). ,
/.
- What if
-
.
.
- (interface) windows
RiskWatch
.
: , , NSA (National
Security Agency), AT&T Vodafone
47
., Risk Analysis and Risk Management: Capabilities and Limitations
. ., ,
Alberts C., Dorofee A., Stevens J. and Woody C., Introduction to the OCTAVE Approach (pdf), CERT, August 2003, http://www.cert.org/octave/approach_intro.pdf
Alberts C. and Dorofee A., Managing Information Security Risks: The OCTAVE(SM) Approach, Addison Wesley, July 2002
Ding Tan, Quantitative Risk Analysis Step-By-Step, SANS Institute, December 2002
Krause M. and Tipton H., Handbook of Information Security Management, http://www.cccure.org/Documents/HISM/ewtoc.html
McCarthy Linda, IT Security: Risking the Corporation, Prentice Hall PTR, February 2003
Meritt James, A Method for Quantitative Risk Analysis, CISSP
Nichols A., A Perspective on Threats in the Risk Analysis Process, SANS Institute, 2002
OCTAVE, CERT, www.cert.org/octave/
Peltier Thomas, Information Security Risk Analysis, Auerbach
Pierce E., The value of Risk Assessment - A Case Study, SANS Institute, 2003
Visintine Vishal, An Introduction to Information Risk Assessment, SANS Institute, 2003
Callio Secura 17799, www.callio.com
COBRA, www.riskworld.net
CRAMM, www.cramm.com
Ezrisk, www.ezrisk.co.uk
RiskWatch, www.riskwatch.com
48
()
CRAMM
49
.1.
1.1
.
,
.
1.2
(mission critical),
. ,
. ,
(servers)
.
1.3
CRAMM
,
The CRAMM Manager Insight Consulting,
4. (qualitative) ,
(quantitative) ,
.
.
1.4
. .
,
.
50
.2. CRAMM ()
CRAMM
(assets) ,
, .
(risk) ,
.
, (cost effective)
. ,
.
CRAMM :
-
-
-
-
-
-
-
.
51
.3. (assets)
3.1
CRAMM
:
(Data assets):
,
DNS server.
(End User Services):
.
.
:
, , , .
:
,
5
(software).
.
.
,
.
,
.
.
,
.
, CRAMM
.
, .
,
.
. ,
,
, .
(worst case).
1 10 (guidelines)
.
, ,
.
, , (
52
),
.
3.2
. .
.
.
,
:
Backup:
servers ,
(. )
. ,
backup . ,
.
DNS:
.
dns.
Smart Cards
smart cards
.
( , )
Authentication
(user account information).
,
. ,
mail .
.
AFS
AFS :
1. .
Internet.
2. licensing .
.
.
53
,
, .
( )
:
- 1 Backup Server
- backup server
- 2 DNS Servers ( )
- 1 Database Server smart cards
- 2 Authentication Servers ( , )
- 2 AFS File Servers
- 3 AFS License Servers
:
- Server Room, servers
- Backup Tape Room, backup
3.3
54
Backup
DNS Data
Backup
DNS
DNS
Servers
Backup
Server
Server
Room
Backup
Tapes
Server
Room
Backup
Tape
Room
Smart
Cards
Authentication
Data
Smart Cards
Authentication
Smart Card DB
Server
Authentication
Servers
Server
Room
Server
Room
AFS License
Data
AFS
AFS File
Servers
AFS File
Servers
Server
Room
Server
Room
AFS License
Servers
Server
Room
55
3.4
. .
CRAMM
:
1
2
3
4
5
1.000
1.000 10.000
10.000 30.000
30.000 100.000
100.000 300.000 .
3
3
2
3
2
2
. ,
, ,
.
:
:
DP = backup
DT = backup
I = (insiders)
= (outsiders)
DM =
.
56
.4.
4.1
CRAMM
. CRAMM
. ,
. , ,
:
-
-
-
-
.
:
- (logical infiltration)
- (communications infiltration)
- (failures of equipment)
- (physical threats) . ,
,
.
:
- very low
- low
- medium
- high
- very high
:
- low
- medium
- high
CRAMM .
(rapid risk assessment) .
.
57
, CRAMM
.
, .
(low, high ).
,
,
.
.
(guidelines) . ,
, ,
.
(
).
, ,
.
4.2
.
AFS:
, ,
dynamic licensing. :
Masquerading of User Identity by Insiders / Outsiders:
username password ,
. ,
,
. , administrator
.
Communications Interception:
server
.
Communications Failure:
, .
58
Authentication:
Masquerading of User Identity by Insiders / Outsiders:
username password
,
. , ,
,
.
Communications Interception:
server
.
Communications Failure:
.
Backup:
Masquerading of User Identity by Outsiders:
backup .
,
backup .
backup, .
Communications Interception:
(
backup server .
Communications Failure:
backup,
.
DNS:
Masquerading of User Identity by Insiders / Outsiders:
DNS
,
DNS tables. ,
DNS entry
. , (. www.auth.gr) DNS
(. ),
.
Communications Failure:
,
IP addresses, .
59
Smart Cards:
Masquerading of User Identity by Insiders / Outsiders:
smart cards. smart
cards
.
. ,
.
Communications Interception:
,
smart cards.
Communications Failure:
.
AFS File Server:
Introduction of Damaging or Disruptive Software:
, ,
(worms), . AFS File Server
( backup),
AFS.
Technical Failure of Host:
(hardware).
server
server.
System and Network Software Failure:
server. (accidental)
. : .
Authentication Server:
Introduction of Damaging or Disruptive Software:
, authentication
server.
Technical Failure of Host:
.
System and Network Software Failure:
Authentication.
60
Backup Server:
Introduction of Damaging or Disruptive Software:
backup
backup.
Technical Failure of Host:
backup
.
System and Network Software Failure:
backup,
backup.
DNS Server:
Introduction of Damaging or Disruptive Software:
DNS,
DNS backup DNS entries.
Technical Failure of Host:
DNS
backup.
System and Network Software Failure:
DNS
backup.
Smart Card DB Server:
Introduction of Damaging or Disruptive Software:
smart card,
backup .
Technical Failure of Host:
backup.
System and Network Software Failure:
,
backup
smart cards.
AFS License Server:
Introduction of Damaging or Disruptive Software:
license
information.
61
62
4.3
.
,
. . .
.
.
.
:
- very low, 10.
- low,
3
- medium,
- high,
4
- very high,
. ,
.
.
63
Low
Medium
High
High
Low
Medium
Medium
Low
High
Medium
High
High
Medium
Low
Very Low
Medium
High
Medium
Very Low
Very Low
Low
Medium
Low
Very Low
Communications Interception
!Smart card
!Authentication
!AFS
!Backup
High
High
High
High
Medium
Medium
Medium
Medium
Communications Failure
!DNS
!Smart card
!Authentication
!AFS
!Backup
High
High
High
High
High
Very High
Very High
Very High
Very High
Very High
High
High
High
High
High
High
Low
Medium
Medium
Medium
Medium
Medium
Power Failure
!Server Room
Medium
Very High
High
Medium
High
High
High
High
High
High
Medium
Very High
Very High
Very High
High
High
Fire
!Server Room
!Backup Tape Room
High
High
Low
Low
Water Damage
!Server Room
Medium
Low
Theft by Insiders
!Server Room
!Backup Tape Room
High
High
Low
Low
Theft by Outsiders
!Server Room
!Backup Tape Room
High
High
Low
Low
Low
Very Low
64
.5. (risk)
5.1
CRAMM
.
,
.
CRAMM 1 ( ) 7 (
).
.
:
5.2
CRAMM
, .
.
65
Low
Medium
High
High
Low
Medium
Medium
Low
2
3
3
3
High
Medium
High
High
Medium
Low
Very Low
Medium
High
Medium
3
2
4
4
4
Very Low
Very Low
Low
Low
Very Low
3
2
2
3
2
Communications Interception
!Smart card
!Authentication
!AFS
!Backup
High
High
High
High
Medium
Medium
Medium
Medium
3
4
3
5
Communications Failure
!DNS
!Smart card
!Authentication
!AFS
!Backup
High
High
High
High
High
Very High
Very High
Very High
Very High
Very High
5
4
4
4
3
High
High
High
High
High
Low
Medium
Medium
Medium
Medium
2
2
2
3
3
Power Failure
!Server Room
Medium
Very High
High
Medium
High
High
High
High
Very High
Very High
High
High
3
2
3
2
Fire
!Server Room
!Backup Tape Room
High
High
Low
Low
4
4
Water Damage
!Server Room
Medium
Low
Theft by Insiders
!Server Room
!Backup Tape Room
High
High
Low
Low
4
4
Theft by Outsiders
!Server Room
!Backup Tape Room
High
High
Low
Low
4
4
Low
Very Low
66
5.3
,
. :
-
4 5,
.
. ,
,
.
:
.
.
67
.6.
6.1
CRAMM
.
.
. CRAMM
,
.
.
.
CRAMM
.
. ,
, . ,
.
6.2
CRAMM
CRAMM
.
:
-
Power Protection,
Room Physical Security,
Software Change Controls,
Software Maintenance Controls,
System Administration Controls,
Theft Protection,
Vulnerability Analysis,
Water Protection, .
68
CD , .
( pdf rtf ).
. 2 ,
. ,
.
.
,
.
, .
.
.
6.3
CRAMM
.
.
6.3.2
:
server room , .
.
servers ,
.
backup .
.
server
room .
. ,
.
69
:
server room
.
, .
business continuity planning .
:
.
,
hardware.
: .
:
backup DNS
Authentication. hardware, proprietary
hardware . ,
(servers)
(RAID).
6.3.3
Firewall:
To firewall
.
firewall.
:
.
Backup, Authentication Smart Card
.
Smart card server server .
:
.
redundancy .
NOC
.
6.3.4
:
. .
70
:
(patching)
.
.
(strong passwords):
(
) .
, ,
. 6 .
3 .
.
brute force .
6.3.5
,
.
(Intrusion detection)
(accounting)
. , log
files .
6.3.6
(, worms, ) .
(.
logged in )
.7.
.
,
. .
.
71
.
, ,
.
,
( ). ,
2
.
.
.
:
Policy and Operations of Public Service:
Financial Loss:
(.
)
Loss of Goodwill:
(embarrassment) .
Personal Information:
(. ).
.
Management and business operations:
.
Disruption to Activities:
.
CRAMM V4.0
Type of Data
Interviewees
Interviewers
Date
26/Mar/2004
Status
Completed
Description of Data
Impacts
Unavailability - less than 15 minutes
Guideline
Policy and Operations of Public Service
Unavailability - 1 hour
Guideline
Policy and Operations of Public Service
Unavailability - 3 hours
Guideline
Policy and Operations of Public Service
Unavailability - 1 day
Guideline
Policy and Operations of Public Service
Unavailability - 2 weeks
Guideline
Policy and Operations of Public Service
Guideline
Policy and Operations of Public Service
Scale
Value
1
Financial
Value
Scale
Value
1
Financial
Value
Scale
Value
2
Financial
Value
Scale
Value
3
Financial
Value
Scale
Value
4
Financial
Value
Scale
Value
5
Financial
Value
Confidential
12-Apr-2004 1:55:14
Page: 1
Guideline
Scale
Value
Guideline
Scale
Value
5
Financial
Value
Scale
Value
2
Financial
Value
Scale
Value
3
Financial
Value
Guideline
Financial Loss
Guideline
Financial Loss
Financial
Value
Type of Data
Personal
Interviewees
Interviewers
Date
26/Mar/2004
Status
Completed
Description of Data
home directory
AFS
Impacts
Unavailability - 3 hours
Guideline
Scale
Value
1
Financial
Value
Scale
Value
2
Financial
Value
Scale
Value
3
Financial
Value
Scale
Value
4
Financial
Value
Guideline
Scale
Value
Financial
Value
Loss of Goodwill
Guideline
Scale
Value
6
Loss of Goodwill
Unavailability - 1 day
Guideline
Loss of Goodwill
Unavailability - 1 week
Guideline
Loss of Goodwill
Guideline
Loss of Goodwill
Loss of Goodwill
Financial
Value
Guideline
Personal Information
Guideline
Personal Information
Deliberate modification
Guideline
Loss of Goodwill
Scale
Value
1
Financial
Value
Scale
Value
1
Financial
Value
Scale
Value
2
Financial
Value
Authentication Data
Type of Data
Interviewees
Interviewers
Date
26/Mar/2004
Status
Completed
Description of Data
(login password)
Impacts
Unavailability - less than 15 minutes
Guideline
Scale
Value
1
Financial
Value
Scale
Value
2
Financial
Value
Scale
Value
3
Financial
Value
Scale
Value
4
Financial
Value
Scale
Value
5
Financial
Value
Guideline
Scale
Value
Financial
Value
Guideline
Policy and Operations of Public Service
Unavailability - 1 day
Guideline
Policy and Operations of Public Service
Unavailability - 1 week
Guideline
Policy and Operations of Public Service
Unavailability - 1 month
Guideline
Policy and Operations of Public Service
Authentication Data
Guideline
Policy and Operations of Public Service
Guideline
Personal Information
Guideline
Personal Information
Deliberate modification
Guideline
Personal Information
Scale
Value
8
Financial
Value
Scale
Value
3
Financial
Value
Scale
Value
5
Financial
Value
Scale
Value
3
Financial
Value
DNS Data
Type of Data
Interviewees
Interviewers
Date
26/Mar/2004
Status
Completed
Description of Data
Domain Name data
Impacts
Unavailability - 1 hour
Guideline
Scale
Value
2
Financial
Value
Scale
Value
3
Financial
Value
Scale
Value
4
Financial
Value
Scale
Value
5
Financial
Value
Scale
Value
6
Financial
Value
Guideline
Scale
Value
Financial
Value
Guideline
Policy and Operations of Public Service
Unavailability - 12 hours
Guideline
Policy and Operations of Public Service
Unavailability - 1 week
Guideline
Policy and Operations of Public Service
Unavailability - 1 month
Guideline
Policy and Operations of Public Service
DNS Data
Guideline
Policy and Operations of Public Service
Deliberate modification
Guideline
Loss of Goodwill
Scale
Value
5
Financial
Value
Scale
Value
3
Financial
Value
Backup
Type of Data
Personal
Interviewees
Interviewers
Date
26/Mar/2004
Status
Completed
Description of Data
backup,
Impacts
Unavailability - 1 day
Guideline
Financial
Value
Guideline
Financial
Value
Guideline
Financial
Value
Guideline
Financial
Value
Guideline
Unavailability - 1 week
Unavailability - 1 month
Scale
Value
Management and Business Operation
1
Scale
Value
Management and Business Operation
2
Scale
Value
Management and Business Operation
4
Scale
Value
Management and Business Operation
5
Personal Information
Unauthorized disclosure to outsiders
Guideline
Personal Information
Scale
Value
6
Financial
Value
Scale
Value
6
Financial
Value
Backup
Deliberate modification
Guideline
Personal Information
Scale
Value
3
Financial
Value
smart cards
Type of Data
Interviewees
Interviewers
Date
26/Mar/2004
Status
Completed
Description of Data
smart cards .
Impacts
Unavailability - 3 hours
Guideline
Scale
Value
1
Financial
Value
Scale
Value
2
Financial
Value
Scale
Value
3
Financial
Value
Scale
Value
4
Financial
Value
Guideline
Scale
Value
Financial
Value
Guideline
Scale
Value
2
Loss of Goodwill
Unavailability - 1 day
Guideline
Loss of Goodwill
Unavailability - 1 week
Guideline
Loss of Goodwill
Guideline
Loss of Goodwill
Disruption to Activities
Financial
Value
smart cards
Deliberate modification
Guideline
Financial Loss
Guideline
Financial Loss
Scale
Value
3
Financial
Value
Scale
Value
3
Financial
Value
.
, .
. ,
. 4 ,
, , .
Very Low (VL), Low (L), Medium (M), High (H), Very High (VH). Low (L), Medium (M), High (H).
1-10 1-7.
3.1 , 4.1 5.1
:
UNAVAIL- = X
DISCL-I =
DISCL-O =
MODIF-DEL= ( )
DESTR-PART= backup
DESTR-FULL= backup
PHYSICAL-DEST=
CRAMM V4
Vulnerability
Impact
MoR
VL
DISCL-I
VL
MODIF-DEL
VL
UNAVAIL-15ML
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
UNAVAIL-2D
DESTR-PART
UNAVAIL-15ML
VH
UNAVAIL-1H
VH
UNAVAIL-3H
VH
UNAVAIL-12H
VH
DISCL-I
DISCL-O
Asset: !AFS
Threat
Vulnerability
Impact
MoR
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
DESTR-PART
DISCL-I
MODIF-DEL
UNAVAIL-15ML
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
UNAVAIL-2D
DISCL-O
MODIF-DEL
DISCL-I
DISCL-O
, 8 2004
Confidential
Page 1 of 7
VH
UNAVAIL-1H
VH
UNAVAIL-3H
VH
UNAVAIL-12H
VH
UNAVAIL-1D
VH
UNAVAIL-2D
VH
Threat
Vulnerability
Impact
MoR
DISCL-I
MODIF-DEL
UNAVAIL-15ML
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
UNAVAIL-2D
DESTR-PART
UNAVAIL-15ML
VH
UNAVAIL-1H
VH
UNAVAIL-3H
VH
UNAVAIL-12H
VH
Asset: !Authentication
Threat
Vulnerability
Impact
MoR
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
DESTR-PART
DISCL-I
MODIF-DEL
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
UNAVAIL-2D
DISCL-O
MODIF-DEL
DISCL-I
DISCL-O
UNAVAIL-15ML
VH
UNAVAIL-1H
VH
UNAVAIL-3H
VH
UNAVAIL-12H
VH
UNAVAIL-1D
VH
UNAVAIL-2D
VH
Asset: !Backup
Threat
Vulnerability
Impact
MoR
DISCL-I
DISCL-O
UNAVAIL-1D
VH
UNAVAIL-2D
VH
Threat
Vulnerability
Impact
MoR
VL
UNAVAIL-1D
UNAVAIL-2D
UNAVAIL-1W
Threat
Vulnerability
Impact
MoR
Threat: Fire
DESTR-FULL
Asset: !DNS
Threat
M
Vulnerability
6
Impact
4
MoR
UNAVAIL-3H
UNAVAIL-12H
DESTR-PART
MODIF-DEL
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
MODIF-DEL
UNAVAIL-1H
VH
UNAVAIL-3H
VH
UNAVAIL-12H
VH
UNAVAIL-1D
VH
UNAVAIL-2D
VH
Threat
Vulnerability
Impact
MoR
MODIF-DEL
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
UNAVAIL-2D
DESTR-PART
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
Threat
Vulnerability
Impact
MoR
VH
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
PHYSICAL-DEST
UNAVAIL-15ML
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
UNAVAIL-2D
UNAVAIL-1W
UNAVAIL-2W
UNAVAIL-1M
UNAVAIL-2MO
DESTR-PART
PHYSICAL-DEST
UNAVAIL-15ML
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
UNAVAIL-2D
UNAVAIL-1W
DESTR-PART
UNAVAIL-15ML
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
UNAVAIL-2D
DISCL-O
Threat: Fire
VL
UNAVAIL-15ML
VL
UNAVAIL-1H
VL
UNAVAIL-3H
VL
UNAVAIL-12H
VL
UNAVAIL-1D
VL
UNAVAIL-2D
VL
UNAVAIL-1W
VL
UNAVAIL-2W
VL
DESTR-PART
VL
Threat
Vulnerability
Impact
MoR
MODIF-DEL
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
UNAVAIL-2D
DESTR-PART
UNAVAIL-3H
VH
UNAVAIL-12H
VH
Threat
Vulnerability
Impact
MoR
UNAVAIL-12H
DESTR-PART
MODIF-DEL
UNAVAIL-3H
VL
UNAVAIL-12H
VL
UNAVAIL-1D
VL
UNAVAIL-2D
VL
DISCL-O
VL
MODIF-DEL
VL
VH
UNAVAIL-12H
VH
UNAVAIL-1D
VH
UNAVAIL-2D
VH
Threat
Vulnerability
Impact
MoR
VL
DISCL-I
VL
UNAVAIL-15ML
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
UNAVAIL-2D
UNAVAIL-15ML
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
DISCL-I
VL
DISCL-O
VL