Sample – The Risk Management Worksheet Documents the Process
February 2, 2012

The process is documented using the Risk Management Worksheet. Each step provides general instructions that guide completion of the worksheet. Because the worksheet is generic to all systems, add attachments and/or references as necessary; each system gets its own worksheet. Several of the steps point out the advantages of documenting more rigorously than the worksheet itself requires.
Security controls, both technical and non-technical, should be allocated to system components as the design matures. Allocations should be layered economically so that no single control is a single point of failure in the protection. An ideal layering technique integrates technical and non-technical controls so that a potential weakness (vulnerability) in one type of control is offset by the strength of another. Layering only helps when the layers fail independently: two controls that share a dependency (for example, two mechanisms that both trust the same password file) amount to one layer.
It is necessary to maintain a global perspective on security controls throughout the risk management process. The following figure illustrates how different security controls implemented on various system components combine to form an economical and effective security barrier. Note the "system" context: a smaller "system" can be, and often is, part of a larger "system".
Security controls are allocated during design to the architectural components of the system. Some are allocated to the platform (technical controls) and some to the environment (non-technical controls). Controls vary in the services they provide; some services are visible to users while others are not. The following table gives examples of technical and non-technical security controls, where they might be applied within a system's architecture, and the types of services they provide.
| Architecture Component | Security Services Required | Security Controls Allocated |
|---|---|---|
| Physical & Procedural | Identification and Authentication | Picture badges; personal recognition |
| | Access Control | Guarded entry; door keys and cipher locks; surveillance by coworkers and security administrators; hardware locks |
| | Confidentiality | Trash storage and removal; controlling video displays and printing devices (ribbons, copy counting, labeling) |
| | Integrity | Physical inspections of equipment; protection of software masters and small components; configuration management |
| | Availability | Physical inspections of equipment; protection of software masters; contingency plans; backups |
| Processors | Identification and Authentication | User ID and passwords; security tokens; biometrics; security software |
| | Access Control | Security software; user ID and password enforcement; security tokens; separation of duties (to minimize fraud); defined user shells; defined user permissions; Discretionary Access Control (DAC); access control lists; warning banner; audit records |
| | Confidentiality | Security software; discretionary access controls; object reuse; audit records |
| | Integrity | System diagnostics; non-forgeable seals on cases; software checksums/CRCs; audit records |
| | Availability | Processor redundancy; diversity; backups for contingency operations |
| Local Communications | Identification and Authentication | User ID and passwords; security token technology |
| | Access Control | User ID and passwords; firewalls; warning banner; separation of duties |
| | Confidentiality | Discretionary access controls; encryption |
| | Integrity | Configuration management; system self-diagnostics; non-forgeable seals on cases; software checksums |
| | Availability | Redundancy; diversity; backups for contingency operations |
| Communications Networks | Identification and Authentication | User ID and passwords; secured entry points |
| | Access Control | User ID and passwords; audit records; firewalls |
| | Confidentiality | Encryption; secure modem entry |
| | Integrity | Network management |
| | Availability | Redundancy; diversity; backups for contingency operations |
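The layering rule stated earlier (no single control as a single point of failure, technical and non-technical controls offsetting each other) can be checked mechanically once the allocation table is captured as data. The script below is an added example, not part of the original worksheet or of bestitdocuments.com: it encodes a few rows of the table above and reports every component/service pair that rests on one control only, or on controls of a single type. The technical vs. non-technical classification of each control is an assumption made for the example; the worksheet for a real system decides that per control.

```python
"""Allocation check for a Risk Management Worksheet control table.

Added example, not from the original worksheet. A few rows of the
allocation table are encoded as data; find_weak_allocations() returns
the component/service pairs whose protection has a single point of
failure under the layering rule.
"""

TECH = "technical"          # platform control
PROC = "non-technical"      # environmental / procedural control

# (component, service) -> list of (control, control type).
# The type assigned to each control is an assumption for this example.
ALLOCATION = {
    ("Processors", "Identification and Authentication"): [
        ("User ID and passwords", TECH),
        ("Security tokens", TECH),
        ("Biometrics", TECH),
    ],
    ("Processors", "Access Control"): [
        ("Security software", TECH),
        ("Discretionary Access Control (DAC)", TECH),
        ("Separation of duties", PROC),
        ("Warning banner", PROC),
    ],
    ("Processors", "Integrity"): [
        ("System diagnostics", TECH),
        ("Non-forgeable seals on cases", PROC),
        ("Software checksums/CRCs", TECH),
        ("Audit records", TECH),
    ],
    ("Communications Networks", "Integrity"): [
        ("Network management", TECH),
    ],
    ("Communications Networks", "Availability"): [
        ("Redundancy", TECH),
        ("Diversity", TECH),
        ("Backups for contingency operations", PROC),
    ],
}


def find_weak_allocations(allocation):
    """Return [(component, service, reason)] for every weak allocation.

    reason is one of:
      "no control"     - nothing allocated to the service at all
      "single control" - one control only: a single point of failure
      "single type"    - several controls, all of one type, so a weakness
                         common to that type (say, one compromised
                         credential store) defeats every layer at once
    """
    findings = []
    for (component, service), controls in allocation.items():
        kinds = {kind for _, kind in controls}
        if not controls:
            findings.append((component, service, "no control"))
        elif len(controls) == 1:
            findings.append((component, service, "single control"))
        elif len(kinds) == 1:
            findings.append((component, service, "single type"))
    return findings


def report(allocation):
    """Render the findings as worksheet-style text lines."""
    lines = []
    for component, service, reason in find_weak_allocations(allocation):
        names = ", ".join(name for name, _ in allocation[(component, service)])
        lines.append(f"{component} / {service}: {reason} ({names or 'none'})")
    return lines


if __name__ == "__main__":
    for line in report(ALLOCATION):
        print(line)
```

On the rows encoded above the check flags two pairs: processor identification and authentication, where all three controls are technical, and communications network integrity, which depends on network management alone. Whether a flagged pair is acceptable is a risk decision recorded on the worksheet; the script only makes the question visible.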
www.bestitdocuments.com