Professional Documents
Culture Documents
CRAMM
: .
2010
CRAMM
CRAMM,
T NEC Unified Solutions
CRAMM
Abstract
Facing the emerging challenges of the Internet era, managers and information
security professionals in business and government should manage specific risks to
their organizations to ensure efficient operations.
This paper explains the basic components of risk analysis and management processes
and mentions different methodologies and approaches. It then describes and
discusses CRAMM, an automated tool based on a qualitative risk assessment
methodology, by going through the stages of a CRAMM review. Finally, a risk analysis
for a practical implementation scenario in a corporate network is carried out using
the CRAMM tool.
The Information System of the NEC Unified Solutions company is the model on which I
build the whole study.
CRAMM
....................................................................................................................... 1
Abstract .......................................................................................................................... 2
.................................................................................................................. 3
.................................................................................................... 7
.................................................................................................................... 8
............................................................................................................................... 9
1
.............................................................................................................. 10
1.1
1.2
..................................................................... 10
() .. 11
2.1
............................................................................................................ 11
2.2
...................................................................................................... 13
2.3
3
.............................................. 14
..................................................... 15
3.1
............................................................................................................ 15
3.2
3.3
IT-Grundschutz .............................................................................................. 17
3.4
MARION ......................................................................................................... 18
3.4.1
0: .......................................................................... 18
3.4.2
1: ....................... 18
3.4.3
2: .................................................................. 19
3.4.4
3: ......................................................................... 19
3.4.5
...................................................... 19
3.5
CRAMM
3.6
3.7
3.8
COBRA ........................................................................................................... 21
3.8.1
3.9
COBRA...................................................................... 21
CounterMeasures .......................................................................................... 22
3.10
Proteus ....................................................................................................... 22
3.11
3.12
3.13
CRAMM .............................................................................................. 28
4.1
............................................................................................................ 28
4.2
CRAMM .............................................................. 29
4.2.1
1: ....................... 30
4.2.2
2: ..................................................... 32
4.2.3
3: .................................................. 34
....................................................................................................... 38
5.2
............................................................................. 38
5.3
................................................................................................. 40
5.3.1
................................................................................. 40
5.4
...................................................................................................... 44
5.5
...................................................................................................... 44
....................................................................................................... 45
6.2
.................................................. 45
CRAMM
6.3
6.3.1
NEC................................................... 48
6.3.2
........................................................... 53
6.3.3
....................................................................................... 58
6.3.4
.................................................................................................. 63
6.3.5
...................................................... 67
6.3.6
- ............................... 73
6.3.7
........................................................................................... 78
6.4
.................................................................................. 83
6.4.1
6.4.2
Prophix ................................................................................................... 84
6.5
7
.......................................................................... 48
............................................... 85
CRAMM - .......................... 86
7.1
....................................................................................................... 86
7.2
..................................................................... 86
7.2.1
............................................................. 86
7.2.2
.................................................................................................. 88
7.2.3
.......................................................... 89
7.3
- CRAMM . 90
7.6
Identification of Locations........................... 92
7.9
7.10
........................................... 95
7.11
......................... 97
CRAMM
7.12
........................................................................ 99
7.12.1 : .................................................... 99
7.12.2 : ........................................................... 99
7.12.3 : .................................................... 100
7.12.4 : .......................... 100
7.12.5 : ............... 101
7.12.6 : ......................................... 101
7.12.7 : .................................................................. 101
7.12.8 ..... 102
7.13
............................................................................. 104
......................................................................................... 113
7.13.11
7.13.12
....................................................................... 116
............................................................................................. 118
1: ........................................................................................ 14
2: CRAMM ................................................. 29
3: .................................................................................... 40
4: ................................ 85
5: ( ) ................................. 97
6: ( ) ....................................... 98
7: ( ) .................................. 98
8: ( e
Hardware) .................................................................................................................... 98
9: ( e Hardware)
...................................................................................................................................... 98
10: ( software) ........................ 98
11: ( hardware) ............................................... 98
12: : : SRV-DMS ...................... 99
13: : : SRV-DMS ............................. 99
14: : - : SRV-DMS ....................... 100
15: : HWNetwork ...................................................................................................................... 100
16: : ................. 101
17: : : HW-Network, SWSoftware ..................................................................................................................... 101
18: : : HW-File/Web server , HW-Network
.................................................................................................................................... 101
19: ................................................. 103
, 2010
CRAMM
CRAMM,
. ,
CRAMM,
.
.
1
1.1 NEC Unified Solutions
NEC Unified Solutions (NEC) 50
1.2
NEC ,
CRAMM.
2
()
2.1
(risk)
2.2
( 2472/1997, 10, . 3).
(assets), (threats)
(vulnerability).
2.3
. ( 1)
.
(Information System, S)
(Assets)
(IS Security)
(Threat)
-
(Vulnerability)
(Risk)
1:
3
3.1
(software tools).
3.2
EBIOS software,
Central Information Systems Security Division.
3.3 IT-Grundschutz
(ISMS). 1994.
. IT-Grundschutz : ,
,
, ,
, ,
, , ,
, ,
,
(). IT-Grundschutz Gstool
Federal Office for Information Security (BSI).
ISO/IEC 17799 ISO/IEC 27001. (see [6])
3.4 MARION
MARION CLUSIF (Club de la
Sécurité des Systèmes d'Information Français) 1987.
(1998) .
3.4.1 0:
3.4.2 1:
() .
"" 2.
27
1: MARION
3.4.3 2:
(Major Risks) (Simple Risks). ,
. 17 ,
, , ..
3.4.4 3:
3.4.5
MARION :
. (see [9])
3.8 COBRA
COBRA (Consultative, Objective & Bi-functional Risk Analysis)
ISO/IEC 17799. , C & A Security
Systems Ltd.
. Windows PC
What if , ,
3.8.1 COBRA
COBRA, engine, Visual FoxPro,
(knowledge bases).
(questionnaire modules)
:
i.
ii.
iii.
iv.
ISO 17799
E-Structure
IT Security
Operational Risk
v.
ISO 17799
. COBRA
(see [3])
3.9 CounterMeasures
Allion
US-NIST 800 OMB Circular A-130.
, tailor-made
, software
.
(see [6])
3.10 Proteus
Infogov, 1999.
ISO 17799
ISMS ISO 27001 (BS 7799-2). Proteus Enterprise Web-based
.
ISO/IEC 17799 ISO/IEC 27001. (see [6])
(checklist),
. SBA Check
.
3.13.2 SBA Scenario
SBA Scenario SBA
(quantitative) .
:
Main analysis:
.
Ten analysis:
1-10.
Risk window:
.
SBA Scenario :
i.
ii.
iii.
iv.
(Preparation).
(Scenarios).
(Overview).
(Action Plan).
3.13.2.1 ( 1)
SBA.
3.13.2.2 ( 2)
(events).
3.13.2.3 ( 3)
3.13.2.4 ( 4)
3.13.2.5
SBA .
(see [9])
4 CRAMM
4.1
(standard)
CRAMM (CCTA Risk Analysis and Management Methodology). CRAMM
(Central Computer and Telecommunications Agency)
1987
. , CRAMM v.
5.1.
CRAMM :
1987 ,
CRAMM
, CRAMM
4.2 CRAMM
CRAMM ,
2
1.1:
1.
1.2:
1.3:
2.1:
2.
2.2:
2.3:
--
2.4:
3.1:
3.
3.2:
2: CRAMM
4.2.1 1:
.
:
1.1. .
1.2. .
1.3. .
, :
4.2.1.1 1.1:
4.2.1.2 1.2:
(impact) .
(modification), (disclosure)
- (unavailability). , :
- [15 , 1 , 3 , 12 , 1
, 2 , 1 , 2 , 1 , 2
].
[
,
].
[
,
, ].
- [ ,
].
[ ,
(non-repudiation of origin),
(non-repudiation of receipt),
, (replay),
(misrouting), (traffic monitoring),
(out of sequence)].
.
1-10. CRAMM (guidelines)
:
CRAMM
(implied value) .
CRAMM
4.2.1.3 1.3:
4.2.2 2:
:
2.1.
2.2.
2.3.
.
--
2.4.
:
4.2.2.1 2.1:
,
. CRAMM ,
. ,
,
,
. ,
,
.
.
CRAMM
.
. , (..
) (..
),
(.. ,
, ).
4.2.2.2 2.2:
-
. .
1-5 (very low, low, medium, high, very
high) ,
.
1-3 (low, medium, high). -
4.2.2.3 2.3: -
CRAMM -. , ,
,
--.
,
,
. ,
.
,
.
1-7.
4.2.2.4 2.4:
4.2.3 3:
( 2), CRAMM
(security plan).
- ,
.
:
3.1. .
3.2. .
:
4.2.3.1 3.1:
CRAMM .
. 2.500
CRAMM .
CRAMM
CRAMM
2:
4.2.3.2 3.2:
(see [9])
5 NEC Unified
Solutions
5.1
() NEC
, (hardware)
5.2
hardware (), software (),
(users) .
Fileserver, Web Server, switches routers,
(Clients) .
[Figure: NEC Unified Solutions Datacenter network diagram. Elements shown: Internet, Router, Firewall, Switch, File Server, Web Server, Laser Printer, Scanner; workstations: CEO, Sales Manager, Financial Controller, Logistics, Technical Support 1, Technical Support 2, Secretary]
To Hardware :
File Server
backup
Web Server internet
( )
Router Switch
(Clients)
(Printer, Scanner)
5.3
5.3.1
NEC
(live backup)
3:
5.3.1.1 -
5.3.1.2 -
, Bonus
5.3.1.3 -
5.3.1.4 -
, , , fax
5.3.1.5 - -
5.3.1.6 -
File Server (log off)
(& File Server).
5.3.1.7 -
. fax
5.4
server
Operating System:
Prophix:
( )
Business Connect: .
Conference SW:
5.5
. ( CRAMM)
:
Document Management Service (DMS):
.
: , ,
. ( : Other End User Service)
Prophix (service):
Prophix. :
, , . ( : Application to
Application, , )
BCT (service): BCT.
. ( : Application to
Application, Web browsing)
Conference SW: . (
: Voice Video)
6 NEC
Unified Solutions
6.1
CRAMM,
6.2
<1000
1.001 10.000
10.001 30.000
30.001 100.000
100.001 300.000
300.001 1.000.000
>1.000.001 ( )
>1.000.001 ( )
1
2
3
4
5
6
7
8
9
10
1
3
5
6
7
1
2
3
4
5
6
2
3
5
7
(confidential)
(secret)
(top secret)
7
9
10
10.000
100.000
1.000.000
10.000.000
10.000.000
1
2
3
4
5
6
7
8
9
<2.000
<10.000
<50.000
2
<250.000
10
,
10
3
4
5
6
7
3
4
7
8
1
2
3
4
5
6
7
8
9
10
6.3
NEC.
.
1-10.
6.3.1 NEC
5.3.1
.
6.3.1.1
CRAMM
(1 )
1-10
(1 )
1-10
(2 )
1-10
6.3.1.2
backup.
.
CRAMM
1.001
10.000
1-10
2
2
6.3.1.3 ()
CRAMM
()
10.001
30.000
1-10
3
5
6.3.1.4
.
.
CRAMM
1-10
6.3.1.5
CRAMM
1-10
6.3.1.6
CRAMM
1-10
6.3.1.7
CRAMM
1.001
10.000
1-10
2
3
6.3.2
.
6.3.2.1
CRAMM
(1 )
1-10
(1 )
1-10
(2 )
1-10
6.3.2.2
.
backup
CRAMM
1.001
10.000
1-10
2
2
6.3.2.3 ()
CRAMM
()
30.001
100.000
1-10
4
4
6.3.2.4
CRAMM
<10.000
1-10
4
4
6.3.2.5
NEC .
CRAMM
<50.000
2
100.000
1-10
5
3
6.3.2.6
.
CRAMM
- 1.001 10.000
1-10
2
2
6.3.2.7
CRAMM
10.001
30.000
1-10
3
3
6.3.3
6.3.3.1
CRAMM
(1 )
1-10
(1 )
1-10
(2 )
1-10
6.3.3.2
CRAMM
1.001
10.000
1-10
2
2
6.3.3.3 ()
CRAMM
()
-
1.000.000
100.001
300.000
1-10
5
5
6.3.3.4 -
CRAMM
1.001
10.000
1-10
2
2
6.3.3.5
CRAMM
30.001
100.000
1.000.000
1-10
4
4
6.3.3.6 -
CRAMM
- <10.000
1-10
4
4
6.3.3.7
CRAMM
30.001
100.000
- <50.000
2
1-10
4
5
5
6.3.4
6.3.4.1
CRAMM
(1 )
1.001
10.000
1-10
2
2
(1 )
10.001
30.000
1-10
3
3
(2 )
10.001
30.000
1-10
3
3
6.3.4.2
CRAMM
1.001
10.000
1-10
2
2
6.3.4.3 ()
CRAMM
()
10.001
30.000
100.000
1-10
5
3
5
6.3.4.4
CRAMM
1-10
6.3.4.5
NEC ,
CRAMM
100.000
1-10
6.3.4.6
CRAMM
1.001
10.000
1-10
2
3
6.3.4.7
CRAMM
30.001
100.000
100.000
1-10
4
3
4
6.3.5
6.3.5.1
.
projects.
.
CRAMM
(1 )
<1.000
1-10
1
2
(1 )
1.001 10.000
1-10
2
3
(2 )
1.001 10.000
1-10
2
3
6.3.5.2
.
backup
. .
CRAMM
1.001
10.000
1-10
2
2
6.3.5.3 ()
CRAMM
()
100.001
300.000
1-10
5
5
6.3.5.4
projects
.
CRAMM
1-10
2
2
6.3.5.5
projects .
, , .
CRAMM
1.000.000
1-10
6.3.5.6
projects.
.
CRAMM
1-10
6.3.5.7
CRAMM
30.001
100.000
1-10
4
5
6.3.6 -
6.3.6.1
CRAMM
(1 )
1-10
(1 )
1-10
(2 )
30.001
100.000
1-10
4
4
6.3.6.2
.
CRAMM
1.001
10.000
1-10
2
3
6.3.6.3 ()
CRAMM
()
- 300.001
1.000.000
1-10
6
7
6.3.6.4
. , , .
CRAMM
1-10
6.3.6.5
CRAMM
30.001
100.000
1.000.000
1-10
4
4
6.3.6.6
CRAMM
1-10
6.3.6.7
CRAMM
30.001
100.000
1-10
4
5
6.3.7
6.3.7.1
.
CRAMM
(1 )
1-10
(1 )
1-10
(2 )
1-10
6.3.7.2
CRAMM
1.001
10.000
1-10
2
3
6.3.7.3 ()
. (logistics),
CRAMM
()
30.001
100.000
1-10
4
4
6.3.7.4
CRAMM
1-10
6.3.7.5
CRAMM
1-10
6.3.7.6
CRAMM
1.001
10.000
1-10
2
3
6.3.7.7
. .
CRAMM
30.001
100.000
1-10
4
4
6.4
BCT Prophix.
6.4.1 Business Connect
6.4.1.1 BCT
BCT
CRAMM
(1 )
1-10
(1 )
1-10
(2 )
1-10
6.4.2 Prophix
6.4.2.1 Prophix
Prophix
CRAMM
(1 )
1-10
(1 )
1-10
(2 )
1-10
6.5
.
1h
1d
2d
4:
CRAMM
7.1
CRAMM.
7.2
7.2.1
(Data)
Operating System
(Software)
File/Web Server
Computer Room
Prophix (Software)
File/Web Server
Computer Room
Ethernet
File/Web Server
Computer Room
Switches
Computer Room
Router
Computer Room
Printer
Scanner
Prophix (Service)
Raid 1
(_Backup)
Computer Room
5:
7.2.2
.
(Data)
Operating System
(Software)
File/Web Server
Computer Room
BCT (Software)
File/Web Server
Computer Room
Ethernet
File/Web Server
Computer Room
Switches
Computer Room
BCT (Service)
Raid 1
(_Backup)
Computer Room
6:
7.2.3
Operating System
(Software)
(Data)
DMS (Service)
File/Web Server
Computer Room
Ethernet
File/Web Server
Computer Room
Switches
Computer Room
Printer
Raid 1
(_Backup)
Computer Room
7:
7.3 -
CRAMM
,
, CRAMM.
CRAMM
. :
(Financial)
(Personal)
(Commercially Sensitive)
(Safety Related)
(Other Data Types)
(screenshot)
.
8: Screenshot
(Financial) (Personal).
Electronic Mail
Application to Application Messaging
Electronic Document Interchange
Ad-hoc File Transfer
Interactive Session
Web Browsing
Batch Processing
Voice - Video
(Other End User Service)
5, 5.5
screenshot ( )
.
9: Screenshot ( )
(Building)
Computer Room
10: NEC
(Funds Transfer)
(Financial)
(Safety Critical)
(Personal Information)
(General)
- (Bespoke Sensitive)
(Bespoke Non-sensitive)
(Packaged)
Operating System      General     Packaged
Prophix               Financial   Bespoke Sensitive
Business Connect      General     Bespoke Non-sensitive
Conference Software   General     Packaged
Workstations        800    11
Server              2500   1
Network             200    2
Printers/Scanners   250    2
7.10
. CRAMM
(threats) (vulnerabilities).
screenshots
.
11 hardware.
(
, ),
hardware. File/Web
Server . ( Server)
( b).
(Network)
CRAMM (a, b, c).
12 .
, ,
. ,
. b ( ).
13 ().
receptionist. b , .
7.11
CRAMM
Threat and Vulnerability Summary,
(Very High) .
               Full Threat   Full Vuln
!SRV-Prophix   High          Medium
!SRV-BCT       Low           Low
!SRV-DMS       Very High     Medium
5: ( )
               Full Threat   Full Vuln
!SRV-Prophix   High          Medium
!SRV-BCT       Low           Low
!SRV-DMS       Very High     Medium
6: ( )
               Full Threat   Full Vuln
!SRV-Prophix   Low           High
!SRV-BCT       Low           Medium
!SRV-DMS       Very High     Medium
7: ( )
               Full Threat   Full Vuln
!HW-Network    Very High     Medium
8: ( e Hardware)
                      Full Threat   Full Vuln
!HW-File/Web server   Very High     High
!!Workstation         Very High     High
!HW-Network           Very High     High
9: ( e Hardware)
               Full Threat   Full Vuln
!SW-Software   Very High     High
10: ( software)
                      Full Threat   Full Vuln
!HW-File/Web server   Very High     Medium
!HW-Network           Very High     Medium
11: ( hardware)
7.12
CRAMM, ,
(VH).
7.12.1 :
Unavailability
15 M
: SRV-DMS
VH
Dest
Disclosure
Modific
Commun
Impacts
1H
3H
12 H
1D
2D
DM
Nd
VH
VH
VH
VH
VH
VH
VH
VH
VH
VH
VH
12: : : SRV-DMS
7.12.2 :
Unavailability
Dest
Disclosure
Modific
Commun
Impacts
Tm
: SRV-DMS
VH
VH
VH
VH
13: : : SRV-DMS
7.12.3 :
Unavailability
Dest
Disclosure
Commun
Impacts
Modification
SE
WE
DM
In
Nd
Rp
Mr
Os
: SRV-DMS
VH
VH
VH
VH
VH
VH
VH
VH
VH
VH
VH
14: : - : SRV-DMS
7.12.4 :
Unavailability
Dest
Disclosure
Modific
Commun
Impacts
15 M
: HW-Network
VH
1H
3H
12 H
Nd
Mr
Os
VH
VH
VH
VH
VH
VH
15: : HW-Network
7.12.5 :
Unavailability
15 M
: Workstation
VH
Dest
Disclosure
Modific
Commun
Impacts
1H
3H
12 H
SE
WE
Nd
Mr
VH
VH
VH
: HW-File/Web server
VH
VH
VH
VH
VH
16: :
7.12.6 :
Unavailability
15 M
: HW-Network
VH
Dest
Disclosure
Modific
Commun
Impacts
1H
3H
12 H
SE
WE
Nd
Mr
VH
VH
VH
VH
: SW-Software
VH
VH
VH
VH
7.12.7 :
Unavailability
15 M 1 H
: HW-File/Web server
VH
VH
Dest
Disclosure
Modific
Commun
Impacts
3H
12 H
SE
WE
VH
VH
VH
VH
VH
VH
VH
VH
VH
VH
VH
VH
VH
VH
VH
VH
VH
VH
VH
: HW-Network
VH
7.12.8
i.
ii.
iii.
iv.
v.
vi.
Unavailability - :
1 hour 1
1 day 1
2 days 2
Destruction :
Destruction since the last successful back-up
Total destruction including back-ups
Disclosure - :
Unauthorized disclosure to insiders -
Unauthorized disclosure to contracted service providers -
Unauthorized disclosure to outsiders -
Modification - :
small-scale errors -
widespread errors -
deliberate modification -
small-scale errors (for example, keying errors, duplication of input)
widespread errors (for example, caused by a programming error)
Insertion of false message
Communication Impacts
.
P       Physical destruction
15 M    Unavailability - 15 minutes
1 Hr    Unavailability - 1 hour
3 Hr    Unavailability - 3 hours
12 Hr   Unavailability - 12 hours
1 Dy    Unavailability - 1 day
2 Dy    Unavailability - 2 days
1W      Unavailability - 1 week
2W      Unavailability - 2 weeks
1M      Unavailability - 1 month
2M      Unavailability - 2 months
B       Loss of data since last back-up
T       Total loss of all data
I       Unauthorised disclosure to insiders
C       Unauthorised disclosure to contracted third parties
O       Unauthorised disclosure to outsiders
S E/T   Small-scale errors (for example, keying errors)/small-scale errors in transmission
W E/T   Widespread errors (for example, programming errors)/widespread errors in transmission
D S/T   Deliberate modification of stored data/deliberate modification of data in transit
Or      Repudiation of origin
Rc      Repudiation of receipt
Nd      Non-delivery
Rp      Replay
Mr      Mis-routing
Tm      Traffic monitoring
Os      Out-of-sequence
In      Insertion of false message
19:
7.13
, ,
7.13.1 Mobile Computing
:
:
:
:
No
1.
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.2
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
Mobile computing
SRV DMS
SRV DMS
SRV DMS
SRV DMS
SRV DMS
SRV DMS
SRV DMS
SRV DMS
SRV DMS
, SRV DMS
,
SRV DMS
hardware software
SRV DMS
Back-up SRV DMS
1.2.7
1.2.8
SRV DMS
SRV DMS
,
7.13.2 (1/3)
:
No
1.
1.1
1.1.1
1.2
1.3
1.4
,
/
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
7.13.3 (2/3)
:
:
:
No
1.
1.1
1.1.1
1.1.2
1.2
1.2.1
1.2.2
1.3
1.3.1
1.3.2
1.4
1.4.1
1.4.2
checksum
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
7.13.4 (3/3)
:
:
:
No
1.
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.2
1.3
1.3.1
1.3.2
1.4
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
HW-File/Web server
7.13.5
:
:
:
:
No
1.
1.1
1.2
1.2.1
Configuration Management (
),
(unauthorized)
,
SRV-DMS
Prophix
SRV-DMS
Prophix
SW-BCT,
SW-
SW-BCT,
SW-
SRV-DMS
Prophix
SW-BCT,
SW-
SRV-DMS
Prophix
SW-BCT,
SW-
7.13.6
:
:
:
:
No
1.
1.1
1.1.1
1.2
1.2.1
stand-by
7.13.7 /
:
/
:
:
,
No
1.
1.1
2
2.1
2.2
2.2.1
2.3
2.4
, ,
,
44mm
7.13.8 (1/2)
:
:
:
:
No
1.
1.1
1.2
1.3
1.3.1
1.4
1.4.1
1.4.2
1.5
1.5.1
1.5.2
1.5.3
1.6
1.6.1
13 amp
socket outlets
toner
,
LOC Ktirio
LOC Ktirio
LOC Ktirio
LOC Ktirio
LOC Ktirio
LOC Ktirio
LOC Ktirio
LOC Ktirio
LOC Ktirio
LOC Ktirio
LOC Ktirio
LOC Ktirio
LOC Ktirio
LOC Ktirio
7.13.9 (2/2)
:
:
:
:
No
1.
1.1
1.2
1.3
1.4
1.4.1
1.4.2
1.5
1.5.1
1.5.2
1.6
1.6.1
1.6.2
1.6.3
1.7
1.7.1
1.7.2
1.8
1.8.1
1.9
LOC Computer
Offices
LOC Computer
Offices
LOC Computer
Offices
30
LOC Computer
Offices
30
LOC Computer
Offices
LOC 4th floor
,
LOC 4th floor
, LOC 4th floor
Room, LOC Room, LOC Room, LOC Room, LOC Room, LOC Room, LOC -
7.13.10
:
:
:
:
No
1.
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.2
1.3
1.4
/
.
7.13.11 (1/2)
:
:
:
:
No
1.
1.1
1.2
SW BCT, SW - Prophix
SW BCT, SW - Prophix
SW BCT, SW - Prophix
7.13.12 (2/2)
:
:
:
:
No
1.
1.1
1.1.1
1.1.2
1.1.3
1.2
1.2.1
live
/
live
,
EDI (Electronic Data Interchange),
Knowledge-based,
SW BCT, SW - Prophix
SW BCT, SW - Prophix
SW BCT, SW - Prophix
SW BCT, SW Prophix
SW BCT, SW - Prophix
SW BCT, SW - Prophix
SW BCT, SW - Prophix
8
CRAMM,
NEC. ,
Document Management Service .
, CRAMM
. Document Management
Service
. Document Management Service
, .
File/Web server, workstations
, , File/Web server
, NEC, ,
9
[1].
[2].
[3].
[4].
[5].
[6].
[7].
[8].
[9].
[10].
, : ,
, 2001
,
:
, 2004
. : , 2003
Crown Copyright: Cramm User Guide, Issue 5.1, July 2005
SANS Institute: A Qualitative Risk Analysis and Management Tool
CRAMM, 2002
, : ,
, :
, 2004
:
, 2009
, : ,
, :