
Assignment 4

This assignment requires the student to analyze threats, vulnerabilities, and risks to three information assets of a company based on the ISO/IEC TR 13335-3:1998 standard. The student will: 1) Select three information assets of their organization and categorize them based on the ISO. 2) Identify three vulnerabilities for each asset from the ISO appendix and the possible threat resulting from each vulnerability. 3) Identify three threats for each asset from the ISO appendix. 4) Use a risk measurement method from the ISO appendix to create a matrix assessing the impact, probability, and risk measure of each threat, and assign a threat rank. 5) List possible losses for each threat.

Uploaded by

fimey80500
Assignment 4

Theme:
“Working with ISO/IEC TR 13335-3:1998
Information technology — Guidelines for the management of information
technology security — Part 3: Techniques for the management of
information technology security (IDT)”

In this assignment you will work with the ISO standard to identify the threats to the
company's assets and to apply the standard's methods for analyzing and estimating the risks
related to these assets.

Tasks:
1) Download ГОСТ Р ИСО/МЭК ТО 13335-3-2007 «Методы и средства
обеспечения безопасности. Часть 3 «Методы менеджмента безопасности
информационных технологий» (GOST R ISO/IEC TO 13335-3-2007, "Methods and means of
ensuring security. Part 3: Methods for the management of information technology
security") from the Assignment 4 folder in Moodle.

2) Study Appendices C, D and E of the GOST.

3) Choose three different information assets of your organization from the previous
assignments, but additionally categorize them based on the ISO.
For example:
Organization - an Aquapark.
1) Digital asset - customers database.
2) Paper and digital assets - blueprints for pools.
3) Equipment asset - a system (sensors and centralized software) for monitoring
temperature and planned water filtration.

4) From Appendix D of the GOST, select three specific vulnerabilities of the protection
system for each of the three information assets chosen in step 3 (translate the
vulnerabilities from Russian to English). For each vulnerability, add in brackets the
possible threat that results from it, either taken directly from Appendix D or written in
your own words.
For example:
Digital asset:
a) «Software» category. Lack of testing or insufficient testing of software (there may be a
threat of unauthorized users using the software and gaining access to customers' personal data).
b) ….
c) ….
Paper and digital assets:
a) «Documents» category. Storage in unprotected places (possible threat of theft).
b) ….
c) …
Equipment asset:
a) «Personnel» category. Lack of tracking mechanisms (there may be a threat of using the
software in an unauthorized way).
b) ….
c) …
Continue the lists above (three vulnerabilities for each of the three assets).
5) Using Appendix C of the GOST, write three threats that can be realized as long as the
vulnerabilities listed in step 4 remain in the system (again, translate from Russian to
English).
For example:
Digital asset:
a) Using the software in an unauthorized manner («A» - accidental act, «D» - deliberate act).
b) …
c) …
Continue the list. Similarly, write threats for the other two assets (each has three
vulnerabilities from step 4).

6) Read and understand the three methods of measuring risks in Appendix E of the GOST. Apply
method #2 to your threats (those caused by the vulnerabilities from step 4). Create a
matrix based on the method, as shown below.

Table 2 (Appendix E, page 43)

Threat descriptor                                              Impact      Probability of     Risk     Threat
                                                               assessment  threat occurrence  measure  rank
Threat A. Lack of testing or insufficient testing of software  5           2                  10       ?

Impact assessment is rated from 1 (low) to 5 (high).


Probability of threat occurrence is rated from 1 (low) to 5 (high).
Risk measure is evaluated by multiplying Impact assessment by Probability of threat
occurrence.
Threat rank is rated from 1 (high) to infinity, depending on the Risk Measure value.

Tips for setting the Threat rank:

For example, you have 9 threats overall with the following Risk Measures:
Risk Measures: Threat A =10, Threat B =20, Threat C =6, Threat D =16, Threat E =1,
Threat F =15, Threat G =1, Threat H = 5, Threat I =15.
Then you should place these threats in descending order, starting from the maximum:
Risk Measures: Threat B =20, Threat D =16, Threat F =15, Threat I =15, Threat A
=10, Threat C =6, Threat H =5, Threat E =1, Threat G =1.
Assign the numbers, starting from 1, as the Threat Rank of each threat following this
logic:
Threat Rank: Threat B =1 (because it has the maximum risk measure); next Threat D =2;
Threat F and Threat I have the same risk measure value (=15), so the
Threat Rank of Threat F =3 and Threat I =3; next Threat A =4; Threat
C =5, and so on.

No need to write these steps in your report (about Threat Rank evaluations); add the
obtained values for the Threat Rank into your table.
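As an added example (not part of the assignment or of the GOST text), the following Python computes the method #2 risk matrix and applies the tie-handling Threat Rank rule from the tip above to the nine sample threats; only Threat A's impact/probability split (5 × 2) is given in the assignment, so the other pairs are assumed so that the products match the listed risk measures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    impact: int       # impact assessment, 1 (low) to 5 (high)
    probability: int  # probability of threat occurrence, 1 (low) to 5 (high)

    def __post_init__(self):
        # Method #2 only accepts scores on the 1..5 scale; reject anything else.
        for value in (self.impact, self.probability):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: scores must be in 1..5, got {value}")

    @property
    def risk_measure(self) -> int:
        # Risk measure = Impact assessment x Probability of threat occurrence
        return self.impact * self.probability


def assign_ranks(threats):
    """Map threat name -> Threat rank. Rank 1 is the largest risk measure;
    equal risk measures share a rank and the next distinct value takes the
    next integer (B=1, D=2, F=3, I=3, A=4, ... as in the tip above)."""
    ranks, rank, previous = {}, 0, None
    for t in sorted(threats, key=lambda t: t.risk_measure, reverse=True):
        if t.risk_measure != previous:
            rank, previous = rank + 1, t.risk_measure
        ranks[t.name] = rank
    return ranks


def risk_matrix(threats):
    """Rows of Table 2: (descriptor, impact, probability, risk measure, rank)."""
    ranks = assign_ranks(threats)
    return [(t.name, t.impact, t.probability, t.risk_measure, ranks[t.name])
            for t in threats]


# Constructed sample: the nine risk measures from the tip. Only Threat A's
# 5 x 2 split is given; the other impact/probability pairs are assumed.
EXAMPLE_THREATS = [
    Threat("Threat A", 5, 2), Threat("Threat B", 5, 4), Threat("Threat C", 3, 2),
    Threat("Threat D", 4, 4), Threat("Threat E", 1, 1), Threat("Threat F", 5, 3),
    Threat("Threat G", 1, 1), Threat("Threat H", 5, 1), Threat("Threat I", 3, 5),
]

if __name__ == "__main__":
    print(f"{'Threat descriptor':18} {'Impact':>6} {'Prob.':>5} {'Risk':>4} {'Rank':>4}")
    for name, impact, prob, risk, rank in risk_matrix(EXAMPLE_THREATS):
        print(f"{name:18} {impact:>6} {prob:>5} {risk:>4} {rank:>4}")
```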
7) Assess the value of an information asset based on the possible losses for the organization
in the event of a threat.
For the same nine threats, use Appendix B (page 36) to list the possible losses in case of
an attack. You should translate the list of possible losses from the ISO from Russian to
English.

For example:

Threat descriptor                               Possible losses
Threat A - Lack of testing or insufficient      1) A decline in business efficiency
testing of software                             2) Loss of prestige / negative impact on the reputation
                                                3) Breach of confidentiality of personal data
                                                4) Negative impact on law enforcement
                                                5) Financial losses
                                                6) Business disruption
…                                               …
