Risk Analysis And Security Plan Of Plastpack

02 Nov 2017

Vijay Shah – 21520466

Maulik Mandlik – 21565852

Disclaimer:

Due to the confidential nature of the products this company manufactures, we were asked not to disclose its name or any other actual information we were given. Therefore, the graphics, risk analysis and vulnerability maps are as approximate as we could make them, but they do not reflect the "real system" in-place.

Tutor: Sanjay Jha

Table of Contents

1. Organisation Description
1.1 Organizational Chart
2. Security Policy
2.1 Security Goal
2.2 Responsibilities for Goals
2.3 Commitment to Security
3. Current Security Status
3.1 Natural Disasters
3.2 Physical Disaster
3.3 Environmental Threats
3.4 Human-Caused Physical Threats
3.5 Technical Threats
4. Recommendations
5. IT Security Management Control and Implementation
6. Network and Systems Diagram and Description of Current and/or New System
6.1 WAN Topology
6.2 LAN Topology
7. Responsibility for Implementation of Recommended Controls
8. Schedule for Review of Security and Control Items
9. Formulas
10. Cost-Benefit Analysis
10.1 Natural Disaster Risk Analysis Spreadsheet
10.2 Physical Disaster Risk Analysis Spread Sheet
10.3 Human Caused Physical Threats Risk Analysis Spread Sheet
10.4 Environmental Threats Risk Analysis Spread Sheet
10.5 Technical Threats Risk Analysis Spread Sheet
11. Vulnerability Maps
12. Timetable for Implementation of Recommended Controls
13. References

Organisation Description

This is an analysis of the network of Plastpack Plastic Industry, located in West Sydney, NSW, Australia. The plant is the local head-office of a multi-national conglomerate headquartered in Singapore and has around two hundred and fifty employees. Its site is divided into two main buildings, the administration and manufacturing sites. The plant is the company's head-office within the country and manages seven external sites located in different states.

This risk analysis and security plan is for the head-office only, as it would be very time-demanding to analyse all locations.

The manufacturing site is divided into five different areas: R & D Lab, Warehouse, Stock Control & Invoicing, Plant Management and Factory. The office building holds all other departmental areas: Finance & Accounting, Procurement, HR & Support Services, Sales & Marketing, Information Services and Executive Management.

A security booth located at the entrance gate controls all personnel and vehicles access to the plant.

All employees use a system called "Factory-wise" (fictional name) to manage operational processes such as:

Ordering office equipment and stationery

Purchasing raw materials

Requesting maintenance

Managing financial information

Keeping employee records

Customer and sales records

Invoice recording

Delivery management

Production planning

Product data sheets

Commercial software applications are used for emailing and internet access, as well as office support applications. The company website and intranet are maintained by the Information Services team.

Fibre optic cabling connects the two main buildings and all computers within the building on the site are connected to the local area network. A wide area network connects the head-office and the external sites.

Multiple access levels are granted to users to control the information and applications that can be accessed within the network. The company manufactures high security products and, therefore, its database containing proprietary and confidential information must be secured and available at all times.

Organizational Chart

The organizational chart (figure not reproduced) shows the following positions: Managing Director, Executive Assistant, Sales and Marketing Director, Operations Director, Finance Director, Sales Manager, Marketing Manager, Purchasing Manager, Administration Manager, Accounting Manager, Maintenance Manager, Information Systems Manager, Controller, Warehouse Manager, Plant Manager, and Regional Offices 1, 2 and 3.

Security Policy

An organization should create a written security policy to enumerate the security threats it is trying to guard against, and the specific measures the organization must take. Security threats can be addressed with different types of measures:

Procedural, such as requiring data center employees to display security badges

Physical, such as securing computers in restricted-access facilities

Technical, such as implementing strong authentication requirements for critical business systems

Personnel-related, such as performing background checks or "vetting" key personnel

Consider whether the appropriate response to a threat is procedural, physical, technical, personnel-related, or a combination of these measures.

Security Goal

1. Limit information system access to authorised users, processes acting on behalf of authorised users, or devices, and to the types of transactions and functions that authorised users are permitted to exercise.

2. Ensure that personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

3. Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful, unauthorised, or inappropriate information system activity.

4. Periodically assess the security controls in organisational information systems to determine whether the controls are effective in their application.

5. Establish and maintain baseline configurations and inventories of organisational information systems throughout the respective system development life cycles.

6. Identify information system users, processes acting on behalf of users, or devices, and authenticate the identities of those users, processes, or devices as a prerequisite to allowing access to organisational information.

7. Establish an operational incident handling capability for organisational information systems that includes adequate preparation, detection, analysis, containment, recovery and user response activities; track, document, and report incidents to the appropriate organisational authorities.

8. Perform periodic and timely maintenance on organisational information systems, and provide effective controls on the tools, techniques, mechanisms and personnel used to conduct information system maintenance.

9. Protect information system media, both paper and digital.

10. Limit physical access to information systems, equipment and the respective operating environments.

11. Ensure that individuals occupying positions of responsibility within the organisation are trustworthy and meet established security criteria for those positions.

12. Monitor, control and protect organisational communications at the external boundaries and key internal boundaries of the information system.

13. Identify, report and correct information and information system flaws in a timely manner.

Responsibilities for Goals

The table below shows which person is responsible for achieving each of the numbered goals above:

Position | Incumbent | Goals
Managing Director | Scott Clark | 1, 2
Controller | Jason Green | 1, 5, 9, 10, 12, 13
Information Systems Manager | Robert Stain | 1, 3, 4, 7, 8, 11, 12
Systems Administrator | Adam Smith | 2, 3, 4, 6, 7, 10, 12
Network Administrator | Jessica Santos | 3, 4, 5, 6, 12

To attain an acceptable level of security, some combination of these controls should be chosen. The selection should be appropriate to the organisation's overall risk profile, resources and capabilities. The chosen controls should then be implemented across all the organisation's IT systems, with adjustments in scope to address the particular requirements of specific systems.

Class | Control Family
Management | Risk Assessment
Management | Planning
Management | System and Service Acquisition
Management | Certification and Security Assessment
Operational | Personnel Security
Operational | Physical and Environmental Protection
Operational | Contingency Planning
Operational | Configuration Management
Operational | Maintenance
Operational | System and Information Integrity
Operational | Media Protection
Operational | Incident Response
Operational | Awareness and Training
Technical | Identification and Authentication
Technical | Access Control
Technical | Audit and Accountability
Technical | System and Communication Protection

Commitment to Security

The table below indicates the training procedure for staff to create awareness about security, comparing the three levels of awareness, training and education.

 | Awareness | Training | Education
Attribute | "What" | "How" | "Why"
Level | Information | Knowledge | Insight
Objective | Recognition | Skill | Understanding
Teaching Method | Media: video, newsletters, posters, etc. | Practical instruction: lecture, case study workshop, hands-on practice | Theoretical instruction: discussion seminar, background reading
Test Measure | True/False, multiple choice (identify learning) | Problem solving (apply learning) | Essay (interpret learning)
Impact Timeframe | Short term | Intermediate | Long term

The findings of this study create awareness among organisations on the importance of their commitment on security controls to ensure the integrity of financial statements and to produce quality information for decision-making.

The following points describe our organisation's security commitments:

24/7 network connection

Firewall protection on each network

Intrusion detection/prevention system installed

Periodic network security testing

Password authentication and periodic password changes

Backups of critical data and application software

Anti-virus software installed

Disaster recovery plans

Current Security Status

Plastpack is the local operation of a global plastic manufacturing company. It has a large IT infrastructure used by numerous business areas. Its network includes a variety of servers executing a range of application software typical of organisations of its size. It also uses applications that are far less common, some of which are directly related to the health and safety of those working in the critical manufacturing department. Many of these systems used to be isolated, with no network connections among them. In recent years they have been connected together and to the company's intranet to provide better management capabilities. However, this means they are now potentially accessible from the Internet, which has greatly increased the risk to these systems.

Natural Disasters

Natural disasters are the source of a wide range of environmental threats to data centres, other information processing facilities, and their personnel. It is possible to assess the risk of the various types of natural disaster and take suitable precautions so that catastrophic loss is prevented.

The graph referred to here (not reproduced) plots the amount spent on disaster recovery over a number of years, showing both covered and uncovered loss for the next five years.

Earthquake

A major earthquake has the potential for the greatest damage and occurs without warning. A facility near the epicentre may suffer catastrophic, even complete, destruction, with significant and long-lasting damage to data centres and other IS facilities. Examples of damage inside a building include the toppling of unbraced computer hardware and site infrastructure equipment, including the collapse of raised floors.

Flood

As the plant is located in a tropical country, floods are a small but recognised risk. During its 20 years of operation in this location, the company has suffered a loss only once, in 1997. However, this is a risk that is always taken into consideration. All backup media is kept in waterproof storage and daily backup copies are sent to one of the regional offices for safekeeping.

Fire

Fire is always a risk that must be considered. Being a plastic manufacturing plant, there is a high fire risk due to the volatile nature of some of the raw materials used in the manufacturing process. Also, because of the tropical storms, lightning rod systems were installed in every building to prevent both surges and fire caused by lightning.

An emergency plan has been developed to deal with such situations and periodic evacuation drills are conducted to educate the employees on this procedure.

Physical Disaster

Power Supply

The area is very prone to both power failure and surges, with surges happening almost daily, sometimes more than once, and failures at least twice a month, lasting up to an hour.

Power failures of up to five hours have happened in the past, but they are rare, and the power company is striving to keep them to a minimum, as they affect not only this plant but the other seven around it. A power generator is installed and monthly tests are performed to ensure its maintenance is done appropriately, minimising the risk of generator failure. Incremental backups throughout the day also provide added security to ensure data integrity. Differential backups are performed twice per week and sent off to one of the regional offices for safekeeping.

Power surges happen quite frequently and the electrical wiring has been modified to cope with that. Computers and other electronic equipment, such as printers, scanners and projectors can only be plugged into this special line. Tags on the power outlets identify the surge protected ones.

Environmental Threats

This category encompasses conditions in the environment that can damage or interrupt the service of information systems and the data they house. Off site, there may be severe region-wide damage to the public infrastructure and, in the case of severe hurricanes, it may take days, weeks, or even years to recover from the event.

Inappropriate Temperature and Humidity

Computers and related equipment are designed to operate within a certain temperature range. Most computer systems should be kept between 10 and 32 degrees Celsius. Outside this range, resources might continue to operate but produce undesirable results. If the ambient temperature around a computer gets too high, the computer cannot adequately cool itself, and internal components can be damaged. If the temperature gets too cold, the system can undergo thermal shock when it is turned on, causing circuit boards or integrated circuits to crack. The table below shows the point at which permanent damage from excessive heat begins.

To deal with this problem, the company purchased environmental-control equipment of appropriate capacity and sensors to warn of thresholds being exceeded.

Component or Medium | Sustained Ambient Temperature at which Damage May Begin
Flexible disks, magnetic tapes, etc. | 38°C (100°F)
Optical media | 49°C (120°F)
Hard disk media | 66°C (150°F)
Computer equipment | 79°C (175°F)
Thermoplastic insulation on wires carrying hazardous voltage | 125°C (257°F)
Paper products | 177°C (350°F)

Water Damage

Water and other stored liquids in proximity to computer equipment pose an obvious threat. The primary danger is an electrical short, which can happen if water bridges a circuit board trace carrying voltage and a trace carrying ground. Moving water, such as in plumbing, and weather-created water from rain, snow and ice also pose threats. A pipe may burst from a fault in the line or from freezing. Sprinkler systems, despite their security function, are a major threat to computer equipment and to paper and electronic storage media. To deal with this problem, a cut-out switch has been implemented at every major power outlet.

Dust

Dust is a prevalent concern that is often overlooked. Even fibres from fabric and paper are abrasive and mildly conductive, although equipment is generally resistant to such contaminants. Larger influxes of dust can result from a number of incidents, such as a controlled explosion of a nearby building or a windstorm carrying debris from a wildfire. A more likely source of influx comes from dust surges that originate within the building due to construction or maintenance work.

Equipment with moving parts, such as rotating storage media and computer fans, is the most vulnerable to damage from dust. Dust can also block ventilation and reduce radiant cooling. To deal with this problem, premises should be cleaned properly on a regular basis and equipment should be covered.

Human -Caused Physical Threats

It should not be easy to walk into the facility without a key or badge, or without being required to show identity or authorisation. Controlling physical access is the first line of defence, protecting data and staff against the simplest of inadvertent or malicious intrusions and interferences.

Each organisation must evaluate its own risks and budget. Elaborate measures may well not be needed, depending on many factors: company size, risk of loss, internal access controls, quantity and frequency of outside visitors, and so on. Preparing for accountability and recovery are additional considerations, possibly prompting alarms or video surveillance of entryways. The visibility of these preparations can also act as a deterrent. We therefore made a very rough estimate of how much it would cost to implement them, placing more emphasis on the ongoing annual costs.

Unauthorized Access and Theft

The plant, warehouse and laboratories are restricted areas and can only be visited under supervision. In the administration building the Information Systems department has a key card lock that can only be opened by the employees of that department. Not even the Managing Director has access to that door; in case of emergency a password opens it. This is a split password, in which half the code is known by the Managing Director and the other half by the Controller. Headquarters is responsible for issuing a new password every ninety days.

Vehicle access to the plant premises is restricted to delivery trucks, both company-owned and third party, which are inspected on their way in and out. Top level management may park their company cars within the perimeter, but all other personnel have to use the employees' car park located outside the main gate.

Physical threats are combined into one topic, as the controls implemented apply to both of them. Surveillance is performed 24/7 on site by a rotating crew of three guards per shift. While two guards stay at the gate booth, dealing with formal access to the plant, the third guard patrols the fence perimeter. The patrol guard is also on the lookout for bush fires or any other emergency that might require activation of the Emergency Plan.

Surveillance cameras are installed in strategic locations throughout the plant, warehouse, administration offices and entrance. Surveillance videos are kept for two weeks and then recycled.

Employees need to swipe their key card to enter the premises, and a surveillance camera located overhead records anyone trying to avoid using their key card. Employees who show up for work without their key card are issued a daily pass; if a card is reported lost or stolen, its privileges are suspended and a form is filled in. For a period of six months after the loss of the card, if anyone tries to use it to gain access to the building an alarm will sound and the security guard will retain the card and hold the person for questioning. In that case the Operations Director is responsible for informing the authorities.

Denial of service attack

This is a very serious issue in every organisation, independent of size, and in this case the top priority due to the nature of the formulations used in the manufacturing process. The controls implemented are anti-virus software on all workstations, encryption of communications and a firewall on the internet server.

This vulnerability was identified as the most threatening because it would be the one to cause the most financial damage, for example if one of the company's exclusive formulations or other important strategic information were to find its way to a competitor. However, there is a strong group policy in place and most of the decisions regarding that protection are made at a corporate level, with part of the costs absorbed by headquarters.

There are also specific instructions regarding printed information and media destruction. General documents are shredded and media is to be returned to the Information Systems department for appropriate erasure. Laptops used by top level managers have fingerprint identification devices and are monitored on a regular basis.

To deal with this problem, we propose a VPN to provide a more secure connection. VPNs follow a client and server approach: VPN clients authenticate users, encrypt data, and manage sessions with VPN servers using a technique called tunnelling.

Viruses

All workstations have anti-virus software installed and updated automatically. Most of the workstations do not have CD or disk drives and/or have had their USB ports disabled. Internet downloads are also not allowed. Internet access and email accounts are monitored not only to ensure a virus-free environment, but also that confidentiality and internet access agreements are not being breached.

Technical Threats

Electromagnetic Interference

Noise along a power supply line is only one source of electromagnetic interference (EMI). Motors, fans, heavy equipment and even other computers generate electrical noise that can cause intermittent problems with the computer you are using. To deal with electromagnetic interference, a combination of filters and shielding should be used at the site.

Recommendations

Because their current security plan is very effective, our recommendation would be that they follow up thoroughly on their reviews, in order to identify new threats as early as possible, as well as keep track of new technologies that would facilitate or improve the efficiency of counteracting old and new threats.

However, all these kinds of security measures are cheaper when implemented on a larger scale, so the same amount of investment in security buys better protection. This includes all kinds of defensive measures such as filtering, patch management, hardening of virtual machine instances and hypervisors, etc.

More emphasis should be given to social engineering training by talking to employees during the course of their employment, not only at induction training, and by keeping a channel open to everyone wanting to report any suspicious activity they may have witnessed.

Lastly, methods for choosing passwords should be developed, and employees should follow methods that make passwords harder to guess by association.

Install Only What Is Required:

Do a custom installation. Avoid installing options and products you don't need. Choose to install only those additional products and options, in addition to the database server, that you do clearly need.

Lock And Expire Default User Accounts:

The database installs with many default (preset) database server user accounts. Upon the successful creation of a database server instance, the Database Configuration Assistant automatically locks and expires most default database user accounts.

Change Default User Passwords:

Security is most easily broken when a default database server user account still has a default password even after installation.

Enable Data Dictionary Protection:

Implement data dictionary protection to prevent users who hold an ANY system privilege from using it on the data dictionary.

Practice The Principle Of Least Privilege:

Grant necessary privileges only

Revoke unnecessary privileges and roles from the database server user group public

Restrict permissions on run-time facilities

IT security management control and implementation

The control implementation process (figure not reproduced) follows seven steps, each with its inputs and its output:

Step 1: Prioritize Actions
Input: risk levels from the risk assessment report
Output: actions ranked from High to Low

Step 2: Evaluate Recommended Control Options
Input: risk assessment report; feasibility; effectiveness
Output: list of possible controls

Step 3: Conduct Cost Benefit Analysis
Input: impact of implementing; impact of not implementing; associated costs
Output: cost benefit analysis

Step 4: Select Controls
Output: selected controls

Step 5: Assign Responsibility
Output: list of responsible persons

Step 6: Develop Safeguard Implementation Plan
Output: safeguard implementation plan, containing risks and associated risk levels; prioritized actions; recommended controls; selected planned controls; responsible persons; start date; target completion date; maintenance requirements

Step 7: Implement Selected Controls
Output: residual risks

When you think carefully about security risks, the solutions you adopt will apply well to the actual situation you're addressing; not all security problems have a technical fix. For example, employees must occasionally leave their desks unattended. Depending on the sensitivity of their work and on your required level of security, your security procedures could require them to do any of the following:

Have another person cover for them while they're away

Clear the desk surface, locking all sensitive materials away, before leaving

Lock their doors, if they have private offices

Explicitly lock their computer screens before leaving the desk

No technical solution can fix a physically insecure work environment or a corrupt or disaffected employee. It is true, though, that procedural and technical protection might be able to limit the damage that a physical breach or a disgruntled employee (or ex-employee) can inflict.

Network and systems diagram and description of current and/or new system

WAN Topology

Wide Area Network

The WAN network diagram provided by the company shows the connection between the local head-office in Singapore and its regional offices in Sydney and Brisbane. The network is connected through leased lines to provide optimal security. The speed varies according to the number of users and traffic required.

LAN Topology

Local Area Network - Head-office

The workstations in the plant and administration buildings are connected to a local area network, with access to shared resources such as printers and scanners. Files are stored on a database server where access rights apply by department. Application servers allow for sharing of software resources, including the operations system, which is used at various levels by all departments.

Responsibility for Implementation of Recommended Controls

Responsibilities at the time they were implemented were assigned as follows:

Control | Task Description | Task Responsibility | Supervision
UPS and Generator | Quote, purchase, install and maintain | Chief of Maintenance | Operations Director, IT Manager
Building Insurance | Renew | Controller | Financial Director
Incremental/Differential backups | Develop and implement schedule | Systems Administrator | IT Manager
Offsite backup | Decide which regional office will hold the backups and implement routines | Network Administrator | IT Manager
Waterproof storage | Quote, purchase and install | Network Administrator | IT Manager
Anti-virus software | Comply with group decisions, implement | IT Manager, Systems Administrator | Headquarters
Audits | Perform periodic audits | IT Manager, Operations Director, Sales Director, Controller | Headquarters, Managing Director, Financial Director
Education | Induction training, periodical recaps | IT Manager, Human Resources Manager | Controller
Firewall | Quote, purchase, install and maintain | Network Administrator | IT Manager, Headquarters
Policies and Procedures | Translate and implement | IT Manager, Controller | Managing Director
Key cards | Issue on demand | Human Resources | Controller
Physical locks | Purchase and install | Maintenance Manager | IT Manager
Security guards | Hire, train and supervise | Operations Director | Managing Director
CCTV | Quote, purchase, supervise installation and maintenance | Controller, IT Manager | Operations Manager

Schedule for Review of Security and Control Items

Audit trails can be used in multiple ways. The type of analysis depends, at least in part, on when the analysis is to be done. The possibilities include the following:

Item for Review | Responsibility | Frequency
Building Insurance | Controller | Yearly
Audits | Operations Director | Yearly
Education programs | IT Manager / HR Manager | Twice per year
Policies and Procedures | Controller | Yearly
Security team training | Operations Manager | Yearly
Anti-virus software | Headquarters | At licence expiration

Distinct from the analysis of audit trail data using data reduction and analysis tools is the concept of audit review. The Common Criteria specification calls for a capability that allows pre-storage or post-storage audit selection, and includes the ability to selectively review the following:

The actions of one or more users

The actions performed on a specific object or system resource

All or a specified set of audited exceptions

Actions associated with a specific system or security attribute

Formulas

No. | Formula
1. | Annual loss expectancy (with no control in place) = Asset value × Level of exposure × Likelihood of exposure
2. | Annual expected saving = Loss expectancy × Control effectiveness − Control cost
3. | Annual loss expectancy (with control in place) = Loss expectancy − Expected saving

Cost-Benefit Analysis

Natural Disaster Risk Analysis Spreadsheet

Risk Analysis - Vulnerability: Natural Disaster

Vulnerability Type | Asset Value or Loss Estimation | Likelihood of Exposure | Level of Exposure | Annual Loss Expectancy
Fire | $150,000.00 | 0.4 | 95% | $57,000.00
Flood | $150,000.00 | 0.3 | 75% | $33,750.00
Earthquake | $45,000.00 | 0.4 | 75% | $13,500.00
Total Annual Loss Expectancy | | | | $104,250.00

Control Cost | Controls - Yearly Recurring Costs
Back-Up Server: $20,000.00 | Insurance Premium: $4,500.00
Total: $20,000.00 | Total: $4,500.00

Combined Control Effectiveness: 12%

Year | Uncovered Loss | Savings | Covered Loss
Year 1 | $104,250.00 | -$11,990.00 | $116,240.00
Year 2 | $208,500.00 | -$3,980.00 | $212,480.00
Year 3 | $312,750.00 | $4,030.00 | $308,720.00
Year 4 | $417,000.00 | $12,040.00 | $404,960.00
Year 5 | $521,250.00 | $20,050.00 | $501,200.00

Total Uncovered Loss Expectancy: $521,250.00
Total Covered Loss Expectancy: $501,200.00
Total Savings: $20,050.00
Total Control Cost: $42,500.00

Physical Disaster Risk Analysis Spreadsheet

Risk Analysis - Vulnerability: Physical Disaster

Vulnerability Type | Asset Value or Loss Estimation | Likelihood of Exposure | Level of Exposure | Annual Loss Expectancy
Power Loss | $45,000.00 | 0.3 | 80% | $10,800.00
Power Surge | $90,000.00 | 0.5 | 50% | $15,000.00
Total annual loss expectancy | | | | $25,800.00

Check: the Power Surge row does not follow formula 1 ($90,000 x 0.5 x 50% = $22,500, not $15,000). The $15,000 figure is what the total and the five-year projection below are built on, so either the row's inputs or its result is wrong; if the inputs are right, every figure below understates the exposure by $7,500 per year.

Control Cost (one-time) | | Controls - Yearly Recurring Costs |
Surge Protection | $8,000.00 | (none) |
Total | $8,000.00 | Total | $0.00

Combined Control Effectiveness: 12%

Five-year projection (cumulative figures, as in the Natural Disaster sheet):

| Year 1 | Year 2 | Year 3 | Year 4 | Year 5
Uncovered Loss | $25,800.00 | $51,600.00 | $77,400.00 | $103,200.00 | $129,000.00
Savings | -$4,904.00 | -$1,808.00 | $1,288.00 | $4,384.00 | $7,480.00
Covered Loss | $30,704.00 | $53,408.00 | $76,112.00 | $98,816.00 | $121,520.00

Total Uncovered Loss Expectancy (5 years): $129,000.00
Total Covered Loss Expectancy (5 years): $121,520.00
Total Savings (5 years): $7,480.00
Total Control Cost (5 years): $8,000.00

Human Caused Physical Threats Risk Analysis Spreadsheet

Risk Analysis - Vulnerability: Human Caused Physical Threats

Vulnerability Type | Asset Value or Loss Estimation | Likelihood of Exposure | Level of Exposure | Annual Loss Expectancy
Malicious code | $100,000.00 | 0.5 | 70% | $35,000.00
Denial-of-service attack | $75,000.00 | 0.7 | 60% | $31,500.00
Unauthorized physical access | $40,000.00 | 0.8 | 50% | $16,000.00
Total annual loss expectancy | | | | $82,500.00

Control Cost (one-time) | | Controls - Yearly Recurring Costs |
Packet-Filtering Firewall | $20,000.00 | Anti-Virus Software | $12,000.00
Total | $20,000.00 | Total | $12,000.00

Combined Control Effectiveness: 20%

Five-year projection (cumulative figures, as in the Natural Disaster sheet):

| Year 1 | Year 2 | Year 3 | Year 4 | Year 5
Uncovered Loss | $82,500.00 | $165,000.00 | $247,500.00 | $330,000.00 | $412,500.00
Savings | -$15,500.00 | -$11,000.00 | -$6,500.00 | -$2,000.00 | $2,500.00
Covered Loss | $98,000.00 | $176,000.00 | $254,000.00 | $332,000.00 | $410,000.00

Total Uncovered Loss Expectancy (5 years): $412,500.00
Total Covered Loss Expectancy (5 years): $410,000.00
Total Savings (5 years): $2,500.00
Total Control Cost (5 years, $20,000 one-time plus 5 x $12,000): $80,000.00

Environmental Threats Risk Analysis Spreadsheet

Risk Analysis - Vulnerability: Environmental Threats

Vulnerability Type | Asset Value or Loss Estimation | Likelihood of Exposure | Level of Exposure | Annual Loss Expectancy
Inappropriate Temperature and Humidity | $70,000.00 | 0.7 | 70% | $34,300.00
Water Damage | $90,000.00 | 0.5 | 50% | $22,500.00
Dust Damage | $50,000.00 | 0.6 | 60% | $18,000.00
Total annual loss expectancy | | | | $74,800.00

Control Cost (one-time) | | Controls - Yearly Recurring Costs |
Back up | $7,000.00 | Air Condition, Maintenance | $10,000.00
Total | $7,000.00 | Total | $10,000.00

Combined Control Effectiveness: 15%

Five-year projection (cumulative figures, as in the Natural Disaster sheet):

| Year 1 | Year 2 | Year 3 | Year 4 | Year 5
Uncovered Loss | $74,800.00 | $149,600.00 | $224,400.00 | $299,200.00 | $374,000.00
Savings | -$5,780.00 | -$4,560.00 | -$3,340.00 | -$2,120.00 | -$900.00
Covered Loss | $80,580.00 | $154,160.00 | $227,740.00 | $301,320.00 | $374,900.00

Total Uncovered Loss Expectancy (5 years): $374,000.00
Total Covered Loss Expectancy (5 years): $374,900.00
Total Savings (5 years): -$900.00
Total Control Cost (5 years, $7,000 one-time plus 5 x $10,000): $57,000.00

Note: savings stay negative for all five years, so at 15% combined effectiveness this control set costs $900 more than it avoids; by the report's own formulas it would need a combined effectiveness of at least $57,000 / $374,000, just over 15.2%, to break even within five years.

Technical Threats Risk Analysis Spreadsheet

Risk Analysis - Vulnerability: Technical Threats

Vulnerability Type | Asset Value or Loss Estimation | Likelihood of Exposure | Level of Exposure | Annual Loss Expectancy
Electro Magnetic Interference | $75,000.00 | 0.6 | 80% | $36,000.00
Total annual loss expectancy | | | | $36,000.00

Control Cost (one-time) | | Controls - Yearly Recurring Costs |
Surge Protection | $10,000.00 | (none) |
Total | $10,000.00 | Total | $0.00

Combined Control Effectiveness: 12%

Five-year projection (cumulative figures, as in the Natural Disaster sheet):

| Year 1 | Year 2 | Year 3 | Year 4 | Year 5
Uncovered Loss | $36,000.00 | $72,000.00 | $108,000.00 | $144,000.00 | $180,000.00
Savings | -$5,680.00 | -$1,360.00 | $2,960.00 | $7,280.00 | $11,600.00
Covered Loss | $41,680.00 | $73,360.00 | $105,040.00 | $136,720.00 | $168,400.00

Total Uncovered Loss Expectancy (5 years): $180,000.00
Total Covered Loss Expectancy (5 years): $168,400.00
Total Savings (5 years): $11,600.00
Total Control Cost (5 years): $10,000.00

Vulnerability Maps

Vulnerability Name: Natural Disasters
Threats: Fire; Floods; Earthquake
Controls: UPS; Generator; Building Insurance; Incremental/Differential backups; Offsite backup; Waterproof storage; Fire Detectors
Assets: Data; Hardware

Vulnerability Name: Human Caused Physical Threats
Threats: Malicious Code; Denial of service attack; Unauthorised Physical Access
Controls: Authentication; Anti-virus software; Audits; Virtual Private Network; Education, user awareness; Encryption; Firewall; Policies and Procedures; Document and media destruction
Assets: Data; People; Software

Vulnerability Name: Technical Threats
Threats: Electro Magnetic Interference
Controls: Filters; Shielding
Assets: Hardware; Software; Data

Vulnerability Name: Physical Disaster
Threats: Power Supply; Power Surge
Controls: UPS; Surge protections; Filters; CCTV Cameras; Key cards
Assets: Hardware; Software; Data

Vulnerability Name: Environmental Threats
Threats: Inappropriate Temperature and Humidity; Water Damage; Dust Damage
Controls: Environmental control equipment; Combinations of alarm systems; Air conditioning; Equipment power-off switch; Good housekeeping
Assets: Hardware; Software; Data

The key conclusion of this report is that economies of scale and flexibility are both a friend and a foe from a security point of view. Concentrating resources and data in one place presents a more attractive target to attackers, but organisation-wide defences can be more robust, scalable and cost-effective than piecemeal ones. This report allows an informed assessment of the security risks and benefits of Plastpack's computing environment, providing security guidance for its existing and future users.

Timetable for Implementation of Recommended Controls


