
APPENDIX C-17

SECURITY RISK ASSESSMENT

Executive Summary

Provide information which would support the rationale for development of this system.

1.0      BACKGROUND

Provide a brief history which may have led to the development of this system.

2.0      PURPOSE

The purpose of the risk assessment is to assess the system's use of resources and controls (implemented and planned) to eliminate and/or manage vulnerabilities that are exploitable by threats to the Department. It will also identify any of the following possible vulnerabilities:

•      risks associated with the system operational configuration;

•      system's safeguards, threats and vulnerabilities;

•      new threats and risks that might exist and, therefore, will need to be addressed after the
       current system is replaced; and

•      to review the system relative to its conformance with DOJ Order 2640.2C,
       Telecommunications and Automated Information System Security Manual.

The risk assessment is a determination of vulnerabilities that, if exploited, could result in the following:

•      Unauthorized disclosure of sensitive information, including information falling within the
       purview of the Privacy Act of 1974;

•      Unauthorized modification of the system or its data;

•      Denial of system service or access to data to authorized users.

3.0      SCOPE

The scope of this risk assessment is limited to the system with its present configuration. The scope also includes those physical, environmental, personnel, telecommunications, and administrative security services provided.

Included within the scope are:

•      Hardware

•      Software

•      Firmware

•      Data

•      Operating procedures

4.0      ASSUMPTIONS

•      The system design and operating procedures are required to respond and conform to the
       information system security requirements prescribed by DOJ Order 2640.2C.

•      The system at the (place the number of different sites) should be identically configured
       according to a common hardware/software design, which is controlled under centralized
       configuration management procedures.

5.0      DESCRIPTION OF SYSTEM

Provide a description of the system to include hardware, software, firmware and any telecommunications involved in the operations of this system.

5.1      System Attributes

Provide a description of the system security attributes to include hardware, software, firmware and any telecommunications involved in the operations of this system.

5.2      System Sensitivity

The system handles information that is considered sensitive but unclassified (SBU), which must be protected, as required by P.L. 100-235, 8 January 1988, (Computer Security Act of 1987).

6.0      SYSTEMS SECURITY

System security includes technical security, personnel security, physical security, environmental security, administrative security, and information (data) security.

6.1      Administrative Security

Administrative policies and procedures provide employees with information about their responsibilities as users. These are the written guidelines that employees must follow as they use the system in the performance of their duties. Training helps employees learn how to use the system and reminds them of their responsibilities to safeguard the system.

6.2      Physical Security

Physical Security at the facility will not be directly impacted by the systems. Hardware, software and data are contained within the current controlled areas of each facility. The system is in compliance with the current policies and procedures covering physical access to buildings, computer rooms/areas and human resources in the facilities.

6.3      Technical Security - Hardware/Equipment Security

All equipment will be located within a locked, limited access room.

6.4      Software Security

Systemic Computer Security for the system is provided by the software security within the application.

        °      Controls
                -            Single User Log-on Control
                -            Access Control

        °      Permissions
                -            Resource Permissions
                -            User and File Permissions
                -            System Permissions

        °      Protection
                -            Data File Protection
                -            System Boot and Format Protection
                -            Object Reuse Protection
                -            Virus Protection

        °      Miscellaneous Features
                -            User changeable passwords
                -            Data encryption
                -            Audit trails

6.5      Telecommunications Security

Telecommunications Security requirements for the system do not currently apply for the following reasons:

•      The system is a standalone PC system that is not connected to any local, wide, or global
       area network or to any other system.

6.6      Personnel Security

All system analysts have undergone the usual DOJ background investigation. Only persons having duty assignments will be granted access to the computer programs, audit trail files, or any media associated with the system.

7.0      SYSTEM VULNERABILITY ASSESSMENT

Vulnerability assessment is a key component of a risk assessment, intended to identify system vulnerabilities and determine the likelihood of exploitation of those vulnerabilities. Once vulnerabilities are identified, a systematic approach is taken to reduce these risks to an acceptable level. The implementation of countermeasures or modification of the system design must be appraised and planned for as part of the acceptance of identified risks.

7.1      Technical Vulnerability

Provide a brief description of any technical vulnerabilities.

Countermeasure

Provide a brief description of the countermeasure for the vulnerabilities listed above.

7.2      Personnel Vulnerability

Provide a brief description of any personnel vulnerabilities.

Countermeasure

Provide a brief description of the countermeasure for the vulnerabilities listed above.

7.3      Telecommunication Vulnerability

Provide a brief description of any telecommunication vulnerabilities.

Countermeasure

Provide a brief description of the countermeasures for the vulnerabilities listed above.

7.4      Software Vulnerability

Provide a brief description of any software vulnerabilities.

Countermeasure

Provide a brief description of the countermeasures for the vulnerabilities listed above.

7.5      Environmental Vulnerability

Provide a brief description of any environmental vulnerabilities.

Countermeasure

Provide a brief description of the countermeasures for the vulnerabilities listed above.

7.6      Physical Vulnerability

Provide a brief description of any physical vulnerabilities.

Countermeasure

Provide a brief description of the countermeasures for the vulnerabilities listed above.

SECURITY RISK ASSESSMENT OUTLINE

Executive Summary

1.0       BACKGROUND

2.0       PURPOSE

3.0       SCOPE

4.0       ASSUMPTIONS

5.0       DESCRIPTION OF SYSTEM
            5.1       System Attributes
            5.2       System Sensitivity

6.0       SYSTEM SECURITY
            6.1       Administrative Security
            6.2       Physical Security
            6.3       Technical Security
            6.4       Software Security
            6.5       Telecommunication Security
            6.6       Personnel Security

7.0       SYSTEM VULNERABILITIES
            7.1       Technical Vulnerability
            7.2       Personnel Vulnerability
            7.3       Telecommunication Vulnerability
            7.4       Software Vulnerability
            7.5       Environmental Vulnerability
            7.6       Physical Vulnerability

8.0       GLOSSARY OF TERMS

9.0       ACRONYMS

Appendix A - Information Flow Diagram
Appendix B - Hardware Configuration
