
CRAMM

2010

NEC Unified Solutions

Abstract
Facing the emerging challenges of the Internet era, managers and information
security professionals in business and government must manage the specific risks to
their organizations in order to ensure efficient operations.
This paper explains the basic components of the risk analysis and risk management
processes and surveys different methodologies and approaches. It then describes and
discusses CRAMM, an automated tool based on a qualitative risk assessment
methodology, by going through the stages of a CRAMM review. Finally, a risk analysis
for a practical implementation scenario in a corporate network is carried out using
the CRAMM tool.
The information system of the NEC Unified Solutions company is the model on which I
build the whole study.

Contents

Abstract ........ 2
1 ........ 10
1.1 NEC Unified Solutions ........ 10
1.2 ........ 10
2 ........ 11
2.1 ........ 11
2.2 ........ 13
2.3 ........ 14
3 ........ 15
3.1 ........ 15
3.2 EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité) ........ 16
3.3 IT-Grundschutz ........ 17
3.4 MARION ........ 18
3.4.1 Phase 0 ........ 18
3.4.2 Phase 1 ........ 18
3.4.3 Phase 2 ........ 19
3.4.4 Phase 3 ........ 19
3.4.5 ........ 19
3.5 MEHARI (Méthode Harmonisée d'Analyse de Risques Informatiques) ........ 20
3.6 OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) ........ 20
3.7 Callio Secura ........ 21
3.8 COBRA ........ 21
3.8.1 COBRA ........ 21
3.9 CounterMeasures ........ 22
3.10 Proteus ........ 22
3.11 RA2 art of risk ........ 22
3.12 RiskWatch for Information Systems & ISO 17799 ........ 23
3.13 Security by Analysis (SBA) ........ 23
3.13.1 SBA Check ........ 23
3.13.2 SBA Scenario ........ 24
3.14 Information Security Forum's (ISF) Standard of Good Practice ........ 27
4 CRAMM ........ 28
4.1 ........ 28
4.2 CRAMM ........ 29
4.2.1 Stage 1 ........ 30
4.2.2 Stage 2 ........ 32
4.2.3 Stage 3 ........ 34
5 NEC Unified Solutions ........ 38
5.1 ........ 38
5.2 ........ 38
5.3 ........ 40
5.3.1 ........ 40
5.4 ........ 44
5.5 ........ 44
6 NEC Unified Solutions ........ 45
6.1 ........ 45
6.2 ........ 45
6.3 ........ 48
6.3.1 NEC ........ 48
6.3.2 ........ 53
6.3.3 ........ 58
6.3.4 ........ 63
6.3.5 ........ 67
6.3.6 ........ 73
6.3.7 ........ 78
6.4 ........ 83
6.4.1 Business Connect ........ 83
6.4.2 Prophix ........ 84
6.5 ........ 85
7 CRAMM ........ 86
7.1 ........ 86
7.2 ........ 86
7.2.1 ........ 86
7.2.2 ........ 88
7.2.3 ........ 89
7.3 CRAMM ........ 90
7.4 Identification of End User Services ........ 91
7.5 Identification of Physical Assets ........ 92
7.6 Identification of Locations ........ 92
7.7 Identification of Software Assets ........ 93
7.8 Valuation of Data Assets ........ 94
7.9 Valuation of Physical Assets ........ 94
7.10 ........ 95
7.11 ........ 97
7.12 ........ 99
7.12.1 to 7.12.8 ........ 99-102
7.13 ........ 104
7.13.1 Mobile Computing ........ 104
7.13.2 to 7.13.12 ........ 105-115
8 ........ 116
9 ........ 118

Tables

Table 1 ........ 14
Table 2: CRAMM ........ 29
Table 3 ........ 40
Table 4 ........ 85
Table 5 ........ 97
Tables 6-11 ........ 98
Table 12: SRV-DMS ........ 99
Table 13: SRV-DMS ........ 99
Table 14: SRV-DMS ........ 100
Table 15: HW-Network ........ 100
Table 16 ........ 101
Table 17: HW-Network, SW-Software ........ 101
Table 18: HW-File/Web server, HW-Network ........ 101
Table 19 ........ 103


1
1.1 NEC Unified Solutions
NEC Unified Solutions (NEC) 50
, ,
..
,
, .
, ,
,
,
.

1.2


NEC ,
CRAMM.


2
()
2.1

,

.
,
( ,
..).

.
, ,
,

.
,
, :



.

.

,
.



,
.
" ",
.


,
.

. , ,
,
' '.
,
:

;
;
;
;
;
,
.
, , ,
.
,
,
.
(risk), ,

, ,
.


2.2

.

,
,
/.
,
,
.
,
, ,
,

(Greek Law 2472/1997, Article 10, par. 3).

. , ,
.


.

, ,
:


.

(assets), (threats)
(vulnerability).
-
,

.



.

.

2.3

The basic terms used throughout the study are summarised in Table 1.

Table 1: Basic terms
Information System (IS)
Assets
IS Security
Threat
Vulnerability
Risk


3
3.1
.
,
.

.
:


, .

.

. ,

.
, , ..,
.

...

.
,
.
,
, .


. ,
. ,
, ,
,
(software tools).
, ,
.


3.2 EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité)

EBIOS was created in 1995 by the DCSSI (Direction Centrale de la Sécurité des Systèmes d'Information), the French central information systems security agency. The method is organised in five steps: step 1 establishes the context, steps 2 and 3 express the security needs and study the threats, and steps 4 and 5 identify the security objectives and derive the security requirements. A supporting EBIOS software tool is distributed by the Central Information Systems Security Division.
EBIOS is compatible with ISO/IEC 27001, ISO/IEC 13335 (GMITS), ISO/IEC 15408 (Common Criteria), ISO/IEC 17799 and ISO/IEC 21827. ([6])


3.3 IT-Grundschutz

IT-Grundschutz is a methodology for building an information security management system (ISMS), first published in 1994 by the German Federal Office for Information Security (BSI). Its catalogues group standard safeguards into modules covering the organisation, the infrastructure, the IT systems, the networks and the applications, so that a baseline level of protection can be reached without a full risk analysis for every component. The method is supported by the GSTOOL software from the BSI. IT-Grundschutz is aligned with ISO/IEC 17799 and ISO/IEC 27001. ([6])


3.4 MARION
MARION was developed by CLUSIF (Club de la Sécurité des Systèmes d'Information Français) in 1987; its last revision dates from 1998. The method runs in four phases.
3.4.1 Phase 0: preparation
The scope and objectives of the analysis are agreed with the organisation.
3.4.2 Phase 1: security audit

The existing security level is measured with a questionnaire covering 27 indicators; the scores are plotted graphically, as shown in Figure 1, so that the weak areas stand out.

Figure 1: MARION

3.4.3 Phase 2: risk analysis

Risks are classified as major risks (Major Risks) or simple risks (Simple Risks) and analysed through 17 standard threat types.
3.4.4 Phase 3: action plan

The findings are turned into an action plan: the measures are selected, costed and scheduled, and their expected effect on the audit scores is recorded.

3.4.5 Assessment of the method
The strengths and weaknesses of MARION are summarised in [9].


3.5 MEHARI (Méthode Harmonisée d'Analyse de Risques Informatiques)

MEHARI was developed by CLUSIF (Club de la Sécurité Informatique Français) as the successor of MARION and MELISA, and was first released in 1996. It is aligned with ISO/IEC 17799 and ISO/IEC 13335. ([6])

3.6 OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a self-directed approach: a small interdisciplinary team from the organisation itself (rather than external consultants) identifies the critical assets, the threats to them and the vulnerabilities, and produces a protection strategy. Besides the original OCTAVE there is OCTAVE-S, a streamlined version for small organisations (up to about 100 people). The Octave Automated Tool from the Advanced Technology Institute (ATI) supports the OCTAVE process.
OCTAVE was published in 1999 by the Software Engineering Institute of Carnegie Mellon University. ([6])


3.7 Callio Secura

Callio Secura was released by Callio Technologies in 2001. It is a multi-user Web application backed by a database that supports building and operating an ISMS according to ISO 27001 / ISO 17799 and BS 7799-2, and it also covers COBIT, HIPAA and Sarbanes-Oxley requirements. Callio Secura is aligned with ISO/IEC 17799 and ISO/IEC 27001. ([6])

3.8 COBRA
COBRA (Consultative, Objective & Bi-functional Risk Analysis) is a risk analysis tool built around ISO/IEC 17799, produced by C & A Security Systems Ltd. It runs on a Windows PC and is questionnaire-driven: the analyst answers the questions of the selected modules, and the tool evaluates the answers and produces the report. A "What if" facility lets the analyst change answers and see the effect on the result.
3.8.1 COBRA components
COBRA consists of an engine, written in Visual FoxPro, and a set of knowledge bases (knowledge bases). The knowledge bases are organised as questionnaire modules (questionnaire modules), each covering one area of security; the analyst selects the modules to apply, and the engine scores the answers. The modules are:
i. ISO 17799
ii. E-Structure
iii. IT Security
iv. Operational Risk
v. High Level Risk

The ISO 17799 module measures compliance with the standard. The questionnaire approach keeps the review consistent, but the quality of the result depends on the answers given. COBRA produces its report automatically. ([3])

3.9 CounterMeasures
CounterMeasures, from Alion, is built around the US NIST 800 series and OMB Circular A-130. The analysis can be tailor-made to the organisation, and the software guides the user through it. ([6])

3.10 Proteus
Proteus, from Infogov, dates from 1999. It supports compliance with ISO 17799 and the building of an ISMS according to ISO 27001 (BS 7799-2). Proteus Enterprise is the Web-based version. Proteus is aligned with ISO/IEC 17799 and ISO/IEC 27001. ([6])

3.11 RA2 art of risk

RA2 art of risk was developed by AEXIS as the successor of the RA Software Tool (2000). It supports building an ISMS according to ISO/IEC 27001:2005 (formerly BS 7799 Part 2:2002) and ISO/IEC 27002, and includes the RA2 Information Collection Device for gathering the input data. RA2 is aligned with ISO/IEC 17799 and ISO/IEC 27001. ([6])

3.12 RiskWatch for Information Systems & ISO 17799

RiskWatch for Information Systems & ISO 17799 is one of a family of RiskWatch products, alongside RiskWatch for Financial Institutions, RiskWatch for HIPAA Security, RiskWatch for Physical & Homeland Security, RiskWatch for University and School Security, RiskWatch for NERC (North American Electric Reliability Council) and C-TPAT Supply Chain.
It is aligned with ISO 17799 and US NIST 800-26. ([6])

3.13 Security by Analysis (SBA)

SBA (Security By Analysis) is a Swedish method dating from the 1980s. It is a participative method: the analysis is carried out by the people who know the organisation and its systems, and the method supplies the structure and the documentation. SBA consists of two tools, SBA Check and SBA Scenario, which can be used independently or together.
3.13.1 SBA Check
SBA Check assesses the current security level of an organisation, a system or a process against checklists derived from standards such as ISO/IEC 17799 (checklist model). The answers to each checklist (checklist) are recorded, and SBA Check reports the deviations found and the measures proposed.
3.13.2 SBA Scenario
SBA Scenario is the quantitative (quantitative) part of SBA: undesirable events are described as scenarios, and their frequency and consequences are estimated and ranked. The results are presented in three views:
Main analysis: the full list of scenarios with their estimates.
Ten analysis: the scenarios ranked on a scale of 1-10.
Risk window: a graphical overview of the scenarios.
SBA Scenario proceeds in four steps:
i. Preparation.
ii. Scenarios.
iii. Overview.
iv. Action Plan.

3.13.2.1 Preparation (step 1)
The scope of the analysis is defined and the working group is assembled from the people who know the system and the business. The group also agrees the scales used for the frequency and consequence estimates.
3.13.2.2 Scenarios (step 2)
The group lists the undesirable events (events) that could affect the system, describes each as a scenario, and estimates how often it could occur and what it would cost. Unrealistic scenarios are discarded and the remainder are ranked.
3.13.2.3 Overview (step 3)
The ranked scenarios are reviewed as a whole in the three views above.
3.13.2.4 Action Plan (step 4)
Measures are proposed for the most serious scenarios and compiled into an action plan.
3.13.2.5 Assessment of the method
The strengths and weaknesses of SBA are summarised in [9].

3.14 Information Security Forum's (ISF) Standard of Good Practice

The Standard of Good Practice of the Information Security Forum (ISF) is a set of security controls organised in five aspects: security management, critical business applications, computer installations, networks and systems development.
The ISF's FIRM (Fundamental Information Risk Management) approach monitors information risk with the Information Risk Scorecard, which is completed for each resource under review. The ISF's Information Security Status Survey benchmarks an organisation's controls against the Standard. SARA (Simple to Apply Risk Analysis) is the ISF's risk analysis method for critical systems, and SPRINT (Simplified Process for Risk Identification) is the simplified method for less critical ones. All of these are aligned with ISO/IEC 17799. ([6])


4 CRAMM
4.1
CRAMM (CCTA Risk Analysis and Management Methodology) is the standard (standard) risk analysis method of the UK government. It was developed in 1987 by the CCTA (Central Computer and Telecommunications Agency) and has been revised several times since; the version used in this study is CRAMM v5.1.
CRAMM covers three stages:

identification and valuation of assets;
assessment of threats and vulnerabilities;
selection and recommendation of countermeasures.

The CRAMM tool supports the reviewer through all three stages, holds the data of the review and the countermeasure library, and produces the reports.


4.2 CRAMM stages
A CRAMM review is organised in three stages, each with its own steps (Table 2):

1. Identification and valuation of assets (identification and valuation of assets)
   1.1: Definition of the review boundary and identification of the assets
   1.2: Valuation of the assets
   1.3: Construction of the asset model
2. Risk analysis (risk analysis)
   2.1: Identification of threats and of the asset groups they affect
   2.2: Assessment of threat and vulnerability levels
   2.3: Calculation of the risk measures
   2.4: Review of the risk measures
3. Risk management (risk management)
   3.1: Selection of countermeasures
   3.2: Recommendations

Table 2: CRAMM stages and steps


4.2.1 Stage 1: identification and valuation of assets

The first stage establishes what is to be protected and how much it is worth. It consists of three steps:
1.1. Definition of the review boundary and identification of the assets.
1.2. Valuation of the assets.
1.3. Construction of the asset model.
In more detail:
4.2.1.1 Step 1.1: review boundary and asset identification

The reviewer, together with the management of the organisation, defines the boundary of the review: which systems, locations and business processes it covers. Within that boundary the assets are identified and grouped into data assets, software assets and physical assets (hardware, network equipment, locations), together with the end-user services built on the data. The relationships between them (which data are processed by which software, on which hardware, at which location) are recorded, since they are needed for the asset model of step 1.3.
4.2.1.2 Step 1.2: asset valuation

Assets are valued according to the impact (impact) that their loss would have on the organisation. For data assets and services the valuation is done by interviewing the owners of the data, who describe the worst realistic consequence of each type of loss; physical and software assets are valued by their replacement cost.
For data, the impact is assessed separately for each type of loss: unavailability, destruction, disclosure (disclosure), modification (modification) and communication failures. The specific impacts considered are:

Unavailability [15 minutes, 1 hour, 3 hours, 12 hours, 1 day, 2 days, 1 week, 2 weeks, 1 month, 2 months].

Destruction [loss of data since the last back-up, total loss of all data including back-ups].

Disclosure [unauthorised disclosure to insiders, to contracted third parties, to outsiders].

Modification [small-scale errors, widespread errors, deliberate modification].

Communication impacts [insertion of false messages, repudiation of origin (non-repudiation of origin), repudiation of receipt (non-repudiation of receipt), non-delivery, replay (replay), mis-routing (misrouting), traffic monitoring (traffic monitoring), out-of-sequence delivery (out of sequence)].

Each impact is given a value on a scale of 1-10 using the CRAMM valuation guidelines (guidelines), which translate consequences such as financial loss, disruption of operations, embarrassment or breach of personal privacy into a value on that scale. The scales used in this study are given in section 6.2.

For physical and software assets CRAMM derives an implied value (implied value): each such asset inherits the highest value of the data assets and services that depend on it, because its loss would cause the loss of those data. In this way the value of a server or a network link reflects the data it carries and not only its purchase price.
The reviewer records the justification for each value, so that the management can confirm or adjust the values before the review proceeds.
4.2.1.3 Step 1.3: asset model
The assets and their dependencies are combined into the asset model: each data asset and service is linked to the software that processes it, the hardware that runs the software and the location that houses the hardware. The model determines which assets each threat can affect and how the implied values propagate.
4.2.2 Stage 2: risk analysis
The second stage assesses the threats to the assets and the vulnerability of the assets to those threats, and combines them with the asset values into risk measures. Its steps are:

2.1. Identification of threats and of the asset groups each threat affects.

2.2. Assessment of the threat and vulnerability levels.

2.3. Calculation of the risk measures.

2.4. Review of the risk measures.

In more detail:
4.2.2.1 Step 2.1: threats and asset groups

The reviewer decides which threats are relevant to the system and which assets each threat can affect. CRAMM supplies a library of threats and, for each, the asset types it applies to; the reviewer groups the assets so that every asset in a group is exposed to the same threats in the same way, which keeps the number of threat/asset combinations manageable. A threat is always considered together with the impact it causes, so the same threat can appear against a data asset, a physical asset or a location with different impacts.
4.2.2.2 Step 2.2: threat and vulnerability assessment
The level of each threat and the vulnerability of each asset group to it are assessed through CRAMM's questionnaires, which are answered by the staff responsible for the assets and the facilities. Threat levels are rated on a scale of 1-5 (very low, low, medium, high, very high) and express how likely the threat is to occur; vulnerability levels are rated on a scale of 1-3 (low, medium, high) and express how likely it is that the threat, if it occurs, produces the impact in question.

4.2.2.3 Step 2.3: risk measures
From the asset value, the threat level and the vulnerability level, CRAMM derives a risk measure for each combination of asset group, threat and impact, using a built-in lookup matrix. The risk measure is expressed on a scale of 1-7; a higher value indicates a greater need for countermeasures. Because the three inputs are ordinal, risk measures are only comparable with each other, not with a monetary figure.
4.2.2.4 Step 2.4: review of the risk measures

The risk measures and the ratings behind them are reviewed with the management of the organisation and corrected where a rating is not supported by the facts, before the selection of countermeasures begins.
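The following Python program is an added example, not code from the thesis or from the CRAMM tool. It shows how the three scales of stage 2 fit together with the implied-value rule of stage 1: data assets are valued per impact on the 1-10 scale, software, hardware and location assets inherit the maximum value of the data that depend on them, and each (asset group, threat) pair is combined with its threat level (1-5) and vulnerability level (1-3) into a risk measure on 1-7. The impact codes are those of Table 19 and the threat names are those used in the review's screenshots; the dependency graph, every rating and the combination formula (a monotone weighted sum standing in for CRAMM's proprietary lookup matrix) are assumptions constructed for the example.

```python
"""CRAMM-style risk computation.

Added example, not code from the thesis or from the CRAMM tool. The scales are
the ones the text describes (asset value 1-10, threat level 1-5, vulnerability
level 1-3, risk measure 1-7) and the impact codes come from Table 19; the
combination formula, the dependency graph and every rating are assumptions
constructed for the example."""

THREAT_SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
VULN_SCALE = {"low": 1, "medium": 2, "high": 3}

# Data/service valuations per impact code (Table 19 codes), each 1..10.
# Constructed sample values, not the thesis's figures.
DATA_VALUES = {
    "SRV-DMS":     {"1 Hr": 3, "1 Dy": 5, "2 Dy": 6, "B": 5, "T": 7, "O": 6, "D S/T": 5},
    "SRV-Prophix": {"1 Hr": 2, "1 Dy": 4, "2 Dy": 5, "B": 4, "T": 6, "O": 7, "D S/T": 6},
    "SRV-BCT":     {"1 Hr": 1, "1 Dy": 2, "2 Dy": 3, "B": 2, "T": 3, "O": 3, "D S/T": 3},
}

# Asset model: the software, hardware and location assets each data asset or
# service relies on (same shape as Tables 5-7; the asset names are assumptions).
DEPENDS_ON = {
    "SRV-DMS":     ["SW-OS", "HW-File/Web server", "HW-Network", "LOC-Computer Room"],
    "SRV-Prophix": ["SW-OS", "SW-Prophix", "HW-File/Web server", "HW-Network", "LOC-Computer Room"],
    "SRV-BCT":     ["SW-OS", "SW-BCT", "HW-File/Web server", "HW-Network", "LOC-Computer Room"],
}

# Threat and vulnerability levels per (asset group, threat). The threat names are
# the ones the review's screenshots use; the levels are constructed.
ASSESSMENT = {
    ("HW-File/Web server", "Hardware Maintenance Error"): ("very high", "high"),
    ("HW-Network", "Hardware Maintenance Error"):         ("very high", "medium"),
    ("SW-OS", "Software Maintenance Error"):              ("very high", "high"),
    ("HW-File/Web server", "Theft by Outsiders"):         ("very high", "medium"),
}


def asset_value(name):
    """Value of an asset on the 1-10 scale.

    A data asset or service is worth its highest-rated impact. Any other asset
    takes the implied value: the maximum over the data assets that depend on it,
    because losing the asset loses those data (the implied-value rule of
    step 1.2)."""
    if name in DATA_VALUES:
        return max(DATA_VALUES[name].values())
    dependents = [d for d, deps in DEPENDS_ON.items() if name in deps]
    if not dependents:
        raise KeyError(f"unknown asset {name!r}")
    return max(asset_value(d) for d in dependents)


def risk_measure(value, threat, vulnerability):
    """Combine value (1-10), threat (1-5) and vulnerability (1-3) into a risk
    measure on 1-7. CRAMM uses a lookup matrix; the monotone weighted sum below
    is an assumption that stands in for it, chosen so that the result grows with
    each input and spans exactly 1..7 (1 for 1/1/1, 7 only for 10/5/3)."""
    if not (1 <= value <= 10 and 1 <= threat <= 5 and 1 <= vulnerability <= 3):
        raise ValueError("rating outside the CRAMM scales")
    raw = value + 2 * threat + 2 * vulnerability  # 5..26
    return 1 + (raw - 5) * 6 // 21


def risk_register():
    """[(asset, threat, asset value, risk measure)] sorted highest risk first:
    the list that drives countermeasure selection in stage 3."""
    rows = []
    for (asset, threat), (t, v) in ASSESSMENT.items():
        value = asset_value(asset)
        rows.append((asset, threat, value,
                     risk_measure(value, THREAT_SCALE[t], VULN_SCALE[v])))
    return sorted(rows, key=lambda r: (-r[3], r[0], r[1]))


if __name__ == "__main__":
    for asset, threat, value, risk in risk_register():
        print(f"risk {risk}  value {value:2d}  {asset:20s} {threat}")
```

Two things the listing makes visible that the prose does not: SW-BCT is worth only 3 because nothing but the low-valued BCT data depends on it, while the file/web server, the network and the operating system all inherit 7 from the DMS and Prophix data; and with every threat at "very high", the vulnerability level alone decides the order of the register, which is why step 2.4 insists on reviewing the questionnaire answers before countermeasures are chosen.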
4.2.3 Stage 3: risk management
Using the risk measures of stage 2, CRAMM produces the security plan (security plan): the set of countermeasures that bring the risks to an acceptable level. The stage has two steps:

3.1. Selection of countermeasures.

3.2. Recommendations.

In more detail:
4.2.3.1 Step 3.1: selection of countermeasures
CRAMM holds a library of about 2,500 countermeasures, organised in groups. For each combination of asset group, threat and impact, the tool recommends the countermeasures from the library whose security level matches the risk measure. The reviewer records which of the recommended countermeasures are already in place, so that the report concentrates on the gaps.
CRAMM also indicates the relative priority and cost of each countermeasure, which the organisation uses to plan the implementation.

Figure 2: CRAMM screenshot

4.2.3.2 Step 3.2: recommendations

The result of the review is a report with the recommended countermeasures, the justification for each (the risks it addresses) and a proposed implementation order; it is presented to the management for approval. ([9])

Figure 3: CRAMM main screen


5 The information system of NEC Unified Solutions
5.1
This chapter describes the information system (IS) of NEC Unified Solutions: its hardware (hardware), software, users and data. The description is the input to the CRAMM review of the following chapters.

5.2
The IS consists of hardware (hardware), software (software), users (users) and data.
The hardware comprises a file server, a web server, switches and a router, the users' workstations (clients) and peripherals, connected as shown in Figure 4.

Figure 4: NEC Unified Solutions datacenter. The Internet connection passes through a router and a firewall to the switch; the switch connects the File Server, the Web Server, a laser printer, a scanner and the workstations of the CEO, Sales Manager, Channel Sales Manager, Sales Engineer, Financial Controller, Logistics, Technical Department Manager, IT Coordinator, Technical Support 1, Technical Support 2 and Secretary.

The hardware is as follows:

File Server: holds the company's files and the backups (backup).
Web Server: hosts the company's internet presence.
Router and Switch: connect the workstations to the servers and to the Internet.
Workstations (Clients): the users' PCs.
Peripherals (Printer, Scanner).


5.3
, , , ,
, , ,
. ,
().
,
, .
.

.
, .
:



:



5.3.1
NEC
:



-
(live backup)

Table 3:


5.3.1.1 -

:

, ,



-

5.3.1.2 -

,
.
, Bonus
.
. , , ,
.
. ,
,
.
,
.
.

5.3.1.3 -

.
,


,


, , ,






(, )
5.3.1.4 -

, , , fax


5.3.1.5 - -


.
,
, .
:


.
,
.
.


5.3.1.6 -

File Server (log off)
.
(
& File Server).
5.3.1.7 -


. fax
.
.


5.4 Software
The software installed on the server and on the workstations is:
Operating System: the operating system of the server and the workstations.
Prophix: the financial planning and reporting application (financial data).
Business Connect (BCT): a bespoke application accessed through the web browser.
Conference SW: the voice and video conferencing software.

5.5 End-user services
The data of the IS reach the users through the following services, each entered in CRAMM with the CRAMM service type given in brackets (see section 7.4):
Document Management Service (DMS): the file service on the File Server through which users store and share documents. (CRAMM type: Other End User Service)
Prophix (service): the service provided by the Prophix application. (CRAMM type: Application to Application Messaging)
BCT (service): the service provided by BCT, accessed through the web browser. (CRAMM type: Application to Application Messaging, Web Browsing)
Conference SW: voice and video conferencing. (CRAMM type: Voice - Video)


6 NEC Unified Solutions
6.1
,
.
,
CRAMM,
.

6.2

<1000
1.001 10.000
10.001 30.000
30.001 100.000
100.001 300.000
300.001 1.000.000
>1.000.001 ( )
>1.000.001 ( )

1
2
3
4
5
6
7
8
9
10

1
3
5
6
7


1
2
3
4
5
6

2
3
5
7



(confidential)

(secret)

(top secret)

7
9
10



10.000

100.000

1.000.000

10.000.000

10.000.000




1
2
3
4
5
6
7
8
9

<2.000
<10.000
<50.000
2
<250.000
10
,
10

3
4
5
6
7

3
4
7
8


1
2
3
4
5
6
7
8
9
10

6.3


NEC.

.
1-10.
6.3.1 NEC
5.3.1
.
6.3.1.1

.
,

.


CRAMM

(1 )

1-10


(1 )

1-10


(2 )

1-10

6.3.1.2
,
.
backup.

.


CRAMM

1.001
10.000
1-10

2
2

6.3.1.3 ()
,

.
,
.
.

( ).
CRAMM
()

10.001
30.000
1-10

3
5

6.3.1.4



.



.
CRAMM

1-10

6.3.1.5

.

.
CRAMM

1-10


6.3.1.6

.
, .
CRAMM

1-10

6.3.1.7

.
.

( )
CRAMM

1.001
10.000
1-10

2
3


6.3.2


.
6.3.2.1

-
.

. -
.
CRAMM

(1 )

1-10


(1 )

1-10



(2 )

1-10

6.3.2.2

.
backup
.

.
CRAMM

1.001
10.000
1-10

2
2

6.3.2.3 ()

. ,

.
.


CRAMM
()

30.001
100.000
1-10

4
4

6.3.2.4


.
.
CRAMM

<10.000

1-10

4
4

6.3.2.5


,
. .



NEC .
CRAMM

<50.000
2


100.000
1-10

5
3

6.3.2.6


.
CRAMM

- 1.001 10.000
1-10

2
2


6.3.2.7

.
.
CRAMM

10.001
30.000
1-10

3
3


6.3.3
.

.
6.3.3.1

.

.
CRAMM

(1 )

1-10


(1 )

1-10



(2 )

1-10

6.3.3.2

,

.
.
CRAMM

1.001
10.000
1-10

2
2

6.3.3.3 ()
,
,
.
. .


CRAMM
()

-

1.000.000

100.001
300.000
1-10

5
5

6.3.3.4 -


.
(: )
.
,

.


CRAMM

1.001
10.000
1-10

2
2

6.3.3.5

.

,
.
. ,

.
CRAMM

30.001
100.000


1.000.000
1-10

4
4


6.3.3.6 -

.
,
(: ).
CRAMM

- <10.000

1-10

4
4

6.3.3.7

,
. ,

.
CRAMM

30.0001
100.000
- <50.000
2
1-10

4
5
5


6.3.4
.

.
6.3.4.1

,
.
CRAMM

(1 )

1.001
10.000
1-10

2
2


(1 )

10.001
30.000
1-10

3
3



(2 )

10.001
30.000
1-10

3
3

6.3.4.2
.

(
, ).
.
CRAMM

1.001
10.000
1-10

2
2

6.3.4.3 ()


. .

,
.
, .


CRAMM
()

10.001
30.000


100.000
1-10

5
3
5

6.3.4.4


,
.
CRAMM

1-10

6.3.4.5

. ,
NEC ,
, ,
.


CRAMM



100.000
1-10

6.3.4.6


. ,
,
.
CRAMM

1.001
10.000
1-10

2
3

6.3.4.7

.
,
,


CRAMM

30.0001
100.000


100.000
1-10

4
3
4

6.3.5
.

.
6.3.5.1

.
projects.
.
CRAMM

(1 )

<1.000

1-10

1
2



(1 )

1.001 10.000
1-10

2
3


(2 )

1.001 10.000
1-10

2
3


6.3.5.2

.
backup
. .
CRAMM

1.001
10.000
1-10

2
2

6.3.5.3 ()
.
, ,
.
.
CRAMM
()

100.001
300.000
1-10

5
5


6.3.5.4

,
.
projects
.
CRAMM




1-10

2
2

6.3.5.5

.
.
projects .
, , .


CRAMM



1.000.000
1-10

6.3.5.6
,
,
projects.
.
CRAMM

1-10

6.3.5.7
,
.
.


CRAMM

30.0001
100.000
1-10

4
5


6.3.6 -
.
.
.
6.3.6.1


.
.
.
CRAMM

(1 )

1-10


(1 )

1-10



(2 )

30.001
100.000
1-10

4
4

6.3.6.2



.
CRAMM

1.001
10.000
1-10

2
3

6.3.6.3 ()
.
,
,
( , ).
.


CRAMM
()

- 300.001
1.000.000
1-10

6
7

6.3.6.4


. , , .
CRAMM


1-10

6.3.6.5


.

.


CRAMM

30.001
100.000


1.000.000
1-10

4
4


6.3.6.6

.
.
CRAMM

1-10

6.3.6.7


.
.
CRAMM

30.0001
100.000
1-10

4
5


6.3.7

. ,
,
.
6.3.7.1


.
CRAMM

(1 )

1-10


(1 )

1-10


(2 )

1-10


6.3.7.2

,
,
,
.
CRAMM

1.001
10.000
1-10

2
3

6.3.7.3 ()

,

. (logistics),

- .
, .


CRAMM
()

30.001
100.000
1-10

4
4

6.3.7.4

.
.
CRAMM

1-10


6.3.7.5

.
.
CRAMM

1-10

6.3.7.6
, ,

.
.
CRAMM

1.001
10.000
1-10

2
3

6.3.7.7


. .


CRAMM

30.0001
100.000
1-10

4
4


6.4

BCT Prophix.
6.4.1 Business Connect
6.4.1.1 BCT
BCT
.
,

.
CRAMM

(1 )

1-10


(1 )

1-10



(2 )

1-10

6.4.2 Prophix
6.4.2.1 Prophix
Prophix
.
.
CRAMM

(1 )

1-10


(1 )

1-10



(2 )

1-10

6.5

.

1h

1d

2d

Table 4:

7 CRAMM

7.1

CRAMM.
- ,

.

7.2
,

,
.
7.2.1 Prophix
The asset model of the Prophix service, as entered in CRAMM, is shown in Figure 5. Each line gives an asset, the asset it runs on and its location:

Data
Operating System (Software) -> File/Web Server -> Computer Room
Prophix (Software) -> File/Web Server -> Computer Room
Ethernet -> File/Web Server -> Computer Room
List Line (connection) -> Switches, Router -> Computer Room
Printer
Scanner
Prophix (Service)
Raid 1 (_Backup) -> Computer Room

Figure 5: Asset model of the Prophix service

7.2.2 BCT
The asset model of the BCT service is shown in Figure 6:

Data
Operating System (Software) -> File/Web Server -> Computer Room
BCT (Software) -> File/Web Server -> Computer Room
Ethernet -> File/Web Server -> Computer Room
Switches -> Computer Room
BCT (Service)
Raid 1 (_Backup) -> Computer Room

Figure 6: Asset model of the BCT service

7.2.3 DMS
The asset model of the Document Management Service is shown in Figure 7:

Operating System (Software)
Data
DMS (Service) -> File/Web Server -> Computer Room
Ethernet -> File/Web Server -> Computer Room
Switches -> Computer Room
Printer
Raid 1 (_Backup) -> Computer Room

Figure 7: Asset model of the Document Management Service


7.3 Identification of data assets in CRAMM
The data assets were entered in CRAMM with the properties described in chapter 5. CRAMM asks for the type of each data asset, chosen from:

Financial (Financial)
Personal (Personal)
Commercially sensitive (Commercially Sensitive)
Safety related (Safety Related)
Other (Other Data Types)

The following screenshot (screenshot) shows the data entry form.

Figure 8: Screenshot of the data asset entry form

The data of this study were classified as financial (Financial) and personal (Personal).


7.4 Identification of End User Services
Each end-user service is entered with one of the service types CRAMM provides:

Electronic Mail
Application to Application Messaging
Electronic Document Interchange
Ad-hoc File Transfer
Interactive Session
Web Browsing
Batch Processing
Voice - Video
Other End User Service

The services of chapter 5 (section 5.5) were entered with the types given there; the screenshot below shows the entry of one of them.

Figure 9: Screenshot of the end-user service entry form


7.5 Identification of Physical Assets

CRAMM distinguishes the physical assets into hardware (workstations, printers, servers and so on), cabling (coaxial, fiber, patch panel and so on), network equipment (switch, modem, router and so on), network services (HTTP, WAP, FTP and so on) and similar categories.
The physical assets of section 5.2 were entered accordingly.

7.6 Identification of Locations

The locations are the places that house the physical assets. Two locations were defined: the company's building (Building) and the computer room inside it.

Building
Computer Room

Figure 10: Locations of NEC


7.7 Identification of Software Assets
The software assets of section 5.4 (Operating System, Prophix, Business Connect and Conference Software) were entered in CRAMM. For each software asset CRAMM asks for its nature:

Funds transfer (Funds Transfer)
Financial (Financial)
Safety critical (Safety Critical)
Personal information (Personal Information)
General (General)

and for its origin:

Bespoke, sensitive (Bespoke Sensitive)
Bespoke, non-sensitive (Bespoke Non-sensitive)
Packaged (Packaged)

The software assets were classified as follows:

Software             Nature     Origin
Operating System     General    Packaged
Prophix              Financial  Bespoke Sensitive
Business Connect     General    Bespoke Non-sensitive
Conference Software  General    Packaged


7.8 Valuation of Data Assets

The data assets were valued on CRAMM's 1-10 scale with the values of chapter 6 (section 6.5). CRAMM records, for each data asset, the value of every impact type described in section 4.2.1.2.

7.9 Valuation of Physical Assets

The physical assets were valued at their replacement cost, as follows (unit cost and quantity):

Asset              Unit cost  Quantity
Workstations       800        11
Server             2500       1
Network            200        2
Printers/Scanners  250        2


7.10 Threat and vulnerability assessment
Having identified and valued the assets, the review proceeds to the threats. For each asset group CRAMM selects the threats that apply to it and asks the reviewer to rate them through its questionnaires; the answers lead to a threat level and a vulnerability level for each threat/asset combination (threats and vulnerabilities). The screenshots below show three of the questionnaires.
Figure 11 concerns the threat Hardware Maintenance Error for the hardware assets. For the File/Web Server the answer given was (b); for the network equipment (Network) the CRAMM options (a, b, c) were answered according to the actual situation.
Figure 12 concerns Software Maintenance Error, where the answer given was (b) as well.
Figure 13 concerns Theft by Outsiders. The building has a receptionist at the entrance, so answer (b) was given.

Figure 11: Screenshot, Hardware Maintenance Error

Figure 12: Screenshot, Software Maintenance Error

Figure 13: Screenshot, Theft by Outsiders

7.11 Threat and vulnerability summary
CRAMM summarises the assessed levels in its Threat and Vulnerability Summary report. The tables below reproduce the entries for the data assets and services (SRV-Prophix, SRV-BCT, SRV-DMS) and for the physical and software assets; the Full Threat and Full Vuln columns are the threat level and the vulnerability level assessed for each threat. The rest of the analysis concentrates on the threats rated Very High (Very High).

Table 5: Threat and vulnerability summary (data/services)
Asset         Full Threat  Full Vuln
!SRV-Prophix  High         Medium
!SRV-BCT      Low          Low
!SRV-DMS      Very High    Medium

Table 6: Threat and vulnerability summary (data/services)
Asset         Full Threat  Full Vuln
!SRV-Prophix  High         Medium
!SRV-BCT      Low          Low
!SRV-DMS      Very High    Medium

Table 7: Threat and vulnerability summary (data/services)
Asset         Full Threat  Full Vuln
!SRV-Prophix  Low          High
!SRV-BCT      Low          Medium
!SRV-DMS      Very High    Medium

Table 8: Threat and vulnerability summary (hardware)
Asset        Full Threat  Full Vuln
!HW-Network  Very High    Medium

Table 9: Threat and vulnerability summary (hardware)
Asset                Full Threat  Full Vuln
!HW-File/Web server  Very High    High
!!Workstation        Very High    High
!HW-Network          Very High    High

Table 10: Threat and vulnerability summary (software)
Asset         Full Threat  Full Vuln
!SW-Software  Very High    High

Table 11: Threat and vulnerability summary (hardware)
Asset                Full Threat  Full Vuln
!HW-File/Web server  Very High    Medium
!HW-Network          Very High    Medium


7.12 Impact assessment for the Very High threats

For each threat that CRAMM rated Very High (VH), the tables below give the asset concerned and the impact columns (unavailability periods, destruction, disclosure, modification and communication impacts) for which a risk was assessed; the abbreviations are explained in Table 19 (section 7.12.8). Every entry shown in these tables is rated VH.

7.12.1
Table 12: Asset SRV-DMS. Impact columns: Unavailability 15 M, 1 H, 3 H, 12 H, 1 D, 2 D; Modification DM; Communication impacts Nd. Entries: VH.

7.12.2
Table 13: Asset SRV-DMS. Impact columns: Communication impacts Tm. Entries: VH.

7.12.3
Table 14: Asset SRV-DMS. Impact columns: Modification SE, WE, DM; Communication impacts In, Nd, Rp, Mr, Os. Entries: VH.

7.12.4
Table 15: Asset HW-Network. Impact columns: Unavailability 15 M, 1 H, 3 H, 12 H; Communication impacts Nd, Mr, Os. Entries: VH.

7.12.5
Table 16: Assets Workstation and HW-File/Web server. Impact columns: Unavailability 15 M, 1 H, 3 H, 12 H; Modification SE, WE; Communication impacts Nd, Mr. Entries: VH.

7.12.6
Table 17: Assets HW-Network and SW-Software. Impact columns: Unavailability 15 M, 1 H, 3 H, 12 H; Modification SE, WE; Communication impacts Nd, Mr. Entries: VH.

7.12.7
Table 18: Assets HW-File/Web server and HW-Network. Impact columns: Unavailability 15 M, 1 H, 3 H, 12 H; Modification SE, WE. Entries: VH.


7.12.8 Impact types and abbreviations

The impact types assessed for each threat are:
i. Unavailability
ii. Destruction
iii. Disclosure
iv. Modification
v. Insertion of false message
vi. Communication impacts

Unavailability, with the periods assessed in this study:
1 hour: 1
1 day: 1
2 days: 2
Destruction:
Destruction since the last successful back-up
Total destruction including back-ups
Disclosure:
Unauthorized disclosure to insiders
Unauthorized disclosure to contracted service providers
Unauthorized disclosure to outsiders
Modification:
small-scale errors (for example, keying errors, duplication of input)
widespread errors (for example, caused by a programming error)
deliberate modification
Insertion of false message
Communication Impacts

The abbreviations used in the tables of sections 7.12.1 to 7.12.7 are explained in Table 19.

Table 19: Abbreviations of the impact types
P      Physical destruction
15 M   Unavailability - 15 minutes
1 Hr   Unavailability - 1 hour
3 Hr   Unavailability - 3 hours
12 Hr  Unavailability - 12 hours
1 Dy   Unavailability - 1 day
2 Dy   Unavailability - 2 days
1W     Unavailability - 1 week
2W     Unavailability - 2 weeks
1M     Unavailability - 1 month
2M     Unavailability - 2 months
B      Loss of data since last back-up
T      Total loss of all data
I      Unauthorised disclosure to insiders
C      Unauthorised disclosure to contracted third parties
O      Unauthorised disclosure to outsiders
S E/T  Small-scale errors (for example, keying errors) / small-scale errors in transmission
W E/T  Widespread errors (for example, programming errors) / widespread errors in transmission
D S/T  Deliberate modification of stored data / deliberate modification of data in transit
Or     Repudiation of origin
Rc     Repudiation of receipt
Nd     Non-delivery
Rp     Replay
Mr     Mis-routing
Tm     Traffic monitoring
Os     Out-of-sequence
In     Insertion of false message


7.13 Countermeasures
From the risk measures, CRAMM selected the countermeasure groups below. The original review tabulates, for each group, the individual countermeasures (numbered 1, 1.1, 1.1.1 and so on), their status and the assets they protect; for each group the protected assets or locations and the surviving details are given.

7.13.1 Mobile Computing
Protected asset: SRV DMS. Details: the hardware and software of the mobile equipment; back-up of SRV DMS.

7.13.2 (1/3)
Protected asset: HW-File/Web server.

7.13.3 (2/3)
Protected asset: HW-File/Web server. Details: checksum controls.

7.13.4 (3/3)
Protected asset: HW-File/Web server.

7.13.5
Protected assets: SRV-DMS, Prophix, SW-BCT. Details: Configuration Management; control of unauthorized (unauthorized) changes.

7.13.6
Protected locations: LOC - 4th floor, LOC Ktirio. Details: stand-by arrangements.

7.13.7
Protected location: LOC Computer Room. Details: an item specifying 44mm (presumably the door-thickness requirement of the CRAMM physical security countermeasures).

7.13.8 (1/2)
Protected location: LOC Ktirio. Details: 13 amp socket outlets; handling of printer toner.

7.13.9 (2/2)
Protected locations: LOC 4th floor, LOC Computer Offices, LOC Room.

7.13.10
Protected location: LOC - 4th floor.

7.13.11 (1/2)
Protected assets: SW BCT, SW - Prophix.

7.13.12 (2/2)
Protected assets: SW BCT, SW - Prophix. Details: controls on live data; EDI (Electronic Data Interchange); knowledge-based systems.


8

CRAMM,
NEC. ,
,
, , .
, ,

.

Document Management Service .
,
.
, CRAMM
. Document Management
Service
.
.

,
. Document Management Service
, .

, .
, .

.
File/Web server, workstations
.
.

.
.


, , File/Web server
. , ,
.
, NEC, ,
, ,
.
,
. ,
.
, ,
.


9 References
[1] (author and title not recoverable), 2001
[2] (author and title not recoverable), 2004
[3] (author and title not recoverable), 2003
[4] Crown Copyright: CRAMM User Guide, Issue 5.1, July 2005
[5] SANS Institute: A Qualitative Risk Analysis and Management Tool - CRAMM, 2002
[6] (author and title not recoverable)
[7] (author and title not recoverable), 2004
[8] (author and title not recoverable), 2009
[9] (author and title not recoverable)
[10] (author not recoverable): CRAMM
