CRAMM User Guide

Issue 5.1 July 2005

Crown Copyright
The CRAMM Risk Analysis and Management Method is
owned, administered and maintained by the Security Service
on behalf of the UK Government.
The intellectual property rights are protected by the
Controller of HMSO acting for and on behalf of the Crown.
Application for reproduction should be made to HMSO via
the Security Service at the address shown below.

First published April 1996

'CRAMM' and the CRAMM motif used on the cover of this publication are Trademarks.

Acknowledgements
CRAMM has been produced in consultation with the
Security Service and CESG, who are the UK Government
national security authorities.

Further information
Further information can be obtained from:
The CRAMM Manager
Insight Consulting
Churchfield House
5 The Quintet
Churchfield Road
Walton-on-Thames
Surrey, KT12 2TZ
Telephone: 01932-241000

Table of Contents

1. How to use the guide...............................................................................................................1-1
1.1 Copyright Notice..................................................................................................................1-1
1.2 Objectives of the guide ........................................................................................................1-1
1.3 Target audience ....................................................................................................................1-2
1.4 Structure of the guide ..........................................................................................................1-2
1.5 Conventions ..........................................................................................................................1-3
2. Introduction to CRAMM ........................................................................................................2-1
2.1 Introduction ..........................................................................................................................2-1
2.2 What is CRAMM? ................................................................................................................2-1
2.3 Background to CRAMM......................................................................................................2-1
2.4 What is new in CRAMM Version 5.0 and CRAMM Version 5.1...................................2-1
2.5 When CRAMM reviews should be conducted ................................................................2-3
2.6 The need for CRAMM .........................................................................................................2-3
2.7 The benefits of CRAMM......................................................................................................2-4
2.8 Standards and Source of Information ...............................................................................2-4
2.9 Section summary ..................................................................................................................2-5
3. Overview of risk analysis and management ......................................................................3-1
3.1 Introduction ..........................................................................................................................3-1
3.2 Risk analysis..........................................................................................................................3-1
3.3 Risk management.................................................................................................................3-2
3.4 Overview of CRAMM..........................................................................................................3-3
3.5 Post review ............................................................................................................................3-6
3.6 Section summary ..................................................................................................................3-7
4. Overview of BS 7799................................................................................................................4-1
4.1 Introduction to BS 7799 .......................................................................................................4-1
5. Using the CRAMM software .................................................................................................5-1
5.1 Introduction ..........................................................................................................................5-1
5.2 Installing CRAMM...............................................................................................................5-1
5.3 Initiating and exiting from the software ...........................................................................5-2
5.4 Creating a review .................................................................................................................5-3
5.5 Selecting a review.................................................................................................................5-5
5.6 Security for CRAMM data ..................................................................................................5-7
5.7 Window and screen design.................................................................................................5-8
5.8 Entering data.......................................................................................................................5-12
5.9 Navigating through the CRAMM software....................................................................5-16
5.10 Displaying the status of a review ................................................................................5-19
5.11 Browsing through a review's assets...........................................................5-21
5.12 Using the keyboard .......................................................................................................5-22
5.13 Printing reports..............................................................................................................5-23
5.14 Structure of Screen in CRAMM...................................................................................5-25
5.15 Error messages...............................................................................................................5-31
5.16 Help .................................................................................................................................5-33
5.17 Section summary ...........................................................................................................5-34
6. Initiation ....................................................................................................................................6-1
6.1 Introduction ..........................................................................................................................6-1
6.2 The role of the reviewer.......................................................................................................6-1
6.3 Management and control of a CRAMM review...............................................................6-2
6.4 CRAMM Expert Opening Screen.......................................................................................6-4
6.5 Initiation Activities...............................................................................................................6-5
6.6 Gathering background information...................................................................................6-6
6.7 Identifying interviewees and scheduling interviews......................................................6-8
6.8 Section summary ................................................................................................................6-13
7. Identification and valuation of assets..................................................................7-1
7.1 Introduction ..........................................................................................................................7-1
7.2 Tasks in Identification and Valuation of Assets ..............................................................7-2
7.3 Modelling the system ..........................................................................................................7-3
7.4 Example of an Asset Model ..............................................................................................7-25
7.5 Creating Asset Models.......................................................................................................7-27
7.6 Valuing Assets ....................................................................................................................7-31
7.7 Data asset valuation...........................................................................................................7-31
7.8 Physical asset valuation.....................................................................................................7-39
7.9 Application software asset valuation ..............................................................................7-41
7.10 Printing valuation forms ..............................................................................................7-43
7.11 Reviewing asset values .................................................................................................7-44
7.12 Calculating implied asset values.................................................................................7-44
7.13 Impact Assessment Report...........................................................................................7-46
7.14 Valuation reports...........................................................................................................7-46
7.15 Impact Assessment Chart Wizard...............................................................................7-46
7.16 Data Asset Dependencies .............................................................................................7-47
7.17 Impact Assessment Reports .........................................................................................7-48
7.18 Stage 1 backtrack facility ..............................................................................................7-50
7.19 Section summary ...........................................................................................................7-51
8. Threat and Vulnerability Assessment .................................................................................8-1
8.1 Introduction ..........................................................................................................................8-1
8.2 Pointers and prompts ..........................................................................................................8-2
8.3 Identifying threats to asset groups ....................................................................................8-3
8.4 Automatic creation of asset groups ...................................................................................8-4
8.5 Maintenance of asset groups ..............................................................................................8-5
8.6 Defining threats to asset groups.........................................................................................8-8
8.7 Maintenance of impact applicability ...............................................................................8-11
8.8 Threat and vulnerability assessment - introduction......................................................8-12
8.9 Full risk assessment ...........................................................................................................8-13
8.10 Printing threat and vulnerability questionnaires......................................................8-13
8.11 Gathering information to complete the questionnaires ...........................................8-14
8.12 Entering questionnaire responses to the software ....................................................8-15
8.13 Completing questionnaires relating to future projects or systems under development..........8-20
8.14 Rapid risk assessment...................................................................................................8-20
8.15 Threat and Vulnerability Reports ...............................................................................8-23
8.16 Threat Vulnerability Summary....................................................................................8-23
8.17 Threat Chart Wizard .....................................................................................................8-24
8.18 Section summary ...........................................................................................................8-25
9. Risk analysis .............................................................................................................................9-1
9.1 Introduction ..........................................................................................................................9-1
9.2 Calculating measures of risks.............................................................................................9-1
9.3 Reviewing measures of risks ..............................................................................................9-2
9.4 Detailed Measures of Risk Report .....................................................................................9-3
9.5 Summary Measures of Risk report ....................................................................................9-4
9.6 Risk Analysis Reports..........................................................................................................9-4
9.7 Stage 2 backtrack facility .....................................................................................................9-5
9.8 Risk Analysis Report............................................................................................................9-6
9.9 Risk Analysis review meeting ............................................................................................9-7
9.10 Section summary .............................................................................................................9-9
10. Risk management..............................................................................................................10-1
10.1 Introduction....................................................................................................................10-1
10.2 Pointers and prompts....................................................................................................10-2
10.3 Security Checklists ........................................................................................................10-3
10.4 Countermeasure Library ..............................................................................10-3
10.5 Printing Countermeasure Library...............................................................................10-9
10.6 Printing Countermeasure Assessment Reports.......................................................10-11
10.7 Identifying existing countermeasures ......................................................................10-12
10.8 Analysing and Making Recommendations .............................................................10-19
10.9 Prioritising countermeasures.....................................................................................10-19
10.10 Entering the cost of countermeasures.......................................................................10-25
10.11 Risk Management Reporting .....................................................................................10-29
10.12 Stage 3 backtrack facility ............................................................................................10-30
10.13 Risk Management Report...........................................................................................10-32
10.14 Stage 3 management review meeting .......................................................................10-33
10.15 Section summary .........................................................................................................10-34
11. BS 7799 ................................................................................................................................11-1
11.1 Introduction....................................................................................................................11-1
11.2 Creating a BS 7799 Review...........................................................................................11-2
11.3 Steps in BS 7799 Assignments......................................................................................11-3
11.4 Initiating a BS 7799 Assignment..................................................................................11-5
11.5 Documenting the Scope of Information Security Management System (ISMS) ...11-6
11.6 Documenting the Management Framework..............................................................11-6
11.7 Entering Interview Details ...........................................................................................11-7
11.8 Register of Documentation...........................................................................................11-8
11.9 Conducting a Gap Analysis .......................................................................................11-10
11.10 Producing an Organisation Information Security Policy.......................................11-11
11.11 Print BS 7799 (Part II) ..................................................................................................11-12
11.12 Enter Status of BS 7799 Controls ...............................................................................11-13
11.13 Print Gap Analysis Report .........................................................................................11-15
11.14 Preparing a security improvement programme......................................................11-17
11.15 Allocate Resources to Controls..................................................................................11-17
11.16 Print Security Improvement Programme.................................................................11-19
11.17 Print Action Lists .........................................................................................................11-20
11.18 Creating a statement of applicability........................................................................11-21
11.19 Preparing Statement of Applicability .......................................................................11-22
11.20 Printing Statement of Applicability ..........................................................................11-23
11.21 The role of CRAMM in supporting BS 7799 ............................................................11-23
11.22 CRAMM Front Screen.................................................................................................11-24
11.23 Requirements for BS 7799 Controls Screen ..............................................................11-25
11.24 BS 7799 Measures of Risk Report ..............................................................................11-26
11.25 Detailed BS 7799 Countermeasures ..........................................................................11-27
11.26 Enter Status of BS 7799 Countermeasures ...............................................................11-28
11.27 Risk Treatment Reports Screen..................................................................................11-30
11.28 Risk Treatment Wizard...............................................................................................11-31
11.29 BS7799 Risk Treatment Wizard .................................................................................11-32
11.30 Summary Risk Treatment Plan..................................................................................11-33
11.31 Detailed Risk Treatment Plan ....................................................................................11-33
12. CRAMM Express ..........................................................................................12-1
12.1 Introduction....................................................................................................................12-1
12.2 CRAMM Express Design Aims ...................................................................................12-1
12.3 Creating a CRAMM Express Review..........................................................................12-4
12.4 Steps in CRAMM Express Assignments ....................................................................12-5
12.5 Input Data Values..........................................................................................................12-6
12.6 Select Threats of Interest...............................................................................................12-7
12.7 Set Threat and Vulnerability Levels............................................................................12-8
12.8 Calculate Recommended Countermeasures..............................................................12-9
12.9 Countermeasure Reports............................................................................................12-10
12.10 Enter Installed Status ..................................................................................................12-11
12.11 Maintain CRAMM Express Countermeasures........................................12-12
12.12 Exporting Express Reviews to CRAMM Expert .....................................................12-13
12.13 Apply Status Flags to Expert Review .......................................................................12-15
13. Contingency planning......................................................................................................13-1
13.1 Introduction....................................................................................................................13-1
13.2 The role of CRAMM in contingency planning ..........................................................13-3
13.3 Business impact analysis ..............................................................................................13-3
13.4 Steps in Gathering Contingency Planning Information...........................................13-4
13.5 Recovery objectives and minimum requirements ....................................................13-4
13.6 Risk assessment ...........................................................................................................13-12
13.7 Contingency solutions ................................................................................................13-13
13.8 Next actions..................................................................................................................13-14
13.9 Section summary .........................................................................................................13-15
14. Specialist security reports................................................................................................14-1
14.1 Introduction....................................................................................................................14-1
14.2 System Security Policy..................................................................................................14-2
14.3 Security Requirements Reports ...................................................................................14-3
14.4 Countermeasure Summary ..........................................................................................14-3
14.5 Interchange Agreement ................................................................................................14-4
14.6 Producing Security Operating Procedures (SyOPs) .................................................14-5
14.7 Countermeasure Chart Wizard ...................................................................................14-6
14.8 Alternative Countermeasure Chart Wizard ..............................................................14-6
14.9 Section summary ...........................................................................................................14-7
15. Security Resources ............................................................................................................15-1
15.1 Introduction....................................................................................................................15-1
15.2 Enter/Amend Security Resources ..............................................................................15-1
15.3 Back-up and Restore Security Resources ...................................................................15-3
15.4 Merging Security Resources ........................................................................................15-4
15.5 Enter Resources to Countermeasures .........................................................................15-5
15.6 Define Responsibilities .................................................................................................15-6
15.7 Define Compliance ........................................................................................................15-8
15.8 Print Security Resource Reports ................................................................................15-10
15.9 Print Resource Summary Reports .............................................................................15-11
15.10 Print Detailed Compliance Report ............................................................................15-13
16. Security Inspections.............................................................................................15-1
16.1 Steps in a Security Inspection ......................................................................................15-1
16.2 Print Security Inspection Questionnaire ....................................................................15-2
16.3 Enter Findings from the Security Inspection .............................................................15-3
16.4 Print Security Inspection Summary ............................................................................15-5
16.5 Print Action Lists ...........................................................................................................15-6
16.6 Producing Security Inspection Report........................................................................15-7
17. What if scenarios .............................................................................................................16-1
17.1 Introduction....................................................................................................................16-1
17.2 Carrying out a What If analysis...................................................................................16-1
17.3 Section summary ...........................................................................................................16-3
18. Post review .........................................................................................................................17-1
18.1 Introduction....................................................................................................................17-1
18.2 Scheduling implementation .........................................................................................17-1
18.3 Timing of the next review ............................................................................................17-2
18.4 Tidying up ......................................................................................................................17-4
18.5 Section summary ...........................................................................................................17-4
19. CRAMM software administration facilities ................................................................18-1
19.1 Introduction....................................................................................................................18-1
19.2 General Configuration ..................................................................................................18-1
19.3 Maintain Tool Password...............................................................................................18-2
19.4 Back-up/Restore/Delete Reviews ..............................................................18-3
19.5 Copying a review ..........................................................................................................18-5
19.6 Modifying a review password.....................................................................................18-7
19.7 Maintain Impact Applicability ....................................................................................18-8
19.8 Maintain Status Flags....................................................................................................18-9
19.9 Maintain Value Ranges...............................................................................................18-10
19.10 Maintain Default Priority Factors .............................................................................18-11
19.11 Section summary .........................................................................................................18-11
20. Further information about CRAMM .............................................................................19-1
20.1 Introduction....................................................................................................................19-1
20.2 Additional sources of information about CRAMM..................................................19-1
20.3 CRAMM training...........................................................................................................19-2
20.4 CRAMM specialist help and assistance .....................................................................19-2
20.5 CRAMM User Group....................................................................................................19-2
20.6 CRAMM added value and benefits ............................................................................19-3
20.7 Section summary ...........................................................................................................19-3
A. Installing the CRAMM software ..........................................................................0-1
A.1 Hardware requirements .................................................................................................0-1
A.2 Software requirements....................................................................................................0-1
A.3 Installing CRAMM ..........................................................................................................0-2
B. Glossary of terms .....................................................................................................................0-1
C. Checklists ..................................................................................................................................0-1
C.1 Stage 1 checklist ...............................................................................................................0-1
C.2 Stage 2 checklist ...............................................................................................................0-2
C.3 Stage 3 checklist ...............................................................................................................0-2
D. Impact types .........................................................................................................................0-1
D.1 Introduction......................................................................................................................0-1
D.2 The impact types..............................................................................................................0-1
E. Valuation guidelines...............................................................................................................0-4
E.1 Introduction ..........................................................................................................................0-4
Management and Business Operations .......................................................................................0-5
Personal safety ................................................................................................................................0-6
Personal information......................................................................................................................0-8
Legal and regulatory obligations ...............................................................................................0-10
Law enforcement ..........................................................................................................................0-12
Commercial and economic interests ..........................................................................................0-13
Financial loss/ Disruption to activities .....................................................................................0-15
Public order ...................................................................................................................................0-16
International relations..................................................................................................................0-18
Defence...........................................................................................................................................0-19
Security and intelligence .............................................................................................................0-21
Policy and operations of public service.....................................................................................0-22
Loss of goodwill............................................................................................................................0-23
E.2 Table of Data Valuation Guidelines ................................................................................0-24
F. Threats........................................................................................................................................0-1
F.1 Introduction ..........................................................................................................................0-1
F.2 Threats ...................................................................................................................................0-2
F.3 Threat/impact table .............................................................................................................0-9
F.4 Threat/asset group table...................................................................................................0-18
F.5 Default Threat Impact Guidance......................................................................................0-20
G. Risk matrix ................................................................................................................................0-1
G.1 Introduction......................................................................................................................0-1
G.2 Risk matrix table ..............................................................................................................0-2
H. Countermeasure groups and sub-groups ............................................................................0-1
H.1 Introduction......................................................................................................................0-1

Issue 1.0 Page 1-7


CRAMM User Guide

H.2 Countermeasure groups and Clip Art Pictures...........................................................0-1


H.3 Countermeasure groups and sub-groups table.........................................................0-15
I. Threat/countermeasure group tables....................................................................................0-1
I.1 Threat/countermeasure group table .................................................................................0-1
I.2 Countermeasure group / threat table ...............................................................................0-8
J. Errors ..........................................................................................................................................0-1
J.1 Introduction ..........................................................................................................................0-1
J.2 What you should do ............................................................................................................0-1
K. Draft Security Specification...................................................................................................0-2
L. CRAMM reports.......................................................................................................................0-4
L.1 Introduction ..........................................................................................................................0-4
L.2 Table of reports.....................................................................................................................0-5

Chapter 1
How to use the Guide

1. How to use the guide


1.1 Copyright Notice
CRAMM Version 5.0/5.1
Crown Copyright

The CRAMM Risk Analysis and Management Method is owned, administered and
maintained by the Security Service on behalf of the UK Government.
The intellectual property rights are protected by the Controller of HMSO acting for
and on behalf of the Crown. Application for reproduction should be made to HMSO
via the Security Service at the address shown below.

First published April 1996.

CRAMM and the CRAMM motif used on the cover of this publication are
Trademarks.

Acknowledgements
CRAMM has been produced in consultation with the Security Service and CESG,
who are the UK Government national security authorities.

Further information
Further information can be obtained from:
The CRAMM Manager
Insight Consulting
Churchfield House
5 The Quintet
Churchfield Road
Walton-on-Thames
Surrey, KT12 2TZ
Telephone: 01932 241000

1.2 Objectives of the guide


This guide describes how to conduct a CRAMM review and how to use its
supporting software.
It is strongly recommended that you should attend a recognised CRAMM training
course before using the method. Details of training courses can be obtained from:
The CRAMM Manager
Insight Consulting
Churchfield House

5 The Quintet
Churchfield Road
Walton-on-Thames
Surrey, KT12 2TZ
Tel: 01932-241000
Fax: 01932-244590
E-mail: cramm@insight.co.uk

1.3 Target audience


You should read this guide if you will be:
undertaking CRAMM reviews
project managing CRAMM reviews
quality assuring or auditing CRAMM reviews.
A separate document, a Management Guide for CRAMM, provides a management
overview of the method.

1.4 Structure of the guide


The remainder of this guide is structured as follows:
Section 2, Introduction to CRAMM: describes the objectives of CRAMM, and
its background and benefits
Section 3, Overview of risk analysis and management: describes the philosophy
and principles of risk analysis and management and of CRAMM in particular
Section 4, Overview of BS 7799, provides an introduction to BS 7799 (British
Standard for Information Security Management)
Section 5, Using the CRAMM software: provides general guidance on using the
software that supports the CRAMM method
Section 6, Initiation: describes how to set up a CRAMM review
Section 7, Identification and valuation of assets: describes the tasks involved in
modelling an information system and valuing the data and physical assets
that make up the system
Section 8, Threat and Vulnerability Assessment: describes the tasks involved in
assessing the levels of threats to, and vulnerabilities of, information systems
Section 9, Risk analysis: describes the tasks involved in determining the level
of security requirement based on the results of the asset valuation and threat
and vulnerability assessment
Section 10, Risk management: describes the tasks in determining the
countermeasures CRAMM considers appropriate to meet the risks identified
during the risk analysis, and how this information can then be used to
Section 11, Contingency planning: describes how to use CRAMM to look at
contingency planning requirements and options
Section 12, Specialist security reports: describes how to produce various
security reports

Section 13, Security resources: describes how CRAMM can be used to record
how security is actually delivered
Section 14, What If scenarios: describes how to use CRAMM to support change
management or to model different system and security profiles
Section 15, Post review: describes how to close down a CRAMM review and
what to do when the review is complete
Section 16, CRAMM software administration facilities: describes how to carry
out software administration tasks such as taking backups and maintaining
the configuration of the system
Section 17, Further information about CRAMM: lists sources of further
information about CRAMM, such as publications, training and consultancy.
Annexes: provide detailed information to support the above sections.
Sections 6 to 14 describe how to use both the CRAMM method and the software that
supports the method.

1.5 Conventions
The following style and formatting conventions are used in this User Guide:
The reader is assumed to have the role of a CRAMM reviewer, and is
referred to as you throughout the Guide. Any other roles are named, for
example management.
Each section starts with an introduction, which lists the topics that are
covered, and ends with a summary of the section.
The sections covering the CRAMM Stages (sections 6 to 14) contain
descriptions of how to use both the method and the software to carry out
the tasks involved in each stage. For each task, there is a description of the
method, followed by instructions on how to use the software to carry out
the task. The start of the software description is indicated by an
instruction such as the following: to create new data assets or modify
existing data assets:
In the sections covering the CRAMM Stages, each sub-section starts with a
method concept. This describes the basic concepts behind each particular
part of the CRAMM method. They are preceded by the heading Method
Concept.
Where a task consists of a series of steps that must be carried out in order, a
numbered list of steps is used. For other lists of items, or for tasks that can be
carried out in any order, a bulleted list is used.
Bold formatting is used to highlight important points and, in the sections
describing the software tool, for menu and screen names.
Italic formatting is used to highlight items where less emphasis than bold
formatting is required, for example the names of reports or parts of screens. It
is also used, in the sections describing the software tool, for options that you
choose from menus, and parts of the CRAMM screens, such as text boxes, list
boxes, buttons and tables. Examples of these formatting conventions are:
from the Modelling the System screen, choose Identification of Data
Assets. The Create and Maintain Data Assets screen is displayed
use the Delete button to delete an asset from the review
type text into the Comment for list box.

Keyboard keys that you need to use are enclosed within angle brackets, for
example <Alt> and <Tab>.
Diagrams and tables are numbered in sequence within each section, and have
captions in italic, for example

Figure 4/10: Open an Existing Review screen


Cross-references are to sections or figures, rather than page numbers. For
example, .... as described in section 4.11 and .... as shown in Figure 4/10.
Section 5 provides details on how to use the various parts of the CRAMM screens.


2. Introduction to CRAMM
2.1 Introduction
This section covers the following topics:
what is CRAMM
the background to CRAMM
what is new in CRAMM Version 5.0 and Version 5.1
when CRAMM reviews should be conducted
the need for and benefits of CRAMM
the standards that CRAMM complies with.

2.2 What is CRAMM?


CRAMM (the UK Government's preferred Risk Analysis and Management Method)
is a method developed to assist with the following:
undertaking a risk analysis of information systems and networks
identifying security requirements and possible solutions
identifying contingency requirements and possible solutions.
The method is applicable to all types of information systems and networks and can
be applied at all stages in the information system lifecycle, from planning and
feasibility, through development and implementation, to live operation.
CRAMM is divided into two parts - the method, which provides guidance on
carrying out risk assessment and security reviews, and the supporting software,
which helps you to set up and carry out the reviews.

2.3 Background to CRAMM


CRAMM was originally developed by CCTA in 1985 in response to a growing need
for security in information systems. Since then it has undergone several major
revisions, and is now the preferred method for use within UK government
departments; it has also been adopted by many commercial organisations and other
public administrations throughout the world.

2.4 What is new in CRAMM Version 5.0 and CRAMM Version 5.1
Version 5.0 of CRAMM is a significant upgrade to both the method and the software
support tool. The key features of this new version are:
Introduction of CRAMM Express
Support for BS 7799 (Part 2): 2002
Enhanced coverage of Voice and Wireless LAN security issues.

Version 5.1 provides the following further additions:

Updated mapping of the CRAMM countermeasures to reflect the
BS7799:2005/ISO27001 controls
An updated database consisting of over 3,500 security controls covering
all aspects of information security, cross-referenced to the risks they
protect against and the relevant BS7799:2005 control objectives
Graphical reports for countermeasures
The ability to output CRAMM actions directly to Microsoft Outlook
Enhancements to reporting functionality with CRAMM Express
A Copy and Compare tool that allows a user to copy information from
one review to another and to compare the results between the two reviews
Improved support for recording and reporting on Security Resources
Support for the construction of Security Operating Procedures (SyOPs)
Additional standard resources, specifically providing advice on how to
implement CRAMM's generic countermeasures within either a Unix or a
Windows XP environment
Support for conducting Security Inspections

2.4.1 CRAMM Express


One common criticism of CRAMM is that it is too heavy. In part this is due to
misconceptions based on previous versions, or because people are not using it
correctly, but it is also because people get overwhelmed by the amount of detail
and the richness of the functionality that CRAMM provides, and can therefore get
lost in determining which activities they need to carry out to conduct a high-level
CRAMM review.

2.4.2 CRAMM Version 5.1 Support for BS 7799 (Part 2): 2005
BSI updated BS7799:Part 2 and released this as BS7799/2005 (ISO27001) in October
2005. The new international version of the standard clarifies and strengthens the
requirements of the original British standard, and includes changes to the following
areas:
Risk assessment
Contractual obligations
Scope
Management decisions
Measuring the effectiveness of selected controls

2.4.3 Enhanced coverage of PDA Security Issues


Version 5.0 of CRAMM was updated to cover the security issues associated with both
Voice and Wireless LAN security. Because PDA security has become an increasingly
prominent topic over the last few years, CRAMM 5.1 has been updated to help
investigate the issues it raises and to provide up-to-date guidance on what
controls are necessary.


2.5 When CRAMM reviews should be conducted


CRAMM can be used whenever it is necessary to identify the security and/or
contingency requirements for an information system or network. This may include:
the strategy planning or feasibility study stage, where a high-level risk
analysis may be required to identify broad security and contingency
requirements and the associated budgetary costs
the analysis of business options, where the security and contingency issues
associated with each option need to be investigated or refined
the analysis of technical options, where the technical security and
contingency issues associated with each option may need to be investigated
or refined
prior to live running, to ensure that all required physical, procedural,
personnel and technical security countermeasures have been identified and
implemented
at any point during live running where there are concerns about security or
contingency issues, eg in response to a new or increased threat or following a
security breach
as part of a regular security management programme
as part of a regular internal audit programme
as part of a change management programme.
Since business requirements, system configurations, threats and vulnerabilities can
change, it is recommended that CRAMM reviews are updated at least once a year.
CRAMM's What If facility is a powerful tool which can help assess the implications
of the changes that have taken place, and the effects these changes have on the
requirements for security and contingency.

2.6 The need for CRAMM


The identification of appropriate security and contingency solutions for an
information system or network is a complex issue. This is because:
there is a wide range of threats that could impinge on the security of an
information system or network
the level of threat (the likelihood of an attack or other incident) is very
difficult to measure
vulnerabilities (weaknesses) can be difficult to identify
there is a wide range of possible security and contingency solutions for
different business and technical environments, each with different
implications and costs
the introduction of countermeasures to address one set of risks can introduce
other risks
good security and contingency requires a balanced approach addressing
technical, personnel, physical and procedural issues.
The complexities of information and network security make it difficult for an
individual to be an expert in all of the above areas. Even where a high degree of
experience and expertise exists, the rapid growth and constant change in the use of
information systems and networks places ever increasing demands on scarce
resources.
Against this background there is a need for a proven method such as CRAMM to
support the information security management process.

2.7 The benefits of CRAMM


CRAMM provides the following benefits:
consistency - CRAMM ensures that similar systems with similar risk profiles
have similar security and contingency solutions proposed
flexibility - can support rapid risk reviews or more detailed investigations
rigour - to ensure that threats and vulnerabilities are identified, risks are
assessed and relevant countermeasures used by CRAMM are considered
efficiency - the advanced software support facilities allow risk and
countermeasures information to be manipulated easily and presented in a
wide range of formats, including export to word processing packages and
spreadsheets
auditability - auditors can check that the method has been applied correctly
and that suitable countermeasures have been identified
awareness - the CRAMM review and reporting process helps to raise
awareness of information security issues.
CRAMM provides a method by which expenditure on security and contingency can
be justified.
Traditional cost/benefit analysis techniques cannot be used for security and
contingency planning due to the intangible nature of risk. For example, it is not
possible to say with any certainty that a particular incident will occur, on average,
once every X years.
Security and contingency solutions put forward by CRAMM represent best available
practice for the system or network taking into account the business and technical
environment and the assessed risks. In the absence of formal cost/benefit techniques,
CRAMM therefore provides a unique benchmark against which organisations can
identify appropriate and justifiable security and contingency solutions.
CRAMM is the only commercially available tool that can provide comprehensive
guidance on suitable security and contingency solutions based on input from a wide
range of government specialists and private-sector security experts.

2.8 Standards and Sources of Information


Amongst the sources used during the construction of CRAMM are:
BS 7799 (The British Standard on Information Security Management)
Information Technology Security Evaluation Criteria (ITSEC), Trusted
Computer Security Evaluation Criteria (TCSEC) and Common Criteria
HMG Manual of Protective Security, including:
Guide to Physical Security
Guide to Personnel Security
HMG Infosec Standards
Various CESG Memoranda
CISCO's White Paper on Setting up Routers
Fred Cohen's paper Protecting against Distributed Denial of Service
Attacks
MS Windows XP Security Guide (www.microsoft.com)
Unix Security Checklist (www.auscert.org.au)

2.9 Section summary


This section has described what CRAMM does, the background to the method, what
is new in both Version 5.0 and Version 5.1, when CRAMM reviews should be
conducted, and the need for and benefits of using CRAMM.


3. Overview of risk analysis and management


3.1 Introduction
The security of information systems and networks has been of major concern for
many years. The rapid expansion in the use of information technology, and a
growing awareness of the associated security risks, has highlighted the need to
ensure that all risks are identified, assessed and managed.
This section provides an overview of risk analysis and management. It also describes
how the CRAMM method can be used to identify, analyse and manage the risks
associated with an information system.

3.2 Risk analysis


Risk is normally defined as the chance or likelihood of damage or loss. In CRAMM
this definition is extended to include the impact of damage or loss. That is, it is a
function of two separate components, the likelihood that an unwanted incident will
occur and the impact that could result from the incident.
Risk Analysis involves identifying and assessing risks to data and the information
system and network which support it. Typical risks include:
data being lost, destroyed or wiped
data being corrupted
data being disclosed without authority.
The processes involved in risk analysis are identifying assets, asset values, threats
and vulnerabilities, and then calculating the risk. These are detailed as follows.
1 Identification of Assets
Assets within an information system or network can be considered under
three categories:
information or data assets
software assets
physical assets, such as file servers, workstations, bridges, routers.
Key assets need to be identified.
2 Valuation of Assets
All assets have a value to the organisation and this can be measured in
terms of the impact that could result if the confidentiality, integrity or
availability of the assets were compromised. The asset valuation process
measures the impacts that could result if:
data assets were disclosed, modified, destroyed or made unavailable
in an unauthorised or unexpected manner
physical assets were damaged or destroyed
software assets were damaged, destroyed, corrupted or, in the case
of sensitive software, disclosed in an unauthorised manner.
Valuation of assets provides the impact component of the risk assessment.


3 Threat Assessment
A Threat Assessment involves identifying and assessing the level of threat
to the assets of a system. Typical threats include:
deliberate attacks such as hacking, spoofing, insertion of false
messages, introduction of damaging or disruptive software, theft,
wilful damage
disasters such as fire, flood, lightning strike
errors by individuals
technical failures.
The level of threat is a measure of the likelihood of an attack or incident
actually occurring.
4 Vulnerability Assessment
A Vulnerability Assessment involves identifying and assessing the extent
to which the assets are vulnerable to the identified threat. Vulnerability is
a measure of inherent weakness within the system or network.
The threat assessment and vulnerability assessment together provide the
likelihood component of the risk assessment.
5 Risk Assessment
A Risk Assessment involves measuring the level of risk to the system or
network. The level of risk is identified from the value of the assets, the
level of threat and the extent of the vulnerability. If a system contains
highly valuable assets, the level of threat is high, and significant
vulnerabilities exist, then the security risk to the business is considered to
be high. Measures of risk translate directly into measures of security
requirement, so that if there is a high risk there is a high requirement for
security.

3.3 Risk management


Risk Management involves identifying, selecting and adopting justified security and
contingency countermeasures to reduce risks to an acceptable level.
Countermeasures may act in different ways such as:
reducing the likelihood of attacks or incidents occurring
reducing the system's vulnerability
reducing the impact of an attack or incident should it occur
detecting the occurrence of attacks or incidents
facilitating recovery from an attack or incident.


Figure 3-1 summarises the IT risk analysis and management process.

[Figure 3-1 shows the flow: Assets, Threats and Vulnerabilities -> Analysis -> Risks -> Management -> Countermeasures]

Figure 3-1: The IT Risk Analysis and Management Process

3.4 Overview of CRAMM


CRAMM consists of three stages, each supported by objective questionnaires and
guidelines. Each stage sets out to answer one major question:
Stage 1: Is there a need for security above a baseline level?
Stage 2: What and where are the security risks?
Stage 3: How can the risks be managed?
The following sections provide an overview of the three stages of CRAMM, describe
some of CRAMM's additional facilities, and outline the activities that may follow a
CRAMM review.

3.4.1 Stage 1
Stage 1 consists of the following tasks:
preparing a functional description of the system or project and agreeing with
management the boundary of the review
identifying the data, software and physical assets within the scope of the
review and creating an asset model
valuing data assets in terms of the business impacts that could result if they
were disclosed, modified, destroyed or made unavailable in an unauthorised
or unexpected manner. Interviews are held with appropriate members of the
user community, who may be the formal data owners if such an approach is
in existence. CRAMM contains forms to help you structure the interview and
the scenarios described by the interviewee are evaluated against the
guidelines contained in this User Guide
valuing physical assets in terms of their replacement or reconstruction costs
valuing the software assets held on the system. These can either be valued in
terms of their replacement and/or reconstruction cost only or, if they have an
intrinsic value in their own right, for the impacts of unavailability, disclosure
and modification.

3.4.2 Stage 2
Stage 2 of CRAMM investigates the threats and vulnerabilities to the system or
network. It consists of the following tasks:
identifying the threats that require investigation in relation to particular
assets
assessing the level of each threat (the likelihood of it occurring)
assessing the extent of vulnerability to each threat (the likelihood that
damage or loss would result if the threat occurred)
calculating the risks to the organisation caused by the threats to the system or
network (based on the asset valuation, threat assessment and vulnerability
assessment).
Threats and vulnerabilities are assessed using questionnaires produced by the
software tool. The questionnaires contain detailed questions to which a choice of
possible answers are given. As far as possible, existing countermeasures are ignored
during this exercise so that no incorrect assumptions are made as to their
effectiveness.
The calculation of risks is performed by the software tool using the risk matrix
included at Annex G.

3.4.3 Stage 3
Stage 3 of CRAMM is concerned with selecting the appropriate countermeasures to
manage the risks identified in Stage 2. It consists of the following tasks:
identifying countermeasures to address the risks calculated in Stage 2. The
software tool does this
where some countermeasures are already in place, comparing them with
those generated by CRAMM to identify areas of weakness or over-protection
developing recommendations on suitable countermeasures for the system or
network. The software tool can place countermeasures into a suggested
priority list.
The introduction of new countermeasures or changes to existing countermeasures
may have implications in terms of cost, management and staff time, and the
acceptability, usability and ultimately business benefit of the system. You should
therefore discuss countermeasure recommendations with management. Options are
available in the software tool to extract reports and to backtrack to justify the
selection of a recommended countermeasure.
A CRAMM review does not include any detailed review of the effective operation of
countermeasures. Whilst this is an important task, it should be performed as a
separate exercise.

The final choice of countermeasures to implement is the responsibility of
management and relies upon a number of considerations such as cost and availability
of resources. Therefore, the work to define an actual implementation plan falls
outside of a CRAMM review.

3.4.4 Contingency planning


CRAMM provides a facility to identify contingency planning requirements and
solutions. During asset valuation in Stage 1 of a CRAMM review, additional
information may be collected on:
business impacts
recovery objectives
minimum assets required to support the recovery objectives.
During Stage 3 of the review, CRAMM will identify a set of possible contingency
options, based on the risk assessment, which will allow the recovery objectives to be
met.

3.4.5 Backtrack facility


The CRAMM backtrack facility allows the reviewer to identify the reasons for a
particular countermeasure being recommended. If required, the backtrack facility
will identify all of the threats, vulnerabilities and asset values that led to the
countermeasure being recommended.

3.4.6 Overview of reports


A range of reports are available from each stage of CRAMM. Some of these are
working reports for the reviewer whilst others may be required for presentation to
management, perhaps with some tailoring beforehand. Key reports from each stage
are summarised below. Further details of reports are included in the relevant sections
of this User Guide.
Stage 1 Reports:
Asset Model Report: describes the assets within the scope of the review
and the dependencies between assets
Impact Assessment Report: describes the results of the asset valuation
exercise
Impact Assessment Charts: graphically depict the results of the impact
assessments.
Stage 2 Reports:
Summary of the Threat and Vulnerability Assessment: shows the threat
and vulnerability ratings relating to the system or network
Measures of Risks Report: describes the calculated risks relating to the
system or network
Risk Analysis Management Report: summarises the findings from
Stages 1 and 2.
Stage 3 Reports:
Recommended Countermeasures Report: describes the countermeasures
that have been generated by CRAMM in response to the risk
assessment
Countermeasure Cost Report: outlines the capital and running costs of
implementing recommended countermeasures
Prioritisation Report: lists countermeasures in order of priority for
implementation
Risk Management Report: summarises the findings and
recommendations from the review
System Security Policy Report: provides a complete set of security
requirements and principles for the system or network under review.

3.4.7 What If scenarios


The CRAMM What If facility can perform all of the available functions on a copy of
the base review data without permanently changing or losing any information. The
facility enables you to investigate the effects of potential changes to the system or
network and its security profile. An example could be the transfer of high-value data
assets to stand-alone equipment.
The results of the scenarios can be printed and then either discarded or kept in place
of the initial review. The What If facility allows you to selectively re-model the
boundary and assets under consideration, whilst retaining the base review
information.
It is particularly useful at the technical options phase of a new project, allowing you
to quickly explore the security implications of a number of options.

3.5 Post review


Further actions may be necessary following a CRAMM review. Decisions may need
to be taken on:
which countermeasures to install
whether existing countermeasures which are not actually justified can be
removed
the approach to be taken to maintain the risk analysis, including when to
schedule the first update review
where to store the review papers and software back-up copy of the review
database.
These points are discussed in the following sections.

3.5.1 Implementation of countermeasures


For an existing system or network, the final list of countermeasures recommended
from the CRAMM review will, ideally, be implemented. However, in some cases this
is unrealistic due to factors such as budgetary constraints. It is a management task
(with the reviewer's assistance) to decide which countermeasures should be installed
first. CRAMM has facilities to aid this process; for example, it can assign priorities to
countermeasures based on a number of factors. Section 10.9 provides further
information.
For a system or network under development or in the planning stages, the
recommended countermeasures can be incorporated into a specification or statement
of requirement.

3.5.2 Scheduling implementation


When management has decided on the countermeasures that should be installed, and
those that should be removed or replaced, a schedule for implementation should be
defined. At this point the reviewer's role in the study is complete. It is management's
responsibility to decide whether compliance testing is required after implementation
and, if so, to arrange for its completion. The Countermeasure Assessment Report,
which shows those countermeasures to be implemented, will help in this process.

3.5.3 Timing of the next review


Security is never static and should be kept under consideration throughout the
lifecycle of the project or system. The timing of the next review could be dictated by
changing technology, additional systems, changing business requirements or at
intervals advised by a security authority, or in accordance with security policy. In
many cases it should be possible to perform follow-up reviews a great deal faster
than the initial review, by making use of details already documented within the
software and in the reports produced for previous reviews.

3.5.4 Storage of review papers and database


Once the CRAMM review is completed, you should back up both the review data
and the software that supports the review to some form of removable media (such as
diskette or tape). You should store this material with hard copies of the final version
of the management reports issued during the review. You should consider whether
it is necessary to store the back-ups at some location sufficiently distant from the
machine holding the original information to make it unlikely that both could be
affected by a single incident.

3.6 Section summary


This section has provided an overview of risk analysis and risk management and
described how CRAMM is used in these processes.

4. Overview of BS 7799
4.1 Introduction to BS 7799
The standard is intended for use by managers and employees who are responsible for
initiating, implementing and maintaining information security. It is intended that the
standard should provide a comprehensive set of controls setting out the best
information security practices in current use. The guidance is intended to serve as a
single reference point for identifying the range of controls needed for most situations
where information systems are used and therefore can be applied to a wide range of
organisations, large, medium or small.
With increasing electronic networking between organisations there is a clear benefit
in having a common reference document for information security management. It
enables mutual trust to be established between the different organisations and
provides a basis for management of these systems between users and service
providers.
Not all of the controls described in BS 7799 will be relevant to every situation. It
cannot take account of local system, environmental or technical constraints or be
presented in a form that suits every potential user in an organisation. Consequently
the controls need to be reviewed in order to identify their applicability to the specific
environment under review.
The standard does not purport to include all the necessary provisions of a contract.
Users of the standard are warned that they are responsible for its correct application.
Compliance with a British Standard does not of itself confer immunity from legal
obligations.
The following diagram shows the steps involved in complying with BS 7799 (as
defined in BS 7799 Part II).

Step 1: Define the policy (output: policy document)
Step 2: Define the scope of the ISMS (output: scope of the ISMS)
Step 3: Undertake a risk assessment (inputs: information assets; threats,
vulnerabilities, impacts; output: results and conclusions)
Step 4: Manage the risk (inputs: organisation's approach to risk management;
degree of assurance required; output: selected control options)
Step 5: Select control objectives and controls to be implemented (inputs:
BS 7799 control objectives and controls; additional controls not in BS 7799;
output: selected control objectives and controls)
Step 6: Prepare a statement of applicability (output: statement of
applicability)

Figure 4-2: Steps in BS 7799 Assessments

5. Using the CRAMM software


5.1 Introduction
This section provides general information on using the CRAMM software. It
describes:
how to install, initiate and exit from the CRAMM software (sections 5.2 and
5.3)
access control to the CRAMM software tool (section 5.6)
the parts of a typical CRAMM screen (section 5.7)
how to enter data into the CRAMM software tool (section 5.8)
how to move between the screens (section 5.9)
how to check the status of the review (section 5.10)
how to browse through the screens (section 5.11)
how to use the keyboard to carry out actions (section 5.12)
how to print reports (section 5.13)
the structure of the CRAMM menus (section 5.14)
error messages (section 5.15)
how to obtain help in CRAMM (section 5.16).
This guide assumes that you have a basic knowledge of Microsoft Windows. If you
need further information about Windows, refer to the Microsoft Windows User's
Guide for the version of Windows that you are using.

5.2 Installing CRAMM


Instructions for installing the CRAMM software on your PC are given in Annex A.
After the CRAMM V5.1 software has been installed, a shortcut will appear on your
desktop which can then be used to start up the CRAMM software in the future.

The desktop would look something like the following image:

Figure 5-3: Desktop with CRAMM Icon

You can uninstall the CRAMM software using the Add/Remove Programs option from
the Control Panel. You will need to uninstall the Centura component of the
CRAMM software and the Access component of the CRAMM software separately.
Once you have removed all these components you will find that the CRAMM51
directory still remains, because the uninstall program will not delete the Access
databases that contain some of the information you entered during the review. If you
no longer require these databases it is safe to delete the CRAMM v51 Access
Database directory.

5.3 Initiating and exiting from the software


5.3.1 Initiating the software
Once the software has been installed on your PC, there will be a shortcut on your
desktop called CRAMM 5.1.
To initiate the CRAMM software:
Step
1 Open the application that you require by double-clicking on the CRAMM
5.1 icon (as shown in Figure 5-3).
2 If a password has been set up for the system, the Tool Authentication
screen is displayed, into which you need to type the CRAMM password.
This screen is shown in Figure 5-4.


Figure 5-4: Tool Authentication screen


3 (No password is set when CRAMM is first installed, but you can set one
by following the instructions in section 19.3.) Press the OK button in this
screen.
4 The Review window is then displayed.

5.3.2 Exiting from the software


To exit from the CRAMM software, choose Exit from the Review menu. You are
returned to the desktop.

5.4 Creating a review


A review can be created from scratch with no initial contents, or by copying some or
all of the contents of an existing review.

5.4.1 To create a CRAMM review


The New Review screen allows new reviews to be created. The types of review that
users can create are:
CRAMM Expert

CRAMM Express

BS 7799

Each of these types of review provides different functions which are capable of
supporting a user's needs to produce different security deliverables.
An overview of CRAMM Expert can be found in Section 2.2.
An overview of BS 7799 can be found in Section 4.
An overview of CRAMM Express can be found in Section 12.
To create a review from scratch:
Step
1 Open the Review application by double-clicking on the CRAMM 5.1 icon.
Once you have entered the tool password (as described in section 5.6), the
Review application window is displayed, as shown in Figure 5-10.
2 From the Review menu, choose New. The Create Review screen is
displayed, as shown in Figure 5-5.

Figure 5-5: Create Review screen


This screen allows you to enter details of the review you wish to create, as
follows.
3 Use the Name text box to enter a name for the review.
4 Use the Type of Review combo box to select the type of review that you
wish to conduct. The options are either CRAMM or BS 7799.
5 Use the Protective Marking text box to enter the protective marking for the
review.
6 Use the Description text box to enter a description of the review.
7 Use the Report Header text box to enter the header to be used in reports
produced by the review.
8 The Existing Reviews text box lists the names of existing reviews which
you have created to enable you to select an appropriate, unique name for
the review.
9 When you are satisfied with the details for the review, press the Create
Review button. The Enter New Review Password screen is displayed, as
shown in Figure 5-6.

Figure 5-6: Enter New Review Password screen


If you want to set up a password for the review, type it into the New
Password text box. The password can be up to eight characters long. Type
it again into the Confirm New Password text box and press the OK button.
If you do not want to set up a password, select the Do not password protect
check box.
10 A screen is displayed when the review is being created that contains a
mobile activity indicator and a Cancel button. When the review has been
created, the Main process flow screen is displayed.
11 If you decide not to create a new review after all, simply press the Close
button to return to the Review application window.

5.5 Selecting a review


To select a review:
Step
1 Open the Review application by double-clicking on the CRAMM 5.1 icon.
Once you have entered the tool password, the Review application
window is displayed, as shown in Figure 5-10.
2 From the Review menu, choose Open. The Open an Existing Review
screen is displayed, as shown in Figure 5-7.

Figure 5-7: Open an Existing Review screen


This screen displays a list of the reviews which exist on the PC on which
the CRAMM software is running.
3 Select the review you wish to open and press the Open button.
4 The Review Authentication screen is displayed, in which you need to
type your review password and press the OK button. (This screen is not
displayed if a password has not been set up for the review.) This screen is
shown in Figure 5-8.

Figure 5-8: Review Authentication screen


5 If you have chosen to open a CRAMM Expert review (as opposed to a
BS 7799 review or a CRAMM Express review), the Open an Existing
Review screen is then closed and replaced by the Top Level Process Flow
diagram, shown below. (Please note: the screens that would be
displayed if you have chosen to open a BS 7799 review are described in
Section 11, whilst the screens that would be displayed if you have chosen to
open a CRAMM Express review are described in Section 12.)

Figure 5-9: CRAMM Front Screen

You cannot have two reviews open at the same time - before opening a new review,
you need to close the current one.

5.5.1 Exiting from the software


To exit from the CRAMM software, choose Exit from the Review menu. You are
returned to the desktop.

5.6 Security for CRAMM data


The information collected when carrying out a CRAMM review is often sensitive.
The level of sensitivity varies depending on the system or project under review, and
thus the measures required to protect the information also vary. The level of
sensitivity of the review should be considered at each of the stage management
review meetings.
Access control
Password protection: CRAMM allows you to set up a password for access to the
system, and a further password for each review (sections 19.3 and 5.6 describe how
to set these up). Both types of password are optional, allowing you to use CRAMM
without a password, for example when using it for training or demonstration
purposes. However, reviews should normally be protected to ensure that there is no
unauthorised access to the review data.
As a minimum, you can set up a system password to reduce the risk of unauthorised
access to the data. For a system which is likely to have other than low value data, you
should add further protection.
Dongle protection: CRAMM is supplied with a hardware dongle. You must ensure
that the dongle is connected to the parallel printer port or the USB port (depending
on the type of dongle) before attempting to run the software. Removing the dongle
during CRAMM operation will cause the CRAMM software to terminate.

Additional protection
Where additional protection is required, you should consider using removable media
or storing the PC containing review information in a secure cabinet. Where this is not
possible, an alternative is to use hardware encryption of the information. Further
advice can be obtained from your CRAMM supplier.
CRAMM also provides sensitivity markings on all hardcopy output. The sensitivity
marking for a review is defined when you create a review, using the Protective
Marking field in the Create Review screen (see section 5.4). You can change the
marking for an existing review using the Protective Marking field in the Maintain
Review Textual Information screen (see section 19.2).

Backup of data
The data should also be regularly backed up to removable media and the backups
stored in a location separate from that housing the PC. If a power failure or other
incident occurs whilst using the software, it should not be necessary to restore from a
back-up unless the contents of the hard disk have been lost, as the software has in-
built recovery features that will handle most interruptions to processing.

5.7 Window and screen design


5.7.1 Application windows
An application window is a window that contains a running application. Figure 5-10
shows the Review application window.
title bar
menu bar

status line

Figure 5-10: Review application window

As shown in Figure 5-10, the CRAMM application windows have:


a title bar
a menu bar, which contains the menus for the appropriate stage of the review
a status line, which displays messages to help you with the task you are
performing.
One of the CRAMM application windows is always displayed when you are using
the CRAMM software.

5.7.2 Application screens


An application screen is displayed when you choose an option from one of the
CRAMM application window menus. (These screens are often called document
windows in other Microsoft Windows documentation). The screen is displayed inside
the application window, and you can have more than one screen open at a time.
Figure 5-11 shows an example screen, the Countermeasure Assessment Reports
screen.
Figure 5-11: An example screen (annotated components: title bar, check box,
group box, drop-down box, option button, buttons)


This typical screen has the following fields or components:
title bar: this displays the name of the screen, in this case Print Security
Checklists
list box: this displays a list of choices from which you can select. If there are
more items than can fit in the box, horizontal and vertical scroll bars are
provided. An example on this screen is the Countermeasure Groups list box

drop-down list box: this appears initially as a text box (see below) which
displays the current selection, or is blank if nothing is currently selected.
When you select the down arrow at the right of the box, a list of choices
appears. If there are more items than can fit in the box, vertical scroll bars are
provided. An example on this screen is the Countermeasure Set drop-down list
box
text box: this is a rectangular box into which you can type information. In
some cases, it has an associated drop-down list box (see above). You type
and edit text in a text box using the standard Windows keys and key
combinations. Different text boxes require different input from you: free text,
multi-line free text, a name or a numeric value, depending on the screen.
Your input is validated by the software, and an error message is displayed if
you enter the wrong type of information.
group box: this is a box that groups together related fields. An example on this
screen is the Select group box. The fields within this group box are used to
select the type of report to be generated
button: this is a rectangular item that you press (click with the mouse) to
carry out an action. An example on this screen is the Preview Report button
(which looks like a magnifying glass).
dialog box: this is a box that appears when you need to supply additional
information to carry out a task. An example on this screen is the Save Report
As dialog box which opens when you press the Specify File button.
option buttons: these are a group of buttons that are mutually exclusive. You
can select only one option at a time; if you already have an option selected, it
is replaced by your new selection. Examples of option buttons in this screen
are those contained in the Report Type group box.
Fields in a screen that are not available for you to use are shown in grey. Examples in
Figure 5-11 are the Assets and Status flag groups when the Security Checklist option
is selected.
Figure 5-12 shows part of another screen, the Countermeasure Assessment Reports
screen. This illustrates the use of check boxes.

Figure 5-12: Check boxes


Check boxes allow you to choose non-exclusive options - you can select as many
options as you like. When a check box is selected, a tick appears inside it. In this
example, you can select to include dependent assets or assets that are depended on,
or both, by selecting one or both check boxes.
Figure 5-13 shows part of the Value Application Software Assets screen. This
illustrates the use of a table.

Figure 5-13: A Table


A table is a set of rows and columns into which you can type text or select items from
a list.

5.7.3 Message screens


There are two types of screens containing a message that can be displayed, as
follows:
error messages: these are displayed when you have tried to carry out an action
that CRAMM will not let you complete for some reason. An example is if you
try to define a class for a physical asset, but do not define it to a detailed
enough level (see section 7.3.3). Error message screens contain the message
and an OK button - press the button to close the screen. You can then remedy
the problem, and try the action again. More detail on error messages is
provided in section 5.15
confirmation messages: these are displayed to check that you really want to
carry out an action. One set of these messages appears when CRAMM is in
Novice mode (see section 19.2). An example of a Novice mode message is
shown in Figure 5-14.

Figure 5-14: Novice mode message


There is also a message that appears when you try to delete something. An example
is shown in Figure 5-15.

Figure 5-15: Delete confirmation message


The Novice mode messages and the Delete confirmation message can be separately
turned on or off as described in section 19.2. Confirmation message screens have
buttons that allow you to accept or reject the action; these can be OK and Cancel or
Yes and No.

5.8 Entering data


This section describes the ways in which you enter data into the CRAMM software.

5.8.1 Selecting from list boxes


To select an item from a list box:
Step
1 if necessary, use the scroll bars to bring the required item into view
2 click on the item to select it.

Most screens only allow you to select one item at a time. However, a few screens do
allow you to select more than one item. Do this as follows:
Step
1 if necessary, use the scroll bars to bring the required items into view
2 click on each item to select it
3 to deselect a selected item, click on it again.

5.8.2 Selecting from drop-down list boxes


To select an item from a drop-down list box:
Step
1 click on the down arrow at the right of the list box's text box
2 the drop-down list appears beneath the text box
3 if necessary, use the scroll bars to bring the required item into view
4 click on the item to select it.

5.8.3 Typing into text boxes


To type into an empty text box:
Step
1 click in the text box - an insertion point (a flashing vertical bar) appears
2 type in your text, using the standard Windows keys and key
combinations.
To type into a text box that already contains text:
Step
1 click in the text box - an insertion point appears as described above - and
edit the text using the standard Windows keys and key combinations
or
2 if you have moved to the text box using the <Tab> key (see section 5.12),
the existing text will be highlighted. You can then type straight over this
text, delete it using the <Del> or <Backspace> key, or use the arrow keys
to move to a position in the text and edit it.
Note that where space on the screen permits, a text box will be big enough to show
the whole of the field should its maximum size be used. However, because a
proportional font is used, the maximum number of characters may not occupy the
whole of the physical space occupied by the field. Once you have typed the
maximum number of characters for the field, you will not be allowed to type in any
more. This is particularly noticeable with the Review Information text boxes in the
Create Review and Maintain Review Textual Information screens (see section 5.4).
Some text boxes contain Cut, Copy, Paste and Undo buttons. The standard Windows
key combinations for these functions are also available.

5.8.4 Using tables


There are several ways that you can enter data into tables in CRAMM screens,
depending on the types of column within the table:
fixed text columns: cells in these columns contain text which is fixed, that is it
is permanently contained in the software and you cannot edit it. These
columns are used to set the context for the associated row in the table. An
example in Figure 5-13 is the Impact column
text columns: cells in these columns are like text boxes - you click in the cell,
an insertion point appears and you can type or edit text in the cell. An
example in Figure 5-13 is the Scale column
drop-down list columns: the cells of these columns are like drop-down list
boxes - when you click in the middle of the cell, a down arrow appears at the
right side of the cell. Select the arrow and a drop-down list is displayed, from
which you can select an item. An example in Figure 5-13 is the Guideline
column
note columns: when you click in a cell in a note column, a small screen
appears into which you can type descriptive text. When you have finished
typing, click elsewhere in the table, and your text will appear in the cell. An
example in Figure 5-13 is the Scenario Description column. You can also use
the Note button to enter a description (see section 7.7.5).
Some tables have a Set Many button. This allows you to select several items in the
table and apply the same value or comment to all of the items in one operation.
There are several ways that you can move around and select parts of a table, using
the mouse or the keyboard, as follows:
to select a row:
using the mouse, click in a fixed text column - the whole row is then
highlighted
or, in tables with a Set Many button, use the arrow keys to move to the
required row, and press the <Spacebar> to select it.
You can select several rows at once in tables with a Set Many button. Do this as
follows:
to select several adjacent rows:
using the mouse, select the first row and drag the mouse over the
other rows that you wish to select
or
select the first row, then hold down the <Shift> key and use the up or
down arrow key to move to the last row you wish to select - this will
select all of the rows that you move through
to select several non-adjacent rows:
using the mouse, select the first row, hold down the <Shift> key, and
click in the other row(s) that you wish to select
or
select the first row, then hold down the <Ctrl> key and use the up or
down arrow key to move to the second row you wish to select - press
the <Spacebar> to select the second row
to move forwards through the cells in a table, use the <Tab> key. To move
backwards, hold down the <Shift> key and press the <Tab> key.
Alternatively, use the mouse to click in the cell that you require.

5.8.5 The Class Selection list box


This is a special type of list box, which appears on several screens. An example is
shown in Figure 5-16.

Figure 5-16: Class Selection list box


The Class Selection list box allows you to select the class of an asset. It displays the
assets in a hierarchical tree form, as follows:
the trunk class is at the top, in this case Physical
the branch classes are displayed next - an example in this case is Storage
Facility
the leaf classes are the bottom level to be displayed - an example in this case
is Magnetic Disk Device.
When you first display a screen that contains a class selection list box, it is collapsed
to the branch level. This means that only the trunk and branch levels of class are
displayed. These levels are indicated by black diamonds.

To expand the display to see lower levels, double-click on the class that you wish to
expand, or select the class and press the <+> key on the keyboard number pad. There
may be more than one level of branch class. Leaf classes are indicated by white
diamonds. Double clicking on a leaf class will cause the class to be added to the
classification of the asset shown at the time. It is also possible to add a class by
dragging and dropping the class from the class selection list into the Assets Class
box.
To collapse the display again, double-click on the branch class that you wish to
collapse or select it and press the <-> key on the keyboard number pad. You can
collapse to the top level by double-clicking on the trunk class at the top of the list
box. All lower classes disappear from the display. Double-click again on the trunk
class, and the display is returned to showing only the trunk and branch classes.
5.8.6 Note screens
Some screens contain a Note button which, when pressed, opens a Note screen. An
example of a Note button is shown in Figure 5-13. In most cases double clicking a
field where the note can be entered will cause the note screen to be automatically
displayed.
Note screens contain a text box into which you can type descriptive text about an
asset, and four editing buttons - Cut, Copy, Paste and Undo. There are also OK and
Cancel buttons.
Before you type any text into the note screen, the Note button is marked as Empty.
Once you have entered some text, this changes to Note, to let you know that a
comment has been written about the asset. You can edit the text as often as you like.

5.9 Navigating through the CRAMM software


5.9.1 Process Flow Screens
CRAMM Version 5.1 uses a process flow style of interface. This means that the steps in
the risk assessment are represented in graphical form with a clear indication of what
step needs to be completed next.
When you have selected a CRAMM review, the first screen that you are presented
with is shown below:


Figure 5-17: CRAMM Main Screen

This opening screen shows the basic steps in completing a Risk Assessment, and the
order in which the steps need to be completed. Note: the Identification and
Valuation of Assets are shown to run in parallel with Threat and Vulnerability
Assessment but both tasks need to be completed before it is possible to carry out the
activities in the risk analysis stage.
Selecting any of the options will show how each of these tasks is divided up into
further sub-tasks. The complete list of all of the forms contained in CRAMM is
shown in Section 5.14.
The process flow style can also show where a task is optional. For example the
following diagram shows that completing the contingency planning aspects of the
CRAMM review is optional.

Figure 5-18: Identification and Valuation of Assets Screen

5.9.2 Status Flag Boxes


In order to assist users in remembering where they are in each review that they have
completed, each process box has an associated status flag box. This is provided so
that you can tick which tasks you have completed and are therefore able to see which
tasks you have yet to complete.
These check boxes are not ticked automatically by the software. Rather they are
ticked by you to indicate that you are satisfied that you have completed a particular
task.


5.10 Displaying the status of a review


CRAMM provides two methods of displaying the current status of a review.
To display the status of calculations in the current review:
Step
1 In the CRAMM 5.1 application, from the Review menu choose Review
Status. The Review Status screen is displayed, as shown in Figure 5-19.

Figure 5-19: Review Status screen


2 This identifies the type of the review as CRAMM, BS 7799, or What If. The
screen also shows which of the review calculations have been carried out
and not invalidated by a subsequent action. The calculation states are:
dependencies calculated from the asset model
implied values calculated
automatic asset groups created
some measures of risks calculated
all measures of risks calculated
countermeasures calculated for selected threats but Finish Calculation not performed
countermeasures calculated for selected threats and Finish Calculation performed.

The alternative method of seeing the current status of the review is as follows:

Step
1 In the CRAMM 5.1 application, from the Review menu choose Review
Status. The Review Status screen is displayed, as shown in Figure 5-20.

Figure 5-20: Review Status screen


2 If you wish to get a status report, click on the Status Report button to
display information about the review, including:
No. of assets and locations investigated

No. of threats and vulnerabilities investigated

No. of countermeasures recommended

Status of each calculation


5.11 Browsing through a review's assets


To browse through the assets in a review:
Step
1 In the CRAMM 5.1 application, from the Review menu, choose Browse
Assets. The Browse Assets screen is displayed, as shown in Figure 5-21.

Figure 5-21: Browse Assets screen


2 To look at assets within a particular asset class, select the class from the
Asset Classes drop-down list box. The assets in that class are then
displayed in the Assets list box.
3 To look at assets that belong to a particular asset group, select the group
from the Asset Groups drop-down list box. The assets in that group are
then displayed in the Group Members list box.


5.12 Using the keyboard


The CRAMM software uses the standard Microsoft Windows keyboard facilities. In
particular, you can do the following:
select an item from a drop-down list box by typing the first letter of the item.
If there are several items beginning with this letter, the first one is selected. If
you type the letter again, the second one is selected and so on
move between fields in a screen using the <Tab> key. This moves through
the fields that are available to you in the order top left to bottom right. If you
move to a field this way that contains text, the text is automatically
highlighted, and you can type over it or delete it
move between columns in a table using the <Tab> key. This moves through
the columns from left to right, cell by cell. If the column is a drop-down list
column or a note column, the drop-down list or note screen is displayed
when you tab into the appropriate cell.


5.13 Printing reports


There are many reports that you can print using the CRAMM software. They are
described in the appropriate sections of this Guide.
CRAMM supports two basic types of report:
Centura Reports
Access Reports
Centura Reports
At the bottom of the screens that you use to produce the Centura reports, there is a
group box called Output to. This contains the following fields:
Printer option button: use this to print the report on the printer currently
specified for your PC
Screen option button: use this to display the report on your PC screen
ASCII Format File option button: use this to produce the report as an ASCII
text file (sometimes referred to as a plain text file)
Rich Text Format File option button: use this to produce the report as a Rich
Text Format (RTF) file
CSV Format File option button: use this to produce the report as a Comma
Separated Values (CSV) text file. This option is available for some tabular
reports so that they can be exported to a spreadsheet, word processor or
other compatible application.
If you press one of the last three buttons, the Filename text box and Specify File button
become available. You need to specify a name for the file that the report will be saved
into. You can do this either by typing into the Filename text box, or by pressing the
Specify File button, and selecting from the Save Report As window that opens. This is
a standard Windows file browse facility.
Note that if you do not specify a full pathname for the file, it will be automatically
saved in the current home directory set up for your PC (this is usually the directory
in which CRAMM is installed).
Access Reports
The Access Reports can also be output in a variety of formats. When an Access
report is being displayed to the screen, you can select the File menu. This provides
the following options:
Page Set up
Selecting this option allows you to alter the Margins, page settings or the printer
used for printing the report.
Publish It with MS Word
Selecting this option will output the report in an RTF format, and then open that
RTF file up using MS Word to allow further editing to take place.
Analyze It with MS Excel
Selecting this option will output the report in Excel format, and then open that file
using MS Excel to allow editing or analysis to take place.
Close


This will close the report.


Note: A common fault observed on some machines is that when printing or previewing
Access reports there is a blank sheet following each page of output. This can be
overcome by using the Page Set up Margins option and reducing the size of the left
and right margins. This procedure has to be repeated each time the report is
produced.


5.14 Structure of Screens in CRAMM


The following diagrams show the structure of all of the screens contained in the CRAMM software.


5.15 Error messages


There are two types of error message that can be displayed in CRAMM: system
errors and internal CRAMM errors.

5.15.1 System errors


When a system error occurs, CRAMM stops and a CRAMM Error screen appears as
shown in Figure 5-22.

Figure 5-22: A CRAMM Error screen


This type of error indicates an internal problem with the CRAMM system and is non-
recoverable.
If you need more information about the error, press the More button in this screen.
The Database Error screen is displayed which contains more information about the
error. This is shown in Figure 5-23.

Figure 5-23: Database Error screen

5.15.2 CRAMM errors


CRAMM error messages describe problems in data entry or processing. They are
described in Appendix J. Further information can also be displayed by pressing the
<F1> function key, which provides help on the particular screen that is open.

5.15.3 How to report errors


Annex K provides information on possible causes of system errors that you should
investigate before reporting the error to your support contact. If however the error
persists after you have carried out these investigations, you should record the


information given in the system error message, along with the CRAMM function
being executed when the error occurred.
If you have a problem with either the method or the software, you need to contact
your CRAMM supplier or CRAMM support desk. You should provide them with the
following information:
the date and time of failure
the version number of the software (which you can find by choosing About
CRAMM from the Help menu)
the nature of the problem, including:
error messages

function being used

data peculiarities

the hardware and software being used to run CRAMM.


5.16 Help
CRAMM's help facilities are available to you at any stage of a review to provide
context-specific help or more general information. If this is insufficient, contact your
CRAMM supplier for further information.
To obtain help on CRAMM from within Windows:
double click on the CRAMM Help file, which is found in both the c:\program files\cramm
50 directory and the c:\programme files\cramm v5 access database directory.
To obtain help on CRAMM from within the CRAMM software:
choose Contents or Search from the Help menu. These are standard Windows
Help facilities
within Contents there is an item, Process View. If you choose this item, a top-
level process diagram of the CRAMM method is displayed. If you double
click on one of the process boxes, a diagram of the sub-processes of that
process is displayed. You can double click on process boxes to see lower and
lower levels of process flow until you reach a process which has no sub-
processes. At this point you are shown the description of the process
CRAMM also provides context-sensitive help for each CRAMM screen. To
use this, press the <F1> function key in the screen on which you want help. A
CRAMM help screen appears containing software help for the currently
displayed screen. At the top of this help screen is a hotspot (some text in a
different colour) that, when selected, displays a screen containing method
help for the currently displayed CRAMM screen.


5.17 Section summary


This section provided general information on using the CRAMM software. It
described how to initiate the CRAMM software and the access controls built into the
software, the CRAMM screens, how to enter data into them and how to move
between them, how to obtain help on the software and what to do if an error message
appears, and how to print reports.



Chapter 6
Initiation

6. Initiation
6.1 Introduction
CRAMM is a comprehensive method that can be used to tackle a variety of security
related problems. Being comprehensive, however, can cause problems. If clearly
defined objectives are not set, time may be wasted investigating areas that are of little
or no interest to management, or alternatively the review may not explore crucial
areas in sufficient detail.
It is therefore essential that when setting up a CRAMM review, management clearly
defines its objectives and the required scope and deliverables from the review. You
will then be in a strong position to plan the review accurately.
This section covers the following topics:
the role of the reviewer (section 6.2)
management and control of a CRAMM review (section 6.3)
creating, selecting and closing a review (sections 5.4 and 5.5)
gathering background information on the review (section 6.6)
identifying interviewees and scheduling interviews (section 6.7).

6.2 The role of the reviewer


CRAMM Expert is a tool to assist in the analysis and management of risks rather
than a prescriptive method that must be followed precisely. For a CRAMM Expert
review to be successful, reviewers must have a clear understanding of their
responsibilities and the degree to which CRAMM can assist in meeting these
responsibilities. The reviewer's main responsibilities are to:
conduct interviews, review documentation and carry out physical
inspections to gather relevant information
interpret and document the findings
input the relevant information into the CRAMM software
produce the deliverables defined by management
check the quality of the deliverables
keep management informed of progress and any problems that occur during
the course of the review
present the deliverables to management.

6.2.1 Skills profile for a CRAMM reviewer


All reviewers should have attended a CRAMM training course, and it is desirable
that at least one member of the review team should have previous experience in
conducting a CRAMM review. Reviewers should have a good understanding of
information systems and associated technology and a knowledge of information
security risks and solutions. Reviewers also need to have good interviewing,
analytical, report writing and presentation skills.


6.3 Management and control of a CRAMM review


Like any project, CRAMM reviews need to be managed and controlled. For all but
the smallest reviews, you should use a project management method such as PRINCE.
You only need to use those parts of PRINCE which are applicable to CRAMM
reviews.

6.3.1 Pointers and prompts


The following pointers and prompts are provided for you to consider before you
start work on the CRAMM Expert review:
are there any alternative review boundaries which would optimise the
review in terms of available resources and coverage?
have any key components of the system been placed outside the review
boundary that are an essential element of the basic system?
can any of the identified assets be classed or grouped together to reduce the
amount of time taken for interviews and asset valuation?
how many interviews are required? Should they all be recorded in the
software tool? Is there scope for interviewing a group of users by means of a
workshop, for example?
what is the best schedule for interviews to minimise travelling and interview
time?
how should each of the interviews be conducted to get the most complete
and accurate answers from interviewees?
will any of the interviewees require careful and tactful questioning? If so, are
there any questions that require re-phrasing to help obtain complete and
accurate answers?

6.3.2 Initial meeting


The first activity in a CRAMM Expert review is an initial meeting between the
reviewer and management to agree the objectives and terms of reference of the
review and how it will be managed and controlled.
The reviewer should prepare for the initial meeting by reading any terms of reference
or other documentation that can provide information on the objectives and
requirements of the review. If possible, the reviewer should also gather background
information on the system to be reviewed prior to the initial meeting. Section 6.6
provides guidance on the background information required.
CRAMM Expert is a powerful and flexible method that can be used in a variety of
different situations, including:
when specifying new information systems
when out-sourcing a service to a third party
as part of a business continuity review
when moving to a new location
when it is necessary to demonstrate to outside bodies that security has
been properly considered


as part of demonstrating compliance with BS 7799 or any other
information security standard.
Managers commissioning a CRAMM Expert review must make it clear to the
reviewers what has led to the review being started and what they hope to get out of
the review. This includes ensuring that the reviewers are aware of any other pieces
of work that could impinge on the CRAMM review, such as changes in organisation.
The boundary of the review should be established at the initial meeting and
documented within a Project Initiation Document (described in section 6.3.3),
together with a note of any items which have been specifically excluded from the
review.
If you set the boundary too wide, it can lead to an extremely long and complex
review. On the other hand, a tightly enclosed boundary may be inappropriate to the
security needs of a widely distributed system. Perhaps worst of all is a loosely
defined boundary which leads to confusion, changes in scope, project delays and
general dissatisfaction.
It is important that:
the objectives for the review are clearly stated
the boundary is stated unambiguously
there are no components outside the boundary which are crucial to the
successful functioning of the system
the review does not include unnecessary assets or elements of the system that
could be regarded as peripheral or inconsequential to the running of the
system.
You should define the boundary in terms of the:
physical, software and data assets to be covered
locations to be covered
threats to be addressed
security aspects to be addressed.
For initial planning purposes, a broad description of the assets to be included will
suffice.

6.3.3 Project Initiation Document


Following the initial meeting, you should produce a Project Initiation Document
(PID) for the review. This should describe:
the objectives of the review
the terms of reference
the management and control structure, including members of the review
board
the deliverables to be produced
any assumptions or risks
the project and resource schedules (described in section 6.3.4)
a quality review plan and quality criteria for all the deliverables


a preliminary list of the people who are to be interviewed.


The document needs to be kept up-to-date as the review progresses.
You need to seek management's authorisation to undertake the review - this is
usually in the form of documented acceptance of the PID.
Note that CRAMM does not provide any automated support for the production of a
PID.

6.3.4 Project Schedule


You should produce a Project Schedule for each review, which details the timescales
and resources required for the review. This document should be included in the PID
and updated as necessary throughout the course of the review.
The level of resource required to complete a CRAMM Expert review depends on
several factors including:
the number of data assets to be reviewed
the number of sites that need to be visited and their location
the level of detail required of the analysis
the number of threats to be covered
the experience of the reviewers.
Other factors that may influence the timescales include possible difficulties in
arranging interviews, lack of system documentation (for example, configuration
diagrams, asset registers), and the time it would take to develop other deliverables
(such as Security Operating Procedures and System Security Policies).
Further information can be found on the planning and management of a CRAMM
Expert review in the document entitled Managing CRAMM Reviews Using PRINCE
which is available for download from www.cramm.com.

6.4 CRAMM Expert Opening Screen


Method Concept: The CRAMM Expert Front Screen shows the basic steps in
conducting a risk assessment if following the method embodied within CRAMM
Expert.
The basic steps are:
Initiation

Identification and Valuation of Assets

Threat and Vulnerability Assessment

Risk Analysis

Risk Management

Each of these steps will be broken down into further steps in later sections.



6.5 Initiation Activities


6.5.1 Introduction
Method Concept: The CRAMM reviewer needs to gather some basic information
about the system and the organisation prior to starting the review itself to help
ensure that nothing critical is left out of the review and that the review can be
organised in an efficient manner.
The following diagram depicts the steps involved in gathering that information.

Figure 6-24: Initiation Screen


6.6 Gathering background information


When starting a review, the reviewer may not know very much about the system or
network that is to be reviewed. You should aim to gather the background you need
to help understand the work of the organisation, and the way in which the system
supports this work, as quickly as possible.
You need to gather the following information.
An overview of the user and support organisations: It can be useful to document the user
and support organisations. One way of doing this is by producing an organisation
chart. Where such a chart is already available, you can include a copy in the review's
working files.
Details of the function of the system or network: You should document how the system or
network serves the users. You need to identify the main applications that run on the
system or network and how many people use each application. In describing the
function of the system, gather as many details as are necessary to understand its
operation.
Diagrams showing the configuration of the system or network: It can be very valuable to
document the configuration of the system or network, particularly where it is
complex. The best way of doing this is by producing diagrams. You should ensure
that the diagrams show the physical locations of the main items of hardware. Where
such diagrams already exist, you can include a copy in the review's working files.
If one of the objectives of the review is to construct a System Security Policy, you can
gather much of the information for that document at this stage. Section 14.2 contains
guidance on how to write a System Security Policy.
Once you have gathered the background information that you require, you need to
enter this into the CRAMM software.

To input initial information about the review:


Step
1 From the Initiation screen, choose Background Information. The
Background Information screen is displayed, as shown in Figure 6-25.


Figure 6-25: Background Information screen


2 Use this window to input the information collected about the system
being reviewed under the following headings:
User Organisation
System Function
System Configuration
Supporting Organisation
Review Boundary.

3 Select the option button for the description you wish to create or edit. If
you have already created the description it will be displayed in the
Description Text text box, otherwise this will be blank. You can type into
the Description Text text box and use the Cut, Copy, Paste and Undo buttons
to create and edit the description.
4 If you wish to produce a report on the background information, press the
Background Information Report button. The Review Information Report
screen is displayed, as shown in Figure 6-26.


Figure 6-26: Review Information Reports screen


5 Use the Output to controls to select the destination of your report, then
press the Generate Report button to produce the report.

6.7 Identifying interviewees and scheduling interviews


6.7.1 Identifying interviewees
Once the boundary to the review has been set and agreed, the next step in planning
the review is to identify the people who are going to be interviewed. These people
fall into two categories:
data owners, who will be interviewed to complete the data valuation
support personnel, who will be interviewed to gather information about the
technical environment and to complete the threat and vulnerability
assessment.
Data owners
A data owner is a person who can speak authoritatively about the data and the use
the business makes of that data. This person is normally drawn from the user area.
The data owners should be nominated by management, normally at the initial
meeting.
It is possible that a particular data asset may be used by many different parts of an
organisation, each of which has different requirements for confidentiality, integrity
and availability. In these cases more than one person can be nominated as the data
owner.


The ideal data owner is someone with day-to-day responsibility for overseeing the
work of a particular business function and who is able to describe accurately the
consequences should the data be either:
unavailable
destroyed
disclosed or
modified.
Support personnel
Information on the threats, vulnerabilities and countermeasures relating to physical
and software assets and specific locations can usually be obtained from the following
support personnel:
hardware: System Administrator, Operations Manager, or Network
Administrator
application software: Application Programming or Application Support
Manager
communications: Network Administrator
physical and environmental systems and services: Accommodation Officer or
Operations Manager.
It may prove useful to send a briefing note to the interviewees prior to the interview,
to outline the terms of reference of the review, explain the purpose of the interview
and detail any preparation that may be required.
Once you have decided who is to be interviewed, you need to input this information
into the CRAMM software.

To set up information about interviews:


From the Initiation screen, choose Identifying Interviewees and Interviewers. The
Identifying Interviewees and Interviewers screen is displayed, as shown in Figure
6-27.


Figure 6-27: Create and Maintain Interviews screen


To create or edit the names of the people carrying out the interviews:
Step
1 Select the Interviewers option button.
2 The names of the interviewers already defined will be displayed in the
Interviewer Name table.
3 To add a new interviewer, press the New button, then type the name into
the row added to the end of the table. You can only add one name per
row.
4 To remove an interviewer, select the appropriate row in the table and
press the Delete button.
5 To edit the name of an interviewer, select the appropriate row in the table
and type in the alterations.

To create or edit the names of the people who will be interviewed to supply
valuation details of data and application software assets:
Step
1 Select the Interviewees option button.
2 The names of the interviewees already defined will be displayed in the
Interviewee Name table.
3 Add, remove or alter the names of interviewees in the same way as
described for interviewers.

6.7.2 Scheduling interviews


A useful technique for scheduling interviews is to complete an interview matrix. The
interview matrix should be split into two parts:
details about the data valuation interviews
details about the threats, vulnerabilities and existing countermeasures
interviews.
The interview matrix is also a useful document for management because it shows at a
glance how many interviews are planned, how many have been completed, and how
many are left to conduct.
An example of an interview matrix is shown in Tables 6-1 and 6-2.
Note that CRAMM does not provide any automated support for interview
scheduling.


Name | Data Group | Date/Time | Bldg/Room | Section | Status
Eleanor Lennon | Policy Work | 12.11.92 10:00 | HQ Rm 305 | MSD | Written up
John Harrison | Research and Development | 12.11.92 2:30 | HQ Rm 217 | MSD | Interview carried out
George Lennox | Personnel | 16.11.92 10:00 | Regional Office | Personnel | Arranged
Annie Rigby | TSAR system | 10.11.92 2:30 | HQ Rm 207 | Finance | Comments returned

Table 6-1: User Interviews

Name | Section | Date/Time | Bldg/Room | Threats | Countermeasure Groups | Status
James Wells | System Administrator | 17.11.92 10:00 | HQ Rm 201 | Masquerading by insiders; Masquerading by outsiders; Mis-use of resources; Technical Failure of Network Host; Technical Failure of Storage Facility; Technical Failure of Print Facility; Operations Error | Identification and authentication; Identification by token or biometric; Logical access control; Accounting; Audit; Object re-use; System testing; Software integrity; Software change control; System input/output control; Operations control; Security administration controls; Recovery options for Hosts; Back-up of data; Capacity planning; Equipment failure protection | Arranged
Alan Wade | Operations Manager | 18.11.92 10:00 | HQ Rm 201 | Fire - Comp. Room; Water damage Comp. Room; Power failure; Air conditioning failure; Operator error; Staff shortage; Hardware Maintenance error | Fire protection - Comp. room; Power protection; Air conditioning protection; Operator controls; Media control; Hardware maintenance controls | Arranged

Table 6-2: Technical Interviews


6.8 Section summary


At this point you will have done the following:
obtained management authorisation and commitment to the review
defined the overall project schedule
established the boundary of the review
created and/or selected a review in the CRAMM software
entered the review boundary into CRAMM
identified the data owners for interviewing
entered the names of interviewers and interviewees into the CRAMM
software
created a Project Initiation Document (PID)
obtained approval for the PID from management.
See Annex C for a complete checklist of all activities.



Chapter 7
Identification and valuation of assets

7. Identification and valuation of assets


7.1 Introduction
Method Concept: Within CRAMM an information system is considered to be
constructed from three types of asset - data assets, application software assets and
physical assets.
These assets are considered to have a value to the organisation that uses the system.
A key factor in determining the level of security required for an information system
is the value of its assets.
To carry out a risk assessment, you need first to model the system or network that
will be reviewed. This involves identifying the data, software and physical assets
which comprise the system, and the relationships between these assets. Where
appropriate, you also need to define the locations of physical assets. The process of
identifying assets is described in section 7.3.
All assets have a value to the organisation and you need to understand these values
before you can identify suitable countermeasures within CRAMM. The process of
valuing assets is described in sections 6.3 to 6.7.
The objectives of the Identification and Valuation of Assets stage are:
to model the information system that is under review
to determine the value of the assets that make up the information system, in
particular to value the data assets in terms of their requirements for:
Confidentiality
Integrity
Availability

This section covers:
modelling the system (section 7.3)
valuing data assets (section 7.7)
valuing physical assets (section 7.8)
valuing software assets (section 7.9)
printing valuation forms (section 7.10)
reviewing asset values (section 7.11)
carrying out Stage 1 backtracking (section 7.18)


7.2 Tasks in Identification and Valuation of Assets


The Identification and Valuation of Assets screen is shown below:

Figure 7-28: Identification and Valuation of Assets Screen


7.3 Modelling the system


Method Concept: Data assets, application software assets and physical assets are
related to each other. For example, data assets are processed by application software
assets which, in turn, are supported by physical assets such as host servers and
network components.
In order to protect data, the application software assets and physical assets on which
the data is supported also need to be protected. The way in which different types of
asset relate to each other is defined in CRAMM through the creation of asset
models.
The Modelling the System screen is shown below:

Figure 7-29: Modelling the System screen


Following initiation, the first step in the identification and valuation of assets is to
create a model of the system under review. This involves the following steps:
identifying data assets
identifying end user services
identifying the physical assets that support each data asset
identifying the locations of certain physical assets
identifying the software assets that support each data asset
creating asset models which describe how data assets, physical assets,
locations and software assets inter-relate.
See section 7.5 for guidance on creating an asset model.


7.3.1 Identifying data assets


Method Concept: Data assets are central to a CRAMM review and the value of
data assets is a key component in determining levels of risk and requirements for
security.
If you have exported from an Express review you should ensure that the data asset
that has been created has been properly classified and if appropriate you may
wish to create further data assets.
A data asset is a collection of data that may conveniently be considered together for
the purposes of valuing that data. Data is valued in terms of the business impacts
that could result from a breach of security, disaster or other incident, as described in
section 6.3.
The length of time taken to carry out a CRAMM review depends on, amongst other
things, the number of data assets to be valued. You need to specify enough data
assets to allow you to distinguish between the relative values of different types of
data, whilst at the same time keeping the number of different assets to a minimum.
As a starting point, you should consider creating a separate data asset for data
relating to each application within the scope of the review. For example, if the
boundary covers payroll, personnel, management information and electronic mail
applications, your initial list of data assets could be:
Payroll Data
Personnel Data
Management Information Data
Electronic Mail Data.
You may then wish to amend this list depending on the following:
if different users rely on the data associated with an application in
different ways, or have a different perception of its value, then you should
break down the data asset into two or more assets
if different applications make use of the same data, or if users have a
similar perception of the value of data associated with two or more
applications, then you should combine two or more data assets into a
single data asset.
In the above example, you may decide that the payroll and personnel applications
make use of the same database of personal information and so these data assets could
be combined together. You may also decide that the value of operational electronic
mail differs from that of administrative electronic mail and so the electronic mail data
asset could be sub-divided. The selected data groups could therefore be:
Payroll and Personnel Data
Management Information Data
Operational Electronic Mail
Administrative Electronic Mail.
Once identified, you need to enter data assets into the software tool, as follows.


To create new data assets or modify existing data assets:

1 From the Modelling Assets screen, choose the Identification of Data Assets
button. The Create and Maintain Data Assets screen is displayed, as
shown in Figure 7-30.

Figure 7-30: Create and Maintain Data Assets Screen


2 Use the Name text box to either:
type the name of a new asset to be added to the review, or
display the name of an asset already defined for the review by
selecting from the drop-down list.

When an existing asset name is displayed you can change it by typing into the
text box. If you want to define a new asset when an existing asset name is
displayed, press the New button. This will clear the existing asset detail
from this and other fields. You can then type the name of the new asset
into the Name text box.
3 Use the Comment for <Asset Name> text box to add or modify descriptive
information about the asset. (If you are defining a new asset, this text box
is called Comment for new asset.) You can type text into the Comment for
text box and modify your typing using the standard Windows keys and
key combinations.


4 Use the Class Selection list box to select a class for the asset. Do this by
selecting the required class in the hierarchy and pressing the Add button.
Your selection appears in the Class list box.
5 If the asset has more than one class defined for it, the legend Multi
Function Asset will appear below the list box.
6 Use the Delete button to delete an asset from the review. Do this by
selecting it in the Name text box and pressing the Delete button. You
cannot delete an asset if it is linked into an asset model. To do this, you
first have to remove the asset from the model (see section 7.3.6).
7.3.2 Identifying End User Services
Method Concept: An important consideration in assessing risk and determining
security requirements is the type of service provided to the end user (where the end
user can be either a human being or an automated process). For example, the risks
and security requirements for a system that allows interactive access to a database
by human users will be different to those for a system that only allows messaging
between computer applications.
If you have exported from an Express review you will need to create end user
services which represent the way in which the data is being handled.
End User Services is a concept embedded within CRAMM as a way of modelling the
fact that the same data can be held, processed or transmitted in a variety of different
ways. These differences can lead to significant variances in terms of the types of
assets employed, the requirements for security and the types and number of
countermeasures that would be considered appropriate. For example, many
technical controls apply to the exchange of data over data communications links, but
would not be applicable if the same data were being transmitted by voice.
The end-user services defined in CRAMM are as follows:
Electronic Mail;
Application to Application Messaging;
Electronic Document Interchange;
Ad-hoc File Transfer;
Interactive Session;
Web Browsing;
Batch Processing;
Voice;
Video;
Other End User Service.
Since they are fundamental to the selection of many technical controls, CRAMM
enforces a rule that Asset Models cannot be created without an End User Service.
However, the end-user service can be a multi-function asset.


To create new end user services or modify existing end user services:

1 From the Modelling Assets screen, choose the Identification of End User
Services button. The Create and Maintain End User Services screen is
displayed, as shown in Figure 7-31.

Figure 7-31: Create and Maintain End-User Services screen

2 Use the Name text box to either:
type the name of a new asset to be added to the review, or
display the name of an asset already defined for the review by
selecting from the drop-down list.

If an existing asset name is displayed you can change it by typing into the text
box. If you want to define a new asset when an existing asset name is
displayed, press the New button. This will clear the existing asset detail
from this and other fields. You can then type the name of the new asset
into the Name text box.
3 Press the Note button next to the Comment field to add or modify
descriptive information about the asset. This displays a screen in which
you can type and modify text. When you are satisfied with the
description, press the OK button in this screen.


4 Use the Class Selection list box to select a class for the asset. Do this by
selecting the required class in the hierarchy and pressing the Add button.
Your selection appears in the Class list box.
5 If the asset has more than one class defined for it, the legend Multi
Function Asset will appear below the list box.
Note: The primary asset, in a Multi Function Asset, must be an allowable
Physical to Software asset link.
6 Use the Remove button to remove a class from the asset. Do this by
selecting the class in the Class list box and pressing the Remove button.
7 Use the Delete button to delete an asset from the review. Do this by
selecting the asset in the Name drop-down list box and pressing the Delete
button.
You cannot delete an asset if it is linked into an asset model. To do this,
you first have to remove the asset from the model (see section 7.3.6).

7.3.3 Identifying physical assets


Method Concept: Data assets are processed by application software assets and
supported by physical assets. Within CRAMM, the term Physical Asset is used to
cover all components of an information system that cannot otherwise be classified as
data assets, end user services or application software assets. CRAMM reviewers
should be aware that this definition includes some components that may not
normally be considered to be physical, for example communications protocols.
If you have exported from an Express review you will need to create physical
assets which support the data asset defined in the Express review. You should
identify the physical assets that relate to the asset groups you defined when
investigating threats during the Express review.
Having identified data assets, the next step is to identify the physical and software
assets upon which each data asset depends. You need to give each physical and
application software asset a name, and classify it by referring to Tables 6/1 and 6/2.
System and network software does not need to be defined separately since its
existence is implicit in the physical asset definitions.
One of the strengths of CRAMM is that it has the flexibility to support a variety of
different requirements from high-level overview risk analysis to very detailed
investigations of complex systems. The type of analysis required will influence the
approach that you take to defining physical and application software assets.
You should aim to specify the minimum number of physical and application
software assets necessary to meet the requirements of the analysis. Too broad a
definition of assets will result in broad generalisations about security requirements
without perhaps the degree of granularity required. Too many assets will result in
good granularity but at the expense of a disproportionately long analysis exercise for
the requirements of the review. Where you are unsure about the number of assets to
define, you should initially limit the number. If necessary, you can add further assets
later and analyse them using the CRAMM What If facility.
Assets are classified by a multi-level description of their function, as shown in Tables
6/1 and 6/2. These levels are known, in descending order, as the trunk, branch
and leaf levels. When classifying an asset, you need to define it down to the leaf
level of classification.


In defining physical and application software assets, you should consider the
following guidelines:
only assets that are within the boundary of the review need to be defined
some assets may be within the boundary of the review (perhaps because a
broad description of the boundary has been used) but will not be of
interest from a security perspective - assets of this type need not be
defined
where multiple assets of the same type are used, and are likely to be
subject to similar risks, these may be grouped together and only defined
once to the software tool. For example, fifty workstations of the same type
in the same location could be defined as a single instance of a physical
asset (workstation) rather than fifty instances
where assets carry out multiple functions, they can be classified as multi-
function assets. For example, a single PC may be defined as a workstation,
server and gateway.
During Stage 3 of the review the CRAMM software tool will select countermeasures
which protect against the defined asset classes. If no assets of a particular asset class
have been defined, countermeasures for that asset class will not be put forward for
consideration.

To create new physical assets or modify existing physical assets:

1 From the Modelling the System screen, choose the Identification of Physical
Assets option. The Create and Maintain Physical Assets screen is
displayed, as shown in Figure 7-32.


Figure 7-32: Create and Maintain Physical Assets screen


2 Use the Name text box to either:
type the name of a new asset to be added to the review, or
display the name of an asset already defined for the review by
selecting from the drop-down list.

If an existing asset name is displayed you can change it by typing into the
text box. If you want to define a new asset when an existing asset name is
displayed, press the New button. This will clear the existing asset detail
from this and other fields. You can then type the name of the new asset
into the Name text box.
3 Use the Quantity text box to alter the number of units for the asset. You
can alter the number by typing directly into the text box or by using the
increment/decrement controls of the text box.
4 Press the Note button next to the Comment field to add or modify
descriptive information about the asset. This displays a screen in which
you can type and modify text. When you are satisfied with the
description, press the OK button in this screen.
5 Use the Class Selection list box to select a class for the asset. Do this by
selecting the required class in the hierarchy and pressing the Add button.
Your selection appears in the Class list box.
6 If the asset has more than one class defined for it, the legend Multi
Function Asset will appear below the list box.
Note: The primary asset, in a Multi Function Asset, must be an allowable
Physical to Software asset link.
7 Use the Remove button to remove a class from the asset. Do this by
selecting the class in the Class list box and pressing the Remove button.
8 Use the Delete button to delete an asset from the review. Do this by
selecting the asset in the Name drop-down list box and pressing the Delete
button.
You cannot delete an asset if it is linked into an asset model. To do this,
you first have to remove the asset from the model (see section 7.3.6).
Table 7/1 lists the physical asset classes.

Level 1 asset classes are listed below with their definitions. Level 2 asset classes
are indented beneath the Level 1 class to which they belong, and Level 3 asset
classes, where defined, are indented beneath their Level 2 class.

Host
(Defined as a computer system which holds user data and/or supports application
software. The Hosts (file server, database servers, etc.) may be connected and be
inter-working in a variety of configurations, for example remote login access,
client-server etc.)
    File Server
    Database Server
    Application Server
    General Purpose Host
    Other Host

Workstation
(Defined as a device which is primarily used as a single-user system for providing
access to one or more remote network or end-user services, for example a
networked PC.)
    Fixed Location Intelligent Workstation
    Fixed Location Dumb Terminal
    Portable
    Personal Digital Assistant
    Other Workstation

Storage Device
(Defined as a storage device which is connected to a network and is accessible to
the served host systems as a network node. This device is distinct from a file server
in that it provides storage services only to host systems, not directly to users or
applications. An example would be an optical juke-box used as a remote electronic
vault. The device is typically situated in a different physical location from the
served host systems.)
    Magnetic Disk Device
    Magnetic Tape Device
    Optical Disk Device
    Other Storage Device

Print Facilities
(Defined as a print device which is either connected directly to a host system or to
a network and is accessible to the served host systems as a network node. This
device may be situated in a different physical location from the served host
systems.)
    Print Server
    Printer
    Other Print Facilities

Network Distribution Component
(Defined as an IT entity which performs essential network functions that do not
include storage of user data or support application software except in
inaccessible, transient forms.)
    Bridge
    Router
    Hub/Repeater
    Layer 2 Switch
    Layer 3 Switch
    Repeater
    Modem
    Multiplexor
    Network Termination Component
    ATM Switch Node
    X25 Switch Node
    Microwave Transceiver
    Infra-Red Transceiver
    Wireless Transceiver Access Point
    Laser Transceiver
    Ethernet/Gigabit Switch
    Satellite Ground Station
    VSAT Station
    PABX/PBX
    Automatic Call Distribution (ACD)
    Firewall/Security Gateway
    Message Translation Gateway
    Address Translation Gateway
    Protocol Converter
    Encryption Unit
    Universal Serial Bus (USB) Hub
    Other Network Distribution Component

Network Management/Service Host
(Defined as a computer system that provides any aspect of a service which is
required or offered by a network.)
    Directory Management System
    Message Store/Handling System
    Network User Authentication System
    Dial-up User Authentication System
    Firewall Management System
    Network Management System
    Encryption Management System
    TTP/CA/PKI Management System
    Other Network Management/Service System

Network Interface
(Defined as the method by which a connection between a remote network host and
the nearest Network Switch is achieved.)
    Permanent Connection (PVC)
    Switched Connection (SVC)
    Wireless Connection
    Infra-Red Connection
    Laser Connection
    Microwave Connection
    Packet Radio Interface (GPRS)
    Other Network Interface

Communications Protocol
(Defined as the method by which data is packaged, formatted, addressed and moved
across network links. A variety of protocols may be used in a single network
environment. High Level = ISO Layers 4 to 7, and Low Level = ISO Layers 1 to 3.)
    High Level Communications Protocol
        HTTP
        NNTP
        RPC
        FSP
        WAP
        FTP
        TFTP
        WAIS
        Telnet
        RIP
        Archie
        Gopher
        XDR
        OSPF
        NTP
        X.400
        X.500
        LDAP
        SMTP
        SNMP
        DNS
        WINS
        DHCP
        POP3
        IMAP
        SNA Higher Level
        Other Higher Level Protocol
    Low Level Communication Protocol
        Character Asynchronous
        Character Synchronous
        X.25
        BSC (IBM Bisync)
        SNA Lower Level
        VIP (Bull)
        TCP/IP
        IGMP
        RARP
        EGP
        ARP
        IPX
        UDP
        Appletalk
        LAPB
        BDMP (Bridges)
        LAT (DEC)
        BGP4
        ICMP
        Ethernet
        Token Ring
        CLNP
        ARCNET
        SONET
        SDH
        SDLC
        HDLC
        Other Low Level Protocol

Network Cabling
(Defined as the physical connection between the host and the network devices.)
    UTP (Unshielded twisted pair)
    STP (Shielded twisted pair)
    Coaxial
    Fibre
    Patch Panels
    Wiring Frames
    Termination Cabinets
    Wall Sockets
    Other Network Cabling

Externally Provided Network Service
(Defined as network facilities which complement or assist the management or
function of end-user services, where these are provided by a PTO or third-party
service provider. Service providers and PTOs will use their own switches, etc. to
provide these services; these devices should not be defined separately as assets.)
    Data
        Frame Relay
        Internet
        SMDS
        Message Relay
        Dial-up
        Megastream
        Kilostream
        PSTN
        ISDN
        ATM
        TDM
        Satellite
        SDH
        Dark Fibre
        TTP/CA/PKI Service
        Payments
        Credit Checking
        Other Procurement Service
        EDI
        DNS
        ADSL
        Broadband
        Other Externally Provided Data Service
    Voice
        Permanent - Analogue
        Permanent - Digital
        Mobile - Analogue
        Mobile - Digital
        Mobile - Cordless
        Voice over IP
        Radio
        Other Externally Provided Voice Service
    Audio Video
        TV
        Video Telephone
        Video-Conferencing
        Other Externally Provided Video Service

Internally Provided Network Service
(Defined as network facilities which complement or assist the management or
function of end-user services, where these are provided by the organisation itself.)
    Data, Voice and Audio Video, with the same Level 3 asset classes as listed
    for Externally Provided Network Service above.

Media
(Defined as any material used for the permanent or temporary storage of
information, for the preparation of information for communication or transfer, or
for the presentation of information for input or output from computer systems.
Includes both electronic and non-electronic forms of information.)
    Non-Electronic
        Input
        Output
        Vital Records
        Microfiche
        Other
    Electronic
        Tapes
        Magnetic Disks
        Optical Disks
        Other

Table 7-1: Physical Asset Classes


7.3.4 Identifying software assets
Method Concept: Within CRAMM, the term Software Asset is used to cover
specifically application software assets. There is no need to specifically define
system, networking or database software.
If you have exported from an Express review you will need to create software
assets which support the data asset defined in the Express review. You should
identify the software assets that relate to the asset groups you defined when
investigating threats during the Express review.
To create new application software assets or modify existing application software
assets:
1 From the Modelling the System screen, choose the Identification of Software
Assets option. The Create and Maintain Application Software Assets
screen is displayed, as shown in Figure 7-33.

Figure 7-33: Create and Maintain Application Software Assets screen


2 Use the Name text box to either:
type the name of a new asset to be added to the review, or
display the name of an asset already defined for the review by
selecting from the drop-down list.

When an existing asset name is displayed you can change it by typing into
the text box. If you want to define a new asset when an existing asset
name is displayed, press the New button. This will clear the existing asset
detail from this and other text boxes. You can then type the name of the
new asset into this text box.
3 Press the Note button next to the Comment field to add or modify
descriptive information about the asset. This displays a screen in which
you can type and modify text. When you are satisfied with the
description, press the OK button in this window.
4 Use the Class Selection list box to define a class for the asset. Do this by
selecting the required class in the hierarchy and pressing the Select button.
Your selection appears in the Class list box.
An application software asset can only have one class defined for it. To
change the class, simply make another selection from the Class Selection
list box and press the Select button again.
5 Use the Delete button to delete an asset from the review. Do this by
selecting the asset in the Name text box and pressing the Delete button.
You cannot delete an asset if it is linked into an asset model. To do this,
you first have to remove the asset from the model (see section 7.3.6).

The Level 1 asset class is listed below with its definition. Level 2 asset classes are
indented beneath it with their definitions, and the Level 3 asset classes available for
each are indented beneath the Level 2 class.

Application Software
(Defined as an application which manipulates or stores information.)
    Funds Transfer
    (Defined as any application which transfers funds.)
        Bespoke Sensitive
        Bespoke Non-sensitive
        Packaged
    Financial
    (Defined as any application which manipulates records of financial
    transactions and the record of current financial holdings or position.)
        Bespoke Sensitive
        Bespoke Non-sensitive
        Packaged
    Safety Critical
    (Defined as any application which directly controls or mediates a process
    which affects the safety of human beings.)
        Bespoke Sensitive
        Bespoke Non-sensitive
        Packaged
    Personal Information
    (Defined as any application which manipulates or stores information relating
    directly to identified individuals, other than information deemed to be in the
    public domain.)
        Bespoke Sensitive
        Bespoke Non-sensitive
        Packaged
    General
    (Defined as any other form of application.)
        Bespoke Sensitive
        Bespoke Non-sensitive
        Packaged

Table 7-2: Application Software Asset Classes


The Level 3 asset class distinguishes between bespoke and packaged software. For
bespoke software a further distinction is made between software which is sensitive
(and for which a degree of confidentiality will be required) and software which is
non-sensitive. Packaged software, by definition, is considered to be non-sensitive. In
most cases, application software will only need to be valued if it has been classified
as bespoke sensitive. Valuation of application software assets is covered in section
7.9.


7.3.5 Identifying locations


Method Concept: Certain types of physical asset can be considered to reside in a
particular location, for example host servers, gateways, workstations. Identification
of locations allows certain threats to be investigated against locations, for example
the threat of fire to a computer room. Based on the information about which
locations house which assets, CRAMM is able to report on the countermeasures
required for individual locations. CRAMM Version 4 has extended the concept of
locations to include the concept of an organisation. Before defining the locations,
the user can define the organisations that are covered by the review. This enables
CRAMM to determine whether certain countermeasures which would best be
implemented at the organisational level should be implemented or not.
If you have exported from an Express review you will need to create locations
and organisations which support the data asset defined in the Express review.
You should identify the locations and organisations that relate to the asset groups
you defined when investigating threats during the Express review.
For certain physical asset classes (as described in Table 6/1) you have the option of
defining the assets location. You should do this if you wish to consider the physical
and environmental risks and countermeasure requirements for the location.
Otherwise, you do not need to define locations.
Where locations are defined, you have the following options. You can:
define a room, in which case you must also define the building in which
the room resides, and you may optionally define the site in which the
building resides
define a building, in which case you may optionally define the site in
which the building resides. Also you may optionally define the
organisation for which the people in that building work
define a site, in which case you may optionally define the site in which the
building resides. Also you may optionally define the organisation for
which the people on that site work
define an organisation.
Some physical and environmental countermeasures apply on a site-wide basis, others
to a building and some to a room. In deciding the level at which to specify a location
remember that in Stage 3 of the review, countermeasures are only selected to protect
against those locations that have been defined. Hence, if a room and building have
been defined but not a site, countermeasures applying at the room and building level
will be put forward for consideration but not those that apply at the site level.


To create new locations or modify existing locations:

1 From the Modelling Assets screen, choose the Identification of Locations button.
The Create and Maintain Locations screen is displayed, as shown in
Figure 7-34.

Figure 7-34: Create and Maintain Locations screen

The Locations list box shows the sites, buildings and rooms defined for the
review. They are displayed in a horizontal, four-level, hierarchic form
(that is organisations linked to sites, which are in turn linked to buildings
and then to rooms).
2 To add a new location, carry out this step and steps 3 to 5:
for an organisation, select (Add New Organisation) in the Locations
list box, or
for a site without an organisation, select (No Organisation) in the
Locations list box, or
for a site, select (Add New Site) in the Locations list box, or
for a building without a site, select (No Site) in the Locations list box, or
for a building on a site, select the name of the site in the Locations list
box, or
for a room, select the name of its building in the Locations list box.

3 Type the name of the new location into the New Location text box.
4 Press the Note button next to the Comment field in the New Location group
box if you wish to add descriptive information about the location. This
displays the Description for location screen in which you can type and
modify text. When you are satisfied with the description, press the OK
button in this screen.
5 Press the New button.
The name that you typed into the New Location text box is displayed in the
Locations list box.
6 To edit the name of an existing location, select the location in the Locations
list box, and type the new name into the Existing Location text box. Note
that the new name is not displayed in the Locations list box until you select
it.
7 To add or modify descriptive information about an existing location,
select the location in the Locations list box and type into the Comment text
box in the Existing Location group box. You can modify text within this
list box using the standard Windows keys and key combinations. (Note
that you can also enter descriptive information for a new location as
described in step 4 above.)
8 To remove a location from the review, select it in the Locations list box, and
press the Delete button. If you select a site, all of the buildings on the site
and rooms in those buildings will be removed. If you select a building,
all of the rooms in the building will be removed. Note that the delete
action will not be allowed if any of the locations which would be removed
is linked into an asset model, that is if a physical asset has been linked to
the location.

7.3.6 Creating an asset model


Method Concept: An asset model defines the dependencies between different types
of asset, and allows suitable countermeasures to be identified for data assets,
physical assets, application software assets and locations. Separate asset models are
required for each data asset/end-user service combination. The concept of end-user
service is a key feature of CRAMM since the risks and solutions relating to one type
of end-user service (for example, interactive session) can be quite different to those
relating to another (for example, electronic mail), even where the same data is
involved.
If you have exported from an Express review you will need to create asset model(s)
which should show the relationships between the data asset created in the Express
review and other assets (i.e. End User Services, Physical and Software Assets, and
Locations) that support that data asset.
Asset models are created in the following way. For each data asset, carry out the
following steps.
1 Identify the end-user services which support the data asset.

2 Define separate asset models for each pairing of data asset and end-user
service. For each asset model, the data asset should have a link to one and
only one end-user service.
3 Identify the links from the end-user service to those physical assets which
support the data asset/end-user service pairing

4 Identify the links from physical assets to locations (only where you wish
to investigate physical and environmental risks to those locations).
5 Identify the links from the data asset to those application software assets
which support the data asset/end-user service pairing. (Only where you
wish to investigate controls that apply to application software.)
6 Identify the links from these application software assets to the physical
asset on which each resides
7 Identify the links from the data asset to those media assets which support
the data asset/end-user service pairing. (Only where you wish to
investigate controls that apply to media assets.)
8 Repeat for the next data asset/end-user service asset pairing for the same
data asset.
9 Repeat for the next data asset.

Figure 7-35 describes a generic asset model. This shows that asset models are created
for each data asset/end-user service combination by:
linking all physical assets (except those classified as media) that support
the data asset/end-user service combination to the end-user service
linking application software assets that support the data asset directly to
the data asset
linking each application software asset to the host or workstations on
which it resides
linking media items that support the data asset directly to the data asset.


Figure 7-35: Generic Asset Model (diagram, rendered here as a text hierarchy;
"-> Location" marks a physical asset that may be linked to a location)

Data Asset
  |-- End User Service
  |     |-- Host -> Location
  |     |-- Workstation -> Location
  |     |-- Storage Device -> Location
  |     |-- Print Facility -> Location
  |     |-- Network Distribution Component -> Location
  |     |-- Network Management/Service Host -> Location
  |     |-- Network Interface -> Location
  |     |-- Internal Network Service -> Location
  |     |-- External Network Service -> Location
  |     |-- Network Cabling -> Location
  |     `-- Communications Protocols -> Location
  |-- Application Software
  |     `-- Host(s) and/or Workstation(s) -> Location
  `-- Media -> Location


7.4 Example of an Asset Model


The following diagram shows a typical Local Area Network, supporting two groups
of users. Group A handles routine information with only minimal requirements for
confidentiality, whilst Group B handles highly sensitive information with very high
requirements for confidentiality.

Figure 7-36: Example Local Area Network (diagram; labels shown: XXX House,
FDDI Ring, Workstations, Local printers, Group A, Group B, File Servers
(Basement), LAN Equipment)


This could be modelled in CRAMM by creating the following two asset models.
Each is shown as the data asset, then the end-user service, then the physical
assets linked to that service, with the asset class in brackets and the
location after the arrow:

Model 1

Group A's Information
  `-- Using Group A's Information (Interactive)
        |-- Group A's Workstations (Workstation) -> Second Floor
        |-- Group A's Printers (Network Printer) -> Second Floor
        |-- Local Area Network (Multi-Function Asset) -> XXX House
        `-- Shared File Servers (Host Server) -> Basement

Figure 7-37: Asset Model for Routine Information


Model 2

Group B's Information
  `-- Using Group B's Information (Interactive)
        |-- Group B's Workstations (Workstation) -> First Floor
        |-- Group B's Printers (Printer) -> First Floor
        |-- Local Area Network (Multi-Function Asset) -> XXX House
        `-- Shared File Servers (Host Server) -> Basement

Figure 7-38: Asset Model for Sensitive Information
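The two models above, re-expressed in Python as an added illustration (this is not the CRAMM software, and the guide itself contains no code). Each model is the dependency graph of section 7.3.6, and a validation routine checks the rules the steps state: one model per data asset/end-user service pairing, media linked to the data asset rather than to the end-user service, and each application software asset resident on a host or workstation within the model. It also derives which locations are in use and therefore cannot be deleted, the restriction noted at the top of this page. The set of physical asset classes, the hypothetical "Payroll Application" and "Nightly Backup Tapes" assets, and the deliberately malformed third model are assumptions constructed for the example.

```python
"""Asset models (section 7.3.6) as a dependency graph with the guide's
structural rules checked in code.  Added illustration, not part of the
CRAMM software; asset names follow Figures 7-37 and 7-38."""
from __future__ import annotations
from dataclasses import dataclass, field

# Physical asset classes that may sit under an end-user service (Figure 7-35).
# ASSUMPTION: this set is assembled from the class names shown in the guide.
PHYSICAL_CLASSES = {
    "Host", "Host Server", "Workstation", "Storage Device", "Print Facility",
    "Printer", "Network Printer", "Network Distribution Component",
    "Network Management/Service Host", "Network Interface",
    "Internal Network Service", "External Network Service",
    "Network Cabling", "Communications Protocols", "Multi-Function Asset",
}
HOST_CLASSES = {"Host", "Host Server", "Workstation"}  # where software may reside


@dataclass(frozen=True)
class PhysicalLink:
    name: str
    cls: str
    location: str | None = None  # step 4: only if physical risk is in scope


@dataclass
class AssetModel:
    data_asset: str
    end_user_service: str                                         # step 2: exactly one
    physical: list[PhysicalLink] = field(default_factory=list)    # steps 3-4
    software: dict[str, str] = field(default_factory=dict)        # steps 5-6: software -> hosting asset
    media: dict[str, str | None] = field(default_factory=dict)    # step 7: media -> location


def validate(models: list[AssetModel]) -> list[str]:
    """Return the structural violations found in a set of asset models (empty = OK)."""
    problems: list[str] = []
    seen_pairs: set[tuple[str, str]] = set()
    for m in models:
        tag = f"{m.data_asset} / {m.end_user_service}"
        pair = (m.data_asset, m.end_user_service)
        if pair in seen_pairs:  # step 2: one model per pairing
            problems.append(f"{tag}: duplicate asset model for this pairing")
        seen_pairs.add(pair)
        hosts = {p.name for p in m.physical if p.cls in HOST_CLASSES}
        for p in m.physical:
            if p.cls == "Media":  # Figure 7-35: media hangs off the data asset
                problems.append(f"{tag}: media '{p.name}' linked to the end-user service")
            elif p.cls not in PHYSICAL_CLASSES:
                problems.append(f"{tag}: '{p.name}' has unknown physical class '{p.cls}'")
        for sw, host in m.software.items():  # step 6: software resides on a host/workstation
            if host not in hosts:
                problems.append(f"{tag}: software '{sw}' not linked to a host/workstation in this model")
    return problems


def locations_in_use(models: list[AssetModel]) -> set[str]:
    """Locations that cannot be deleted (section 7.3.5) because an asset is linked to them."""
    used: set[str] = set()
    for m in models:
        used.update(p.location for p in m.physical if p.location)
        used.update(loc for loc in m.media.values() if loc)
    return used


SHARED = [
    PhysicalLink("Local Area Network", "Multi-Function Asset", "XXX House"),
    PhysicalLink("Shared File Servers", "Host Server", "Basement"),
]
MODEL_A = AssetModel(
    "Group A's Information", "Using Group A's Information (Interactive)",
    physical=[PhysicalLink("Group A's Workstations", "Workstation", "Second Floor"),
              PhysicalLink("Group A's Printers", "Network Printer", "Second Floor"), *SHARED])
MODEL_B = AssetModel(
    "Group B's Information", "Using Group B's Information (Interactive)",
    physical=[PhysicalLink("Group B's Workstations", "Workstation", "First Floor"),
              PhysicalLink("Group B's Printers", "Printer", "First Floor"), *SHARED],
    software={"Payroll Application": "Shared File Servers"},   # hypothetical software asset
    media={"Nightly Backup Tapes": "Basement"})                 # hypothetical media asset

# Deliberately malformed model (constructed) to exercise the checks.
BAD_MODEL = AssetModel(
    "Group A's Information", "Using Group A's Information (Interactive)",
    physical=[PhysicalLink("Backup Tapes", "Media", "Basement")],
    software={"Report Generator": "Group A's Workstations"})

if __name__ == "__main__":
    for problem in validate([MODEL_A, MODEL_B, BAD_MODEL]):
        print("PROBLEM:", problem)
    print("locations in use:", sorted(locations_in_use([MODEL_A, MODEL_B])))
```

Running the module lists three problems for the malformed model (duplicate pairing, media under the end-user service, software on a host outside the model) and none for the two models from the figures.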


7.5 Creating Asset Models


To create new asset models or modify existing asset models:
Step
1 From the Modelling the system screen, choose Creating Asset Models. The
Create and Maintain Asset Models screen is displayed, as shown in
Figure 7-39.

Figure 7-39: Create and Maintain Asset Models screen

2 To create a new asset model, do the following:


press the New button

use the Data Asset drop-down list box to select a data asset for which
you wish to create an asset model

use the End User Service drop-down list box to select an end-user
service asset for which you wish to create an asset model with the
data asset in Data Asset. Only those end-user services that are not
already in an asset model will be displayed.

3 To modify an existing asset model, do the following:


use the Data Asset drop-down list box to select a data asset for which
one or more asset models have been defined

use the End User Service drop-down list box to select an end-user
service asset for which an asset model has been defined with the data
asset selected in the Data Asset drop-down list box.


The remaining steps apply whether you are creating or modifying an
asset model.
4 Use the Asset Class drop-down list box to select the class of asset which
you wish to add to the asset model. The assets which belong to this class
are then listed in the Assets list box.
5 Use the Assets list box to select the asset that you wish to add to the
model.
6 Use the Asset Model list box to indicate where in the model you wish to
add the asset selected in the Assets list box. The asset model you selected
in the Data Asset and End User Service text boxes is displayed in this list
box. The model is displayed in a horizontal, multi-level, hierarchic form.
The data asset is at the top of the model with a link to the end-user service
at the next level.
7 Use the Link button to link the asset selected in the Assets list box to the
asset selected in the Asset Model list box. If the asset is already linked to
another asset in the same model, then any existing linkages will be
included in this linkage. If the asset is linked to a location in any asset
model then that link will be automatically included. Also, if the asset is an
application software asset which is already linked to a physical asset in
any asset model, this link is automatically included.
8 To link an application software asset to the physical asset that supports it,
select the software asset in the Asset Model list box, display the possible
physical assets in the Assets list box, select the appropriate asset and press
the Link button.
9 Use the Unlink button to remove an asset from the model. Do this by
selecting it in the Asset Model list box and then pressing the Unlink button.
10 Use the Refresh button to refresh the display in the Asset Model list box. Do
this if you add an asset to the model in more than one place and want to
see the hierarchy below it repeated for each occurrence.
11 Use the Delete button to remove the asset model from the review currently
displayed in the screen.
12 Use the Copy button to create or update an asset model by basing it on a
previous model that you have already created.


To copy an asset model:


Step
1 When the Copy button is pressed, the Copy Asset Models screen is
displayed, as shown in Figure 7-40.

Figure 7-40: Copy Asset Models screen


2 Using the Data Asset and End User Service combo boxes within the Source
group, select the asset model that you wish to base the new asset model
upon.
3 To create a new asset model, do the following:
press the New button

use the Data Asset drop-down list box to select a data asset for which
you wish to create an asset model

use the End User Service drop-down list box to select an end-user
service asset for which you wish to create an asset model with the
data asset in Data Asset. Only those end-user services that are not
already in an asset model will be displayed.

4 To modify an existing asset model, do the following:


use the Data Asset drop-down list box to select a data asset for which
one or more asset models have been defined

use the End User Service drop-down list box to select an end-user
service asset for which an asset model has been defined with the data
asset selected in the Data Asset drop-down list box.


The remaining steps apply whether you are creating or modifying an asset
model.
5 Either double click on the asset shown in the source asset model that you
wish to be added or select the asset and press the Copy button.

To produce a report on an asset model:


Step
1 When Asset Model report button is pressed the Asset Model Report screen
is displayed, as shown in Figure 7-41.

Figure 7-41: Asset Model Report screen


2 Select the asset model for which you want to produce a report.
3 Use the Output to controls to select the destination of the report, then press
the Generate Report button to produce the report. You can send a plain text
(ASCII) version to the printer or to a file, or you can send a formatted
version to an RTF file for use with a word processor.


7.6 Valuing Assets


Method Concept: The extent of security required depends fundamentally on the
value placed on the assets that are being protected. CRAMM provides guidance on
how to value the assets that have been identified when modelling the system.
The following figure shows the Valuing Assets Screen:

Figure 7-42: Valuing Assets screen

7.7 Data asset valuation


Method Concept: The objective of valuing data assets is to determine the
importance of that data to the organisation. The value of data is one of the key
elements in assessing the requirement for security. The valuation of the data is
based on the consequences of the data being impacted in a variety of different ways,
including its unavailability, destruction, disclosure and modification.
If you have exported from an Express review you will need to review the data asset
valuations and the guidelines used in particular.
In CRAMM, you determine the value of a data asset by conducting structured
interviews with the people who were identified as data owners (see section 7.3.1).
During these interviews, you ask the users to outline the possible consequences of
the data being unavailable, destroyed, disclosed or modified. These are known as
impacts. You then compare the scenarios described by the interviewees with a series
of guidelines provided by CRAMM to derive an objective assessment of the severity
of each impact.
Data asset valuation interviews have two distinct parts. The first part concentrates on
gathering information about the data asset, whilst the second explores the


consequences should the data suffer a breach of confidentiality or integrity, or a loss
of availability. These two parts are described in sections 7.7.1 and 7.7.3.

7.7.1 Gathering information about the data asset


Method Concept: Certain background information on the data asset is required to
enable an accurate valuation of the data to be performed.
Before carrying out a data valuation interview, you need to print a blank Data Asset
Valuation form which you will use to record the findings of the interview. Section 7.10
describes how to print out this form.
During the first part of the data valuation interview, you are gathering information
about the data asset, and entering it into the Description of Data section of the Data
Asset Valuation form. The precise information that you collect will vary depending
on the nature of the asset, but you can use the following list as guidance:
a description of the data asset, including the purpose of the data (for
example, financial forecasting or making payments)
the responsibilities of the interviewee, including their position within
the organisation and their specific responsibilities with regard to the data
asset
the origin of the data, for example, whether the information is received
from members of the public, from other parts of the organisation or from
another application. It may also prove useful to document the form in
which the data is received, for example on paper, via magnetic media or
by automatic updates
the processing carried out on the data, for example, creation of
management or statistical reports, production of payable orders, database
enquiries
the physical assets on which the data is stored.
Collection of this information is optional, but it will help you to understand the data
and its use, prior to valuation of the data.
Once you have gathered information about the data asset, you need to enter it into
the CRAMM software, as described in section 7.7.2.

7.7.2 Entering data asset valuation details


Enter the information recorded in the Description of Data section of the valuation
form using the Create and Maintain Data Assets screen. You add the information to
the Comment for <Asset Name> text box.

7.7.3 Assessing data values


Method Concept: Data assets are valued by discussing the worst scenarios that
could reasonably be expected to occur with the data owner or representative user(s)
of the data.
The first part of the interview helped you understand how the data is used and
where it is stored. The second part concentrates on determining what could happen if
an unwanted incident were to occur. In this part of the interview, you are looking at
the four impacts: unavailability, destruction, disclosure and modification.


You need to ask the interviewee to describe the worst case scenarios which could
reasonably be expected to occur for each impact. Examples of such scenarios could
be modification of air traffic control data which might lead to two aircraft entering
the same air space and possibly colliding, or the unavailability of some particular
medical history data which might result in a patient being treated with an unsuitable
drug.
Existing countermeasures should not be taken into account. This prevents you
from making any false assumptions about the effectiveness of these countermeasures,
and also enables CRAMM to determine whether they are truly justified. However,
you may take into consideration the existence of alternative manual processes, or
other automated systems outside the boundary of the review.
The objective when assessing data values is to determine the severity of the impact,
not the possible causes of an impact, nor the likelihood of such an event occurring.
These issues will be explored during the threat and vulnerability assessment in Stage
2 of CRAMM.
For each data asset, you need to discuss with the interviewee the effect of the
following impacts.
Unavailability
The consequences resulting from data being unavailable may vary depending on the
length of the loss of service. CRAMM allows you to investigate these consequences
against the following timeframes:
less than 15 minutes
1 hour
3 hours
12 hours
1 day
2 days
1 week
2 weeks
1 month
2 months and over.

You do not need to assess the consequences of loss of service for all of these
timeframes - you should select those that are appropriate to the data asset. You
should, however, use a minimum of three time periods. CRAMM will make
assumptions about the time periods for which no asset value has been specified.
If one of the primary purposes of the review is to identify contingency planning
options, you should assign values to most or all of the time periods so that you
obtain a good understanding of the changing nature of the impact.
Destruction
This impact investigates the consequences that could result from:
loss of data since the last successful back-up
total loss of data including back-ups.
You need to find out how often back-ups are taken and where they are stored when
looking at this impact.
Disclosure
This impact is investigated in terms of:


disclosure to insiders (those people working for the organisation, but who
are not authorised to see the data)
disclosure to contracted service providers (staff of third party
organisations who may have legitimate access to the system or network,
but not necessarily to the data - examples include those organisations
running outsourced IT services or virtual private networks)
disclosure to outsiders (all other individuals).
Modification
The issues to explore when examining this impact vary according to the end-user
service through which the data is used, as follows.
For interactive and batch processing end-user services, look at:
small scale errors (for example, keying errors, duplication of input)
widespread errors (for example, caused by a programming error)
deliberate modification (of stored data).
For voice and video end-user services, look at:
small-scale errors (in data transmission)
widespread errors (in data transmission)
deliberate modification (of data in transmission).
For electronic mail, application to application messaging, electronic data interchange
or web browsing end-user services, you should also look at the consequences of
small-scale, widespread and deliberate modification as appropriate. In addition, you
may investigate the consequences of:
insertion of false messages (for example, inserting an unauthorised
request for a payment)
repudiation of origin (for example, the sender of a message denying they
had actually sent the message)
repudiation of receipt (for example, the recipient of a message denying
they had actually received the message)
non-delivery (for example, an authorised request for payment failing to be
delivered, either accidentally or deliberately)
replay (for example, the accidental or deliberate duplication of an
authorised request for a payment)
mis-routing (for example, accidental or deliberate alteration of the
destination address so that data is sent to an unauthorised recipient)
traffic monitoring (for example, disclosing the volume of data being
transmitted, or the fact that two parties were communicating with each
other, but not the actual contents of the messages being passed)
out of sequence (for example, accidental or deliberate delivery of
authorised messages in the wrong order).
You need only investigate those impacts about which there is a particular concern.


7.7.4 Assessing the severity of impacts


Method Concept: CRAMM provides a set of guidelines to allow the worst case
scenarios to be translated into scale values of 1 - 10, where 1 is a very low value and
10 very high. The scale values are used later by CRAMM in the calculation of
measures of risks for the system under review.
Having investigated the impacts which could occur and the possible consequences
for the organisation if an impact did occur, use the CRAMM Valuation Guidelines to
assess the severity of the impacts. The guidelines cover the following areas:
personal safety
personal information
legal and regulatory obligations
law enforcement
commercial and economic interests
financial loss
disruption to activities
public order
international relations
defence
security and intelligence
policy and operations of public service
management and operations of organisation
loss of goodwill.
The guidelines are reproduced in Annex E.
Please note that these are guidelines, and therefore it is acceptable to vary from these
guidelines where you believe it necessary, but you should try to adhere as closely to
the guidelines as possible to ensure the appropriateness of the recommendations
when the countermeasures are calculated in Stage 3.
To use the guidelines to assess the severity of impacts, carry out the following steps.
Enter your findings into the Potential Impact Scenario section of the Data Asset
Valuation form.


Step
1 Compare the scenarios outlined by the interviewee(s) against the
guidelines to identify which guideline corresponds most closely to the
scenario that has been described. Enter the guideline in the Guideline
section of the form.
2 Using the descriptions contained in the guidelines, decide on the data
valuation for each impact. For financial loss scenarios, you can enter the
actual financial loss in the Financial value section of the form. For other
scenarios, enter the asset value indicated by the guidelines into the Scale
value section of the form.
You need to gather enough information to quantify the severity of the
impact. For example, if an interviewee states that deliberate modification
could lead to financial loss, gather sufficient information to determine the
likely extent of the loss. You should not, however, show the guidelines to
the interviewee because this removes some of the objectivity required in
this activity.
Within the guidelines, descriptions are not always provided for every
scale value. You may select a scale value for which no description is
provided if you feel that it most accurately represents the potential
impact.
3 Record the reasoning behind your valuation in the Valuation Scenario
section of the form. An example of what you might enter in this section is
where an impact could result in an effect in terms of two or more criteria
(for example, an unauthorised disclosure resulting in financial loss and a
breach of personal privacy). In this case, you need to record a separate
data value for each effect. Only the highest value will be subsequently
input to the CRAMM software, but it is important to have a complete
picture.
4 Where more than one interviewee is consulted about the valuation of a
single data asset, you should record the valuations separately and then
consolidate them into a single valuation for the asset. The consolidated
valuation will be input into the CRAMM software.
Once you have completed the Data Asset Valuation form for the asset, you need to
enter the information into the CRAMM software. This is described in section 7.7.5.


7.7.5 Entering data asset values


Method Concept: Information on the data asset valuation, including scale values,
should be entered into the software. In addition to scale values, where a financial
impact has been identified the actual financial loss can be entered in terms of
pounds. Scale values only are used in the calculation of measures of risks and the
subsequent selection of countermeasures, but an accurate knowledge of possible
financial losses is often important when evaluating countermeasure
recommendations. Financial figures are particularly useful during the evaluation of
contingency planning options.
To create or modify valuation details for data assets:
Step
1 From the Valuation of assets screen, choose Value Data Assets option. The
Value Data Assets screen is displayed, as shown in Figure 7-43.

Figure 7-43: Value Data Assets screen


2 Use the Select Asset drop-down list box to select the asset for which you
want to enter or modify valuation details.
3 Once you have selected an asset, the text boxes in the Assign Value group
box become available for you to use, as follows.
4 Use the Interviewer drop-down list box to select the name of the person
who carried out the valuation interviews for the asset. The list of
interviewers is defined using the Create and Maintain Interviews screen
(see section 6.7.1).
5 The Interviewees list box shows the names of the people who were
interviewed about the valuation of the asset. To add a person to the list,
select from the Interviewee Selection drop-down list box and press the Add
button. The list of interviewees is defined using the Create and Maintain
Interviews screen. To remove the selected name, press the Remove button.


6 You can use the Status text box to remind yourself of the status of the
valuation of the asset. Type a short message into the text box such as:
not started
in progress
completed.

This text box is for your own use and you do not have to use it. It is not
used by any of the CRAMM method processes.
7 You can use the Date text box to enter the date of the valuation interview.
8 Use the table in the Assign Value group box to define the impact values.
This table has several columns which show the impact values of the asset.
Use these columns as follows:
Impact: This column contains an entry for every impact which can
apply to a data asset. The impact will appear whether a value has
been assigned to it or not. The list of impact types is given in Annex D

Guideline: Use this column to select the valuation guideline for the
Scale and Impact in the same row. Do this by selecting from the
columns drop-down list

Scale: Use this column to enter the value on a scale of 1 to 10 for the
Impact and Guideline in the same row. If you set this to 0, it means
that this asset has no value for the impact

Cost: Use this column to enter the financial value for the Impact in
the row. This is only used by the CRAMM method for Unavailability
and Physical Destruction impacts. You cannot define a financial
value which translates to a value greater than that in Scale for the
row. If the value in Scale is zero, then it will be reset to the value
translated from Cost

Scenario Description: You can create, view or alter the description of
the valuation in the row by selecting any field in the row and
pressing the Note button. A screen is then displayed into which you
can type or edit the description. When you are satisfied with the
description, press the Close button in this screen, and your
description appears in the Scenario Description column. Alternatively,
double click in the Scenario Description column, and a pop-up screen
appears into which you can type your description.

9 To clear an impact value, select (No Valuation) in the Guideline cell for that
impact.
10 If you want to define a scale value for an impact and a lower financial
value to be used for contingency planning purposes you can do this. You
should detail why the two are different in the Scenario Description column.
11 If you define a financial value for an impact which translates to a higher
scale value than the one currently defined, a warning message will be
displayed when you try to move out of the row for the impact. You
should clear the warning by either:


setting the value in the Scale column to zero so that the software will
calculate the scale value from the financial value, or

setting the scale value to a value higher than or equal to the value
which would result from the financial value.

Once you have entered the information into the software, you can print a completed
Data Asset Valuation form. See section 7.10 for details.
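The rules of sections 7.7.3 to 7.7.5 written out as Python, as an added illustration (this is not the CRAMM software, which is a GUI application, and the guide contains no code): one valuation row per impact, the Cost-versus-Scale consistency check of steps 8 and 11 above (a zero Scale is filled from Cost; a Cost that implies a higher scale than the entered Scale is reported for the reviewer to resolve), the restriction of the Cost column to Unavailability and Physical Destruction impacts, the consolidation rule of 7.7.4 steps 3 and 4 (where one impact is judged under several criteria or by several interviewees, only the highest value is input), and the minimum of three unavailability timeframes from 7.7.3. The financial-loss bands are placeholders because Annex E is not reproduced on this page, the impact names are assumed to match Annex D, and the interview rows are constructed.

```python
"""Data asset valuation (sections 7.7.3 to 7.7.5) as code.  Added
illustration, not part of the CRAMM software.  ASSUMPTION: the
financial-loss-to-scale bands below are placeholders; the real
guideline is in Annex E, which is not reproduced on this page."""
from __future__ import annotations
from dataclasses import dataclass

TIMEFRAMES = ["<15 min", "1 hour", "3 hours", "12 hours", "1 day",
              "2 days", "1 week", "2 weeks", "1 month", "2 months+"]
COSTED_IMPACTS = {"Unavailability", "Physical Destruction"}  # Cost column applies only here

# ASSUMPTION: made-up bands (upper bound in pounds -> scale value), 10 above the last.
FINANCIAL_BANDS = [(1_000, 1), (10_000, 2), (100_000, 3), (1_000_000, 4),
                   (10_000_000, 5), (100_000_000, 6), (1_000_000_000, 7),
                   (10_000_000_000, 8), (100_000_000_000, 9)]


def scale_from_cost(cost: float) -> int:
    """Translate a financial loss to a 1-10 scale value (placeholder table)."""
    for upper, scale in FINANCIAL_BANDS:
        if cost <= upper:
            return scale
    return 10


@dataclass
class ImpactRow:
    impact: str                   # e.g. "Unavailability", "Disclosure to outsiders"
    guideline: str                # valuation guideline area, e.g. "Financial loss"
    scale: int = 0                # 0 means no value for this impact
    cost: float | None = None     # actual financial loss in pounds, if known
    timeframe: str | None = None  # unavailability only
    scenario: str = ""


def apply_cost_rule(row: ImpactRow) -> str | None:
    """Steps 8 and 11 of 7.7.5: Cost may not imply a higher scale than Scale.
    A zero Scale is filled from Cost; otherwise the inconsistency is reported
    and the reviewer must raise Scale or reset it to zero."""
    if row.cost is None:
        return None
    if row.impact not in COSTED_IMPACTS:
        return f"{row.impact}: financial value recorded but not used by the method"
    implied = scale_from_cost(row.cost)
    if row.scale == 0:
        row.scale = implied
        return None
    if implied > row.scale:
        return (f"{row.impact} {row.timeframe or ''}: cost £{row.cost:,.0f} implies "
                f"scale {implied} but Scale is {row.scale}")
    return None


def consolidate(rows: list[ImpactRow]) -> dict[tuple[str, str | None], int]:
    """Steps 3-4 of 7.7.4: several criteria or interviewees for one impact ->
    only the highest scale value is input to the software."""
    result: dict[tuple[str, str | None], int] = {}
    for r in rows:
        key = (r.impact, r.timeframe)
        result[key] = max(result.get(key, 0), r.scale)
    return result


def unavailability_timeframes_ok(rows: list[ImpactRow]) -> bool:
    """7.7.3: at least three timeframes, each from the CRAMM list, must be valued."""
    valued = {r.timeframe for r in rows
              if r.impact == "Unavailability" and r.scale > 0 and r.timeframe in TIMEFRAMES}
    return len(valued) >= 3


def process(rows: list[ImpactRow]) -> tuple[dict[tuple[str, str | None], int], list[str]]:
    """Apply the cost rule to every row, then consolidate; returns (values, warnings)."""
    warnings = [w for w in (apply_cost_rule(r) for r in rows) if w]
    return consolidate(rows), warnings


# Constructed interview findings for one data asset (not from the guide).
FORM = [
    ImpactRow("Unavailability", "Disruption to activities", scale=2, timeframe="1 hour"),
    ImpactRow("Unavailability", "Disruption to activities", scale=4, cost=50_000, timeframe="1 day"),
    ImpactRow("Unavailability", "Financial loss", cost=400_000, timeframe="1 week"),           # Scale 0: filled from Cost
    ImpactRow("Unavailability", "Financial loss", scale=3, cost=2_000_000, timeframe="1 month"),  # Scale too low for Cost
    ImpactRow("Disclosure to outsiders", "Personal information", scale=5),
    ImpactRow("Disclosure to outsiders", "Loss of goodwill", scale=3),                        # second criterion, lower
    ImpactRow("Deliberate modification", "Financial loss", scale=6, cost=75_000),             # Cost not used for this impact
]

if __name__ == "__main__":
    values, warnings = process(FORM)
    for (impact, tf), scale in values.items():
        print(f"{impact:26s} {tf or '':9s} scale {scale}")
    for w in warnings:
        print("WARNING:", w)
    print("unavailability coverage OK:", unavailability_timeframes_ok(FORM))
```

The two warnings the run produces correspond to the two situations the screen flags: a Cost whose translated scale exceeds the entered Scale (step 11), and a financial value entered against an impact for which the method does not use it (step 8, Cost column).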

7.8 Physical asset valuation


Method Concept: Whilst the value of data assets is often of more importance in
assessing risk, physical assets also have a value to the organisation. Physical asset
values contribute to the measures of risks calculations and the subsequent selection
of countermeasures.
If you have exported from an Express review you will need to assign replacement
costs to the physical assets you have created since exporting from the Express
review.
Physical assets are simply valued in terms of their replacement or reconstruction
cost.

7.8.1 Gathering information about physical assets


Method Concept: Information about the value of physical assets is collected from
the Installation or Project Manager, or other people as appropriate.
To value physical assets, do the following.
Step
1 Print a blank Physical Asset Valuation form, which you will use to record
the valuations. Section 7.10 describes how to print out this form.
2 Talk to the Installation or Project Manager to gather information on
physical asset valuations. You may also need to talk to other staff
members for the valuation of particular assets.
3 Record the valuations on the form.
Once you have completed the Physical Asset Valuation form, you need to enter the
information into the CRAMM software. This is described in the following section.


7.8.2 Entering physical asset values


Method Concept: Information on physical asset values should be entered into the
software. Physical assets are always valued in terms of actual financial loss.
CRAMM will automatically translate this figure to a scale value of 1 - 10.
To create or modify valuation details for physical assets:
Step
1 From the Valuation of Assets screen, choose Value Physical Assets option.
The Value Physical Assets screen is displayed, as shown in Figure 7-44.

Figure 7-44: Value Physical Assets screen


2 Use the Asset drop-down list box to select the asset whose valuation
details you wish to enter or modify. The Class list box then displays the
asset's classification. When appropriate, the legend Multi Function Asset
will appear alongside the list box.
3 Use the controls in the Assign Value group box as follows:
Quantity: This text box displays the number of units in this asset,
which you will have defined in the Create and Maintain Physical
Assets screen (see section 7.3.3). You cannot edit the information in
this text box

Unit Cost: Use this text box to enter the financial replacement cost of
a unit of the asset

Total Replacement Cost: This text box displays the financial value
derived from Quantity and Unit Cost. You cannot edit the
information in this text box


Scale Value: This text box displays the value for the asset on a scale of
1 to 10. This is based upon its replacement and reconstruction cost,
using the financial loss guidelines included in Annex E. You cannot
edit the information in this text box

Comment: Use this text box to create or modify a description of the
valuation shown in the screen.

Once you have entered the information into the software, you can print a completed
Physical Asset Valuation form. See section 7.10 for details.

7.9 Application software asset valuation


Method Concept: Application software can also have a value to the organisation.
Values for application software assets contribute to the measures of risks
calculations and the subsequent selection of countermeasures.
In most cases it is sufficient to value application software assets in the same way as
physical assets, that is in terms of replacement or reconstruction costs. In this case,
you only need to input a financial value for physical destruction.
Occasionally, the application software may have its own intrinsic requirements for
confidentiality or integrity (for example if source code is itself commercially
confidential). In these cases, you need to value the application software asset in the
same way as a data asset.

7.9.1 Gathering information about application software assets


Method Concept: Information about the value of application software assets is
collected from the Installation or Project Manager, or other people as appropriate.
To value application software assets, do the following.
Step
1 Print a blank Application Software Asset Valuation form which you will
use to record the valuation. Section 7.10 describes how to print out this
form.
2 Identify and talk to a person who can speak authoritatively about the
asset and the potential impacts should the software be affected in any
way.
3 Record your findings on the Application Software Asset Valuation form.
Once you have filled in the form, you need to enter the details and values for the
asset into the CRAMM software. This is described in sections 7.9.2 and 7.9.3.

7.9.2 Entering application software asset valuation details


Enter the information recorded in the Description of Data section of the Application
Software Asset Valuation form using the Create and Maintain Application Software
Assets screen (see section 7.3.3). You add the information using the Comment button.


7.9.3 Entering application software asset values


Method Concept: Information on application software asset values should be
entered into the software. Where application software assets are valued in terms of
financial loss, CRAMM will automatically translate this figure to a scale value of 1
- 10. Where other guidelines are used, the reviewer will need to enter scale values in
the same way as for data asset valuation.
To create or modify valuation details for application software assets:
From the Valuation of Assets screen, choose Value Software Assets. The Value
Application Software Assets screen is displayed, as shown in Figure 7-45.

Figure 7-45: Value Application Software Assets screen

This screen contains the same controls as the Value Data Assets screen (see section
7.7.5) with the addition of a list box which displays the classification of the asset
alongside its name. The impacts displayed are those which can affect application
software.
Once you have entered the information into the software, you can print a completed
Application Software Asset Valuation form. See section 7.10 for details.

7.10 Printing valuation forms


To produce a valuation form:
Step
1 From any of the Identification of Assets screens, choose the Report option. The
Valuation Reports screen is displayed, as shown in Figure 7-46.

Figure 7-46: Valuation Reports screen

You can produce the following reports on the valuation of assets:


Physical Asset Valuation form (blank or completed)

Application Software Asset Valuation form (blank or completed)

Data Asset Valuation form (blank or completed).

2 Select the Physical, Application Software or Data option button depending
on the type of asset.
3 If you pressed the Data or Application Software button, the Report on Asset
drop-down list box will contain the names of the assets of the type
selected. Select the asset for which you want to generate the form. The
Physical Asset Valuation form applies to all physical assets so you do not
need to select an asset.

4 Select either the Blank Valuation Form or the Completed Valuation Form
option button, depending on whether you want to produce a form with
the name of the asset and all other fields blank, or a form containing the
information input using the appropriate Value Assets screen (see sections
7.7, 7.8 and 7.9).

7.11 Reviewing asset values


Method Concept: Asset valuations are a critical element of the risk analysis and
will have a direct influence on the selection of countermeasures. It is important that
asset values are correct before proceeding with the remainder of the review.
It is essential that asset values are gathered correctly and are neither over- nor
underestimated. To make sure of this, you need to review the valuations for a system
before deciding how to proceed with the review. Do this as follows.
Step
1 Print out the completed Data, Software and Physical Asset Valuation
forms for the system. Section 7.10 describes how to do this.
2 Check the scenarios and associated scores. In particular, you should
examine the scenarios that led to the highest data valuations, because it is
these scenarios that will drive the requirements for security during the
risk management phase of the review.
3 The approach to the remainder of the review depends upon the values
assigned to the data, software and physical assets:
if all of these values are less than or equal to two, they are deemed to
be very low, and a detailed investigation of the threats and
vulnerabilities is not justified
if asset values are high, a more detailed investigation of threats and
vulnerabilities will need to be carried out.

This approach ensures that time is not wasted on rigorously investigating a system or
network that only requires a low level of protection.

7.12 Calculating implied asset values


Method Concept: In order to protect valuable data and application software assets,
the physical assets on which they depend need to be protected. For example, if data
has a high requirement for confidentiality, protection needs to be applied to the host
nodes and workstations on which it is accessed, processed and stored,
communications services over which it is transported, removable media, printed
output and so on.
Physical assets therefore acquire a value which is implied by the value of the data
and application software assets that they support. Similarly, locations acquire a
value which is implied by the value of the physical assets within the location.
Implied values are calculated by the CRAMM software.
Figure 7-47 and Figure 7-48 show an example of the process by which asset values
are associated with physical assets and locations. Figure 7-47 shows two data assets
that are dependent on one machine. One of the data assets has a high requirement for
availability, whilst the other has a high requirement for confidentiality. Therefore, the
machine on which both depend has a high requirement for both availability and
confidentiality.
Implied asset values can be reviewed by producing the Impact Assessment Report.
This is described later in this section.

Figure 7-47: Implied Asset Values (1)
The diagram shows two data assets, one with a high availability requirement and one
with a high confidentiality requirement, both depending on a single machine, which
therefore carries a high availability and confidentiality requirement.

The way that this would be shown in a CRAMM review is illustrated in Figure 7-48.

Figure 7-48: Implied Asset Values (2)
The diagram shows the availability, confidentiality and integrity values of the data
with high availability requirements and of the data with high confidentiality
requirements, the replacement cost of the physical asset, and the resulting
availability, confidentiality and integrity values of the physical asset. For each
impact the physical asset takes the higher of the two data asset values, together
with its own replacement cost.


The requirements for availability, confidentiality and integrity associated with each
of the physical assets and locations that make up the system can be seen on the
impact assessment reports. These are described below.
To calculate implied asset values:
From the Identification and Valuation of Assets screen, choose Calculate Implied
Value option. Whilst the calculation is taking place, a dialog box is displayed with a
mobile activity indicator and a Cancel button. If you press the Cancel button the
calculation stops and the partial results are discarded.

7.13 Impact Assessment Report


Method Concept: Having calculated the implied values the Impact Assessment
Reports provide an opportunity to review the results of this calculation in a variety
of formats.
The Impact Assessment Screen is shown below:

Figure 7-49: Impact Assessment Reports

7.14 Valuation reports


The valuation reports are the completed versions of the blank reports used to gather
information. Section 7.10 describes how these reports can be generated.

7.15 Impact Assessment Chart Wizard


Selecting this option will initiate a Wizard that will take users through the process of
generating an Impact Assessment chart.
The screens in the Wizard are as follows:
Screen 1 Select the type of report
This screen gives the user the opportunity to choose which type of report
they wish to create. The types that can be selected include:
Unavailability
Disclosure

Modification

Screen 2 Select the style of report


This screen gives the user the opportunity to choose which style of report
they wish to create. The styles that can be selected include:
Bar Chart
3 D Bar
Column
3 D Column
Area
3 D Area

Screen 3 Save/Print/Export report


This screen allows users to either preview the report, print the report or to
export it into MS Word format for further editing.

7.16 Data Asset Dependencies


You can review which Data Assets each physical asset supports by printing a Data
Asset Dependencies report. Do this as follows.
To produce a Data Asset Dependencies Report:
Step
1 Open the Data Asset Dependencies Reports screen, shown in Figure 7-50.

Figure 7-50: Dependent Asset Reports screen

2 Select from the assets that you wish to appear in the report.
3 When you are satisfied that you have selected the content of the report
correctly, then press either the Preview button to see the report on screen
or the Print button to print the report directly.

7.17 Impact Assessment Reports


You can review implied values by printing an Impact Assessment report. Do this as
follows.
To produce an Impact Assessment Report:
Step
1 From the Impact Assessment screen (see section 7.13), choose the Impact
Assessment Report option. The Impact Assessment Reports screen is displayed,
as shown in Figure 7-51.

Figure 7-51: Impact Assessment Reports screen

2 Select from the Report Type drop-down list box. Your choice determines
how you will select the assets whose calculated impact values will be
included in the report, as follows:
if you select Locations and components, the list box in the Select group
box is labelled Locations and components and shows the locations and
the assets in those locations that are defined for the review. For each
location to be included in the report, select it and press the Add
button. The locations are added to the Report On list box

if you select Asset Groups, the list box in the Select group box is
labelled Asset Groups and shows the asset groups defined for the
review. For each group to be included in the report, select it and
press the Add button. The groups are added to the Report On list box.
The report produced is of the calculated impact values of the
component assets of each group. This option is not relevant in Stage
1 where asset groups will not have been created. However, the
reports can also be produced in Stage 2, when this option will be
relevant

if you select Asset Classes, the list box in the Select group box is
labelled Asset Classes and shows the asset class hierarchy. Make a
selection from the Asset Type drop-down list box. For each class to be
included in the report, select it and press the Add button. The classes
are added to the Report On list box. The report produced is of the
calculated impact values of the assets of each class

if you select Assets, the list box in the Select group box is labelled
Assets. Make a selection from the Asset Type drop-down list box. The
assets of the type selected are displayed in the Assets list box. For
each asset to be included in the report, select it and press the Add
button. The assets are added to the Report On list box. The report
produced is of the calculated impact values of the assets selected.

3 When you have selected the assets to be included in the report, use the
Impacts drop-down list box to select the set of impacts to report on.
Choose one of:
Unavailability

Destruction and Unavailability

Disclosure and Modification.

4 Use the Value Type drop-down list box to select the type of value which
you want the report to include: either Scale, that is 1 to 10, or Financial.
5 If you chose Scale in the Value Type list box, use the Value Level text box to
type in a scale value. Only impact values equal to or above this value will
be included in the report.
6 If you wish to remove an item from the report, select it in the Report on list
box and press the Remove button.
7 When you are satisfied that you have selected the content of the report
correctly, use the Output to controls to select the destination of your
report, then press the Generate Report button to produce the report.

7.18 Stage 1 backtrack facility


Method Concept: An important design feature of CRAMM is that there is no
hidden logic in any part of the method. The backtrack facility is a powerful tool for
identifying the factors that led to particular conclusions or recommendations. The
Stage 1 backtrack facility allows you to identify the individual data, physical and
application software asset valuations that contributed to the implied values for
selected assets.
The Stage 1 backtrack facility enables you to investigate the reasoning behind
particular asset valuations.
You can produce a backtrack report on:
locations
physical assets
application software assets
data assets.
To perform a Stage 1 backtrack and produce the associated report:
Step
1 From the Value Assets screen, choose Stage 1 Backtrack option. The Stage 1
Backtrack Report screen is displayed, as shown in Figure 7-52.

Figure 7-52: Stage 1 Backtrack Report screen

2 Select the option button in the Asset Type group box to select the type of
asset on which you want to perform a backtrack.

3 Use the Report on Asset drop-down list box to select the asset for which
you want to perform the backtrack. Only assets of the type selected in the
Asset Type group box are displayed.
4 When you are satisfied that you have selected the content of the report
correctly, use the Output to controls to select the destination of your
report, then press the Generate Report button to produce the report. The
report will contain details of all the associated data and application
software asset valuations that led to asset values being associated with the
selected asset.
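The calculation in section 7.12 and the backtrack in section 7.18 are two views of the same dependency graph: a physical asset inherits requirements from the data and application software assets that depend on it, a location inherits them from the physical assets it contains, and the backtrack report walks the inheritance in reverse. The following Python is an added worked example, not code from CRAMM or this guide. Its aggregation rule (for each impact, the highest value among the supporting assets, plus the physical asset's own replacement cost) is what Figure 7-48 shows, but the exact rule used by the CRAMM software, the impact column names and the sample review are assumptions for illustration. The last function applies the section 7.11 triage rule (all values of two or less are "very low") to the implied values.

```python
"""Implied asset values, Stage 1 backtrack and the 'very low' triage rule.

Added illustration, not CRAMM code. Model assumed for the example:
  - data and software assets hold a 1-10 scale value per impact column;
  - a physical asset inherits, per impact, the highest value among the
    data/software assets depending on it (as in Figure 7-48) and carries
    its own replacement cost as the destruction value;
  - a location inherits, per impact, the highest value of the physical
    assets placed in it.
Each inherited value remembers the asset it came from, which is what the
Stage 1 backtrack report lists.
"""
from dataclasses import dataclass, field

# Impact columns as on the valuation forms; names are assumed for the example.
IMPACTS = ("unavailable_15min", "unavailable_1hour", "unavailable_1day",
           "disclosure", "modification")


@dataclass
class Asset:
    name: str
    kind: str                                   # data | software | physical | location
    values: dict = field(default_factory=dict)  # impact -> scale value, absent = 0
    depends_on: tuple = ()                      # data/software: physical assets used
    located_in: str = ""                        # physical: containing location
    replacement_cost: int = 0                   # physical: destruction value


def _take_max(row, impact, value, source):
    """Keep the highest value seen for this impact and remember its source."""
    if value > row.get(impact, (0, ""))[0]:
        row[impact] = (value, source)


def calculate_implied_values(assets):
    """Return {asset name: {impact: (value, source asset)}} for physical assets and locations."""
    implied = {}
    for phys in (a for a in assets if a.kind == "physical"):
        row = {}
        for dep in (a for a in assets
                    if a.kind in ("data", "software") and phys.name in a.depends_on):
            for impact in IMPACTS:
                _take_max(row, impact, dep.values.get(impact, 0), dep.name)
        # The physical asset's own replacement cost supplies the destruction value.
        _take_max(row, "destruction", phys.replacement_cost, phys.name)
        implied[phys.name] = row
    for loc in (a for a in assets if a.kind == "location"):
        row = {}
        for phys in (a for a in assets if a.kind == "physical" and a.located_in == loc.name):
            for impact, (value, source) in implied[phys.name].items():
                _take_max(row, impact, value, source)   # source stays the original asset
        implied[loc.name] = row
    return implied


def backtrack(implied, asset_name):
    """Stage 1 backtrack: the valuations that produced an asset's implied values."""
    return sorted({src for value, src in implied[asset_name].values()
                   if value > 0 and src != asset_name})


def detailed_investigation_justified(implied, asset_name):
    """Section 7.11 rule: every value two or less is 'very low', so a detailed
    threat and vulnerability investigation is not justified."""
    return any(value > 2 for value, _ in implied[asset_name].values())


def sample_review():
    """Constructed review mirroring Figure 7-47: two data assets on one host."""
    return [
        Asset("Order Book", "data",
              values={"unavailable_15min": 5, "unavailable_1hour": 6, "unavailable_1day": 7},
              depends_on=("Host A",)),
        Asset("Personnel Records", "data",
              values={"unavailable_15min": 1, "unavailable_1hour": 1, "unavailable_1day": 2,
                      "disclosure": 7, "modification": 1},
              depends_on=("Host A",)),
        Asset("Host A", "physical", located_in="Computer Room", replacement_cost=4),
        Asset("Computer Room", "location"),
    ]


if __name__ == "__main__":
    implied = calculate_implied_values(sample_review())
    for asset, row in implied.items():
        print(asset, "- detailed investigation justified:",
              detailed_investigation_justified(implied, asset))
        for impact, (value, source) in row.items():
            print(f"  {impact:<18} {value:>2}  (from {source})")
        print("  backtrack:", ", ".join(backtrack(implied, asset)))
```

Running the script prints the implied value table for Host A and the Computer Room with the contributing asset beside each value; Host A takes its availability values from Order Book and its disclosure value from Personnel Records, exactly the pattern of Figure 7-48, and the backtrack for the Computer Room lists both data assets and the host whose replacement cost it inherited.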

7.19 Section summary


At this point you will have done the following:
identified the physical assets
identified the data assets
identified the application software assets
identified the locations
modelled the interrelationships between the data, application software
and physical assets, and the locations
printed the Data Asset Valuation forms
interviewed appropriate staff using these forms
entered the interview results into the CRAMM software
if your review has included contingency planning (see section 13):
    printed the Recovery Objectives form
    completed the form through interviews with users and support staff
    entered the information into the CRAMM software
    produced reports from the CRAMM software on recovery requirements for
    users, support staff and assets
printed the Physical Asset Valuation forms
interviewed the appropriate staff using these forms
entered the interview results into CRAMM
if required:
    printed the Application Software Valuation forms
    interviewed appropriate staff using these forms
    entered the results into CRAMM
produced Impact Assessment Reports and reviewed the asset valuations for
errors and omissions
if required, produced a Stage 1 Management Report and reviewed it with
management

documented the results of the management review.


Annex C contains a complete checklist.

8. Threat and Vulnerability Assessment


8.1 Introduction
Method Concept: In addition to asset values, the other two key components of a
CRAMM risk analysis are levels of threat and levels of vulnerability. Asset values,
threat levels and vulnerability levels combine together to give measures of risks
which are then used to select appropriate countermeasures.
The objective of Threat and Vulnerability stage of CRAMM is to make an assessment
of the extent of the threats and vulnerabilities facing the system/network.
The topics covered in this section are:
identifying threats to assets (sections 8.3 to 8.7)
carrying out a threat and vulnerability assessment (sections 8.8 to 8.17).
The Threat and Vulnerability screen is shown below:

Figure 8-53: Threat and Vulnerability screen

8.2 Pointers and prompts


The following pointers and prompts are provided for you to consider prior to
commencing work on Threat and Vulnerability Assessment:
how many threat and vulnerability questionnaires are needed and who
should be interviewed against each questionnaire? You should also limit
the number of people to whom you distribute questionnaires, as a large
number could provide a range of differing and potentially unqualified
opinions
what is the best schedule for interviews to minimise travelling and
interview time?
are there any questions that require re-phrasing to ensure that:
    they relate more closely to the system or network type or
    environment?
    accurate scores can be derived for input to the CRAMM software
    tool?
    any review-specific issues that are not adequately addressed by the
    questions are considered?
interviewees should not be given questionnaires to fill in alone, since it is
then impossible for the reviewer to ensure that the interviewee has filled
in the questionnaires correctly.

8.3 Identifying threats to asset groups


Method Concept: If threats were to be investigated individually against every
single asset identified during Identification and Valuation of Assets, CRAMM
reviews would take an inordinate amount of time to complete. Assets can therefore
be grouped together for the purpose of the threat and vulnerability assessment.
Threats and vulnerabilities are investigated in relation to one or more asset groups.
The Identifying Threats to Asset Groups screen is shown below:

Figure 8-54: Identifying Threats to Asset Groups screen

The first activity in Threat and Vulnerability Assessment is to define the threats that
require investigation.
Similar assets are gathered together into asset groups. This is so that threats can be
investigated against several assets at once, rather than individually.
The following steps are required to define the threat/asset combinations which will
be investigated during Stage 2:
creation of asset groups
maintenance of asset groups
definition of threats to asset groups
confirmation of the impacts that could result from the threats to assets.
These steps are described in the following sections.

8.4 Automatic creation of asset groups


Method Concept: Most asset groups that are likely to be required during a
CRAMM review can be generated automatically by the CRAMM software.
If you have exported from an Express review you will find that some asset groups
have been created which represent the asset groups you defined when recording
the threat and vulnerability assessment. You can use the Auto Group function to
create further Asset Groups that contain the physical and other assets that you
have created since exporting the Express review.
Since Auto Group will create an Asset Group for the Data Asset exported from the
Express Review, and the Export process will also have created a similar Asset
Group, you are advised to delete the Asset Group created by Auto Group (the one
with an exclamation mark in front of the name of the Data Asset) to avoid any
confusion.
The CRAMM method recommends that separate asset groups are created for each
instance of the following:
data asset
software asset
physical asset
location (organisation, site, building or room).
Asset groups will be created for each instance of all physical assets with the
exception of media assets.
Asset groups are not created automatically for media assets because it is felt
unlikely that reviewers would wish to explore threats and vulnerabilities to this
level of detail.
If, however, you do wish to carry out a threat and vulnerability assessment to this
level of detail you can create further asset groups containing these assets yourself.
This is described in section 8.5.
Automatic creation of asset groups will create a large number of possible groups for
you to select from. It is not intended that all groups should be used, and you should
only select those which are required to satisfy the objectives of the review.
To create the asset groups recommended by the CRAMM method:
From the Identifying Threats to Assets Groups screen, choose Auto Group. Whilst
the calculation is taking place, a dialog box is displayed with a mobile activity
indicator and a Cancel button. If you press the Cancel button, the calculation stops and
the partial results are discarded.
The name of each automatically created asset group is prefixed by an exclamation
mark to distinguish it from groups that you create yourself.
Note that choosing Auto Group will delete any previously created auto groups for
that review.
Warning!! If the system crashes whilst automatic group creation is taking place, it is
likely that not all of the groups will have been created. You should re-perform the
process before you carry out any other actions using the software.

8.5 Maintenance of asset groups


Method Concept: You must create manually any required asset groups which have
not been created automatically by the CRAMM software.
If you have exported from an Express review you will find that some asset groups
have been created which represent the asset groups you defined when recording
the threat and vulnerability assessment. These asset groups will be initially
empty. It is essential that you populate these asset groups with the relevant assets
you created during the Identification and Valuation Stages of the review.
In the case of the asset group with the same name as the data asset, it is still
essential to include the data asset within this asset group.
If you feel that the list of automatically-generated asset groups is insufficient, you can
create additional groups. This allows you to investigate threats against other groups
of assets.
You should only do this if you feel that the threats and vulnerabilities relating to all
assets within the group will be similar and can therefore be investigated together. For
example, if a computer room and a communications room are located alongside each
other, it may make sense to combine them into an asset group and investigate threats
to the single asset group rather than to the two rooms individually. Although there
are no restrictions on the assets that can be included together within a group, you
should avoid grouping assets of different asset classes.
You may also decide to delete some of the generated groups because you do not wish
to investigate threats to them.

To create new asset groups or modify existing asset groups:


Step
1 From the Identifying Threats to Asset Groups screen, choose Maintain
Groups. The Create and Maintain Asset Groups screen is displayed, as
shown in Figure 8-55.

Figure 8-55: Create and Maintain Asset Groups screen


2 Use the Asset Groups text box to either:
    type the name of a new asset group to be added to the review, or
    display the name of an asset group already defined by selecting it
    from the drop-down list box.

3 If an existing asset group name is displayed you can change it by typing
into the text box. If you want to define a new asset group when an
existing group name is displayed, press the New button. This will clear the
existing group's details from this and other fields. You can then type the
name of the new asset group into the Name text box.
4 If you want to modify an asset group created by the software you should
change its name to remove the exclamation mark. This is to prevent it
from being restored to its original state if the Auto Group option is used
again.
5 Use the Asset Classes drop-down list box to select the type of asset which
you wish to add to the asset group. The assets of the type which have
been defined in the review are then displayed in the Assets list box.
6 Use the Assets list box to select an asset which you wish to add to the asset
group, and press the Add button. The name of the asset then appears in
the Group Members list box.
7 If you wish to remove an asset from the group, select it in the Group
Members list box and press the Remove button.

8 Use the Delete button to remove an asset group from the review. Do this
by selecting it from the Asset Groups drop-down list box and pressing the
Delete button.
Once created, you can review the components of asset groups by producing an Asset
Group Component Report. Do this as follows.

To print an Asset Group Component Report:


Step
1 From the Create and Maintain Asset Groups screen, choose Asset Group
Reports option. The Asset Group Reports screen is displayed, as shown in
Figure 8-56.

Figure 8-56: Asset Group Reports screen


2 Select the Asset Group Component option button in the Report Type group
box.
3 Select one or both of the check boxes in the Report Contents group box if
you want to include assets which have dependencies with the
components of the asset groups.
4 Use the Output to controls to select the destination of your report, then
press the Generate Report button to produce the report.

8.6 Defining threats to asset groups


Method Concept: Threats to be addressed by the review will be investigated
against selected asset groups. The boundary for the review will indicate the threats
to be covered. Threats should be linked to the asset groups that they will be
investigated against.
If you have exported from an Express review you will find that the relationship
between the threats and asset groups you defined in the Express review has been
copied over. However, you will need to set up the relationships to any new asset
groups that you have defined.
Having created asset groups, the next step is to define the threats that will be
investigated in relation to each group.
Annex F describes the threats covered by CRAMM and the asset groups that they
typically relate to.
Certain threats can be investigated in relation to different threat sources:
insiders, outsiders and contracted service providers. These are defined as follows:
an insider is a member of staff or other person (such as a cleaner or temporary
member of staff) with access to areas containing system or network assets
a contracted service provider is a third party that provides services in relation to
the system or network under review, for example network management or
system operation
an outsider is anybody else who is not covered by either of the above
descriptions.
You should be selective in deciding which threats to investigate. Only look at those
threats covered within the scope of the review and about which there is a particular
concern. It is possible to investigate a wide range of threats to a wide range of assets,
for example the threat of technical failure could be investigated for every piece of
hardware within the review and the threat of fire could be investigated for every
single room. Such detailed investigation will take some time and may not highlight
significant differences in requirements. You should therefore concentrate initially on
investigating those threats of greatest interest. If necessary, assets can be grouped
together for the purpose of the threat and vulnerability assessment, as described in
section 8.5.
Where you are unsure about the number of threats and asset groups requiring
investigation, you should examine a small number initially and cover more at a later
stage if necessary.

To create relationships between the threats and asset groups in the review:
Step
1 From the Identifying Threats to Asset Groups screen, choose Relate
Threats to Groups. The Relate Threats to Asset Groups screen is displayed,
as shown in Figure 8-57 and Figure 8-58.
2 For ease of use, CRAMM allows you to either relate a selected threat to
several asset groups (for example, the threat of fire to the computer room,
communications room and user accommodation) or several threats to a
selected asset group (for example, the threats of masquerading by
outsiders, masquerading by insiders and communications infiltration to
the Order Entry end-user service).

3 Decide which of these two approaches is most convenient (you can mix
and match for different threats and asset groups) and select the
appropriate one of the two option buttons at the top of the window. The
fields in the window have different names depending on your choice, as
shown in Figure 8-57 and Figure 8-58.
Figure 8-57 shows the screen if you select the Relate a Threat to One or More Asset
Groups option button.

Figure 8-57: Relate Threats to Asset Groups screen (1)

Figure 8-58 shows the screen if you select the Relate an Asset Group to One or More
Threats option button.

Figure 8-58: Relate Threats to Asset Groups screen (2)

4 Select a threat or an asset group from the Threat Type/Asset Group drop-
down list box. The Related Asset Groups/Related Threat Types and Available
Asset Groups/Available Threat Types list boxes will show the appropriate
details for the selection.
5 To create an association, select from the Available Asset Groups/Available
Threat Types list box and press the Add button. The selection will appear in
the Related Asset Groups/Related Threat Types list box.
6 To delete an association, select it from the Related Asset Groups/Related
Threat Types list box and press the Remove button.

To print a report detailing the threat to asset group relationships:


Step
1 Select the Threats to Asset Groups option
2 Use the Output to controls to select the destination of your report, then
press the Generate Report button to produce the report.

8.7 Maintenance of impact applicability


Method Concept: If a threat was to materialise into an incident in relation to a
particular asset group, certain impacts may result (for example, unavailability for
less than 15 minutes, physical destruction, deliberate modification). To enable
measures of risks to be calculated accurately, CRAMM needs to know the impacts
that could result in relation to each threat/asset group combination.
The CRAMM method has defaults for the impacts that could be caused by each
threat. These defaults are illustrated in Annex F.
Depending on the asset groups that have been defined, you may need to adjust the
default impact settings. To do this, generate the Threats to Asset Groups Report as
described in section 8.6. You can use this report to review the impact types shown for
each threat. If you feel that either more or fewer impacts could result from the threat
to the asset, use the Maintain Impact Applicability screen to change the values (this
screen is described below).
You need to make sure that only the impacts of concern are addressed.
To modify the applicability of impacts to a threat/asset group association:
Step
1 From the Identifying Threats to Asset Groups screen, choose Edit
Threat/Asset Group Impact Applicability. The Maintain Impact
Applicability screen is displayed, as shown in Figure 8-59.

Figure 8-59: Maintain Impact Applicability screen


2 Select the threat from the Threat Type drop-down list box.
3 Select the asset group from the Asset Group drop-down list box.
4 The Impact Applicability table has the following columns:

Impact - lists all impacts
Guide - gives the CRAMM method guidance on the applicability of the
impact to the threat/asset group combination. Yes means the impact is
applicable, No means it is not
Applicable - initially has the same setting as the Guide value of the
row.

5 Alter the values in the Applicable column as required, by selecting Yes or
No from the drop-down list box which appears when you select a cell in
the column.

8.8 Threat and vulnerability assessment - introduction


Method Concept: In order to calculate the extent of the requirement for security, it
is necessary to make an assessment about both the level of threats to the assets, and
the extent of the assets' vulnerability to these threats. CRAMM provides two ways
of determining these assessments but in either case the levels of threat and
vulnerability must be stated on the same scales. Threat levels are assessed in
CRAMM on a five point scale of Very Low, Low, Medium, High or Very High.
Vulnerability levels are assessed on a scale of Low, Medium or High.
The Assessing Threats and Vulnerabilities screen is shown below:

Figure 8-60: Assessing Threats and Vulnerabilities screen

Threats and vulnerabilities can be assessed in two ways depending on whether a
full or rapid risk assessment is required.
For a full risk assessment, each threat and vulnerability to be covered is investigated
using a structured questionnaire. Questionnaire responses are input to the software
which then calculates:
levels of threat on a scale of very low, low, medium, high or very high
levels of vulnerability on a scale of low, medium or high.
For a rapid risk assessment, you input threat and vulnerability ratings directly
without the need to answer the questionnaires. Guidance on how to determine threat
and vulnerability levels for rapid risk assessments is contained in section 8.14.
The software tool is flexible and you may, if required, elect to undertake full
investigations of some threats and rapid assessments for others.

8.9 Full risk assessment


Method Concept: During a full risk assessment, all of the contributory factors that
could indicate particular levels of threat or vulnerability are investigated through a
series of structured questionnaires.
The following sections describe the sequence of activities that are involved in a full
risk assessment. They are:
printing threat and vulnerability questionnaires (section 8.10)
gathering information to complete the questionnaires (section 8.11)
entering questionnaire responses into the software (section 8.12):
selecting the questionnaire to input answers to
inputting the answers
reviewing the completeness of the questionnaire
completing questionnaires for future projects or systems under development (section 8.13)
printing reports on the threat and vulnerability assessment (section 8.15).

8.10 Printing threat and vulnerability questionnaires


You need to print a questionnaire for each threat and vulnerability to be investigated.
To print or view a Threat or Vulnerability questionnaire:
Step
1 From the Assessing Threats and Vulnerabilities screen, choose Print
Questionnaire. The Print Questionnaires screen is displayed, as shown in
Figure 8-61.


Figure 8-61: Print Questionnaires screen

2 Select the threat(s) that you want to print questionnaires for in the
Threat Type list box.
3 Select one of the option buttons in the Questionnaire Type group box.
4 Select one of the option buttons in the Contents group box. A completed
questionnaire will contain details of all answers you have input so far. A
blank questionnaire will contain no answers even if you have input some.
5 Use the Output to controls to select the destination of the questionnaire(s)
selected, then press the Generate Report button to produce the report.

8.11 Gathering information to complete the questionnaires


Method Concept: Information on threat and vulnerability factors can be collected
from a variety of sources. For each question on a threat/vulnerability questionnaire
there are two or more choices of answer, each with different weightings assigned.
When all questions for a particular questionnaire have been completed and entered
into the software, CRAMM will calculate the overall weighting for the
questionnaire and determine the level of threat or vulnerability by comparing the
weighting against a pre-defined metric.
Information to complete the questionnaires is gathered from interviews with
appropriate people, physical inspections and, if necessary, reviews of documentation.
As a broad guide, the following people may be able to provide information on
threats and vulnerabilities:
physical and environmental threats such as fire, flood, terrorist attack,
failures of power and environmental systems:
Accommodation Officer/Office Services Manager
Security Officer/Manager
logical threats such as masquerading, communications infiltration,
unauthorised use of applications, misuse of system resources:
System Manager/Administrator

Network Manager/Administrator

Security Officer/Manager

User Management

technical failures:
System Manager/Administrator

Network Manager/Administrator

application software failures:
Development Manager

human errors:
System Manager/Administrator

Network Manager/Administrator

Development Manager

User Management

staff shortage:
Personnel Manager.

To allow threat and vulnerability assessments to be substantiated at a later time, you
should record any explanatory comments or observations from the information
gathering activity.
The above people may also be able to provide information on existing
countermeasures at the same time as the threat/vulnerability assessment. If possible,
this should be covered to make best use of time with the interviewee. To do this, you
need to take appropriate sections of the countermeasure library to the meeting.
Section 10.7 provides guidance on investigating existing countermeasures.

8.12 Entering questionnaire responses to the software


Answers to threat and vulnerability questionnaires must be added to the software.
The software then calculates a threat or vulnerability rating for each impact type that
could result from the threat. Depending on the questionnaire responses, different
threat and vulnerability levels may be calculated for each impact type. You can
amend the calculated threat and vulnerability levels by using the rapid risk function,
which is effectively an over-ride facility (see section 8.14).
Any comments or observations recorded during information gathering can also be
recorded in the software. It is strongly recommended that you record the rationale
for any adjustment to the calculated threat and vulnerability levels.
Some of the questions in the questionnaires only apply to some of the impacts that
the threat may cause.
Questionnaires may be partially completed, and marked as such, and then further
information can be added as it is obtained from interviews. The questionnaire must
not be marked as complete in the software until all the data has been entered.

To select a Threat or Vulnerability Questionnaire to input answers to:


Step
1 From the Assessing Threats and Vulnerabilities screen, choose Answer
Questionnaires. The Complete Threat and Vulnerability Questionnaires
screen is displayed, as shown in Figure 8-62.

Figure 8-62: Complete Threat and Vulnerability Questionnaires screen

2 Select the threat type from the Threat Type drop-down list box.
The table shows the current state of the threat/vulnerability analysis for
the chosen threat. This helps you to keep track of your progress in
completing the questionnaire and allows you to indicate to the software
when the questionnaire is complete. The section below describes how to
use this table.

3 Select the questionnaire you wish to complete by pressing the Threat...
button or the Vulnerability... button. This displays the Threat
Questionnaire or Vulnerability Questionnaire screen, depending on
which button you selected. Figure 8-63 shows the Threat Questionnaire
screen.

Figure 8-63: Threat Questionnaire screen

The screen initially displays the first question in the questionnaire.

To input answers to a selected Threat or Vulnerability questionnaire:


Step
1 Use the Next and Previous buttons to move through the questionnaire one
question at a time.
2 To select an answer for an asset group either:
click in the Chosen Answer column in the appropriate row of the
table, and select the letter for your chosen answer from the column's
drop-down list box

or

select one or more rows in the table and double click on an answer in
the list box below the question. The Chosen Answer cell will be
changed to the letter for the chosen answer.


3 You can create, view or alter a comment which qualifies the chosen
answer for an asset group by selecting any field in the appropriate row
and pressing the Note button. A screen is then displayed into which you
can type or edit the comment. When you are satisfied with the comment,
press the OK button in this screen, and your description appears in the
Comments column. Alternatively, click in the Comments column, and a
small text box appears into which you can type text.
4 Use the Goto button if you want to move directly to a specific question.
The Go To Question screen is displayed, as shown in Figure 8-64.

Figure 8-64: Go To Question screen


5 Choose the question you want to answer by selecting the row in the table
for that question. The Status column displays Complete if answers to the
question have been chosen for all asset groups related to the threat.
Otherwise it is blank.
6 Press the OK button to return to the Threat Questionnaire or
Vulnerability Questionnaire screen, which will now contain the selected
question, or press the Cancel button to return to the screen without
changing the displayed question.
7 When you have supplied all of the answers you wish to in this session,
press the Close button. This causes the threat or vulnerability levels to be
recalculated for the threat and related groups. Whilst the calculation is
taking place, a dialog box is displayed with a mobile activity indicator
and a Cancel button. If you press the Cancel button the calculation stops
and you are returned to the Threat Questionnaire or Vulnerability
Questionnaire screen.
8 Once the calculation is complete, you are returned to the Complete
Threat and Vulnerability Questionnaires screen, where the calculated
levels are displayed in the Threat Level or Vuln Level column, as
appropriate.


9 You can then either leave the Complete Threat and Vulnerability
Questionnaires screen using the Next Screens button or the Close button,
or you can choose another questionnaire to answer and continue as
described above.

To review the completeness of a Threat or Vulnerability Questionnaire:


The table in the Complete Threat and Vulnerability Questionnaires screen shows
the current state of the threat/vulnerability analysis for the chosen threat, as follows:
the Asset Group column has entries for the groups which have been
associated with the threat
the Impact (if specific) column shows the impacts for which specific threat and
vulnerability levels are calculated from the questionnaire answers. If the
entry in this column is blank, then the levels shown in this row apply for all
impacts applicable to the threat and group, apart from those, if any, with
specific rows in this table
the Threat Level column shows the value calculated on the basis of the
questions in the threat questionnaire answered so far
the Vuln Level column shows the value calculated on the basis of the
questions in the vulnerability questionnaire answered so far
the Threat Level and Vuln Level values are displayed in red if they have been
overridden using the Rapid Risk Assessment screen (see section 8.14). Note
that the values shown in this screen are the original values calculated from
the questionnaire answers, not the new values supplied to the Create and
Maintain Override Levels screen
if the Threat Level or Vuln Level value is displayed as Invalid it means that the
system crashed whilst questions in the appropriate questionnaire were being
answered. To recover, you should perform step 3 above and complete the
questionnaire. If you had already supplied all of the answers and the crash
occurred when the software was calculating the level, you should re-set one
of the answers to the value it already has. The software will assume that a
change has been made and calculate the level.
The Threat Complete and Vuln Complete columns are set to Yes automatically once all the
questions in the corresponding questionnaire have been answered. You can set them back
to No to indicate that you wish to review the assessment or gather further information.
If either the Threat Complete or Vuln Complete column is set to No, then measures of
risks will not be calculated for the threat and group (see section 9.2).
Once threat and vulnerability questionnaires are complete, you can print a Threat
Vulnerability Assessment Result Report.
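The scoring described in sections 8.11 and 8.12 (weighted answers summed per questionnaire, the total compared against a pre-defined metric, some questions counting only towards particular impacts, and a partial questionnaire still yielding a level from the answers given so far) can be expressed in code. The example below is added here and is not CRAMM's own software; the questions, answer weightings, threshold metric and the masquerading questionnaire in sample_questionnaire are invented for illustration, since the guide does not reproduce the real questionnaires or metrics.

```python
"""Scoring a CRAMM-style threat or vulnerability questionnaire.

Added example; not CRAMM's own code. The questions, answer weightings and
the threshold metric below are invented for illustration: the guide does
not reproduce the real questionnaires or their pre-defined metrics.
"""
from dataclasses import dataclass, field


@dataclass
class Question:
    text: str
    answers: dict            # answer letter -> weighting
    impacts: set = None      # None: applies to every impact the threat can cause


@dataclass
class Questionnaire:
    threat: str
    impacts: set             # impacts the threat can cause (Impact Applicability table)
    questions: list
    metric: list             # ascending (minimum weighting, level) pairs
    chosen: dict = field(default_factory=dict)   # question index -> letter
    notes: dict = field(default_factory=dict)    # question index -> comment

    def answer(self, index, letter, note=None):
        """Record a chosen answer; a note justifies it for later substantiation."""
        if letter not in self.questions[index].answers:
            raise ValueError(f"question {index}: no answer {letter!r}")
        self.chosen[index] = letter
        if note:
            self.notes[index] = note

    def is_complete(self):
        """Only mark the questionnaire complete once every question is answered."""
        return len(self.chosen) == len(self.questions)

    def weighting(self, impact=None):
        """Sum of the weightings of the answers given so far.

        impact=None counts only the general questions; a specific impact also
        counts the questions that apply to it. Unanswered questions contribute
        nothing, so a partially completed questionnaire still yields a level.
        """
        total = 0
        for index, q in enumerate(self.questions):
            if index not in self.chosen:
                continue
            if q.impacts is None or (impact is not None and impact in q.impacts):
                total += q.answers[self.chosen[index]]
        return total

    def level(self, impact=None):
        """Compare the weighting against the metric: the highest threshold reached wins."""
        w = self.weighting(impact)
        result = self.metric[0][1]
        for minimum, name in self.metric:
            if w >= minimum:
                result = name
        return result

    def results(self):
        """Rows as on the Complete Questionnaires screen: None is the general row and
        an impact gets its own row only if some question is specific to it."""
        rows = {None: self.level()}
        for impact in sorted(self.impacts):
            if any(q.impacts and impact in q.impacts for q in self.questions):
                rows[impact] = self.level(impact)
        return rows

    def effective_level(self, impact):
        """Level that applies to an impact: its specific row, else the general row."""
        rows = self.results()
        return rows.get(impact, rows[None])


def sample_questionnaire():
    """Constructed threat questionnaire for masquerading; not a real CRAMM questionnaire."""
    metric = [(0, "Very Low"), (10, "Low"), (20, "Medium"), (30, "High"), (40, "Very High")]
    questions = [
        Question("How many users hold accounts on the system?", {"A": 0, "B": 5, "C": 10}),
        Question("Can the system be reached from outside the organisation?", {"A": 0, "B": 10}),
        Question("Do ordinary users hold write access to sensitive data?", {"A": 0, "B": 12},
                 impacts={"Modification"}),
        Question("Has a masquerading incident been reported in the last 3 years?",
                 {"A": 0, "B": 15}),
    ]
    return Questionnaire("Masquerading of user identity", {"Disclosure", "Modification"},
                         questions, metric)


if __name__ == "__main__":
    q = sample_questionnaire()
    q.answer(0, "C")
    q.answer(1, "B")
    print("partial:", q.results(), "complete:", q.is_complete())
    q.answer(2, "B")
    q.answer(3, "A", note="No incidents in the helpdesk log since 2002")
    print("final:", q.results(), "complete:", q.is_complete())
```

With the sample answers the general row comes out Medium while Modification gets its own High row, because the write-access question counts only towards that impact; Disclosure has no specific question, so it takes the general level, which is the "blank Impact column" rule from the completeness review above.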

8.13 Completing questionnaires relating to future projects or systems under development
Method Concept: Where future projects are being planned or new systems are
under development, some of the information required to assess and manage future
risks will be unknown. CRAMM can still be used in these circumstances.
Assumptions can be made where information is unavailable and the risk assessment
updated as more information becomes known.
The threat and vulnerability questionnaire may also be used for the consideration of
a future project or system under development. You should obtain answers to every
question on all relevant questionnaires. This may involve making assumptions or
estimates of details of the proposed system, but it is important not to ignore
questions (except where specifically stated in the text of the question), as this may
lead to threats and vulnerabilities being assessed as too low. In some cases the text of
the question itself gives guidance and in many cases unknown is a valid answer.
Where necessary, questions should be considered as being in the future rather than
the present tense.

8.14 Rapid risk assessment


Method Concept: Reviewers can undertake a rapid risk assessment by bypassing
the threat and vulnerability questionnaires and entering threat and vulnerability
levels directly. This screen can also be used by reviewers to over-ride the results of
the full threat and vulnerability assessments.
If you have exported from an Express review you will find that the threat and
vulnerability assessment you recorded has been copied over. These threat and
vulnerability assessments can be amended, or extended to cover the additional
threats / asset groups that you wish to cover during the Expert review. Please note
that if you wish to assess the threat and vulnerability using the Full
Questionnaires, you should set the Rapid Risk levels to None.
Where a rapid risk assessment is undertaken, you simply input threat and
vulnerability levels direct to the software using the override facility. Since these
levels may vary for each impact type, you have the option to:
input a single threat or vulnerability rating to apply to all impact types that
can be caused by the threat
input individual ratings for different impact types.
The following broad guidance can be used to set threat and vulnerability levels
during a rapid risk assessment:
Threat Rating Guide
Very Low An incident is expected to occur, on average, no more than once in
every 10 years.
Low An incident is expected to occur, on average, once in every 3 years.
Medium An incident is expected to occur, on average, once a year.
High An incident is expected to occur, on average, once in every 4
months.
Very High An incident is expected to occur, on average, once a month.

Table 8-1: Guidance on Threats Levels for Rapid Risk Assessment


Vulnerability Rating Guide
Low If an incident were to occur, there would be no more than a
33% chance of the worst case scenario (assessed during asset
valuation) being realised.
Medium If an incident were to occur, there would be a 33% to 66%
chance of the worst case scenario (assessed during asset
valuation) being realised.
High If an incident were to occur, there would be a higher than 66%
chance of the worst case scenario (assessed during asset
valuation) being realised.

Table 8-2: Guidance on Vulnerability Levels for Rapid Risk Assessment

Once ratings have been input, you can produce a Threat Vulnerability Assessment
Result Report, as described in section 8.15.
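Tables 8-1 and 8-2 are easier to apply consistently if the incident history and the worst-case probability are turned into ratings by code rather than by eye. The following is an added example, not CRAMM's software: Table 8-1 gives a single reference frequency per threat rating, so an observed annual rate is mapped to the nearest reference frequency on a log scale, which is an assumption made here; the helpdesk extract in SAMPLE_LOG and the three-year window are constructed data. It also produces one rating per impact type alongside a single rating across all incidents, the two forms the Rapid Risk Assessment screen accepts.

```python
"""Rapid-risk threat and vulnerability ratings from Tables 8-1 and 8-2.

Added example; not CRAMM's own code. The nearest-reference-frequency rule
and the incident history below are assumptions made for illustration.
"""
import math
from datetime import date

# Table 8-1 expressed as expected incidents per year
THREAT_REFERENCE_RATES = [
    ("Very Low", 1 / 10),  # once in 10 years
    ("Low", 1 / 3),        # once in 3 years
    ("Medium", 1.0),       # once a year
    ("High", 3.0),         # once in 4 months
    ("Very High", 12.0),   # once a month
]


def threat_rating(rate_per_year):
    """Rating whose Table 8-1 frequency is nearest on a log scale (assumed rule).
    No incidents at all has no log; it is rated Very Low (no more than once in 10 years)."""
    if rate_per_year <= 0:
        return "Very Low"
    target = math.log(rate_per_year)
    return min(THREAT_REFERENCE_RATES, key=lambda r: abs(math.log(r[1]) - target))[0]


def vulnerability_rating(worst_case_probability):
    """Table 8-2: chance that the worst case assessed at asset valuation is realised."""
    p = worst_case_probability
    if not 0 <= p <= 1:
        raise ValueError("probability must lie between 0 and 1")
    if p <= 0.33:
        return "Low"
    if p <= 0.66:
        return "Medium"
    return "High"


def annual_rate(incident_dates, window_start, window_end):
    """Incidents per year observed over the window (both ends inclusive)."""
    days = (window_end - window_start).days
    if days <= 0:
        raise ValueError("window must be non-empty")
    counted = sum(1 for d in incident_dates if window_start <= d <= window_end)
    return counted * 365.25 / days


def threat_ratings_by_impact(incident_log, window_start, window_end):
    """One rating per impact type, plus a single rating (key None) across all incidents."""
    all_dates = [d for d, _ in incident_log]
    ratings = {None: threat_rating(annual_rate(all_dates, window_start, window_end))}
    for impact in sorted({i for _, i in incident_log}):
        dates = [d for d, i in incident_log if i == impact]
        ratings[impact] = threat_rating(annual_rate(dates, window_start, window_end))
    return ratings


# Constructed helpdesk extract: (date, impact type) for one threat over three years
SAMPLE_LOG = [
    (date(2002, 3, 10), "Unavailability"),
    (date(2002, 11, 2), "Unavailability"),
    (date(2003, 1, 12), "Disclosure"),
    (date(2003, 6, 15), "Unavailability"),
    (date(2004, 2, 20), "Unavailability"),
    (date(2004, 9, 1), "Unavailability"),
]
WINDOW = (date(2002, 1, 1), date(2005, 1, 1))

if __name__ == "__main__":
    print(threat_ratings_by_impact(SAMPLE_LOG, *WINDOW))
    print(vulnerability_rating(0.5))
```

On the sample log the single rating across all incidents is High (about two a year) while Unavailability alone is Medium and Disclosure alone is Low, which is exactly the situation in which the guide suggests entering individual ratings per impact type rather than one rating for the threat.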

To set Threat and Vulnerability levels directly or override the levels calculated
from questionnaire answers:
Step
1 From the Assessing Threats and Vulnerabilities screen, choose Rapid
Risk Assessment option. The Rapid Risk Assessment screen is displayed,
as shown in Figure 8-65.


Figure 8-65: Rapid Risk screen


2 Select the threat from the Threat Type drop-down list box.
3 The table shows the current threat/vulnerability override levels set for the
chosen threat:
the Asset Group column has entries for the groups which have
been associated with the threat
the Impact column shows the impacts that this threat can cause
use the Threat Level column to set an override threat level. Do this
by selecting the appropriate cell then selecting the required level
from its drop-down list box
use the Vuln Level column to set an override vulnerability level.
Do this by selecting the appropriate cell then selecting the
required level from its drop-down list box.
Note: You can set these values for individual impacts if necessary
you can create, view or alter a comment which qualifies the
chosen override levels for an asset group by selecting any field in
the appropriate row and pressing the Note button. A screen is
then displayed into which you can type or edit the comment.
When you are satisfied with the comment, press the OK button in
this screen, and your description appears in the Comment column.
Alternatively, click in the Comment column, and a small text box
appears into which you can type text.


8.15 Threat and Vulnerability Reports


Method Concept: The threats and vulnerabilities need to be summarised in order
that they can be discussed and agreed with the management board.
The Threat and Vulnerability Reports screen is shown below:

Figure 8-66: Threat and Vulnerability Reports screen

The options on the Threat and Vulnerability Reports screen are as follows:
Producing a Threat and Vulnerability Summary
Producing Threat and Vulnerability Charts
These options are described in detail in the following sections.

8.16 Threat Vulnerability Summary


Method Concept: The threats and vulnerabilities need to be summarised in order
that they can be discussed and agreed with the management board.
Selecting this option generates a report automatically. The report summarises the
levels of threats and vulnerabilities. If the level of threat varies according to the
impact that it can cause the report selects the highest level that the threat reaches.
Similarly, if the level of vulnerability varies according to the impact under
consideration the report shows the highest level that the vulnerability reaches.
The report shows both the results of the Full Threat and Vulnerability Assessment,
and the Rapid Risk Assessment. The levels input using the Rapid Risk Assessment
screen are shown in the columns labelled Over-ride Levels.

The following figure shows a sample of the Threat and Vulnerability Summary
report:

Figure 8-67: Threat and Vulnerability Summary report

8.17 Threat Chart Wizard


Selecting this option will initiate a Wizard that takes users through the process of
generating a range of charts.
The screens in the Wizard are as follows:
Screen 1 Select the type of report
This screen gives the user the opportunity to choose what sort of information
they wish to chart and what range of threats they wish to base the chart
upon. The types of information that can be charted includes:
Measures of Risk
Threat Level
Vulnerability Level
Impact Level

The range of threats that can be selected include:


Logical
Communications
Failures of Equipment
Human Errors
Environmental
Physical


Screen 2 Select the style of report


This screen gives the user the opportunity to choose which style of report
they wish to create. The styles that can be selected include:
Bar Chart
3D Bar
Column
3D Column
Area
3D Area

Screen 3 Save/Print/Export report


This screen allows users to either preview the report, print the report or to
export it into MS Word format for further editing.

8.18 Section summary


At this point you will have done the following:
generated asset groups automatically and, if necessary, created additional
groups
linked threats to asset groups
reviewed and, if necessary, adjusted the impacts that could result from each
threat/asset group pairing
undertaken a full or rapid risk assessment

9. Risk analysis
9.1 Introduction
Method Concept: Asset values, threat levels and vulnerability levels combine
together to give measures of risks (or security requirements) which are then used
to select appropriate countermeasures.
The objective of risk analysis is to determine the level of requirement for security
relating to the system or network.
The topics covered in this section are:
calculating measures of risks (section 9.2)
reviewing measures of risks (section 9.3)
carrying out a stage 2 backtrack (section 9.7)
producing a Risk Analysis report (section 9.8)
holding a Risk Analysis review meeting (section 9.9).
The Risk Analysis screen is shown below:

Figure 9-68: Risk Analysis screen

9.2 Calculating measures of risks


Method Concept: Measures of risks are calculated by comparing asset values,
threat levels and vulnerability levels. Measures of risks represent security
requirements, since a high risk indicates a high requirement for security.
Once all the necessary asset valuations, threat ratings and vulnerability ratings have
been input, you need to use CRAMM to calculate the measures of risks needed to
protect each asset group against the threats to which it is vulnerable.
Measures of risks are calculated on a scale of 1 to 7 using the risk matrix contained in
Annex G. On this scale, 1 indicates a low level baseline security requirement and 7
indicates a very high security requirement.

For each threat, measures of risks are calculated for:
all assets within the asset group for which the threat has been investigated
all assets which depend on, or are depended on by, the assets in the group
all impact types that could result from the threat and for which the asset has
been valued.
Measures of risks for the assets in the group, and for assets which depend on assets
in the group, are calculated using the value of the asset itself.
Measures of risks for an asset outside the group, which is depended on by assets in
the group, are calculated using the highest impact value of those assets within the
group that depend on it.
This level of calculation is necessary to ensure that suitable countermeasures are
selected to protect against the calculated risks. Because of its thoroughness and
complexity it may take some time to complete.
To calculate measures of risks:
From the Risk Analysis screen, choose Calculate Measures of Risks option. Whilst the
calculation is taking place a dialog box is displayed with a mobile activity indicator
and a Cancel button. If you press the Cancel button the calculation stops and the
partial results are discarded.
Note that Measures of risks will only be calculated for those threats which have the
Threat Complete and Vuln Complete columns set to Yes for all groups in the Complete
Threat and Vulnerability Questionnaires screen, or have had override levels set for
all groups.

9.3 Reviewing measures of risks


Method Concept: Measures of risks are a critical element of the risk analysis and
will have a direct influence on the selection of countermeasures. It is important that
measures of risks are correct before proceeding with the remainder of the review.
The measures of risks are the pivotal links between the risk analysis and the risk
management parts of a CRAMM review. Countermeasures will be selected based on
the measures of risks calculation. Because of this, you should review the Measures of
Risks report to ensure that there are no anomalies, for example measures of risks
which are much higher or lower than expected.
The Review Measures of Risk Screen is shown below:

Figure 9-69: Review Measures of Risk screen

As the screen shows, it is possible to produce either a detailed or a summary measures
of risk report.

9.4 Detailed Measures of Risk Report


The Detailed Measures of Risk Report screen is shown below:

Figure 9-70: Detailed Measures of Risk Report screen


To print a Measures of Risks report:
Step
1 From the Reviewing Measures of Risk screen, choose Detailed Measures of
Risk option. The Detailed Measures of Risk screen is displayed, as shown
in Figure 9-70.
2 Use the fields on the Detailed Measure of Risk screen to define the contents
of the report, as follows:
choose the way in which you want the report ordered (either by
Threat or by Asset Group)
if you have chosen to order the report by threat, select the
category of threats you want to include from the Threat Type list box,
or select the All Threats check box
if you have chosen to order the report by asset group, select the
asset group you want to include from the Asset Groups combo
box, or select the All Asset Groups check box.

3 Use the Output to controls to select the destination of your report, then
press the Generate Report button to produce the report.

9.5 Summary Measures of Risk report

Figure 9-71: Measures of Risk Summary Report

9.6 Risk Analysis Reports


Method Concept: It is important to explain to management the findings that have
been determined during the Identification and Valuation of Assets, Threat and
Vulnerability Assessment and Risk Analysis stages, so that a measure of agreement
can be reached on this analysis before proceeding to the Risk Management stages.
The Risk Analysis screen is shown below:

Figure 9-72: Risk Analysis Reports screen

9.7 Stage 2 backtrack facility


Method Concept: An important design feature of CRAMM is that there is no
hidden logic in any part of the method. The backtrack facility is a powerful tool for
identifying the factors that led to particular conclusions or recommendations. The
Stage 2 backtrack facility allows you to identify the individual asset values, threat
levels and vulnerability levels upon which measures of risks were calculated.
The Stage 2 backtrack facility enables you to determine the reasons behind the
calculation of particular measures of risks.
If you enter the details of a threat/asset group pair, the Stage 2 backtrack facility
produces a report that highlights the threat ratings, vulnerability ratings and asset
valuations that contributed to the measures of risks calculation. You can decide to
continue the backtrack through Stage 1 if desired.
If you enter the details of a threat/asset pair, a report is produced that highlights the
threat and vulnerability ratings and asset values that contributed to the measures of
risks ratings for that particular asset. Again, you can continue the backtrack through
Stage 1 if you wish.
The Stage 2 Backtrack Report contains details of:
the asset group, its components and related assets
threat and vulnerability ratings
asset values for each impact.
To carry out a backtrack on the calculated Measures of Risks:
Step
1 From the Risk Analysis Reports screen, choose Stage 2 Backtrack option.
The Stage 2 Backtrack Report screen is displayed, as shown in Figure
9-73.

Figure 9-73: Stage 2 Backtrack Report screen


2 Define whether you want to backtrack on a threat-asset group or a
threat-asset combination by selecting the appropriate option button in
the Include group box.
3 If you want the associated Stage 1 backtrack report to be produced, select
the Perform Related Stage 1 Backtrack check box.
4 Select the threat and asset or asset group for the backtrack from the Threat
Type and the Assets or Asset Groups list boxes.
5 Use the Output to controls to select the destination of your report, then
press the Generate Report button to produce the report.
6 If you selected the Perform Related Stage 1 Backtrack check box in step 3, a
separate report will be produced for the Stage 2 backtrack and each
associated backtrack.
The Stage 1 Backtrack Report screen appears for each related report. You
should select the output for the report, or not perform the specific backtrack as
required. You can also abandon the backtrack sequence at any point.
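The calculation rules of section 9.2 (own value for group members and for assets that depend on them; the highest impact value of the dependent group members for assets the group depends on; only impacts the threat can cause; no calculation until every group is complete or overridden) and the Stage 2 backtrack of section 9.7 fit in one small model. The code below is an added example and not CRAMM's software: risk_matrix is an illustrative, monotone stand-in for the Annex G matrix, which this guide does not reproduce, and the assets, values, dependencies, group and levels in sample_review are constructed. Override rows from the Rapid Risk screen take precedence over questionnaire rows, and a row for a specific impact takes precedence over the general (blank impact) row.

```python
"""Measures of risk with dependency propagation, and a Stage 2 backtrack.

Added example; not CRAMM's own code. risk_matrix is an assumed stand-in
for the Annex G matrix, and sample_review holds constructed data.
"""
from dataclasses import dataclass

THREAT_LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]
VULN_LEVELS = ["Low", "Medium", "High"]


def risk_matrix(asset_value, threat_level, vuln_level):
    """Assumed 1..7 measure of risk: rises with threat, vulnerability and asset value."""
    if not 1 <= asset_value <= 10:
        raise ValueError("asset values are on a 1 to 10 scale")
    score = 1 + THREAT_LEVELS.index(threat_level) + VULN_LEVELS.index(vuln_level)
    if asset_value >= 8:
        score += 1
    elif asset_value <= 3:
        score -= 1
    return max(1, min(7, score))


class IncompleteAssessment(Exception):
    """A threat/group pair is neither complete nor covered by an override."""


@dataclass
class Measure:
    threat: str
    group: str
    asset: str
    impact: str
    asset_value: int
    value_basis: str     # why this value was used (shown by the backtrack)
    threat_level: str
    vuln_level: str
    source: str          # "questionnaire" or "override"
    measure: int


class Review:
    def __init__(self, values, depends_on, groups, threat_impacts, levels,
                 overrides=None, complete=()):
        self.values = values                  # asset -> {impact: value 1..10}
        self.depends_on = depends_on          # asset -> set of assets it depends on
        self.groups = groups                  # group -> set of member assets
        self.threat_impacts = threat_impacts  # threat -> impacts it can cause
        self.levels = levels                  # (threat, group) -> {impact or None: (T, V)}
        self.overrides = overrides or {}      # same shape, from the Rapid Risk screen
        self.complete = set(complete)         # (threat, group) with both questionnaires complete

    def level_for(self, threat, group, impact):
        """An override beats the questionnaire; a specific impact row beats the general row."""
        for source, table in (("override", self.overrides), ("questionnaire", self.levels)):
            rows = table.get((threat, group), {})
            if impact in rows:
                return rows[impact] + (source,)
            if None in rows:
                return rows[None] + (source,)
        return None

    def measures_of_risk(self, threat):
        groups = {g for (t, g) in set(self.levels) | set(self.overrides) if t == threat}
        for g in groups:
            if (threat, g) not in self.complete and (threat, g) not in self.overrides:
                raise IncompleteAssessment(f"{threat} / {g}: questionnaires incomplete")
        out = []
        for g in sorted(groups):
            members = set(self.groups[g])
            # outside the group but depending on a member: valued at their own value
            dependents = {a for a, d in self.depends_on.items() if d & members} - members
            # outside the group and depended on by members: valued at the highest
            # impact value of the members that depend on them
            supporting = set().union(*(self.depends_on.get(m, set()) for m in members)) - members
            for asset in sorted(members | dependents):
                for impact, value in self.values.get(asset, {}).items():
                    self._add(out, threat, g, asset, impact, value, f"own value of {asset}")
            for asset in sorted(supporting):
                users = [m for m in members if asset in self.depends_on.get(m, set())]
                for impact in sorted(self.threat_impacts[threat]):
                    valued = [(self.values[m][impact], m) for m in users
                              if impact in self.values.get(m, {})]
                    if valued:
                        value, top = max(valued)
                        self._add(out, threat, g, asset, impact, value,
                                  f"highest value among dependent members ({top})")
        return out

    def _add(self, out, threat, group, asset, impact, value, basis):
        if impact not in self.threat_impacts[threat]:
            return  # this threat cannot cause that impact
        found = self.level_for(threat, group, impact)
        if found is None:
            return
        t, v, source = found
        out.append(Measure(threat, group, asset, impact, value, basis, t, v, source,
                           risk_matrix(value, t, v)))

    def backtrack(self, threat, group=None, asset=None):
        """Stage 2 backtrack: the value, threat and vulnerability behind each measure."""
        return [m for m in self.measures_of_risk(threat)
                if group in (None, m.group) and asset in (None, m.asset)]


def sample_review():
    """Constructed review: a hardware group, the data that runs on it, and its room."""
    g = "G1 server room hardware"
    return Review(
        values={"Customer DB": {"Disclosure": 8, "Destruction": 7, "Unavailability": 6},
                "DB Server": {"Destruction": 4, "Unavailability": 3},
                "Fileserver": {"Destruction": 3, "Unavailability": 3}},
        depends_on={"Customer DB": {"DB Server"},
                    "DB Server": {"Server room"}, "Fileserver": {"Server room"}},
        groups={g: {"DB Server", "Fileserver"}},
        threat_impacts={"Fire": {"Destruction", "Unavailability"},
                        "Flood": {"Destruction", "Unavailability"}},
        levels={("Fire", g): {None: ("Low", "Medium"), "Destruction": ("Low", "High")},
                ("Flood", g): {None: ("Very Low", "Low")}},
        complete={("Fire", g)},
    )
```

In the sample, Fire against the hardware group produces measures for the two members, for Customer DB (which depends on DB Server and is valued at its own figures, Disclosure excluded because Fire cannot cause it) and for the Server room, whose Destruction value is borrowed from DB Server as the highest-valued dependent member; Flood refuses to calculate until an override is entered for the group, which is the condition stated at the end of section 9.2.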

9.8 Risk Analysis Report


The objective of the Risk Analysis Report is to present
the findings of the asset valuation conducted during the identification and
valuation of assets.
the findings of the threat and vulnerability assessment
conclusions on the levels of risk relating to the system under review.

To generate a Risk Analysis report:
Step
1 From the Risk Analysis Reports screen, choose Risk Analysis Wizard
option. Selecting this option will initiate a Wizard that will take users
through the process of writing a Risk Analysis Report. The screens in the
Wizard are as follows:
Screen 1 Select Name of Report
This screen allows users to create new reports or to open a report that
they have already been working on.
Screen 2 Select Sections to appear in report
This screen gives the user the opportunity to choose which sections of the
standard report they wish to include in their report. One section is
mandatory: Data Asset and Threat and Vulnerabilities.
Screen 3 Select Data Asset information to appear in report
This screen gives the user the opportunity to choose which data assets and
which impact descriptions they wish to include in their report.
Screen 4 Select Threat information to appear in report
This screen gives the user the opportunity to choose which threats they
wish to include in their report.
Screen 5 Report Tree for editing information in the report
This screen allows users to edit the standard words that are contained in
the normal template (such as key issues, main finding, etc), or the words
that have been pulled through from the data asset scenarios, or the factors
behind the assessment of threats and vulnerabilities.
Screen 6 Save/Print/Export report
This screen allows users to specify which appendices they wish to include
in their report, and then to either preview the report, print the report or to
export it into MS Word format for further editing.


9.9 Risk Analysis review meeting


Method Concept: The purpose of the Risk Analysis review meeting is to ensure
that the objectives of Risk Analysis have been achieved so far and to review and
agree the findings before proceeding to the Risk Management phase of the review.
As well as providing a formal review of Risk Analysis and approval to proceed to
the Risk Management phase, the review meeting provides an opportunity for you to
seek input and guidance on issues of particular importance or concern. It is also an
opportunity to maintain or raise awareness and commitment from management.
The results of identification and valuation of assets, and in particular the valuations
of the data assets, need to be presented to management to obtain formal agreement
that they are correct. This agreement is critical to the accuracy, efficiency and
acceptability of the review as a whole. The countermeasure recommendations are
largely dependent upon these data asset values.
Management in this context would normally be a project board where all interested
parties are represented. The membership should ideally be more senior than the
interviewees from Stage 1. At the very least, you need a senior user to agree to the
data values.

9.9.1 Preparing for the review meeting


Method Concept: Where a formal Risk Analysis review meeting is to be held, a
range of reports can be generated from CRAMM to assist you to prepare for the
meeting.
The following reports can be used to prepare for the meeting:
Data Asset Valuation forms (completed)
Application Software Asset Valuation forms (completed)
Physical Asset Valuation forms (completed)
Impact Assessment report
Threat and Vulnerability Summary
Summary Measures of Risks Report
Risk Analysis Management report.
Instructions for producing the valuation forms and impact assessment report are
given in sections 7.10 and 7.17 respectively. The Risk Analysis Report is described in
section 9.8.
It may also be useful to print backtrack reports for any contentious physical assets or
application software assets.
You should supply the Risk Analysis Report to the project board a week before the
meeting to allow them to consult and draw their conclusions. The focus of such a
report should be on the business issues and not upon the numerical values that
CRAMM employs.
The following agenda is suggested for the meeting:
introduction
summary of the scope of the review and specific exclusions
overview of the CRAMM process and Risk Analysis activities
values of physical and software assets (possibly totals only)
values obtained for data assets (summary and discussion for each asset)
values needing additional consideration and explicit approval (both
higher and lower than the norm)
findings from the threat and vulnerability assessment
threats and vulnerabilities needing specific additional consideration and
explicit agreement (high values and unexpected low values)
likely implications of the findings for the rest of the review
overview of Risk Management activities.


Formal minutes of the meeting should be made.
When reviewing asset values with management, it may be worth adopting a risk
avoidance or risk transfer strategy to reduce the asset values.
A risk avoidance strategy involves avoiding the problem in the first place. For
example, it may be that only a few records in a database are considered to be highly
sensitive and the risk could be avoided by storing the sensitive records somewhere
else. This type of solution can be very effective and inexpensive; however, it is
often only practical to implement if the system or network is still in the design stage.
A risk transfer strategy reduces the requirements for security by transferring the
risks outside the organisation, or elsewhere within the organisation. For example, if
the management of a system or network was outsourced under a contract that
defined required service levels with penalties for non-compliance, certain risks may
be considered to have been transferred from the customer to the service provider.
Such a strategy may, of course, introduce additional risks that need to be managed,
such as failure of the service provider.
The review meeting should concentrate on agreeing on the major findings resulting
from the risk assessment, in particular the high or medium threat/vulnerability
ratings.
It is a management task to consider the accuracy and completeness of this
information and to justify any alteration necessary. Also, management must be
satisfied that all the information gathered so far is correct. (Correcting errors at this
stage is relatively quick and inexpensive, but becomes progressively slower and
more expensive as the review progresses through the Risk Management phase.)

9.10 Section summary


At this point you will have done the following:
calculated the measures of risks using CRAMM
reviewed the measures of risks for anomalies
prepared and reviewed reports with management.
Annex C contains a complete checklist.

10. Risk management


10.1 Introduction
Method Concept: Based on the findings of the risk analysis, CRAMM will produce
a recommended security profile for the system or network under review. This will be
in the form of a set of countermeasures which are considered necessary to manage
the identified risks and which are applicable to the system or network. Options and
alternatives are clearly identified in the security profile. For existing systems, the
recommended security profile can be compared against current installed
countermeasures to identify areas of weakness or over-provision. For projects at the
planning stage or systems under development, the security profile provides an
initial recommended set of security requirements. The recommended security profile
generated from CRAMM will always need to be considered against the available
budget and practical implementation issues.
The Risk Management screen is shown below:

Figure 10-74: Risk Management screen

The Risk Analysis phase of CRAMM dealt with establishing asset values and levels
of threat and vulnerability in order to determine the risks to the system or network.
The Risk Management phase is concerned with managing those risks. The objective of the
Risk Management phase is to identify an appropriate and justified set of security
countermeasure recommendations for the system or network under review.
The steps in Stage 3 are as follows.
Identifying, from an extensive countermeasure library, those
countermeasures which meet the risks that have been assessed.
Identifying countermeasures that are already installed or for which plans
to install already exist.
Investigating the differences between the countermeasures recommended
by CRAMM and the countermeasures that are in place.
Producing recommendations on the way in which security should be
improved or, for a new system, on the countermeasures that are required.
The topics covered in this section are:
selecting countermeasures (section 0)
identifying existing countermeasures (section 10.7)
making recommendations (section 10.8)
prioritising countermeasures (section 10.9)
entering the cost of countermeasures (section 10.10)
performing a Stage 3 backtrack (section 10.12)
producing a Risk Management report (section 10.13)
holding a Risk Management review meeting (section 10.14).

10.2 Pointers and prompts


The following pointers and prompts are provided for you to consider prior to
commencing work on stage 3:
appropriate people should be consulted when considering whether
additional countermeasures should be recommended. These people may
include:
IT Security Officers
Systems/Networks Specialists
Fire Officers
Building/Office Managers
Users
Physical Security Co-ordinators
Personnel Managers

The consultation should cover the following questions:
does a particular countermeasure already exist and, if so, does it
provide adequate and cost-effective protection?
if the countermeasure does not exist, would it be practical and
cost-effective to implement and operate?
the requirement for some countermeasures may require further discussion
with security specialists before a decision can be made about their suitability
the costs and practicalities of implementing certain countermeasures must be
considered carefully. Where the nature of the system or network
environment makes it inappropriate to implement certain countermeasures,
these should be marked as not applicable
when the process of investigating countermeasures has been completed the
status of the investigated countermeasures should be entered into the
CRAMM software.

10.3 Security Checklists


Method Concept: CRAMM provides reports that allow the reviewer either to
print out all of the countermeasures included in CRAMM's countermeasure library,
irrespective of whether the countermeasure calculation has been run, or to
print out those countermeasures that have been identified as recommended by
CRAMM on the basis of the risks identified during the risk assessment.
The Security Checklists screen is shown below:

Figure 10-75: Security Checklists screen


The Countermeasure Library option provides a variety of reports based on the
contents of CRAMM's countermeasure library. The Countermeasure Assessment
Reports option allows you to print out which countermeasures have been
recommended by CRAMM.

10.4 Countermeasure Library


Method Concept: CRAMM contains a very large database of countermeasures
known as the Countermeasure Library. This contains countermeasures to protect
against all of the threats covered in the Threat and Vulnerability stage of the method.
You can use the CRAMM software to automatically identify all those
countermeasures that meet the risks identified during the Risk Analysis phase. It
selects these from its large library of countermeasures. Countermeasures which fulfil
a broadly similar purpose are collected together in countermeasure groups.
Annex I shows the countermeasure groups and the threats that they protect against.
This shows, for example, that the countermeasure groups of Capacity Planning,
Audit and Accounting provide protection against the threat of mis-use of system
resources.
Each countermeasure group is divided into countermeasure sub-groups. All the
countermeasures that perform a common function, for example fire detection, are
contained in a single sub-group.
All the countermeasures within a sub-group should have the same security aspect
which indicates the type of measure being described. The seven possible security
aspects are:
Hardware
Software
Communications
Procedural
Physical
Personnel
Environment.
The countermeasure sub-groups contain detailed, but generic countermeasure
descriptions. Examples of these are shown in Table 8/1.
Countermeasures in each sub-group are arranged in a hierarchical structure, with all
countermeasures being assigned to one of three possible categories:
category 1: security objectives - a high-level statement
category 2: a detailed description of the security functions that help to
achieve the security objectives
category 3: examples of how the functions can be implemented.
Countermeasures have the following numbering system. Numbering begins at 1 for
the first Category 1 countermeasure in each sub-group. Any Category 2
countermeasures that support that objective are numbered as 1.# (for example, 1.1).
Category 3 countermeasures that support the Category 2 countermeasures are
numbered as 1.#.# (for example 1.1.1).
Table 8/1 illustrates the structure of the countermeasure library. Some
countermeasures are alternatives to each other and are presented as such when
selected. The Security Level is the lowest Measure of Risk value which an asset must
have for a particular threat which will result in the countermeasure being selected to
protect the asset.

Security | Category 1 Countermeasures        | Category 2 Countermeasures                            | Category 3 Countermeasures
Level    | (Security Objectives)             | (Functions)                                           | (Examples)
---------+-----------------------------------+-------------------------------------------------------+---------------------------------------
1        | 1. All users should be allocated  | 1.1 The user id may be shared between a group         |
         | an identifier (user id).          | of users                                              |
         |                                   | or                                                    |
         |                                   | 1.2 A register of service users should be maintained  |
2        |                                   | 1.3 Each user ID should be for the sole use of an     |
         |                                   | individual.                                           |
         |                                   | 1.4 Old accounts should be locked or deleted.         |
         |                                   | 1.5 The use of Guest accounts should be strictly      |
         |                                   | controlled.                                           |
4        |                                   | 1.6 Users should only be allowed one current session. |
5        |                                   | 1.7 Inactive accounts to be suspended                 | 1.7.1 All accounts that had not been
         |                                   | or                                                    | used for more than 60 days should be
         |                                   |                                                       | suspended.
         |                                   | 1.8 Users IDs should not give any indication          | 1.8.1 The User ID should not indicate
         |                                   | of the users privilege                                | the users job.
7        | 2. The system should maintain the | 2.1 Access to information should be consistent with   |
         | clearances and authorisation      | users clearances and privileges.                      |
         | granted to users.                 |                                                       |

Table 10-1: Structure of the Countermeasure Library

10.4.1 How CRAMM selects countermeasures


Method Concept: Each countermeasure in the CRAMM library is marked with the
security level, or range of security levels, that it provides on a scale of 1 (Very Low)
to 7 (Very High). For example, countermeasures may be marked as providing
security levels of 1 only, 2 to 5, 6 to 7 and so on. CRAMM selects countermeasures
by comparing the measures of risks that have been calculated for each threat against
the security levels assigned to each countermeasure. Countermeasures will be
selected as recommended where the measure of risk falls within the range of security
levels provided by the countermeasure, provided that the countermeasure is
considered by CRAMM to be applicable to the types of asset that are under review.
You can choose to calculate recommended countermeasures for a sub-set of threats or
for all threats. Countermeasures can be selected and reported on based on the
following parameters:
asset
countermeasure group
security aspect
category level.
You should prioritise the order in which you report on and review recommended
countermeasures. Concentrate on those assets and countermeasures of most interest
first, possibly just reporting on Category 1 countermeasures. You can then investigate
particular countermeasure areas in more detail. Avoid simply generating all
countermeasures for all threats and assets as this produces a lot of data to be looked
at, which is very time-consuming.
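The selection rule described above, as an added example that is not part of the CRAMM User Guide or the CRAMM software. It applies the security level range and asset class applicability test of section 10.4.1, then narrows the result by the reporting parameters listed (asset, group, aspect, category); the mini library, group and threat names, asset classes, level ranges and risk values are all constructed assumptions, not values from the CRAMM library.

```python
"""Countermeasure selection by security level (added example, not CRAMM's own code).

Rule from section 10.4.1: a countermeasure is recommended for an asset and threat
when the Measure of Risk (1 = Very Low .. 7 = Very High) lies within the security
level range the countermeasure provides, and the countermeasure is applicable to
that asset's class. Library, assets, threats and risk values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Countermeasure:
    number: str                 # "1", "1.1", "1.1.1": category is the depth of the number
    text: str
    group: str                  # countermeasure group (numbering restarts per sub-group)
    aspect: str                 # one of the seven security aspects
    levels: Tuple[int, int]     # lowest and highest security level provided (1..7)
    asset_classes: frozenset    # asset classes the countermeasure is applicable to
    threats: frozenset          # threats it protects against

    @property
    def category(self) -> int:
        return self.number.count(".") + 1


def cm(number, text, group, aspect, lo, hi, classes, threats):
    """Small constructor to keep the constructed library readable."""
    return Countermeasure(number, text, group, aspect, (lo, hi),
                          frozenset(classes), frozenset(threats))


MASQ = "Masquerading of User Identity"      # constructed threat names
FIRE = "Fire"
IA = "Identification and Authentication"   # constructed group names
FP = "Fire Protection"
USER_CLASSES = ("Application Software", "Physical")

# Constructed mini library, loosely following the shape of Table 10-1; the level
# ranges and applicability are assumptions, not values from the CRAMM library.
LIBRARY: List[Countermeasure] = [
    cm("1", "All users should be allocated an identifier (user id).", IA, "Software", 1, 7, USER_CLASSES, {MASQ}),
    cm("1.1", "The user id may be shared between a group of users.", IA, "Software", 1, 1, USER_CLASSES, {MASQ}),
    cm("1.3", "Each user ID should be for the sole use of an individual.", IA, "Software", 2, 7, USER_CLASSES, {MASQ}),
    cm("1.6", "Users should only be allowed one current session.", IA, "Software", 4, 7, USER_CLASSES, {MASQ}),
    cm("1.7", "Inactive accounts to be suspended.", IA, "Procedural", 5, 7, USER_CLASSES, {MASQ}),
    cm("1.7.1", "Accounts not used for more than 60 days should be suspended.", IA, "Procedural", 5, 7, USER_CLASSES, {MASQ}),
    cm("2", "The system should maintain the clearances and authorisation granted to users.", IA, "Software", 7, 7, USER_CLASSES, {MASQ}),
    cm("1", "Fires should be detected promptly.", FP, "Physical", 1, 7, ("Location",), {FIRE}),
    cm("1.1", "Smoke detectors should be installed.", FP, "Physical", 2, 5, ("Location",), {FIRE}),
]

# Constructed assets (name -> asset class) and Measures of Risk per (asset, threat).
ASSETS: Dict[str, str] = {
    "Payroll Application": "Application Software",
    "Payroll Server": "Physical",
    "Server Room": "Location",
}
RISKS: Dict[Tuple[str, str], int] = {
    ("Payroll Application", MASQ): 5,
    ("Payroll Server", MASQ): 7,
    ("Server Room", FIRE): 3,
    ("Server Room", MASQ): 5,   # a Location: user-id measures do not apply, so none is selected
}


def recommend(library, asset_classes, risks):
    """Return {(asset, threat): [countermeasures]} using the section 10.4.1 rule."""
    recs = {}
    for (asset, threat), risk in risks.items():
        if not 1 <= risk <= 7:
            raise ValueError(f"Measure of Risk must be 1..7, got {risk} for {asset}/{threat}")
        cls = asset_classes[asset]
        recs[(asset, threat)] = [
            c for c in library
            if threat in c.threats and cls in c.asset_classes
            and c.levels[0] <= risk <= c.levels[1]
        ]
    return recs


def filter_recommendations(recs, asset=None, group=None, aspect=None, category=None):
    """Narrow the recommendations by the reporting parameters of section 10.4.1
    (asset, countermeasure group, security aspect, category level)."""
    out = []
    for (a, threat), cms in recs.items():
        if asset is not None and a != asset:
            continue
        for c in cms:
            if group is not None and c.group != group:
                continue
            if aspect is not None and c.aspect != aspect:
                continue
            if category is not None and c.category != category:
                continue
            out.append((a, threat, c))
    return out


if __name__ == "__main__":
    # Report Category 1 countermeasures first, as the guide advises, then drill down.
    recs = recommend(LIBRARY, ASSETS, RISKS)
    for asset, threat, c in filter_recommendations(recs, category=1):
        print(f"{asset} / {threat} (risk {RISKS[(asset, threat)]}): [{c.group}] {c.number} {c.text}")
```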

10.4.2 Calculating countermeasures


Note that you cannot calculate countermeasures until you have calculated measures
of risks for the review.

To calculate the countermeasure recommendations for the review:
1. From the Risk Management screen, choose Calculate Recommended
Countermeasures. The Generate Recommended Countermeasures screen
is displayed, as shown in Figure 10-76.

Figure 10-76: Generate Recommended Countermeasures screen

2. Select the threats for which you wish to generate countermeasures from
the Threats for which Countermeasures have yet to be generated list box.
Warning!! This calculation is very complicated and can take considerable
time even on the most powerful processors.
3. When you have selected the threats, press the Generate button. Whilst the
calculation is taking place a dialog box is displayed with a mobile activity
indicator and a Cancel button. If you press the Cancel button the
calculation stops and the partial results are discarded. (The effect of this is
further explained in step 4.)
4. When the calculation finishes, the threats for which countermeasures have
been calculated will appear in the Threats for which Countermeasures have
already been generated list box. If you terminated the calculation by
pressing the Cancel button in the dialog box described in step 3 only the
threats for which the calculation was fully completed will appear in this
list box. This means that if you do need to cancel a calculation because it is
taking longer than you expected, you will not lose completed
recommendations.
5. If you want to examine the recommendations (using the Maintain
Countermeasure Implementation State or Countermeasure Assessment
Reports screen) before you have calculated for all of the threats, press the
Finish Calc button. This will tidy the partial recommendations. If you do
not do this, you will not be able to use the relevant screens until the
recommendations have been calculated for all threats.
Warning!! Note that if the system crashes whilst the calculation is taking place, you
should re-perform the calculation for the threat which was being processed when the
crash occurred. You need to do this before you carry out any other actions using the
software. Any threats for which recommendations were complete will be in the
Threats for which Countermeasures have already been generated list box. The threat that
was being processed when the crash occurred will still be in the Threats for which
Countermeasures have yet to be generated list box.

10.5 Printing Countermeasure Library


Method Concept: It is possible to print out the countermeasures contained in
CRAMM's countermeasure library before calculating recommended
countermeasures. This enables you to use the list of countermeasures to gather
information about which countermeasures are installed whilst conducting activities,
such as the threat and vulnerability assessment, in the Risk Analysis phase.

To produce reports on the contents of the countermeasure library:
1. From the Security Checklist screen, choose Countermeasure Library. The
Countermeasure Library Reports screen is displayed, as shown in Figure
10-75.

Figure 10-77: Countermeasure Library Reports screen

2. Select the appropriate option button in the Report Type group box. Security
Threshold is a report showing, for the countermeasures included, the
lowest measures of risks level for each impact that would result in the
countermeasure being selected for an asset. Asset Applicability is a report
showing, for the countermeasures included, the type, the cost and
effectiveness ratings, and the classes of asset(s) to which the
countermeasure applies.
3. Indicate which Countermeasure Groups you want to be included in the
report by either selecting the All Countermeasure Groups check box, or by
clearing it and making selections in the Countermeasure Groups list box.
4. If you only want to include countermeasures in the report that apply to a
particular asset class, use the Asset Classes group box fields as follows:
select the type from the drop-down list box
if you selected Application Software, Location or Physical, the
hierarchy diagram for the type will be displayed in the list box.
Select the class you require in this list box. You can select a class
from any level in the hierarchy, including all classes of the
selected type.
5. Select the security aspect and category of the countermeasures you wish
to include in the report from the Security Aspect and Category drop-down
list boxes.
6. Use the Output to controls to select the destination of the report, then
press the Generate Report button to produce the report.

10.6 Printing Countermeasure Assessment Reports


Method Concept: Once the recommended countermeasures have been calculated it
is possible to print out a report showing which countermeasures have been
recommended. This report can also be used after details of the status of these
recommendations have been recorded to selectively print countermeasures which are
not installed.
To produce the countermeasure assessment report:
1. From the Security Checklist screen, choose Countermeasure Assessment.
The Countermeasure Assessment Reports screen is displayed, as shown
in Figure 10-78.

Figure 10-78: Countermeasure Assessment Reports screen

2. Select the appropriate option button in the Report Type group box.
Countermeasure Status is a report showing, for the countermeasures
included, which have been recommended for which assets.
Countermeasure Costs is a report showing the costs and timescales entered
when using the Costs and Timescales screen, which is part of analysing
the recommended countermeasures.
3. Indicate which Countermeasure Groups you want to be included in the
report by either selecting the All Countermeasure Groups check box, or by
clearing it and making selections in the Countermeasure Groups list box.
4. If you only want to include countermeasures in the report that apply to a
particular asset, use the Asset box fields as follows:
Select the asset you require in this list box. You can select a single
asset or a number of assets.
5. If you only want to include countermeasures in the report that have a
particular status, use the Status box fields as follows:
Select the status flags you require in this list box. You can select a
single status flag or a number of status flags.
6. Use the Output to controls to select the destination of the report, then
press the Generate Report button to produce the report.

10.7 Identifying existing countermeasures


Method Concept: The recommended security profile produced by CRAMM
represents an initial set of countermeasure recommendations. For an existing
system, the recommended countermeasures need to be compared against those that
are already in place to identify weaknesses or areas of over-provision.
The Identifying Existing Countermeasures screen is shown below:

Figure 10-79: Identifying Existing Countermeasures

You need to identify and record any countermeasures that are already in place. You
can do this either before or after you have derived the recommended
countermeasures from CRAMM. Do this as follows.
Talk to people who can provide information on installed countermeasures. Examples
of such people are:
system manager/administrator
network manager
development manager
operations manager
user management
accommodation officer
personnel manager.
These people are often the same as those interviewed during the threat and
vulnerability assessment and so, if required, you can carry out this process at the
same time. If you decide to do this, you should prepare a pack for each interview that
contains the countermeasures to be examined during the interview. You can produce
this using the Countermeasure Library - Other Information report (see section 10.5).
You can use the countermeasure packs as check-lists, simply identifying which
countermeasures are in place and which are not.
Where a high-level or rapid CRAMM review is being undertaken you may elect to
investigate only Category 1 countermeasures. However, because the Category 1
countermeasures are policy statements, it is often difficult to know whether a policy
is being achieved without examining which of the functions that support the policy
are actually in place. You may therefore wish to review the Category 2
countermeasures for selected sub-groups during a high-level or rapid review.
When discussing the countermeasures with the interviewee you need to record:
the status of the countermeasure
any comments that the interviewee makes about it, such as future plans that
could affect the countermeasure or weaknesses in the way it is currently
implemented.
There are three statuses that you can allocate to a countermeasure at this stage, as
follows:
if an existing or planned countermeasure fully meets the requirements laid
out in the countermeasure description, record it as Installed. All
countermeasures that are currently installed should be recorded, not just
those which have been, or may be, recommended on the basis of the risk
analysis. This enables CRAMM to print a list of countermeasures currently in
place which could not be justified on the basis of the risks determined during
the risk analysis. Countermeasures of any of the three categories can be
marked as installed. In practice, the most important requirement is to know
that the security functionality has been provided, that is that Category 2
countermeasures have been investigated and marked accordingly. Category
3 countermeasures are examples and are normally only used if further
information is required on what is meant by a particular Category 2
countermeasure
if the countermeasure is not installed, or if the current implementation of a
countermeasure is weak in some respect, record its status as Under Discussion
if a countermeasure is not appropriate to the asset it has been recommended
for, record it as Not Applicable. For example, if the countermeasure rotate
shifts is recommended for operators of a particular system, but there is only
one shift of operators, you should mark the countermeasure as Not Applicable.
Only do this when a countermeasure could not be applied, not just when it
would be difficult to implement.
Once all the interviews have been completed, check that you have covered all
appropriate countermeasure groups and gathered all the required information.

Enter the status of the countermeasures into the CRAMM software using any of
the three options shown on the Identifying Existing Countermeasures screen. The
reason for providing three options is to accommodate different ways of working:
Enter Installed Countermeasure By Countermeasures
This option allows you to see all of the assets for which a countermeasure
has been recommended, and to record the status of that countermeasure
with respect to those assets
Enter Installed Countermeasure By Asset
This option allows you to see all of the countermeasures in a sub-group
and the status of these countermeasures with respect to a particular asset
Display Countermeasure Tree
This option represents the countermeasure library as a tree structure,
allowing you to explore the countermeasure groups in a more flexible
manner and to see graphically the hierarchical structure of the
countermeasure library
Table 8/2 describes the statuses that can be associated with a countermeasure.

Status                      | Description
----------------------------+---------------------------------------------------------------
Installed                   | The countermeasure is already in place.
To be implemented           | It is a measure that you would recommend to management, but
                            | has yet to be implemented.
Implementing Recommendation | Work has commenced on implementing the countermeasure, but
                            | has not yet been completed.
Implemented Recommendation  | The recommendation to implement the countermeasure has been
                            | accepted and it is now in place.
Already covered             | This countermeasure is not recommended because other
                            | countermeasures already exist which adequately protect the
                            | assets against the identified threats.
Accept level of risk        | It has been decided that although the countermeasure has
                            | been recommended by CRAMM, it will not be implemented and
                            | the risk will be accepted.
Under discussion            | A decision has yet to be taken on whether or not to
                            | implement the countermeasure.
Not applicable              | The countermeasure is not applicable to a particular asset.
Not installed               | A countermeasure has been investigated and determined not
                            | to be in place.

Table 10-2: Countermeasure Statuses

10.7.1 Enter Installed Countermeasure By Countermeasure


From the Identifying Existing Countermeasures screen, choose Entering
Installed Status By Countermeasure. The Entering Installed Status By
Countermeasure screen is displayed, as shown in Figure 10-80.

Figure 10-80: Maintain Countermeasure Implementation State By Countermeasure screen

Select the countermeasure group, security aspect, category and sub group
of the countermeasures you wish to view from the appropriate drop-
down list boxes. A description of the first countermeasure satisfying your
selections is displayed in the Countermeasure list box, along with its
number.
Use the Next and Previous buttons to move through the countermeasures
which satisfy the selections made in step 2.
The assets for which the countermeasure displayed in the Countermeasure
list box has been recommended will be listed in the Countermeasure Use
table. These assets have an R displayed in the Rec column of the table.
For each asset, select the status which reflects your decision from the
drop-down list box in the appropriate cell in the Implementation Status
column. Table 8/2 describes each status.

You can create, view or alter a comment which qualifies the
implementation status for an asset by selecting any field in the
appropriate row and pressing the Note button. A screen is then displayed
into which you can type or edit the comment. When you are satisfied with
the comment, press the OK button in this screen, and your description
appears in the Comment column. Alternatively, click in the Comment
column, and a small text box appears into which you can type text.
If you wish to set the implementation status for an asset for which the
countermeasure has not been recommended, press the New button. This
displays the Select Assets screen. Use this screen to select a list of assets.
When you close this screen, the list is displayed in a set of new rows in the
Countermeasure Use table.
Assets for which the countermeasure has not been recommended do not
have an R displayed in the Rec column of the table.
Once you have returned to the Maintain Countermeasure
Implementation State screen you can then set the implementation status
for the new rows as described in steps 5, 6 and 7, as appropriate.
To remove a countermeasure use that you have created, select the
appropriate row and press the Delete button. Note that you cannot delete
an entry which was recommended by the software, only one which you
have created yourself.
Once you have decided on the status of the various countermeasures, you can print
them out using the Countermeasure Status report, produced using the
Countermeasure Assessment Reports screen (see section 10.6).

10.7.2 Enter Installed Countermeasure By Asset


From the Identifying Existing Countermeasures screen, choose Entering
Installed Status By Asset. The Entering Installed Status By Asset screen is
displayed, as shown in Figure 10-81.

Figure 10-81: Maintain Countermeasure Implementation State By Asset screen

10.7.3 Display Countermeasure Tree


From the Identifying Existing Countermeasures screen, choose the Display
Countermeasure Tree option. The Countermeasure Tree screen is displayed, as
shown in Figure 10-82.

Figure 10-82: Countermeasure Tree


By using either the mouse or the arrow keys on the keyboard it is possible to navigate
through all of CRAMM's countermeasure library.
If a countermeasure is selected, the lower part of the screen shows whether that
countermeasure has been recommended for any particular asset and what the current
status of that countermeasure is.
It is possible to update the status of the countermeasure for either a specific asset or
for all assets that the countermeasure has been recommended for, by using the Set
Status for all asset combo box.

10.8 Analysing and Making Recommendations


The Analysing and Making Recommendations screen is shown below:

Figure 10-83: Analysing and Making Recommendations

10.9 Prioritising countermeasures


Method Concept: Certain countermeasure recommendations will have a higher
priority for implementation than others, and management will wish to understand
the recommended priority order. CRAMM provides an automated facility to assist
with prioritisation of countermeasures.
Once you have decided which countermeasures to implement, you need to prioritise
them. You can use CRAMM to do this automatically for you. It only provides a first
pass at prioritisation, but it does help focus attention on key countermeasures.
CRAMM gives a higher priority to a countermeasure if:
it protects against several threats
it is required to protect a high risk system
there are no alternative countermeasures already installed.
In addition, the prioritisation function takes account of the following factors:
cost
effectiveness
the type of protection provided by the countermeasure.
Sections 10.9.1 to 10.9.6 describe how CRAMM deals with these factors.

10.9.1 Cost rating


Method Concept: Countermeasures which are inexpensive to implement are more
attractive than those which are expensive. All other factors being equal, the lower
the cost of a countermeasure, the higher its priority for implementation.
The CRAMM prioritisation function includes a broad indication of the cost of each
countermeasure. This is stated on a scale of:
low
medium
high.
CRAMM cannot determine the exact cost of implementing any particular
countermeasure because this will vary according to the size and complexity of the
system or network under review. However, it does provide an estimate of the cost
associated with each countermeasure. It does this as follows:
an estimate was made of the cost of installing the countermeasure for a
fictitious general purpose system, located on a single site, and supporting
approximately 50 users. Since capital and running costs can be difficult to
compare, the cost is based on an estimate of the annualised cost of
implementing each of the countermeasures
for countermeasures that involve capital expenditure, the costs were
assumed to be written off over five years. For countermeasures that
involve the expenditure of staff time, a £250 per diem rate was assumed
the costs were then assigned on the following basis:
low: £0 to £500
medium: £500 to £2,000
high: more than £2,000
If you want to record more accurate costs that apply directly to the system or
network under review, use the Maintain Countermeasure Costs screen (see section
10.10).

10.9.2 Effectiveness rating


Method Concept: Countermeasures which are effective at achieving their objectives
are more attractive than those that are ineffective. All other factors being equal, the
higher the effectiveness of a countermeasure, the higher its priority for
implementation.
CRAMM includes a broad indication of the effectiveness of each countermeasure.
This is stated on a scale of:
low
medium
high.
The effectiveness rating is defined as the degree to which a countermeasure meets
the objectives of the sub-group that it is contained in.
For example, the sub-group Fire Detection includes the following three
countermeasures:
manual fire alarm
smoke detector
very sensitive smoke detecting equipment.
The effectiveness rating is an indication of how effective each of these
countermeasures is at meeting the aim of the Fire Detection sub-group.

10.9.3 Type of countermeasure


Method Concept: Although it is important to implement a balanced set of
countermeasures, those that prevent an incident occurring are considered to have a
higher priority than those that detect or facilitate recovery from an incident.
The way in which a countermeasure works is indicated by the Type of
Countermeasure value in CRAMM. Each countermeasure is identified as working in
one of the following ways:
RT - Reduce Threat
RV - Reduce Vulnerability
RI - Reduce Impact
D - Detect
R - Recover.
These types are listed in descending order of effectiveness in providing protection
against a threat - it is better to introduce countermeasures that reduce the threat than
those that only help recovery from an incident. However, you should always
implement a balanced set of protection, in order to provide protection in depth.
The points covered in these sections are not comprehensive, but they do cover some
of the most important issues. Even using these factors there is no universal
agreement over the relative importance of each individual factor. CRAMM
overcomes this by allowing you to alter the weightings associated with each factor, as
described in section 10.9.5.

10.9.4 How CRAMM calculates priorities


Method Concept: For each recommended countermeasure, CRAMM considers the
various factors that influence priority and, on the basis of this, calculates an overall
priority rating.
The steps involved in calculating the priority of the individual countermeasures are
as follows:
separate priority ratings are calculated for each countermeasure that has
been recommended for an asset
priority ratings are not calculated for countermeasures that are currently
installed
for each countermeasure/asset combination, separate priority factors are
awarded based on:
the cost rating
the effectiveness rating
the number of threats that the countermeasure protects against
the type of protection provided by the countermeasure (such as
reduce threat or reduce vulnerability)
the highest measure of risk that led to the countermeasure being
recommended for that asset
the overall priority rating for each countermeasure/asset combination is
then reduced by a set percentage if an alternative countermeasure is
already in place.
Table 10-3 shows the default weightings for each of these factors.

Factor                                     Possible Value   Weighting
Cost indicator associated with             L                10
countermeasure                             M                 6
                                           H                 2
Effectiveness rating                       L                 2
                                           M                 6
                                           H                10
Additional score for each threat that      per threat        2
the countermeasure combats
Type of countermeasure                     T                10
                                           RT               10
                                           RV                8
                                           RI                6
                                           D                 4
                                           R                 2
Highest measure of risk that led to        1                 2
the countermeasure being                   2                 4
recommended for that asset                 3                 6
                                           4                 8
                                           5                10
                                           6                12
                                           7                14
Percentage reduction for existence of                       50%
alternative countermeasures

Table 10-3: Weightings for Priority Factors
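As an added illustration, and not code from the CRAMM software or from this guide, the following Python puts the cost banding of 10.9.1, the factors of 10.9.4 and the default weightings of Table 10-3 together into one runnable prioritisation function, and shows the tailoring of 10.9.5 by overriding a single set of weightings. It assumes that the five factor scores are added together (the guide lists the factors and their weightings but does not state the combination rule), that a cost exactly on a band boundary falls into the lower band, and that the per diem rate is in pounds sterling; only the five countermeasure types defined in 10.9.3 are given weights. The Fire Detection figures, the asset name "Server room" and the risk levels are constructed for the example.

```python
"""Added example: CRAMM-style countermeasure prioritisation (sections 10.9.1-10.9.5)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PER_DIEM = 250               # staff time rate from 10.9.1 (pounds sterling assumed)
CAPITAL_WRITE_OFF_YEARS = 5  # capital expenditure written off over five years (10.9.1)


def annualised_cost(capital: float, staff_days_per_year: float) -> float:
    """Annualised implementation cost, estimated as 10.9.1 describes."""
    return capital / CAPITAL_WRITE_OFF_YEARS + staff_days_per_year * PER_DIEM


def cost_rating(annual_cost: float) -> str:
    """Band an annualised cost into L/M/H (10.9.1: 0-500, 500-2,000, over 2,000).
    Assumption: a cost exactly on a boundary falls into the lower band."""
    if annual_cost <= 500:
        return "L"
    if annual_cost <= 2000:
        return "M"
    return "H"


@dataclass
class Weights:
    """Priority factor weightings. Defaults are Table 10-3; override any field to
    tailor the function as 10.9.5 describes (Maintain Priority Factors screen)."""
    cost: Dict[str, int] = field(default_factory=lambda: {"L": 10, "M": 6, "H": 2})
    effectiveness: Dict[str, int] = field(default_factory=lambda: {"L": 2, "M": 6, "H": 10})
    per_threat: int = 2
    cm_type: Dict[str, int] = field(
        default_factory=lambda: {"RT": 10, "RV": 8, "RI": 6, "D": 4, "R": 2})
    highest_risk: Dict[int, int] = field(
        default_factory=lambda: {level: 2 * level for level in range(1, 8)})
    alternative_reduction: float = 0.5   # 50% reduction if an alternative is in place


@dataclass
class Recommendation:
    """One countermeasure/asset combination produced by the risk analysis."""
    countermeasure: str
    asset: str
    cost: str                   # L/M/H cost rating
    effectiveness: str          # L/M/H effectiveness rating
    cm_type: str                # RT, RV, RI, D or R
    threats: Tuple[str, ...]    # threats it protects against for this asset
    highest_risk: int           # highest measure of risk (1-7) behind the recommendation
    installed: bool = False
    alternative_installed: bool = False


def priority(rec: Recommendation, w: Optional[Weights] = None) -> Optional[float]:
    """Priority rating for one countermeasure/asset combination, or None when the
    countermeasure is already installed (10.9.4 calculates no rating for those).
    Assumption: the five factor scores are added together; the guide lists the
    factors and their weightings but does not spell out the combination rule."""
    if w is None:
        w = Weights()
    if rec.installed:
        return None
    score = (w.cost[rec.cost]
             + w.effectiveness[rec.effectiveness]
             + w.per_threat * len(rec.threats)
             + w.cm_type[rec.cm_type]
             + w.highest_risk[rec.highest_risk])
    if rec.alternative_installed:
        score *= 1 - w.alternative_reduction
    return score


def prioritise(recs: List[Recommendation],
               w: Optional[Weights] = None) -> List[Tuple[str, str, float]]:
    """Rank recommendations highest priority first; installed ones are left out.
    Ties keep their input order (Python's sort is stable)."""
    scored = [(r.countermeasure, r.asset, priority(r, w)) for r in recs if not r.installed]
    return sorted(scored, key=lambda t: t[2], reverse=True)


# Constructed sample: the Fire Detection sub-group from 10.9.2 recommended for one
# asset. Capital/staff figures, effectiveness ratings and risk levels are illustrative.
FIRE_DETECTION = [
    Recommendation("Manual fire alarm", "Server room",
                   cost_rating(annualised_cost(1000, 0)), "L", "D", ("Fire",), 5),
    Recommendation("Smoke detector", "Server room",
                   cost_rating(annualised_cost(4000, 2)), "M", "D", ("Fire",), 5),
    Recommendation("Very sensitive smoke detecting equipment", "Server room",
                   cost_rating(annualised_cost(20000, 10)), "H", "D", ("Fire",), 5,
                   alternative_installed=True),   # an alternative is already in place
]

if __name__ == "__main__":
    print("Default Table 10-3 weightings:")
    for name, asset, score in prioritise(FIRE_DETECTION):
        print(f"  {score:5.1f}  {name} ({asset})")
    # Tailored weightings (10.9.5): this reviewer values effectiveness more heavily.
    tailored = Weights(effectiveness={"L": 2, "M": 8, "H": 14})
    print("Tailored effectiveness weightings:")
    for name, asset, score in prioritise(FIRE_DETECTION, tailored):
        print(f"  {score:5.1f}  {name} ({asset})")
```

With the default weightings the three detection countermeasures all score 28 before the alternative reduction is applied, because the cost and effectiveness scales are mirror images of each other (a cheap, low-effectiveness alarm and an expensive, high-effectiveness detector both collect 12 from those two factors); only the 50% reduction for an existing alternative separates them. Raising the effectiveness weightings, as a reviewer might do through the Maintain Priority Factors screen, breaks the tie in favour of the more effective equipment, which is exactly the kind of judgement 10.9.5 leaves to the organisation.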


10.9.5 Tailoring the CRAMM prioritisation function


Method Concept: The weightings given to different priority factors can be tailored
to meet the requirements of the organisation or the specific system under review.
To change the default weightings used to prioritise countermeasure
recommendations:
Step
From the Analysing and Making Recommendations screen, choose
Maintain Priority Factors. The Maintain Priority Factors screen is
displayed, as shown in Figure 10-84.

Figure 10-84: Maintain Priority Factors screen


This screen contains a table with the columns Factor, Value and Weighting.
Initially this will contain the values in Table 10-3. To change any of the
weightings, select the appropriate cell in the Weighting column and type
the new value into it.


10.9.6 Calculating the prioritisation and printing the results


To calculate the priority levels for the countermeasure recommendations and print
the results and their derivation:
Step
From the Analysing and Making Recommendations screen, choose
Generate Priorities Report. The Countermeasure Priorities Report screen is
displayed, as shown in Figure 10-85.

Figure 10-85: Countermeasure Priorities Report screen

Indicate which countermeasure groups you want to include in the report
by either selecting the All Countermeasure Groups check box, or by clearing
it and making selections in the Countermeasure Groups list box.
Indicate which assets you want to include in the report by either selecting
the All Assets check box, or by clearing it and pressing the Select Assets
button. This displays the Select Assets screen, in which you can create a
list of assets.
When you close the Select Assets screen the list of assets that you selected
is displayed in the Assets list box in the Countermeasure Priorities Report
screen.
Select the security aspect and category of the countermeasures you wish
to include in the report from the appropriate drop-down list boxes.
Use the Output to controls to select the destination of the report, then
press the Generate Report button to produce the report.


10.10 Entering the cost of countermeasures


Method Concept: The estimated cost of implementing each recommended
countermeasure for the particular system or network under review can be recorded
in CRAMM and then reported on.
The next step is to enter the installation and running costs of any recommended
countermeasures. There are two steps involved:
determining the cost bands to be used
entering the costs into CRAMM.

10.10.1 Determining cost bands


Method Concept: Since it is often difficult to estimate implementation costs
accurately, bands are used to record installation and running costs.
You should define two sets of bands, one representing installation costs and the other
on-going running costs. In the example below installation costs are banded in money
and running costs in staff days per annum:

Installation Costs    Running Costs
< £1,000              < 1 day per annum
< £5,000              < 5 days per annum
< £15,000             < 15 days per annum
> £15,000             > 15 days per annum

Table 10-4: Example Cost Bands

You can alter the bands both in number and in the ranges covered to suit the needs of
each specific review.


To create cost bands for installation and running of countermeasures:


Step
From the Analysing and Making Recommendations screen, choose
Maintain Cost Bands. The Maintain Countermeasure Cost and Timescale
Bands screen is displayed, as shown in Figure 10-86.

Figure 10-86: Maintain Countermeasure Cost Bands screen

Select the Installation, Running or Timescale option button depending on
the type of costs/timescales you wish to view or define.
The Cost Band table will display the cost bands of the selected type that
you have already defined.
You can edit the definition of an existing cost band by selecting its row in
the Cost Band table and typing into it using the normal Windows keys and
key combinations.
You can define a new cost band by pressing the New button. This will
create a new row in the Cost Band table after any existing rows. You then
type the description of the new cost band into this row.
If you wish to delete an existing cost band select it in the Cost Band table
and press the Delete button.


10.10.2 Entering costs and timescales into CRAMM


Having defined the bands, you need to estimate the costs of installing each
countermeasure using the Maintain Countermeasure Costs screen.
To record the costs of countermeasure recommendations:
Step
From the Analysing and Making Recommendations screen, choose the
Countermeasure Cost option. The Maintain Countermeasure Costs screen
is displayed, as shown in Figure 10-87.

Figure 10-87: Maintain Countermeasure Costs screen


Select the countermeasure group, security aspect, category and subgroup
of the countermeasures you wish to view from the appropriate drop-
down list boxes. A description of the first countermeasure satisfying your
selections is displayed in the Countermeasure list box, along with its
number.
Use the Next and Previous buttons to move through the countermeasures
which satisfy the selections made in step 2.
The assets for which the countermeasure displayed in the Countermeasure
list box has been recommended will be listed in the table.
Select the installation and running costs for a specific asset from the drop-
down list box in the appropriate cells in the Installation Cost Band and
Running Cost Band columns.
Once you have recorded the costs of all the recommendations, you can print out cost
information using the Countermeasure Assessment Reports screen.


To print details of the countermeasure costs you have recorded:


Step
From the Security Checklists screen, choose Countermeasure Assessment.
The Countermeasure Assessment Reports screen is displayed, as shown
in Figure 10-77.
Select the Countermeasure Costs option button.
Select the contents of the report as described in section 10.6. Note that the
Installation Status and Recommended Countermeasures Only fields are not
available for this report.

10.10.3 Making your decisions


Method Concept: For an existing system, some differences will be identified when
the recommended security profile is compared against those countermeasures
already installed. Decisions on how best to address these differences need to be made.
Options range from confirming the requirement for additional countermeasures to
be implemented, to accepting the level of risk.
The next task is to make decisions about the countermeasures recommended by
CRAMM but not currently installed.
The tasks in the CRAMM review up to this point have been fairly methodical, but
this task cannot be structured to the same degree. It requires judgement and
experience of CRAMM and IT security management. If you have not carried out this
type of exercise before, it is often helpful to involve someone who does have previous
experience.
CRAMM will identify an ideal security profile for the system or network based on
the risk analysis. The profile will be a balanced set of security countermeasures
covering all aspects of security (hardware, software, procedural, document, physical,
communications and personnel). However, since every environment is different, you
need to consider how the countermeasures would fit into the business and technical
environment.
Consider the following factors:
key point security: You may decide to focus on implementing security at key
points, rather than at all levels. For example, it may be more effective to
improve physical security rather than implement complex technical security
the existing environment: You should examine how countermeasures would
be implemented within the environment. Certain countermeasures can be
implemented in different ways, for example, identification and
authentication of users could be provided via the host system, a network
authentication service, the application or a combination of all three
additional factors: The priority that you place on a particular
countermeasure may be affected by other factors that are not directly related
to the risk analysis. Examples are:
the impact the countermeasure would have on the smooth running
of the organisation
any plans that exist for upgrading a system or network
the budget available for implementing recommendations
pressure from other parties, such as external auditors or clients, to
implement specific solutions
alternative methods of implementing similar levels of protection
the views of management
indications that a threat may be increasing or decreasing
physical security: HM Government users must ensure that they comply with
minimum baseline measures for physical security described in the Manual of
Protective Security (MPS). (These measures are described in chapter 3,
section 1 Guide to Physical Security of the MPS Framework and Guide.)
This list is not comprehensive, but it does indicate the complexity of the decision
making process. It is part of the reviewer's responsibility to consider all of the factors
that could influence the decision when making recommendations.

10.10.4 Entering your decisions


The Identifying Existing Countermeasures options can be used to record which
countermeasures you consider should be implemented, and which you would
recommend do not need to be implemented and that the risk can be accepted.

10.11 Risk Management Reporting


The Risk Management Reporting screen is shown below:

Figure 10-88: Risk Management Reporting screen


10.12 Stage 3 backtrack facility


Method Concept: An important design feature of CRAMM is that there is no
hidden logic in any part of the method. The backtrack facility is a powerful tool for
identifying the factors that led to particular conclusions or recommendations. The
Stage 3 backtrack facility enables you to look at the reasons behind the selection and
recommendation of a particular countermeasure.
Using the details of a countermeasure and the asset for which it has been
recommended, the Stage 3 backtrack facility produces a report highlighting the
threats that caused the countermeasure to be recommended. You can then decide to
continue the backtrack through Stage 2 and even through Stage 1, if desired.
The Stage 3 backtrack report contains details of:
the countermeasure selected
the assets that the countermeasure has been recommended for
the threat(s) that the countermeasure protects against
the measure(s) of risk that led to the countermeasure being recommended.
If a countermeasure is likely to require significant expenditure or effort to implement,
a backtrack analysis will help you to prepare a case for its implementation.


To produce a backtrack report on the recommendation of a particular
countermeasure for an asset:
Step
From the Risk Management Reporting screen, choose the Stage 3 Backtrack
option. The Stage 3 Backtrack Report screen is displayed, as shown in
Figure 10-89.

Figure 10-89: Stage 3 Backtrack Report screen

Select the countermeasure group, security aspect, category and sub group
of the countermeasures you wish to view from the appropriate drop-
down list boxes. The description of the first countermeasure satisfying the
selections will be displayed in the Countermeasure list box along with its
number.
Use the Next and Previous buttons to move through the countermeasures
which satisfy the selections made in step 2.
The assets for which the countermeasure you selected has been
recommended are displayed in the Report on Asset drop-down list box.
Select the asset you wish to produce the backtrack report for in the Report
on Asset drop-down list box.
If you want to produce the associated Stage 2 backtrack reports, select the
Perform Related Stage 2 Backtrack check box.
You can also produce the associated Stage 1 backtrack reports by selecting
the Perform Related Stage 1 Backtrack check box in the Stage 2 Backtrack
Report screen.


Use the Output to controls to select the destination of your report, then
press the Generate Report button to produce the report.
If you selected the Perform Related Stage 2 Backtrack check box in step 6, a
separate report will be produced for the Stage 2 backtrack and each
associated backtrack.
The Stage 2 Backtrack Report screen appears for each associated report. You
should select the output for the report, or not perform the specific
backtrack as required. You can also abandon the backtrack sequence at
any point.

10.13 Risk Management Report


Method Concept: Presenting a report to management showing the recommended
countermeasures is a vital part of the risk assessment activities.
The objective of the Risk Management Report is to present the overall findings,
conclusions and recommendations from the review. The report should set out the
recommendations made as a result of the review, and include a summary of the
findings and conclusions from Risk Analysis. It should also explain why these
recommendations have been made and provide a broad indication of the priority and
costs involved in implementing the recommendations.
Selecting this option will initiate a Wizard that will take users through the process of
writing a Risk Management Report.
The screens in the Wizard are as follows:
Screen 1 Select Name of Report
This screen allows users to create new reports or to open a report that they
have already been working on.
Screen 2 Select Sections to appear in report
This screen gives the user the opportunity to choose which sections of the
standard report they wish to include in their report. One section, Threat and
Vulnerabilities, is mandatory.
Screen 3 Select Threats to appear in report
This screen gives the user the opportunity to choose which threats they wish
to include in their report.
Screen 4 Select Countermeasure Groups that combat the threats selected
This screen gives the user the opportunity to choose which countermeasure
groups they wish to discuss in relation to each threat. A countermeasure
group can only appear against one threat.
Screen 5 Report Tree for editing information in the report
This screen allows users to edit the standard words that are contained in the
normal template, or the words that have been pulled through from the data
asset scenarios, or the factors behind the assessment of threats and
vulnerabilities.
Screen 6 Save/Print/Export report
This screen allows users to specify which appendices they wish to include in
their report, and then to either preview the report, print the report or to
export it into MS Word format for further editing.


10.14 Stage 3 management review meeting


Method Concept: The purpose of the Stage 3 review is to ensure that the objectives
of the review have been achieved and to review and agree conclusions and
recommendations.
At the end of Stage 3, management consider the recommendations, and either
endorse or reject those recommendations. This usually takes place at a Stage 3
management review meeting.

10.14.1 Preparing for the review meeting


Method Concept: A range of reports can be generated from the CRAMM software
to assist you to prepare for the Risk Management meeting.
Prior to the meeting you need to prepare a report or a series of reports that set out the
recommended countermeasures, their costs and priorities.
You can use the Risk Management reporting facility for producing first drafts of
these reports, but they will need tailoring to comply with the needs of the audience
and any documentation standards that apply within your organisation.
It may prove useful to include a management summary containing:
an overview of the system or network and the risks it faces
an overview of the current status of security within the system or network
a summary of the major recommendations made during the review and
the costs involved.
The report(s) should be distributed in advance of the management review meeting
and will form the basis for the discussions that take place at the meeting.

10.14.2 The review meeting


Method Concept: As well as providing a formal review of the overall risk
assessment and, in particular, the recommendations, the review meeting provides an
opportunity for you to maintain or raise awareness and commitment from
management.
The purpose of the Risk Management meeting is for management to agree:
the countermeasures to be implemented, enhanced or, possibly, removed
an outline implementation plan
the timing of the next review.
You should concentrate on describing the recommendations that you feel are most
important and/or those that will lead to significant expenditure in terms of either
capital or running costs. You should also highlight any possibly contentious
recommendations.


Following the meeting, report(s) should be updated as necessary and final versions
distributed.

10.15 Section summary


At this point, you will have done the following:
identified, using CRAMM, the countermeasures to protect against the
threats and vulnerabilities
printed the countermeasure lists
identified all existing countermeasures
entered the existing countermeasures into the CRAMM software
entered those countermeasures deemed not applicable into the CRAMM
software
printed the countermeasure recommendation listings
defined the priorities that you would place on the individual
recommendations. You can use the prioritisation, What If and backtrack
facilities provided by the CRAMM software to assist you in this task. (The
What If facility is described in Section 17)
produced a report or reports covering specific topics for review by
interested representatives from the project board
produced a management summary report
held a Risk Management review meeting
produced and issued the final management report.
Annex C contains a complete checklist.



Chapter 11
BS 7799

11. BS 7799
11.1 Introduction
Method Concept: The full title of BS 7799 is BS 7799: Code of Practice for
Information Security Management. The standard is intended for use by managers
and employees who are responsible for initiating, implementing and maintaining
information security. One of the key requirements of BS 7799 is the need to
complete a risk assessment, therefore CRAMM is ideally placed to help
organisations demonstrate their compliance with the standard. CRAMM provides a
complete range of support for all of the BS 7799 tasks, including conducting a gap
analysis and preparing a statement of applicability.
CRAMM assists organisations in demonstrating their compliance with BS 7799. In
particular, it contains:
the ability to produce organisational information security policies, Scope of
Information Security Management System (ISMS) and security management
framework documents
a fully worked through risk assessment with the results related directly to the
sections contained in BS 7799
the ability to record management's views on the need for particular controls
the ability to record what resources deliver those controls
facilities to help prepare a security improvement programme
facilities to help prepare a statement of applicability
This section covers the following topics:
steps in BS 7799 assignment (Section 11.3)
initiating a BS 7799 assignment (Section 11.4)
conducting a gap analysis (Section 5)
preparing a security improvement program (Section 0)
preparing a statement of applicability (Section 0)
the role of CRAMM in supporting BS 7799 (Section 0)


11.2 Creating a BS 7799 Review


Method Concept: When creating a review, you have to specify whether you wish
to create a BS 7799 review or a CRAMM review. If you choose to create a BS 7799
review you can access a series of screens and reports designed to help users
complete BS 7799 assignments. You are still able to access all of the CRAMM
screens and their reports.
To create a review from scratch:
Step
1 Open the Review application by double-clicking on the CRAMM 5.1 icon.
Once you have entered the tool password (as described in section 5.6), the
Review application window is displayed, as shown in Figure 5-10.
2 From the Review menu, choose New. The Create Review screen is
displayed, as shown in Figure 5-5.

Figure 11-90: Create Review screen


This screen allows you to enter details of the review you wish to create, as
follows.
3 Use the Name text box to enter a name for the review.
4 Use the Type of Review combo box to select the type of review that you
wish to conduct. The options are CRAMM Expert, CRAMM Express or a
BS 7799 review.
5 Use the Protective Marking text box to enter the protective marking for the
review.
6 Use the Description text box to enter a description of the review.
7 Use the Report Header text box to enter the header to be used in reports
produced by the review.


8 The Existing Reviews text box lists the names of existing reviews which
you have created to enable you to select an appropriate, unique name for
the review.
9 When you are satisfied with the details for the review, press the Create
Review button. The Enter New Review Password screen is displayed, as
shown in Figure 5-6.
If you want to set up a password for the review, type it into the New
Password text box. The password can be up to eight characters long. Type
it again into the Confirm New Password text box and press the OK button.
If you do not want to set up a password, select the Do not password protect
check box. Treat the review password as a convenience rather than a safeguard:
eight characters give little resistance to guessing, so a review that carries a
protective marking should also be protected by access controls on the machine
that holds it.
10 A screen is displayed while the review is being created that contains a
mobile activity indicator and a Cancel button. When the review has been
created, the Main BS 7799 process flow screen is displayed.
11 If you decide not to create a new review after all, simply press the Close
button to return to the Review application window.

11.3 Steps in BS 7799 Assignments


Method Concept: BS 7799 assignments are projects in themselves and require
planning and control. The basic steps involved in such assignments are to agree the
scope of the work, conduct a gap analysis against the standard, prepare a security
improvement programme, construct a statement of applicability based on the work
conducted. The results of the risk assessment can be fed into the gap analysis, the
security improvement programme and the statement of applicability.
CRAMM does not limit its support for BS 7799 to those aspects directly related to the
risk assessment. Instead, it provides support for all the steps of BS 7799 assignment.


On opening a BS 7799 review, you are presented with the main BS 7799 form which is
shown below:

Figure 11-91: Main BS 7799 Screen


The right hand panel shows a graphical representation of all the steps involved in a
BS 7799 assignment and the status of each step. If a step has been marked as
complete a green tick is shown next to the step; if it has yet to be marked as complete,
a red cross appears next to the step.
It is possible to navigate to each step in BS 7799 either by pressing the relevant button
to show the lower level steps, or by double clicking on a step in the status panel on
the right hand side of the Main BS 7799 Screen.


11.4 Initiating a BS 7799 Assignment


Method Concept: It is important that a BS 7799 assignment is set up and
managed in an effective manner, so that everyone involved in the assignment is
aware of the activities that are being planned, and their responsibilities during the
assignment.
The BS 7799 Initiation screen is shown below

Figure 11-92: Initiation Screen

The steps in the Initiation stage of a BS 7799 assignment are as follows:
Documenting the Scope of the Information Security Management System
(ISMS)
Documenting the Security Management Framework that operates within the
organisation
Recording the interviewers and interviewees that will take part in the BS
7799 assignment
Recording the security related documentation that sets out how an
organisation delivers security
These steps are defined in detail in the following sections.


11.5 Documenting the Scope of Information Security Management System (ISMS)


Method Concept: A key document in a BS 7799 assignment is the Scope of the
Information Security Management System (ISMS). This document makes it clear to all
involved what aspects of the organisation are considered to fall within the scope of the
ISMS and what are outside. If an organisation is seeking certification against BS 7799,
it is vital to provide this information to the auditors so that there is an agreed boundary
for the certification. CRAMM provides a facility that will take users through the
process of producing such a document.
Selecting this option will initiate a Wizard that will take users through the process of
documenting the Scope of the Information Security Management System.

The screens in the Wizard are as follows:

Screen 1 Select Name of Report
This screen allows users to create new reports or to open a report that they
have already been working on.
Screen 2 Select Sections to appear in report
This screen gives the user the opportunity to choose which sections of the
standard report they wish to include in their report.
Screen 3 Report Tree for editing information in the report
This screen provides a Tree view structure that allows users to edit the
standard words that are contained in the normal template.
Screen 4 Save/Print/Export report
This screen allows users to specify which appendices they wish to include in
their report, and then to either preview the report, print the report or to
export it into MS Word format for further editing.

11.6 Documenting the Management Framework


Method Concept: One of the key elements of BS 7799 that is often overlooked is
that for an organisation to comply with the standard it must have an appropriate
security management infrastructure. CRAMM provides a facility that enables the
reviewer to record the Security Management Framework that exists within the
organisation.
Selecting this option will initiate a Wizard that will take users through the process of
documenting the Management Framework.
The screens in the Wizard are as follows:
Screen 1 Select Name of Report
This screen allows users to create new reports or to open a report that they
have already been working on.
Screen 2 Select Sections to appear in report
This screen gives the user the opportunity to choose which sections of the
standard report they wish to include in their report.
Screen 3 Report Tree for editing information in the report
This screen provides a Tree view structure that allows users to edit the
standard words that are contained in the normal template.


Screen 4 Save/Print/Export report
This screen allows users to specify which appendices they wish to include in
their report, and then to either preview the report, print the report or to
export it into MS Word format for further editing.

11.7 Entering Interview Details


Method Concept: During the course of a BS 7799 assignment a number of people
are going to be interviewed in order to gather information about how security is
managed within the organisation. CRAMM provides a facility that allows the
reviewer to record the details of all those people who are to be interviewed, and all
those people who are to conduct the interviews.
When planning your interviews it is worth ensuring that you have covered all the
sections of BS 7799. In summary these are:
Management System Requirements
Security Policy
Security Organisation
Asset Classification and Control
Personnel Security
Physical and Environmental Security
Communications and Operations Management
Access Control
System Development and Maintenance
Business Continuity Management
Compliance

To record interviewee or interview:


Step
1 Use the combo box labelled Select Person Type to select either
Interviewee or Interviewer as appropriate.
2 To add a new Interviewee/Interviewer press the Add button at the
bottom of the screen.
3 To add a note about an interview, press the Note button to the right of the
screen. This opens a pop-up form that you can then use to record
those notes.
The Enter Interview screen is shown below.

Figure 11-93: Interview Screen


4 To delete an Interviewee/Interviewer press the Delete button at the
bottom right of the screen.

11.8 Register of Documentation


Method Concept: A large part of demonstrating compliance with BS 7799 involves
indicating where the procedures that define how security is delivered within the
organisation are recorded. CRAMM provides a function that allows reviewers to
record all of the documentation that contains this information. These details can
then be used later to indicate which procedures are covered in which document.
Please note, this is the same screen that is used to record other security resources,
such as Products or People that also deliver security functionality.
The Security Resource Screen is shown below.

Figure 11-94: Enter Security Resource Screen

To enter Security Resource:


Step
1 If you wish to modify an existing Security Resource/Product or
Document then use the combo box at the top of the screen to select the
relevant Security Resource/Product or Document.
2 To add a new Security Resource/Product or Document press the Add
button at the bottom of the screen.
3 Type in the name of the Security Resource into the field labelled
Product/Resource/Document.
4 Specify the type of Security Resource. The allowable types are:
Documentation
Hardware
Owner (i.e. someone who is responsible for a particular area or
system)
Person (i.e. someone who actually carries out a security role)
Physical
Software
Information

5 If appropriate, the Security Resource can be given a reference number. This
is particularly applicable to documentation.
6 If appropriate, the Security Resource can be given a version/issue number.
This is particularly applicable to documentation and software resources.
7 If appropriate, the Security Resource can be given a date. This is particularly
applicable to documentation, hardware and software resources.
8 Record any notes that you wish about the Security Resource.
9 To obtain a report showing all the security resources defined in the review
press the Preview Report button at the bottom left of the screen.

11.9 Conducting a Gap Analysis


Method Concept: Once the BS 7799 assignment has been set up, the next step is to
record the current status of the organisation against the standard so that the gap
analysis can be completed.
The Gap Analysis screen is shown below.

Figure 11-95: Gap Analysis Screen

The steps in the Gap Analysis stage of a BS 7799 assignment are as follows:
Production of an Organisation Information Security Policy
Print BS 7799 (Part II)
Record the status of the BS 7799 Controls
Produce a Gap Analysis Report
These steps are defined in detail in the following sections.

11.10 Producing an Organisation Information Security Policy


Method Concept: BS 7799 makes it clear that Security must have the backing of
senior management if it is to be effective. One way in which this backing can be
demonstrated is for the organisation to issue an Information Security Policy that
has the specific endorsement of the senior management. Many organisations may
already have such a policy. However, for those organisations who do not, this
facility is provided to assist in drafting such a document.
Selecting this option will initiate a Wizard that will take users through the process of
writing the Organisational Information Security Policy.
If the organisation already has an Organisational Information Security Policy then
this step can be skipped, but the details of the Policy document should be recorded in
the Register of Documentation (See Section 4).
The screens in the Wizard are as follows:
Screen 1 Select Name of Report
This screen allows users to create new reports or to open a report that they
have already been working on.
Screen 2 Select Sections to appear in report
This screen gives the user the opportunity to choose which sections of the
standard report they wish to include in their report.
Screen 3 Define Organisation specific variables
This screen gives the user the opportunity to enter:
The full name of the organisation
The organisation's acronym
The title of the most senior person in the organisation (e.g., chief
executive, permanent secretary).
Screen 4 Report Tree for editing information in the report
This screen provides a tree view structure that allows users to edit the
standard words that are contained in the normal template.
Screen 5 Save/Print/Export report
This screen allows users to specify which appendices they wish to include in
their report, and then to either preview the report, print the report or to
export it into MS Word format for further editing.

11.11 Print BS 7799 (Part II)


Method Concept: In order to complete a gap analysis against BS 7799 it is
necessary to have a copy of the standard. CRAMM provides an option to print off
this standard. Please note, CRAMM has concentrated on Part II rather than Part I
because it is this aspect of the standard that is used as the specification of the
standard when organisations are seeking to be certified against the standard.

Please Note: A royalty fee has been paid to BSI for the rights to reproduce
BS 7799 (Part II) in the CRAMM software. However, this only entitles the
user to use this material in conjunction with their use of the CRAMM
software. The report must not be further reproduced or distributed without
the written permission of BSI.
Once the BS 7799 Report has been printed, it can be used as the basis of a series of
interviews with members of the organisation's staff to find out the current status of
the organisation against the standard.
The Print BS 7799 screen is shown below.

Figure 11-96: Print BS 7799 Part II Screen

To print BS 7799 (Part II):
Step
1 Select the Section of BS 7799 that you wish to print out. If you wish to
print all the sections, tick the Include all box.
2 To preview the report press the Preview Report button.
3 To obtain a printed version of the report press the Print button.

11.12 Enter Status of BS 7799 Controls


Method Concept: Using the printed copy of BS 7799 (Part II) the reviewer
should gather information about the organisation's current status with respect to
the standard.
The gathering of information about the current status of the organisation against BS
7799 is a staged approach. The steps involved are as follows:
Arrange a series of interviews with individuals identified during the
Initiation phase
Record the findings from those interviews
Analyse those findings and record the analysis in the tool
Where the analysis has indicated that there is a need for actions to be taken,
record those actions.
The Gap Analysis screen is shown below.

Figure 11-97: Gap Analysis Screen

To enter the Gap Analysis:
Step
1 Use the tree view control to navigate to specific controls of the standard.
Once you have highlighted a detailed control the Findings, Analysis and
Action sub-forms will be enabled.
2 For the selected control record the findings and analysis.
3 To record an action against the selected control click on the new action
button on the bottom of the Actions Sub Form. This will open a pop-up,
shown in Section 11.12.1, that allows the details of the action to be
recorded.
4 If you want to open up the allocate resources to sections screen click on
the Open the Allocate Resources to Sections Screen button.
11.12.1 Recording an Action
Method Concept: Actions are recorded when conducting the Gap Analysis, when
allocating Resources to Controls, and when constructing the Statement of Applicability.
These will form the basis of the Security Improvement programme, indicating what
requires to be done in order to bring the
The Action screen is shown below.

Figure 11-98: Recording an Action Screen

To Record an Action:
Step
1 Type in a brief description of the action
2 Record the status of the action. Allowable statuses are:
Not Assigned
Assigned
Underway
Complete
Under Review

3 If the person who is to carry out the action has already been defined,
select their name from the drop down list. If the person who is to carry
out the action has not been already defined type their name in, and you
will be prompted if you wish to create that person as a security resource.
4 Type in an estimate of how much effort will be required to complete the
action.
5 Record any notes you wish about the action that you have just created.
6 Enter a timescale by which you would like the action completed.
7 To save the action, click on the Save Action button. The Action form
remains open so that you can create further actions if you require.

11.13 Print Gap Analysis Report


Method Concept: Having recorded the organisation's current status against the
standard, CRAMM provides a report that allows the reviewer to print out that
information.
The Print Gap Analysis screen is shown below.

Figure 11-99: Printing Gap Analysis Screen


To Print the Gap Analysis Report:
Step
1 Select the Section of BS 7799 that you wish to print out. If you wish to
print all the sections, tick the Include all box.
2 If you wish to print the report without showing the actions that you have
defined, deselect the Include actions on report box.
3 To preview the report press the Preview Report button.
4 To obtain a printed version of the report press the Print button.

Print BS 7799 Summary


Method Concept: When recording the Findings and Analysis during the
Gap Analysis exercise, the reviewer is able to record the overall status of
that control on a Red, Amber, Green scale. CRAMM provides a report that
allows the reviewer to print out that information.

The BS 7799 Summary screen is shown below.

Figure 11-100: Printing BS 7799 Summary Screen

To Print the BS 7799 Summary Report:


Step
1 Select the Section of BS 7799 that you wish to print out. If you wish to
print all the sections, tick the Include all box.
2 To preview the report press the Preview Report button.
3 To obtain a printed version of the report press the Print button.

11.14 Preparing a security improvement programme


Method Concept: In almost every circumstance, the gap analysis will have
indicated that there is some need for an organisation to take some actions before it
can be said to have complied with BS 7799. It is therefore part of almost every BS
7799 assignment that a security improvement programme should be undertaken to
address the weaknesses observed during the gap analysis.

The Security Improvement Programme screen is shown below.

Figure 11-101: Preparing Security Improvement Programme Screen


The steps in the Security Improvement stage of a BS 7799 assignment are as follows:
Allocate Resources to Controls
Print Security Improvement Programme
Print Action Lists
These steps are defined in detail in the following sections.

11.15 Allocate Resources to Controls


Method Concept: The gap analysis concentrated on what actions an organisation
needs to take to implement the detailed controls set out in BS 7799. However, to
demonstrate full compliance with BS 7799, it is also necessary to show that the
organisation has clearly identified who is responsible for each area of security, and
has provided written documentation setting out precisely how the necessary
controls should be delivered.
This section follows on from the gap analysis and the register of documentation set
up in the Initiation phase of the BS 7799 assignment.
You should use this screen to record, for each control in BS 7799:

who is responsible (i.e. who is the owner) for that control
who carries out the control
where the detailed instructions about the actions those people should be
following are recorded
If during this process you identify that further actions are required, such as updating
a particular document, or ensuring that someone is made responsible for a particular
control, these actions can be recorded using this screen.
The Allocate Resources to BS 7799 Controls screen is shown below.

Figure 11-102: Allocate Resources to Controls Screen

To Allocate Resources to BS 7799 Controls:


Step
1 Select the Section of BS 7799 that you are interested in
2 Select the Sub-Section of BS 7799 that you are interested in
3 Highlight the specific control in BS 7799 that you are interested in. The
Resources and Action sub forms will become enabled
4 To record that a resource or a series of resources is relevant to a particular
control, highlight each of the relevant resources using either the mouse or
the space bar, and then select Assigned from the Mark Selected
resource(s) combo box
5 To remove a reference that a particular resource is relevant to a particular
control, highlight each of the relevant resources using either the mouse or
the space bar, and then select Unassigned from the Mark Selected
resource(s) combo box
6 To create an action click on the Add Action button on the bottom right of
the screen, and follow the instructions in Section 11.12.1

11.16 Print Security Improvement Programme


Method Concept: Having recorded who is responsible for each control in the
standard and where the details are recorded, CRAMM provides a report that allows
the reviewer to print out that information.

The Print Security Improvement Programme screen is shown below

Figure 11-103: Print Security Improvement Screen

To Print the Security Improvement Programme


Step
1 Select the sections of BS 7799 that you wish to print out. If you wish to
print all the sections, tick the Include all box.
2 If you wish to print the report without showing the actions that you have
defined deselect the Include actions on report box
3 To preview the report press the Preview Report button.
4 To obtain a printed version of the report press the Print button.

11.17 Print Action Lists


Method Concept: During both the Gap Analysis and Allocate Resources to
Controls tasks, CRAMM provides facilities to allow the reviewer to record actions
necessary to bring the organisation in line with the standard. This report allows
those actions to be printed out in a variety of different orders which can be used
during the Security Improvement Programme.
The Print Action Lists screen allows the actions to be printed in the following
different orders:
Section Order
Priority Order
Status Order
Person Order
The Print Action List screen is shown below

Figure 11-104: Print Action Lists Screen

To Print the Action Lists:


Step
1 Select the Section of BS 7799 that you wish to print out. If you wish to
print all the sections, tick the Include all box.
2 Select the Resource that you wish to print out. If you wish to print all the
resources, tick the Include all box.
3 Select the report sort order that fits your requirements most closely
4 To preview the report press the Preview Report button.
5 To obtain a printed version of the report press the Print button.
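The records this chapter walks through in the CRAMM screens (the gap analysis findings, analysis and Red/Amber/Green status of Section 11.12, the actions and their statuses of Section 11.12.1, the resources assigned to controls of Section 11.15, the BS 7799 Summary counts of Section 11.13 and the four action-list orders of Section 11.17) can be modelled in a few lines of code. The example below is added here and is not CRAMM's own code; the control references, people and findings are constructed, and the priority field is an assumption, since the guide lists Priority Order but does not say how a priority is entered.

```python
# Added example, not CRAMM's own code: a minimal record-keeping model for the gap
# analysis, actions, resource allocation and action-list orders in this chapter.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACTION_STATUSES = ("Not Assigned", "Assigned", "Underway", "Complete", "Under Review")
RAG_SCALE = ("Red", "Amber", "Green")

@dataclass
class Action:
    description: str
    status: str = "Not Assigned"
    person: Optional[str] = None   # a Person/Owner security resource, if assigned
    priority: int = 3              # constructed field: 1 = most urgent

    def __post_init__(self) -> None:
        if self.status not in ACTION_STATUSES:
            raise ValueError(f"unknown action status: {self.status}")

@dataclass
class Control:
    ref: str                       # constructed numbering, e.g. "3.1.1"
    section: str                   # BS 7799 section the control belongs to
    findings: str = ""
    analysis: str = ""
    rag: Optional[str] = None      # overall status on the Red/Amber/Green scale
    resources: List[str] = field(default_factory=list)   # documents, people, products
    actions: List[Action] = field(default_factory=list)

def _ref_key(ref: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in ref.split("."))   # "10.1.1" sorts after "3.1.1"

class Bs7799Assignment:
    """Controls of one assignment and the records made against each of them."""

    def __init__(self) -> None:
        self.controls: Dict[str, Control] = {}

    def add_control(self, ref: str, section: str) -> None:
        self.controls[ref] = Control(ref, section)

    def record_gap(self, ref: str, findings: str, analysis: str, rag: str) -> None:
        if rag not in RAG_SCALE:
            raise ValueError(f"status must be one of {RAG_SCALE}")
        ctrl = self.controls[ref]
        ctrl.findings, ctrl.analysis, ctrl.rag = findings, analysis, rag

    def assign_resource(self, ref: str, resource: str, assigned: bool = True) -> None:
        """Assigned / Unassigned, as the Mark Selected resource(s) combo box does."""
        res = self.controls[ref].resources
        if assigned and resource not in res:
            res.append(resource)
        elif not assigned and resource in res:
            res.remove(resource)

    def add_action(self, ref: str, action: Action) -> None:
        self.controls[ref].actions.append(action)

    def summary(self) -> Dict[str, Dict[str, int]]:
        """Red/Amber/Green counts per section, as on the BS 7799 Summary report."""
        out: Dict[str, Dict[str, int]] = {}
        for c in self.controls.values():
            row = out.setdefault(c.section, {r: 0 for r in RAG_SCALE})
            if c.rag:
                row[c.rag] += 1
        return out

    def unresolved_gaps(self) -> List[str]:
        """Red/Amber controls with no resource and no action: not yet picked up."""
        return [c.ref for c in self.controls.values()
                if c.rag in ("Red", "Amber") and not c.resources and not c.actions]

    def action_list(self, order: str = "Section") -> List[tuple]:
        """(control, description, status, person) rows in one of the four print orders."""
        rows = [(c.ref, a) for c in self.controls.values() for a in c.actions]
        keys = {
            "Section": lambda r: _ref_key(r[0]),
            "Priority": lambda r: (r[1].priority, _ref_key(r[0])),
            "Status": lambda r: (ACTION_STATUSES.index(r[1].status), _ref_key(r[0])),
            # actions with nobody assigned sort last, so gaps in ownership stand out
            "Person": lambda r: (r[1].person is None, r[1].person or "", _ref_key(r[0])),
        }
        rows.sort(key=keys[order])   # KeyError for an order the report does not offer
        return [(ref, a.description, a.status, a.person) for ref, a in rows]

def build_sample() -> Bs7799Assignment:
    """Constructed sample assignment: three controls from three BS 7799 sections."""
    a = Bs7799Assignment()
    a.add_control("3.1.1", "Security Policy")
    a.add_control("6.1.1", "Personnel Security")
    a.add_control("8.1.1", "Access Control")
    a.record_gap("3.1.1", "Policy issued 2001, never reviewed.", "Refresh and re-sign.", "Amber")
    a.record_gap("6.1.1", "Job descriptions omit security duties.", "Update templates.", "Amber")
    a.record_gap("8.1.1", "No written access control policy.", "Policy must be drafted.", "Red")
    a.assign_resource("3.1.1", "Information Security Policy v1.0")
    a.add_action("3.1.1", Action("Review and reissue policy", "Assigned", "J. Smith", priority=2))
    a.add_action("8.1.1", Action("Draft access control policy", "Underway", "A. Jones", priority=1))
    a.add_action("8.1.1", Action("Approve access control policy", priority=2))
    return a
```

The unresolved_gaps check is the one a reviewer wants before printing the Security Improvement Programme: a control rated Red or Amber that has neither a resource nor an action against it has slipped through the gap analysis.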

11.18 Creating a statement of applicability


Method Concept: The method by which an organisation demonstrates its
compliance with BS 7799 is by preparing a statement of applicability. This pulls in
information from many of the previous sections, but is presented to the auditors in
such a fashion that it clearly demonstrates what actions have been taken to comply
with the standard.

The Statement of Applicability screen is shown below

Figure 11-105: Statement of Applicability Screen


The steps in the Statement of Applicability stage of a BS 7799 assignment are as
follows:
Prepare a Statement of Applicability
Print the Statement of Applicability
These steps are defined in detail in the following sections.

11.19 Preparing Statement of Applicability


Method Concept: The Statement of Applicability should draw information from
the original findings and analysis, but these should be updated to reflect the actions
that have been taken during the Security Improvement programme. In addition, the
Statement of Applicability should reflect the allocation of responsibilities for specific
controls that was recorded during the Security Improvement programme.

The Prepare Statement of Applicability screen is shown below.

Figure 11-106: Statement of Applicability Screen


To prepare a Statement of Applicability:
Step
1 Use the tree view control to navigate to specific controls within the
standard. Once you have highlighted a detailed control the Findings,
Analysis, Action, Interpretation and Resource sub-forms will be enabled.
2 For the selected control review the findings, analysis and actions and
record the interpretation that you wish to appear in the Statement of
Applicability.
3 To record an action against the selected control click on the new action
button on the bottom of the Actions Sub Form. This will open a pop-up,
shown in Section 11.12.1, that allows the details of the action to be
recorded.
4 Once the desired action has been recorded, a user has the ability to output
a CRAMM action directly to Microsoft Outlook by clicking on the yellow
bell button on the right under the Action tab.
5 If you want to open up the allocate resources to sections screen click on
the Open the Allocate Resources to Sections Screen button.

11.20 Printing Statement of Applicability


Method Concept: Having recorded the interpretation of each control that you
wish to include in the Statement of Applicability, CRAMM provides a report that
allows the reviewer to print out that information.

The Print Statement of Applicability Report screen is shown below.

Figure 11-107: Statement of Applicability Screen


To Print the Statement of Applicability:
Step
1 Select the sections of BS 7799 that you wish to print out. If you wish to
print all the sections, tick the Include all box.
2 To preview the report press the Preview Report button.
3 To obtain a printed version of the report press the Print button.

11.21 The role of CRAMM in supporting BS 7799


Method Concept: The preceding steps have all been deliberately designed to be
independent of CRAMM, to give users the freedom of using them while choosing to
conduct their risk assessment in a different manner. However, should users choose
to conduct a CRAMM analysis as part of their BS 7799 assignment, the two tasks
can be combined in such a fashion that it avoids duplication of effort and
allows users to print off a range of reports directly relevant to the individual
assignments.

The Risk Assessment screen is shown below

Figure 11-108: Risk Assessment Screen

The steps in the Risk Management stage of a BS 7799 assignment are as follows:
Conduct a CRAMM review
Print a range of reports based on the findings of the CRAMM review in a
form that is directly relevant to BS 7799
These steps are defined in detail in the following sections.

11.22 CRAMM Front Screen


Method Concept: Having selected to conduct a BS 7799 review, the user can still
access all of the functions contained in CRAMM by progressing through this route.
This opens the CRAMM main screen which would be normally the first screen that
the user sees if they have opened a CRAMM review. From here it is possible to
navigate to each section of CRAMM.
The CRAMM Front screen is shown below

Figure 11-109: CRAMM Front Screen


This is the same screen as described in Section 5.5.

11.23 Requirements for BS 7799 Controls Screen


Method Concept: Having completed the CRAMM review, the reviewer can print
out a series of reports that contain information derived from the CRAMM review
but in a format that is directly relevant to BS 7799.

The Requirements for BS 7799 Control screen is shown below

Figure 11-110: Requirements for BS 7799 Controls Screen

The steps in the Requirements for BS 7799 Controls stage of a BS 7799 assignment are
as follows:
Print BS 7799 Measures of Risk Report
Print Detailed BS 7799 Countermeasures
Enter Status of BS 7799 Countermeasures
These steps are defined in detail in the following sections.

11.24 BS 7799 Measures of Risk Report


Method Concept: One of the documents that BS 7799 encourages reviewers to
produce is a report showing the risks facing the information system, and how these
risks relate to the business processes that are supported on that information system.
CRAMM has completed a detailed assessment of the levels of risk facing the information
system. Any of those reports can be used to provide evidence to an auditor seeking to
check on compliance with BS 7799. However, a further report has been provided
via this function that specifically shows the relationship between the threats that have
been investigated and the data assets that were defined during the CRAMM review.
The Print BS 7799 Measures of Risk Report screen is shown below.

Figure 11-111: Print BS 7799 Measures of Risk Report Screen

To Print the BS 7799 Measures of Risk Report:


Step
1 Select the threats that you wish to include in the print out. If you wish to
print all the threats tick the Include all box. If you wish to include a
specific range of threats, such as logical threats, then select that range by
using the Filter threats by category combo box
2 To preview the report press the Preview Report button.
3 To obtain a printed version of the report press the Print button.

11.25 Detailed BS 7799 Countermeasures


Method Concept: The CRAMM countermeasures have been cross-referenced
against the BS 7799 controls. This means that it is possible to print out the relevant
countermeasures from CRAMM under the BS 7799 Control headings, allowing
reviewers to explore issues in more depth and to see whether the detailed
countermeasures were recommended or not during the CRAMM assessment.
This screen provides the ability to produce three different reports:
a list of all the detailed CRAMM countermeasures under each of the BS 7799
control headings
details about how those CRAMM countermeasures are implemented, as
recorded using the Enter Status of BS 7799 screen (Section 11.26) or using the
Enter Resources to Countermeasure screen (Section 0)
details about which of those CRAMM countermeasures are recommended on
the basis of the CRAMM assessment, and the current status of those
recommendation, as recorded using the Enter Status of BS 7799 screen
(Section 11.26) or using the Enter Installed Status screens (Section 10.7)
The Detailed BS 7799 Countermeasure Report screen is shown below

Figure 11-112: Detailed BS 7799 Countermeasure Report Screen

To Print the Checklist of BS 7799 Countermeasures:


Step
1 Select Checklist of BS 7799 Countermeasures in the Select Report group
box
2 Select the Sections that you wish to include in the print out. If you wish to
print all the Sections tick the Include all box.
3 To preview the report press the Preview Report button.
4 To obtain a printed version of the report press the Print button.
To Print the Checklist of BS 7799 Countermeasures and Resources:
Step
1 Select Countermeasures and Resource in the Select Report group box.
The resource list box should now be enabled
2 Select the Sections that you wish to include in the print out. If you wish to
print all the Sections tick the Include all box.
3 Select the Resources that you wish to include in the print out. If you wish
to print all the resources tick the Include all box.
4 To preview the report press the Preview Report button.
5 To obtain a printed version of the report press the Print button.
To Print the Checklist of BS 7799 Countermeasures and Asset:
Step
1 Select Countermeasures and Asset in the Select Report group box. The
assets list box should now be enabled
2 Select the Sections that you wish to include in the print out. If you wish to
print all the Sections tick the Include all box.
3 Select the Assets that you wish to include in the print out. If you wish
to print all the assets tick the Include all box.
4 To preview the report press the Preview Report button.
5 To obtain a printed version of the report press the Print button.

11.26 Enter Status of BS 7799 Countermeasures


Method Concept: Having cross-referenced the CRAMM countermeasures to the
BS 7799 controls it is possible to examine the detailed countermeasures that are
contained in CRAMM but go through them in the order presented in BS 7799.
The Enter Status of BS 7799 Countermeasures screen allows you to record:
the resources used to deliver a countermeasure
the status of the recommendations with respect to the assets that the
countermeasure has been recommended for based on the CRAMM risk
assessment.

The Enter Status of BS 7799 Countermeasures screen is shown below

Figure 11-113: The Allocate Resources to, and Enter Status of BS 7799
Countermeasures Screen

To Allocate Resources to BS 7799 Controls:


Step
1 Select the Section of BS 7799 that you are interested in
2 Select the Sub-Section of BS 7799 that you are interested in
3 Select the Area of BS 7799 that you are interested in
4 Highlight the specific countermeasure that you are interested in. The
Resources and Asset sub forms will become enabled
5 To record that a resource or a series of resources is relevant to a particular
countermeasure, highlight each of the relevant resources using either the
mouse or the space bar, and then select Assigned from the Mark Selected
resource(s) combo box
6 To remove a reference that a particular resource is relevant to a particular
countermeasure, highlight each of the relevant resources using either the mouse or
the space bar, and then select Unassigned from the Mark Selected
resource(s) combo box
7 To record the status of a recommendation with respect to a specific
asset or a series of assets, highlight each of the relevant assets using either
the mouse or the space bar, and then select Assigned from the Mark
Selected asset(s) combo box.

11.27 Risk Treatment Reports Screen


Method Concept: One of the significant changes that BSI has introduced with the
latest version of BS 7799 (i.e. BS 7799 Part 2: (2002)) is the concept of a Risk
Treatment plan.
The risk treatment plan is defined as:
A co-ordination document defining the actions to reduce unacceptable risks and
implement the required controls to protect information.
The Risk Treatment Reports screen is shown below

Figure 11-114: Risk Treatment Reports Screen

The steps in the Risk Treatment Reports Screen are as follows:
Print Risk Treatment Wizard
Print BS 7799 Risk Treatment Wizard
Print Risk Treatment Summary
Print Detailed Risk Treatment Plans
BS 7799 Countermeasure Summary
These steps are defined in detail in the following sections.

11.28 Risk Treatment Wizard


Method Concept: One of the documents that BS 7799 encourages reviewers to
produce is a report showing the risks facing the information system, and how these
risks relate to the business processes that are supported on that information system.
The Risk Treatment Plan Wizard is similar to Report writing Wizards that already
exist in other parts of CRAMM. In particular it shares a number of common features
with the existing Risk Analysis Report Wizard.
The intention is that this Wizard will take the user through the basic steps needed to
create a draft Risk Treatment Plan suitable for presentation to management and
BS 7799 Auditors.
It consists of four screens, which carry out the following functions:
Screen 1 Select Name of Report
This screen allows users to create new reports or to open a report that they
have already been working on.
Screen 2 Select Sections to appear in report
This screen gives the user the opportunity to choose which sections of the
standard report they wish to include in their report.
There is one mandatory sub-section, Asset Groups. When you select this
sub-section, you will see all the asset groups defined in the CRAMM
review and can choose which of those you wish to include in the report.
Screen 3 Report Tree for editing information in the report
This screen allows users to edit the standard words that are contained in
the normal template, or the words that have been pulled through from the
comments about the factors behind the assessment of threats and
vulnerabilities.
Screen 4 Save/Print/Export report
This screen allows users to specify which appendices they wish to include
in their report, and then to either preview the report, print the report or to
export it into MS Word format for further editing.

11.29 BS7799 Risk Treatment Wizard


Method Concept: The BS 7799 Risk Treatment Plan Wizard summarises the
recommendations made in the CRAMM Review but under BS 7799 Headings.
The intention is that this Wizard will take the user through the basic steps needed to
create a draft BS 7799 Risk Treatment Plan suitable for presentation to management
and BS 7799 Auditors.
It consists of four screens, which carry out the following functions:
Screen 1 Select Name of Report
This screen allows users to create new reports or to open a report that they
have already been working on.
Screen 2 Select Sections to appear in report
This screen gives the user the opportunity to choose which BS 7799
sections, sub-sections and controls they wish to include in their report.
It also provides the option to select whether the user wishes to pull
through the findings, analysis or the interpretations that they entered
when creating the gap analysis and producing the Statement of
Applicability.
Screen 3 Report Tree for editing information in the report
This screen allows users to edit the words that have been pulled through
from the finding, analysis and interpretation about the BS 7799 controls.
Screen 4 Save/Print/Export report
This screen allows users to either preview the report, print the report or to
export it into MS Word format for further editing.

11.30 Summary Risk Treatment Plan


Method Concept: This screen is allied to the Risk Treatment Wizard (see Section
11.28). It allows the user to select the asset groups that they are interested in and
see the threats that have been related to those asset groups, the countermeasure
groups that protect against those threats and the numbers of countermeasures in
each group that are installed, to be installed, etc.
The Summary Risk Treatment Report screen is shown below.

Figure 11-115: Summary Risk Treatment Report Screen

11.31 Detailed Risk Treatment Plan


Method Concept: BS 7799 Part 2 (2002) states: "When setting the acceptable level
of risk the strength and cost of controls should be compared to the potential cost of
an incident." This reporting option provides a flexible reporting facility for
examining the costs associated with the recommendations recorded using the
CRAMM software.
This screen provides the ability to combine three different reports:
A summary of the CRAMM countermeasures recommended;
The Actions recorded against the BS 7799 Controls, and the costs recorded
against those Actions;
The detailed countermeasures recommended for each of the BS 7799 controls,
the current status of those countermeasures and either the costs entered
using the Maintain Cost and Timescales facility (See Section 10.10.2)

CRAMM User Guide

The Detailed Risk Treatment Plan screen is shown below.

Figure 11-116: Detailed BS 7799 Countermeasure Report Screen

To Print the Detailed Risk Treatment Plan:


Step
1 If you wish to see the number of CRAMM countermeasures relevant to
the selected BS 7799 controls that are marked as Installed, or with any of
the other status flags, select the Countermeasure Summary option.
2 If you wish to see the BS 7799 actions relevant to the selected BS 7799
controls, and the costs recorded against them, select the option for the
Actions report.
3 If you wish to see the details of the CRAMM countermeasures relevant to the
selected BS 7799 controls, select the CRAMM Countermeasures option.
When you select CRAMM Countermeasures, you are also given the further
choice of printing either the cost flags recorded in the CRAMM Profile, or
the cost information that you entered using the Maintain
Countermeasure Cost screen.
4 You must select at least one option, but you can choose to combine
any of the three options.
5 To preview the report select the Screen option.
6 To obtain a printed version of the report select the Printer option.
7 To output the report to Word, select the Word option.
8 To output the report to Excel, select the Excel option.
9 To generate the report, press the Generate Report button.

Chapter 12
CRAMM Express

12. CRAMM EXPRESS


12.1 Introduction
CRAMM Express is a new module in the CRAMM software that enables the user to
record some basic data about their system and directs them to the appropriate
countermeasures. The method that existing users of the software are familiar with
remains unaffected; to distinguish it from a CRAMM Express review, it is now
referred to as a CRAMM Expert review.
The following diagram depicts the division between the different types of risk that
organisations face, and the levels of detail in which it is possible to explore these
areas. It shows that, for information security risks, a CRAMM Expert review covers
the area very thoroughly, but at a significant level of detail. CRAMM Express aims
to provide an alternative, but compatible, approach which allows information security
risks to be studied at a very high level while still making meaningful statements
about the need for security.

Diagram (image not reproduced): information security risks are shown alongside
other types of risk (business risk, project risk); BS 7799 and CRAMM Express cover
information security risk at a high level, CRAMM Expert at a detailed level.

Figure 117 - Scope of CRAMM Express

12.2 CRAMM Express Design Aims


The basic design aims for CRAMM Express are:
It should be simple enough that someone who has never used CRAMM
before can complete a risk assessment;
It should be possible for a novice user to complete a CRAMM Express
assessment in half a day or less;
CRAMM Express should not replace or operate separately from CRAMM
Expert;
It should use broadly similar, but simplified, screens and reports to CRAMM
Expert;
The process should be compatible with CRAMM Expert so that it is possible
to expand on any work done using this process and make it into a CRAMM
Expert review if required;
Clear guidance should be provided as to the circumstances when a CRAMM
Express review can be completed, and when a CRAMM Expert review is
required.
The approach taken to achieving the design aims has been to complete the same basic
steps that Full CRAMM takes in completing a risk assessment but to ensure that each
step has been kept as simple as possible.
To ensure consistency with CRAMM Expert, but reduce the number of
countermeasures that need to be explored, CRAMM Express has been initially
limited to Category 1 countermeasures only. This reduces the number of
countermeasures that need to be considered from about 3300 to about 400.


In order that it is clear which items would be included in CRAMM Express and which
would not, the following figure shows a countermeasure sub-group and the different
components of the sub-group.

Countermeasure Group
Group: Identification and Authentication
Sub-Group: User Identifiers
Security Policy Statement (Procedural Policy): User IDs should ensure that
activities can be traced to individuals.

No: Description (Category)
1. All users should be allocated an identifier (user ID) (Category 1 CM)
1.1 User ID may be shared between a group of users (Category 2 CM)
1.2 A register of service users to be maintained (Category 2 CM)
1.3 Each user ID to be for the sole use of an individual (Category 2 CM)
1.4 Old accounts to be locked or deleted (Category 2 CM)
1.5 Use of Guest accounts to be strictly controlled (Category 2 CM)
1.6 Users to be allowed only one current session (Category 2 CM)
1.7 Inactive accounts to be suspended or deleted (Category 2 CM)
1.7.1 All accounts that have not been used for more than 60 days to be
suspended (Category 3 CM)
1.8 User IDs not to give any indication of the user's privilege level (Category 2 CM)
1.8.1 The User ID not to indicate the user's job (Category 3 CM)
1.8.2 The User ID not to indicate the user's level of authority (Category 3 CM)
2. The system should maintain the clearances and authorisations granted
to users (Category 1 CM)
2.1 Access to information to be consistent with user's clearances and
privileges (Category 2 CM)

Figure 118 - Structure of Countermeasure Library

This has several advantages:


It reduces the amount of work required to complete a CRAMM Express
assessment;
It makes the reports shorter and therefore easier to present;
It ensures that the calculations that need to take place in the background can
be conducted quickly;
It means that anyone wishing to explore the information in more depth will have to
expand the review into a CRAMM Expert review.
The disadvantage of limiting the countermeasures to the Category 1 countermeasures
only is that most of these countermeasures are statements of principle rather than
specific instructions on actions to take. It can therefore be difficult to see whether
these principles are being complied with or not. If you wish to explore only a few
issues in greater depth, it is possible to add additional controls to be explored while
still within the CRAMM Express review.
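As an added worked example (not code from the CRAMM software or from this guide), the following Python models the library structure shown in Figure 118: each countermeasure's category is derived from the depth of its outline number, the default CRAMM Express selection is the Category 1 set, and deeper countermeasures can be added and later removed, while Category 1 countermeasures cannot be removed. The countermeasure text is copied from Figure 118; the class and function names are this example's own.

```python
"""Countermeasure library categories and the CRAMM Express selection rules.

Added example modelled on Figure 118; not part of the CRAMM software. The
category of a countermeasure follows from the depth of its outline number:
"1." is Category 1, "1.7" Category 2, "1.7.1" Category 3.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed from the "User Identifiers" sub-group shown in Figure 118.
LIBRARY_TEXT = """\
1. All users should be allocated an identifier (user ID)
1.1 User ID may be shared between a group of users
1.2 A register of service users to be maintained
1.3 Each user ID to be for the sole use of an individual
1.4 Old accounts to be locked or deleted
1.5 Use of Guest accounts to be strictly controlled
1.6 Users to be allowed only one current session
1.7 Inactive accounts to be suspended or deleted
1.7.1 All accounts that have not been used for more than 60 days to be suspended
1.8 User IDs not to give any indication of the user's privilege level
1.8.1 The User ID not to indicate the user's job
1.8.2 The User ID not to indicate the user's level of authority
2. The system should maintain the clearances and authorisations granted to users
2.1 Access to information to be consistent with user's clearances and privileges
"""


@dataclass(frozen=True)
class Countermeasure:
    number: str        # outline number without trailing dot, e.g. "1.7.1"
    description: str

    @property
    def category(self) -> int:
        """Category 1, 2 or 3 according to nesting depth."""
        return len(self.number.split("."))

    @property
    def parent(self) -> Optional[str]:
        parts = self.number.split(".")
        return ".".join(parts[:-1]) if len(parts) > 1 else None


def outline_key(number: str):
    """Sort key so that 1.7.1 follows 1.7 and precedes 1.8 (numeric, not lexical)."""
    return tuple(int(p) for p in number.split("."))


def parse_library(text: str) -> Dict[str, Countermeasure]:
    """Parse 'number description' lines into a library keyed by outline number."""
    library: Dict[str, Countermeasure] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        number, _, description = line.partition(" ")
        number = number.rstrip(".")
        library[number] = Countermeasure(number, description.strip())
    return library


class ExpressSelection:
    """The countermeasures a CRAMM Express review considers.

    Default is every Category 1 countermeasure; Maintain CRAMM Express
    Countermeasures may add deeper ones, and only those may be removed again.
    """

    def __init__(self, library: Dict[str, Countermeasure]):
        self.library = library
        self.selected = {n for n, cm in library.items() if cm.category == 1}
        self.added = set()

    def add(self, number: str) -> bool:
        cm = self.library[number]              # KeyError for an unknown number
        if cm.category == 1 or number in self.selected:
            return False                       # already considered
        self.selected.add(number)
        self.added.add(number)
        return True

    def remove(self, number: str) -> bool:
        if number not in self.added:
            return False                       # Category 1 (or never added): refuse
        self.selected.discard(number)
        self.added.discard(number)
        return True

    def report(self) -> List[str]:
        """Outline numbers in report order."""
        return sorted(self.selected, key=outline_key)


if __name__ == "__main__":
    lib = parse_library(LIBRARY_TEXT)
    sel = ExpressSelection(lib)
    sel.add("1.7.1")
    for n in sel.report():
        print(f"{n:<6} Category {lib[n].category}  {lib[n].description}")
```

With the default selection the report lists only 1. and 2.; adding 1.7.1 brings the 60-day suspension rule into the review while the Category 1 statements stay fixed, which is the behaviour section 12.11 describes.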

12.3 Creating a CRAMM Express Review


Method Concept: When creating a review, you have to specify whether you wish
to create a BS 7799 review, a CRAMM Expert review or a CRAMM Express
review. If you choose to create a CRAMM Express review you can access a series of
screens and reports designed to help users complete a high level risk
assessment.
To create a review from scratch:
Step
1 Open the Review application by double-clicking on the CRAMM 5.1 icon.
Once you have entered the tool password, the Review application
window is displayed.
2 From the Review menu, choose New. The Create Review screen is
displayed, as shown below.

Figure 12-119: Create Review screen

This screen allows you to enter details of the review you wish to create, as follows.
1 Use the Name text box to enter a name for the review.
2 Use the Type of Review combo box to select the type of review that you
wish to conduct. The options are either CRAMM Expert, CRAMM
Express or BS 7799. To create a CRAMM Express review select CRAMM
Express.


3 Use the Protective Marking text box to enter the protective marking for the
review.
4 Use the Description text box to enter a description of the review.
5 Use the Report Header text box to enter the header to be used in reports
produced by the review.
6 The Existing Reviews text box lists the names of existing reviews which
you have created to enable you to select an appropriate, unique name for
the review.
7 When you are satisfied with the details for the review, press the Create
Review button. The Enter New Review Password screen is displayed, as
shown in Figure 5-6.
If you want to set up a password for the review, type it into the New
Password text box. The password can be up to eight characters long. Type
it again into the Confirm New Password text box and press the OK button.
If you do not want to set up a password, select the Do not password protect
check box.
8 A screen is displayed while the review is being created that contains a
mobile activity indicator and a Cancel button. When the review has been
created, the main CRAMM Express process flow screen is displayed.
9 If you decide not to create a new review after all, simply press the Close
button to return to the Review application window.

12.4 Steps in CRAMM Express Assignments


Method Concept: CRAMM Express reviews are based on the same basic concepts
as a CRAMM Expert review, but the whole approach has been simplified to ensure
that it can be done in a very straightforward manner, thus significantly reducing
the amount of time it should take to complete the assessment.
On opening a CRAMM Express review, you are presented with the main CRAMM
Express form which is shown below:


Figure 12-120: Main CRAMM Express Screen


It is possible to navigate to each step in CRAMM Express by pressing the relevant
button to show the lower level steps.

12.5 Input Data Values


Method Concept: As in a CRAMM Expert review one of the critical steps in
determining the requirements for security is determining the value of the data. In
CRAMM Express, data is valued on the same scale 1-10 that would be used in a
CRAMM Expert review, but it is only possible to record Data Asset Valuation
against a single Data Asset.
The differences between a CRAMM Express and CRAMM Expert Review in respect
to Data Valuation are:
The Data Asset valuation is conducted against a single data asset;
There is no ability to record details about who was interviewed;
There is no facility to record the guideline(s) used.
The CRAMM Express Data Valuation screen is shown below.

Figure 12-121: CRAMM Express Data Valuation Screen


To Value Data in CRAMM Express


Step
1 Overtype the name of the data asset with the name of the information that
you are interested in.
2 Type a brief description of the data in the comments box. If you double
click on the comments box, it expands to a large text entry box to allow
you to record your comments.
3 Select the Data Valuation score on a scale of 1-10 for each of the impacts
that you are interested in. The score should correspond to the same
guidelines as used in CRAMM Expert. Please see Appendix E -
VALUATION GUIDELINES.
4 Type a brief description of the scenario that led to the valuation being
arrived at. If you double click on the comments box, it expands to a
large text entry box to allow you to record the scenario more easily.

12.6 Select Threats of Interest


Method Concept: As in a CRAMM Expert review, it is not necessary to
investigate all of the threats that CRAMM can cover. It may be that your review is
focused on a particular aspect of security, and that you therefore wish to limit your
investigation to a sub-set of the threats. This screen can be used to indicate which
threats you wish to investigate during the CRAMM Express review.
The CRAMM Express Select Threats screen is shown below.

Figure 12-122: CRAMM Express Select Threats Screen


To Select Threats in CRAMM Express


Step
1 If you want to investigate all of the threats that CRAMM covers, click
on the box labelled All threats.
2 If you want to investigate all of the threats of a particular type, such as
logical, communications or physical, select the appropriate type
from the box labelled Group of Threats. All of the threats of that type
will then be ticked automatically in the List of Threats box. This
list can then be modified by ticking or unticking threats.
3 If you wish to select your own range of threats, simply tick the threats of
interest.

12.7 Set Threat and Vulnerability Levels


Method Concept: Having selected the threats of interest, in order to complete the
assessment of risks it is necessary to assess the levels of threat and vulnerability.
The screen is similar to the Rapid Risk screen in CRAMM Expert but has been
significantly simplified. The areas where the process has been simplified are as
follows:
All the threats can be seen on a single screen;
It is not possible to vary the assessment of threats or vulnerabilities according
to impacts;
It is not possible to record different levels of threat and vulnerabilities for
different parts of the information system.
The CRAMM Express Set Threat and Vulnerability Levels screen is shown below.

Figure 12-123: CRAMM Express Set Threat and Vulnerability Levels Screen


To Set Threat and Vulnerability Levels in CRAMM Express


Step
1 Either type in the name of the asset that you wish to investigate the threat
against, or select the name of the asset if it has already been created.
2 For details of the types of asset that it is suggested each type of threat
should be applied to please see Appendix F3 -Threat/asset group table.
3 If you type in the name of new asset, CRAMM will open a screen where
you can confirm that you wish to create this entry as an asset, change the
name of an existing asset, or delete an existing asset. Similarly double
clicking on the asset box, opens this same screen.
4 Select the level of threat that you have assessed applies. Threats are
assessed on a five point scale which ranges from:
Very Low
Low
Medium
High
Very High
5 Select the level of vulnerability that you have assessed applies.
Vulnerabilities are assessed on a three point scale which ranges from:
Low
Medium
High
6 Type in any comments that explain why you have assessed the threats
and vulnerabilities in the manner in which you have. If you double click
on the comments box, a text box will appear in which it is easier to type
such comments.
7 When you have assessed the threats and vulnerabilities, you can choose to
examine the Measure of Risk report. The measures of risk have been
calculated using the same risk matrix that would be used in CRAMM
Expert (See Appendix G - RISK MATRIX)
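An added worked example (not CRAMM's code) of the calculation described in steps 4 to 7 and in section 12.5: the single data asset is valued 1-10 per impact type, each selected threat carries a five-point threat level and a three-point vulnerability level, and the measure of risk combines the highest impact the threat can cause with those two levels. CRAMM's actual risk matrix (Appendix G) is not reproduced in this chapter, so the combination rule below is an illustrative stand-in, as are the threat names, impact types and values.

```python
"""Measure of risk for a CRAMM Express review (sections 12.5 to 12.7).

Added example, not the CRAMM software. measure_of_risk() is an
illustrative stand-in for the Appendix G risk matrix, which is not
reproduced here; it keeps the property that matters (monotone in asset
value, threat level and vulnerability level) but not CRAMM's actual numbers.
"""
from typing import Dict, List, Sequence, Tuple

THREAT_LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]   # five-point scale
VULNERABILITY_LEVELS = ["Low", "Medium", "High"]                      # three-point scale


def value_band(asset_value: int) -> int:
    """Collapse the 1-10 data valuation into three bands: 1-4, 5-8, 9-10 (assumption)."""
    if not 1 <= asset_value <= 10:
        raise ValueError(f"data valuation {asset_value} is outside the 1-10 scale")
    return (asset_value - 1) // 4


def measure_of_risk(asset_value: int, threat: str, vulnerability: str) -> int:
    """Stand-in risk matrix: 1 (lowest) to 6 (highest). Unknown level names raise ValueError."""
    t = THREAT_LEVELS.index(threat)
    v = VULNERABILITY_LEVELS.index(vulnerability)
    return 1 + value_band(asset_value) + (t + v) // 2


def highest_impact(valuations: Dict[str, int], impacts: Sequence[str]) -> int:
    """Highest valuation among the impact types a threat can cause; 0 if none is valued."""
    return max((valuations[i] for i in impacts if i in valuations), default=0)


# name, impact types the threat can cause, threat level, vulnerability level
Threat = Tuple[str, Sequence[str], str, str]


def measure_of_risk_report(valuations: Dict[str, int],
                           threats: Sequence[Threat]) -> List[Tuple[str, int, str, str, int]]:
    """One row per threat of interest: name, highest impact, threat, vulnerability, measure of risk.

    Threats that touch no valued impact type are omitted: nothing of value is at risk.
    """
    rows = []
    for name, impacts, t_level, v_level in threats:
        impact = highest_impact(valuations, impacts)
        if impact == 0:
            continue
        rows.append((name, impact, t_level, v_level, measure_of_risk(impact, t_level, v_level)))
    return rows


# Constructed sample input: one data asset valued per impact type, four threats of interest.
SAMPLE_VALUATIONS = {"Unavailability": 4, "Destruction": 7, "Disclosure": 9, "Modification": 6}
SAMPLE_THREATS: List[Threat] = [
    ("Fire", ["Destruction", "Unavailability"], "Low", "Medium"),
    ("Masquerading of user identity by insiders", ["Disclosure", "Modification"], "High", "High"),
    ("Communications failure", ["Unavailability"], "Medium", "Low"),
    ("Misrouting", ["Repudiation"], "Low", "Low"),    # impact type not valued: dropped from report
]

if __name__ == "__main__":
    for row in measure_of_risk_report(SAMPLE_VALUATIONS, SAMPLE_THREATS):
        print("%-45s impact %2d  threat %-9s vuln %-6s risk %d" % row)
```

Two checks are worth keeping whatever matrix is substituted: a level name outside the two scales is rejected rather than silently scored, and a threat whose impact types were never valued produces no measure of risk, mirroring the fact that CRAMM Express only values impacts you select.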

12.8 Calculate Recommended Countermeasures


Method Concept: Once you have entered the Data Valuations and the Threat and
Vulnerability Levels, the software can calculate the measures of risks automatically.
In theory, it could also calculate the recommended countermeasures automatically
as well, but because of the amount of time such a calculation would take, this second
calculation has been separated out, and has to be initiated by the user.
When you click on the button to calculate the recommended countermeasures no
screen will be displayed. Instead the software will calculate the recommended
countermeasures using a similar but significantly simplified approach to that
adopted in CRAMM Expert.
The major differences between the two methods are:
CRAMM Express does not attempt to determine what type of assets the
individual countermeasures are appropriate for;
In CRAMM Express, countermeasures are either recommended or not. They
are not recommended for specific assets;
CRAMM Express does not have the concept of a maximum security
threshold for countermeasures to which there is an alternative stronger
recommended countermeasure.
Once the calculation has completed the software will tick the status box to indicate
that the process has been completed.

12.9 Countermeasure Reports


Method Concept: Having calculated the recommended countermeasures, CRAMM
Express allows you to print reports showing how the countermeasures have
been recommended and details of the countermeasures that have been recommended.
The CRAMM Express Countermeasure Report screen is shown below.

Figure 12-124: CRAMM Express Countermeasure Report Screen

The Countermeasure Report screen allows you to produce three types of report:
Measure of Risk Report
Summary Report
Detailed Report
The measures of risk report shows the results of the threat and vulnerability
assessment, the highest impact that the threats can cause and the measures of risk
that have been determined by combining these factors together using the risk matrix.


The summary report shows which threats have led to which countermeasure groups
being recommended, and the measures of risk associated with these threats.
The Detailed Report allows the user to print out details of the countermeasures that
have been recommended on the basis of the assessments of risk.

To Print the Detailed Countermeasures in CRAMM Express


Step
1 Either click the box labelled All Groups to select all groups that have
recommended countermeasures in them, select a Set of Countermeasure
Groups if you want to build a report based on a range of countermeasure
groups, or select the individual countermeasure groups of interest.
2 Either click on the box labelled All Status to select all status flags, or
select the individual status flags of interest.
3 Select the destination for the report, which will be either:
Screen
Printer
Word File
Excel File

4 Click on the Generate Report button to create the report.

12.10 Enter Installed Status


Method Concept: After CRAMM Express has displayed which countermeasures
are recommended, it is possible to record which of those measures are in place, which
are not in place and which could be considered for implementation.
The CRAMM Express Enter Installed Status screen is shown below.


Figure 12-125: CRAMM Express Enter Installed Status Screen

The column on the right hand of the screen shows the Category of the
countermeasure. The default is that CRAMM Express only contains Category 1
countermeasures but it is possible to add further more detailed countermeasures
using the Maintain CRAMM Express Countermeasures facility.
To Enter Installed Status in CRAMM Express
Step
1 Select the Countermeasure Group of interest
2 Either select a Status Flag from the box labelled Status for all
Countermeasures to apply one status flag to all the recommended
countermeasures in that group.
3 Alternatively select the appropriate Status Flag for each countermeasure
individually.
4 You can record comments about the countermeasure in the comments
box. If you double click on the box a larger text box will appear which
will make it easier to enter lengthy comments.
Having entered the status flags and comments, the information that you have entered
will appear on the Detailed Countermeasure Reports shown previously.

12.11 Maintain CRAMM Express Countermeasures


Method Concept: As a default, CRAMM Express is limited to exploring Category
1 (i.e. Security Policy type statements). However, a facility has been provided that
allows you to choose to include more detailed measures if you wish. It has been
deliberately designed so that if you wish to consider more than a few detailed
countermeasures, you would be advised to expand the review into a CRAMM
Expert review.
The Maintain CRAMM Express Countermeasures screen is shown below.

Figure 12-126: CRAMM Express Maintain Express Countermeasures Screen


One window on the screen shows the countermeasures currently included in CRAMM
Express; the other shows all the countermeasures in the CRAMM Expert library.


To Maintain CRAMM Express Countermeasures


Step
1 To add a countermeasure for consideration in CRAMM Express, use the
tree showing the full CRAMM Expert library to find the countermeasure of
interest, and then press the Add button.
2 To remove a countermeasure from consideration in CRAMM Express, use
the tree showing the CRAMM Express countermeasures to find the
countermeasure of interest, and then press the Remove button. Please note,
it is only possible to remove countermeasures that you have previously
added. It is not possible to remove Category 1 countermeasures.

12.12 Exporting Express Reviews to CRAMM Expert


Method Concept: Once you have explored the security requirements for a
system/network at a high level using CRAMM Express, you may wish to explore
the issues that it has highlighted in more detail using CRAMM Expert. The
CRAMM Express utility contains a function that allows you to create a CRAMM
Expert Review and populate that review with the information that you have
recorded during the CRAMM Express Review.
The Export Express to Expert screen is shown below.

Figure 12-127: CRAMM Express Export Express Screen

To Export CRAMM Express information


Step
1 Enter the name of the Expert review that you wish to create
2 Press the button labelled Export
This will create an Expert review, which will contain the following information:
A data asset
The data asset valuations associated with that data asset
The relationships between the threats and the asset groups that were created
in CRAMM Express
The levels of threats and vulnerabilities that were recorded in CRAMM
Express. These are recorded as Rapid Risk Assessments.
The Export to Expert screen does not transfer across the information about the status
of the countermeasures. That information can however be transferred to the Expert
review once that review has completed the risk analysis steps and calculated the
recommended countermeasures. Please see Section 12.13 for details about how to
apply this status information to a complete Expert Review.
Once the Expert review has been created, it will need to be opened and the steps that
are contained in CRAMM Expert, but are not present in CRAMM Express will need
to be completed.
In summary, the basic steps in completing the CRAMM Expert review are as follows:
1. Fill in any background information about the review that is required. Please
see Section 6.6.
2. Examine and update if necessary the Data Assets, including changing the
classification of the existing Data Asset and creating further Data Assets if
appropriate. Please see Section 7.3.1.
3. Create details of the end user services that support the Data Assets. Please
see Section 7.3.2
4. Create details of the physical assets that support the Data Assets. Please see
Section 7.3.3.
5. Create details of the software assets that support the Data Assets. Please see
Section 7.3.4
6. Create details of the organisations / locations that support the Data Assets.
Please see Section 7.3.5
7. Build an asset model that shows the relationships between the Data Assets /
end users services and the physical, software assets and their locations.
Please see Section 7.5.
8. Review and update if necessary the Data Asset Valuations, including
updating the Data Valuation guidelines. Please see Section 7.7
9. Calculate implied values. Please see Section 7.12.
10. Modify the Asset Groups that have been created using CRAMM Express.
Please note: all of the Asset Groups created by the export process are
initially empty. It is essential that you populate these groups with the data
assets, end user services, locations, physical or software assets that you have
created above. Please see Section 8.5.
11. Check the relationships between the Threat and Asset Groups. Please see
Section 8.6.
12. Modify, if necessary, the threat and vulnerability assessments brought over
from the CRAMM Express review. Please see Section 8.14.
13. Calculate measures of risk. Please see Section 9.2.
14. Calculate recommended countermeasures. Please see Section 10.4.2.
At this stage you can transfer the information about the status of the
countermeasures explored during the CRAMM Express review to the CRAMM
Expert review using the Apply Status Flag Facility.


12.13 Apply Status Flags to Expert Review


Method Concept: Once you have completed the risk analysis using CRAMM
Expert you may wish to copy in the results of the investigation about these
countermeasures that you recorded during the initial CRAMM Express Review.
The Apply Status Flags screen is shown below

Figure 12-128: CRAMM Express Apply Status Flag Screen

To Apply Status Flag information


Step
1 Using the drop down box, select the name of the Expert review that you
wish to apply the status flags to
2 Press the button labelled Apply Status Flags
This will apply the status recorded against the countermeasures in the CRAMM
Express review to each of the assets that this countermeasure has been recommended
for in the CRAMM Expert review.

Chapter 13
Contingency Planning

13. Contingency planning


13.1 Introduction
Method Concept: Contingency planning is an important part of an overall
strategy for the management of information systems and, in particular, the
management of information security.
A business impact analysis and risk assessment are critical early activities in
contingency planning and CRAMM is, therefore, ideally placed to support the
contingency planning process.
Contingency planning for information systems or networks is part of the overall
process of Business Continuity Management (BCM). Business continuity
management is concerned with managing risks to ensure that, at all times, an
organisation can continue operating to at least a pre-determined minimum level.
Business Continuity Management consists of a number of processes structured into
four distinct stages as illustrated in Figure 13-129. They are:
Stage 1 - Initiation, which sets policy for BCM, ensures that it is integrated
with other business and technical policies and establishes the BCM initiative
Stage 2 - Requirements and Strategy, which assesses the potential business
impacts and risks, identifies and evaluates options for reducing risk and
recovering business processes, and develops a cost effective strategy
Stage 3 - Implementation, which establishes a programme by which
business continuity will be achieved, implements the stand-by facilities and
risk reduction measures specified within the BCM strategy, develops the
requisite business recovery plans and procedures, and undertakes initial
testing
Stage 4 - Operational Management, which ensures that the business
continuity strategy, plans and procedures continue to be tested, reviewed
and maintained on an on-going basis and that suitable training and
awareness programmes are put in place.
Whilst BCM focuses on critical business processes, information systems or networks
are often key components of these business processes. CRAMM provides facilities to
support contingency planning for information systems or networks.
Further information on business continuity management can be found in the
following two CCTA guides:
An Introduction to Business Continuity Management
A Guide to Business Continuity Management.
CRAMM has been specifically designed to be consistent with the approaches
recommended in these guides.


Diagram (image not reproduced): the process model has four stages.
Stage 1 Initiation: Initiate BCM.
Stage 2 Requirements & Strategy: Business Impact Analysis; Risk Assessment;
Business Continuity Strategy.
Stage 3 Implementation: Organisation and Implementation Planning; Implement
Stand-by Arrangements, Develop Business Recovery Plans, Implement Risk
Reduction Measures; Develop Procedures; Initial Testing.
Stage 4 Operational Management: Education and Awareness, Review, Testing,
Change Control, Training, Assurance.

Figure 13-129: Process Model for Business Continuity Management


This section covers the following topics:
the role of CRAMM in contingency planning (section 13.2)
performing a business impact analysis (section 13.3)
steps in gathering contingency planning information (section 13.4)
identifying recovery objectives and minimum requirements (section 13.5)
performing a risk assessment (section 13.6)
identifying contingency solutions (section 13.7)
next actions (section 13.8).


13.2 The role of CRAMM in contingency planning


Method Concept: CRAMM supports early parts of the contingency planning
process and will assist you to assess requirements and options for contingency
planning.
CRAMM provides support to the Requirements and Strategy stage of the business
continuity management lifecycle and helps you to identify contingency requirements
and options for:
information systems and networks
telecommunications equipment and services
the accommodation used to house equipment and users of information
systems or networks
critical paper records relating to information systems, such as printed output.
CRAMM provides the following support to the contingency planning process:
analysis of the business impacts that could result from disruption to
information systems or networks and telecommunications
identification of recovery objectives and the minimum assets required to
allow recovery objectives to be achieved
identification of dependencies between data assets and between application
software assets
assessment of threat and vulnerability levels and calculation of overall levels
of risk
on the basis of the risk assessment, identification of recovery and risk
reduction options.
CRAMM does not provide support for the preparation of business recovery plans.

13.3 Business impact analysis


Method Concept: As with security management in general, a critical first step in
contingency planning is to gain an understanding of potential business impacts.
The purpose of a CRAMM business impact analysis for contingency planning is to
identify:
the potential damage or loss that may be caused to the organisation as a
result of a disruption to the information system or network
the form that the damage or loss may take, for example financial loss, risk to
personal safety, breach of legal or regulatory obligations
how the degree of damage or loss is likely to escalate with time in the
aftermath of an incident.
This information is gathered through the CRAMM asset valuation process for data,
application software and physical assets as described in sections 7.3 to 7.11.
When undertaking asset valuation for contingency planning purposes, remember the
following points:
the impact types of greatest interest for contingency planning are those
relating to unavailability and destruction
potential impacts should be investigated for most or all of the ten
unavailability time periods to determine how the impact will increase with
time
wherever possible, actual financial losses should be estimated and entered
into the software.
By producing an Impact Assessment report (for unavailability impacts), you can see
how the impacts escalate over time. If required, this report can be exported to a
spreadsheet for graphical representation.
Section 7.17 describes how to produce the Impact Assessment report.

13.4 Steps in Gathering Contingency Planning Information

Figure 13-130: Contingency Planning screen

13.5 Recovery objectives and minimum requirements


Method Concept: Additional information needs to be collected in Stage 1 of a
CRAMM review to support the contingency planning process.
In addition to potential business impacts, the following information is also required
for contingency planning purposes:
recovery objectives: the time within which different groups of users (referred to
as user groups) must be recovered. Typically, a small core team of users may
need to be recovered quickly with a phased recovery of other users over a
longer period of time
the minimum assets required by user groups to enable recovery objectives to be
achieved
dependencies between data assets: any requirements for recovery of certain data
assets before others
dependencies between application software assets: any requirements for recovery
of certain application software assets before others.
This information will assist you in setting priorities for recovery and in evaluating
alternative recovery options (in Stage 3 of CRAMM).
You should be able to collect most of this information from interviewees during data
asset valuation although, in some cases, you may need to consult other people.

13.5.1 Gathering information on recovery objectives, minimum requirements and
dependencies
Information on recovery objectives, minimum requirements and dependencies
should be gathered as follows.
Step
1 Print out a blank Recovery Objectives form. The Data Recovery Reports
screen is displayed, as shown in Figure 13-131.

Figure 13-131: Data Recovery Reports screen


1 During data asset valuation interviews, or if necessary alternative
discussions with appropriate people, identify the user groups that will
need to be recovered. Separate user groups should be identified for each
group of users requiring recovery at different times or with different
minimum requirements. Typically, user groups will relate to core and
non-core teams from different business areas, for example there could be
separate user groups for Customer Services Core Team, Finance Core
Team, Customer Services Non-Core, Finance Non-core.
2 During these same interviews or discussions, gather the following
information for each data asset and enter it on the form:

- the minimum numbers of users that need to be recovered following a
  disruption to the system or network
- the time within which these users need to be recovered
- the minimum assets required by these users
- minimum service levels for the assets
- descriptions of the minimum numbers of support staff that will be
  needed to assist with recovery of the above assets
- any other requirements.

3 Investigate and record (on a separate piece of paper) any data assets that
must be recovered before the data asset in question, and the relative
priority of these.
4 Investigate and record (on a separate piece of paper) any application
software assets that must be recovered before the application software
asset that supports the data asset in question, and the relative priority of
these.
Once you have gathered your information, you need to enter it into the CRAMM
software. This is described in the section below.

13.5.2 Entering recovery objectives, minimum requirements and dependencies


To enter recovery objectives, minimum requirements and dependencies:
Step
1 From the Contingency Planning screen, choose Enter Data Recovery Details
option. The Create and Maintain Data Recovery Details screen is
displayed, as shown in Figure 13-132.


Figure 13-132: Create and Maintain Data Recovery Details screen


2 Use the Data Asset drop-down list box to select the data asset for which
you wish to create or maintain recovery details.
3 Press the Note button next to the Recovery Details field to view, create or
edit a description of the data and application software assets which must
be recovered before the selected asset can be recovered. The Data Asset
Recovery Details screen is displayed, as shown in Figure 13-133.


Figure 13-133: Data Asset Recovery Details screen


Type into the text box in the Data Asset Recovery Details screen. When you are
satisfied with the description, press the OK button in this screen.
4 To create and maintain details of groups of users, press the Maintain User
Groups button in the User Details group box in the Create and Maintain
Data Recovery Details screen. The Maintain User Groups screen is
displayed, as shown in Figure 13-134.

Figure 13-134: Maintain User Groups screen


Use this screen as follows:
- to maintain details of an existing user group, select its name from the
  Name drop-down list box
- to create a new user group, press the New button and type the name
  into the Name text box. Type the number of users in the user group in
  the Number of Users text box
- to delete a user group, select it from the Name drop-down list box,
  and press the Delete button. Note that a user group can only be
  deleted if it has no relationship to a data asset. If any relationships
  exist you must remove them using the controls in the User Details
  group box in the Create and Maintain Data Recovery Details
  screen, before deleting the user group (this is described in step 5).

5 The table in the User Details group box displays the user groups related to
the selected asset, and the maximum time period in which the asset must
be recovered for each group. You can do the following in this group box:
- to create a new relationship between a user group and the selected
  asset, press the New button. The User Details screen is displayed, as
  shown in Figure 13-135

Figure 13-135: User Details screen


  select the required details from the Select a User Group and Recover
  within list boxes in this screen and press the OK button
- to remove a relationship, select the appropriate row in the table in
  the User Details group box of the Create and Maintain Data
  Recovery Details screen and press the Delete button.
6 Select a row in the User Details table and use the table in the Physical and
Software Assets Supporting Selected Data and Users group box to view, create
or edit the physical and software assets which support the data and user
group selected in the Data Asset drop-down list box and User Details table.
- type the number of assets into the Num Assets column in the table in
  the Physical and Software Assets Supporting Selected Data and Users
  group box in the Create and Maintain Data Recovery Details screen
- the Service Level Description, Other Requirements and Staff Description
  columns are descriptions. To create or edit one of the descriptions,
  position the mouse cursor in the appropriate row, then press the Note
  button at the bottom of the screen. This displays the Supporting
  Details screen in which you can view, create and edit the
  descriptions. This screen is shown in Figure 13-136

Figure 13-136: Supporting Details screen


- type the number of staff required to support the asset into the Num
  Staff column
- if the value entered into the Num Assets or Num Staff column
  represents a resource which is shared with a different user group,
  this can be indicated by typing an asterisk after the number. This will
  be reproduced on the reports produced from this information.

To remove an entry from the table, select the row and press the Delete
Support Asset button.

Once you have entered the information into the CRAMM software, you can produce
a range of reports. Section 13.5.3 describes how to do this.


13.5.3 Reporting on recovery objectives, minimum requirements and dependencies


Information gathered on recovery objectives, minimum requirements and
dependencies can be reported on in the following ways:
- by printing a completed Recovery Objectives form
- by producing a Recovery Requirements for Users and Support Staff report:
  this shows the priority order for recovery of users, and the support staff
  that are required to assist with this
- by producing a Recovery Requirements for Assets report: this shows the
  assets which need to be recovered within each time period
- by producing a Recovery Dependencies report: this shows the information
  input on the relative priorities for recovery of data assets or application
  software assets.
To produce these reports:
Step
1 From the Contingency Planning screen, choose Print Data Recovery
reports. The Data Recovery Reports screen is displayed, as shown in
Figure 13-137.

Figure 13-137: Data Recovery Reports screen


2 Select the option button in the Report Type group box for the type of report
you wish to produce. Your choice determines how you select the assets to
be included in the report, as follows:

- if you select Blank Recovery Objectives, Completed Recovery Objectives or
  Recovery Dependencies, the list box in the middle of the screen on the
  right is labelled Data Assets. For each asset to be reported on, select it
  and press the Add button. The assets are added to the Report on list
  box
- if you select Recovery Requirements for, select from the adjacent drop-
  down list box:
  - users and support staff
  - assets in a list
  - assets in a group
  - assets in a location
  - assets in the physical class
  - assets in the software class.
  The name of the list box in the middle of the screen on the right changes
  according to the selection you make. For each asset to be reported on,
  select it and press the Add button. The assets are added to the Report
  on list box.

3 If you wish to remove an item from the report, select it in the Report on list
box and press the Remove button.
4 When you are satisfied that you have selected the content of the report
correctly, use the Output to controls to select the destination of your
report, then press the Generate Report button to produce the report.
These reports show different views of the recovery objectives and minimum
requirements. They can be used in the costing and evaluation of recovery options for
contingency planning which are identified in the Risk Management Stage of
CRAMM.
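The three views these reports give (assets needed within each time period, a recovery order that respects the recorded dependencies, and a check that dependencies do not defeat a recovery objective) can be built from the same recovery details. The Python below is an added example and not part of the guide or of the CRAMM software; all data assets, user groups, supporting assets and recover-within periods are constructed, and how a shared (asterisked) resource is totalled is this example's own assumption.

```python
# Added example (not CRAMM code): the section 13.5.3 report views from constructed data.
import heapq
from collections import defaultdict

# Constructed (hypothetical) data shaped like the section 13.5.2 screens; periods in hours.
USER_DETAILS = [
    # (data asset, user group, recover within hours)
    ("Customer Orders", "Customer Services Core Team", 4),
    ("Customer Orders", "Customer Services Non-Core", 48),
    ("Product Catalogue", "Customer Services Core Team", 4),
    ("Customer Master", "Finance Core Team", 24),
    ("General Ledger", "Finance Core Team", 24),
]
SUPPORTING_ASSETS = [
    # (data asset, user group, supporting asset, Num Assets, Num Staff); "*" = shared
    ("Customer Orders", "Customer Services Core Team", "Order Server", "1*", "2"),
    ("Customer Orders", "Customer Services Core Team", "Call Centre PCs", "5", "1"),
    ("Customer Orders", "Customer Services Non-Core", "Call Centre PCs", "20", "1"),
    ("Product Catalogue", "Customer Services Core Team", "Order Server", "1*", "1"),
    ("Customer Master", "Finance Core Team", "Finance Server", "1*", "1"),
    ("General Ledger", "Finance Core Team", "Finance Server", "1*", "1"),
]
# Recovery Details (step 3): data assets that must be recovered before the key.
DEPENDENCIES = {
    "Customer Orders": ["Product Catalogue", "Customer Master"],
    "General Ledger": ["Customer Master"],
}


def parse_count(cell):
    """Read a Num Assets / Num Staff cell: '1*' -> (1, True), '5' -> (5, False)."""
    return int(cell.rstrip("*")), cell.endswith("*")


def deadlines(user_details):
    """Earliest recover-within period of each data asset across its user groups."""
    due = {}
    for data, _group, hours in user_details:
        due[data] = min(hours, due.get(data, hours))
    return due


def recovery_requirements_for_assets(user_details, supporting):
    """{hours: {asset: count}}, like the Recovery Requirements for Assets report.
    Assumption: a shared (asterisked) resource counts once per period, at its maximum."""
    period_of = {(d, g): h for d, g, h in user_details}
    plain, shared = defaultdict(int), defaultdict(int)
    for data, group, asset, num, _staff in supporting:
        n, is_shared = parse_count(num)
        key = (period_of[(data, group)], asset)
        if is_shared:
            shared[key] = max(shared[key], n)
        else:
            plain[key] += n
    report = defaultdict(dict)
    for hours, asset in set(plain) | set(shared):
        report[hours][asset] = plain[(hours, asset)] + shared[(hours, asset)]
    return dict(report)


def recovery_order(dependencies, user_details):
    """Recovery priority order: each asset after its Recovery Details prerequisites,
    earliest deadline first among ready assets (Kahn). ValueError on a cycle."""
    due = deadlines(user_details)
    nodes = set(dependencies) | set(due)
    for prereqs in dependencies.values():
        nodes.update(prereqs)
    indegree = {n: 0 for n in nodes}
    dependants = defaultdict(list)
    for asset, prereqs in dependencies.items():
        for p in prereqs:
            indegree[asset] += 1
            dependants[p].append(asset)
    inf = float("inf")  # an asset with no recovery objective recorded sorts last
    ready = [(due.get(n, inf), n) for n in nodes if indegree[n] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _hours, asset = heapq.heappop(ready)
        order.append(asset)
        for d in dependants[asset]:
            indegree[d] -= 1
            if indegree[d] == 0:
                heapq.heappush(ready, (due.get(d, inf), d))
    if len(order) != len(nodes):
        raise ValueError(f"circular recovery dependencies: {sorted(nodes - set(order))}")
    return order


def dependency_conflicts(dependencies, user_details):
    """[(asset, its hours, prerequisite, its hours or None)] where an asset must be
    back sooner than something it depends on (see section 13.7, step 2)."""
    due = deadlines(user_details)
    conflicts = []
    for asset, prereqs in dependencies.items():
        for p in prereqs:
            if due.get(p, float("inf")) > due.get(asset, float("inf")):
                conflicts.append((asset, due[asset], p, due.get(p)))
    return conflicts
```

With the constructed data, Customer Orders is wanted within 4 hours but depends on Customer Master, for which only a 24-hour objective was recorded; the conflict list surfaces exactly the kind of mismatch the Recovery Dependencies report is meant to expose.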

13.6 Risk assessment


Method Concept: The risk assessment for contingency planning purposes will
concentrate on those threats that could cause unavailability or destruction of critical
assets.
Having undertaken a business impact analysis and identified recovery objectives,
minimum requirements and dependencies, the remainder of the CRAMM review
will follow the steps required for a standard review.
If the review is being conducted solely for the purposes of contingency planning, you
are likely to want to concentrate on those threats that could cause the impacts of
unavailability or destruction. Where the scope of the review covers security as well as
contingency requirements, then a wider selection of threats can be investigated.
Depending on the requirements of the review, either a full or rapid risk assessment
can be undertaken. See section 8 for guidance on how to complete a threat and
vulnerability assessment during Stage 2 of CRAMM.


13.7 Contingency solutions


Method Concept: CRAMM can assist in identifying a balanced set of recovery and
risk reduction measures which will allow recovery objectives to be met.
The CRAMM countermeasure library contains the following countermeasure groups
which relate directly to contingency planning:
- Recovery Options for Hosts
- Recovery Options for Network Interfaces
- Recovery Options for Network Services
- Recovery Options for Accommodation
- Recovery Options for Media
- Business Continuity Planning
- Back-up of Data.
A range of other countermeasure groups contain risk reduction measures (measures
which, for example, reduce threat or vulnerability as opposed to facilitating
recovery). Examples of these include Fire Protection, Water Protection, Site/Building
Physical Security, Equipment Failure Protection.
Countermeasures should be calculated and selected as described in Section 10. When
considering recovery options, remember that these are only options which need to be
considered in relation to the recovery objectives and minimum requirements
identified in Stage 1 of the CRAMM review. In assessing recovery options and other
countermeasures for contingency planning, the following approach is recommended.
Step
1 Print the Countermeasure Assessment report for the recovery options
countermeasure groups and any others of interest. This is described in
section 10.5.
2 For each recommended recovery option, do the following:
- consider whether it could assist in achieving recovery objectives
- check whether it is applicable to the system or network under
  review, for example mobile recovery services for host systems or
  accommodation will not be applicable if there is nowhere for mobile
  units to be sited
- check that the option can support the minimum requirements and
  dependencies that were identified in Stage 1.
Note: If recovery objectives cannot be supported, the countermeasure should not
necessarily be rejected immediately since, if no options are able to support
the recovery objectives, the objectives themselves may need to be
adjusted.
3 Evaluate each recovery option that satisfies the above requirements in
terms of:
- its ability to meet recovery objectives and support minimum
  requirements and dependencies
- the likely reduction in potential impact
- the cost of setting up the option
- the cost of maintaining, testing and invoking the option
- any technical, organisational, cultural and administrative
  implications
against the risk of disruption and the potential impact if no action is
taken.
4 The following reports will assist with the evaluation of options:
- Recovery Objectives report
- Recovery Requirements for Users and Support Staff report
- Recovery Requirements for Assets report
- Recovery Dependencies report.

Section 13.5.3 describes how to produce these reports.


Recommendations on countermeasures relating to recovery options can be recorded
within the software as described in section 10.7.
Risk reduction measures should be evaluated in line with the guidance in section 10.7
and in parallel with consideration of recovery options to allow a suitable balance to
be drawn between recovery and risk reduction measures.
The CCTA Guide to Business Continuity Management provides further guidance on
how to evaluate recovery and risk reduction options.

13.8 Next actions


Method Concept: CRAMM only supports part of the contingency planning
process. Further actions will be required to agree, implement and maintain an
effective contingency strategy.
The following contingency planning actions are recommended on completion of the
CRAMM review.
Step
1 Prepare a contingency strategy report describing the potential impacts
and risks, recovery objectives, minimum requirements and dependencies
and the recommended recovery and risk reduction options. This may be a
separate stand-alone document or incorporated as part of a CRAMM
Stage 3 Management Report.
2 Review and gain acceptance of the contingency strategy.
3 Move into the implementation stage of business continuity management
as illustrated in Figure 13-129.
The CCTA Guide to Business Continuity Management provides detailed guidance on
the typical contents of a strategy report and the actions involved in implementing a
strategy and setting up the ongoing management, testing and change management
processes.


13.9 Section summary


This section has described how to use CRAMM to assist in the identification of
contingency requirements and the development of a contingency strategy. A range
of functions and reports are included within CRAMM to support the contingency
planning process.
The CRAMM approach to contingency planning is fully compliant with the processes
recommended in the CCTA Guide to Business Continuity Management.



Chapter 14
Specialist security reports

14. Specialist security reports


14.1 Introduction
Method Concept: The security documentation for a system or project is typically
produced in a range of formats. In addition to producing the recommended security
profile for a system, CRAMM provides a series of specialist security reports.
The Security Reports screen is shown below:

Figure 14-138: Security Reports

CRAMM provides facilities to produce the following specialist security reports:
- System Security Policy
- Security Requirements
- Countermeasure Summary
- Interchange Agreement
Note: It is also possible to produce Security Operating Procedures by using the
Security Resources concept covered in Section 15.
The topics covered in this section are:
- producing a System Security Policy (section 14.2)
- producing Security Requirements Reports (section 14.3)
- producing a Countermeasure Summary (section 14.4)
- producing an Interchange Agreement (section 14.5)


14.2 System Security Policy


Method Concept: A System Security Policy (SSP) describes responsibilities for
security and the security measures required for a particular system or network.
Where responsibility for the management or operation of systems is outsourced,
either in part or in total, the security countermeasures to be implemented by the
service provider need to be documented and communicated to the service provider.
The System Security Policy provides a mechanism for achieving this.
CRAMM provides a facility to support the production of SSPs, based on the findings
of the risk assessment.
14.2.1 Producing a System Security Policy
Selecting this option will initiate a Wizard that will take users through the process of
writing a System Security Policy.
The screens in the Wizard are as follows:
Screen 1 Select Name of Report
This screen allows users to create new reports or to open a report that they
have already been working on.
Screen 2 Select Sections to appear in report
This screen gives the user the opportunity to choose which sections of the
standard report they wish to include in their report.
Screen 3 Select Countermeasure Groups
This screen gives the user the opportunity to choose which countermeasure
groups they wish to include in their SSP.
Screen 4 Report Tree for editing information in the report
This screen provides a Tree view structure that allows users to edit the
standard words that are contained in the normal template, or the words
that have been pulled through from the data asset scenarios, or the factors
behind the assessment of threats and vulnerabilities.
Screen 5 Save/Print/Export report
This screen allows users to specify which appendices they wish to include
in their report, and then to either preview the report, print the report or to
export it into MS Word format for further editing.


14.3 Security Requirements Reports


Method Concept: The Security Specification Report can act as a supplement to
the System Security Policy by expanding on the security objectives set out in the
System Security Policy with further detail about the detailed countermeasures that
are considered to meet these objectives, and the current status of those
countermeasures.

Figure 14-139: Security Requirements Report screen

14.4 Countermeasure Summary


Method Concept: The large number of countermeasures can make it difficult to
obtain an overall impression of how many countermeasures are already installed,
and how many require action. The Countermeasure Summary report provides a
simple tabular summary of the numbers of countermeasures that have been
recommended and the statuses of those recommendations.


Figure 14-140: The IT Risk Analysis and Management Process

14.5 Interchange Agreement


Method Concept: An Interchange Agreement should be produced whenever valuable
information is being exchanged between two organisations. It should set out the
responsibilities for the data before, during and after its transmission, and the
security controls that will be implemented to protect the information.
CRAMM provides a facility to support the production of an Interchange Agreement.
Selecting this option will initiate a Wizard that will take users through the process of
writing an Interchange Agreement.
The screens in the Wizard are as follows:
Screen 1 Select Name of Report
This screen allows users to create new reports or to open a report that they
have already been working on.
Screen 2 Select Sections to appear in report
This screen gives the user the opportunity to choose which sections of the
standard report they wish to include in their report.
Screen 3 Select Countermeasure Groups
This screen gives the user the opportunity to choose which countermeasure
groups they wish to include in their Interchange Agreement.
Screen 4 Report Tree for editing information in the report
This screen provides a Tree view structure that allows users to edit the
standard words that are contained in the normal template, or the words
that have been pulled through from the data asset scenarios, or the factors
behind the assessment of threats and vulnerabilities.
Screen 5 Save/Print/Export report
This screen allows users to specify which appendices they wish to include
in their report, and then to either preview the report, print the report or to
export it into MS Word format for further editing.

14.6 Producing Security Operating Procedures (SyOPs)


Selecting this option will initiate a Wizard that will take users through the process of
writing a Security Operating Procedure (SyOP).
The screens in the Wizard are as follows:
Screen 1 Select Name of Report
This screen allows users to create new reports or to open a report that they
have already been working on.
Screen 2 Enter Basic Information about Report
This screen allows users to enter the basic details about the procedure,
including:
- the Classification / Protective Marking of the Procedure
- the name of the system that the procedure relates to
- Document Reference No
- Version No
Screen 3 Select Sections to appear in report
This screen gives the user the opportunity to choose which sections of the
standard report they wish to include in their report.
Screen 4 Select Resources
This screen gives the user the opportunity to choose which resources they
wish to include in this procedure. You should have created or restored
details about the security resources that you wish to cover prior to starting
the SyOPs wizard (see Section 15). You should have used the reports in that
section to indicate the procedures that each security resource is responsible
for carrying out.
This screen also provides an opportunity to make a couple of global
changes to the countermeasures descriptions. Generally speaking
Category 1 countermeasures take a form similar to the following example:
All users should be allocated an identifier (User ID)
By filling in the Change should to box the software will change each
instance of the word should. For example you could enter the word
must in the box, and the countermeasure shown above would now
appear as:
All users must be allocated an identifier (User ID)
Similarly many Category 2 countermeasures take a form similar to the
following example:
A register of service users to be maintained

By filling in the Change to be to box the software will change each
instance of the words to be. For example you could enter the words
must be in the box, and the countermeasure shown above would now
appear as:
A register of service users must be maintained
Screen 5 Report Tree for editing information in the report
This screen provides a Tree view structure that allows users to edit the
standard words that are contained in the normal template. It is possible to
further edit the countermeasure descriptions by double-clicking the
countermeasure description.
Screen 6 Save/Print/Export report
This screen allows users to specify which appendices they wish to include
in their report, and then to either preview the report, print the report or to
export it into MS Word format for further editing.

14.7 Countermeasure Chart Wizard


Selecting this option will initiate a Wizard that will take users through the process of
generating a Countermeasure chart.
The screens in the Wizard are as follows:
Screen 1 Select the type of report
This screen gives the user the opportunity to choose which type of report
they wish to create. The types that can be selected include:
- IT Security
- Network Security
- Physical Security
- Environmental Security
- Administrative Security
- All
It is also possible to select the level of detail that the countermeasures
have been explored to by using the Select Category combo box.
Screen 2 Select the style of report
This screen gives the user the opportunity to choose which style of report
they wish to create. The styles that can be selected include:
- Bar Chart
- 3 D Bar
- Column
- 3 D Column
- Area
- 3 D Area

Screen 3 Save/Print/Export report
This screen allows users to either preview the report, print the report or to
export it into MS Word format for further editing.

14.8 Alternative Countermeasure Chart Wizard


Selecting this option will initiate a Wizard that will take users through the process of
generating a different Countermeasure chart. This chart allows the user to group the
status flags together to produce a report showing the extent to which risks are
treated or untreated.
The screens in the Wizard are as follows:
Screen 1 Select the type of report
This screen gives the user the opportunity to choose which type of report
they wish to create. The types that can be selected include:
- IT Security
- Network Security
- Physical Security
- Environmental Security
- Administrative Security
- All
It is also possible to select the level of detail that the countermeasures
have been explored to by using the Select Category combo box.
Screen 2 Select the style of report
This screen gives the user the opportunity to identify which
countermeasure status flags they wish to be regarded as:
- Treated Risks
- Untreated Risk
- Accepted Risks

Screen 3 Select the style of report
This screen gives the user the opportunity to choose which style of report
they wish to create. The styles that can be selected include:
- Bar Chart
- 3 D Bar
- Column
- 3 D Column
- Area
- 3 D Area

Screen 4 Save/Print/Export report
This screen allows users to either preview the report, print the report or to
export it into MS Word format for further editing.

14.9 Section summary


This section has described how CRAMM can assist with the preparation of specialist
security documentation for a system or network. The following reports have been
described: System Security Policy (SSP), Interchange Agreements, Security
Requirements, Security Operating Procedures, Countermeasure Summaries and
Countermeasure Charts.


Chapter 15
Security resources

15. Security Resources


15.1 Introduction
Method Concept: When CRAMM calculates its recommended countermeasures it
identifies which specific assets require protection. Security Resources allows the
reviewer to record how that protection is actually delivered.
Security Resources can be of many different types including:
- Documentation
- Hardware
- Software
- Physical
- People
- Information
The Security Resources screen is shown below:

Figure 15-141: Security Resources screen

15.2 Enter/Amend Security Resources


Method Concept: A Security Resource is either a document, a piece of hardware,
software, information, a person or a physical item. CRAMM provides a facility to
record all the security resources that play a role in providing the protection required
by the system/network.


Figure 15-142: Security Resources screen


To enter a Security Resource:
Step
10 If you wish to modify an existing Security Resource/Product or
Document then use the combo box at the top of the screen to select the
relevant Security Resource/Product or Document.
11 To add a new Security Resource/Product or Document press the Add
button at the bottom of the screen.
12 Type in the name of the Security Resource into the field labelled
Product/Resource/Document.
13 Specify the type of Security Resource. The allowable types are:
- Documentation
- Hardware
- Owner (i.e. someone who is responsible for a particular area or
  system)
- Person (i.e. someone who actually carries out a security role)
- Physical
- Software
- Information


14 If appropriate, the Security Resource can be given a reference number. This
is particularly applicable to documentation.
15 If appropriate, the Security Resource can be given a version/issue no.
This is particularly applicable to documentation and software resources.
16 If appropriate, the Security Resource can be given a date. This is particularly
applicable to documentation, hardware and software resources.
17 Record any notes that you wish about the Security Resource.
18 To obtain a report showing all the security resources defined in the review,
press the Preview Report button at the bottom left of the screen.

15.3 Back-up and Restore Security Resources


Method Concept: It can be a time consuming process documenting precisely how
the security required by a system is delivered, but much of the information recorded
may prove valuable in other reviews that may be conducted in the future. The Back-
up and Restore Security Resources screen not only allows you to ensure that the
information recorded about a security product is protected against loss or
corruption, but that information can be re-used in future reviews.
When CRAMM is first installed the list of resources that can be restored is not empty.
CRAMM provides you with a list of standard roles. Each of these roles has been
allocated as carrying out specific procedures, or as responsible for various BS 7799
controls. It is therefore possible to use these roles to assist in producing Security
Operating Procedures.
The Restore Resources Screen is shown below:

Figure 15-143: Security Resources screen


To backup Security Resources:
Step
1 Using either the mouse or keyboard select the resources that you wish to
backup
2 Click on the backup button
3 Please note, the back-up utility will not back-up resources that are already
backed-up. If you wish the resource to be backed up, you should delete
the resource from the backup database first
To restore Security Resources:
Step
1 Using either the mouse or keyboard select the resources that you wish to
restore
2 Click on the restore button
3 Please note, the back-up utility will not restore resources that already
exist. If you wish the resource to be restored, you should delete the
resource from the review first

15.4 Merging Security Resources


Method Concept: In some organisations, a single person may carry out a number of
roles. In such situations it may be desirable to restore several of the detailed roles
defined in the Back-up security resource database, and use the Merge Security
Resource Function to combine these roles into a single, new role.
The Merge Resources Screen is shown below:


Figure 15-144: Merge Security Resources screen


To merge Security Resources:
Step
1 Type in the name of the new role that you wish to create
2 Using either the mouse or keyboard select the resources that you wish to
merge
3 Click on the Merge button
4 Please note, if you now wish to delete the more detailed roles which are
no longer relevant you should use the Enter/Amend Security Resources
screen

15.5 Enter Resources to Countermeasures


Method Concept: Having defined the security resources that exist, the next step is
to identify what functions each security resource provides. Entering information
about resources can also be used when conducting BS 7799 assignments as a way of
demonstrating how the organisation delivers the requirements set out under that
standard.
This section follows on from the Entering Security Resources phase of the
assignment.
You can use this screen to record, for each countermeasure:

- who is responsible (i.e. who is the owner) for that control
- who carries out the control
- where the detailed instructions about the actions those people should be
  following are recorded
The Entering Resources to Countermeasures screen is shown below

Figure 15-145: Entering Resources to Countermeasures


To Allocate Resources to BS 7799 Controls
Step
1 Select the Countermeasure Group that you are interested in
2 Select the Countermeasure Sub Group that you are interested in
3 Highlight the specific countermeasure that you are interested in. The
Resources and Action sub forms will become enabled
4 To record that a resource or a series of resources is relevant to a particular
countermeasure, highlight each of the relevant resources using either the
mouse or the space bar, and then select Assigned from the Mark Selected
resource(s) combo box
5 To remove a reference that a particular resource is relevant to a particular
control, highlight each of the relevant resources using either the mouse or
the space bar, and then select Unassigned from the Mark Selected
resource(s) combo box

15.6 Define Responsibilities


Method Concept: The Define Responsibilities screen provides an alternative method for
identifying what functions each security resource provides. It is easier to use this
screen when you are focusing on a single resource and that resource's responsibilities.
This section follows on from the Entering Security Resources phase of the
assignment.

You can use this screen to record, for each countermeasure:
who is responsible (i.e. who is the owner) for that control
who carries out the control
where the detailed instructions about the actions those people should be
following are recorded
The Define Responsibilities screen is shown below

Figure 15-146: Define Responsibilities

To Define Responsibilities for Countermeasures


Step
1 Select the Countermeasure Group that you are interested in
2 Select the Countermeasure Sub Group that you are interested in
3 Select the Resource that you are interested in
4 Highlight the specific countermeasure that you are interested in. The
Resources and Action sub forms will become enabled
5 To indicate that the resource is responsible for carrying out all the
countermeasures in that sub-group, select Assigned from the combo box
labelled Mark all countermeasures as
6 To record that a resource is relevant to a particular countermeasure,
highlight each of the relevant countermeasures using either the mouse or
the space bar, and then select Assigned from the Mark Selected
countermeasure combo box
7 To remove a reference that a particular resource is relevant to a particular
control, highlight each of the relevant resources using either the mouse or
the space bar, and then select Unassigned from the Mark Selected
resource(s) combo box

15.7 Define Compliance


Method Concept: The Define Compliance screen provides a method for recording
the status of the countermeasures that, using the previous screen, have been
defined as the responsibility of a particular individual. It is easier to use
this screen when you are focusing on a single resource and the status of that
resource's compliance with his/her responsibilities.
This section follows on from the Entering Security Resources phase of the
assignment.
You can use this screen to record, for each countermeasure:
which asset(s) this countermeasure applies to
what is the status of the countermeasure with respect to each of the assets

The Define Compliance screen is shown below

Figure 15-147: Define Compliance

To Define Compliance status of a particular Countermeasure


Step
1 Select the Resource that you are interested in
2 Select the Countermeasure Group that you are interested in (Only those
countermeasure groups which the Resource has some responsibility for
will be shown)
3 Select the Countermeasure Sub Group that you are interested in (Only
those countermeasure sub groups which the Resource has some
responsibility for will be shown)
4 Highlight the specific countermeasure that you are interested in. (Only
those countermeasures which the Resource has some responsibility
for will be shown.) The Assets, Applicable Assets and Other Resource sub
forms will become enabled
5 To record the status of the countermeasures, select the appropriate assets
and select the appropriate status from the Mark selected asset(s) as combo
box. If no assets are selected the selected status flag will be applied to all
the assets shown.
6 It is possible to use this screen even before the risk assessment is
completed. Once you have completed the modelling of the system, when
you use this screen the Applicable Assets will show the assets that may
potentially be recommended for the selected countermeasure depending
on the measure of risk. Even if the measure of risk / recommended
countermeasure calculations have yet to be run, you can select an asset
and press the Add button so that it can then have a status flag recorded
against it.
7 If you wish to remove a countermeasure / asset combination from
consideration, you should select the asset in the Asset box and press the
Remove button.

15.8 Print Security Resource Reports


Method Concept: Having recorded the resources that help deliver the
recommended countermeasures and where the details of the procedures that need to
be followed are recorded, CRAMM provides a report that allows the reviewer to
print out that information.
The Print Security Improvement Programme screen is shown below

Figure 15-148: Printing Security Resources reports

To Print the Security Improvement Programme


Step
1 Select the countermeasure groups that you wish to print out. If you wish
to print all the countermeasure groups tick the Include all box
2 Select the resources that you wish to print out. If you wish to print all the
resources tick the Include all box
3 To preview the report press the Preview Report button.
4 To obtain a printed version of the report press the Print button.

15.9 Print Resource Summary Reports


Method Concept: This report is aimed at providing a summary of the comparison
between the assignment of responsibility, as recorded using the Security Resource
functions, and the status of the countermeasures, as recorded using the Enter
Installed Status screens. It can be particularly useful in demonstrating the extent of
compliance / non-compliance with existing standards, where such standards have
been defined as security resources.
The Resource Summary Report screen is shown below

Figure 15-149: Printing Resources Summary reports

To Print the Resource Summary Report


Step
1 Select the countermeasure groups that you wish to print out. If you wish
to print all the countermeasure groups tick the Include all box
2 Select the resources that you wish to print out. If you wish to print all the
resources tick the Include all box
3 To preview the report press the Preview Report button.
4 To obtain a printed version of the report press the Print button.
The following image shows a sample of the type of report that this screen can
generate:

Figure 15-150: Sample Resource Summary report

15.10 Print Detailed Compliance Report


Method Concept: The Resource Summary report shows the total numbers of
countermeasures and the status flags given to those countermeasures for the
resources that have been defined in the review, but it may be necessary to identify
precisely which countermeasures are either implemented or not implemented. The
Detailed Compliance Report allows the reviewer to select the countermeasures
according to any combination of group, resource and status.
The Detailed Compliance Report screen is shown below

Figure 15-151: Printing Detailed Compliance reports


To Print the Detailed Compliance Report
Step
1 Select the countermeasure groups that you wish to print out. If you wish
to print all the countermeasure groups tick the Include all box
2 Select the resources that you wish to print out. If you wish to print all the
resources tick the Include all box
3 Select the status flags associated with the individual countermeasures that
should be included in the report
4 Select the destination of the report and then press the Generate Report
button.
The following image shows a sample of a Detailed Compliance Report

Figure 15-152: Sample Detailed Compliance report
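The two reports described in sections 15.9 and 15.10 both work from the same data: which security resource is responsible for each countermeasure, and the status flag recorded against each countermeasure/asset combination. The following Python example, added here and not part of CRAMM or its user guide, models that data for a constructed set of records and reproduces the logic of both reports: a per-resource summary of status counts, and a detailed selection by any combination of group, resource and status (a filter left unset stands for the "Include all" box). The group and countermeasure names, resources, assets and status values are all made up for the illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ComplianceRecord:
    """One countermeasure/asset combination with the resource responsible
    for it and the status flag recorded against it (hypothetical model)."""
    group: str            # countermeasure group, e.g. "Access Control"
    countermeasure: str   # countermeasure identifier and title
    resource: str         # security resource (role or standard) responsible
    asset: str            # asset the countermeasure applies to
    status: str           # status flag recorded for this asset


# Constructed sample data, not taken from any CRAMM review database.
SAMPLE_RECORDS = [
    ComplianceRecord("Access Control", "AC-01 Password policy", "Security Manager", "Payroll Server", "Implemented"),
    ComplianceRecord("Access Control", "AC-02 Account review", "Security Manager", "Payroll Server", "Not Implemented"),
    ComplianceRecord("Access Control", "AC-02 Account review", "Security Manager", "HR Workstation", "Implemented"),
    ComplianceRecord("Physical", "PH-01 Server room lock", "Facilities Manager", "Payroll Server", "Implemented"),
    ComplianceRecord("Physical", "PH-02 Visitor log", "Facilities Manager", "Head Office", "Not Applicable"),
    ComplianceRecord("Backup", "BK-01 Daily backup", "IT Operations", "Payroll Server", "Not Implemented"),
]


def resource_summary(records):
    """Resource Summary: for each responsible resource, how many
    countermeasure/asset combinations carry each status flag, plus a total."""
    summary = {}
    for rec in records:
        counts = summary.setdefault(rec.resource, Counter())
        counts[rec.status] += 1
    return {res: {"total": sum(c.values()), **c} for res, c in summary.items()}


def detailed_compliance(records, groups=None, resources=None, statuses=None):
    """Detailed Compliance: the individual records matching any combination
    of group, resource and status. A filter left as None means 'Include all'."""
    return [
        rec for rec in records
        if (groups is None or rec.group in groups)
        and (resources is None or rec.resource in resources)
        and (statuses is None or rec.status in statuses)
    ]


def non_compliant_by_resource(records):
    """Resources that have at least one 'Not Implemented' flag, sorted by name."""
    not_done = detailed_compliance(records, statuses={"Not Implemented"})
    return sorted({rec.resource for rec in not_done})


if __name__ == "__main__":
    for resource, counts in resource_summary(SAMPLE_RECORDS).items():
        print(resource, counts)
    for rec in detailed_compliance(SAMPLE_RECORDS, statuses={"Not Implemented"}):
        print(rec.resource, rec.countermeasure, rec.asset)
```

The summary counts combinations rather than distinct countermeasures, so a countermeasure that applies to two assets contributes twice; that is the assumption made here for the sample data, and an organisation exporting its own review data would need to decide which count its compliance reporting should use.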

16. SECURITY INSPECTIONS


16.1 Steps in a Security Inspection
Method Concept: The security inspection or review process is carried out in
support of a number of objectives, for example:
to ensure that the required minimum standards are applied and
continue to be applied;
to maintain an organisation's focus on the importance of security;
to recommend countermeasures to meet specific impacts of the loss
of the security objectives (confidentiality, integrity and availability),
the impacts being specifically related to the organisation's mission;
and
as part of an ongoing security education and awareness programme.
CRAMM provides support for organisations conducting inspections on their own
operations or external auditors carrying out inspections.
On selecting the Security Inspection options, you are presented with the Security
Inspection Steps form which is shown below:

Figure 16-153: Security Inspection Steps


You can navigate to each step in the Inspection by pressing the relevant
button to show the lower level steps.

16.2 Print Security Inspection Questionnaire


Method Concept: In order to complete a security inspection it is necessary to have
a copy of the Inspection questionnaire. CRAMM provides an option to print off
this questionnaire. You can choose to focus on specific sections of an inspection by
printing just a subset of the sections.

Once the Security Inspection Questionnaire has been printed, it can be used as the
basis of a series of interviews with members of the organisation's staff to find out the
current status of the organisation against the questionnaire.
The Print Security Inspection Questionnaire screen is shown below

Figure 16-154: Security Inspection Screen

To Print Security Inspection Questionnaire:


Step
1 Select the Section(s) of the questionnaire that you wish to print out. If you
wish to print all the sections tick the Include all box
2 To preview the report press the Preview Report button.
3 To obtain a printed version of the report press the Print button.
4 You can use this screen after the results of the inspection have been
entered and print a report showing all the information recorded by
selecting the completed option.
5 If you wish to print the report without showing the actions that you have
defined, deselect the Include actions on report box.

16.3 Enter Findings from the Security Inspection


Method Concept: Using the printed copy of the Security Inspection
Questionnaire the reviewer should gather information about the organisation's
current status with respect to the questionnaire.
The gathering of information about the current status of the organisation against
the questionnaire is a staged approach. The steps involved are as follows:
Arrange a series of interviews with individuals identified during the
Initiation phase
Record the findings from those interviews
Analyse those findings and record the analysis in the tool
Where the analysis has indicated that there is a need for actions to be taken,
record those actions.
The Inspection Findings screen is shown below

Figure 16-155: Inspection Findings Screen

To enter Inspection Findings:


Step
1 Use the tree view control to navigate to specific questions. Once you
have highlighted a detailed question the Findings, Actions and Resource
sub-forms will be enabled
2 For the selected control record the status of the question and any findings
3 To record an action against the selected control click on the new action
button on the bottom of the Actions Sub Form. This will open a pop-up
similar to the one shown in the Section 11.12.1 that allows the details of
the action to be recorded.
4 To record a resource as being responsible for this particular area then use
the Resource sub form.
5 If you want to add further resources you can click on the Add New Resource
button on the Resource Sub form.
16.3.1 Recording an Action
Method Concept: Actions are recorded when conducting the Security Inspection.
These will form the basis of the Security Improvement programme, indicating what
requires to be done in order to bring the organisation in line with the expected
standards.
The Action screen is shown below

Figure 16-156: Recording an Action Screen

To Record an Action
Step
1 Type in a brief description of the action
2 Record the status of the action. Allowable statuses are:
Not Assigned
Assigned
Underway
Complete
Under Review

3 If the person who is to carry out the action has already been defined,
select their name from the drop down list. If the person who is to carry
out the action has not been already defined type their name in, and you
will be prompted if you wish to create that person as a security resource.
4 Record the priority of the action. Allowable priorities are:
Mandatory
Recommendation
Observation

5 Type in an estimate of how much effort will be required to complete the
action
6 Record the time scale for the implementation of the action. If the
timescale has already been defined, then select it from the drop down list.
If the timescale has not been already defined then type the appropriate
timescale as free text and you will be prompted if you wish to create that
as a new timescale.
7 Record any notes you wish about the action that you have just created
8 To save the action, click on the Save Action button. The Action form
remains open so that you can create further actions if you require.

16.4 Print Security Inspection Summary


Method Concept: Having recorded the organisation's current status against the
questionnaire, CRAMM provides a report that allows the reviewer to print out a
summary of the areas of compliance / non compliance against the questionnaire.
Please note, to obtain the more detailed report showing all the information recorded
using the Findings screen use the Print Security Inspection Questionnaire form and
select the Completed option.
The Security Inspection Summary screen is shown below

Figure 16-157: Printing Security Inspection Summary Screen


To Print the Security Inspection Summary Report:
Step
1 Select the Section of the questionnaire that you wish to print out. If you wish
to print all the sections tick the Include all box
2 To preview the report press the Preview Report button.
3 To obtain a printed version of the report press the Print button.

16.5 Print Action Lists


Method Concept: During the Security Inspection CRAMM provides facilities to
allow the reviewer to record actions necessary to bring the organisation in line with
the questionnaire. This report allows those actions to be printed out in a variety of
different orders which can be used during the Security Improvement Programme.
The Print Action Lists screen allows the actions to be printed in the following
different orders:
Section Order
Priority Order
Status Order
Person Order

The Print Action List screen is shown below

Figure 16-158: Print Action Lists Screen


To Print the Action Lists:
Step
1 Select the Sections of the questionnaire that you wish to print out. If you wish
to print all the sections tick the Include all box
2 Select the Resources that you wish to print out. If you wish to print all the
resources tick the Include all box
3 Select the report sort order that fits your requirements most closely
4 To preview the report press the Preview Report button.
5 To obtain a printed version of the report press the Print button.

16.6 Producing Security Inspection Report


Selecting this option will initiate a Wizard that will take users through the process of
writing a Security Inspection Report.
The screens in the Wizard are as follows:
Screen 1 Select Name of Report
This screen allows users to create new reports or to open a report that they
have already been working on.
Screen 2 Basic Information
This screen also provides an opportunity to make a couple of global
changes to the information in the report regarding:
The name of the organisation

The people conducting the inspection
Screen 3 Select Sections to appear in report
This screen gives the user the opportunity to choose which sections of the
standard report they wish to include in their report.
Screen 4 Report Tree for editing information in the report
This screen provides a tree view structure that allows users to edit the
standard words that are contained in the normal template.
Screen 5 Save/Print/Export report
This screen allows users to specify which appendices they wish to include
in their report, and then to either preview the report, print the report or to
export it into MS Word format for further editing.

17. What if scenarios


17.1 Introduction
Method Concept: Security requirements are rarely static. Threats, vulnerabilities
and asset values can change, hardware and network configurations can be updated,
new applications can be developed and so on.
Risk assessments need to be reviewed regularly to ensure that a suitable level of
protection is being provided.
The What If facility is a powerful tool provided by the CRAMM software to enable
you to explore the effect of changes. You can use it, for example, to illustrate the
implications of different options at a management review meeting, or to determine
the effect of a proposed change to the configuration or running of the system.
In reviews of systems that are under development, the What If facility can be used to
explore the different technical options that the project is considering. It may be that,
where variations in project options are being evaluated, the difference in
countermeasures required is such that it can influence the decision on which option
to adopt.
The What If analysis shows countermeasures that are additional recommendations or
are no longer recommended as a result of the changes in the CRAMM model of the
system.
When performing a What If analysis, CRAMM makes a copy of the review data and
performs the calculations on this copy, so that the original review is unaffected.
There is, however, an option to update the original review with data recorded in the
What If analysis.
The remainder of this section describes how to carry out a What If analysis.

17.2 Carrying out a What If analysis


As the purpose of carrying out a What If analysis is to compare the countermeasure
recommendations of the What If analysis with that of the original review, it is not
possible to initiate a What If analysis until some countermeasure recommendations
have been generated. Whilst you are in a What If analysis, it is also not possible to
alter the details of the original review or take a copy of the What If review.
To carry out a What If analysis using the software:
Step
You should take a back up copy of the review before you embark on a
What If exercise. Section 19.4 describes how to back up a review.
From the Risk Management screen, choose What If option. This will
preserve the existing review details and produce a copy on which all
further changes to the review will be recorded.
Until you terminate the What If analysis (described below), you will be
using the What If analysis review and any changes made will not alter the
original review.
Carry out any normal review actions.

To produce a report detailing the differences between the What If analysis and the
original review:
Step
From the Stage 3 What If menu, choose Report. The What If Report screen
is displayed, as shown in Figure 17-159.

Figure 17-159: What If Report screen


This screen is identical to the Countermeasure Assessment Reports
screen (see section 10.6) except that the Differences Only check box replaces
the Recommended Countermeasures Only check box. Select the Differences
Only check box if you only want to see the additional and deleted
countermeasures resulting from the What If analysis.
Use the other fields in the screen as described for the Countermeasure
Assessment Reports screen (see section 10.6).
The report itself is also identical to the Recommended Countermeasure
report, except that the Rqr column is called Diff. This column is blank for
recommendations which have not changed, contains Add for new
recommendations and Del for recommendations which have been
deleted as a result of the What If analysis.
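The Diff column described above is a comparison of two recommendation sets: the original review's and the What If copy's. The following Python example is added here to make that comparison explicit; it is not CRAMM's own code and does not read CRAMM's review files. It assumes recommendations can be represented as (asset, countermeasure) pairs, and the two constructed sets below are made up so that one recommendation is dropped and one is added by the What If changes. The differences_only flag plays the role of the Differences Only check box.

```python
def what_if_report(original, what_if, differences_only=False):
    """Compare two sets of (asset, countermeasure) recommendations.

    Returns rows of (asset, countermeasure, diff), sorted by asset then
    countermeasure, where diff is "" for a recommendation present in both,
    "Add" for one only in the What If copy and "Del" for one only in the
    original review. With differences_only=True, unchanged rows are omitted.
    """
    rows = []
    for asset, cm in sorted(set(original) | set(what_if)):
        key = (asset, cm)
        if key in original and key in what_if:
            diff = ""          # recommendation unchanged
        elif key in what_if:
            diff = "Add"       # new recommendation produced by the What If changes
        else:
            diff = "Del"       # recommendation no longer made after the changes
        if differences_only and not diff:
            continue
        rows.append((asset, cm, diff))
    return rows


# Constructed sample recommendations (not from a real review). The What If
# copy drops the backup recommendation for the Payroll Server and gains a
# UPS recommendation for the HR Workstation; the password policy is unchanged.
ORIGINAL = {
    ("HR Workstation", "AC-01 Password policy"),
    ("Payroll Server", "AC-01 Password policy"),
    ("Payroll Server", "BK-01 Daily backup"),
}
WHAT_IF = {
    ("HR Workstation", "AC-01 Password policy"),
    ("HR Workstation", "EN-01 Uninterruptible power supply"),
    ("Payroll Server", "AC-01 Password policy"),
}


if __name__ == "__main__":
    print(f"{'Asset':<16}{'Countermeasure':<40}Diff")
    for asset, cm, diff in what_if_report(ORIGINAL, WHAT_IF):
        print(f"{asset:<16}{cm:<40}{diff}")
```

A "Del" row is the one a reviewer should look at hardest before accepting a What If analysis into the original review: it says a control is no longer justified by the model, which is only safe if the modelled change (for example an asset leaving scope) has actually happened.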

To terminate the What If analysis:


Step
From the Stage 3 What If menu, choose Action. The What If Review
Maintenance screen is displayed, as shown in Figure 17-160.

Figure 17-160: What If Review Maintenance screen


Select the option button for the action you require. You can either discard
the What If analysis and revert to the original review, or keep the What If
analysis and discard the original, or keep both the original and the What
If analysis. If you choose the last option you will be asked to supply a
name for the review which will be created from the What If analysis.
Select the Perform button to carry out the required action.

17.3 Section summary


This section has described how to model the effect of changes on the security
requirements for different options using the CRAMM What If facility.

18. Post review


18.1 Introduction
Method Concept: CRAMM provides comprehensive support for the identification
of justified security countermeasures for a system or network. However,
implementation of recommendations falls outside the scope of CRAMM. The
reviewer and management involved in the CRAMM review should, however,
schedule the implementation of agreed countermeasures, establish the timing for the
next review and tidy up the review files.
The topics covered in this section are:
scheduling the implementation of the recommendations (section 18.2)
the timing of the next review (section 18.3)
tidying up the review files (section 18.4).
These tasks are not included in the CRAMM software but are still important to the
success of a CRAMM review.

18.2 Scheduling implementation


Method Concept: Depending upon the findings of the risk assessment,
implementation of agreed recommendations may be a separate project in its own
right. Whether this is the case or not, responsibilities will need to be allocated and
priorities and timescales set.
Management need to decide which countermeasures should be installed and, in some
cases, which should be removed or replaced. The following guidelines can be used to
help decide which countermeasures to implement and the relative priorities of the
measures:
using information from the Countermeasure Cost Report and
Prioritisation Report, identify those countermeasures which are likely to
fit within the budget. Ensure that no assets are left at too high a level of
risk exposure and that all identified threats have been responded to
within CRAMM there are six aspects of security which require
consideration when countermeasures are being applied to a system. These
are:
Physical
Personnel
Procedural
Communications
Environmental
Hardware
Software

The method recognises that effective control can only be achieved where
particular countermeasures are themselves supported by other
countermeasures. For example, when it is recommended that a task be
undertaken (a procedure), it may also be recommended that guidance is
drawn up (documentation) and possibly that staff be trained (personnel).
You should ensure that an appropriate mix of countermeasures from
different security aspects are implemented

CRAMM also acknowledges the need for layers of protection. The
countermeasures in CRAMM reflect the axiom 'prevention is better than
cure'. Recommendations made by CRAMM will contain a mix of
avoidance measures, measures that will reduce threat, vulnerability or
impact and measures that will enable an impact to be detected and then
recovered from. You should aim to ensure that balanced layers of
protection are implemented.
Other options available are to reduce the risk by making changes to the system, such
as removing highly sensitive data, or substituting an automated process with a
manual process.
Once agreement has been reached, you need to draw up a schedule for the
implementation of these decisions. This involves producing an Implementation Plan.
This plan should:
show all the countermeasure recommendations that need to be
implemented
identify who is responsible for implementing each of the
recommendations
estimate what resources are required to implement each recommendation
suggest when work should commence and the date by which the
recommendation should be implemented
identify who is responsible for checking that the recommendation has
been implemented correctly.
The starting point for an Implementation Plan should be the detailed Stage 3 reports.
For each recommendation you should agree with management the person or team of
people responsible for its implementation and the dates by which it should be
implemented.
Once the Plan has been produced and agreed, the CRAMM review can be considered
complete, but further work may be necessary to ensure that security of the system or
network continues to be maintained. For example, management could, as a result of
recommendations made during the review, consider arranging for compliance tests
to be carried out on countermeasures identified as being either already installed or
implemented.

18.3 Timing of the next review


Method Concept: The timing of the next review will depend upon the anticipated
level of future change.
Typically, a follow-up review should be carried out once every three years, or during
the planning phase of a major change to the IT system or network architecture.
It may also be useful to carry out a follow-up review after the issue of a new version
of CRAMM. The guidance contained in CRAMM will be kept up-to-date to reflect
changes in technology and advice given by the authorities. When you receive a new
version of the software, you may wish to consider how the changes in guidance affect
the reviews that you have already conducted. You can obtain details of all the
changes made to the countermeasures and the threat and vulnerability
questionnaires from your software supplier.

18.3.1 Reviewing changes


Method Concept: Where changes occur that could alter the risks facing the system,
and hence the requirements for security, the effect of the changes should be reviewed,
perhaps using the CRAMM What-If facility.
Security is never static and must be kept under constant review throughout the life of
the system or network. Management must consider how to review changes so that
they can assess their effect on either the existing levels of security or the overall
requirements for security.
The best method for reviewing such changes is to ensure that the organisation's
formal change control procedures take into account the need for security. The change
control form should ask the following questions:
does the proposed change affect the security of the system or network?
does the proposed change affect the requirement for security?
If the proposed change affects the security of the system, management can then
decide whether the change is acceptable or not. Where a proposed change affects the
requirement for security, all the parts of the system or network that could be affected
should be investigated. Such changes can usefully be modelled by using CRAMM's
What If facility (see section 17). This can help by:
identifying what parts of the system or network are likely to be affected
by the change
assessing whether the risks will change
identifying additional countermeasures that may need to be implemented
where risks have increased
identifying countermeasures which may no longer be necessary where
risks have decreased.

18.3.2 The follow-up review


Method Concept: Even where the system operates in a well controlled
environment, with good security change management procedures, it is advisable to
undertake follow-up CRAMM reviews at regular intervals.
Provided that changes are managed effectively it may not be necessary to carry out a
follow-up review for several years. However, such a review will eventually become
necessary because some events are outside the scope of the change control
mechanism. For example, the security of the system could be affected by:
the perception that a threat is increasing or decreasing
changes in technology that make it easier or more difficult to mount
specific types of attack
changes to the business affecting the requirements for availability,
integrity or confidentiality.
In many cases these follow-up reviews can be conducted very quickly by making use
of the details already documented within CRAMM and in the management reports
produced for previous reviews. However, you need to check this information to
ensure that it is still accurate.

18.4 Tidying up
Method Concept: To allow changes to be modelled effectively, and to support
follow up reviews, the CRAMM database relating to the review and all supporting
paper and electronic documentation may need to be tidied up.
On completion of the CRAMM review you should ensure that all documentation is
tidy and accessible, and that all reference documents are clearly marked and stored
securely. A copy of both the review data and CRAMM software should be made and
stored with the reports, preferably at a separate location from the PC running the
CRAMM software.

18.5 Section summary


This section has described how to schedule the implementation of recommendations
from a CRAMM review, establish the timing for the next review, and tidy up the
review files.

19. CRAMM software administration facilities


19.1 Introduction
This section describes how to carry out software administration activities for the
CRAMM software.
The CRAMM Administration screen is shown below:

Figure 19-161: CRAMM Administration screen

19.2 General Configuration


You can configure the following options:
whether to run the software in novice or expert mode. If you run in novice
mode you will see more messages asking you to confirm the actions you
request
whether a confirmation dialog box is displayed when you choose a delete
action
whether to display help information for the field which the mouse cursor
is on in the status bar at the bottom of the application window
the screen background colour; the default is grey
whether dates should be displayed in the long or short formats which
have been set in the Windows configuration.

To set the software options:


Step
1 In the System Admin application, from the Administration menu choose
General Configuration. The CRAMM Options screen is displayed, as
shown in Figure 19-162.

Figure 19-162: CRAMM Options screen


2 To set the user level, select the Novice or Expert option button.
3 Select or clear the Confirm on delete check box as required.
4 Select or clear the Display the window status bar check box as required.
5 Select or clear the Display dates in long format check box as required.
6 To change the screen background colour, press the Change Background
Colour button. A standard Windows colour dialog box is displayed in
which you can select a colour. For further details see the Control Panel
section of the Microsoft Windows Users Guide for the version of
Windows that you are using.

19.3 Maintain Tool Password


To change the password that is prompted for when you enter the software:
Step
1 In the System Admin application, from the Administration menu choose
Maintain Password. If the software is password protected, the Tool
Authentication screen is displayed, as shown in Figure 5-4. Type the
current password into the Enter Password text box.
2 The Maintain Tool Password screen is displayed, as shown in Figure
19-163.

Figure 19-163: Maintain Tool Password screen


3 Type the new password into the New Password text box. Confirm the new
password by typing it again into the Confirm New Password text box.
4 Select the Do not password protect check box if you want CRAMM to be
accessible without a password.
5 If you decide that you do not wish to change the password, press the
Cancel button.

19.4 Back-up/Restore/Delete Reviews


19.4.1 Back up a Review
To make a back-up copy of a review:
Step
1 From the System Admin screen choose Backup/Restore/Delete review option.
The Backup/Restore Review screen is displayed, as shown in Figure
19-164.

Figure 19-164: Backup/Restore Review screen

2 Select the review you wish to back up in the Existing Reviews list box.
3 Press the Backup button.
4 If the review you selected is password protected, the Review
Authentication screen is displayed in which you need to type the
password.
5 The Backup Review to File screen is displayed for you to supply the
details of the file to which you want the back-up copy to be written. (This
is based on the standard Windows file browse screen.) The file will be
given the suffix .CRM.

6 A screen is displayed whilst the back-up is taking place that contains a
mobile activity indicator and a Cancel button.
Note that two files will be created by the back-up operation. Both will have the
filename supplied in step 6; one will have the suffix .CRM and the other will have the
suffix .CTL. If the review is undergoing a What If analysis, a further two files will be
produced with the suffixes .CRW and .CTW. All files must be present in the same
directory when the review is restored.
The following table summarises the types of files produced by the CRAMM Back-up
routine:

Extension   Contents of File
.CRM        This file holds the data entered during a CRAMM review
.CTL        This file holds control data about a particular review
.CRW        This file holds the data related to a What-if analysis performed on a CRAMM review
.CTW        This file holds the control data about a particular What if analysis

Table 19-1: CRAMM File Extensions


The information stored in the Access tool is recorded in an Access Database with the
same name as the review. To back-up this data, you should copy the Access
Database to a safe location.
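As an added example (not part of the CRAMM software or of this guide), the following Python script applies the rule stated above before a restore is attempted: a back-up set must contain the .CRM and .CTL files, and either both or neither of the .CRW and .CTW files, all in one directory. It also records a SHA-256 digest of each file so that the copy kept in a safe location can be compared with the original later; CRAMM itself records no such digest. The review names (PAYROLL, BRANCH), the file contents and the temporary directory are constructed for the demonstration.

```python
"""Pre-restore check for a CRAMM review back-up set.

Added example; not part of the CRAMM software or this guide. It applies the
rule from section 19.4.1: a back-up consists of <review>.CRM and <review>.CTL,
plus <review>.CRW and <review>.CTW only when a What If analysis was in
progress, and all of them must be in the same directory when restoring.
Review names, file contents and the temporary directory are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

REQUIRED = (".CRM", ".CTL")   # always written by the back-up routine
WHAT_IF = (".CRW", ".CTW")    # written only when a What If analysis is in progress


def backup_files(directory, review_name):
    """Map upper-cased suffix -> path for every file named after the review.

    Matching is case-insensitive: the guide writes the suffixes in upper case,
    and Windows file systems do not distinguish case anyway.
    """
    return {p.suffix.upper(): p for p in Path(directory).iterdir()
            if p.is_file() and p.stem.lower() == review_name.lower()}


def check_backup_set(directory, review_name):
    """Return (ok, missing, found) for the back-up of review_name in directory.

    ok is True when the set is restorable: both REQUIRED files are present and
    the What If pair is either complete or entirely absent. missing lists the
    suffixes whose absence would make the restore fail; found lists what is there.
    """
    present = backup_files(directory, review_name)
    missing = [ext for ext in REQUIRED if ext not in present]
    if any(ext in present for ext in WHAT_IF):
        # a What If back-up was taken, so its control file must travel with it
        missing.extend(ext for ext in WHAT_IF if ext not in present)
    return (not missing, missing, sorted(present))


def sha256_manifest(directory, review_name):
    """Map back-up file name -> SHA-256 hex digest.

    Keep this beside the copy stored in a safe location so a restored set can be
    compared with what was backed up. The digest is an addition of this example;
    CRAMM itself records nothing of the kind.
    """
    present = backup_files(directory, review_name)
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for ext, p in sorted(present.items()) if ext in REQUIRED + WHAT_IF}


def demo():
    """Run both checks over a constructed back-up directory."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # constructed: an ordinary, complete back-up of review PAYROLL
        (d / "PAYROLL.CRM").write_bytes(b"review data (constructed)")
        (d / "PAYROLL.CTL").write_bytes(b"control data (constructed)")
        # constructed: a What If back-up of review BRANCH whose .CTW is missing
        (d / "BRANCH.CRM").write_bytes(b"review data (constructed)")
        (d / "BRANCH.CTL").write_bytes(b"control data (constructed)")
        (d / "BRANCH.CRW").write_bytes(b"what-if data (constructed)")
        complete = check_backup_set(d, "PAYROLL")
        partial = check_backup_set(d, "BRANCH")
        manifest = sha256_manifest(d, "PAYROLL")
    return complete, partial, manifest


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The script only covers the four CRAMM back-up files; the Access database that shares the review's name, which the guide says must be copied separately, is outside the check and should be added to the same safe location by hand.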

19.4.2 Restoring a review


To restore a back up copy of a review:
Step
1 From the System Admin screen choose Backup/Restore/Delete Review option.
The Backup/Restore Review screen is displayed, as shown in Figure
19-164.
2 Type a name for the restored review into the Restore as (Review Name) text
box. This name must be different to those displayed in the Existing
Reviews list box.
3 Press the Restore button. The File to Restore Review From screen is
displayed (which is based on the standard Windows file browse screen).
Select the CRAMM back-up file to restore the review from and press the
OK button.
4 A screen is displayed whilst the back-up is being restored that contains a
mobile activity indicator. The CRAMM System Administration window
is disabled until the restore is complete.
19.4.3 Deleting a review
To delete a review:
Step
1 From the System Admin menu choose Backup/Restore. The Backup/Restore
Review screen is displayed, as shown in Figure 19-164.
2 Select the name of the review you wish to delete.
3 Press the Delete button.

19.5 Copying a review


To copy an existing review:
Step
1 From the System Admin menu choose Copy Review. This displays the Copy
Review screen, as shown in Figure 19-165.

Figure 19-165: Copy Review screen


2 Use the Copy from Review drop-down list box to select the review you wish
to copy from.
3 The Review Authentication screen is displayed, in which you need to type
your review password and press the OK button. (This screen is not
displayed if a password has not been set up for the review.)
4 Use Copy to Review drop-down list box to select the review you wish to
copy into.
5 Select the appropriate option button to either copy the whole review or
indicate how you wish to select part of the review to copy. The option
buttons are:
Copy Entire Review: copies the whole review
Locations: displays a list of the locations in the source review from which you can select those to copy to the new review
Physical Assets and their Locations: displays a list of the physical assets in the source review from which you can select those to copy to the new review. This also copies the locations of those assets to the new review
Software and Data Assets: displays a list of the software and data assets in the source review from which you can select those to copy to the new review
Asset Models: displays a list of the data asset/end-user service pairs for which asset models have been created in the source review. From this list you can select those to copy to the new review. This copies all of the assets in the asset models as well as the links between them
Asset Groups and Threat Vulnerability Assessment: displays a list of the asset groups in the source review from which you can select those to copy to the new review. This copies the asset groups, the assets in the groups, the threat/impact/asset group relationships and the threat and vulnerability questionnaire answers for the groups.

6 You can further qualify the above copy actions by selecting the following
check boxes:
Include Countermeasure Details: this copies details of countermeasures installed for the assets copied to the new review
Include Textual Information: this copies descriptive information held with assets, valuations and threat vulnerability questionnaire answers.

Note that only the given valuations of the assets are copied, not the
implied values calculated by the software. The latter must be recalculated
in the new review.
7 To add items to be copied to the new review, select from the list box in the
bottom right corner of the screen and press the Add button. This will add
the items selected to the Items to Copy list box. You can remove items from
the Items to Copy list box by selecting them and pressing the Remove
button.
8 When you are satisfied with the details you wish to copy, press the Copy
Items button.
9 You may copy as many reviews as you like before pressing the Close
button to return to the CRAMM System Administration window.

19.6 Modifying a review password


To change the password of the review you have open:
Step
1 In the CRAMM 5.1 application, from the Review menu choose Review
Information. The Maintain Review Textual Information screen is
displayed, as shown in Figure 14/2.
2 Press the Change Password button. If the review is password protected, the
Review Authentication screen is displayed, as shown in Figure 5-8. Type
the current password into the Enter Password text box.
3 The Maintain Review Password screen is displayed, as shown in Figure
19-166.

Figure 19-166: Maintain Review Password screen


4 Type the new password into the New Password text box. Confirm the new
password by typing it again into the Confirm New Password text box.
5 Select the Do not password protect check box if you want the review to be
accessible without a password.
6 If you decide that you do not wish to change the password, press the
Cancel button.

19.7 Maintain Impact Applicability


To change the defaults for the impact applicability guidance:
Step
1 From the System Administration menu, select the Maintain Impact
Applicability option.
2 The Maintain Impact Applicability screen is displayed, as shown below.

Figure 19-167: Maintain Impact Applicability screen


3 Select the threat that you are interested in.
4 Using the drop-down boxes, change the applicability of the threat to the
impacts it may cause to the settings that you wish to be given as default
guidance.

19.8 Maintain Status Flags


To maintain the status flags used when marking the installed status of
countermeasures:
Step
1 From the System Administration menu, select the Maintain Status Flag
option.
2 The Maintain Status Flag screen is displayed, as shown below.

Figure 19-168: Maintain Status Flag screen

3 Select the installed status that you are interested in.
4 Edit the text to reflect the terms that you wish to use when marking up
the status of the recommendations.

19.9 Maintain Value Ranges


To maintain the value ranges used when :
Step
1 From the System Administration menu, select the Maintain Value Ranges
option.
2 The Maintain Value Ranges screen is displayed, as shown below.

Figure 19-169: Maintain Value Ranges screen


3 You can either edit each row to reflect the scores that you want applied,
or enter a factor, in which case all the scores are multiplied by the factor
that you have entered.

19.10 Maintain Default Priority Factors


To maintain the default priority factors used when :
Step
1 From the System Administration menu, select the Maintain Priority
Factors option.
2 The Maintain Priority Factors screen is displayed, as shown below.

Figure 19-170: Maintain Priority Factors screen


3 Select the factor that you wish to edit, and change the default scoring to
reflect the scoring that you wish to use in future reviews.

19.11 Section summary


This section described how to use the CRAMM software administration facilities. It
covered how to maintain details of a review, configure the printer, configure the
software, modify the software and review passwords, display the status of a review
and browse through a review's assets.

Chapter 20
Further information about CRAMM

20. Further information about CRAMM


20.1 Introduction
The topics covered in this chapter are:
sources of further information about CRAMM and the countermeasures
referred to in the CRAMM countermeasure library
CRAMM training courses
CRAMM specialist help and assistance
the CRAMM User Group
the added value and benefits that CRAMM can bring.

20.2 Additional sources of information about CRAMM


20.2.1 CRAMM-specific documentation
The following documents provide further information about CRAMM and its use in
specific circumstances.
An Overview of CRAMM: This explains the CRAMM method to people who are
unfamiliar with it. It can be used when introducing CRAMM into an organisation or
providing briefings to senior management. It provides a brief summary of the major
activities conducted during a CRAMM review, together with an explanation of some
of the benefits that such reviews can deliver.
Management Guide to CRAMM: This describes the major tasks that are carried out
during a CRAMM review and provides details of the responsibilities of management
during such a review. It is aimed at those people who are on a CRAMM review board
or who have read An Overview of CRAMM and want to know more about what a
CRAMM review involves and what it will produce.
PRINCE Users Guide to CRAMM: This is aimed at project managers in charge of IT
development projects who are using PRINCE to control the development process. It
provides detailed guidance on how security can be tackled during such projects and
how CRAMM can help to produce the security-related deliverables.
CRAMM / SSADM V3 and V4 Guides: These guides explain how CRAMM can be
used during a development project using SSADM Version 3.0 or Version 4.0. They
explain how appropriate controls can be identified and incorporated into the design
of an application and the IT environment that supports it.

20.2.2 Other documentation


The following documents were used when constructing the CRAMM
countermeasure library. They are useful sources of further information about how
the recommendations may be implemented:
Manual of Protective Security, available to Government Departments
Information Technology Security Evaluation Criteria, published by the
Office for Official Publications of the European Communities
A Code of Practice for Information Security Management, (BS7799),
published by the British Standards Institute.

20.3 CRAMM training


CRAMM training courses are provided by a range of suppliers, including those
organisations that are licensed to market CRAMM. The courses provide a vital
introduction to the principles of CRAMM, together with practical guidance on the
use of the CRAMM software. They may also involve role playing some of the
reviewer activities within a risk assessment case study.
You cannot however become highly skilled in the use of CRAMM, or fully aware of
all of its practical applications, within the short timescale of a training course. The
gap between training and experience can best be tackled by ensuring that your first
review is of a small, local and non-critical system. Alternatively the review team
should include at least one person with previous experience of conducting a
CRAMM review.

20.4 CRAMM specialist help and assistance


Government departments and private organisations wishing to use CRAMM, but
who do not have any expert resources available in-house, can employ CRAMM
consultants.
It can also be useful to employ a CRAMM consultant as the leader of a review team
for a first review. This enables skills to be transferred to the organisation.
The official and commercial profiles of CRAMM can be tailored in order to meet an
individual organisation's specific requirements. The tailoring of the method can
involve changing any of the profile-specific elements, such as the threat and
vulnerability questionnaires, the asset classes and the detailed countermeasures.
Since the process of producing the profile is complex and requires an extensive
understanding of the method, it can only be undertaken by authorised CRAMM
licensees.

20.5 CRAMM User Group


The CRAMM User Group provides a forum for the exchange of ideas on the
application and use of CRAMM, and how to get the best out of the method. The
Group provides valuable assistance when enhancements to the CRAMM method are
being specified, and also helps to suggest improvements to the software and
supporting documentation.
Membership of the CRAMM User Group is recommended for all users of the
method. It provides an opportunity to talk to other users about their experiences and
how they overcame initial difficulties. This can help you to quickly become skilled in
the use of CRAMM.
The CRAMM User Group can be contacted at the following address:
CRAMM User Group
PO Box 2138
Reading
Berkshire, RG30 3YS.
Tel: 01734-591620.

20.6 CRAMM added value and benefits

When a CRAMM review has been completed the CRAMM software contains a
complete database of the system or network reviewed. It holds valuable information
covering all aspects of the system or network components and the data it processes.
This information can be used for system configuration management, where changes
or development to the system or network can be logged along with any changes to
the security requirements or countermeasures. The CRAMM database can be
beneficial to both the business and security aspects of IT systems as well as providing
a central point for audit information.

20.7 Section summary


This section provided details of further information on CRAMM. It covered
documentation, training courses, specialist help and assistance, the CRAMM User
Group, and the benefits that CRAMM can bring.

Annex A
Installing the CRAMM software

A Installing the CRAMM software


A.1 Hardware requirements

For reasonable performance the following is recommended:
Processor: Pentium II 600 MHz
RAM: 128 MB
Hard disk space: 100 MB on top of other requirements
Monitor: 800x600.

A.1.1 DOS and Windows configuration settings

The installation process makes the necessary changes to the following files to ensure
the correct configuration:
system.ini
config.sys
autoexec.bat.
If you have specific configuration requirements for other applications which you run
you should make back-up copies of these three files. Following the CRAMM
installation, you should compare the two sets of files to ensure that the needs of both
CRAMM and your other applications will be met.
The installation process puts the following files in your Windows directory:
sql.ini
cramm.ini
sentinel.386.

A.1.2 CRAMM and networks

Although it is possible to use the CRAMM software on some types of PC network,
this is not advisable as the performance is unlikely to be satisfactory. The software
can be used on a PC which is connected to a network for other purposes, such as
printing.

A.1.3 Dongle protection

CRAMM is supplied with a hardware dongle. You must ensure that the dongle is
connected to the parallel printer port before attempting to run the software. If you
remove the dongle whilst the software is running, the software will close down.
A.2 Software requirements

The CRAMM software will run in the following software environment:
Windows 98
Windows NT
Windows 2000
Windows XP
Please note, CRAMM will not run on Windows 3.1, Windows 3.11 or Windows 95
machines.

A.3 Installing CRAMM

To install the CRAMM software

In order to install the software carry out the following actions:

1. If you are installing CRAMM on a Windows NT, Windows 2000 or Windows
XP machine, you will need to log on to your machine as an administrator
2. Place the CD labelled CRAMM v5.1 in the machine
3. Run the application called Setup by selecting Run from the Start menu, and
then typing:
d:\setup
(if d: is the drive letter for your CD drive)
4. When prompted by the software, you can choose to install the user guide or the
Adobe Acrobat Reader
5. If you see messages about DLLs in use, please take a note of the names of
these DLLs but choose the Ignore option
6. Reboot the machine when prompted by the software
7. You should now be able to run the CRAMM software. Remember the software
is copy protected, by the use of a dongle, so you will need to have the dongle
in the printer port before you can run the software
Once CRAMM has started, you should select New from the Review Menu in order
to create a new review.
After the CRAMM V5.1 software has been installed, a shortcut will appear on the
desktop which can then be used to start up the CRAMM software.

You can uninstall the CRAMM software using the Add/Remove Programs option from
the Control Panel. You will need to uninstall the Centura component of the
CRAMM software and the Access component of the CRAMM software separately.
Once you have removed all these components you will find that the CRAMM51
directory still remains because the uninstall program will not delete the Access
databases that contain some of the information you entered during the review. If you
no longer require these databases it is safe to delete the CRAMM51 and CRAMM
v5.1 Access Database directories.

Annex B
Glossary of terms

B. Glossary of terms

Term Definition

Abnormal termination, Abnormal end, Abend (abbreviation): An unplanned cessation of processing.

Abort sequence: A specified bit pattern, occurring anywhere in the bit stream, that is used to terminate transmission of a frame prematurely.

Abstract syntax: The specification of application layer data or application protocol control information by using notation rules that are independent of the encoding technique used to represent them.
Remark: Definition from ISO 8822, num. 3.4.3.

Acceptance test: The test of a system or functional unit, usually performed by the purchaser on his premises after installation with the participation of the vendor, to ensure that the contractual requirements are met.

access category: A grouping of users or resources having similar access rights.

Access control: The prevention of unauthorised use of a resource, including the prevention of use of a resource in an unauthorised manner. (ISO 7498-2/3.3.1)

Access control matrix: A two-dimensional matrix representing subjects on the rows and objects on the columns and in which each entry represents the access right by that subject to that object.

Access control procedures: Hardware, firmware or software features, operating procedures, management procedures, and various combinations of these designed to detect and prevent unauthorised access and to permit authorised access to a system or network.

Access level: The hierarchical portion of the security level used to identify the classification of objects and the clearance or authorisation of subjects.

Access list: A list of users or classes of users specifically granted access to data, processes, or other resources.

Access permission: All of a user's access rights with respect to some data or programs.

Access port: A logical identifier or physical entry that a computer uses to distinguish different input or output data streams.

Access right: The right granted to a user to access some data or programs and use them in a particular manner.
Example: The right to read a file, the right to write a file, the right to delete a file, the right to place files on a volume, the right to cause execution of an object program.

Accidental threat: The threat to a system or network that exists with no premeditated intent. (ISO 7498-2/A.2.4.1)
NOTES
1 Examples of realised accidental threat include system malfunctions, operational mistakes and software bugs.
2 Contrasts with intentional threat - see also active threat, passive threat and physical threat.

Accountability: The property that ensures that the actions of an entity may be traced uniquely to the entity. (ISO 7498-2/3.3.3)

Accounting: Recording the creation, transmission, modification, or deletion of types of information. (ISO 7498-2/3.3.3)

Accreditation: The authorisation and approval granted to a data processing system or network to process classified information in its operational environment.

Active threat: The threat of a deliberate unauthorised change to the state of the system. (ISO 7498-2/3.3.4)
NOTES
1 Examples of security relevant active threats may be modification of messages, replay of messages, insertion of spurious messages, masquerading as an authorised entity and denial of service.
2 Other examples: malicious software, unauthorised access.
3 Contrasts with passive threat - see also accidental threat, intentional threat and physical threat.

Address administration: The assignment of LAN addresses locally or on a universal basis.

Address resolution protocol, ARP (abbreviation): A special frame used to find a node address. Functionality depends on protocol used.

Application association: A co-operative relationship between two application entities for the purpose of communication of information and co-ordination of their joint operation.
NOTE - An application association is supported by the exchange of application protocol control information using the presentation service.

Application configuration access protocol, ACAP (abbreviation): This is an independent service which allows a client to access configuration information and preferences from a central location.

Application layer: The layer that provides means for the application processes to access the OSI environment.
NOTES
1 This layer provides means for the application processes to exchange information and it contains the application-oriented protocols by which these processes communicate.

Application Software Asset: An application software program (or suite of programs) written to carry out a specific business process.

Application service element: That part of an entity of the application layer that provides a capability within the OSI environment, using underlying services when appropriate.

archive file: A file out of a collection of files set aside for later research or verification, for security or for any other purposes.

archived file: A file for which an archive file exists.

archiving: The storage of backup files and any associated journals, usually for a given period of time.

ASCII format file: A plain text file, with no formatting included.

Asset: A component or part of the total system. Assets may be of four types: physical, application software, data, end user services.

Asset Group: A group of assets that can be conveniently considered together for the purpose of investigating threats or vulnerabilities.

Asset Model: A model of the system or network under review which shows the linkages between different types of asset.

association control service element, ACSE (abbreviation): An application service element that provides a single consistent means for establishing and terminating all application associations.

Assurance: The confidence that a system or product or a feature of a system or product is free from vulnerability.

Assurance Level: A measure of assurance as defined in an assurance standard, such as ITSEC.

Attack: An activity which threatens the confidentiality, integrity or availability of a system or network.

Audit: Monitoring to detect and warn of events that might threaten security, or the investigation of suspected or detected breaches of security.

audit events: Logged data items, which are especially recorded for auditing purposes.

audit trail: Data, in the form of a logical path linking a sequence of events, used for tracing the transactions that have affected the contents of a record.

audit-review file: A file created by executing statements for the explicit purpose of providing data for auditing.

Authentication: The process of verifying a claimed identity.

Authorisation: The granting of rights. (ISO 7498-2/3.3.10)
NOTE - Authorisation includes the granting of access based on access rights.

authorization type: The purpose for which access may be gained or the action which may be authorized, such as: read, write, append, modify, delete, create.

automatic check, built-in check, hardware check: A check performed by equipment built in specifically for checking purposes. Contrast with programmed check.

automatic data processing security (ADPSEC): The application of security measures to automatic data processing systems or networks, in order to protect against, or prevent, exploitation, modification (including destruction) or denial of service, through interception, unauthorised electronic access, or related technical intelligence threat.
NOTE - Such measures include computer and communications security, and also procedural, physical, personnel and document security.

Availability: The property of being accessible and usable upon demand by an authorised entity. (ISO 7498-2/3.3.11)

Backtrack: A CRAMM facility that allows you to identify the factors that led to a particular countermeasure being recommended.

Backup: Provisions and procedures for continued operation of a system and for recovery of the data files, program libraries, and replacement data processing systems and facilities after a disaster, system failure, or any type of damage. See also standby system.

backup file, job-recovery control file: A copy of a file made for possible later reconstruction of the file.

backward (file) recovery: The reconstruction of an earlier version of a file by using a newer version and data recorded in a journal.

baseband LAN: A local area network in which data are encoded and are transmitted without modulation of carrier.

batch total: A total accumulated from certain field(s) in a computer record or batch of source documents or file of punched cards to provide a check that all records were present during processing.

batch-header document: A document that accompanies and identifies a batch of input documents and that may be used to validate them.
Example: A document that includes balances, control totals, hash totals or checksums.

Beginning-of-file label, (file) header label, HDR (abbreviation), Header label (HDR): An internal label that identifies a file, marks its location, and contains data for use in file control.

Bell-LaPadula model: A formal computer security policy model that describes a specific set of access control rules, based on the security clearances of subjects and the classification levels of objects.

benchmark (test): A test that uses a representative set of programs and data designed to evaluate the performance of computer hardware and software in a given configuration.

benchmark testing: The running of particular programs or program suites in order to measure relative or absolute performance of hardware and systems software under specified conditions.

bounds checking: Testing an access request or memory reference for boundary violations.

bridge: A functional unit that interconnects two local area networks that use the same logical link control protocol but may use different medium access control protocols.

broadband LAN: A local area network consisting of more than one channel, in which data are encoded, multiplexed, and transmitted with modulation of carriers.

BS 7799: The British Standard for Information Security Management.

Building: A single structure separated from others which is separately controllable for purposes of physical access.

bus network: A local area network in which there is only one path between any two data stations and in which data transmitted by any station are available to all other stations connected to the same transmission medium.
NOTE - A bus network may be a linear network, a star network, or a tree network.

Business Continuity Planning: The process by which an organisation develops plans to handle and recover from disruptions to business processes, whether related to the IT service or not.

called service user: A service user with which a calling service user wishes to establish a connection.

calling service user
A service user that initiates a request for the establishment of a connection.

carrier sense
In a local area network, an ongoing activity of a data station to detect whether another station is transmitting.

caveat (information category)
A type of information category used to define groups of mutually exclusive subjects who may be given access rights to the information.

CCTA - The Government Centre for Information Systems
Part of the Office of Public Service and Science, CCTA provides guidance to government departments on all aspects of Information Technology.

certificate authority / CA (abbreviation)
A certificate authority distributes public keys and is central to the process of verification of digital signatures. It is based upon a digital certificate server.

certification
The issue of a formal statement, supported by an independent review of the conduct and results of an evaluation, of the extent to which a data processing system or network meets the security requirement, or a computer security product meets pre-defined security claims.

character check
A check that verifies the observance of rules for the formation of characters.

check
A process for determining accuracy.
See also arithmetic check, automatic check, built-in check, character check, duplication check, echo check, hardware check, marginal check, mathematical check, modulo-n check, odd-even check, parity check, programmed check, residue check, selection check, self-checking code, sight check, summation check, transfer check.

check bit
A binary element associated with a character signal or a block signal for the purpose of checking the absence of error within the character or block. (IEC 721.08.46)

check digit [check character]
A check key consisting of a single digit [character].

check key
One or more characters derived from and appended to a data item, that can be used to detect errors in the data item.

check problem
A problem with a known solution used to determine whether a functional unit is operating correctly.
Annex B
Glossary of terms


checksum
The sum of a group of data associated with the group and used for checking purposes.
NOTE -- The data are either numeric or other character strings regarded as numeric for the purpose of calculating the checksum.

commitment, concurrency and recovery / CCR (abbreviation)
An application service element that controls operations performed by two or more application processes on shared data to ensure that the operations are performed either completely or not at all.

Communications Electronic Security Group (CESG)
CESG is part of the Government Communication Headquarters (GCHQ). It is the security authority on technical (IT and communications) issues for UK Government Departments.

communications security (COMSEC)
The application of security measures to telecommunications in order to deny unauthorised persons information of value which might be derived from the possession and study of such telecommunications or to ensure the authenticity of such telecommunications.
NOTE -- Such measures include crypto, transmission and emission security; and also include procedural, physical, personnel, document and computer security.

compartment
A block of sensitive information to which are applied special handling procedures associated with the category designation of the information and the general class of people who may have access to the information.
NOTE -- Information in a compartment may belong to one or more information categories.

compartmentation
Segregation of information in order to provide protection against unauthorised access by other users or programs.

completeness check
A check to determine whether data are present where data are required.

compromise
A violation of the security system such that an unauthorised disclosure, modification or destruction of sensitive or classified information may have occurred or that a denial of service condition has been induced.

computer security (COMPUSEC)
The application of hardware, firmware and software security features to a computer system in order to protect against, or prevent, the unauthorised disclosure, manipulation, modification or deletion of information or denial of service.

computer security feature
Hardware, firmware or software which are part of, or added to, a computer system to enhance overall security.

computer-system audit
An examination of the procedures used in a computer system to evaluate their effectiveness and correctness, and to recommend improvements.

concrete syntax
Those aspects of the rules used in the formal specification of data that embody a specific representation of that data.
Remark: Definition from ISO 7498, num. 7.2.1.1.

Confidential
A Protective Marking within the UK Government's Protective Marking Scheme.

confidentiality
The property that information is not made available or disclosed to unauthorised individuals, entities or processes. (ISO 7498-2/3.3.16)

confirm primitive
A primitive issued by a service provider to indicate that it has completed a procedure previously invoked by a request primitive at the same service access point.

connection
In Open Systems Interconnection architecture, a cooperative relationship established by a given layer between two or more entities of the next higher layer for the purpose of data transfer.

connectionless-mode transmission / connectionless transmission
The transmission of a single unit of data from a source service access point to one or more destination service access points without establishing a connection.

connection-mode transmission / connection-oriented transmission
The transmission of units of data from a source service access point to one or more destination service access points by means of a connection.
NOTE -- The connection is established prior to data transfer and released following data transfer.

contingency procedure
A procedure that is an alternative to the normal path of a process if an unusual but anticipated situation occurs.
NOTE -- A contingency procedure may be triggered by events such as an overflow or an operator intervention.

control total
A total established for a file or group of records during a specific operation to check that the processing operation has been applied to all records. The total may be significant in itself.
See also check sum, hash total.

controlled accessibility
The protection achievable by the set of computer-based security and integrity measures.

correspondent entities
Entities in the same layer that have a connection between them at the next lower layer.

covert channel
A communication channel that allows a process to transfer information in a manner that violates the system's security policy.
NOTE -- A covert channel typically communicates by exploiting a mechanism not intended to be used for communication.

covert storage channel
A covert channel that involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process.
NOTE -- Covert storage channels typically involve a finite resource (for example, sectors on a disc) that is shared by two subjects at different security levels.

covert timing channel
A covert channel in which one process signals information to another by modulating its own use of system resources in such a way that this manipulation affects the real response time observed by the second process.
NOTE -- The system resource modulated may be, for example, computer unit time.

Countermeasure
A check or restraint on a system, designed to enhance security in one of the following ways:
reducing the threat of an attack occurring
reducing the vulnerability to an attack
reducing the impact of an attack
detecting an attack
recovering from an attack.

Countermeasure Category
CRAMM's countermeasure library is hierarchical in structure. Countermeasures can be in one of the following three categories:
Security Objectives
Functions
Examples or implementation options.

Countermeasure Library
The collection of countermeasures held by the CRAMM software.

Cross-footing
Checking in which individual columns are totalled and the sum of these totals is compared with the sum of the totals of the individual rows.

Cryptographic security (CRYPTOSEC)
The application of security measures, including the application of physical security measures to the cryptographic equipment and associated key material, in order to protect against the exploitation of information during transmission.

CSV format file
Comma Separated Values format file. A file containing values separated by commas.

cyclic redundancy check / CRC (abbreviation)
A redundancy check in which the extra digits or characters are generated by a cyclic algorithm.

Data Asset
A set of related information that can be conveniently considered together in assessing its value to the organisation.

data authentication
A process used to verify the integrity of transmitted data, especially a message.
NOTE -- Not to be confused with user authentication.

data corruption / data contamination
A violation of data integrity.

data degradation
A reduction of the information content of data by the removal, or corruption of existing data or the addition of extraneous data.

data encryption standard / DES (abbreviation)
An encryption standard used by the US Government to protect sensitive but not classified data.

data integrity
The data quality that exists as long as accidental or malicious destruction, alteration, or loss of data does not occur.

data link layer
The layer that provides services to transfer data between network layer entities, usually in adjacent nodes.
NOTES
1 The data link layer detects and possibly corrects errors that may occur in the physical layer.

data processing system security / computer system security
The technological and administrative safeguards established and applied to a data processing system to protect hardware, software, and data from accidental or malicious modifications, destruction, or disclosure.

data protection
The implementation of appropriate administrative, technical or physical means to guard against the unauthorized interrogation and use of procedures and data.

Data Protection Act
The Data Protection Act (1998) is concerned with the protection of personal information.

data quality
The correctness, timeliness, accuracy, completeness, relevance, and accessibility that make data appropriate for their use.

data security
The protection of data from either accidental or unauthorized intentional modification, destruction, or disclosure.

data validation
A process used to determine if data are inaccurate, incomplete, or unreasonable.
NOTE -- Data validation may include format checks, completeness checks, check key tests, reasonableness checks and limit checks.

data-dependent protection
Application of protection to individual data elements but not uniformly to the entire file.

Dedicated security mode
A mode of operation in which ALL individuals with access to the data processing system or network are cleared to the highest classification level of information stored, processed or transmitted within the data processing system, and with a common need-to-know for ALL of the information stored, processed or transmitted within the data processing system or network.
NOTES
1 The common need-to-know indicates there is no mandatory requirement for computer security features to provide separation of information within the data processing system or network.
2 Other security features (for example, physical, personnel and procedural) shall conform to the requirements for the highest classification level and all category designations of the information stored, processed or transmitted within the data processing system or network.
3 Contrasts with "System High security mode" and "Multi-Level security mode".

Departmental Security Officer (DSO)
A person who is responsible for establishing and enforcing departmental security policy. This includes the application of minimum standards and system accreditation. A DSO will report to the permanent head of a government department.

Dependencies
Relationships between different types of asset which are implicit in an asset model. Assets can either be dependent on other assets, depended on by other assets, or both.

denial of service
The prevention of authorised access to resources, or the delaying of time-critical operations. (ISO 7498-2/3.3.25)

descriptive top-level specification / DTLS (abbreviation)
A specification that is written in a natural language (for example, English), an informal program design notation, or a combination of the two.

digital certificate server / DCS (abbreviation)
The central point of management for multiple public keys, also known as Certificate Authorities.

Directory service / DS (abbreviation)
An application service that translates the symbolic names used by application processes into the complete network addresses used in an OSI environment.

Discretionary access control
A means of controlling access to objects by giving identified subjects with a permission to access authorisation to pass that permission on to any other subject unless restrained by mandatory access control.

Distance vector routing / DVR (abbreviation)
Dynamic routing technique where a router builds its table from information obtained secondhand from tables advertised by adjacent routers. The routing information protocol (RIP) is based on distance vectors.

Document security
The application of security measures, in order to ensure the proper classification marking, receipt, exchange, dissemination, storage, de-classification and destruction of documents.
NOTE -- The term "document" means any letter, note, minute, report, memorandum, signal or message, sketch, photograph, film, map, plan, chart, notebook, carbon, typewriter ribbon, etc. or other information medium (for example, computer storage media).

Domain name services / DNS (abbreviation)
A service responsible for mapping host names to IP addresses and vice versa.

drop cable
The cable that connects a data station to a trunk coupling unit.

Duplication check
A check based on the consistency of two independent performances of the same task.

echo check / loop check
A check to determine the correctness of the transmission of data in which the received data are returned to the source for comparison with the originally transmitted data.

Emission security (EMSEC)
The application of security measures, in order to protect against the capturing of information through intercept and analysis of compromising emanations from electronic equipment.

end open system
An open system that provides services directly to end users.
Alternatively: An open system which is the source or the sink of the data for a given instance of communication.
Reason: The phrase "end user" is ambiguous (if this phrase designates the operator before a terminal, the definition is not true).

end-of-file label / trailer label / EOF (abbreviation)
An internal label that indicates the end of a file and that may contain data for use in file control.
NOTE -- An end-of-file label may include control totals for comparison with counts accumulated during processing.

end-of-volume label / EOV (abbreviation)
An internal label that indicates the end of the data contained in a volume.

End User Service
A description of the type of service provided to the end user (where the end user can be either a human being or an automated process). Possible end-user services include electronic mail, application to application messaging, electronic document interchange, web browsing, ad-hoc file transfer, interactive session, batch processing, voice and video.

entity
In Open Systems Interconnection architecture, an active element within a subsystem.
NOTE -- Cooperation between entities in a layer is controlled by one or more protocols.

error control software
Software that monitors a computer system to detect, record and possibly to correct errors.

error recovery
The process of correcting or bypassing the effect of a fault to restore a computer system to a prescribed condition.

error-correcting code
An error-detecting code designed to allow for the automatic correction of certain types of errors.

ethernet frame
An ethernet frame is a set of digital pulses transmitted onto the transmission media in order to convey information.

evaluation
The detailed technical examination, by an appropriate authority, of the security aspects of a data processing system or network, or computer security product.
NOTES
1 The evaluation investigates the presence of required security functionality, the absence of compromising side-effects from such functionality and assesses the incorruptibility of such functionality.
2 The evaluation determines the extent to which the security requirements of a data processing system or network, or the security claims of a computer security product, are satisfied and establishes the assurance level of the data processing system or network, or the computer security product's trusted function.

expedited data unit
A short service data unit whose delivery to a peer entity in the destination open system is ensured before the delivery of any subsequent service data units sent on that connection.

expiration check / retention period check
A comparison of a given date with an expiration date.
Example: An expiration check for a record or a file

exploitable channel
Any channel that is usable or detectable by subjects external to the Trusted Computing Base.

external label
A label, usually not machine-readable, attached to a data medium container.
Example: A paper sticker attached to the outside of a magnetic storage device.

fail-safe
The condition whereby, if a system malfunction occurs, the system reverts to a non-optimum but still correct operation.
See also crippled mode.

failsoft
Pertaining to a computer system continuing to function because of its fault tolerance.

fatal error
An error that renders further execution, if any, to produce meaningless results.

fault threshold
A prescribed limit to the number of faults in a specified category which, if exceeded, requires appropriate action.
NOTE -- Such actions may include notifying the operators, running diagnostic programs or reconfiguration to exclude a faulty unit.

fault tolerance (computer system) / resilience
The ability of a computer system to continue to operate correctly even though one or more of its component parts are malfunctioning.

fault trace
A record of faults, obtained by a monitor, that reflects the sequence of states that immediately preceded the occurrence of the faults.

fault-rate threshold
A fault threshold expressed in terms of the number of faults in a prescribed period of time.

Feasibility Study
A feasibility study may be undertaken as part of a development project. The objective of a feasibility study is to allow an informed decision to be taken on whether to commit resources to developing a system. The business and technical feasibility, and potential costs and benefits, are examined as far as they can be at this stage.

fetch protection
A mechanism to prevent the unauthorized reading of data from storage.

file clean-up
The removal of superfluous or obsolete data from a file.

file protection
A method or routine to prevent the overwriting of data held in a file.
See also file security.

file security
The hardware, software, physical or procedural measures adopted to prevent unauthorized users from gaining access to system files and programs.
See also file protection.

file transfer protocol / ftp (abbreviation)
A service used to transfer session commands.

file transfer, access and management / FTAM (abbreviation)
An application service that enables user application processes to move files between end open systems and to manage and access a remote set of files, which may be distributed.

firewall
A firewall is a system or group of systems which enforces an access control policy.

flaw
An error of commission, omission or oversight in a data processing system or network that allows protection mechanisms to be bypassed or disabled.

flaw hypothesis methodology
A system analysis and penetration technique where specifications and documentation are analysed to establish a list of hypothesised flaws which are prioritised on the basis of the estimated probability that a flaw actually exists and, assuming it does, on the ease of exploiting it and on the extent of control or compromise it would provide.

flow regulator
A security feature in a system which may be used to restrict the flow of information in accordance with defined principles, system security policy and system requirements.

formal proof
A complete and convincing mathematical argument, presenting the full logical justification for each proof step, for the truth of a theorem or set of theorems.
NOTE -- The formal verification process uses formal proofs to show the truth of certain properties of formal specification and for showing that computer programs satisfy their specifications.

formal security policy model
A mathematically precise statement of a security policy.
NOTES
1 Such a model must define a "secure" state, an initial state, and how the model represents changes in state. The model must be shown to be "secure" by proving that the initial state is "secure" and that all possible subsequent states remain "secure".
2 Some formal modelling techniques include: state transition models, temporal logic models, denotational semantics models, algebraic specification models.

formal top-level specification / FTLS (abbreviation)
A specification that is written in a mathematical language to allow theorems showing the correspondence of the system specification to its formal requirements to be hypothesised and formally proven.

formal verification
The process of using formal proofs to demonstrate the consistency of the specification of a system with a formal security policy model or with its program implementation.
NOTE -- See also formal proof, formal top-level specification and formal security policy model.

format check
A check to determine whether data conform to a specified layout.

forward recovery
The reconstruction of a newer version of a file by updating an earlier version with data recorded in a journal.

frame check sequence / FCS (abbreviation)
The frame check sequence is used to ensure that the data received is actually the data sent.

ftp-data
A service used to transfer actual file information.

Functional security testing
The portion of security testing in which the advertised features of a system are tested for correct operation.

Gateway
Devices used in the IP world to connect logical networks. Also known as router.

Gopher
A simple yet powerful file retrieval tool.

Grandfather-father-son cycle
A cyclical period covering three file generations during which a file is not destroyed or over-written, thus facilitating recovery in the event of loss of information in a subsequent run.

group user
A user of a system whose system identification is associated with the name of a defined group of users on that system.

guard processor
A processor that provides a security filter function.

Hacker
In computing, a computing enthusiast who enjoys exploiting a data processing system or network for either curiosity or malevolent reasons.

Handshaking procedure / Password dialogue
A user-computer dialogue to identify the user and then authenticate his identity through a sequence of questions and answers based on information known only to that user.

Hardware lockout
A means (normally an electrical switch) whereby the transfer of data or program to a peripheral device or, exceptionally, an area of the core store, is physically inhibited.

hash total
The result obtained by applying an algorithm to a set of heterogeneous data for checking purposes.
Example: A summation obtained by treating items of data as numbers.

Hub
A hub is a multiport repeater.

hypertext transfer protocol / http (abbreviation)
Used to communicate between Web browsers and Web clients. Every request for information creates a single session which is terminated once that request has been completed.

Identification
The process that enables, generally by the use of unique machine-readable names, recognition of users or resources as identical to those previously described to the data processing system or network.

Impact
The effect on the organisation of a breach in security.

indication primitive
A primitive issued by a service provider either to indicate that it has invoked a procedure or to indicate that a procedure has been invoked by the service user at the peer service access point.

individual accountability
The system ability to associate positively the identity of a user with the time, process and access level to the system.

individual user
A user of a system whose system identification is unique, in that no other user on that system has that same identification.

Information category
A grouping of objects to which a non-hierarchical restrictive label is applied.

Information System (IS)
Any procedure or process, with or without IT support, that provides a way of acquiring, storing, processing or disseminating information. Information systems include applications and their supporting infrastructure.

Information Technology (IT)
The term used to encompass the methods and techniques used in information handling and retrieval by automatic means, including computing, telecommunications and office systems.

Information Technology Security Evaluation Criteria (ITSEC)
A European Commission publication that formally defines a set of criteria for the evaluation of information systems against pre-determined levels. For UK Government Departments the appropriate evaluation level must be determined by using Infosec Standard No. 1.

Initiation
A key planning progress control mechanism, designed to get a project started in the right direction under appropriate control.

Integrity
The preservation of information and the information handling process in its original or intended form unless it is altered by authorised users in an authorised manner.

intentional threat
The threat which may range from casual examination using easily available monitoring tools to sophisticated attacks using special system knowledge. (ISO 7498-2/A.2.4.2)
NOTES
1 An intentional threat, if realised, may be considered to be an "attack".
2 Contrasts with accidental threat - see also active threat, passive threat and physical threat.

internal label
A machine-readable label, recorded on a data medium, that provides information about data recorded on the medium.

Internal labelling
Recording of the identifier or the description of the contents in the storage medium.

internet control message protocol / ICMP (abbreviation)
Supports the IP protocol rather than transmitting user data. Ping is an example, using ICMP to ensure that there is connectivity between two hosts.

internet message access protocol / IMAPn (abbreviation, see note)
An evolutionary development of post office protocol for handling e-mail, it permits an additional connection mode referred to as disconnected, in which the client receives only a copy of the message, the original being left on the IMAP server.
NOTE: IMAPn (where n is the version number: the latest is IMAP4)

IT Security Officer (ITSO)
A central point of contact for IT security within an organisation, usually responsible for advising on the implementation of security policy.

job transfer and manipulation / JTM (abbreviation)
An application service that enables user application processes to transfer and manipulate documents relating to processing tasks and to direct the execution of those tasks.

Journal / log
A chronological record of data processing operations.
NOTE -- The journal may be used to reconstruct a previous or an updated version of a file.

key matching
The technique of comparing the keys of two or more records to select some of them for a particular stage of processing and to reject the other ones.

Keystroke verification
The verification of the accuracy of data entry by the re-entry of the same data through a keyboard.

LAN broadcast
Sending of a frame that is intended to be accepted by all other data stations on the same local area network.

LAN broadcast address / LAN global address
A LAN group address that identifies the set of all data stations on a local area network.

LAN gateway
A functional unit that connects a local area network to another network using different protocols.
NOTES
1 The network may be another local area network, a public data network, or another type of network.

LAN group address
An address that identifies a group of data stations on a local area network.

LAN individual address
An address that identifies a particular data station on a local area network.

LAN multicast
Sending of a frame that is intended to be accepted by a group of selected data stations on the same local area network.

LAN multicast address
A LAN group address that identifies a subset of the data stations on a local area network.

LAN server
A data station that provides specific services to other data stations on a local area network.
Example: File server, print server, mail server.

Lattice
A partially ordered set, for which every pair of elements has a greatest lower bound and a least upper bound.

Layer
In the Open Systems Interconnection reference model, one of seven conceptually complete, hierarchically arranged groups of services, functions, and protocols, that extend across all open systems.

leapfrog test
A check routine that copies itself through storage.

least privilege
Security status requiring that each subject in a system be granted the most restrictive set of privileges needed for the performance of authorised tasks.

limit check
A check to determine whether a value lies above or below, or has reached, a stipulated limit.

link state routing / LSR (abbreviation)
An enhanced routing technique which, unlike distance vector routing, builds tables from information supplied directly from other routers on the network.

local address administration
Address administration in which all LAN individual addresses are unique within the same local area network.

local area network / LAN (abbreviation)
A computer network located on a user's premises within a limited geographical area.
NOTE -- Communication within a local area network is not subject to external regulations; however, communication across the network boundary may be subject to some form of regulation.

lock and key protection system
A protection system that involves matching a key or password with a specific access requirement.

logic bomb
A resident computer program that triggers the perpetration of an unauthorised act when particular states of the system are realised.

longitudinal parity check
A parity check on a row of binary digits that are members of a set forming a matrix.
Example: A parity check on the bits of a track in a block on a magnetic tape.

malicious logic
Hardware, firmware or software that is intentionally included in a system for the purpose of causing loss or harm.
NOTE -- For example, Trojan Horses.

Mandatory access control A means of restricting access to objects based on the


MAC (abbreviation) sensitivity, as represented by a label, of the
information contained in the objects and on the formal
authorisation of subjects to access information of such
sensitivity.

Manufacturing message service An application service that enables a supervisory


MMS (abbreviation) computer to control the operation of a distributed
community of computer-based devices in a network
used for manufacturing or process control.
Manual of Protective Security A document that provides guidance to Government
Departments on all aspects of security
Masquerade The pretence by an entity to be a different entity.
(ISO 7498-2/3.3.36)

Alternatively :
An attack on a system in which an unauthorised entity
pretends to be an authorised one for the purpose of
gaining access to system assets.

Measures of Risks A figure based on a scale of one (low) to seven (high) which represents
the need for security. It is based on a combination of threat rating, vulnerability rating
and asset value.
media access control address (MAC address) A number used by all systems attached to a
network to uniquely identify themselves.

Medium access control (MAC) A technique used to establish the sequence of data stations
that are in temporary control of the transmission medium.

Medium interface connector (MIC) In a local area network, the connector used to attach a
data station to a trunk coupling unit, *trunk cable, or drop cable.

Message handling service (MHS) An application service that provides a generalized
facility for exchanging electronic messages between systems.
Message-oriented text interchange system (MOTIS) See message handling service.

Minimum Standards National security standards which must be observed by all Government
Departments.
Mode of Operation There are four security Modes of Operation:
Dedicated
System High
Compartmented
Multi-level Secure.

Modulo-N check (residue check) A check in which a number is divided by a number N to
generate a remainder that is compared with the remainder previously calculated.

multi-level device A device that is permitted to simultaneously process data of two or
more security levels without risk of compromise.
NOTES
1 To accomplish this, sensitivity labels are normally stored on the same physical medium
and in the same form, for example machine-readable or human-readable, as the data being
processed.
Contrasts with single-level device.

multi-level network subject A network subject that causes information to flow through the
network at two or more security levels without risk of compromise.
NOTES
1 To accomplish this, sensitivity labels are transmitted along with the data.
Contrasts with single-level network subject.

multi-level secure system A system containing information with different sensitivities
that simultaneously permits access by users with different security clearances and
needs-to-know, but prevents users from obtaining access to information for which they
lack authorisation.

multi-level security mode A mode of operation in which NOT ALL individuals with access to
the data processing system or network are cleared to the highest classification level of
information stored, processed or transmitted within the data processing system or network,
and NOT ALL individuals with access to the data processing system or network have a
common need-to-know for the information stored, processed or transmitted within the data
processing system or network.
NOTES
1 This mode of operation permits, concurrently, the storing, processing or transmitting of
information of different classification levels and of mixed information category
designations.
2 The lack of all individuals being cleared to the highest level, associated with a lack of
common need-to-know, indicates that there is a requirement for computer security features
to provide selective access to, and separation of, information within the data processing
system or network.
Contrasts with "Dedicated security mode" and "System High security mode".

Multimedia internet mail extensions (MIME) Included in HTTP to support negotiation of data
types, allowing a Web browser to inform the server what file formats it can support.

NetBIOS over IP A pseudo-service which adds session layer support to enable the
encapsulation of NetBIOS traffic within an IP packet.

network file system A system which allows file sharing over a network.
NFS (abbreviation)

network layer The layer that provides for the entities in the transport
layer the means for transferring blocks of data, by
routing and switching through the network between
the open systems in which those entities reside.
NOTES
1 The network layer may use relay open systems.
network news transfer protocol (NNTP) A service, similar to e-mail, enabling news rather
than mail to be delivered to newsgroups.

Non-delivery The failure of information to reach its intended destination.
non-kernel security-related software (NKSR software) Security-relevant software, which is
executed in the environment provided by a security kernel, rather than as part of the
kernel.

null address In a frame, an address that is not associated with any station.
NOTE -- A null address may be used for maintenance purposes.
one-way regulator A flow regulator in a system which provides an overt
channel in one direction only.
NOTE -- For example, a one-way regulator may be
used to connect two elements of a system, where the
security class of the receiver dominates that of the
sender.
open system The representation within a generalized abstract model
of those aspects of a real open system that are
pertinent to its communication with other real open
systems.
open systems interconnection (OSI) The interconnection of open systems in accordance with
ISO standards and CCITT Recommendations for the exchange of data.
open systems interconnection reference model (OSI reference model) A model that describes
the general principles of open systems interconnection and the network architecture
resulting from those principles.
NOTES
1 This model, described in ISO 7498 and CCITT X.200, provides a framework for
co-ordinating the development of standards which refer to it.

OSI environment (OSIE) An abstract representation of the set of concepts, elements,
functions, services, protocols, as defined by the OSI reference model and the derived
specific standards which, when applied, enable communications among open systems.

OSI management The facilities to control, co-ordinate, and monitor the resources that allow
communication to take place in the OSI environment.

Operating System The software that controls the operational processes of an IT system.
overflow check A limit check to determine whether a representation of
data exceeds a stipulated length.

overt channel A path within a data processing system or network which is designed for the
authorised transfer of data.

parity bit A binary digit appended to a group of binary digits to make the sum of all the
digits, including the appended binary digit, either odd or even as predetermined.

parity check A redundancy check by which a recalculated parity bit is compared to the
predetermined parity bit.

passive threat The threat of unauthorised disclosure of information without changing the
state of a system.
(ISO 7498-2/3.3.38)
NOTE Contrasts with active threat - see also accidental threat, intentional threat and
physical threat.
password A character string that enables a user to have full or limited access to a system
or to a set of data.

protocol data unit (PDU) A unit of data specified in a protocol of a given layer and
consisting of protocol control information of that layer, and possibly user data of that
layer.

peer entities Entities in the same or different open systems that are
in the same layer.
NOTE - The communication between entities located
in the same open system is outside the scope of OSI.

peer-entity authentication The corroboration that a peer-entity in an association is the
one claimed.
(ISO 7498-2/3.3.40)

Penetration The successful violation of a protected system.

penetration testing The portion of security testing in which the penetrators attempt to
circumvent the security features of a system.
NOTE -- The penetrators may be assumed to use all system design and implementation
documentation, which may include listings of system source code, manuals, and circuit
diagrams. The penetrators work under no constraints other than those that would be applied
to ordinary users.

personal identification device (PID) A hardware device carried by a user for
authentication purposes.

Personnel security The application of security measures, in order to ensure that all
personnel who have access to information have the required need-to-know and have the
appropriate security clearance.
Physical layer The layer that provides the mechanical, electrical,
functional, and procedural means to establish,
maintain and release physical connections for transfer
of bits over the transmission medium.

Physical security The measures used to provide physical protection of resources against
deliberate and accidental threats.
See also AAP-6.
(ISO 7498-2/3.3.41)
physical threat A threat which affects the actual existence and physical condition of the
computer facilities.
NOTES
1 For example, the possibility of theft of equipment, fire, etc.
2 See also accidental threat, intentional threat, active threat and passive threat.
piracy Unauthorised copying of software or hardware, usually for financial gain.
post office protocol (POPn, where n is the version number, e.g. POP3) Used to receive mail
from a UNIX shell account, without creating a telnet connection. POP3 is the current
version, supported by the majority of mail clients.

prerecorded (data) medium A data medium on which certain preliminary items of data are
present, the remaining items of data being entered during subsequent operations.
presentation layer The layer that provides for the selection of a common
syntax for representing data and for transformation of
application data into and from this common syntax.

primitive (service primitive) An abstract description of an interaction between a service
user and a service provider.
NOTES
1 A service user is usually an entity. A service provider at a given layer usually
comprises entities of that layer and a lower layer service (except at the physical layer).
Therefore, a service primitive is also an abstract description of an interaction between
two adjacent entities.
Privacy The rights of individuals to control or influence what
information related to them may be collected and
stored, and by whom and to whom that information
may be disclosed.
(ISO 7498-2/3.3.43)
NOTE Because this term relates to the right of
individuals, it cannot be very precise and its use
should be avoided except as a motivation for requiring
security.
Privacy protection The implementation of appropriate administrative,
technical, and physical safeguards to ensure the security
and confidentiality of data records and to protect both
security and confidentiality against any threat or hazard
that could result in substantial harm, embarrassment,
inconvenience, or unfairness to any individual about
whom such information is maintained.

Privilege The status granted to a subject to allow it access rights to an object.
Procedural security The application of security measures, in the form of management
constraints, operational procedures, accountability procedures and supplemental controls
in order to provide an acceptable level of protection for information.

Programmed check A check procedure designed by the programmer and implemented specifically
as a part of his program.
Contrast with automatic check.
(ANSI)
Project Initiation Document A document which records the vital characteristics of a
(PID) project. It is produced during the Project Initiation
stage.
Protection ring A detachable, non-conductive ring which may be fitted
file protection ring round the hub of a magnetic tape reel to indicate the
status of the reel.
See also write inhibit ring, write permit ring.
Protocol A set of semantic and syntactic rules that determine
the behaviour of entities in the same layer in
performing communication functions.
public key infrastructure The global infrastructure which facilitates use of
PKI (Abbreviation) public key encryption to encrypt data and authenticate
users.

purge date The date before which recorded data cannot inadvertently be erased or
overwritten.

Quality Criteria Measurable statements of acceptability, for use in the various quality
reviews of products.
range check A combination of two limit checks, one of which
applies to an upper limit, and the other to a lower limit.

real open system A real system that complies with the requirements of
open systems interconnection standards in its
communication with other real systems.

real system A set of one or more computers, associated software, *peripheral equipment,
terminals, human operators, physical processes, and means of communication that form an
autonomous whole capable of performing information processing or information transfer or
both.
Reasonableness check A check to determine whether a value conforms to
specified criteria.

Receiving service user A service user that acts as a data sink during the data
transfer phase of a connection or during a particular
instance of connectionless-mode transmission.

Reconstruction (of data), Reconstitution (of data) The restoration of data to a previously
known or specified state.

Redundancy check A check that uses one or several extra digits or characters associated
to data for the detection of errors.

relay open system An open system that performs functions, such as routing, enabling data
received from one open system to be forwarded to another open system.
NOTE - There may be a series of several relay open systems.
Alternatively :
In the OSI model, "relay" is specified as a function, and not as a system. We suggest
defining "intermediate system" rather than "relay open system".
Intermediate system
An open system which is neither the source nor the sink of the data for a given instance
of communication.

Reliable transfer service (RTS) An application service element that guarantees the
integrity of protocol data units exchanged between pairs of application entities involved
in a given association, and provides for recovery from communication and end open system
failures with a minimum number of retransmissions.

remote operations service element (ROSE) An application service element that provides a
generalized facility for initiating and controlling operations remotely.

Repeater A simple two-port signal amplifier.
Alternatively :
In a local area network, a device that amplifies and regenerates signals to extend the
range of transmission between data stations or to interconnect two branches.

Replay Unauthorised repeat of an information exchange, either deliberately or accidentally.
Repudiation of Origin False denial by a user that information had originated
from that user.
Repudiation of Receipt False denial by a user that information had been
received by that user.
request primitive A primitive issued by a service user to invoke a
procedure.

residual risk The portion of risk that remains after security measures have been applied.

residue control Procedures and mechanisms to control access to and to dispose of data left
in storage units after completion of a job.

response primitive A primitive issued by a service user to indicate that it has completed
a procedure previously invoked by an indication primitive at the same service access point.

Restricted A Protective Marking within the UK Government's Protective Marking Scheme.
Rich Text Format file (RTF file) A file format that uses ASCII characters to encode layout
and format settings. This allows you to preserve the formatting of the file when you
transfer it to another application.
Risk A measure of the exposure to which a system or
potential system may be subjected. This is determined
by the combination of:
the level of threat
the vulnerability
the possible loss which may result from such
an attack.
router A router is a multi-port device that determines how to handle the contents of a
frame, based on protocol and network information. Routers are used to connect logical
networks.
Also referred to in the IP world as gateways.

routing information protocol (RIP) A routing protocol which takes into account the number
of hops taken for a packet to traverse a network. The basis of distance vector routing.

routing table Routing tables tell the router which logical networks
are available to deliver information to and which
routers are capable of forwarding information to that
network.
Scavenging Searching through residue for the purpose of
unauthorised data acquisition.

Secret A Protective Marking within the UK Government's Protective Marking Scheme.
secure operating system An operating system comprising computer security
features which have been evaluated and certified.

secure state A condition in which no subject can access any object in an unauthorised
manner.

security architecture The subset of the information system or communication system
architecture dealing with the security of that system.

Security Aspect Six security aspects are recognised by CRAMM:
Hardware
Software
Communications
Procedural
Physical
Personnel.
security audit An independent review and examination of system
records and activities in order to test for adequacy of
system controls, to ensure compliance with established
policy and operational procedures, to detect breaches
in security, and to recommend any indicated changes
in controls, policy, and procedures.
(ISO 7498-2/3.3.47)

security baseline The specification of the requirement for computer security of a system,
in terms of functionality and assurance, against which the implementation of the system is
assessed during the evaluation of the system.

security event A change of state which affects the security of the system.

security fault analysis (SFA) A security analysis to determine the security properties of
a device when a hardware fault is encountered.

security filter A filter used to enforce security requirements.
security flow analysis A type of security analysis performed on a non-procedural formal
system specification that locates potential flows of information between system
variables.

security integrity policy That part of a security policy that prevents unauthorised users
from modifying sensitive information.

security kernel The hardware, firmware and software elements of a Trusted Computing Base,
which mediate all accesses, are protected from modification, and are verifiable as
correct.

security label The marking bound to a resource (which may be a data unit) that names or
designates the security attributes of that resource.
(ISO 7498-2/3.3.49)
NOTE -- The marking and/or binding may be explicit or implicit.
security level The combination of a hierarchical classification and, if
necessary, a set of non-hierarchical information
categories that represents the sensitivity of
information.

security model A representation of the security policy for a data processing system or
network.

security operating procedures A precise description of the implementation of a previously
defined security policy, the operating procedures to be followed, and personnel
responsibilities, of a specific system or network.
Abbreviated SecOPs

security policy The set of laws, rules and practices that regulate how
information is managed, protected and distributed in a
system or network.
The set of criteria for the provision of security
services.
(ISO 7498-2/3.3.50)
NOTE -- A complete security policy will necessarily
address many concerns which are outside of the scope
of OSI.

Security risk The likelihood of a system's inherent vulnerability being exploited by the
threats to the system, leading to the system being penetrated.
security risk management The total process of identifying, controlling and
minimising uncertain events that may affect system
resources.

security-compliant channel A channel where the enforcement of the network security policy
depends only upon characteristics of the channel.

selection check A check that verifies the choice of devices, such as registers, in the
execution of an instruction.

sending service user A service user that acts as a data source during the
data transfer phase of a connection or during a
particular instance of connectionless-mode
transmission.

sensitive information Information that, as determined by a competent authority, must be
protected because its unauthorised disclosure, alteration, loss or destruction will at
least cause perceivable damage to someone or something.

Sensitivity The characteristic of a resource which implies its value or importance, and
may include its vulnerability.
(ISO 7498-2/3.3.53)

Sensitivity label Information that represents the security level of an object and that
describes the sensitivity of the data in the object.
NOTE -- For example, classification.
sequence check A check to determine whether items follow one
another in a prescribed manner.

service A capability of a given layer and the layers below it that is provided to the
entities of the next higher layer.
NOTE The service of a given layer is provided at the boundary between this layer and the
next higher layer.
Service access point The point at which the services of a given layer are
SAP (abbreviation) provided by an entity of that layer to an entity of the
next higher layer.

Service data unit A set of data that are sent by a user of the services of a
SDU (abbreviation) given layer and that must be transmitted to the peer
service user semantically unchanged.

service provider An abstract representation of all the entities that provide a service to
peer service users.

service user An entity in a single open system that makes use of a service through
service access points.

sight check A check performed by sighting through the holes of two or more aligned punched
cards toward a source of light to verify the punching, e.g. to determine if a hole has
been punched in a corresponding punch position on all cards in a card deck.

simple mail transfer protocol (SMTP) A service used for transfer of e-mail.

simple network management protocol (SNMP) A service used to monitor and control network
devices.

simple security condition A Bell-LaPadula security model rule allowing a subject read
access to an object only if the security level of the subject dominates the security
level of the object.
single-level device A device that is used to process data of a single
security level at any one time.
NOTES
1 Since the device need not be trusted to separate data
of different security levels, sensitivity labels do not
have to be stored with the data being processed.
Contrasts with multi-level device.

single-level network subject A network subject that causes information to flow through the
network at a single security level.
NOTES
1 Since the single-level network subject need not be trusted to separate data of different
security levels, sensitivity labels do not have to be transmitted along with the data.
Contrasts with multi-level network subject.

software lockout A programmed inhibitor which prevents the transfer of data or program to
a peripheral device or, exceptionally, an area of the core store, unless certain preset
conditions are fulfilled.
spoofing The act of fooling a legitimate user into believing that
he is interacting with the intended data processing
system or network when, in fact, he is not.

standby system Any system, other than the normal one, which enables
some continuation of work when the normal system
has failed.
star property A Bell-LaPadula security model rule allowing a
subject write access to an object only if the security
level of the subject is dominated by the security level
of the object.
Abbreviated *-property
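The simple security condition and the star property above, applied to security levels as the glossary defines them (a hierarchical classification plus a set of non-hierarchical categories), as an added worked example in Python; it is not part of the CRAMM User Guide. The classification names are the Protective Markings the glossary lists (Restricted, Secret, Top Secret); the category names and the subjects and objects are constructed for the illustration.

```python
"""Bell-LaPadula access decisions over security levels as the glossary defines them.

Added worked example; not part of the CRAMM User Guide. A security level is a
hierarchical classification plus a set of non-hierarchical categories. The
classification names are the UK Protective Markings the glossary lists; the
category names and the subjects and objects in main() are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Set

# Hierarchical classifications, lowest first (Protective Markings named in the glossary).
CLASSIFICATIONS = ("Restricted", "Secret", "Top Secret")
RANK = {name: i for i, name in enumerate(CLASSIFICATIONS)}


@dataclass(frozen=True)
class SecurityLevel:
    """Classification plus non-hierarchical information categories."""
    classification: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.classification not in RANK:
            raise ValueError(f"unknown classification: {self.classification!r}")

    def dominates(self, other: "SecurityLevel") -> bool:
        """A dominates B when A's classification is at least B's and A holds every
        category B holds. Levels with differing categories may be incomparable."""
        return (RANK[self.classification] >= RANK[other.classification]
                and other.categories <= self.categories)


def level(classification: str, *categories: str) -> SecurityLevel:
    """Convenience constructor: level("Secret", "PROJECT-X")."""
    return SecurityLevel(classification, frozenset(categories))


def may_read(subject: SecurityLevel, obj: SecurityLevel) -> bool:
    """Simple security condition: read only if the subject dominates the object
    (no read up)."""
    return subject.dominates(obj)


def may_write(subject: SecurityLevel, obj: SecurityLevel) -> bool:
    """Star (*) property: write only if the object dominates the subject
    (no write down), so information can never flow to a lower level."""
    return obj.dominates(subject)


def permitted(subject: SecurityLevel, obj: SecurityLevel) -> Set[str]:
    """The operations the two rules allow together: both, one, or neither."""
    ops = set()
    if may_read(subject, obj):
        ops.add("read")
    if may_write(subject, obj):
        ops.add("write")
    return ops


def main() -> None:
    # Constructed subjects (clearances) and objects (labels).
    subjects = {
        "analyst": level("Secret", "PROJECT-X"),
        "clerk": level("Restricted"),
        "director": level("Top Secret", "PROJECT-X", "PROJECT-Y"),
    }
    objects = {
        "report": level("Secret", "PROJECT-X"),
        "bulletin": level("Restricted"),
        "y_paper": level("Secret", "PROJECT-Y"),
    }
    for sname, subj in subjects.items():
        for oname, obj in objects.items():
            ops = sorted(permitted(subj, obj)) or ["none"]
            print(f"{sname:9s} -> {oname:9s}: {', '.join(ops)}")


if __name__ == "__main__":
    main()
```

A subject at the same level as an object gets both operations; a Top Secret subject can read but not write a Secret object, and two Secret levels with different categories permit neither.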
static routing The simplest method of routing, generally used in IP networks, where a
static route is defined in the routing table as the point leading to a specific network.
strength of mechanism A measure of the effectiveness of a security
mechanism to prevent a breach of the system security
policy, assuming it has been correctly implemented.

Structured System Analysis and A structured system development method used widely
Design Method (SSADM) both within UK government departments and
commercially.
Security Operating Procedures Documentation specifying the procedures that need to
(SyOPs) be carried out in order to ensure the security of a
system.
sublayer In the Open Systems Interconnection reference model,
a conceptually complete group of services, functions,
and protocols that may extend across all open systems
and that is included in a layer.

subsystem In Open Systems Interconnection architecture, an element in a hierarchical
division of an open system that directly interacts only with elements in the next higher
division or the next lower division of that open system.
NOTE - A hierarchical division of an open system may be either a layer or a sublayer.

summation check (sum check) A comparison of checksums, computed on the same data on
different occasions, or on different representations of the data, to verify data
integrity.

Switch A switch merges hub and bridge technology. It will track the MAC addresses attached
to each of its ports and route traffic destined for a certain address only to the port to
which it is attached.

system high security mode A mode of operation in which ALL individuals with access to the
data processing system or network are cleared to the highest classification level of
information stored, processed or transmitted within the data processing system or network,
but NOT ALL individuals with access to the data processing system or network have a common
need-to-know for the information stored, processed or transmitted within the data
processing system or network.
NOTES
1 The lack of common need-to-know indicates that there is a requirement for computer
security features to provide selective access to, and separation of, information within
the data processing system or network.
2 Other security features (for example, physical, personnel and procedural) shall conform
to the requirements for the highest classification level and all category designations of
the information stored, processed or transmitted within the data processing system or
network.
3 All information stored, processed or being available to a data processing system or
network under this mode of operation, together with any output generated, will be
protected as potentially of the information category designation and of the highest
classification level being stored, processed or transmitted until determined otherwise,
unless there is an acceptable level of trust that can be placed in any labelling
functionality present.
Contrasts with "Dedicated security mode" and "Multi-Level security mode".

System Security Policy A document that outlines the specific security objectives of the
proposed system. It acts as a form of agreement between the users and the IT service
provider that provides a common understanding of the level of security that the proposed
system should provide. It should be in line with the Departmental/Corporate IT Security
Policy.
system-specific security A complete and systematic statement of the security
requirement statement principles to be observed and of the detailed security
requirements to be met by a particular system, based
on the user requirements and a formal and
comprehensive security risk analysis.
Abbreviated SSRS
telnet A service used to create a remote session.

TEMPEST Term referring to investigations and studies of compromising emanations and the
measures taken to provide protection against them.
NOTES
1 Used in the context of TEMPEST tests, TEMPEST equipment, TEMPEST inspection, TEMPEST
installation criteria, TEMPEST zoning, etc.

Test The operation of a functional unit and comparison of its achieved result with the
defined result to establish acceptability.
Example : A device test or a program test.
test data The data used for a check problem.

test harness A control program which enables programmers to test program modules or
independently compiled subroutines.

Threat A potential violation of security.
(ISO 7498-2/3.3.55)
NOTES
1 For example, disclosure, modification, destruction, or denial of service.
2 A threat is defined by its source, motivation, path, target, and result.
See also - accidental threat, intentional threat, active threat, passive threat and
physical threat.

threat assessment The determination of the source, extent, and nature of possible attacks,
including an assessment of the likelihood of an attack.

tiger team A team of people engaged in penetration testing of a data processing system or
network after it has been in operational use for some considerable time.

to abort To terminate, in a controlled manner, a processing activity in a computer system
because it is impossible or undesirable for the activity to proceed.

token In a local area network, a specified group of bits serving as a symbol of authority
passed successively from one data station to another to indicate the station temporarily in
control of the transmission medium.
NOTE -- All information is conveyed by frames. Some frames contain a token and no user
data, others contain data and no token.
token passing protocol In a local area network using a token, the set of rules
token passing procedure that governs how a data station acquires, uses, and
transfers the token.
Top Secret A Protective Marking within the UK Government's Protective Marking Scheme.

Traffic Monitoring Unauthorised monitoring of the volume of data transmitted and/or
monitoring the identities of the parties involved, without necessarily monitoring the
information being passed itself.
transfer syntax That concrete syntax used in the transfer of data between open systems.
Remark : Definition from ISO 7498, num. 7.2.1.2.
Transmission control protocol/internet protocol (TCP/IP) A service which forms the
backbone of all internet communications. It uses the session and transport layers of the
OSI model.

Transmission security (TRANSEC) The application of security measures, in order to protect
transmissions from interception and exploitation by means other than cryptanalysis.
transport layer The layer that provides a reliable end-to-end data
transfer service.
NOTES
1 Under specific conditions, the transport layer may
improve the service provided by the network layer.
Transverse parity check A parity check on a column of binary digits that are
members of a set forming a matrix.
Example : A parity check on the set of bits on a tape
row.
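The longitudinal and transverse parity checks defined here (and the parity bit and parity check entries they build on), applied together to one block of bytes, as an added worked example in Python that is not part of the CRAMM User Guide; it also shows which error patterns the pair of checks can locate and which escape both. The layout follows the glossary's matrix description (rows are tracks, columns are frames); the sample block and the simulated faults are constructed.

```python
"""Transverse and longitudinal parity over a block of bytes.

Added worked example for the glossary's parity bit, parity check, longitudinal
parity check and transverse parity check entries; not part of the CRAMM User
Guide. The block is the matrix of bits the glossary describes: each column is
one frame (a byte written across the medium) and each row is one track running
along the block. A transverse parity bit protects one frame, a longitudinal
parity bit protects one track. All sample data is constructed.
"""
from typing import List, Optional, Tuple

TRACKS = 8  # data tracks per frame: one byte


def transverse_parity(block: bytes) -> List[int]:
    """Even parity per frame (a column of the matrix): 1 when the byte holds an
    odd number of 1 bits, so that byte plus parity bit always sums to even."""
    return [bin(byte).count("1") % 2 for byte in block]


def longitudinal_parity(block: bytes) -> List[int]:
    """Even parity per track (a row of the matrix) across the whole block, i.e.
    the longitudinal redundancy check character, one bit per track."""
    lrc = 0
    for byte in block:
        lrc ^= byte
    return [(lrc >> track) & 1 for track in range(TRACKS)]


def write_block(block: bytes) -> Tuple[bytes, List[int], List[int]]:
    """What gets recorded: the data plus both sets of predetermined parity bits."""
    return block, transverse_parity(block), longitudinal_parity(block)


def parity_check(block: bytes, tp: List[int], lp: List[int]) -> Tuple[List[int], List[int]]:
    """Redundancy check: recompute both parities and compare with the recorded
    ones. Returns the frames and the tracks whose parity now disagrees."""
    bad_frames = [i for i, (now, was) in enumerate(zip(transverse_parity(block), tp))
                  if now != was]
    bad_tracks = [t for t, (now, was) in enumerate(zip(longitudinal_parity(block), lp))
                  if now != was]
    return bad_frames, bad_tracks


def locate_single_error(block: bytes, tp: List[int], lp: List[int]) -> Optional[Tuple[int, int]]:
    """Exactly one failing frame and one failing track pin the flipped bit to
    their intersection. Other patterns are detected but cannot be located; two
    flips in the same frame, for example, leave that frame's parity unchanged."""
    frames, tracks = parity_check(block, tp, lp)
    if len(frames) == 1 and len(tracks) == 1:
        return frames[0], tracks[0]
    return None


def correct_single_error(block: bytes, tp: List[int], lp: List[int]) -> bytes:
    """Flip the located bit back; raises when the damage is not a single bit."""
    where = locate_single_error(block, tp, lp)
    if where is None:
        raise ValueError("error is not a single flipped bit; cannot correct")
    frame, track = where
    data = bytearray(block)
    data[frame] ^= 1 << track
    return bytes(data)


def flip(block: bytes, *positions: Tuple[int, int]) -> bytes:
    """Simulate medium faults: flip the bit at each (frame, track) position."""
    data = bytearray(block)
    for frame, track in positions:
        data[frame] ^= 1 << track
    return bytes(data)


def main() -> None:
    original, tp, lp = write_block(b"CRAMM")  # constructed sample block
    print("transverse parity  :", tp)
    print("longitudinal parity:", lp)

    one = flip(original, (2, 3))  # single bit: located and corrected
    print("one flip   :", parity_check(one, tp, lp), "->", correct_single_error(one, tp, lp))

    two = flip(original, (2, 3), (2, 5))  # same frame: detected by tracks only
    print("two flips  :", parity_check(two, tp, lp), "locatable:", locate_single_error(two, tp, lp))

    four = flip(original, (0, 1), (0, 2), (1, 1), (1, 2))  # rectangle: escapes both checks
    print("rectangle  :", parity_check(four, tp, lp))


if __name__ == "__main__":
    main()
```

The rectangle case is why these checks are described as detecting errors rather than guaranteeing integrity: an even number of flips in every affected frame and every affected track is invisible to both parities.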
trap door A hidden software or hardware mechanism that
permits system protection mechanisms to be
circumvented.
NOTE -- It is activated in some non-apparent manner,
for example, by a special "random" key sequence at a
terminal.
Trojan horse A computer program with an apparently or actually useful function that
contains additional, hidden functions that surreptitiously exploit the legitimate
authorisations of the invoking process to the detriment of security.
NOTE -- For example, making a "blind copy" of a sensitive file for the creator of the
Trojan Horse.

trunk cable A cable connecting trunk coupling units for the purpose of allowing
communication among data stations.
trunk coupling unit (TCU), trunk connecting unit A physical device that connects a data
station to a trunk cable by means of a drop cable.
NOTES
1 The trunk coupling unit contains the means for inserting the station into the network or
bypassing it.

Trusted Having, involving, or denoting a security feature that has been granted security
certification.
NOTE -- A system component is said to be trusted if it can be relied upon to enforce the
relevant security policy.

trusted channel
    A mechanism by which two network subjects can communicate directly, without loss of integrity of information.

trusted computer system
    A system that employs sufficient hardware and software integrity measures to allow its use for processing simultaneously a range of sensitive or classified information.

Trusted Computer System Evaluation Criteria (TCSEC)
    A US Department of Defense publication that formally defines a set of criteria for the evaluation of information systems against pre-determined levels. In Europe this publication has been superseded by ITSEC. TCSEC is also known as the Orange Book.

Trusted computing base; abbreviated TCB
    The totality of protection mechanisms within a computer system, including hardware, firmware and software, the combination of which is responsible for enforcing a security policy.
    NOTES
    1 A TCB consists of one or more components that together enforce a unified security policy over a product or system.
    2 The ability of a TCB to correctly enforce a security policy depends solely on the mechanisms within the TCB and on the correct input by system administrative personnel of parameters (for example, a user's clearance) related to the security policy.

Trusted distribution
    A trusted method for distributing the Trusted Computing Base hardware, firmware and software components, both originals and updates, that provides methods for protecting the Trusted Computing Base from modification during distribution and for detection of any changes to the Trusted Computing Base that may occur.

trusted function
    A function whose correct operation is relied upon for the security policy to be upheld.

trusted function assurance level
    The overall assurance level that is established for a trusted function of a system during the evaluation of the system.

trusted path
    A mechanism by which a person at a terminal can communicate directly with the Trusted Computing Base, without loss of integrity of information.
    NOTE -- This mechanism can only be activated by the person or the Trusted Computing Base and cannot be imitated by untrusted software.
trusted recovery
    The property of a system which ensures that it can be returned to a secure operating state following a system failure without compromising the security policy.

universal address administration; global address administration
    Address administration in which all LAN individual addresses are unique within the same or other local area networks.

unrecoverable error
    An error for which recovery is impossible without the use of recovery techniques external to the computer program.

user authentication
    The corroboration that the user identity is as claimed.

user data
    Data transferred between entities of a given layer on behalf of the entities of the next higher layer for which the former entities are providing services.

user datagram protocol; UDP (Abbreviation)
    A protocol used to support connectionless transport over internet protocol (IP).

user profile
    A set of pre-defined system parameters that can be used to control a user's activities.

Validation
    The checking of a system or of a system specification for self-consistency and completeness.

Verification
    The process of comparing two levels of system specification for proper correspondence.
    NOTE -- For example, comparing a security policy model with the top-level specification, or the top-level specification with source code, or source code with object code.

verify (v)
    To determine whether a transcription of data or other operation has been accomplished accurately.

virtual local area network; VLAN (Abbreviation)
    Using switches, software enables virtual networks to be set up logically (work-group based) rather than geographically.

virtual private network; VPN (Abbreviation)
    A virtual private network session is an authenticated and encrypted communication channel across some form of public network, such as the internet.

virtual terminal
    A generalized logical model of different terminals of a certain class, describing how terminals of that class will perform in the OSI environment.
virus
    A piece of code that adds itself to other programs, including operating systems, but cannot run independently, requiring its running host program to activate it.
    NOTE
    A virus consists of two parts:
    - self-replicating code that inserts itself at the beginning or end of a program; and
    - the side-effect, malicious or otherwise, when activated.

Volume (header) label; Volume header
    An internal label that identifies the volume and indicates the beginning of its data.

Vulnerability
    A weakness or lack of controls that would allow or facilitate a threat actuation against a specific asset or target.
    NOTES
    1 A vulnerability may be an omission or it may relate to a deficiency in a control's strength, completeness or consistency.
    2 A vulnerability may be technical, procedural or operational.

WHOIS
    A utility used to gather information about a specific domain over a network.

Worm
    A program that can run by itself and can propagate a fully working version of itself to other machines.

Write inhibit ring; write lock-out ring
    A protection ring which, when in place, physically prevents writing on or over-writing a magnetic tape.

Write permit ring
    A protection ring which must be in place before a magnetic tape can be written on or over-written.
C. Checklists
C.1 Stage 1 checklist
At the end of Stage 1 you will have done the following:
- obtained management authorisation and commitment to the review
- defined the overall project schedule
- established the boundary of the review
- entered the review boundary into CRAMM
- identified the data owners for interviewing
- created a Project Initiation Document (PID)
- obtained approval for the PID from management
- identified the physical assets
- identified the data assets
- identified the application software assets
- identified the locations
- modelled the interrelationships between the data, application software and physical assets, and the locations
- printed the Data Asset Valuation forms
- interviewed appropriate staff using these forms
- entered the interview results into the CRAMM software
- if required:
  - printed the Recovery Objectives form
  - completed the form through interviews with users and support staff
  - entered the information into the CRAMM software
  - produced reports from the CRAMM software on recovery requirements for users, support staff and assets
- printed the Physical Asset Valuation forms
- interviewed the appropriate staff using these forms
- entered the interview results into CRAMM
- if your review has included contingency planning:
  - printed the Application Software Valuation forms
  - interviewed appropriate staff using these forms
  - entered the results into CRAMM
- produced Impact Assessment Reports and reviewed the asset valuations for errors and omissions
- if required, produced a Stage 1 Management Report and reviewed it with management
- documented the results of the management review
- revised the project schedule, as appropriate.

C.2 Stage 2 checklist
At the end of Stage 2 you will have done the following:
- generated asset groups automatically and, if necessary, created additional groups
- linked threats to asset groups
- reviewed and, if necessary, adjusted the impacts that could result from each threat/asset group pairing
- undertaken a full or rapid risk assessment
- calculated the measures of risks using CRAMM
- reviewed the measures of risks for anomalies
- prepared and reviewed reports with management.

C.3 Stage 3 checklist
At the end of Stage 3 you will have done the following:
- identified, using CRAMM, the countermeasures to protect against the threats and vulnerabilities
- printed the countermeasure lists
- identified all existing countermeasures
- entered the existing countermeasures into the CRAMM software
- entered those countermeasures deemed not applicable into the CRAMM software
- printed the countermeasure recommendation listings
- defined the priorities that you would place on the individual recommendations, using the prioritisation, What If and backtrack facilities provided by the CRAMM software
- produced a report or reports covering specific topics for review by interested representatives from the project board
- produced a management summary report
- held a Stage 3 management review meeting
- produced and issued the final management report.

Page C-2 Issue 1.0


Annex D
Impact types

D. Impact types
D.1 Introduction
CRAMM allows data assets to be valued against the following impacts:
- unavailability
- destruction
- disclosure
- modification.
These are described in section D.2.

D.2 The impact types
The impact types used in CRAMM are as follows.

Unavailability:
- less than 15 minutes
- 1 hour
- 3 hours
- 12 hours
- 1 day
- 2 days
- 1 week
- 2 weeks
- 1 month
- 2 months and over.

Destruction:
- destruction since the last successful back-up
- total destruction including back-ups.

Disclosure:
- unauthorised disclosure to insiders
- unauthorised disclosure to contracted service providers
- unauthorised disclosure to outsiders.

Modification:
Where the end-user service is interactive, batch processing, voice or video, the following impacts may be covered:
- small-scale errors
- widespread errors
- deliberate modification.
For interactive and batch processing end-user services the emphasis will be as follows:
- small-scale errors (for example, keying errors, duplication of input)
- widespread errors (for example, caused by a programming error)
- deliberate modification (of stored data).
For voice and video end-user services the emphasis will be as follows:
- small-scale error (in data transmission)
- widespread error (in data transmission)
- deliberate modification (of data in transmission).
Where the end-user service is Electronic Mail, Application to Application Messaging, Electronic Data Interchange or Web Browsing, the consequences of small-scale, widespread and deliberate modification may be investigated as appropriate. In addition, the consequences of the following impacts may also be investigated:
- insertion of false messages (for example, inserting an unauthorised request for a payment)
- repudiation of origin (for example, the sender of a message denying they had actually sent the message)
- repudiation of receipt (that is, the recipient of a message denying they had actually received the message)
- non-delivery (for example, an authorised request for payment failing to be delivered, either accidentally or deliberately)
- replay (for example, the accidental or deliberate duplication of an authorised request for a payment)
- mis-routing (for example, accidental or deliberate alteration of the destination address so that data is sent to an unauthorised recipient)
- traffic monitoring (that is, disclosing the volume of data being transmitted, or the fact that two parties were communicating with each other, but not the actual contents of the messages being passed)
- out of sequence (for example, accidental or deliberate delivery of authorised messages in the wrong order).
The reviewer need only investigate those impacts about which there is a particular concern.

On some screens the impacts are represented by abbreviations, as shown in Table D/1.

P       Physical destruction
15 M    Unavailability - 15 minutes
1 Hr    Unavailability - 1 hour
3 Hr    Unavailability - 3 hours
12 Hr   Unavailability - 12 hours
1 Dy    Unavailability - 1 day
2 Dy    Unavailability - 2 days
1W      Unavailability - 1 week
2W      Unavailability - 2 weeks
1M      Unavailability - 1 month
2M      Unavailability - 2 months
B       Loss of data since last back-up
T       Total loss of all data
I       Unauthorised disclosure to insiders
C       Unauthorised disclosure to contracted third parties
O       Unauthorised disclosure to outsiders
S E/T   Small-scale errors (for example, keying errors)/small-scale errors in transmission
W E/T   Widespread errors (for example, programming errors)/widespread errors in transmission
D S/T   Deliberate modification of stored data/deliberate modification of data in transit
Or      Repudiation of origin
Rc      Repudiation of receipt
Nd      Non-delivery
Rp      Replay
Mr      Mis-routing
Tm      Traffic monitoring
Os      Out-of-sequence
In      Insertion of false message

Table D/1: Abbreviations for impacts

E. Valuation guidelines
E.1 Introduction
The guidelines for the Standard Profile are shown in Table E/1. Where a protective
marking (Restricted, Confidential, Secret or Top Secret) applies, it is indicated in
brackets. No such entry means that a protective marking is not justified or not
relevant.
Notes and examples on how to interpret the guidelines in specific circumstances are
provided in sections E.3 to E.14. Where examples are given, the numbers refer to the
numbers in the Asset Value column in Table E/1.

Management and Business Operations

Asset Value   Management and Business Operations
1    Inefficient operation of one part of an organisation
2    No entry
3    Undermine the proper management of the organisation and its operation, or
4    No entry
5    Impede the effective development or operation of the organisation's policies
6    Disadvantage the organisation in commercial or policy negotiations with others
7    Seriously impede the development or operation of major organisational policies, or shut down or otherwise substantially disrupt significant operations
8    No entry
9    No entry
10   No entry

Personal safety

Asset Value   Personal Safety
1    No entry
2    Could lead to minor injury to several individuals
3    Is likely to lead to a minor injury to an individual (Restricted)
4    Is likely to lead to minor injury to several individuals (Restricted)
5    No entry
6    Is likely to lead to more than a minor injury, restricted to an individual (Restricted)
7    Is likely to lead to more than minor injury to several individuals (Confidential)
8    Is likely to prejudice individual security/liberty (for example, is likely to lead to the life of an individual or group of individuals being threatened) (Confidential)
9    Is likely to lead to the death of an individual, and/or seriously prejudice individual security/liberty (Secret)
10   Is likely to lead to the widespread loss of life (Top Secret)

The unauthorised disclosure, modification or unavailability of information could lead to the endangerment of personal safety. Examples are as follows:
- the unauthorised disclosure of the addresses of certain people could mean that they are targeted by those who desire to cause them harm, whether for political, grievance or other motives
- the unauthorised modification of information (for example associated with manufacturing processes, travel movements and medical processes), could mean the malfunctioning of equipment or incorrect decisions being made, with resultant adverse effects on the safety or well-being of people
- the unavailability of information from some systems (again for example associated with travel movements and medical processes), could result in incorrect or late decisions, with resultant adverse effects on the safety or well-being of people.
Examples
8    prejudice individual liberty: restrict the ability of persons to move around freely, such as general police informants, and in some cases (other) witnesses
9    seriously prejudice individual liberty: severely restrict the ability of persons to move around freely, such as terrorist informants, witnesses to serious crimes, and intelligence sources, particularly if a new identity were disclosed.

In some circumstances this guideline will be related to the law enforcement guideline.

Personal information

Asset Value   Personal Information
1    Minor distress to an individual but no breach of legal or regulatory requirement occurs
2    Distress to an individual but no breach of legal or regulatory requirement occurs
3    A breach in a legal, regulatory or ethical requirement or publicised intention on the protection of information, leading to minor distress to an individual (Restricted)
4    A breach in a legal, regulatory or ethical requirement or publicised intention on the protection of information, leading to minor distress to a group of individuals (Restricted)
5    A breach in a legal, regulatory or ethical requirement or publicised intention on the protection of information, leading to substantial distress to an individual (Restricted)
6    A breach in a legal, regulatory or ethical requirement or publicised intention on the protection of information, leading to substantial distress to a group of individuals (Restricted)
7    No entry
8    No entry
9    No entry
10   No entry

Many IT systems hold and process information about individuals, for example pay,
personnel appraisal and medical details. In such cases each person can readily be
identified.
It is morally and ethically correct, and in some circumstances legally required, that
information about people is protected against unauthorised disclosure. This
disclosure could result in, at best, embarrassment and reduction in self esteem and, at
worst, adverse legal action (for example under the data protection legislation).
Equally it is required that information about people is always correct, as
unauthorised modification resulting in incorrect information could have effects
similar to those caused by unauthorised disclosure.
It is also important that information about people is not made unavailable or
destroyed, as this could result in incorrect decisions or no action by a required time,
with effects similar to those caused by unauthorised disclosure or modification.
Where an adverse impact is likely to result in an infringement of, for example, the
Data Protection Act, or other legal action, the legal guidelines for assigning values
must also be reviewed. Where an adverse impact could have implications for the
safety of an individual, the personal safety guidelines should be referenced.
Example
6 group of individuals: examples are individual pressure groups, charities or
groups of patients.

Notes
Within the guideline, distress can be taken to mean anger, frustration,
disappointment, embarrassment or concern.

Legal and regulatory obligations

Asset Value   Legal and Regulatory Obligations
1    No entry
2    No entry
3    Civil suit or criminal offence resulting in damages/penalty of £2,000 or less
4    Civil suit or criminal offence resulting in damages/penalty of between £2,001 and £10,000
5    Civil suit or criminal offence resulting in damages/penalty of between £10,001 and £50,000, or a prison term of up to two years
6    Civil suit or criminal offence resulting in damages/penalty of between £50,001 and £250,000, or a prison term in excess of two years and up to ten years
7    Civil suit or criminal offence resulting in unlimited damages/penalty, or a prison term in excess of ten years
8    No entry
9    No entry
10   No entry

Data held and processed by an organisation may be subject to legal and regulatory obligations, or data may be held and processed by an organisation in order to allow it to comply with legal and regulatory obligations. Failure to comply, either intentionally or unintentionally, may result in legal or administrative actions taken against individuals within the organisation concerned. These actions may result in fines and/or prison sentences.
Note that the inclusion of valuations in the guideline for legal and regulatory obligations is not intended for any other reason than to give weight to, and assist in highlighting through the method, the countermeasures that are justified to prevent the compromise occurring.
Notes
1    The following is a list of the main acts of law and regulations which are relevant to this guideline. This is not intended to be a complete list:
     - the Data Protection Act of 1984 (see also the personal information guideline)
     - the draft EC Data Protection Directive
     - the Computer Misuse Act of 1990 (see also the law enforcement guideline)
     - the Official Secrets Act
     - the EC Software Directive
     - the EC Database Directive
     - the Copyright Designs and Patents Act of 1988 (see also the commercial and economic interests guideline)
     - the Telecommunications Act of 1984
     - the Police and Criminal Evidence Act of 1984 (see also the law enforcement guideline)
     - the Civil Evidence Act of 1968 (see also the law enforcement guideline).
2    If an organisation using this guideline, and other guidelines containing financial figure ranges, feels that the ranges are not appropriate it is permissible to raise the value to reflect the real situation. For example, the organisation may feel that an impact of between £2,001 and £10,000 is really greater than a value of 4.

Law enforcement

Asset Value   Law Enforcement
1    No entry
2    No entry
3    Facilitate the commission of a crime, or prejudice the investigation of a crime (Restricted)
4    Cause the investigation or trial of a crime to be abandoned (Restricted)
5    No entry
6    No entry
7    Facilitate the commission of a serious crime, or impede the investigation of a serious crime (Confidential)
8    Cause the investigation or trial of a serious crime to be abandoned (Confidential)
9    No entry
10   No entry

If certain types of information were to be disclosed or modified without authority, crime might be facilitated. Similarly, if certain types of information were to be disclosed or modified, or to become unavailable, there could be an adverse impact on the investigation or prosecution of a crime. For example, the unauthorised disclosure of personal information could lead to blackmail attempts or terrorist targeting.
The disclosure of information during a criminal investigation could result in suspects being forewarned. During prosecution, if evidence were tampered with, or altered inadvertently through, for example, software malfunction, or became unavailable, this could interfere with the course of a trial. The leakage of address details of key witnesses could also affect the outcome of a trial.
Notes
1    The following is one definition of a serious crime, although there are others:
     Conduct which constitutes... one or more offences shall be regarded as a serious crime if and only if (a) it involves the use of violence, results in substantial financial gain or is conducted by a large number of persons in pursuit of a common purpose, or (b) the offence or one of the offences is an offence for which a person who has attained the age of 21 and has no previous conviction could reasonably be expected to be sentenced to imprisonment for a term of three years or more.

Commercial and economic interests

Asset Value   Commercial and Economic Interests
1    Be of interest to a competitor but of no commercial value
2    Be of interest to a competitor to a value that is £10,000 or less (turnover)
3    Be of value to a competitor to a value that is between £10,001 and £100,000 (turnover), or
     Cause financial loss, or loss of earning potential, or facilitate improper gain or advantage for individuals or organisations (Restricted), or
     Constitute a breach of proper undertakings to maintain the confidence of information provided by third parties (Restricted)
4    Be of value to a competitor to a value that is between £100,001 and £1,000,000 (turnover)
5    Be of value to a competitor to a value that is between £1,000,001 and £10,000,000 (turnover)
6    Be of value to a competitor to a value that is more than £10,000,000 (turnover)
7    Could substantially undermine national economic and commercial interests (Confidential), or
     Work substantially against national finances (Confidential), or
     Substantially undermine the financial viability of major organisations (Confidential)
8    No entry
9    Would be likely to cause substantial material damage to national economic and commercial interests (Secret)
10   Would be likely to cause severe long term damage to the UK economy (Top Secret)

Commercial and economic information needs to be protected, and is valued by considering its value to competitors or the effect its compromise could have on national or commercial interests. Such information could be, for example, details of awarded contracts, licences, discretionary grants, or other forms of approval. It could also be details of competitive tenders, industrially developed processes, methods, techniques, programs or details of intended announcements that could significantly affect trade and/or business.
Examples
7    one company in financial trouble to the extent that there would be uncertainty on the Stock Exchange
9    through adverse changes to the exchange rate, with a run on the Pound.

Notes
1    The second and third entries against asset value 3, where no financial values are mentioned, should be considered in relation to the financial value threshold used in the first entry against asset value 3.
2    The word "could" in the description of asset value 7 should be interpreted as indirectly causing the impact, and for asset values 9 and 10 the word "would" should be interpreted as directly causing the impact.

Financial loss/Disruption to activities

Asset Value   Financial Loss/Disruption to Activities
1    Result directly or indirectly in losses of £1,000 or less
2    Result directly or indirectly in losses of between £1,001 and £10,000
3    Result directly or indirectly in losses of between £10,001 and £30,000
4    Result directly or indirectly in losses of between £30,001 and £100,000
5    Result directly or indirectly in losses of between £100,001 and £300,000
6    Result directly or indirectly in losses of between £300,001 and £1,000,000
7    Result indirectly in losses of more than £1,000,000
8    Result directly in losses of more than £1,000,000
9    No entry
10   No entry

Some IT systems store and process information which is concerned directly with financial transactions or has a bearing on the financial well-being of the organisation concerned. The consequences of unauthorised disclosure and modification, as well as unavailability and destruction, of such information could well be financial loss. Examples are loss from a reduction in share prices, fraud or breach of contract because of late or no action.
Equally, the consequences of unavailability or destruction of any information could be disruptions to users. To rectify and/or recover from such incidents takes time and effort. This will in some cases be significant and should be considered. In order to use a common denominator, the time to recover should be calculated in man months and converted to a financial cost. This cost should be calculated by reference to the normal cost for a man month at the appropriate grade/level within the organisation.
Notes
1    If the losses were large enough, that is the effects on the organisation were very significant, there might be cases where a protective marking, or a treat as a protective marking, could apply.

Public order

Asset Value   Public Order
1    Is likely to cause very localised or community level protest
2    No entry
3    Is likely to cause limited or localised protest
4    No entry
5    No entry
6    Is likely to cause demonstrations, or significant lobbying, or localised industrial action
7    Is likely to cause industrial action with nationally felt effects
8    No entry
9    Is likely to cause widespread industrial action, for example a general strike, or
     Is likely to seriously prejudice public order (Secret)
10   Threaten directly the internal stability of the UK (Top Secret)

Information may be held by a government organisation which, if compromised, could jeopardise public order. This may take the form of information relating to a local scheme (such as a motorway expansion scheme) which if compromised may result in localised protest, or information relating to a national policy (such as the poll tax) which if compromised may cause widespread protest. Similarly, information may be held which if made unavailable or altered may threaten public order, for example information associated with benefits payments.
Examples
1    unauthorised disclosure of plans to close a local service, such as a post office
3    unauthorised disclosure of proposals for a travellers' commune that would considerably affect the surrounding area
6    unauthorised disclosure of plans for a motorway expansion scheme with economic ramifications such as the compulsory purchase of property
7    unauthorised disclosure of proposals for pay freezes, or redundancies in a nationalised industry
9    unauthorised disclosure of a proposal or report on a topic for which national policies are in the formative stage and which is extremely unlikely to be acceptable to the general public and/or is significantly against public opinion, for example the introduction of a three day week, or of a harsh tax/tax increases
10   unauthorised disclosure of initial reports that detail the potential endangerment of the majority of the UK population, related to such as significant water pollution, toxic waste or nuclear incident, before the full facts are made generally available, to the extent that there is public panic.
Notes
1    The reason that no protective marking is applicable to the descriptions for asset values 1 to 7 and the first option for asset value 9 is that such actions are legally permissible.

2    In some cases where using this guideline it will be necessary to cross-refer to the policy and operations of the public service guideline.

International relations

Asset Value   International Relations
1    No entry
2    No entry
3    Adversely affect diplomatic relations (Restricted)
4    No entry
5    No entry
6    No entry
7    Materially damage diplomatic relations (Confidential)
8    No entry
9    Raise international tension (Secret), or
     Seriously damage relations with friendly governments (Secret)
10   Cause exceptionally grave damage to relations with friendly governments (Top Secret), or
     Threaten directly the internal stability of friendly countries (Top Secret)

A number of government organisations (particularly the FCO, the MOD and the DTI) produce and handle information that concerns the UK's dealings with, and relationships to, the governments of other countries (both friendly and unfriendly) and international organisations. The unauthorised disclosure of some types of information could affect the UK's relationships with one or more countries, or an international organisation. Similarly, unauthorised modification of some types of information (for example changing the meaning of a new policy) could have adverse effects. Unavailability of some types of information (for example at critical stages of negotiations) could affect the UK's position.
Examples
7    caused by formal protest or other sanctions
9    when the potential consequences could be the withdrawal of ambassadors
10   extreme cases where the consequence could be war.

Defence

Asset: Defence

Value  Impact
1      Is likely to make it more difficult to maintain the operational effectiveness or security of UK or allied forces at a local level
2      No entry
3      Is likely to make it more difficult to maintain the operational effectiveness or security of UK or allied forces beyond a local level (Restricted)
4      No entry
5      No entry
6      No entry
7      Is likely to cause damage to the operational effectiveness or security of UK or allied forces (Confidential)
8      No entry
9      Is likely to cause serious damage to the operational effectiveness or security of UK or allied forces (Secret)
10     Is likely to cause exceptionally grave damage to the operational effectiveness or security of UK or allied forces (Top Secret)

The UK's Defence forces perform a number of roles. These can be summarised as the protection and security at home and abroad of the UK, its dependent territories and allies, and the promotion of the UK's wider security interests through the maintenance of international peace and stability. Thus, defence-related information is concerned with the policy, direction, preparation, training and engagement of the Services in fulfilment of their roles, including associated support activities.
Note that this guideline in particular should be used with great care, because so much depends on the characteristics of each particular situation. For instance, the corruption of a military communications system would have more serious consequences in time of war than it would in peacetime.
Examples
The examples must be used with great care, because much depends on the particular situation.
3   unauthorised disclosure of information concerning security force radio communications
    unauthorised disclosure of counter-terrorist measures at a military unit
7   unauthorised disclosure of plans for a peacekeeping mission
    unauthorised disclosure of information on the whereabouts and types of vehicles on an operation
    unauthorised disclosure of information concerning a military communications system
9   unauthorised disclosure of a military plan
    loss of information on an operational IT command and control system
    disruption of data on an IT system leading to a loss of re-supply capability
10  unauthorised disclosure of plans for wartime operations
    unauthorised disclosure of information concerning a nuclear weapons facility
    disruption of data on a vital IT system, such as one relating to nuclear command and control facilities


Security and intelligence

Asset: Security and Intelligence

Value  Impact
1      No entry
2      No entry
3      No entry
4      No entry
5      No entry
6      No entry
7      Cause damage to the effectiveness of valuable security or intelligence operations (Confidential)
8      No entry
9      Cause serious damage to the continuing effectiveness of highly valuable security or intelligence operations (Secret)
10     Cause exceptionally grave damage to the continuing effectiveness of extremely valuable security or intelligence operations (Top Secret)

Security and intelligence operations cover investigations and methods of obtaining information about the activities and intentions of hostile intelligence services, terrorists, extremists, subversives, organised criminals and others whose activities may threaten the well-being of the UK. Sources are vital to the acquisition of intelligence. Therefore, source protection figures prominently in the reasons for protectively marking intelligence material.
Note that Restricted is generally not used for security and intelligence material. Also, the consequences of compromise should be carefully considered in each case.
Examples
7   the unauthorised disclosure of routine intelligence material, information from general intelligence databases, or correspondence concerning individuals of intelligence interest
9   the unauthorised disclosure of details concerning live investigations which are based on information from secret sources, or concerning the identity of agents
10  the unauthorised disclosure of the existence of certain extremely sensitive technical operations and their targets, or in certain circumstances information about agents whose lives may be put at risk by compromise.
Notes
Within this guideline the word 'valuable' should be interpreted as 'important'.


Policy and operations of public service

Asset: Policy and Operations of Public Service

Value  Impact
1      Inefficient operation of one part of an organisation
2      No entry
3      Undermine the proper management of a public sector organisation and its operation (Restricted)
4      No entry
5      Impede the effective development or operation of government policies (Restricted)
6      Disadvantage government in commercial or policy negotiations with others (Restricted)
7      Seriously impede the development or operation of major government policies (Confidential), or
       Shut down or otherwise substantially disrupt significant national operations (Confidential)
8      No entry
9      No entry
10     No entry

Information may be such that its compromise would prejudice the effective performance of a public service organisation or organisations. For example, information relating to a change in a government policy may, if disclosed, provoke public reaction to the extent that it would not be possible to implement the policy. Similarly, information relating to the staff of a public sector organisation (such as changes in conditions of employment) may, if compromised prior to consultation, lead to bad staff relations and thus undermine the proper management of that public sector organisation. Modification or unavailability of information concerned with financial aspects, or computer software, could also have serious ramifications for the operation of a public sector organisation.
Note that this guideline should not be blindly applied to all possible compromises; each case should be considered carefully to decide what is appropriate.
Examples
3   the unauthorised disclosure of staff-related information, the compromise of which could seriously affect staff morale and therefore the operation of the organisation, or details of management decisions
5   the unauthorised disclosure of details of changes to the machinery of government, such as proposals for relocations or redundancies, prior to or without consultation
6   the unauthorised disclosure of contract material which could affect the government's position, or information relating to a privatisation exercise
7   the unauthorised disclosure of plans which are against public opinion. If, for example, plans to privatise air traffic control were made public prematurely, it would be difficult to get such a policy adopted, and there could be knock-on effects on the air traffic control service because of strike action. Similar situations could arise in relation to negotiating positions with unions, road schemes, and benefits.


Loss of goodwill

Asset: Loss of Goodwill

Value  Impact
1      No entry
2      Adversely affect relations with other parts of the organisation
3      Adversely affect relations with other organisations or the public, but with the adverse publicity confined to the immediate geographic vicinity and with no lasting effects
4      No entry
5      Adversely affect relations with other organisations or the public, with the adverse publicity more widespread than just the immediate geographic vicinity
6      No entry
7      Significantly affect relations with other organisations or the public, resulting in widespread adverse publicity
8      No entry
9      No entry
10     No entry

The unauthorised disclosure or modification, or indeed unavailability, of information could lead to a loss of goodwill towards an organisation, with resultant damage to its reputation, loss of credibility and other adverse consequences.
Note that this guideline has only an indirect relationship to the Protective Marking Scheme and is not part of government national security policy. It should be used with extreme care and only where the potential consequences from adverse impacts can be fully justified.


E.2 Table of Data Valuation Guidelines


The following two tables show all the Data Valuation Guidelines. The first table, listed by value with one entry per guideline, begins below.

Value 1
  Management and Business Operations:       Inefficient operation of one part of an organisation
  Personal Safety:                          No entry
  Personal Information:                     Minor distress to an individual but no breach of legal or regulatory requirement occurs
  Legal and Regulatory Obligations:         No entry
  Law Enforcement:                          No entry
  Commercial and Economic Interests:        Be of interest to a competitor but of no commercial value
  Financial Loss/Disruption to Activities:  Result directly or indirectly in losses of 1,000 or less

Value 2
  Management and Business Operations:       No entry
  Personal Safety:                          Could lead to minor injury to several individuals
  Personal Information:                     Distress to an individual but no breach of legal or regulatory requirement occurs
  Legal and Regulatory Obligations:         No entry
  Law Enforcement:                          No entry
  Commercial and Economic Interests:        Be of interest to a competitor to a value that is 10,000 or less (turnover)
  Financial Loss/Disruption to Activities:  Result directly or indirectly in losses of between 1,001 and 10,000

Value 3
  Management and Business Operations:       Undermine the proper management of the organisation and its operation, or
  Personal Safety:                          Is likely to lead to a minor injury to an individual (Restricted)
  Personal Information:                     A breach in a legal, regulatory or ethical requirement or publicised intention on the protection of information, leading to minor distress to an individual (Restricted)
  Legal and Regulatory Obligations:         Civil suit or criminal offence resulting in damages/penalty of 2,000 or less
  Law Enforcement:                          Facilitate the commission of a crime, or prejudice the investigation of a crime (Restricted)
  Commercial and Economic Interests:        Be of value to a competitor to a value that is between 10,001 and 100,000 (turnover), or
                                            Cause financial loss, or loss of earning potential, or facilitate improper gain or advantage for individuals or organisations (Restricted), or
                                            Constitute a breach of
  Financial Loss/Disruption to Activities:  Result directly or indirectly in losses of between 10,001 and 30,000