Executive Summary
Provide information which would support the rationale for development of this system.
1.0 BACKGROUND
Provide a brief history which may have led to the development of this system.
2.0 PURPOSE
The purpose of the risk assessment is to assess the system's use of resources and controls (implemented and planned) to eliminate and/or manage vulnerabilities that are exploitable by threats to the Department. It will also identify any of the following possible vulnerabilities:
• risks associated with the system operational configuration;
• system's safeguards, threats and vulnerabilities;
• new threats and risks that might exist and, therefore, will need to be addressed after the current system is replaced; and
• to review the system relative to its conformance with DOJ Order 2640.2C, Telecommunications and Automated Information System Security Manual.
The risk assessment is a determination of vulnerabilities that, if exploited, could result in the following:
• Unauthorized disclosure of sensitive information, including information falling within the purview of the Privacy Act of 1974;
• Unauthorized modification of the system or its data;
• Denial of system service or access to data to authorized users.
3.0 SCOPE
The scope of this risk assessment is limited to the system with its present configuration. The scope also includes those physical, environmental, personnel, telecommunications, and administrative security services provided.
Included within the scope are:
• Hardware
• Software
• Firmware
• Data
• Operating procedures
4.0 ASSUMPTIONS
• The system design and operating procedures are required to respond and conform to the information system security requirements prescribed by DOJ Order 2640.2C.
• The system at the (place the number of different sites) should be identically configured according to a common hardware/software design, which is controlled under centralized configuration management procedures.
5.0 DESCRIPTION OF SYSTEM
Provide a description of the system to include hardware, software, firmware and any telecommunications involved in the operations of this system.
5.1 System Attributes
Provide a description of the system security attributes to include hardware, software, firmware and any telecommunications involved in the operations of this system.
5.2 System Sensitivity
The system handles information that is considered sensitive but unclassified (SBU), which must be protected, as required by P.L. 100-235, 8 January 1988, (Computer Security Act of 1987).
6.0 SYSTEMS SECURITY
System security includes technical security, personnel security, physical security, environmental security, administrative security, and information (data) security.
6.1 Administrative Security
Administrative policies and procedures provide employees with information about their responsibilities as users. These are the written guidelines that employees must follow as they use the system in the performance of their duties. Training helps employees learn how to use the system and reminds them of their responsibilities to safeguard the system.
6.2 Physical Security
Physical Security at the facility will not be directly impacted by the systems. Hardware, software and data are contained within the current controlled areas of each facility. The system is in compliance with the current policies and procedures covering physical access to buildings, computer rooms/areas and human resources in the facilities.
6.3 Technical Security - Hardware/Equipment Security
All equipment will be located within a locked, limited access room.
6.4 Software Security
Systemic Computer Security for the system is provided by the software security within the application.
• Controls
- Single User Log-on Control
- Access Control
6.5 Telecommunications Security
Telecommunications Security requirements for the system do not currently apply for the following reasons:
• The system is a standalone PC system that is not connected to any local, wide, or global area network or to any other system.
6.6 Personnel Security
All system analysts have undergone the usual DOJ background investigation. Only persons having duty assignments will be granted access to the computer programs, audit trail files, or any media associated with the system.
7.0 SYSTEM VULNERABILITY ASSESSMENT
Vulnerability assessment is a key component of a risk assessment, intended to identify system vulnerabilities and determine the likelihood of exploitation of those vulnerabilities. Once vulnerabilities are identified, a systematic approach is taken to reduce these risks to an acceptable level. The implementation of countermeasures or modification of the system design must be appraised and planned for as part of the acceptance of identified risks.
7.1 Technical Vulnerability
Provide a brief description of any technical vulnerabilities.
Countermeasure
Provide a brief description of the countermeasure for the vulnerabilities listed above.
7.2 Personnel Vulnerability
Provide a brief description of any personnel vulnerabilities.
Countermeasure
Provide a brief description of the countermeasure for the vulnerabilities listed above.
7.3 Telecommunication Vulnerability
Provide a brief description of any telecommunication vulnerabilities.
Countermeasure
Provide a brief description of the countermeasures for the vulnerabilities listed above.
7.4 Software Vulnerability
Provide a brief description of any software vulnerabilities.
Countermeasure
Provide a brief description of the countermeasures for the vulnerabilities listed above.
7.5 Environmental Vulnerability
Provide a brief description of any environmental vulnerabilities.
Countermeasure
Provide a brief description of the countermeasures for the vulnerabilities listed above.
7.6 Physical Vulnerability
Provide a brief description of any physical vulnerabilities.
Countermeasure
Provide a brief description of the countermeasures for the vulnerabilities listed above.
SECURITY RISK ASSESSMENT OUTLINE
Executive Summary
1.0 BACKGROUND
2.0 PURPOSE
3.0 SCOPE
4.0 ASSUMPTIONS
5.0 DESCRIPTION OF SYSTEM
5.1 System Attributes
5.2 System Sensitivity
6.0 SYSTEM SECURITY
6.1 Administrative Security
6.2 Physical Security
6.3 Technical Security
6.4 Software Security
6.5 Telecommunication Security
6.6 Personnel Security
7.0 SYSTEM VULNERABILITIES
7.1 Technical Vulnerability
7.2 Personnel Vulnerability
7.3 Telecommunication Vulnerability
7.4 Software Vulnerability
7.5 Environmental Vulnerability
7.6 Physical Vulnerability
8.0 GLOSSARY OF TERMS
9.0 ACRONYMS
Appendix A - Information Flow Diagram
Appendix B - Hardware Configuration