CRAMM Guide
© Crown Copyright
The CRAMM Risk Analysis and Management Method is
owned, administered and maintained by the Security Service
on behalf of the UK Government.
The intellectual property rights are protected by the
Controller of HMSO acting for and on behalf of the Crown.
Application for reproduction should be made to HMSO via
the Security Service at the address shown below.
Acknowledgements
CRAMM has been produced in consultation with the
Security Service and CESG, who are the UK Government
national security authorities.
Further information
Further information can be obtained from:
The CRAMM Manager
Insight Consulting
Churchfield House
5 The Quintet
Churchfield Road
Walton-on-Thames
Surrey, KT12 2TZ
Telephone: 01932-241000
TABLE OF CONTENTS
1. How to use the guide...................................................................................................................1-1
1.1 Objectives of the guide.........................................................................................................1-1
1.2 Target audience .....................................................................................................................1-1
1.3 Structure of the guide...........................................................................................................1-1
1.4 Conventions ...........................................................................................................................1-2
2. Introduction to CRAMM............................................................................................................2-1
2.1 Introduction ...........................................................................................................................2-1
2.2 What is CRAMM? .................................................................................................................2-1
2.3 Background to CRAMM ......................................................................................................2-1
2.4 What is new in CRAMM Version 4....................................................................................2-1
2.5 When CRAMM reviews should be conducted ................................................................2-2
2.6 The need for CRAMM ..........................................................................................................2-3
2.7 The benefits of CRAMM ......................................................................................................2-4
2.8 Standards and Source of Information ...............................................................................2-4
2.9 Section summary...................................................................................................................2-5
3. Overview of risk analysis and management .........................................................................3-1
3.1 Introduction ...........................................................................................................................3-1
3.2 Risk analysis...........................................................................................................................3-1
3.3 Risk management..................................................................................................................3-2
3.4 Overview of CRAMM ..........................................................................................................3-3
3.5 Post review .............................................................................................................................3-6
3.6 Section summary...................................................................................................................3-7
4. Overview of BS 7799 ...................................................................................................................4-1
4.1 Introduction to BS 7799........................................................................................................4-1
5. Using the CRAMM software .....................................................................................................5-1
5.1 Introduction ...........................................................................................................................5-1
5.2 Installing CRAMM................................................................................................................5-1
5.3 Initiating and exiting from the software...........................................................................5-2
5.4 Security for CRAMM data...................................................................................................5-3
5.5 Window and screen design .................................................................................................5-4
5.6 Entering data .........................................................................................................................5-7
5.7 Navigating through the CRAMM software ...................................................................5-11
5.8 Displaying the status of a review.....................................................................................5-13
5.9 Browsing through a review’s assets ................................................................................5-14
5.10 Using the keyboard.............................................................................................................5-15
5.11 Printing reports ...................................................................................................................5-16
5.12 Structure of Screen in CRAMM ........................................................................................5-16
5.13 Error messages.....................................................................................................................5-18
5.14 Help .......................................................................................................................................5-20
5.15 Section summary.................................................................................................................5-20
6. Initiation ........................................................................................................................................6-1
6.1 Introduction ...........................................................................................................................6-1
6.2 The role of the reviewer .......................................................................................................6-1
6.3 Management and control of a CRAMM review ..............................................................6-2
6.4 Creating a review..................................................................................................................6-4
6.5 Selecting a review .................................................................................................................6-6
6.6 Initiation Activities ...............................................................................................................6-9
6.7 Gathering background information ..................................................................................6-9
6.8 Identifying interviewees and scheduling interviews ...................................................6-12
6.9 Section summary.................................................................................................................6-16
7. Identification and valuation of assets.....................................................................................7-1
7.1 Introduction ...........................................................................................................................7-1
7.2 Tasks in Identification and Valuation of Assets ..............................................................7-2
♦ Section 9, Risk analysis: describes the tasks involved in determining the level
of security requirement based on the results of the asset valuation and threat
and vulnerability assessment
♦ Section 10, Risk management: describes the tasks in determining the
countermeasure CRAMM considers appropriate to meet the risks identified
during the risk analysis, and how this information can then be used to
♦ Section 11, Contingency planning: describes how to use CRAMM to look at
contingency planning requirements and options
♦ Section 12, Specialist security reports: describes how to produce various
security reports
♦ Section 13, Security resources: describes how CRAMM can be used to record
how security is actually delivered
♦ Section 14, What If scenarios: describes how to use CRAMM to support change
management or to model different system and security profiles
♦ Section 15, Post review: describes how to close down a CRAMM review and
what to do when the review is complete
♦ Section 16, CRAMM software administration facilities: describes how to carry
out software administration tasks such as taking backups and maintaining
the configuration of the system
♦ Section 17, Further information about CRAMM: lists sources of further
information about CRAMM, such as publications, training and consultancy.
♦ Annexes: provide detailed information to support the above sections.
Sections 6 to 14 describe how to use both the CRAMM method and the software that
supports the method.
1.4 Conventions
The following style and formatting conventions are used in this User Guide:
♦ The reader is assumed to have the role of a CRAMM reviewer, and is
referred to as ‘you’ throughout the Guide. Any other roles are named, for
example ‘management’.
♦ Each section starts with an introduction, which lists the topics that are
covered, and ends with a summary of the section.
The sections covering the CRAMM Stages (sections 6 to 14) contain
descriptions of how to use both the method and the software to carry out
the tasks involved in each stage. For each task, there is a description of the
method, followed by instructions on how to use the software to carry out
the task. The start of the software description is indicated by an
instruction such as the following: ‘to create new data assets or modify
existing data assets:’
♦ In the sections covering the CRAMM Stages, each sub-section starts with a
‘method concept’. This describes the basic concepts behind each particular
part of the CRAMM method. They are preceded by the heading ‘Method
Concept’.
♦ Where a task consists of a series of steps that must be carried out in order, a
numbered list of steps is used. For other lists of items, or for tasks that can be
carried out in any order, a bulleted list is used.
♦ Keyboard keys that you need to use are enclosed within angle brackets, for
example <Alt> and <Tab>.
♦ Diagrams and tables are numbered in sequence within each section, and
have captions in italic, for example
2. Introduction to CRAMM
2.1 Introduction
This section covers the following topics:
♦ what is CRAMM
♦ the background to CRAMM
♦ what is new in CRAMM version 4
♦ when CRAMM reviews should be conducted
♦ the need for and benefits of CRAMM
♦ the standards that CRAMM complies with.
− software assets
3 Threat Assessment
A Threat Assessment involves identifying and assessing the level of threat
to the assets of a system. Typical threats include:
− deliberate attacks such as hacking, spoofing, insertion of false
messages, introduction of damaging or disruptive software, theft,
wilful damage
− errors by individuals
− technical failures.
[Diagram residue: Analysis, Risks, Management, Countermeasures]
3.4.1 Stage 1
Stage 1 consists of the following tasks:
♦ preparing a functional description of the system or project and agreeing with
management the boundary of the review
♦ identifying the data, software and physical assets within the scope of the
review and creating an asset model
♦ valuing data assets in terms of the business impacts that could result if they
were disclosed, modified, destroyed or made unavailable in an unauthorised
or unexpected manner. Interviews are held with appropriate members of the
user community, who may be the formal ‘data owners’ if such an approach is
in existence. CRAMM contains forms to help you structure the interview and
the ‘scenarios’ described by the interviewee are evaluated against the
guidelines contained in this User Guide
♦ valuing physical assets in terms of their replacement or reconstruction costs
♦ valuing the software assets held on the system. These can either be valued in
terms of their replacement and/or reconstruction cost only or, if they have an
intrinsic value in their own right, for the impacts of unavailability, disclosure
and modification.
3.4.2 Stage 2
Stage 2 of CRAMM investigates the threats and vulnerabilities to the system or
network. It consists of the following tasks:
♦ identifying the threats that require investigation in relation to particular
assets
♦ assessing the level of each threat (the likelihood of it occurring)
♦ assessing the extent of vulnerability to each threat (the likelihood of damage
or loss combined with the impact that this would cause)
♦ calculating the risks to the organisation caused by the threats to the system
or network (based on the asset valuation, threat assessment and vulnerability
assessment).
Threats and vulnerabilities are assessed using questionnaires produced by the
software tool. The questionnaires contain detailed questions, each with a choice of
possible answers. As far as possible, existing countermeasures are ignored during
this exercise so that no incorrect assumptions are made about their effectiveness.
The calculation of risks is performed by the software tool using the risk matrix
included at Annex H.
3.4.3 Stage 3
Stage 3 of CRAMM is concerned with selecting the appropriate countermeasures to
manage the risks identified in Stage 2. It consists of the following tasks:
♦ identifying countermeasures to address the risks calculated in Stage 2. The
software tool does this
♦ where some countermeasures are already in place, comparing them with
those generated by CRAMM to identify areas of weakness or over-protection
♦ developing recommendations on suitable countermeasures for the system or
network. The software tool can place countermeasures into a suggested
priority list.
The introduction of new countermeasures or changes to existing countermeasures
may have implications in terms of cost, management and staff time, and the
acceptability, usability and ultimately business benefit of the system. You should
therefore discuss countermeasure recommendations with management. Options are
available in the software tool to extract reports and to ‘backtrack’ to justify the
selection of a recommended countermeasure.
A CRAMM review does not include any detailed review of the effective operation of
countermeasures. Whilst this is an important task, it should be performed as a
separate exercise.
The final choice of countermeasures to implement is the responsibility of
management and relies upon a number of considerations such as cost and
availability of resources. Therefore, the work to define an actual implementation plan
falls outside of a CRAMM review.
• Stage 2 Reports:
− Summary of the Threat and Vulnerability Assessment: shows the threat
and vulnerability ratings relating to the system or network
• Stage 3 Reports:
− Recommended Countermeasures Report: describes the countermeasures
that have been generated by CRAMM in response to the risk
assessment
4. Overview of BS 7799
4.1 Introduction to BS 7799
The standard is intended for use by managers and employees who are responsible
for initiating, implementing and maintaining information security. It is intended
that the standard should provide a comprehensive set of controls setting out the best
information security practices in current use. The guidance is intended to serve as a
single reference point for identifying the range of controls needed for most situations
where information systems are used and therefore can be applied to a wide range of
organisations, large, medium or small.
With increasing electronic networking between organisations there is a clear benefit
in having a common reference document for information security management. It
enables mutual trust to be established between the different organisations and
provides a basis for management of these systems between users and service
providers.
Not all of the controls described in BS 7799 will be relevant to every situation. It
cannot take account of local system, environmental or technical constraints or be
presented in a form that suits every potential user in an organisation. Consequently
the controls need to be reviewed in order to identify their applicability to the specific
environment under review.
The standard does not purport to include all the necessary provisions of a contract.
Users of the standard are warned that they are responsible for its correct application.
Compliance with a British Standard does not of itself confer immunity from legal
obligations.
The following diagram shows the steps involved in complying with BS 7799 (as
defined in BS 7799 – Part II).
[Diagram: steps 3 to 6 of BS 7799 – Part II]
♦ Step 3: Undertake a risk assessment. Inputs: information assets; threats,
vulnerabilities, impacts. Output: risk assessment results and conclusions.
♦ Step 4: Manage the risk. Inputs: organisation’s approach to risk management;
degree of assurance required. Output: selected control options.
♦ Step 5: Select control objectives and controls to be implemented. Inputs: BS 7799
control objectives and controls; additional controls not in BS 7799. Output:
selected control objectives and controls.
♦ Step 6: Prepare a statement of applicability. Output: statement of applicability.
3 No password is set when CRAMM is first installed, but you can set one
by following the instructions in section 17.3.) Press the OK button in this
screen.
4 The Review window is then displayed.
back-up unless the contents of the hard disk have been lost, as the software has in-
built recovery features that will handle most interruptions to processing.
[Figure annotations: status line, Check Box, Title Bar, Group Box, Option Button, Buttons]
♦ option buttons: these are a group of buttons that are mutually exclusive. You
can select only one option at a time; if you already have an option selected, it
is replaced by your new selection. Examples of option buttons in this screen
are those contained in the Report Type group box.
Fields in a screen that are not available for you to use are shown in grey. Examples in
Figure 5-6 are the Assets and Status flag groups when the Security Checklist option is
selected.
Figure 5-7 shows part of another screen, the Countermeasure Assessment Reports
screen. This illustrates the use of check boxes.
A table is a set of rows and columns into which you can type text or select items from
a list.
You can select several rows at once in tables with a Set Many button. Do this as
follows:
♦ to select several adjacent rows:
− using the mouse, select the first row and drag the mouse over the
other rows that you wish to select
or
− select the first row, then hold down the <Shift> key and use the up or
down arrow key to move to the last row you wish to select - this will
select all of the rows that you move through
or
− select the first row, then hold down the <Ctrl> key and use the up or
down arrow key to move to the second row you wish to select - press
the <Spacebar> to select the second row
♦ to move forwards through the cells in a table, use the <Tab> key. To move
backwards, hold down the <Shift> key and press the <Tab> key.
Alternatively, use the mouse to click in the cell that you require.
diamonds. Double clicking on a leaf class will cause the class to be added to the
classification of the asset shown at the time. It is also possible to add a class by
‘dragging and dropping’ the class from the class selection list into the Asset’s Class
box.
To ‘collapse’ the display again, double-click on the branch class that you wish to
collapse or select it and press the <-> key on the keyboard number pad. You can
collapse to the top level by double-clicking on the trunk class at the top of the list
box. All lower classes disappear from the display. Double-click again on the trunk
class, and the display is returned to showing only the trunk and branch classes.
5.6.6 Note screens
Some screens contain a Note button which, when pressed, opens a Note screen. An
example of a Note button is shown in Figure 5-8. In most cases double clicking a field
where the note can be entered will cause the note screen to be automatically
displayed.
Note screens contain a text box into which you can type descriptive text about an
asset, and four editing buttons - Cut, Copy, Paste and Undo. There are also OK and
Cancel buttons.
Before you type any text into the note screen, the Note button is marked as ‘Empty’.
Once you have entered some text, this changes to ‘Note’, to let you know that a
comment has been written about the asset. You can edit the text as often as you like.
This opening screen shows the basic steps in completing a Risk Assessment, and the
order in which the steps need to be completed. Note: the Identification and
Valuation of Assets are shown to run in parallel with Threat and Vulnerability
Assessment but both tasks need to be completed before it is possible to carry out the
activities in the risk analysis stage.
Selecting any of the options will show how each of these tasks is divided up into
further sub-tasks. The complete list of all of the forms contained in CRAMM is
shown in Section 5.12.
The process flow style can also show where a task is optional. For example the
following diagram shows that completing the contingency planning aspects of the
CRAMM review is optional.
Step
1 In the CRAMM 4.0 application, from the Review menu choose Review
Status. The Review Status screen is displayed, as shown in Figure 5-15.
Initiation
• Gathering background information
• Identifying Interviewees and Interviewers
• Project Initiation Document
Identification and Valuation of Assets
• Modelling the system
− Identification of Data Assets
− Identification of End-User Services
− Identification of Physical Assets
− Identification of Locations
− Identification of Software Assets
− Creating Asset Models
• Valuing Assets
− Valuation of Data Assets
· Valuation Reports
· Impact Assessment Chart Wizard
· Data Asset Dependencies
· Impact Assessment Reports
− Stage 1 Backtrack
• Contingency Planning
− Print Data Recovery Reports
− Enter Data Recovery Information
Risk Analysis
• Calculating Measures of Risk
• Reviewing Measures of Risk
− Detailed Measures of Risks Report
− Summary Measures of Risks Report
Risk Management
• Calculating Recommended Countermeasures
• What-if
• Printing Security Checklists
− Countermeasure Library
• Security Resources
− Enter/Amend Security Resources
− Enter Resources to Countermeasures
− Print Security Resource Reports
CRAMM Administration
• General Configuration
• Maintain Tool Password
• Back-up/Restore/Delete Reviews
• Copy Review
• Maintain Impact Applicability
• Maintain Default Roles
• Maintain Status Flags
• Maintain Value Ranges
• Maintain Default Priority Factors
♦ the version number of the software (which you can find by choosing About
CRAMM from the Help menu)
♦ the nature of the problem, including:
− error messages
− data peculiarities
5.14 Help
CRAMM’s help facilities are available to you at any stage of a review to provide
context-specific help or more general information. If this is insufficient, contact your
CRAMM supplier for further information.
To obtain help on CRAMM from within Windows:
♦ double click on the CRAMM Help icon in the CRAMM 4.0 program group.
This is a standard Windows Help facility.
To obtain help on CRAMM from within the CRAMM software:
♦ choose Contents or Search from the Help menu. These are standard Windows
Help facilities
♦ within Contents there is an item, Process View. If you choose this item, a top-
level process diagram of the CRAMM method is displayed. If you double
click on one of the process boxes, a diagram of the sub-processes of that
process is displayed. You can double click on process boxes to see lower and
lower levels of process flow until you reach a process which has no sub-
processes. At this point you are shown the description of the process
♦ CRAMM also provides context-sensitive help for each CRAMM screen. To
use this, press the <F1> function key in the screen on which you want help. A
CRAMM help screen appears containing software help for the currently
displayed screen. At the top of this help screen is a ‘hotspot’ (some text in a
different colour) that, when selected, displays a screen containing method
help for the currently displayed CRAMM screen.
6. Initiation
6.1 Introduction
CRAMM is a comprehensive method that can be used to tackle a variety of security
related problems. Being comprehensive, however, can cause problems. If clearly
defined objectives are not set, time may be wasted investigating areas that are of
little or no interest to management, or alternatively the review may not explore
crucial areas in sufficient detail.
It is therefore essential that when setting up a CRAMM review, management clearly
defines its objectives and the required scope and deliverables from the review. You
will then be in a strong position to plan the review accurately.
This section covers the following topics:
♦ the role of the reviewer (section 6.2)
♦ management and control of a CRAMM review (section 6.3)
♦ creating, selecting and closing a review (sections 6.4 and 6.5)
♦ gathering background information on the review (section 6.7)
♦ identifying interviewees and scheduling interviews (section 6.8).
You cannot have two reviews open at the same time - before opening a new review,
you need to close the current one.
If one of the objectives of the review is to construct a System Security Policy, you can
gather much of the information for that document at this stage. Section 13.2 contains
guidance on how to write a System Security Policy.
Once you have gathered the background information that you require, you need to
enter this into the CRAMM software.
3 Select the option button for the description you wish to create or edit. If
you have already created the description it will be displayed in the
Description Text text box, otherwise this will be blank. You can type into
the Description Text text box and use the Cut, Copy, Paste and Undo buttons
to create and edit the description.
4 If you wish to produce a report on the background information, press the
Background Information Report button. The Review Information Report
screen is displayed, as shown in Figure 6-26.
From the Initiation screen, choose Identifying Interviewees and Interviewers. The
Identifying Interviewees and Interviewers screen is displayed, as shown in Figure
6-27.
To create or edit the names of the people carrying out the interviews:
Step
1 Select the Interviewers option button.
2 The names of the interviewers already defined will be displayed in the
Interviewer Name table.
3 To add a new interviewer, press the New button, then type the name into
the row added to the end of the table. You can only add one name per
row.
4 To remove an interviewer, select the appropriate row in the table and
press the Delete button.
5 To edit the name of an interviewer, select the appropriate row in the table
and type in the alterations.
To create or edit the names of the people who will be interviewed to supply
valuation details of data and application software assets:
Step
1 Select the Interviewees option button.
2 The names of the interviewees already defined will be displayed in the
Interviewee Name table.
3 Add, remove or alter the names of interviewees in the same way as
described for interviewers.
− Integrity
− Availability
or
When an existing asset name is displayed you can change it by typing into the
text box. If you want to define a new asset when an existing asset name is
displayed, press the New button. This will clear the existing asset detail
from this and other fields. You can then type the name of the new asset
into the Name text box.
3 Use the Comment for <Asset Name> text box to add or modify descriptive
information about the asset. (If you are defining a new asset, this text box
is called Comment for new asset.) You can type text into the Comment for text
box and modify your typing using the standard Windows keys and key
combinations.
4 Use the Class Selection list box to select a class for the asset. Do this by
selecting the required class in the hierarchy and pressing the Add button.
Your selection appears in the Class list box.
5 If the asset has more than one class defined for it, the legend Multi
Function Asset will appear below the list box.
6 Use the Delete button to delete an asset from the review. Do this by
selecting it in the Name text box and pressing the Delete button. You
cannot delete an asset if it is linked into an asset model. To do this, you
first have to remove the asset from the model (see section 7.3.5).
7.3.2 Identifying End User Services
Method Concept: An important consideration in assessing risk and determining
security requirements is the type of service provided to the end user (where the end
user can be either a human being or an automated process). For example, the risks
and security requirements for a system that allows interactive access to a database
by human users will be different to those for a system that only allows messaging
between computer applications.
End User Services is a concept embedded within CRAMM as a way of modelling the
fact that the same data can be held, processed or transmitted in a variety of different
ways. These differences can lead to significant variances in terms of the types of
assets employed, the requirements for security and the types and number of
countermeasures that would be considered appropriate. For example, many
technical controls apply to the exchange of data over data communications links, but
would not be applicable if the same data were being transmitted by voice.
The end-user services defined in CRAMM are as follows:
• Electronic Mail;
• Application to Application Messaging;
• Electronic Document Interchange;
• Ad-hoc File Transfer;
• Interactive Session;
• Web Browsing;
• Batch Processing;
• Voice;
• Video;
• Other End User Service.
Since they are fundamental to the selection of many technical controls, CRAMM
enforces a rule that Asset Models cannot be created without an End User Service.
However, the end-user service can be a multi-function asset.
To create new end user services or modify existing end user services:
Step
1 From the Modelling Assets screen, choose Identification of End User
Services button. The Create and Maintain End User Services screen is
displayed, as shown in Figure 7-31.
or
If an existing asset name is displayed you can change it by typing into the text
box. If you want to define a new asset when an existing asset name is
displayed, press the New button. This will clear the existing asset detail
from this and other fields. You can then type the name of the new asset
into the Name text box.
3 Press the Note button next to the Comment field to add or modify
descriptive information about the asset. This displays a screen in which
you can type and modify text. When you are satisfied with the
description, press the OK button in this screen.
4 Use the Class Selection list box to select a class for the asset. Do this by
selecting the required class in the hierarchy and pressing the Add button.
Your selection appears in the Class list box.
5 If the asset has more than one class defined for it, the legend Multi
Function Asset will appear below the list box.
Note: The primary asset in a Multi Function Asset must be an allowable
Physical to Software asset link.
6 Use the Remove button to remove a class from the asset. Do this by
selecting the class in the Class list box and pressing the Remove button.
7 Use the Delete button to delete an asset from the review. Do this by
selecting the asset in the Name drop-down list box and pressing the Delete
button.
You cannot delete an asset if it is linked into an asset model. To do this,
you first have to remove the asset from the model (see section 7.3.5).
• where multiple assets of the same type are used, and are likely to be
subject to similar risks, these may be grouped together and only defined
once to the software tool. For example, fifty workstations of the same type
in the same location could be defined as a single instance of a physical
asset (workstation) rather than fifty instances.
• where assets carry out multiple functions, they can be classified as
multi-function assets. For example, a single PC may be defined as a workstation,
server and gateway.
During Stage 3 of the review the CRAMM software tool will select countermeasures
which protect against the defined asset classes. If no assets of a particular asset class
have been defined, countermeasures for that asset class will not be put forward for
consideration.
or
If an existing asset name is displayed you can change it by typing into the
text box. If you want to define a new asset when an existing asset name is
displayed, press the New button. This will clear the existing asset detail
from this and other fields. You can then type the name of the new asset
into the Name text box.
3 Use the Quantity text box to alter the number of units for the asset. You
can alter the number by typing directly into the text box or by using the
increment/decrement controls of the text box.
4 Press the Note button next to the Comment field to add or modify
descriptive information about the asset. This displays a screen in which
you can type and modify text. When you are satisfied with the
description, press the OK button in this screen.
5 Use the Class Selection list box to select a class for the asset. Do this by
selecting the required class in the hierarchy and pressing the Add button.
Your selection appears in the Class list box.
6 If the asset has more than one class defined for it, the legend Multi
Function Asset will appear below the list box.
Note: The primary asset, in a Multi Function Asset, must be an allowable
Physical to Software asset link.
7 Use the Remove button to remove a class from the asset. Do this by
selecting the class in the Class list box and pressing the Remove button.
8 Use the Delete button to delete an asset from the review. Do this by
selecting the asset in the Name drop-down list box and pressing the Delete
button.
You cannot delete an asset if it is linked into an asset model. To do this,
you first have to remove the asset from the model (see section 7.3.5).
Table 7/1 lists the physical asset classes.
Video: Video Telephone; Video-Conferencing; Other Externally Provided Video Service
Video: TV; Other Internally Provided Video Service
Media (defined as any material used for the permanent or temporary storage of
information, for the preparation of information for communication or transfer, or
for the presentation of information for input or output from computer systems.
Includes both electronic and non-electronic forms of information.)
• Non-Electronic: Input; Output; Vital Records; Other
• Electronic: Tapes; Disks; Other
or
4 Use the Class Selection list box to define a class for the asset. Do this by
selecting the required class in the hierarchy and pressing the Select button.
Your selection appears in the Class list box.
An application software asset can only have one class defined for it. To
change the class, simply make another selection from the Class Selection
list box and press the Select button again.
5 Use the Delete button to delete an asset from the review. Do this by
selecting the asset in the Name text box and pressing the Delete button.
You cannot delete an asset if it is linked into an asset model. To do this,
you first have to remove the asset from the model (see section 7.3.5).
• for a site, select (Add New Site) in the Locations list box, or
• for a building without a site, select (No Site) in the Locations list box,
or
• for a building on a site, select the name of the site in the Locations list
box, or
• for a room, select the name of its building in the Locations list box.
3 Type the name of the new location into the New Location text box
4 Press the Note button next to the Comment field in the New Location group
box if you wish to add descriptive information about the location. This
displays the Description for location screen in which you can type and
modify text. When you are satisfied with the description, press the OK
button in this screen.
5 Press the New button.
The name that you typed into the New Location text box is displayed in the
Locations list box.
6 To edit the name of an existing location, select the location in the Locations
list box, and type the new name into the Existing Location text box. Note
that the new name is not displayed in the Locations list box until you select
it.
7 To add or modify descriptive information about an existing location,
select the location in the Locations list box and type into the Comment text
box in the Existing Location group box. You can modify text within this
list box using the standard Windows keys and key combinations. (Note
that you can also enter descriptive information for a new location as
described in step 4 above.)
8 To remove a location from the review, select it in the Locations list box, and
press the Delete button. If you select a site, all of the buildings on the site
and rooms in those buildings will be removed. If you select a building,
all of the rooms in the building will be removed. Note that the delete
action will not be allowed if any of the locations which would be removed
is linked into an asset model, that is if a physical asset has been linked to
the location.
2 Define separate asset models for each pairing of data asset and end-user
service. For each asset model, the data asset should have a link to one and
only one end-user service.
3 Identify the links from the end-user service to those physical assets which
support the data asset/end-user service pairing
4 Identify the links from physical assets to locations (only where you wish
to investigate physical and environmental risks to those locations).
5 Identify the links from the data asset to those application software assets
which support the data asset/end-user service pairing. (Only where you
wish to investigate controls that apply to application software.)
6 Identify the links from these application software assets to the physical
asset on which each resides
7 Identify the links from the data asset to those media assets which support
the data asset/end-user service pairing. (Only where you wish to
investigate controls that apply to media assets.)
8 Repeat for the next data asset/end-user service asset pairing for the same
data asset.
9 Repeat for the next data asset.
Figure 7-35 describes a generic asset model. This shows that asset models are created
for each data asset/end-user service combination by:
• linking all physical assets (except those classified as ‘media’) that support
the data asset/end-user service combination to the end-user service
• linking application software assets that support the data asset directly to
the data asset
• linking each application software asset to the host or workstation on
which it resides
• linking media items that support the data asset directly to the data asset.
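As an added example (not from the CRAMM User Guide or the CRAMM tool), the following Python validator checks a candidate asset model against the linking rules listed above; the asset type names, the link representation and the two sample models are constructed for illustration.

```python
"""Validator for the generic CRAMM asset model described above.

Added example, not part of the CRAMM User Guide or the CRAMM tool. The
type names, the (source, target) link representation and the sample
models below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Asset types that appear in an asset model. Media is a physical asset
# class, but it links to the data asset rather than to the end-user service.
DATA, EUS, PHYSICAL, MEDIA, APP, LOCATION = (
    "data", "end_user_service", "physical", "media", "application", "location")


@dataclass
class AssetModel:
    """One asset model: a single data asset/end-user service pairing plus
    the directed links (source -> target) recorded for it."""
    data_asset: str
    types: dict                              # asset name -> asset type
    links: set = field(default_factory=set)  # (source, target) pairs

    def targets(self, source):
        return {t for s, t in self.links if s == source}

    def of_type(self, kind):
        return {name for name, t in self.types.items() if t == kind}


def validate(model: AssetModel) -> list:
    """Return the list of rule violations for the model (empty means valid)."""
    problems = []
    data = model.data_asset
    eus_links = {t for t in model.targets(data) if model.types.get(t) == EUS}
    # Rule: a model cannot exist without an end-user service, and within one
    # model the data asset links to one and only one end-user service.
    if len(eus_links) != 1:
        problems.append(f"{data}: linked to {len(eus_links)} end-user services, expected 1")
        eus = None
    else:
        eus = next(iter(eus_links))
    # Rule: physical assets (other than media) hang off the end-user service;
    # their links to locations are optional but must point at locations.
    for phys in model.of_type(PHYSICAL):
        if eus is None or (eus, phys) not in model.links:
            problems.append(f"{phys}: physical asset not linked from the end-user service")
        for target in model.targets(phys):
            if model.types.get(target) != LOCATION:
                problems.append(f"{phys}: link to {target}, which is not a location")
    # Rule: application software links from the data asset and is placed on
    # the host or workstation (a physical asset) on which it resides.
    for app in model.of_type(APP):
        if (data, app) not in model.links:
            problems.append(f"{app}: application software not linked from the data asset")
        hosts = {t for t in model.targets(app) if model.types.get(t) == PHYSICAL}
        if not hosts:
            problems.append(f"{app}: application software has no host physical asset")
    # Rule: media items link directly from the data asset, not via the service.
    for med in model.of_type(MEDIA):
        if (data, med) not in model.links:
            problems.append(f"{med}: media not linked from the data asset")
        if eus is not None and (eus, med) in model.links:
            problems.append(f"{med}: media must not be linked from the end-user service")
    return problems


# Constructed sample: a "Patient Records" data asset used over an
# Interactive Session end-user service.
TYPES = {"Patient Records": DATA, "Interactive Session": EUS,
         "Ward Workstations": PHYSICAL, "File Server": PHYSICAL,
         "Backup Tapes": MEDIA, "Records Application": APP,
         "Basement": LOCATION}

GOOD_MODEL = AssetModel("Patient Records", TYPES, {
    ("Patient Records", "Interactive Session"),
    ("Interactive Session", "Ward Workstations"),
    ("Interactive Session", "File Server"),
    ("File Server", "Basement"),
    ("Patient Records", "Records Application"),
    ("Records Application", "File Server"),
    ("Patient Records", "Backup Tapes"),
})

# Same assets, but the media item has been hung off the service and the
# application has not been placed on a host.
BAD_MODEL = AssetModel("Patient Records", TYPES, {
    ("Patient Records", "Interactive Session"),
    ("Interactive Session", "Ward Workstations"),
    ("Interactive Session", "File Server"),
    ("Patient Records", "Records Application"),
    ("Interactive Session", "Backup Tapes"),
})

if __name__ == "__main__":
    for name, model in (("good", GOOD_MODEL), ("bad", BAD_MODEL)):
        print(name, validate(model) or "valid")
```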
[Figure 7-35: generic asset model, with the labels Data Asset, Application Software, Media, Workstation, Storage Device and Location]
[Figure: XXX House example network, with the labels FDDI Ring, Group A, Group B, File Servers (Basement) and LAN Equipment]
This could be modelled in CRAMM by creating the following two asset models:
Model 1
• use the Data Asset drop-down list box to select a data asset for which
you wish to create an asset model
• use the End User Service drop-down list box to select an end-user
service asset for which you wish to create an asset model with the
data asset in Data Asset. Only those end-user services that are not
already in an asset model will be displayed.
• use the End User Service drop-down list box to select an end-user
service asset for which an asset model has been defined with the data
asset selected in the Data Asset drop-down list box.
The remaining steps apply whether you are creating or modifying an asset
model.
5 Either double click on the asset shown in the source asset model that you
wish to be added or select the asset and press the Copy button.
medical history data which might result in a patient being treated with an unsuitable
drug.
Existing countermeasures should not be taken into account. This prevents you
from making any false assumptions about the effectiveness of these countermeasures,
and also enables CRAMM to determine whether they are truly justified. However,
you may take into consideration the existence of alternative manual processes, or
other automated systems outside the boundary of the review.
The objective when assessing data values is to determine the severity of the impact,
not the possible causes of an impact, nor the likelihood of such an event occurring.
These issues will be explored during the threat and vulnerability assessment in Stage
2 of CRAMM.
For each data asset, you need to discuss with the interviewee the effect of the
following impacts.
Unavailability
The consequences resulting from data being unavailable may vary depending on the
length of the loss of service. CRAMM allows you to investigate these consequences
against the following timeframes:
• less than 15 minutes
• 1 hour
• 3 hours
• 12 hours
• 1 day
• 2 days
• 1 week
• 2 weeks
• 1 month
• 2 months and over.
You do not need to assess the consequences of loss of service for all of these
timeframes - you should select those that are appropriate to the data asset. You
should, however, use a minimum of three time periods. CRAMM will make
assumptions about the time periods for which no asset value has been specified.
If one of the primary purposes of the review is to identify contingency planning
options, you should assign values to most or all of the time periods so that you
obtain a good understanding of the changing nature of the impact.
Destruction
This impact investigates the consequences that could result from:
• loss of data since the last successful back-up
• total loss of data including back-ups.
You need to find out how often back-ups are taken and where they are stored when
looking at this impact.
Disclosure
This impact is investigated in terms of:
• disclosure to insiders (those people working for the organisation, but who
are not authorised to see the data)
Step
1 Compare the scenarios outlined by the interviewee(s) against the
guidelines to identify which guideline corresponds most closely to the
scenario that has been described. Enter the guideline in the ‘Guideline’
section of the form.
2 Using the descriptions contained in the guidelines, decide on the data
valuation for each impact. For financial loss scenarios, you can enter the
actual financial loss in the ‘Financial value’ section of the form. For other
scenarios, enter the asset value indicated by the guidelines into the ‘Scale
value’ section of the form.
You need to gather enough information to quantify the severity of the
impact. For example, if an interviewee states that deliberate modification
could lead to financial loss, gather sufficient information to determine the
likely extent of the loss. You should not, however, show the guidelines to
the interviewee because this removes some of the objectivity required in
this activity.
Within the guidelines, descriptions are not always provided for every
scale value. You may select a scale value for which no description is
provided if you feel that it most accurately represents the potential
impact.
3 Record the reasoning behind your valuation in the ‘Valuation Scenario’
section of the form. An example of what you might enter in this section is
where an impact could result in an effect in terms of two or more criteria
(for example, an unauthorised disclosure resulting in financial loss and a
breach of personal privacy). In this case, you need to record a separate
data value for each effect. Only the highest value will be subsequently
input to the CRAMM software, but it is important to have a complete
picture.
4 Where more than one interviewee is consulted about the valuation of a
single data asset, you should record the valuations separately and then
consolidate them into a single valuation for the asset. The consolidated
valuation will be input into the CRAMM software.
Once you have completed the Data Asset Valuation form for the asset, you need to
enter the information into the CRAMM software. This is described in section 7.7.5.
6 You can use the Status text box to remind yourself of the status of the
valuation of the asset. Type a short message into the text box such as:
• not started
• in progress
• completed.
This text box is for your own use and you do not have to use it. It is not
used by any of the CRAMM method processes.
7 You can use the Date text box to enter the date of the valuation interview.
8 Use the table in the Assign Value group box to define the impact values.
This table has several columns which show the impact values of the asset.
Use these columns as follows:
• Impact: This column contains an entry for every impact which can
apply to a data asset. The impact will appear whether a value has
been assigned to it or not. The list of impact types is given in Annex
D
• Guideline: Use this column to select the valuation guideline for the
Scale and Impact in the same row. Do this by selecting from the
column’s drop-down list
• Scale: Use this column to enter the value on a scale of 1 to 10 for the
Impact and Guideline in the same row. If you set this to 0, it means
that this asset has no value for the impact
• Cost: Use this column to enter the financial value for the Impact in
the row. This is only used by the CRAMM method for Unavailability
and Physical Destruction impacts. You cannot define a financial
value which translates to a value greater than that in Scale for the
row. If the value in Scale is zero, then it will be reset to the value
translated from Cost
9 To clear an impact value, select (No Valuation) in the Guideline cell for that
impact.
10 If you want to define a scale value for an impact and a lower financial
value to be used for contingency planning purposes you can do this. You
should detail why the two are different in the Scenario Description column.
11 If you define a financial value for an impact which translates to a higher
scale value than the one currently defined, a warning message will be
displayed when you try to move out of the row for the impact. You
should clear the warning by either:
• setting the value in the Scale column to zero so that the software will
calculate the scale value from the financial value, or
• setting the scale value to a value higher than or equal to the value
which would result from the financial value.
Once you have entered the information into the software, you can print a completed
Data Asset Valuation form. See section 7.14 for details.
• Unit Cost: Use this text box to enter the financial replacement cost of
a unit of the asset
• Total Replacement Cost: This text box displays the financial value
derived from Quantity and Unit Cost. You cannot edit the
information in this text box
• Scale Value: This text box displays the value for the asset on a scale of
1 to 10. This is based upon its replacement and reconstruction cost,
using the financial loss guidelines included in Annex E. You cannot
edit the information in this text box
Once you have entered the information into the software, you can print a completed
Physical Asset Valuation form. See section 7.14 for details.
This approach ensures that time is not wasted on rigorously investigating a system
or network that only requires a low level of protection.
[Figure: asset valuation example, with the labels High Availability and Confidentiality Requirement, High Confidentiality Requirement, Data with high availability requirements and Physical Asset, and the value columns Availability, Conf and Integrity]
3 When you are satisfied that you have selected the content of the report
correctly, then press either the Preview button to see the report on screen
or the Print button to print the report directly.
• if you select Asset Groups, the list box in the Select group box is
labelled Asset Groups and shows the asset groups defined for the
review. For each group to be included in the report, select it and
press the Add button. The groups are added to the Report On list box.
The report produced is of the calculated impact values of the
component assets of each group. This option is not relevant in Stage
1 where asset groups will not have been created. However, the
reports can also be produced in Stage 2, when this option will be
relevant
• if you select Asset Classes, the list box in the Select group box is
labelled Asset Classes and shows the asset class hierarchy. Make a
selection from the Asset Type drop-down list box. For each class to be
included in the report, select it and press the Add button. The classes
are added to the Report On list box. The report produced is of the
calculated impact values of the assets of each class
• if you select Assets, the list box in the Select group box is labelled
Assets. Make a selection from the Asset Type drop-down list box. The
assets of the type selected are displayed in the Assets list box. For
each asset to be included in the report, select it and press the Add
button. The assets are added to the Report On list box. The report
produced is of the calculated impact values of the assets selected.
3 When you have selected the assets to be included in the report, use the
Impacts drop-down list box to select the set of impacts to report on.
Choose one of:
• Unavailability
4 Use the Value Type drop-down list box to select the type of value which
you want the report to include: either Scale, that is 1 to 10, or Financial.
5 If you chose Scale in the Value Type list box, use the Value Level text box to
type in a scale value. Only impact values equal to or above this value will
be included in the report.
6 If you wish to remove an item from the report, select it in the Report on list
box and press the Remove button.
7 When you are satisfied that you have selected the content of the report
correctly, use the Output to controls to select the destination of your
report, then press the Generate Report button to produce the report.
3 Use the Report on Asset drop-down list box to select the asset for which
you want to perform the backtrack. Only assets of the type selected in the
Asset Type group box are displayed.
4 When you are satisfied that you have selected the content of the report
correctly, use the Output to controls to select the destination of your
report, then press the Generate Report button to produce the report. The
report will contain details of all the associated data and application
software asset valuations that led to asset values being associated with the
selected asset.
− completed the form through interviews with users and support staff
The first activity in Threat and Vulnerability Assessment is to define the threats that
require investigation.
Similar assets are gathered together into ‘asset groups’. This is so that threats can be
investigated against several assets at once, rather than individually.
The following steps are required to define the threat/asset combinations which will
be investigated during Stage 2:
♦ creation of asset groups
♦ maintenance of asset groups
♦ definition of threats to asset groups
♦ confirmation of the impacts that could result from the threats to assets.
These steps are described in the following sections.
You may also decide to delete some of the generated groups because you do not wish
to investigate threats to them.
or
5 Use the Asset Classes drop-down list box to select the type of asset which
you wish to add to the asset group. The assets of the type which have
been defined in the review are then displayed in the Assets list box.
6 Use the Assets list box to select an asset which you wish to add to the asset
group, and press the Add button. The name of the asset then appears in
the Group Members list box.
7 If you wish to remove an asset from the group, select it in the Group
Members list box and press the Remove button.
8 Use the Delete button to remove an asset group from the review. Do this
by selecting it from the Asset Groups drop-down list box and pressing the
Delete button.
Once created, you can review the components of asset groups by producing an Asset
Group Component Report. Do this as follows.
3 Select one or both of the check boxes in the Report Contents group box if
you want to include assets which have dependencies with the
components of the asset groups.
4 Use the Output to controls to select the destination of your report, then
press the Generate Report button to produce the report.
To create relationships between the threats and asset groups in the review:
Step
1 From the Identifying Threats to Asset Groups screen, choose Relate
Threats to Groups. The Relate Threats to Asset Groups screen is displayed,
as shown in Figure 8-57 and Figure 8-58.
2 For ease of use, CRAMM allows you to either relate a selected threat to
several asset groups (for example, the threat of fire to the computer room,
communications room and user accommodation) or several threats to a
selected asset group (for example, the threats of masquerading by
outsiders, masquerading by insiders and communications infiltration to
the ‘Order Entry’ end-user service).
3 Decide which of these two approaches is most convenient (you can mix
and match for different threats and asset groups) and select the
appropriate one of the two option buttons at the top of the window. The
fields in the window have different names depending on your choice, as
shown in Figures 7/4 and 7/5.
Figure 8-57 shows the screen if you select the Relate a Threat to One or More Asset
Groups option button.
Figure 8-58 shows the screen if you select the Relate an Asset Group to One or More
Threats option button.
3 Select the asset group from the Asset Group drop-down list box.
4 The Impact Applicability table has the following columns:
• Impact - lists all impacts
• Applicable - initially has the same setting as the Guide value of the
row.
− Security Officer/Manager
− Network Manager/Administrator
− Security Officer/Manager
− User Management
• technical failures:
− System Manager/Administrator
− Network Manager/Administrator
• human errors:
− System Manager/Administrator
− Network Manager/Administrator
− Development Manager
− User Management
• staff shortage:
− Personnel Manager.
2 Select the threat type from the Threat Type drop-down list box.
The table shows the current state of the threat/vulnerability analysis for
the chosen threat. This helps you to keep track of your progress in
completing the questionnaire and allows you to indicate to the software
when the questionnaire is complete. The section below describes how to
use this table.
3 Select the questionnaire you wish to complete by pressing the Threat...
button or the Vulnerability... button. This displays the Threat
Questionnaire or Vulnerability Questionnaire screen, depending on
which button you selected. Figure 8-63 shows the Threat Questionnaire
screen.
or
• select one or more rows in the table and double click on an answer in
the list box below the question. The Chosen Answer cell will be
changed to the letter for the chosen answer.
3 You can create, view or alter a comment which qualifies the chosen
answer for an asset group by selecting any field in the appropriate row
and pressing the Note button. A screen is then displayed into which you
can type or edit the comment. When you are satisfied with the comment,
press the OK button in this screen, and your description appears in the
Comments column. Alternatively, click in the Comments column, and a
small text box appears into which you can type text.
4 Use the Goto button if you want to move directly to a specific question.
The Go To Question screen is displayed, as shown in Figure 8-64.
Where necessary, questions should be considered as being in the future rather than
the present tense.
Vulnerability Rating   Guide
Low                    If an incident was to occur, there would be no more than a
                       33% chance of the worst case scenario (assessed during asset
                       valuation) being realised.
Medium                 If an incident was to occur, there would be a 33% to 66%
                       chance of the worst case scenario (assessed during asset
                       valuation) being realised.
High                   If an incident was to occur, there would be a higher than 66%
                       chance of the worst case scenario (assessed during asset
                       valuation) being realised.
Once ratings have been input, you can produce a Threat Vulnerability Assessment
Result Report, as described in section 8.15.
To set Threat and Vulnerability levels directly or override the levels calculated
from questionnaire answers:
Step
1 From the Assessing Threats and Vulnerabilities screen, choose Rapid
Risk Assessment option. The Rapid Risk Assessment screen is displayed,
as shown in Figure 8-65.
• the Impact (if specific) column shows the impacts for which specific
Threat and Vulnerability levels are calculated from the
questionnaire answers. If the entry in this column is blank, then
the levels shown in this row apply for all impacts applicable to
the threat and group, apart from those, if any, with specific rows
in this table
• use the Threat Level column to set an override threat level. Do this
by selecting the appropriate cell then selecting the required level
from its drop-down list box
The following figure shows a sample of the Threat and Vulnerability Summary
report:
• Environmental
• Physical
9. Risk analysis
9.1 Introduction
Method Concept: Asset values, threat levels and vulnerability levels combine
together to give measures of risks (or ‘security requirements’) which are then used to
select appropriate countermeasures.
The objective of risk analysis is to determine the level of requirement for security
relating to the system or network.
The topics covered in this section are:
♦ calculating measures of risks (section 9.2)
♦ reviewing measures of risks (section 9.3)
♦ carrying out a stage 2 backtrack (section 9.7)
♦ producing a Risk Analysis report (section 9.8)
♦ holding a Risk Analysis review meeting (section 9.9).
The Risk Analysis screen is shown below:
• If you have chosen to order the report by asset group select the
asset group you want to include from the Asset Groups combo
box, or select the All Asset Groups check box.
3 Use the Output to controls to select the destination of your report, then
press the Generate Report button to produce the report.
You should supply the Risk Analysis Report to the project board a week before the
meeting to allow them to consult and draw their conclusions. The focus of such a
report should be on the business issues and not on the numerical values that
CRAMM employs.
When reviewing asset values with management, it may be worth adopting a ‘risk
avoidance’ or ‘risk transfer’ strategy to reduce the asset values.
A ‘risk avoidance’ strategy involves avoiding the problem in the first place. For
example, it may be that only a few records in a database are considered to be highly
sensitive and the risk could be avoided by storing the sensitive records somewhere
else. This type of solution can be very effective and inexpensive, however it is often
only practical to implement if the system or network is still in the design stage.
A ‘risk transfer’ strategy reduces the requirements for security by transferring the
risks outside the organisation, or elsewhere within the organisation. For example, if
the management of a system or network was outsourced under a contract that
defined required service levels with penalties for non-compliance, certain risks may
be considered to have been transferred from the customer to the service provider.
Such a strategy may, of course, introduce additional risks that need to be managed,
such as failure of the service provider.
Formal minutes of the meeting should be made.
The review meeting should concentrate on agreeing on the major findings resulting
from the risk assessment, in particular the high or medium threat/vulnerability
ratings.
It is a management task to consider the accuracy and completeness of this
information and to justify any alteration necessary. Also, management must be
satisfied that all the information gathered so far is correct. (Correcting errors at this
stage is relatively quick and inexpensive, but becomes progressively slower and
more expensive as the review progresses through the Risk Management phase.)
The Risk Analysis phase of CRAMM dealt with establishing asset values and levels
of threat and vulnerability in order to determine the risks to the system or network.
Risk management is concerned with managing those risks. The objective of the
risk management phase is to identify an appropriate and justified set of security
countermeasure recommendations for the system or network under review.
The steps in Stage 3 are as follows.
• Identifying, from an extensive countermeasure library, those
countermeasures which meet the risks that have been assessed.
• Identifying countermeasures that are already installed or for which plans
to install already exist.
• Investigating the differences between the countermeasures recommended
by CRAMM and the countermeasures that are in place.
• Hardware
• Software
• Communications
• Procedural
• Physical
• Personnel
• Environment.
The countermeasure sub-groups contain detailed, but generic ‘countermeasure
descriptions’. Examples of these are shown in Table 8/1.
Countermeasures in each sub-group are arranged in a hierarchical structure, with all
countermeasures being assigned to one of three possible categories:
• category 1: security objectives - a high-level statement
• category 2: a detailed description of the security functions that help to
achieve the security objectives
• category 3: examples of how the functions can be implemented.
Countermeasures have the following numbering system. Numbering begins at 1 for
the first Category 1 countermeasure in each sub-group. Any Category 2
countermeasures that support that objective are numbered as 1.# (for example, 1.1).
Category 3 countermeasures that support the Category 2 countermeasures are
numbered as 1.#.# (for example 1.1.1).
Table 8/1 illustrates the structure of the countermeasure library. Some
countermeasures are alternatives to each other and are presented as such when
selected. The Security Level is the lowest Measure of Risk value which an asset must
have for a particular threat which will result in the countermeasure being selected to
protect the asset.
1. All users should be allocated an identifier (user id). (Security Level 1)
    1.1 The user id may be shared between a group of users
    or
    1.2 A register of service users should be maintained
1.7 Inactive accounts to be suspended (Security Level 5)
    1.7.1 All accounts that had not been used for more than 60 days should be
    suspended.
1.8 User IDs should not give any indication of the user’s privilege
    1.8.1 The User ID should not indicate the user’s job.
2. The system should maintain the clearances and authorisation granted to users.
(Security Level 7)
    2.1 Access to information should be consistent with user’s clearances and
    privileges.
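As an added example (not from the CRAMM User Guide or the CRAMM tool), the following Python code loads the Table 8/1 fragment into the Category 1/2/3 hierarchy implied by its numbering and applies the Security Level rule to pick the countermeasures put forward for an asset at a given Measure of Risk; the 1 to 7 Measure of Risk scale, the inheritance of a parent's Security Level where the fragment shows none, and the alt_group tag used to mark 1.1 and 1.2 as alternatives are assumptions made for this example.

```python
"""Countermeasure library structure and the Security Level selection rule.

Added example, not part of the CRAMM User Guide or the CRAMM tool. The
entries are the Table 8/1 fragment; the 1 to 7 Measure of Risk scale, the
inheritance of a parent's Security Level where the fragment shows none, and
the alt_group marking of 1.1/1.2 as alternatives are assumptions.
"""
from collections import namedtuple

# number: hierarchical id (1 = objective, 1.1 = function, 1.1.1 = example)
# level: Security Level shown for the row, or None where the fragment has none
# alt_group: shared tag for countermeasures that are alternatives to each other
Entry = namedtuple("Entry", "number text level alt_group")

LIBRARY = [
    Entry("1", "All users should be allocated an identifier (user id).", 1, None),
    Entry("1.1", "The user id may be shared between a group of users", None, "1.1/1.2"),
    Entry("1.2", "A register of service users should be maintained", None, "1.1/1.2"),
    Entry("1.7", "Inactive accounts to be suspended", 5, None),
    Entry("1.7.1", "All accounts that had not been used for more than 60 days "
                   "should be suspended.", None, None),
    Entry("1.8", "User IDs should not give any indication of the user's privilege",
          None, None),
    Entry("1.8.1", "The User ID should not indicate the user's job.", None, None),
    Entry("2", "The system should maintain the clearances and authorisation "
               "granted to users.", 7, None),
    Entry("2.1", "Access to information should be consistent with user's "
                 "clearances and privileges.", None, None),
]
BY_NUMBER = {e.number: e for e in LIBRARY}
MIN_RISK, MAX_RISK = 1, 7   # assumed Measure of Risk scale


def category(number):
    """Category 1 = security objective, 2 = function, 3 = implementation example."""
    return number.count(".") + 1


def parent(number):
    """'1.7.1' -> '1.7', '1.7' -> '1', '1' -> None."""
    return number.rsplit(".", 1)[0] if "." in number else None


def check_numbering(library=LIBRARY):
    """Every Category 2/3 entry must hang off an existing parent, and the
    sub-group's Category 1 numbering must start at 1."""
    numbers = {e.number for e in library}
    problems = [f"{e.number}: parent {parent(e.number)} missing"
                for e in library
                if parent(e.number) and parent(e.number) not in numbers]
    tops = sorted(int(e.number) for e in library if category(e.number) == 1)
    if tops and tops[0] != 1:
        problems.append("Category 1 numbering does not start at 1")
    return problems


def effective_level(number):
    """Security Level of an entry; inherited from its parent when not recorded
    (every Category 1 entry in the fragment carries its own level)."""
    entry = BY_NUMBER[number]
    if entry.level is not None:
        return entry.level
    return effective_level(parent(number))


def select(measure_of_risk):
    """Countermeasures put forward for an asset whose Measure of Risk for the
    relevant threat is `measure_of_risk`: every entry whose Security Level
    (the lowest measure that triggers it) is at or below that measure."""
    if not MIN_RISK <= measure_of_risk <= MAX_RISK:
        raise ValueError(f"measure of risk must be {MIN_RISK} to {MAX_RISK}")
    return [e.number for e in LIBRARY if effective_level(e.number) <= measure_of_risk]


def render(selected):
    """Indent by category and show 'or' between consecutive alternatives."""
    lines, previous_group = [], None
    for number in selected:
        entry = BY_NUMBER[number]
        indent = "    " * (category(number) - 1)
        if entry.alt_group and entry.alt_group == previous_group:
            lines.append(indent + "or")
        lines.append(f"{indent}{number} {entry.text} "
                     f"[Security Level {effective_level(number)}]")
        previous_group = entry.alt_group
    return "\n".join(lines)


if __name__ == "__main__":
    assert not check_numbering()
    for risk in (1, 5, 7):
        print(f"--- Measure of Risk {risk} ---")
        print(render(select(risk)))
```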
• Select the security aspect and category of the countermeasures you wish
to include in the report from the Security Aspect and Category drop-down
list boxes.
• Use the Output to controls to select the destination of the report, then
press the Generate Report button to produce the report.
You need to identify and record any countermeasures that are already in place. You
can do this either before or after you have derived the recommended
countermeasures from CRAMM. Do this as follows.
Talk to people who can provide information on installed countermeasures. Examples
of such people are:
• system manager/administrator
• network manager
• development manager
• operations manager
• user management
• accommodation officer
• personnel manager.
These people are often the same as those interviewed during the threat and
vulnerability assessment and so, if required, you can carry out this process at the
same time. If you decide to do this, you should prepare a pack for each interview that
contains the countermeasures to be examined during the interview. You can produce
this using the Countermeasure Library - Other Information report (see section 10.5).
You can use the countermeasure packs as check-lists, simply identifying which
countermeasures are in place and which are not.
Where a ‘high-level’ or rapid CRAMM review is being undertaken you may elect to
investigate only Category 1 countermeasures. However, because the Category 1
countermeasures are policy statements, it is often difficult to know whether a policy
is being achieved without examining which of the functions that support the policy
are actually in place. You may therefore wish to review the Category 2
countermeasures for selected sub-groups during a high-level or rapid review.
When discussing the countermeasures with the interviewee you need to record:
• the status of the countermeasure
• any comments that the interviewee makes about it, such as future plans that
could affect the countermeasure or weaknesses in the way it is currently
implemented.
There are three statuses that you can allocate to a countermeasure at this stage, as
follows:
• if an existing or planned countermeasure fully meets the requirements laid
out in the countermeasure description, record it as Installed. All
countermeasures that are currently installed should be recorded, not just
those which have been, or may be, recommended on the basis of the risk
analysis. This enables CRAMM to print a list of countermeasures currently in
place which could not be justified on the basis of the risks determined during
the risk analysis. Countermeasures of any of the three categories can be
marked as installed. In practice, the most important requirement is to know
that the security functionality has been provided, that is that Category 2
countermeasures have been investigated and marked accordingly. Category
3 countermeasures are examples and are normally only used if further
information is required on what is meant by a particular Category 2
countermeasure
• if the countermeasure is not installed, or if the current implementation of a
countermeasure is weak in some respect, record its status as Under Discussion
• if a countermeasure is not appropriate to the asset it has been recommended
for, record it as Not Applicable. For example, if the countermeasure ‘rotate
shifts’ is recommended for operators of a particular system, but there is only
one shift of operators, you should mark the countermeasure as Not Applicable.
Only do this when a countermeasure could not be applied, not just when it
would be difficult to implement.
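The numbering, category and Security Level rules of Table 8/1 and the three statuses described above, as an added Python model (not CRAMM's own code or data format): the library entries are transcribed from the table, while the Measure of Risk values, the recorded statuses and the function names are constructed for this illustration. It also produces the list of installed countermeasures that the risk analysis did not justify, which the text says CRAMM can print.

```python
"""Model of the countermeasure library structure and status recording
described above.
Added illustration, not CRAMM's own code or data format. Numbers, texts
and Security Levels are transcribed from Table 8/1 (entries shown without a
level carry None); Measure of Risk values and statuses are constructed.
"""
from dataclasses import dataclass
from typing import Optional

INSTALLED = "Installed"
UNDER_DISCUSSION = "Under Discussion"
NOT_APPLICABLE = "Not Applicable"
STATUSES = {INSTALLED, UNDER_DISCUSSION, NOT_APPLICABLE}


@dataclass(frozen=True)
class Countermeasure:
    number: str                           # "1", "1.7", "1.7.1"
    text: str
    security_level: Optional[int] = None  # lowest Measure of Risk that selects it
    alternatives: tuple = ()              # numbers presented as "or" alternatives

    @property
    def category(self) -> int:
        # Depth of the dotted number: "1" -> 1 (objective),
        # "1.7" -> 2 (function), "1.7.1" -> 3 (implementation example).
        return self.number.count(".") + 1

    @property
    def parent(self) -> Optional[str]:
        # "1.7.1" supports "1.7", which supports "1"; "1" has no parent.
        return self.number.rpartition(".")[0] or None


# Transcribed from Table 8/1, in library order (dicts keep insertion order).
LIBRARY = {cm.number: cm for cm in (
    Countermeasure("1", "All users should be allocated an identifier (user id).", 1),
    Countermeasure("1.1", "The user id may be shared between a group of users", 1, ("1.2",)),
    Countermeasure("1.2", "A register of service users should be maintained", 1, ("1.1",)),
    Countermeasure("1.7", "Inactive accounts to be suspended or", 5),
    Countermeasure("1.7.1", "All accounts that had not been used for more than 60 days should be suspended.", 5),
    Countermeasure("1.8", "User IDs should not give any indication of the user's privilege"),
    Countermeasure("1.8.1", "The User ID should not indicate the user's job."),
    Countermeasure("2", "The system should maintain the clearances and authorisation granted to users.", 7),
    Countermeasure("2.1", "Access to information should be consistent with user's clearances and privileges.", 7),
)}


def select_countermeasures(measure_of_risk: int) -> list:
    """Countermeasures recommended for one asset/threat pair: those whose
    Security Level does not exceed the asset's Measure of Risk for the threat.
    Entries with no level shown on the page are never selected here."""
    return [n for n, cm in LIBRARY.items()
            if cm.security_level is not None and cm.security_level <= measure_of_risk]


def record_status(statuses: dict, number: str, status: str) -> None:
    """Record the reviewer's status for a countermeasure of any category;
    only the three statuses the method allows are accepted."""
    if number not in LIBRARY:
        raise KeyError(f"unknown countermeasure {number}")
    if status not in STATUSES:
        raise ValueError(f"status must be one of {sorted(STATUSES)}")
    statuses[number] = status


def unjustified_installed(statuses: dict, recommended: set) -> list:
    """Installed countermeasures the risk analysis did not recommend: the
    list the text says CRAMM can print once every installed countermeasure
    has been recorded, not only the recommended ones."""
    return [n for n in LIBRARY if statuses.get(n) == INSTALLED and n not in recommended]


def objectives_without_investigated_functions(statuses: dict, recommended: set) -> list:
    """Recommended Category 1 objectives none of whose recommended Category 2
    functions has a status recorded yet: a review that stops at Category 1
    cannot tell whether such a policy statement is actually being achieved."""
    gaps = []
    for n in recommended:
        if LIBRARY[n].category != 1:
            continue
        functions = [f for f in recommended
                     if LIBRARY[f].category == 2 and LIBRARY[f].parent == n]
        if not any(f in statuses for f in functions):
            gaps.append(n)
    return sorted(gaps)


if __name__ == "__main__":
    recommended = set(select_countermeasures(5))  # constructed Measure of Risk of 5
    statuses = {}
    for number, status in (("1", INSTALLED), ("1.1", INSTALLED),
                           ("1.7", UNDER_DISCUSSION), ("2.1", INSTALLED)):
        record_status(statuses, number, status)
    print("recommended:", select_countermeasures(5))
    print("installed but not justified:", unjustified_installed(statuses, recommended))
    print("objectives needing Category 2 checks:",
          objectives_without_investigated_functions(statuses, recommended))
```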
Once all the interviews have been completed, check that you have covered all
appropriate countermeasure groups and gathered all the required information.
Enter the status of the countermeasures into the CRAMM software using any of
the three options shown on the Identifying Existing Countermeasure screen. The
reason for providing three options is to accommodate different ways of working:
• Enter Installed Countermeasure – By Countermeasures
This option allows you to see all of the assets for which a countermeasure
has been recommended, and to record the status of that countermeasure
with respect to those assets
• Enter Installed Countermeasure – By Asset
This option allows you to see all of the countermeasures in a sub-group
and the status of these countermeasures with respect to a particular asset
• high.
CRAMM cannot determine the exact cost of implementing any particular
countermeasure because this will vary according to the size and complexity of the
system or network under review. However, it does provide an estimate of the costs
associated with each countermeasure. It does this as follows:
• an estimate was made of the cost of installing the countermeasure for a
fictitious general purpose system, located on a single site, and supporting
approximately 50 users. Since capital and running costs can be difficult to
compare the cost is based on an estimate of the annualised cost of
implementing each of the countermeasures
• for countermeasures that involve capital expenditure, the costs were
assumed to be written off over five years. For countermeasures that
involve the expenditure of staff time, a £250 per diem rate was assumed
• the costs were then assigned on the following basis:
  low      £0 to £500
  medium   £500 to £2,000
  high     More than £2,000
If you want to record more accurate costs that apply directly to the system or
network under review, use the Maintain Countermeasure Costs screen (see section
10.10).
• physical security: HM Government users must ensure that they comply with
minimum baseline measures for physical security described in the Manual of
Protective Security (MPS). (These measures are described in chapter 3,
section 1 ‘Guide to Physical Security’ of the MPS Framework and Guide.)
This list is not comprehensive, but it does indicate the complexity of the decision
making process. It is part of the reviewer’s responsibility to consider all of the factors
that could influence the decision when making recommendations.
• Use the Output to controls to select the destination of your report, then
press the Generate Report button to produce the report.
If you selected the Perform Related Stage 2 Backtrack check box in step 6, a separate
report will be produced for the Stage 2 backtrack and each associated
backtrack.
The Stage 2 Backtrack Report screen appears for each associated report. You
should select the output for the report, or not perform the specific
backtrack as required. You can also abandon the backtrack sequence at
any point.
11. BS 7799
11.1 Introduction
Method Concept: The full title of BS 7799 is ‘BS 7799: Code of Practice for
Information Security Management.’ The standard is intended for use by managers
and employees who are responsible for initiating, implementing and maintaining
information security. One of the key requirements of BS 7799 is the need to
complete a risk assessment, so CRAMM is ideally placed to help
organisations demonstrate their compliance with the standard. CRAMM provides a
complete range of support for all of the BS 7799 tasks, including conducting a gap
analysis and preparing a statement of applicability.
CRAMM assists organisations in demonstrating their compliance with BS 7799. In
particular, it contains:
♦ ability to produce organisational information security policies, scope of
Information Security Management Structure (ISMS), security management
framework documents
♦ a fully worked through risk assessment with the results related directly to
the sections contained in BS 7799
♦ ability to record management’s views on the need for particular controls
♦ ability to record what resources deliver those controls
♦ facilities to help prepare a security improvement programme
♦ facilities to help prepare a statement of applicability
This section covers the following topics:
♦ steps in BS 7799 assignment (Section 11.3)
♦ initiating a BS 7799 assignment (Section 11.4)
♦ conducting a gap analysis (Section 5)
♦ preparing a security improvement program (Section 0)
♦ preparing a statement of applicability (Section 0)
♦ the role of CRAMM in supporting BS 7799 (Section 0)
8 The Existing Reviews text box lists the names of existing reviews which
you have created to enable you to select an appropriate, unique name for
the review.
9 When you are satisfied with the details for the review, press the Create
Review button. The Enter New Review Password screen is displayed, as
shown in Figure 6-20.
If you want to set up a password for the review, type it into the New
Password text box. The password can be up to eight characters long. Type
it again into the Confirm New Password text box and press the OK button.
If you do not want to set up a password, select the Do not password protect
check box.
10 A screen is displayed when the review is being created that contains a
mobile activity indicator and a Cancel button. When the review has been
created, the Main BS 7799 screen process flow screen is displayed.
11 If you decide not to create a new review after all, simply press the Close
button to return to the Review application window.
The right hand panel shows a graphical representation of all the steps involved in a
BS 7799 assignment and the status of each step. If a step has been marked as
complete, a green tick is shown next to the step; if it has yet to be marked as
complete, a red cross appears next to the step.
It is possible to navigate to each step in BS 7799 either by pressing the relevant button
to show the lower level steps, or by double clicking on a step in the status panel on
the right hand side of the Main BS 7799 Screen.
• The title of the most senior person in the organisation (e.g., chief
executive, permanent secretary).
Please Note: A royalty fee has been paid to BSI for the rights to reproduce
BS 7799 (Part II) in the CRAMM software. However, this only entitles the
user to use this material in conjunction with their use of the CRAMM
software. The report must not be further reproduced or distributed without
the written permission of BSI.
Once the BS 7799 Report has been printed, it can be used as the basis of a series of
interviews with members of the organisation’s staff to find out the current status of
the organisation against the standard.
The Print BS 7799 screen is shown below.
To Record an Action
Step
1 Type in a brief description of the action
2 Record the status of the action. Allowable statuses are:
• Not Assigned
• Assigned
• Underway
• Complete
• Under Review
3 If the person who is to carry out the action has already been defined,
select their name from the drop down list. If the person who is to carry
out the action has not been already defined type their name in, and you
will be prompted if you wish to create that person as a security resource.
4 Type in an estimate of how much effort will be required to complete the
action
5 Record any notes you wish about the action that you have just created
6 To save the action, click on the Save Action button. The Action form
remains open so that you can create further actions if you require.
[Figure: Business Continuity Management process flow. Stage 1, Initiation:
Initiate BCM. Stage 2, Requirements & Strategy: Business Impact Analysis, Risk
Assessment, Business Continuity Strategy. Stage 3, Implementation: Organisation
and Implementation Planning, Implement Stand-by Arrangements, Develop Business
Recovery Plans, Implement Risk Reduction Measures, Develop Procedures, Initial
Testing, Education and Awareness, Training. Stage 4, Operational Management:
Testing, Change Control, Review, Assurance.]
3 Investigate and record (on a separate piece of paper) any data assets that
must be recovered before the data asset in question, and the relative
priority of these.
4 Investigate and record (on a separate piece of paper) any application
software assets that must be recovered before the application software
asset that supports the data asset in question, and the relative priority of
these.
Once you have gathered your information, you need to enter it into the CRAMM
software. This is described in the section below.
• to create a new user group, press the New button and type the name
into the Name text box. Type the number of users in the user group in
the Number of Users text box
• to delete a user group, select it from the Name drop-down list box,
and press the Delete button. Note that a user group can only be
deleted if it has no relationship to a data asset. If any relationships
exist you must remove them using the controls in the User Details
group box in the Create and Maintain Data Recovery Details
screen, before deleting the user group (this is described in step 5).
5 The table in the User Details group box displays the user groups related to
the selected asset, and the maximum time period in which the asset must
be recovered for each group. You can do the following in this group box:
• to create a new relationship between a user group and the selected
asset, press the New button. The User Details screen is displayed, as
shown in Figure 12-119
6 Select a row in the User Details table and use the table in the Physical and
Software Assets Supporting Selected Data and Users group box to view, create
or edit the physical and software assets which support the data and user
group selected in the Data Asset drop-down list box and User Details table.
• type the number of assets into the Num Assets column in the table in
the Physical and Software Assets Supporting Selected Data and Users
group box in the Create and Maintain Data Recovery Details screen
• if the value entered into the Num Assets or Num Staff column
represents a resource which is shared with a different user group,
this can be indicated by typing an asterisk after the number. This will
be reproduced on the reports produced from this information.
• To remove an entry from the table, select the row and press the Delete
Support Asset button.
Once you have entered the information into the CRAMM software, you can produce
a range of reports. Section 12.5.3 describes how to do this.
• if you select Recovery Requirements for, select from the adjacent drop-
down list box:
− assets in a list
− assets in a group
− assets in a location
The name of the list box in the middle of the screen on the right changes
according to the selection you make. For each asset to be reported on,
select it and press the Add button. The assets are added to the Report
on list box.
3 If you wish to remove an item from the report, select it in the Report on list
box and press the Remove button.
4 When you are satisfied that you have selected the content of the report
correctly, use the Output to controls to select the destination of your
report, then press the Generate Report button to produce the report.
These reports show different views of the recovery objectives and minimum
requirements. They can be used in the costing and evaluation of recovery options for
contingency planning which are identified in the Risk Management Stage of
CRAMM.
• check that the option can support the minimum requirements and
dependencies that were identified in Stage 1.
To produce a report detailing the differences between the What If analysis and the
original review:
Step
• From the Stage 3 What If menu, choose Report. The What If Report screen
is displayed, as shown in Figure 15-130.
• The method recognises that effective control can only be achieved where
particular countermeasures are themselves supported by other
countermeasures. For example, when it is recommended that a task be
undertaken (a procedure), it may also be recommended that guidance is
drawn up (documentation) and possibly that staff be trained (personnel).
You should ensure that an appropriate mix of countermeasures from
different security aspects is implemented.
16.4 Tidying up
Method Concept: To allow changes to be modelled effectively, and to support
follow up reviews, the CRAMM database relating to the review and all supporting
paper and electronic documentation may need to be tidied up.
On completion of the CRAMM review you should ensure that all documentation is
tidy and accessible, and that all reference documents are clearly marked and stored
securely. A copy of both the review data and CRAMM software should be made and
stored with the reports, preferably at a separate location from the PC running the
CRAMM software.
5 The Backup Review to File screen is displayed for you to supply the
details of the file to which you want the back-up copy to be written. (This
is based on the standard Windows file browse screen.) The file will be
given the suffix .CRM.
6 A screen is displayed whilst the back-up is taking place that contains a
mobile activity indicator and a Cancel button.
Note that two files will be created by the back-up operation. Both will have the
filename supplied in step 6; one will have the suffix .CRM and the other will have the
suffix .CTL. If the review is undergoing a What If analysis, a further two files will be
produced with the suffixes .CRW and .CTW. All files must be present in the same
directory when the review is restored.
The following table summarises the types of files produced by the CRAMM Back-up
routine:
Extension   Contents of File
.CRM        This file holds the data entered during a CRAMM review
.CTL        This file holds control data about a particular review
.CRW        This file holds the data related to a What-if analysis performed on a CRAMM review
.CTW        This file holds the control data about a particular What if analysis
5 Select the appropriate option button to either copy the whole review or
indicate how you wish to select part of the review to copy. The option
buttons are:
− Copy Entire Review: copies the whole review
− Physical Assets and their Locations: displays a list of the physical assets
in the source review from which you can select those to copy to the
new review. This also copies the locations of those assets to the new
review
− Software and Data Assets: displays a list of the software and data
assets in the source review from which you can select those to copy
to the new review
6 You can further qualify the above copy actions by selecting the following
check boxes:
− Include Countermeasure Details: this copies details of countermeasures
installed for the assets copied to the new review
Note that only the given valuations of the assets are copied, not the
implied values calculated by the software. The latter must be recalculated
in the new review.
7 To add items to be copied to the new review, select from the list box in the
bottom right corner of the screen and press the Add button. This will add
the items selected to the Items to Copy list box. You can remove items from
the Items to Copy list box by selecting them and pressing the Remove
button.
8 When you are satisfied with the details you wish to copy, press the Copy
Items button.
9 You may copy as many reviews as you like before pressing the Close
button to return to the CRAMM System Administration window.
When a CRAMM review has been completed the CRAMM software contains a
complete database of the system or network reviewed. It holds valuable information
covering all aspects of the system or network components and the data it processes.
This information can be used for system configuration management, where changes
or development to the system or network can be logged along with any changes to
the security requirements or countermeasures. The CRAMM database can be
beneficial to both the business and security aspects of IT systems as well as providing
a central point for audit information.
♦ Windows 2000
A.3 Installing CRAMM
B. Glossary of terms
Term Definition
Application layer: The layer that provides means for the application processes to access the OSI environment.
    NOTE 1: This layer provides means for the application processes to exchange information and it contains the application-oriented protocols by which these processes communicate.
archive file: A file out of a collection of files set aside for later research or verification, for security or for any other purposes.
baseband LAN: A local area network in which data are encoded and are transmitted without modulation of carrier.
calling service user: A service user that initiates a request for the establishment of a connection.
check digit [check character]: A check key consisting of a single digit [character].
computer security feature: Hardware, firmware or software which are part of, or added to, a computer system to enhance overall security.
covert storage channel: A covert channel that involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process.
    NOTE: Covert storage channels typically involve a finite resource (for example, sectors on a disc) that is shared by two subjects at different security levels.
CSV format file: Comma Separated Values format file. A file containing values separated by commas.
cyclic redundancy check (CRC): A redundancy check in which the extra digits or characters are generated by a cyclic algorithm.
data link layer: The layer that provides services to transfer data between network layer *entities, usually in adjacent nodes.
    NOTE 1: The data link layer detects and possibly corrects errors that may occur in the physical layer.
data processing system security; computer system security: The technological and administrative safeguards established and applied to a data processing system to protect hardware, *software, and data from accidental or malicious modifications, destruction, or disclosure.
data protection: The implementation of appropriate administrative, technical or physical means to guard against the unauthorized interrogation and use of procedures and data.
Data Protection Act: The Data Protection Act (1998) is concerned with the protection of personal information.
data quality: The correctness, timeliness, accuracy, completeness, relevance, and accessibility that make data appropriate for their use.
data security: The protection of data from either accidental or unauthorized intentional modification, destruction, or disclosure.
data validation: A process used to determine if data are inaccurate, incomplete, or unreasonable.
    NOTE: Data validation may include format checks, completeness checks, check key tests, reasonableness checks and limit checks.
data-dependent protection: Application of protection to individual data elements but not uniformly to the entire file.
distance vector routing (DVR): Dynamic routing technique where a router builds its table from information obtained secondhand from tables advertised by adjacent routers. The routing information protocol (RIP) is based on distance vectors.
end open system: An open system that provides services directly to end users.
    Alternatively: An open system which is the source or the sink of the data for a given instance of communication.
    Reason: The phrase "end user" is ambiguous (if this phrase designates the operator before a terminal, the definition is not true).
end-of-file label; trailer label (EOF): An internal label that indicates the end of a file and that may contain data for use in file control.
    NOTE: An end-of-file label may include control totals for comparison with counts accumulated during processing.
end-of-volume label (EOV): An internal label that indicates the end of the data contained in a volume.
End User Service: A description of the type of service provided to the end user (where the end user can be either a human being or an automated process). Possible end-user services include electronic mail, application to application messaging, electronic document interchange, web browsing, ad-hoc file transfer, interactive session, batch processing, voice and video.
entity: In Open Systems Interconnection architecture, an active element within a subsystem.
    NOTE: Cooperation between entities in a layer is controlled by one or more protocols.
error control software: Software that monitors a computer system to detect, record and possibly to correct errors.
error recovery: The process of correcting or bypassing the effect of a fault to restore a computer system to a prescribed condition.
error-correcting code: An error-detecting code designed to allow for the automatic correction of certain types of errors.
ethernet frame: An ethernet frame is a set of digital pulses transmitted onto the transmission media in order to convey information.
evaluation: The detailed technical examination, by an appropriate authority, of the security aspects of a data processing system or network, or computer security product.
    NOTE 1: The evaluation investigates the presence of required security functionality, the absence of compromising side-effects from such functionality and assesses the incorruptibility of such functionality.
    NOTE 2: The evaluation determines the extent to which the security requirements of a data processing system or network, or the security claims of a computer security product, are satisfied and establishes the assurance level of the data processing system or network, or the computer security product’s trusted function.
expedited data unit: A short service data unit whose delivery to a peer entity in the destination open system is ensured before the delivery of any subsequent service data units sent on that connection.
file transfer, access and management (FTAM): An application service that enables user application processes to move files between end open systems and to manage and access a remote set of files, which may be distributed.
frame check sequence (FCS): The frame check sequence is used to ensure that the data received is actually the data sent.
functional security testing: The portion of security testing in which the advertised features of a system are tested for correct operation.
hypertext transfer protocol (http): Used to communicate between Web browsers and Web clients. Every request for information creates a single session which is terminated once that request has been completed.
internet control message protocol (ICMP): Supports the IP protocol rather than transmitting user data. Ping is an example, using ICMP to ensure that there is connectivity between two hosts.
LAN broadcast address; LAN global address: A LAN group address that identifies the set of all data stations on a local area network.
LAN multicast address: A LAN group address that identifies a subset of the data stations on a local area network.
    Alternatively: An attack on a system in which an unauthorised entity pretends to be an authorised one for the purpose of gaining access to system assets.
medium interface connector (MIC): In a local area network, the connector used to attach a data station to a trunk coupling unit, *trunk cable, or drop cable.
network file system (NFS): A system which allows file sharing over a network.
network layer: The layer that provides for the entities in the transport layer the means for transferring blocks of data, by routing and switching through the network between the open systems in which those entities reside.
    NOTE 1: The network layer may use relay open systems.
network news transfer protocol (NNTP): A service, similar to e-mail, enabling news rather than mail to be delivered to newsgroups.
peer entities: Entities in the same or different open systems that are in the same layer.
    NOTE: The communication between entities located in the same open system is outside the scope of OSI.
real open system: A real system that complies with the requirements of open systems interconnection standards in its communication with other real systems.
receiving service user: A service user that acts as a data sink during the data transfer phase of a connection or during a particular instance of connectionless-mode transmission.
residual risk: The portion of risk that remains after security measures have been applied.
routing information protocol (RIP): A routing protocol which takes into account the numbers of ‘hops’ taken for a packet to traverse a network. The basis of distance vector routing.
routing table: Routing tables tell the router which logical networks are available to deliver information to and which routers are capable of forwarding information to that network.
scavenging: Searching through residue for the purpose of unauthorised data acquisition.
security policy: The set of laws, rules and practices that regulate how information is managed, protected and distributed in a system or network.
    The set of criteria for the provision of security services. (ISO 7498-2/3.3.50)
    NOTE: A complete security policy will necessarily address many concerns which are outside of the scope of OSI.
sending service user: A service user that acts as a data source during the data transfer phase of a connection or during a particular instance of connectionless-mode transmission.
service data unit (SDU): A set of data that are sent by a user of the services of a given layer and that must be transmitted to the peer service user semantically unchanged.
simple network management protocol (SNMP): A service used to monitor and control network devices.
standby system: Any system, other than the normal one, which enables some continuation of work when the normal system has failed.
star property: A Bell-LaPadula security model rule allowing a subject write access to an object only if the security level of the subject is dominated by the security level of the object. Abbreviated *-property.
static routing: The simplest method of routing, generally used in IP networks, where a static route is defined in the routing table as the point leading to a specific network.
strength of mechanism: A measure of the effectiveness of a security mechanism to prevent a breach of the system security policy, assuming it has been correctly implemented.
Structured System Analysis and Design Method (SSADM): A structured system development method used widely both within UK government departments and commercially.
Security Operating Procedures (SyOPs): Documentation specifying the procedures that need to be carried out in order to ensure the security of a system.
sublayer: In the Open Systems Interconnection reference model, a conceptually complete group of services, functions, and protocols that may extend across all open systems and that is included in a layer.
system high security mode: A mode of operation in which ALL individuals with access to the data processing system or network are cleared to the highest classification level of information stored, processed or transmitted within the data processing system or network, but NOT ALL individuals with access to the data processing system or network have a common need-to-know for the information stored, processed or transmitted within the data processing system or network.
trusted function assurance level: The overall assurance level that is established for a trusted function of a system during the evaluation of the system.
virtual local area network (VLAN): Using switches, software enables virtual networks to be set up logically (work-group based) rather than geographically.
Volume (header) label, Volume header An internal label that identifies the volume and
indicates the beginning of its data.
C. Checklists
C.1 Stage 1 checklist
At the end of Stage 1 you will have done the following:
• obtained management authorisation and commitment to the review
• defined the overall project schedule
• established the boundary of the review
• entered the review boundary into CRAMM
• identified the data owners for interviewing
• created a Project Initiation Document (PID)
• obtained approval for the PID from management
• identified the physical assets
• identified the data assets
• identified the application software assets
• identified the locations
• modelled the interrelationships between the data, application software
and physical assets, and the locations
• printed the Data Asset Valuation forms
• interviewed appropriate staff using these forms
• entered the interview results into the CRAMM software
• if required:
− printed the Recovery Objectives form
− completed the form through interviews with users and support staff
D. Impact types
D.1 Introduction
CRAMM allows data assets to be valued against the following impacts:
• unavailability
• destruction
• disclosure
• modification.
These are described in section D.2.
P Physical destruction
15 M Unavailability - 15 minutes
1 Hr Unavailability - 1 hour
3 Hr Unavailability - 3 hours
12 Hr Unavailability - 12 hours
1 Dy Unavailability - 1 day
2 Dy Unavailability - 2 days
1W Unavailability - 1 week
2W Unavailability - 2 weeks
1M Unavailability - 1 month
2M Unavailability - 2 months
B Loss of data since last back-up
T Total loss of all data
I Unauthorised disclosure to insiders
C Unauthorised disclosure to contracted third parties
O Unauthorised disclosure to outsiders
S E/T Small-scale errors (for example, keying errors)/small-scale errors in
transmission
W E/T Widespread errors (for example, programming errors)/widespread
errors in transmission
D S/T Deliberate modification of stored data/deliberate modification of data
in transit
Or Repudiation of origin
Rc Repudiation of receipt
Nd Non-delivery
Rp Replay
Mr Mis-routing
Tm Traffic monitoring
Os Out-of-sequence
In Insertion of false message
E. Valuation guidelines
E.1 Introduction
The guidelines for the Official Profile are shown in Table E/1. Where a protective
marking (Restricted, Confidential, Secret or Top Secret) applies, it is indicated in
brackets. No such entry means that a protective marking is not justified or not
relevant.
Notes and examples on how to interpret the guidelines in specific circumstances are
provided in sections E.3 to E.14. Where examples are given, the numbers refer to the
numbers in the Asset Value column in Table E/1.
Issue 1.0
CRAMM User Guide
Personal safety
The unauthorised disclosure, modification or unavailability of information could
lead to the endangerment of personal safety. Examples are as follows:
• the unauthorised disclosure of the addresses of certain people could mean
that they are targeted by those who desire to cause them harm, whether
for political, grievance or other motives
• the unauthorised modification of information (for example associated with
manufacturing processes, travel movements and medical processes),
could mean the malfunctioning of equipment or incorrect decisions being
made, with resultant adverse effects on the safety or well-being of people
• the unavailability of information from some systems (again for example
associated with travel movements and medical processes), could result in
incorrect or late decisions, with resultant adverse effects on the safety or
well-being of people.
Examples
8 prejudice individual liberty: restrict the ability of persons to move around
freely, such as general police informants, and in some cases (other)
witnesses
9 seriously prejudice individual liberty: severely restrict the ability of persons
to move around freely, such as terrorist informants, witnesses to serious
crimes, and intelligence sources, particularly if a new identity were
disclosed.
In some circumstances this guideline will be related to the law enforcement
guideline.
Personal information
Many IT systems hold and process information about individuals, for example pay,
personnel appraisal and medical details. In such cases each person can readily be
identified.
It is morally and ethically correct, and in some circumstances legally required, that
information about people is protected against unauthorised disclosure. Such
disclosure could result in, at best, embarrassment and reduced self-esteem and, at
worst, adverse legal action (for example under the data protection legislation).
Equally it is required that information about people is always correct, as
unauthorised modification resulting in incorrect information could have effects
similar to those caused by unauthorised disclosure.
It is also important that information about people is not made unavailable or
destroyed, as this could result in incorrect decisions or no action by a required time,
with effects similar to those caused by unauthorised disclosure or modification.
Where an adverse impact is likely to result in an infringement of, for example, the
Data Protection Act, or other legal action, the legal guidelines for assigning values
must also be reviewed. Where an adverse impact could have implications for the
safety of an individual, the personal safety guidelines should be referenced.
Example
6 group of individuals: examples are individual pressure groups, charities or
groups of patients.
Notes
Within the guideline, distress can be taken to mean anger, frustration,
disappointment, embarrassment or concern.
− the Computer Misuse Act of 1990 (see also the law enforcement
guideline)
− the Copyright Designs and Patents Act of 1988 (see also the
commercial and economic interests guideline)
− the Police and Criminal Evidence Act of 1984 (see also the law
enforcement guideline)
− the Civil Evidence Act of 1968 (see also the law enforcement
guideline).
Law enforcement
If certain types of information were to be disclosed or modified without authority,
crime might be facilitated. Similarly, if certain types of information were to be
disclosed or modified, or to become unavailable, there could be an adverse impact on
the investigation or prosecution of a crime. For example, the unauthorised disclosure
of personal information could lead to blackmail attempts or terrorist targeting.
The disclosure of information during a criminal investigation could result in suspects
being forewarned. During prosecution, if evidence were tampered with, or altered
inadvertently through, for example, software malfunction, or became unavailable,
this could interfere with the course of a trial. The leakage of address details of key
witnesses could also affect the outcome of a trial.
Notes
1 The following is one definition of a serious crime, although there are
others:
“Conduct which constitutes... one or more offences shall be regarded as a
serious crime if and only if (a) it involves the use of violence, results in
substantial financial gain or is conducted by a large number of persons in
pursuit of a common purpose, or (b) the offence or one of the offences is
an offence for which a person who has attained the age of 21 and has no
previous conviction could reasonably be expected to be sentenced to
imprisonment for a term of three years or more”.
Public order
Information may be held by a government organisation which, if compromised,
could jeopardise public order. This may take the form of information relating to a
local scheme (such as a motorway expansion scheme) which if compromised may
result in localised protest, or information relating to a national policy (such as the
poll tax) which if compromised may cause widespread protest. Similarly,
information may be held which if made unavailable or altered may threaten public
order, for example information associated with benefits payments.
Examples
1 unauthorised disclosure of plans to close a local service, such as a post
office
3 unauthorised disclosure of proposals for a ‘travellers’ commune that
would considerably affect the surrounding area
6 unauthorised disclosure of plans for a motorway expansion scheme with
economic ramifications such as the compulsory purchase of property
7 unauthorised disclosure of proposals for pay freezes, or redundancies in a
nationalised industry
9 unauthorised disclosure of a proposal or report on a topic for which
national policies are in the formative stage and which is extremely
unlikely to be acceptable to the general public and/or is significantly
against public opinion, for example the introduction of a three day week,
or of a harsh tax/tax increases
10 unauthorised disclosure of initial reports that detail the potential
endangerment of the majority of the UK population, related to, for example, a
significant water pollution, toxic waste or nuclear incident, before the full
facts are made generally available, to the extent that there is public panic.
Notes
1 The reason that no protective marking is applicable to the descriptions for
asset values 1 to 7 and the first option for asset value 9 is that such actions
are legally permissible.
2 In some cases, when using this guideline, it will be necessary to cross-refer
to the policy and operations of the public service guideline.
International relations
A number of government organisations (particularly the FCO, the MOD and the DTI)
produce and handle information that concerns the UK’s dealings with, and
relationships to, the governments of other countries (both friendly and unfriendly)
and international organisations. The unauthorised disclosure of some types of
information could affect the UK’s relationships with one or more countries, or an
international organisation. Similarly, unauthorised modification of some types of
information (for example changing the meaning of a new policy) could have adverse
effects. Unavailability of some types of information (for example at critical stages of
negotiations) could affect the UK’s position.
Examples
7 caused by formal protest or other sanctions
9 when the potential consequences could be the withdrawal of ambassadors
10 extreme cases where the consequence could be ‘results in war’.
Defence
The UK’s Defence forces perform a number of roles. These can be summarised as the
protection and security at home and abroad of the UK, its dependent territories and
allies, and the promotion of the UK’s wider security interests through the
maintenance of international peace and stability. Thus, defence-related information
is concerned with the policy, direction, preparation, training and engagement of the
Services in fulfilment of these roles, including associated support activities.
Note that this guideline in particular should be used with great care, because so
much depends on the characteristics of each particular situation. For instance, the
corruption of a military communications system would have more serious
consequences in time of war than it would in peacetime.
Examples
The examples must be used with great care, because much depends on the particular
situation.
3 unauthorised disclosure of information concerning security force radio
communications
unauthorised disclosure of counter-terrorist measures at a military unit
7 unauthorised disclosure of plans for a peacekeeping mission
unauthorised disclosure of information on the whereabouts and types of
vehicles on an operation
unauthorised disclosure of information concerning a military
communications system
9 unauthorised disclosure of a military plan
loss of information on an operational IT command and control system
disruption of data on an IT system leading to a loss of re-supply
capability
10 unauthorised disclosure of plans for wartime operations
unauthorised disclosure of information concerning a nuclear weapons
facility
Loss of goodwill
The unauthorised disclosure or modification, or indeed unavailability, of
information, could lead to a loss of goodwill towards an organisation, with resultant
damage to its reputation, loss of credibility and other adverse consequences.
Note that this guideline has only an indirect relationship to the Protective Marking
Scheme and is not part of government national security policy. It should be used with
extreme care and only where the potential consequences of adverse impacts can be
fully justified.
F. Threats
F.1 Introduction
Table F/1 shows all the threats covered by CRAMM, and the standard impacts that
each of the threats can cause. A ‘1’ indicates that an impact could be caused by the
threat. A key to impacts is provided at the end of the table.
Table F/2 shows typical asset groups for each threat. You need to select the
threat/asset group combinations relevant to the review. In theory, any threat could
be linked to any asset group, since an asset group can contain any instance of an
asset or any combination of instances of assets.
Table F/1 Threats and the impacts they can cause (a ‘1’ marks an impact that the threat can cause)

Impact / Threat: Hardware Maintenance Error, Software Maintenance Error, User Error, Fire
Physical Destruction             1
Unavailability
  15 minutes                     1 1 1 1
  1 hour                         1 1 1 1
  3 hours                        1 1 1
  12 hours                       1 1 1
  1 day                          1 1
  2 days                         1
  1 week                         1
  2 weeks                        1
  1 month                        1
  2 months                       1
Loss of Data since last Back-up  1 1 1 1
Total Loss of all Data
Unauthorised Disclosure
  to Insiders                    1 1 1
  to CSPs                        1 1 1
  to Outsiders                   1 1 1
Small scale errors
  eg, keying errors              1 1
  in transmission                1 1
Widespread errors
  eg, programming errors         1
  in transmission                1
Deliberate Modification
  of Stored Data
  in Transmission
Repudiation of Origin
Repudiation of Receipt
Non-delivery                     1 1 1
Replay                           1
Mis-routing                      1 1
Traffic Monitoring
Out-of-Sequence                  1
Insertion of False Message

Impact / Threat: Water Damage, Natural Disaster, Staff Shortage, Theft by Insiders
Physical Destruction             1 1 1
Unavailability
  15 minutes                     1 1 1 1
  1 hour                         1 1 1 1
  3 hours                        1 1 1 1
  12 hours                       1 1 1 1
  1 day                          1 1 1 1
  2 days                         1 1 1 1
  1 week                         1 1 1 1
  2 weeks                        1
  1 month                        1
  2 months                       1
Loss of Data since last Back-up  1 1 1
Total Loss of all Data
Unauthorised Disclosure
  to Insiders                    1 1
  to CSPs                        1 1
  to Outsiders                   1 1
Small scale errors
  eg, keying errors
  in transmission
Widespread errors
  eg, programming errors
  in transmission
Deliberate Modification
  of Stored Data                 1
  in Transmission                1
Repudiation of Origin
Repudiation of Receipt
Non-delivery
Replay
Mis-routing
Traffic Monitoring
Out-of-Sequence
Insertion of False Message

Physical Destruction             1 1 1 1
Unavailability
  15 minutes                     1 1 1 1
  1 hour                         1 1 1 1
  3 hours                        1 1 1 1
  12 hours                       1 1 1 1
  1 day                          1 1 1 1
  2 days                         1 1 1 1
  1 week                         1 1 1 1
  2 weeks                        1
  1 month                        1
  2 months                       1
Loss of Data since last Back-up  1 1 1 1
Total Loss of all Data           1 1
Unauthorised Disclosure
  to Insiders                    1
  to CSPs                        1
  to Outsiders                   1
Small scale errors
  eg, keying errors
  in transmission
Widespread errors
  eg, programming errors
  in transmission
Deliberate Modification
  of Stored Data
  in Transmission
Repudiation of Origin
Repudiation of Receipt
Non-delivery
Replay
Mis-routing
Traffic Monitoring
Out-of-Sequence
Insertion of False Message
G. Risk matrix
G.1 Introduction
The measures of risk are calculated within CRAMM using the matrix shown in Table G/1.
Table G/1 Risk matrix: measure of risk (1 to 7) for each combination of asset value, threat level and vulnerability level

Threat         | Very Low        | Low             | Medium          | High            | Very High
Vulnerability  | LOW MEDIUM HIGH | LOW MEDIUM HIGH | LOW MEDIUM HIGH | LOW MEDIUM HIGH | LOW MEDIUM HIGH
Asset value    |                 |                 |                 |                 |
      1        |  1    1     1   |  1    1     1   |  1    1     2   |  1    2     2   |  2    2     3
      2        |  1    1     2   |  1    2     2   |  2    2     3   |  2    3     3   |  3    3     4
      3        |  1    2     2   |  2    2     3   |  2    3     3   |  3    3     4   |  3    4     4
      4        |  2    2     3   |  2    3     3   |  3    3     4   |  3    4     4   |  4    4     5
      5        |  2    3     3   |  3    3     4   |  3    4     4   |  4    4     5   |  4    5     5
      6        |  3    3     4   |  3    4     4   |  4    4     5   |  4    5     5   |  5    5     6
      7        |  3    4     4   |  4    4     5   |  4    5     5   |  5    5     6   |  5    6     6
      8        |  4    4     5   |  4    5     5   |  5    5     6   |  5    6     6   |  6    6     7
      9        |  4    5     5   |  5    5     6   |  5    6     6   |  6    6     7   |  7    7     7
     10        |  5    5     6   |  5    6     6   |  6    6     6   |  6    7     7   |  7    7     7
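The risk calculation that Annexes F and G describe (each threat can cause certain impacts; each impact has an asset value; the threat and vulnerability levels select a cell of Table G/1) can be carried through end to end. The following Python is an added worked example, not the CRAMM software or any code from the guide: it transcribes Table G/1, checks that the transcription is monotonic in all three inputs, and computes the per-impact and worst-case measures of risk for one asset group. The threat-to-impact pairings, asset values and threat/vulnerability levels are constructed for illustration and are not taken from Table F/1 or from any real review.

```python
from typing import Dict, Tuple

THREAT_LEVELS = ("Very Low", "Low", "Medium", "High", "Very High")
VULNERABILITY_LEVELS = ("Low", "Medium", "High")

# Table G/1, one row per asset value 1..10. Each row holds 15 cells ordered by
# threat level (outer) then vulnerability level (inner), as in the table.
RISK_MATRIX = (
    (1, 1, 1,  1, 1, 1,  1, 1, 2,  1, 2, 2,  2, 2, 3),   # asset value 1
    (1, 1, 2,  1, 2, 2,  2, 2, 3,  2, 3, 3,  3, 3, 4),   # 2
    (1, 2, 2,  2, 2, 3,  2, 3, 3,  3, 3, 4,  3, 4, 4),   # 3
    (2, 2, 3,  2, 3, 3,  3, 3, 4,  3, 4, 4,  4, 4, 5),   # 4
    (2, 3, 3,  3, 3, 4,  3, 4, 4,  4, 4, 5,  4, 5, 5),   # 5
    (3, 3, 4,  3, 4, 4,  4, 4, 5,  4, 5, 5,  5, 5, 6),   # 6
    (3, 4, 4,  4, 4, 5,  4, 5, 5,  5, 5, 6,  5, 6, 6),   # 7
    (4, 4, 5,  4, 5, 5,  5, 5, 6,  5, 6, 6,  6, 6, 7),   # 8
    (4, 5, 5,  5, 5, 6,  5, 6, 6,  6, 6, 7,  7, 7, 7),   # 9
    (5, 5, 6,  5, 6, 6,  6, 6, 6,  6, 7, 7,  7, 7, 7),   # 10
)


def measure_of_risk(asset_value: int, threat: str, vulnerability: str) -> int:
    """Look up Table G/1 and return the measure of risk (1..7)."""
    if not 1 <= asset_value <= 10:
        raise ValueError("asset value must be between 1 and 10")
    column = (THREAT_LEVELS.index(threat) * len(VULNERABILITY_LEVELS)
              + VULNERABILITY_LEVELS.index(vulnerability))
    return RISK_MATRIX[asset_value - 1][column]


def matrix_is_monotonic() -> bool:
    """Transcription check: the measure of risk must never fall when the asset
    value, the threat level or the vulnerability level rises."""
    n = len(VULNERABILITY_LEVELS)
    for r, row in enumerate(RISK_MATRIX):
        if len(row) != len(THREAT_LEVELS) * n:
            return False
        for c, value in enumerate(row):
            if r > 0 and value < RISK_MATRIX[r - 1][c]:   # higher asset value
                return False
            if c % n and value < row[c - 1]:              # higher vulnerability, same threat
                return False
            if c >= n and value < row[c - n]:             # higher threat, same vulnerability
                return False
    return True


# Constructed stand-in for a Table F/1 row set: the impact codes (Annex D)
# each threat can cause. Assumed for the example, not copied from the table.
THREAT_IMPACTS: Dict[str, Tuple[str, ...]] = {
    "Fire": ("P", "1 Hr", "1 Dy", "1W", "B"),
    "User Error": ("15 M", "B", "S E/T"),
}


def risk_profile(asset_values: Dict[str, int],
                 threat_assessments: Dict[str, Tuple[str, str]]) -> Dict[str, Dict[str, int]]:
    """For one asset group, the measure of risk for every impact each threat can cause.

    asset_values: impact code -> asset value (1..10) from the data asset valuation.
    threat_assessments: threat -> (threat level, vulnerability level).
    Impacts a threat can cause but that were not valued for this group are skipped.
    """
    profile: Dict[str, Dict[str, int]] = {}
    for threat, (threat_level, vuln_level) in threat_assessments.items():
        profile[threat] = {
            code: measure_of_risk(asset_values[code], threat_level, vuln_level)
            for code in THREAT_IMPACTS[threat] if code in asset_values
        }
    return profile


def highest_risks(profile: Dict[str, Dict[str, int]]) -> Dict[str, int]:
    """Worst-case measure of risk per threat, the figure that drives countermeasure selection."""
    return {threat: max(risks.values()) for threat, risks in profile.items() if risks}


# Constructed sample input for a single asset group.
SAMPLE_ASSET_VALUES = {"P": 6, "15 M": 2, "1 Hr": 3, "1 Dy": 5, "1W": 7, "B": 4, "S E/T": 3}
SAMPLE_THREATS = {"Fire": ("Low", "Medium"), "User Error": ("High", "High")}


def sample_profile() -> Dict[str, Dict[str, int]]:
    return risk_profile(SAMPLE_ASSET_VALUES, SAMPLE_THREATS)


if __name__ == "__main__":
    assert matrix_is_monotonic()
    for threat, risks in sample_profile().items():
        print(threat, risks, "worst:", max(risks.values()))
```

With the sample input, Fire at a Low threat level and Medium vulnerability yields measures of 4 for physical destruction, 2 for one hour's unavailability, 3 for one day, 4 for one week and 3 for loss of data since the last back-up, so its worst case is 4; User Error at High/High reaches 4 through loss of data since the last back-up and small-scale errors. The monotonic check is worth keeping in any tool that embeds the matrix, because a single mistyped cell would silently under- or over-state risk.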
Intrusion Detection
Intrusion Detection Software
Non-repudiation
Non-Repudiation
Data Confidentiality Over Networks
Policy on the use of cryptographic controls
Data Confidentiality Over Networks
Key Management
Regulations of Cryptographic Controls
Public Key Infrastructure
Registration
Key Generation
Key Storage
Certification
Certificate Revocation
Certificate Repository
Certificate Status Checking
Time-stamping
Notarisation
Network Access Controls
Application Authentication
Node Authentication
Mutual Authentication
Policy on use of Network Services
Segregation in Networks
Enforced Path
Remote Diagnostic Port Protection
Network Connection Control
Network Routing Control
Network Firewalls
Internet Firewalls
Publicly Available Systems
Network Management Traffic Control
Network Perimeter
Gateway/Firewall Policy and Procedures
Security of Routing Tables
Configuration of Gateways, Routers and
Bridges
Protecting Domain Name Servers
Physical Network Protection
Diagnostic and Control Equipment
Distribution and Termination Equipment
Protecting Cabling against Physical Damage
Message Security
Submission Acknowledgement
Message Origin Authentication
Delivery Checking
Security Policy for Electronic Mail
Electronic Commerce Security
Security Infrastructure
Outsourcing
Security Requirements in Third Party
Contracts
Data Protection Legislation
Data Protection Management Structure
Notification of Processing
Processing Compliance
Data Subjects Rights
Data Protection Awareness Training
Reviewing of personal data and register entry
Incident Handling
Security Incident Reporting
Security Weaknesses Reporting
Reporting Software Malfunctions
Learning from Incidents
Collection of Evidence
Compliance Checks
Identification of Applicable Legislation
Intellectual Property Rights (IPR)
Compliance Checks
Accounting
Audit
Object Re-use
Security Testing
Software Integrity
Mobile Computing and Teleworking
Software Distribution
System Input/Output Controls
Network Security Management
Network Access Controls
System Administration Controls
Application Input/Output Controls
Back-up of Data
Security Education and Training
Security Policy
Security Infrastructure
Data Protection Legislation
Incident Handling
Compliance Checks
Unauthorised Use of an Application
Identification and Authentication
Logical Access Control
Accounting
Audit
Security Testing
Software Integrity
Software Distribution
System Input/Output Controls
System Administration Controls
Application Input/Output Controls
Financial Accounting
Back-up of Data
Personnel
Security Education and Training
Security Policy
Security Infrastructure
Data Protection Legislation
Incident Handling
Compliance Checks
Introduction of Damaging or Disruptive Software
Identification and Authentication
Logical Access Control
Protection Against Malicious Software
Software Distribution
System Input/Output Controls
Physical Media Transportation
Back-up of Data
Incident Handling
Misuse of System Resources
Accounting
Audit
Content Scanning
Capacity Planning
Communications Infiltration
Theft by Insiders
Theft by Outsiders
Software Change Controls
System and Network Software Failure
Application Software Failure
Software Maintenance Error
Software Distribution
Masquerading of User Identity by Insiders
Masquerading of User Identity by Contracted Service Providers
Masquerading of User Identity by Outsiders
Unauthorised Use of an Application
Introduction of Damaging or Disruptive Software
System and Network Software Failure
Application Software Failure
Software Maintenance Error
System Input/Output Controls
Masquerading of User Identity by Insiders
Masquerading of User Identity by Contracted Service Providers
Masquerading of User Identity by Outsiders
Unauthorised Use of an Application
Introduction of Damaging or Disruptive Software
Network Security Management
Masquerading of User Identity by Outsiders
Communications Infiltration
Communications Interception
Communications Manipulation
Repudiation
Technical Failure of Network Service
Wilful Damage by Insiders
Wilful Damage by Outsiders
Content Scanning
Misuse of System Resources
Communications Infiltration
Customer Authorisation
Communications Infiltration
Vulnerability Analysis
Communications Infiltration
Communications Interception
Intrusion Detection
Communications Infiltration
Communications Manipulation
Non-repudiation
Repudiation
Accidental Mis-routing
Data Confidentiality Over Networks
Communications Interception
Public Key Infrastructure
Communications Interception
Communications Manipulation
Repudiation
Network Access Controls
Masquerading of User Identity by Insiders
Masquerading of User Identity by Contracted Service Providers
Natural Disaster
Wilful Damage by Insiders
Wilful Damage by Outsiders
Terrorism
Recovery Options for Media
Fire
Water Damage
Natural Disaster
Wilful Damage by Insiders
Wilful Damage by Outsiders
Terrorism
Business Continuity Planning
Communications Failure
Fire
Water Damage
Natural Disaster
Staff Shortage
Wilful Damage by Insiders
Wilful Damage by Outsiders
Terrorism
Back-up of Data
Masquerading of User Identity by Insiders
Masquerading of User Identity by Contracted Service Providers
Masquerading of User Identity by Outsiders
Unauthorised Use of an Application
Introduction of Damaging or Disruptive Software
Technical Failure of Host
Technical Failure of Storage Facility
Technical Failure of Network Distribution Component
Technical Failure of Network Gateway
Technical Failure of Network Management or Operation Host
Power Failure
System and Network Software Failure
Application Software Failure
Operations Error
Software Maintenance Error
User Error
Fire
Water Damage
Theft by Insiders
Theft by Outsiders
Wilful Damage by Insiders
Wilful Damage by Outsiders
Terrorism
Capacity Planning
Misuse of System Resources
Equipment Failure Protection
Technical Failure of Host
Technical Failure of Storage Facility
Technical Failure of Print Facility
Technical Failure of Network Distribution Component
Technical Failure of Network Gateway
Technical Failure of Network Management or Operation Host
Site / Building Physical Security
Theft by Outsiders
Wilful Damage by Outsiders
Terrorism
Accommodation Moves
Theft by Outsiders
Room / Zone Physical Security
Theft by Insiders
Theft by Outsiders
Wilful Damage by Insiders
Wilful Damage by Outsiders
Terrorism
Theft Protection
Theft by Insiders
Theft by Outsiders
Physical Equipment Protection
Theft by Insiders
Theft by Outsiders
Wilful Damage by Insiders
Wilful Damage by Outsiders
Terrorist / Extremist Warnings
Terrorism
Delivered Item (DI) Protection
Terrorism
Bomb Detection
Terrorism
Internal and External Bomb Protection
Terrorism
Fire Protection
Fire
Water Protection
Water Damage
Natural Disaster Protection
Natural Disaster
Power Protection
Power Failure
Environmental Protection
Air Conditioning Failure
Personnel
Masquerading of User Identity by Insiders
Masquerading of User Identity by Contracted Service Providers
Unauthorised Use of an Application
Theft by Insiders
Wilful Damage by Insiders
Security Education and Training
Masquerading of User Identity by Insiders
Masquerading of User Identity by Contracted Service Providers
Masquerading of User Identity by Outsiders
Unauthorised Use of an Application
Security Policy
Masquerading of User Identity by Insiders
Masquerading of User Identity by Contracted Service Providers
Masquerading of User Identity by Outsiders
L. CRAMM reports
L.1 Introduction
Table O/1 lists all the reports that can be produced using the CRAMM software. The
reports are grouped according to which Stage they are produced in, and each one has
a brief description of its purpose plus a reference to its description in this User Guide.