Académique Documents
Professionnel Documents
Culture Documents
RISK ASSESSMENT
PROCEDURES
VERSION 1.0
May 2007
Prepared by:
The following Risk Assessment Procedures should be reviewed at least annually and the date
recorded on the table below.
Change/Review Record
Document Title: IAH Volume 14 –Risk Assessment Procedures
TABLE OF CONTENTS
1 INTRODUCTION............................................................................................................. 1
1.1 Background ......................................................................................................................... 1
1.2 Purpose................................................................................................................................ 1
1.3 Scope and Applicability...................................................................................................... 1
2 PROCESSES ..................................................................................................................... 2
2.1 Security Categorization....................................................................................................... 2
2.2 Risk Assessment ................................................................................................................. 3
2.3 Risk Assessment Update..................................................................................................... 4
2.4 Vulnerability Scanning ....................................................................................................... 4
3 PROCEDURES ................................................................................................................. 7
3.1 Security Categorization....................................................................................................... 7
3.2 Risk Assessment ................................................................................................................. 8
3.3 Risk Assessment Update................................................................................................... 10
3.4 Vulnerability Scanning ..................................................................................................... 11
3.5 Compliance ....................................................................................................................... 14
APPENDIX A: ACRONYMS .................................................................................................... 15
APPENDIX B: RISK ASSESSMENT TEMPLATES & INSTRUCTIONS ......................... 16
APPENDIX C: SAMPLE VULNERABILITY SCANNING TOOLS ................................... 35
1 INTRODUCTION
1.1 BACKGROUND
Based on Federal statutes, regulations and mandates, the Pension Benefit Guarantee Corporation
(PBGC) is responsible for ensuring that all PBGC information systems meet the minimum
security requirements defined in the Federal Information Processing Standards (FIPS)
Publication (PUB) 200, Minimum Security Requirements for Federal Information and
Information Systems. All PBGC information systems 1 must meet the security requirements
through the use of the security controls in the National Institute of Standards and Technology
(NIST) Special Publication (SP) 800-53, “Recommended Security Controls for Federal
Information Systems”. The Office of Information Technology (OIT), Enterprise Information
Security (EIS) has developed Risk Assessment procedures to ensure the Confidentiality,
Integrity and Availability of its information and information systems. These procedures ensure
that NIST guidance on risk assessments for Federal information systems is appropriately
implemented. Sections I and II of this volume address the policies and procedures/standards set
forth by PBGC and, in compliance with, the risk assessment family of controls found in NIST SP
800-53. The controls are then documented in the SSP. Final selection of security controls must
be compliant with Federal statutes, regulations, mandates, and PBGC Information Assurance
Handbook (IAH) Volume 12, Security Planning, Section I.
1.2 PURPOSE
The purpose of these procedures is to provide guidance on implementing PBGC policy for
security risk assessment as defined in Section I of this volume.
1
Information System(s) refers to General Support Systems and Major Applications.
2 PROCESSES
The PBGC risk assessment processes are based on applicable NIST guidance, including SP 800-
30,”Risk Management Guide for Information Technology Systems”, SP 800-42, “Guideline on
Network Security Testing”, and SP 800-60, “Guide for Mapping Types of Information and
Information Systems to Security Categories”. The information described in the aforementioned
guides allows for consistent application of the risk assessment processes for security
categorization, risk assessment, risk assessment update, and vulnerability scanning.
The process begins by evaluating the security needs of the system and the protections required
for the mission and information held. The Federal Enterprise Architecture (FEA) Business
Reference Model (BRM) provides an aid to identifying information contained in the system.
The BRM indicates the type of information on the system based on the business area and line of
business of the system. NIST SP 800-60, Volume I and II, provides guidance to identify the
security categorization of the information for each security objective (i.e., confidentiality,
integrity, availability). While NIST SP 800-60 provides a recommended level for the security
categorization, additional security considerations may be required by department senior
management. All applicable Federal laws and acts must be applied to ensure the proper security
categorization of PBGC information systems. The Information System Owner then uses the
resulting characterization to determine the appropriate minimum security control baseline and
system specific security controls to use for protecting the information resources. Systems that
are under development must use the minimum security controls baseline as requirements;
systems in production must ensure that the security controls required by the minimum security
controls baseline are in place and operating effectively in accordance with their security
categorization. The controls are documented in a system security plan (SSP), IAH Volume 12,
Security Planning.
• System Characterization
• Threat Identification
• Vulnerability Identification
• Security Control Analysis
• Likelihood Determination
• Impact Analysis
• Risk Determination
• Security Control Recommendations
• Risk Assessment Results Documentation
The process begins by characterizing the system. The system boundaries are identified and the
system operating characteristics are described. The FIPS 199 security categorization, or impact
level, are identified to aid the assessor in establishing the minimum security control
requirements.
Once the system has been characterized, the threats to the system are identified. This includes all
threats to normal operations and includes environmental, human, and natural threats. The source
of the threat is also identified and characterized to determine the motivation, available resources,
and capabilities of the threat so that a better evaluation of the threat can be performed.
The next step is to identify the vulnerabilities in the system that might allow for the system to
either be misused or otherwise render the system unable to meet the mission objectives. The
vulnerabilities are paired with the identified threat sources to create threat source/vulnerability
pairs that are used throughout the analysis. The vulnerability list should be comprehensive and
be based on all available sources. The threat action or activity that the threat source could
execute to exploit the vulnerability is also listed here.
Following the identification of the threats and vulnerabilities, the existing and planned security
controls are evaluated. The current state of the security controls is analyzed. Each
recommended control provided in NIST SP 800-53 is analyzed to determine the current status of
the control. Based on the threat source/vulnerability pairs, the controls are matched to determine
the level of protection the system currently has in place for a particular threat
source/vulnerability pair. The likelihood that the vulnerability be exploited by the paired threat
source will be exploited is then determined for each threat source/vulnerability pair. In a similar
manner, the threat source/vulnerability pairs are then evaluated to determine the impact to system
operations, if exploited. The impact analysis is based on the FIPS 199 security categorization
impact level to the system. The security categorization process determines the maximum impact
rating for the security objectives of confidentiality, integrity, and availability for the information
system. The high water mark from the three security objectives determines the maximum impact
rating to the system and is used to analyze each threat source/ vulnerability pair.
Based on the analysis provided in the likelihood determination and the system impact rating, the
risk determination is generated to demonstrate the final risk level for each threat
source/vulnerability pair. The threat source/vulnerability pair residual risk levels allow the
assessor to further examine the security controls. The analysis of the security controls will allow
the assessor to make a recommendation as to the adequacy of the in-place controls of the system
and to recommend any corrective action to lower the residual risk of each source/vulnerability
pair.
Finally, the resulting documentation is used to summarize the activities and results associated
with the risk assessment. The results are analyzed by the assessor and used to develop a
conclusion of the final risk rating of the system based on the analysis of all threat
source/vulnerability pairs and the status of the controls. A final residual risk description and
rating should be provided. The results are then taken and incorporated into the risk assessment
report which is presented to the Designated Approving Authority (DAA), Information System
Security Officer (ISSO), and Information System Owner for review and action.
The second procedure related to RA update requires a review of the RA on a periodic basis, but
not less than annually. The risk characteristics of an information system may change on a
regular basis; therefore, PBGC requires that the RA for each major information system be
reviewed and updated annually to reflect the current operating environment of the system. Once
the update is performed, the Information System Owner and ISSO review the document,
document the activities as part of the continuous monitoring program, and provide an updated
copy to the Senior Agency Information Security Officer (SAISO).
2.4 VULNERABILITY SCANNING
Vulnerability scanning is a critical component of managing information system risk and is a part
of an overall vulnerability management program. A vulnerability is an area that is susceptible to
attack and may be a bug, error in configuration, or special set of circumstances that could result
in an attacker or threat being able to exploit the information resources for unauthorized purposes.
Vulnerability scanning is the automated process of proactively identifying vulnerabilities of
computing systems in a network in order to determine if and where a system can be potentially
exploited.
Vulnerability scanning employs software that seeks out security flaws based on a database of
known flaws, testing systems for the occurrence of these flaws, and generating a report of the
findings that an individual or Information System Owner can use to tighten the network’s
security. Vulnerability scanning provides information on the associated vulnerabilities. Most
vulnerability scanners attempt to provide information on mitigating discovered vulnerabilities.
Vulnerability scanning can also help identify out-of-date software versions, applicable patches,
and system upgrades, and then validate compliance with, or deviations from, PBGC’s security
policy.
Vulnerability scanners tend to generate significant network traffic. This may have a negative
impact on the hosts or network being scanned or network segments through which scanning
traffic is traversing. Many vulnerability scanners also include tests for denial of service (DoS)
attacks that, in the hands of an inexperienced tester, can have a considerable negative impact on
scanned hosts. In general, DoS tests should always be disabled when vulnerability scanning is
performed. As a result of this, extra steps and efforts should be taken to coordinate vulnerability
scan activities with operation staff and incident response teams.
Another significant limitation of vulnerability scanners is that they rely on constant updating of
the vulnerability database in order to recognize the latest vulnerabilities. Before running any
scanner, the ISSO should install the latest updates to its vulnerability database. Some
vulnerability scanner databases are updated more regularly than others. The frequency of
updates should be a major consideration when choosing a vulnerability scanner.
vulnerability scans mimic some signs of an attack, the appropriate management must be notified
to avoid confusion and unnecessary expense.
Active vulnerability scanning involves assessing the information system with the use of
automated assessment tools. As previously mentioned, these tools identify known weaknesses
and often suggest ways to remediate the vulnerability. Active vulnerability scanning is more
common than passive vulnerability scanning, but passive vulnerability scanning is gaining
ground. Passive vulnerability scanning involves monitoring network traffic at the packet level.
This is performed similarly to an intrusion detection system by sniffing the network traffic on a
hub, through a spanned port on a network switch or through a network tap. When initially
deployed, the passive vulnerability scanner will observe network traffic for a specified period of
time and establish a baseline for systems and traffic patterns and later report on deviations to the
baseline. The passive vulnerability scanner can also reconstruct TCP/IP sessions and evaluate
the session for known vulnerabilities. The passive vulnerability scanner has an added benefit of
having no negative impact on a system. Passive vulnerability scanning augments active
vulnerability scanning and in no way replaces it. When utilized simultaneously, active and
passive vulnerability scanning can further identify vulnerabilities and weaknesses within an
Information System.
3 PROCEDURES
3.1 SECURITY CATEGORIZATION
A productivity aid is provided for all PBGC information systems to assist with the FIPS 199
security categorization of the system. This aid must be utilized during the Initiation Phase of the
ITSLCM in accordance with Federal statutes, regulations, mandates and PBGC directives. This
aid must also be used to complete a reevaluation of either the information types contained in the
system or the FIPS 199 security categorization of the information resources. The security
categorization is then used throughout the remainder of the life cycle of the system to determine
the potential security impact to PBGC.
• System High is the term used by NIST to reflect that the information system
takes on the high water mark for corresponding attribute for any other
information system that relies on this system for providing security controls.
This is most common for a GSS that provides security controls to major
applications.
• Any system containing personally identifiable information shall be considered
a major information system and have confidentiality and integrity of moderate.
• Major information systems must have a security categorization high water
mark of moderate..
During the Project Initiation Phase of a system, the completed security categorization
must be reviewed by the ISSO. Following the Information System review, the ISSO shall
provide the result of the security categorization to the Senior Agency Information
Security Officer (SAISO) via a CD or otherwise secure transmission. Information
System Owners are expected to retain a hard copy of this report on file. Any updates to
the FIPS 199 security categorization must be similarly submitted to the ISSO within 10
business days of the change. Note that a change in FIPS 199 security categorization
would result in a change to the inventory status to the system and should be reported as
an out-of-cycle inventory modification. Additionally, the change might result in a
significant change to the system due to the change in minimum security controls and
require a new C&A of the system.
3.2 RISK ASSESSMENT
EIS has developed the following procedures based on NIST SP 800-30. The procedures include
the use of a standard RA spreadsheet and a reporting template to ensure standardized
methodology across PBGC. Procedures 1 – 8 utilize the Risk Assessment Report template (i.e.,
Microsoft Word document) and the Risk Assessment Spreadsheet (i.e., compilation of excel
worksheets) to aid in gathering and analyzing information throughout the process. The template
and worksheets can be found in the appendixes to this volume. Procedure 9 utilizes the reporting
template to prepare the final report.
Using the system characterization section of the Risk Assessment Report template, found
in the Appendix B of this volume, exercises the system characterization process. This
process is intended to gather system-related information based on system-specific
information and the general operating environment, including the FIPS 199 security
categorization process. Detailed information contained in other supporting
documentation may be referenced, provided a specific version and date of the referenced
document are provided.
Using the risk assessment instructions and template, found in Appendix B of this volume,
develop a comprehensive list of threats that affect the information system. Use this
information to classify the threats according to the defined categories. Identify the threat
sources for each threat.
Using the risk assessment instructions and template, develop a comprehensive list of
vulnerabilities that affect the information system. This information should be based on
several sources, including, but not limited to:
Using the list of vulnerabilities, add in the list of threat sources that may attempt to
exploit the vulnerability. List the possible threat actions that the threat source may take
to exploit the vulnerability.
The probability that a vulnerability will be exploited by a threat source is critical when
focusing on security resources. The information provided in Procedure 3 will be
automatically populated into the Likelihood – Impact – Risk worksheet. The SP 800-53
security control that is employed to limit the exposure to the threat source/vulnerability
pair should be listed. Based on the status of the security controls, a likelihood rating of
the vulnerability being exercised by the threat source must be provided by the assessor.
The maximum impact that any threat source/vulnerability pair can have on the security of
an information system is equivalent to the security categorization for the information
system. This is based on the high watermark for the security categorization was
developed based on the FIPS 199 methodology which examines all information types in
the information system. As such, the security categorization for each security objective
describing the overall information system determines the maximum impact rating for the
system.
To determine the impact rating for each threat source/vulnerability pair, provide the
impact rating for each security objective. The high watermark is automatically calculated
and then used to develop the risk rating.
EIS has provided a template for reporting the results of the RA. The template
summarizes the current level of risk, system characterization, and the results of the
assessment. The final RA report should be prepared in accordance to this template,
provide a conclusion that includes an overall risk statement, and be provided to the DAA,
ISSO, and Information System Owner.
All system changes must be reviewed to determine if they meet the criteria of being a
significant change. A significant change is defined as a change to the operating
environment of a major information system that alters the overall level of risk previously
authorized by the DAA.
The RA must also undergo an annual review to ensure that updates, including, but not
limited to, changes in essential personnel are documented. The annual review is to be
performed by the Information System Owner and the ISSO and then reported to the
DAA. The document review history must be updated to reflect the date the review was
performed. The ISSO must notify the SAISO when the annual review of the RA has
been completed.
Procedure 1: Define a clear scope for all vulnerability scanning activities and
designate individuals to perform the scans
In order to meet the requirements of control objective RA-5 in NIST SP 800-53, the
PBGC has implemented network-based active vulnerability scanning (hereto referred to
as “vulnerability scanning”) at a minimum. The individuals who will be performing
active vulnerability scanning must be authorized in advanced and specific set of
guidelines for the scans must be documented and approved.
A passive network scanner may be configured with a wide range of settings to meet the
needs of a PBGC information system.
• Scanner selection – EIS should evaluate the tools for use within the PBGC WAN
environment. Network and host-based vulnerability scanners are available for free or
for a fee. Appendix D contains a list of readily available vulnerability scanning tools.
This list of tools is provided for informational purposes and is not endorsed by EIS.
If scans will occur outside the realm of responsibility for that department, then a
memorandum of understanding (MOU) must be drafted and signed by the DAA of
each affected department.
Scans typically should be performed only on systems and networks that are known to
be stable and preferably during times of least impact to the critical functionality of the
system. It is expected that vulnerability scanning will occur during the deployment
and Solutions Operations and Maintenance phases of the ITSLCM.
• Perform scanning exercise – The designated personnel should perform the scan of
the network and devices in accordance with the rules of engagement.
• Verify system availability – After completing the test, the designated personnel
should check system status directly or by coordinating with the system administration
team to ensure that the test did not result in unintended consequences and that the
system remains operational.
Procedure 4: Document the scan results and provide to the ISSO and Information
System Owner
• Report Results – Once the vulnerability scanning has been completed, the results
should be analyzed and documented in a vulnerability scan report. Discovered
deficiencies must be disseminated to the affected Information System Owner(s) and
added to the system plan of action and milestones (POA&M) for correction or
mitigation. The following corrective actions may be necessary as a result of
vulnerability scanning:
3.5 COMPLIANCE
ISSO Documentation Compliance Review
The PBGC ISSO shall review the RA, security categorization and vulnerability scanning results
for compliance with PBGC and department information security policies prior to submission to
the Information System Owner and the SAISO. The Information System Owner shall notify the
ISSO within 10 business days of a significant change that requires a new C&A. The Information
System Owner shall submit updated risk assessment documents to the ISSO within 30 calendar
days of completing the changes.
APPENDIX A: ACRONYMS
BRM Business Reference Model
C&A Certification and Accreditation
CERT Computer Emergency Response Team
DAA Designated Approving Authority
DoS Denial of Service
DRI Disaster Recovery Institute
FEA Federal Enterprise Architecture
FIPS Federal Information Processing Standards
GSS General Support System
IAH Information Assurance Handbook
ISA Interconnection Security Agreement
ISSO Information System Security Officer
ID Identifier
ISP Internet Service Provider
IT Information Technology
ITSLCM Information Technology Solutions Life Cycle Methodology
MA Major Application
MOU Memorandum of Understanding
NIST National Institute of Standards and Technology
OIT Office of Information Technology
PBGC Pension Benefit Guaranty Corporation
POA&M Plan of Action and Milestones
PUB Publication
RA Risk Assessment
SAISO Senior Agency Information Security Officer
SCA Security Controls Assessment
SCW System Categorization Worksheet
SP Special Publication
SSP System Security Plan
In order to access the most current template, please refer to the following document: Risk
Assessment Report Template
• System Connections
Identify and describe the internal and external system connections (e.g., communication
links), including the services provided by each interface and the relationship between the
interface and the system. Identify the significant features of the communications layout.
Obtain and review, or create, a complete, high-level description of the system and network
architecture, including diagrams or drawings to amplify the description of all components of
the system. Lastly, include a description and a diagram depicting the flow of information
upstream and downstream, including inputs and outputs to the system and any inter-
department connections that exist to the system. The preceding information may already be
documented in the system/application documentation.
The key part of defining the system boundary is to look at where it meets other systems and
to define where the dividing line is located. This applies not only to physical connections,
but also to logical connections where data is exchanged. The owner of this system and the
owners of the interconnected systems must agree on the boundary between their systems, so
that all components are the responsibility of someone, and no components are covered more
than once. In the event that the system boundary crosses a management boundary, the details
should be clearly defined in a MOU and an Interconnection Security Agreement (ISA). See
Volume 4 of the IAH for instructions on completing an MOU and an ISA. The system
boundary should be based on non-arbitrary characteristics, such as funding boundaries, air
gaps, contractual boundaries, operational boundaries, and transfer of information custody.
The purpose of this step is to identify the threats posed to the system or organization. Open the
Risk Assessment Spreadsheet. Go to the “Threat Identification” worksheet. It will appear as
displayed in Figure B-3:
Figure B-1
• Natural
• Human
• Environmental
Table B-1 contains a sample of threats. You may select from this list and consult NIST SP 800-
30. The threats listed in the table are provided only as a sample and are not specific for any
system. They are not complete, not necessarily specific or unique to your system, or detailed
enough for a thorough risk assessment; therefore, it is expected that the Information System
Owner and ISSO will need to augment this list. Keep in mind that threats are dynamic. A
previously conducted threat identification or risk assessment may not accurately and
comprehensively identify all threats in your system’s threat environment.
The list of threats for an average-size system is typically many pages long. It is important that as
many threats as possible be identified, since you are certifying to the DAA that all threats have
been identified and appropriate protections have been implemented or planned. Some of the
threats you identify may have a relatively low probability of occurrence but a large impact if they
occur (e.g., earthquakes). Natural disasters are tracked by the Federal Emergency Management
Agency; regional disaster information is available on their website (http://www.fema.gov/).
Table B- 2 shows a list of threat-sources, motivations, and actions. In addition, threats unique to
the system being assessed should be developed using brainstorming sessions and collaborative
techniques. The Information System Owner, system development team leader, and two to three
typical users should attend these sessions.
Note that the threat-source column in Table B-2 will not be a direct one-to-one mapping into the
final risk assessment matrix. Not all potential threats require risk management. Only those
threats that may be paired with identified system vulnerabilities should receive risk management
attention. The comprehensive list in Table B-2 will be used to apply the appropriate threat-
sources to their corresponding vulnerabilities, as detailed in Step 3.
Motivation or
Threat-Source Threat Actions
Mechanism
Natural
Flood Act of Nature Loss of Infrastructure or Resources
Flash Flood Act of Nature Loss of Infrastructure or Resources
Drought Act of Nature Loss of Infrastructure or Resources
Hurricane Act of Nature Loss of Infrastructure or Resources
Earthquakes Act of Nature Loss of Infrastructure or Resources
Landslides Act of Nature Loss of Infrastructure or Resources
Avalanches Act of Nature Loss of Infrastructure or Resources
Electrical Storms &
Act of Nature Loss of Infrastructure or Resources
Lightning
Severe Storms Act of Nature Loss of Infrastructure or Resources
Tornadoes Act of Nature Loss of Infrastructure or Resources
Winter Storm Act of Nature Loss of Infrastructure or Resources
Loss of Human Resources
Illness or Epidemic Act of Nature
Inability To Operate
Electrical Interference or
Act of Nature Loss of Infrastructure or Resources
Disruption
Electrical Fire Act of Nature Loss of Infrastructure or Resources
Wild Fire Act of Nature Loss of Infrastructure or Resources
Extreme Temperatures Act of Nature Loss of Infrastructure or Resources
Human
Network-based Attacks (i.e., Hacking)
Telephone-switch Attacks (i.e., Phreaking)
Hacker Challenge
Social Engineering
Cracker Ego
System Intrusion, Break-ins, or Unauthorized System
Phreaker Rebellion
Access (e.g., Cracking)
Unauthorized Disclosure
Computer Crime (e.g., Cyber Stalking)
Destruction of
Fraudulent Act (e.g., Replay, Impersonation,
Information
Interception)
Illegal Information
Information Bribery
Computer Criminals Disclosure
Spoofing
Monetary Gain
System Intrusion
Unauthorized Data
Alteration System Attack (e.g., Denial of Service, Distributed
Denial of Service)
Motivation or
Threat-Source Threat Actions
Mechanism
Bomb, Bomb Threat, or Terrorism
Blackmail Destruction of Assets or Information
Destruction Information Warfare
Terrorist
Exploitation System Attack (e.g., Distributed Denial of Service)
Revenge System Penetration
System Tampering
Economic Exploitation
Information Theft
Industrial Espionage Theft of Assets
(e.g., Companies, Competitive Advantage Intrusion on Personal Privacy
Foreign Governments, Social Engineering
or Other Government Economic Espionage
System Penetration
Interests)
Unauthorized System Access (e.g., Access to
Classified, Proprietary, or Technology-related
Information)
Assault on an Employee
Blackmail
Browsing of Proprietary Information
Computer Abuse
Destruction of Information or Assets
Fraud and Theft
Information Bribery
Insider Threat with Intent Curiosity
Input of Falsified or Corrupted Data
(e.g., Poorly Trained, Ego
Interception
Disgruntled, Malicious, Intelligence
Negligent, Dishonest, or Malicious Code (e.g., Virus, Logic Bomb, Trojan
Monetary Gain
Terminated Employees) Horse)
Revenge
Sale of Personal Information
System Bugs
System Intrusion
System Sabotage
Unauthorized System or Facilities Access
Unauthorized Disclosure
Vandalism
Motivation or
Threat-Source Threat Actions
Mechanism
HVAC Failure Lack of Maintenance Loss of Infrastructure or Resources
Carelessness
Hardware or Software Lack of Procedures or
Loss of Infrastructure or Resources
Failure Guidelines
Lack of Maintenance
Lack of Contingency
Power Outage or Failure Loss of Infrastructure or Resources
Planning
Long-term Power Lack of Contingency
Loss of Infrastructure or Resources
Outage or Failure Planning
Carelessness
Radiological Incident Lack of Procedures or Loss of Infrastructure or Resources
Guidelines
Carelessness
Rodent or Insect
Lack of Procedures or Loss of Infrastructure or Resources
Infestation
Guidelines
Carelessness
Structural Fire Lack of Procedures or Loss of Infrastructure or Resources
Guidelines
Lack of Policy
Substance Abuse Lack of Policy Loss of Infrastructure or Resources
Enforcement
Lack of Contingency
Pollution Loss of Infrastructure or Resources
Planning
Carelessness
Lack of Procedures or
Liquid Leakage Loss of Infrastructure or Resources
Guidelines
Lack of Maintenance
Figure B-4
Provide a brief description of how the vulnerabilities were determined, and prepare a
comprehensive table of vulnerabilities specific to this system or application that could be
exploited by the potential threat-sources.
There are many methodologies or frameworks for determining system vulnerabilities. The
methodology should be selected based on where the system or application is in its life cycle, as
follows:
The description of how vulnerabilities are determined should show that the process was thorough
and likely to result in a complete and comprehensive list. If a vulnerability or risk assessment
report has been performed previously, it will probably contain a comprehensive list of
vulnerabilities that can be used to help you develop this section. See NIST SP 800-30 Section
3.3 for additional guidance.
The list of vulnerabilities also varies greatly from one system and organization to another.
System and network administrators may have different processes in place for more regularly
reviewing a system’s security, applying patches, correcting vulnerabilities, etc. It is important
that all known vulnerabilities be identified, since you are certifying to the DAA that appropriate
reviews and testing of the system’s required security controls have been performed.
Table 3 shows a comprehensive list of threat-vulnerability pairs. The list in Table 3 is only a
sample and is not specific to any system; therefore, it is expected that Information System
Owners will augment this list as needed. Vulnerabilities are dynamic. A previous vulnerability
identification or risk assessment may not have identified the current vulnerabilities. Develop a
list of threat Source/vulnerability pairs that list each threat-source on a separate line. This may
require you to list vulnerabilities multiple times; however, this information will carry into the
following worksheets.
Unauthorized Users (e.g., “Generic” accounts were found in Could be misused to access
hackers, disgruntled employees, the database (e.g., test, share, sensitive and critical data without
computer criminals, terrorists) guest). accountability
Remote OS authentication is
Unauthorized Users (e.g., A potential intruder exploiting the
enabled even though no user
hackers, disgruntled employees, functionality to access the
accounts were found to be set up
computer criminals, terrorists) database
with access.
Figure B-5
The analysis shall assess the effectiveness of in-place or planned controls in mitigating the
identified vulnerabilities of the system. The controls listed in this section shall be based on the
PBGC’s security requirements checklist and apply to all control families for the system. These
controls shall be documented in detail throughout the system’s SSP. Compliance to these
controls shall be measured on an annual basis through either a security self-assessment or
security control assessment.
The purpose of this step is to assign a likelihood rating of high, moderate, or low to each threat-
vulnerability pair identified in Step 3 and to correlate the information to the security control
analysis developed in Step 4.
Figure B-6
The likelihood rating shall be determined based on the likelihood that a potential vulnerability
might be exploited within the construct of the associated threat environment. The following
governing factors shall be considered:
Other factors may also be used to estimate likelihood. These include historical information,
records such as the annual rate of occurrence, and information from security organizations such
as US-CERT, SANS, Bugtraq, SecurityTracker, and the Disaster Recovery Institute (DRI)
International. The controls listed in the “Control Analysis” worksheet from Step 4 may be
considered, provided they adequately mitigate the potential vulnerability. The likelihood rating
levels are high, moderate, and low, as defined in Table B-4.
Likelihood
Likelihood Definition
Level
The threat-source is highly motivated and sufficiently capable, and controls to prevent the
High
vulnerability from being exercised are ineffective.
The threat-source is motivated and capable, but controls are in place that may impede
Moderate
successful exercise of the vulnerability.
The threat-source lacks motivation or capability, or controls are in place to prevent, or at
Low
least significantly impede, the vulnerability from being exercised.
Table B-5 shows an example of the likelihood ratings assigned to a system’s vulnerabilities.
Note that natural physical threats are deemed to be less likely and are assigned lower ratings,
while accidents are deemed to be fairly high.
Likelihood
Threat-Source Vulnerability Controls
Rating
Personnel security controls are in
place for closing user accounts, but
they appear to be inadequate.
A mitigating factor is that this
Terminated employees’ vulnerability is dependent on a
Terminated
application user IDs are not terminated employee gaining access Moderate
Employees
quickly removed. to the client application. This
appears to be adequately protected.
Dial-in access, physical access to
the building, workstation areas, and
network access are controlled.
Likelihood
Threat-Source Vulnerability Controls
Rating
Personnel security control policy,
which is in place, states that users
must be limited to the minimum
Malicious Insiders Default Connect and Resource
access rights needed to perform
roles are granted to arbitrary
Computer their job functions. Logical access High
users rather than predefined
Criminals control policies now in place enable
roles.
the enforcement of the personnel
security control policy, but it does not
currently appear to be enforced.
Large bogus TCP packets Intrusion detection is in place and
Malicious Insiders (greater than 50000 bytes) would detect a denial of service
directed at port 1521 will cause attack. It is anticipated that until the
Computer High
the application to stop incident is handled appropriately,
Criminals responding to the client users would lose application access
software. during the attack.
Application software maintenance
controls now in place specify vendor
advisories and subsequent critical
patch releases should be monitored.
These procedures, however, do not
Unauthorized appear to be followed consistently.
Users (e.g., A mitigating factor to consider is that
The vendor has identified flaws the vulnerability is dependent on an
Hackers,
in the security design of the unauthorized user’s gaining access
Disgruntled
application modules; new to the internal PBGC network. There Moderate
Employees,
patches exist but have not is a PBGC firewall protecting the
Computer
been applied. Internet connection and a Data
Criminals,
Terrorists) Center firewall protecting the Data
Center network.
Likelihood
Threat-Source Vulnerability Controls
Rating
Unauthorized
Users (e.g.,
Hackers,
Passwords are not set to
Disgruntled Authentication controls are built in to
expire, nor are regular Moderate
Employees, the application and can be enabled.
password changes enforced.
Computer
Criminals,
Terrorists)
The maximum impact that any threat source/vulnerability pair can have on the security of an
information system is equivalent to the security categorization for the information system. This
is based on the high watermark for the security categorization was developed based on the FIPS
199 methodology which examines all information types in the information system. As such, the
security categorization for each security objective describing the overall information system
determines the maximum impact rating for the system.
Magnitude
Impact Definition
of Impact
Exercise of the vulnerability: (1) may result in the highly costly loss of major tangible assets or
High resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation,
or interest; or (3) may result in human death or serious injury.
Exercise of the vulnerability: (1) may result in the costly loss of tangible assets or resources; (2)
Moderate may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result
in human injury.
Exercise of the vulnerability: (1) may result in the loss of some tangible assets or resources or
Low
(2) may noticeably affect an organization’s mission, reputation, or interest.
• To complete this step, use the resulting information from the security categorization.
The high watermark is automatically calculated and used to automatically feed the risk
determination.
NOTE: For Step 7, use the “Likelihood-Impact-Risk” worksheet in the Risk Assessment
Spreadsheets supplied by EIS.
The risk determination for each threat source/vulnerability pair is generated automatically using
the worksheet. The calculation is based on the risk rating matrix seen in Table B-8 and provided
in NIST SP 800-30. The matrix uses a standard 3x3 matrix.
For a thorough description of the risk rating calculation, refer to the annotated NIST SP 800-30,
Table 3-6, Risk Scale and Necessary Actions.
The worksheet will automatically calculate the Residual Risk Rating based on the Likelihood
and Impact levels.
Figure B-7
The goal of the recommended controls is to reduce the residual risk to the system and its data to
an acceptable level. This provides sufficient data supporting the DAA’s responsibility to make
informed risk-based decisions ensuring the protection of the system in question and the PBGC at
large. The following factors should be considered in recommending controls and alternative
solutions to minimize or eliminate identified risks:
Analyze each security control with the threat source/vulnerability pair. Then determine the
current level of adequacy and provide recommendations for improvement. Recommended
actions should be integrated into the system’s security POA&M.
The risk assessment report should not be presented in an accusatory manner. Rather, it should
rather be a direct and open discussion of the observations of the risk assessment team. Its
purpose is to inform senior management of the current threat-vulnerability environment and the
adequacy of current and planned security controls. The value of a risk assessment is that it helps
senior management to understand the current system exposure so they can allocate resources
effectively and efficiently to correct errors and reduce potential losses.
To that purpose, perform an analysis of the risk assessment activities. Use this information to
develop a conclusion based on the risk assessment that includes the overall final level of residual
risk to the PBGC and system. Include a paragraph on any deviations from the standard NIST
methodology used and prescribed in these procedures. Other considerations, which are beyond
the scope of the risk assessment but which may be addressed in the report and should be
discussed in the brief, are management’s assessment and subsequent POA&M. Depending on the
severity of actions required to mitigate the discovered risks, a risk mitigation plan with detailed
remedial action may be required to address the identified weaknesses. For each threat-
vulnerability pair management should—
• Estimate the resources (in terms of hours) required for implementing the
recommendation(s).
Next, develop the Introduction. The introduction shall briefly describe the purpose of this risk
assessment and include a brief description of the approach used to conduct the risk assessment.
The description of the approach shall include:
• The participants and their roles in the risk assessment in relation to their assigned
responsibilities at PBGC.
• The technique used to gather the necessary information (e.g., the use of tools,
questionnaires).
• The risk assessment methodology flow chart from NIST SP 800-30 and any
customization based on the system threat environment.
The level of risk shall be determined using a “3x3” risk-level scale that is based on inputs from
the threat likelihood and threat impact categories. The risk levels for each input category shall
be assessed as high, moderate, or low. These risk levels are defined in FIPS 199.
Next, copy the results of the Results Documentation worksheet into the template to provide
summary information of the assessment. Copy the worksheets from Steps 2 – 8 into the
appropriate appendices as references for senior management.
Finally, develop the executive summary highlighting the activities undertaken and the critical
elements of the analysis and conclusion. This section should highlight for senior management
the core results determined by this risk assessment.
ISS Internet Scanner is a network-based vulnerability-scanning tool that identifies security holes on
Description network hosts.
A network-based vulnerability-scanning tool that identifies security holes on network hosts. While
Nessus 3 is available free of charge is not be released under the GPL. There is a fee for a direct
Description feed of the latest plug-ins (i.e., signatures); otherwise a feed for registered scanners is released 7
days after the direct feed.
http://www.wwdsi.com/sai
SAINT Vulnerability scanner X X $
nt/
SAINT is an updated and enhanced version of SATAN, is designed to assess the security of
Description
computer networks.
Sourcefire RNA uses a combination of passive network discovery, behavioral profiling, and
Description integrated vulnerability analysis to deliver the benefits of real-time network profiling and change
management.
Tenable PVS monitors your network for vulnerable systems, watches for potential application
Description
compromises, client and server trust relationships, and open or browsed network protocols in use.