| Relationship | Profile | Motive | Opportunity | Methods | Frequency [H-M-L] | Impacts [H-M-L] | Effective Safeguards | Proven Practices | Mandated Controls |
|---|---|---|---|---|---|---|---|---|---|
| Insiders (In-laws?) | Clueless User | None | Access & Authorization | Errors & Omissions | High | Low-Med | | | |
| | Contractor | Varies | Weak Controls | Exploits Lax Controls | Unknown | Med-High | | | |
| | Disgruntled Stakeholder | Get Even | Insider Insights | Exploits Lax Controls | Low-Med | High | | | |
| | Gamers (MUDD) | Have Fun | After Hours Diversions | Compromises Controls | Low | Med-High | | | |
| Outsiders (Outlaws?) | Script Kiddie | Intellectual Curiosity | Spare Time, Lax Parents | Freeware | High | Low-Med | | | |
| | Hacktivist | Political Causes | See Below | Various | Unknown | Med-High | | | |
| | Coder / Pro (Core Wars) | Peer Recognition | Lax Software Quality | Discovers Loopholes | Low | High (Day Zero) | | | |
| | Comp Intel & Economic Espionage | Economic Gain | | | Medium | High | | | |
| | State-Sponsored Netspionage | Economic & Political Gains | | | Unknown (See Survey) | High | | | |

© 2001 by ACCTTS, LLC. All Rights Reserved Worldwide.

IE Only Ref: http://my.octopus.com/view.oce?v=6B3937A27CD749E39C510BCF93ED8934 [ACCTTS-SIRT Selection Support PKM]
MISD 692 Text: http://www.metases.com/aNd.htm#ecom & http://www.metases.com/gloss.htm [Glossary of Terms]

 

 

Operational Risk Factors:

| Type of Digital Disruption | Outage Impacts? [H-M-L] | Outage Scope? | Time-Critical Window? | Outage Duration? | Protection Policy Pre-Reqs | Defined SIRT Roles | Key Resp. & Resources | Desired Results | Metrics? |
|---|---|---|---|---|---|---|---|---|---|
| Anti-Social Engineering | | | | | | | | | |
| Deletion (Accidental) | | | | | | | | | |
| Denial of Service | | | | | | | | | |
| Destruction (Intentional) | | | | | | | | | |
| Errors & Omissions | | | | | | | | | |
| Unauthorized Access | | | | | | | | | |
| Unauthorized Disclosure | | | | | | | | | |
| Unauthorized Duplication | | | | | | | | | |
| Unauthorized Modification | | | | | | | | | |
| Network Abuse or Misuse | | | | | | | | | |


Gartner Group: Information Systems Security Dimensions

Requirement / Definition (via DISA: ISO/IEC 7498-2) / Safeguard Technique
Non-Interference

Ensure that control is exercised over the entry and use
of an enterprise’s electronic assets.

  • User ID / Password
  • Firewall
  • Password nondisclosure
  • UCC4A unauthorized-use banner

Authentication

Ensure that users and/or applications are uniquely identified
in order to gain access to information assets.

  • User ID / Password
  • Token
  • Biometric device
  • PKI protocols
  • Location

Authorization

Ensure that a correctly authenticated user can access only
those resources to which the owner has given them approval.

  • Access control list
  • Attribute certificates

Confidentiality

Ensure that only those people who have a need
to see information are able to see it.

  • Encryption

Integrity

Ensure that it can be identified if a transaction has changed
between the sender and the receiver. [Correct, Complete & Timely]

  • Message Authentication Code (MAC) / hash

 


Privacy

Ensure that information provided by employees, customers and others is protected such that it is used solely for the purposes stated by the enterprise and authorised by the person, and that the enterprise is
in compliance with all local privacy regulations.

  • Policies and procedures
  • Encryption
  • Policy management tools

 

Nonrepudiation

Ensure that both the sender and receiver of information can unequivocally prove that the exchange occurred
between the two parties.
(Repudiation: Rejecting a transaction’s validity in a court of law.)

  • Digital Signature
  • Timestamp
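The Integrity and Nonrepudiation rows above name a MAC/hash and a digital signature with a timestamp as their safeguards. The following Python example, added here and not part of the Gartner table or the ACCTTS matrix, shows the integrity side concretely: a transaction is tagged with HMAC-SHA256 over its canonical JSON plus a timestamp, the receiver recomputes the tag to detect any change between sender and receiver, and a stale timestamp is rejected. It also shows why a MAC alone does not give nonrepudiation: because the receiver holds the same shared key, it can produce a tag that verifies just as well, so the tag cannot prove to a third party who sent the message. The shared key, the transaction fields and the acceptance window are constructed for the example; a digital signature (private key held only by the signer) would be the nonrepudiation safeguard and is not shown here because it needs a non-standard-library dependency.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed sample key: assumed to have been shared between sender and
# receiver out of band. Key distribution is outside the scope of this example.
SHARED_KEY = secrets.token_bytes(32)


def _canonical(body: dict) -> bytes:
    # Sorted keys and compact separators make both sides hash identical bytes;
    # without a canonical form, equivalent JSON could yield different tags.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def mac_transaction(key: bytes, transaction: dict, timestamp: Optional[int] = None) -> dict:
    """Integrity safeguard: bind a timestamp into the message and tag it with HMAC-SHA256."""
    ts = int(time.time()) if timestamp is None else timestamp
    body = dict(transaction, ts=ts)
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_transaction(key: bytes, message: dict, max_age_s: int = 300,
                       now: Optional[int] = None) -> Tuple[bool, str]:
    """Receiver-side check: recompute the tag, compare in constant time, reject stale timestamps."""
    expected = hmac.new(key, _canonical(message["body"]), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected, message["tag"]):
        return False, "tag mismatch: transaction modified in transit or tagged with a different key"
    current = int(time.time()) if now is None else now
    if abs(current - message["body"]["ts"]) > max_age_s:
        return False, "timestamp outside acceptance window: possible replay of an old transaction"
    return True, "ok"


def receiver_can_forge(key: bytes, claimed_transaction: dict, timestamp: int) -> bool:
    """Nonrepudiation caveat: anyone holding the shared key (the receiver included) can
    build a message that passes verify_transaction, so a MAC cannot prove origin to
    a third party. Returns True when the receiver's forgery verifies."""
    forged = mac_transaction(key, claimed_transaction, timestamp=timestamp)
    ok, _ = verify_transaction(key, forged, now=timestamp)
    return ok


if __name__ == "__main__":
    # Constructed transaction for demonstration.
    original = mac_transaction(SHARED_KEY, {"from": "acct-1", "to": "acct-2", "amount": 100})
    print("unmodified:", verify_transaction(SHARED_KEY, original))

    tampered = {"body": dict(original["body"], amount=10000), "tag": original["tag"]}
    print("amount changed:", verify_transaction(SHARED_KEY, tampered))

    late = verify_transaction(SHARED_KEY, original, now=original["body"]["ts"] + 3600)
    print("replayed an hour later:", late)

    print("receiver can forge a valid tag:",
          receiver_can_forge(SHARED_KEY, {"from": "acct-1", "to": "acct-2", "amount": 5}, 1000))
```

The timestamp is inside the tagged body, so it cannot be adjusted without invalidating the tag; the acceptance window bounds how long a captured message stays replayable. To turn the same exchange into nonrepudiation evidence, the tag would have to be replaced by a signature computed with a key only the sender holds, which is what the Digital Signature safeguard in the table provides.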

Availability

Ensure that the enterprise has suitable recoverability and protection from system failures, natural disasters or malicious attacks.

  • Redundancy
  • Load balancing
  • Policies and procedures
  • Exercised Business continuity plan
  • Alternate processing site(s)

Source: http://mdev.temple.edu/gartner/research/ras/98600/98601/98601.html
