Crown Copyright
The CRAMM Risk Analysis and Management Method is
owned, administered and maintained by the Security Service
on behalf of the UK Government.
The intellectual property rights are protected by the
Controller of HMSO acting for and on behalf of the Crown.
Application for reproduction should be made to HMSO via
the Security Service at the address shown below.
Acknowledgements
CRAMM has been produced in consultation with the
Security Service and CESG, who are the UK Government
national security authorities.
Further information
Further information can be obtained from:
The CRAMM Manager
Insight Consulting
Churchfield House
5 The Quintet
Churchfield Road
Walton-on-Thames
Surrey, KT12 2TZ
Telephone: 01932-241000
TABLE OF CONTENTS
1. How to use the guide...............................................................................................................1-1
1.1 Copyright Notice..................................................................................................................1-1
1.2 Objectives of the guide ........................................................................................................1-1
1.3 Target audience ....................................................................................................................1-2
1.4 Structure of the guide ..........................................................................................................1-2
1.5 Conventions ..........................................................................................................................1-3
2. Introduction to CRAMM ........................................................................................................2-1
2.1 Introduction ..........................................................................................................................2-1
2.2 What is CRAMM? ................................................................................................................2-1
2.3 Background to CRAMM......................................................................................................2-1
2.4 What is new in CRAMM Version 5.0 and CRAMM Version 5.1...................................2-1
2.5 When CRAMM reviews should be conducted ................................................................2-3
2.6 The need for CRAMM .........................................................................................................2-3
2.7 The benefits of CRAMM......................................................................................................2-4
2.8 Standards and Source of Information ...............................................................................2-4
2.9 Section summary ..................................................................................................................2-5
3. Overview of risk analysis and management ......................................................................3-1
3.1 Introduction ..........................................................................................................................3-1
3.2 Risk analysis..........................................................................................................................3-1
3.3 Risk management.................................................................................................................3-2
3.4 Overview of CRAMM..........................................................................................................3-3
3.5 Post review ............................................................................................................................3-6
3.6 Section summary ..................................................................................................................3-7
4. Overview of BS 7799................................................................................................................4-1
4.1 Introduction to BS 7799 .......................................................................................................4-1
5. Using the CRAMM software .................................................................................................5-1
5.1 Introduction ..........................................................................................................................5-1
5.2 Installing CRAMM...............................................................................................................5-1
5.3 Initiating and exiting from the software ...........................................................................5-2
5.4 Creating a review .................................................................................................................5-3
5.5 Selecting a review.................................................................................................................5-5
5.6 Security for CRAMM data ..................................................................................................5-7
5.7 Window and screen design.................................................................................................5-8
5.8 Entering data.......................................................................................................................5-12
5.9 Navigating through the CRAMM software....................................................................5-16
5.10 Displaying the status of a review ................................................................................5-19
5.11 Browsing through a review's assets............................................................5-21
5.12 Using the keyboard .......................................................................................................5-22
5.13 Printing reports..............................................................................................................5-23
5.14 Structure of Screen in CRAMM...................................................................................5-25
5.15 Error messages...............................................................................................................5-31
5.16 Help .................................................................................................................................5-33
5.17 Section summary ...........................................................................................................5-34
6. Initiation ....................................................................................................................................6-1
6.1 Introduction ..........................................................................................................................6-1
6.2 The role of the reviewer.......................................................................................................6-1
6.3 Management and control of a CRAMM review...............................................................6-2
6.4 CRAMM Expert Opening Screen.......................................................................................6-4
6.5 Initiation Activities...............................................................................................................6-5
6.6 Gathering background information...................................................................................6-6
6.7 Identifying interviewees and scheduling interviews......................................................6-8
6.8 Section summary ................................................................................................................6-13
CRAMM and the CRAMM motif used on the cover of this publication are
Trademarks.
5 The Quintet
Churchfield Road
Walton-on-Thames
Surrey, KT12 2TZ
Tel: 01932-241000
Fax: 01932-244590
E-mail: cramm@insight.co.uk
Section 13, Security resources: describes how CRAMM can be used to record
how security is actually delivered
Section 14, What If scenarios: describes how to use CRAMM to support change
management or to model different system and security profiles
Section 15, Post review: describes how to close down a CRAMM review and
what to do when the review is complete
Section 16, CRAMM software administration facilities: describes how to carry
out software administration tasks such as taking backups and maintaining
the configuration of the system
Section 17, Further information about CRAMM: lists sources of further
information about CRAMM, such as publications, training and consultancy.
Annexes: provide detailed information to support the above sections.
Sections 6 to 14 describe how to use both the CRAMM method and the software that
supports the method.
1.5 Conventions
The following style and formatting conventions are used in this User Guide:
The reader is assumed to have the role of a CRAMM reviewer, and is
referred to as you throughout the Guide. Any other roles are named, for
example management.
Each section starts with an introduction, which lists the topics that are
covered, and ends with a summary of the section.
The sections covering the CRAMM Stages (sections 6 to 14) contain
descriptions of how to use both the method and the software to carry out
the tasks involved in each stage. For each task, there is a description of the
method, followed by instructions on how to use the software to carry out
the task. The start of the software description is indicated by an
instruction such as the following: to create new data assets or modify
existing data assets:
In the sections covering the CRAMM Stages, each sub-section starts with a
method concept. This describes the basic concepts behind each particular
part of the CRAMM method. They are preceded by the heading Method
Concept.
Where a task consists of a series of steps that must be carried out in order, a
numbered list of steps is used. For other lists of items, or for tasks that can be
carried out in any order, a bulleted list is used.
Bold formatting is used to highlight important points and, in the sections
describing the software tool, for menu and screen names.
Italic formatting is used to highlight items where less emphasis than bold
formatting is required, for example the names of reports or parts of screens. It
is also used, in the sections describing the software tool, for options that you
choose from menus, and parts of the CRAMM screens, such as text boxes, list
boxes, buttons and tables. Examples of these formatting conventions are:
from the Modelling the System screen, choose Identification of Data
Assets. The Create and Maintain Data Assets screen is displayed
Keyboard keys that you need to use are enclosed within angle brackets, for
example <Alt> and <Tab>.
Diagrams and tables are numbered in sequence within each section, and have
captions in italic, for example
2. Introduction to CRAMM
2.1 Introduction
This section covers the following topics:
what is CRAMM
the background to CRAMM
what is new in CRAMM Version 5.0 and Version 5.1
when CRAMM reviews should be conducted
the need for and benefits of CRAMM
the standards that CRAMM complies with.
2.4 What is new in CRAMM Version 5.0 and CRAMM Version 5.1
Version 5.0 of CRAMM is a significant upgrade to both the method and the software
support tool. The key features of this new version are:
Introduction of CRAMM Express
Support for BS 7799 (Part 2): 2002
Enhanced coverage of Voice and Wireless LAN security issues.
2.4.2 CRAMM Version 5.1 Support for BS 7799 (Part 2): 2005
BSI updated BS7799:Part 2 and released this as BS7799/2005 (ISO27001) in October
2005. The new international version of the standard clarifies and strengthens the
requirements of the original British standard, and includes changes to the following
areas:
Risk assessment
Contractual obligations
Scope
Management decisions
Measuring the effectiveness of selected controls
software assets
errors by individuals
technical failures.
Analysis
Risks
Management
Countermeasures
3.4.1 Stage 1
Stage 1 consists of the following tasks:
preparing a functional description of the system or project and agreeing with
management the boundary of the review
identifying the data, software and physical assets within the scope of the
review and creating an asset model
valuing data assets in terms of the business impacts that could result if they
were disclosed, modified, destroyed or made unavailable in an unauthorised
or unexpected manner. Interviews are held with appropriate members of the
user community, who may be the formal data owners if such an approach is
in existence. CRAMM contains forms to help you structure the interview and
the scenarios described by the interviewee are evaluated against the
guidelines contained in this User Guide
3.4.2 Stage 2
Stage 2 of CRAMM investigates the threats and vulnerabilities to the system or
network. It consists of the following tasks:
identifying the threats that require investigation in relation to particular
assets
assessing the level of each threat (the likelihood of it occurring)
assessing the extent of vulnerability to each threat (the likelihood of damage
or loss combined with the impact that this would cause)
calculating the risks to the organisation caused by the threats to the system or
network (based on the asset valuation, threat assessment and vulnerability
assessment).
Threats and vulnerabilities are assessed using questionnaires produced by the
software tool. The questionnaires contain detailed questions to which a choice of
possible answers is given. As far as possible, existing countermeasures are ignored
during this exercise so that no incorrect assumptions are made as to their
effectiveness.
The calculation of risks is performed by the software tool using the risk matrix
included at Annex H.
3.4.3 Stage 3
Stage 3 of CRAMM is concerned with selecting the appropriate countermeasures to
manage the risks identified in Stage 2. It consists of the following tasks:
identifying countermeasures to address the risks calculated in Stage 2. The
software tool does this
where some countermeasures are already in place, comparing them with
those generated by CRAMM to identify areas of weakness or over-protection
developing recommendations on suitable countermeasures for the system or
network. The software tool can place countermeasures into a suggested
priority list.
The introduction of new countermeasures or changes to existing countermeasures
may have implications in terms of cost, management and staff time, and the
acceptability, usability and ultimately business benefit of the system. You should
therefore discuss countermeasure recommendations with management. Options are
available in the software tool to extract reports and to backtrack to justify the
selection of a recommended countermeasure.
A CRAMM review does not include any detailed review of the effective operation of
countermeasures. Whilst this is an important task, it should be performed as a
separate exercise.
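The Stage 2 risk calculation (asset value, threat level and vulnerability level combined through a lookup matrix) and the Stage 3 tasks (generating countermeasures, comparing them with those already in place, and producing a priority list) are described above in prose only. The following is an added worked example, not code or data from CRAMM or the User Guide: the base-risk matrix, the 1 to 7 measure-of-risk scale, the asset-value banding and the countermeasure catalogue are all constructed for illustration and are not the Annex H matrix or the CRAMM countermeasure library.

```python
"""Added worked example (not CRAMM's own code or data): a Stage 2 risk
calculation by table lookup, followed by the Stage 3 comparison of
recommended countermeasures against those already in place.

Every table here is CONSTRUCTED for illustration. The real CRAMM risk matrix
is the one at Annex H of the User Guide, and the countermeasure catalogue is
a hypothetical sample, not the CRAMM countermeasure library."""

from dataclasses import dataclass

THREAT_LEVELS = ("very low", "low", "medium", "high", "very high")
VULNERABILITY_LEVELS = ("low", "medium", "high")

# Constructed base-risk matrix: rows are threat level, columns vulnerability level.
BASE_RISK = {
    "very low":  {"low": 1, "medium": 1, "high": 2},
    "low":       {"low": 1, "medium": 2, "high": 3},
    "medium":    {"low": 2, "medium": 3, "high": 4},
    "high":      {"low": 3, "medium": 4, "high": 5},
    "very high": {"low": 4, "medium": 5, "high": 5},
}


def value_band(asset_value: int) -> int:
    """Collapse a 1..10 asset valuation into a 0/1/2 adjustment (constructed)."""
    if not 1 <= asset_value <= 10:
        raise ValueError("asset value must be between 1 and 10")
    return 0 if asset_value <= 3 else 1 if asset_value <= 6 else 2


def measure_of_risk(asset_value: int, threat: str, vulnerability: str) -> int:
    """Combine the three Stage 2 inputs into a single measure of risk (1..7).

    The lookup is the matrix above plus the asset-value band, capped at 7;
    the 1..7 scale is an assumption made for this example."""
    if threat not in THREAT_LEVELS or vulnerability not in VULNERABILITY_LEVELS:
        raise ValueError(f"unknown threat/vulnerability level: {threat!r}/{vulnerability!r}")
    return min(7, BASE_RISK[threat][vulnerability] + value_band(asset_value))


@dataclass(frozen=True)
class Countermeasure:
    name: str
    min_risk: int  # recommended once the measure of risk reaches this value


# Hypothetical catalogue; names and thresholds are constructed.
CATALOGUE = (
    Countermeasure("Access control list on database", 2),
    Countermeasure("Encrypted off-site backups", 4),
    Countermeasure("Network intrusion detection", 5),
    Countermeasure("Hardware security module for keys", 7),
)


def recommended_countermeasures(risk: int) -> list:
    """Stage 3, first task: the countermeasures the catalogue calls for at this risk."""
    return [c.name for c in CATALOGUE if c.min_risk <= risk]


def gap_analysis(risk: int, installed: set) -> dict:
    """Stage 3, second task: compare what is in place with what is recommended.

    A recommended countermeasure that is missing is a weakness; an installed
    countermeasure the risk level does not call for is flagged as possible
    over-protection (anything outside the catalogue also lands there, so a
    reviewer still has to look at it)."""
    recommended = recommended_countermeasures(risk)
    return {
        "recommended": recommended,
        "weaknesses": [n for n in recommended if n not in installed],
        "over_protection": sorted(n for n in installed if n not in recommended),
    }


def prioritised(assessments: list) -> list:
    """Stage 3, third task: order assets by measure of risk, highest first.

    `assessments` holds (asset name, asset value, threat level, vulnerability level)."""
    scored = [(name, measure_of_risk(v, t, vu)) for name, v, t, vu in assessments]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample review data.
SAMPLE_ASSESSMENTS = [
    ("Customer database", 8, "high", "high"),
    ("Public web pages", 2, "very low", "low"),
    ("Payroll files", 5, "medium", "medium"),
]

if __name__ == "__main__":
    for name, risk in prioritised(SAMPLE_ASSESSMENTS):
        print(f"{name:20s} measure of risk = {risk}")
    print(gap_analysis(7, {"Access control list on database",
                           "Network intrusion detection",
                           "Hardware security module for keys"}))
```

The point of separating `measure_of_risk` from `gap_analysis` is the one the text makes: existing countermeasures are deliberately left out of the Stage 2 calculation, and are only brought in at Stage 3 when the recommended set is compared with what is installed. The "over_protection" list is a prompt for a management discussion, not an instruction to remove anything.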
Stage 2 Reports:
Summary of the Threat and Vulnerability Assessment: shows the threat
and vulnerability ratings relating to the system or network
Stage 3 Reports:
Recommended Countermeasures Report: describes the countermeasures
that have been generated by CRAMM in response to the risk
assessment
4. Overview of BS 7799
4.1 Introduction to BS 7799
The standard is intended for use by managers and employees who are responsible for
initiating, implementing and maintaining information security. It is intended that the
standard should provide a comprehensive set of controls setting out the best
information security practices in current use. The guidance is intended to serve as a
single reference point for identifying the range of controls needed for most situations
where information systems are used and therefore can be applied to a wide range of
organisations, large, medium or small.
With increasing electronic networking between organisations there is a clear benefit
in having a common reference document for information security management. It
enables mutual trust to be established between the different organisations and
provides a basis for management of these systems between users and service
providers.
Not all of the controls described in BS 7799 will be relevant to every situation. It
cannot take account of local system, environmental or technical constraints or be
presented in a form that suits every potential user in an organisation. Consequently
the controls need to be reviewed in order to identify their applicability to the specific
environment under review.
The standard does not purport to include all the necessary provisions of a contract.
Users of the standard are warned that they are responsible for its correct application.
Compliance with a British Standard does not of itself confer immunity from legal
obligations.
The following diagram shows the steps involved in complying with BS 7799 (as
defined in BS 7799 Part II). Only the steps, with their inputs and outputs, are
recoverable from the diagram:
Step 3 Undertake a risk assessment: inputs are the information assets, threats,
vulnerabilities and impacts; the output is the risk assessment results and
conclusions.
Step 4 Manage the risk: inputs are the organisation's approach to risk
management and the degree of assurance required; the output is the selected
control options.
Step 5 Select control objectives and controls: inputs are the BS 7799 control
objectives and controls, and additional controls not in BS 7799; the output is
the selected control objectives and controls to be implemented.
Step 6 Prepare a statement of applicability: the output is the statement of
applicability.
You can uninstall the CRAMM software using the add/remove programs option from
the Control Panel. You will need to uninstall the Centura component of the
CRAMM software and the Access component of the CRAMM software separately.
Once you have removed all these components you will find that the CRAMM51
directory still remains because the uninstall program will not delete the Access
databases that contain some of the information you entered during the review. If you
no longer require these databases it is safe to delete the CRAMM v51 Access
Database directory.
CRAMM Express
BS 7799
Each of these types of review provides different functions which are capable of
supporting a user's needs to produce different security deliverables.
An overview of CRAMM Expert can be found in Section 2.2.
An overview of BS 7799 can be found in Section 4.
An overview of CRAMM Express can be found in Section 12.
To create a review from scratch:
Step
1 Open the Review application by double-clicking on the CRAMM 5.1 icon.
Once you have entered the tool password (as described in section 5.6), the
Review application window is displayed, as shown in Figure 5-10.
2 From the Review menu, choose New. The Create Review screen is
displayed, as shown in Figure 5-5.
You cannot have two reviews open at the same time - before opening a new review,
you need to close the current one.
on the type of dongle) before attempting to run the software. Removing the dongle
during CRAMM operation will cause the CRAMM software to terminate.
Additional protection
Where additional protection is required, you should consider using removable media
or storing the PC containing review information in a secure cabinet. Where this is not
possible, an alternative is to use hardware encryption of the information. Further
advice can be obtained from your CRAMM supplier.
CRAMM also provides sensitivity markings on all hardcopy output. The sensitivity
marking for a review is defined when you create a review, using the Protective
Marking field in the Create Review screen (see section 5.4). You can change the
marking for an existing review using the Protective Marking field in the Maintain
Review Textual Information screen (see section 19.2).
Backup of data
The data should also be regularly backed up to removable media and the backups
stored in a location separate from that housing the PC. If a power failure or other
incident occurs whilst using the software, it should not be necessary to restore from a
back-up unless the contents of the hard disk have been lost, as the software has in-
built recovery features that will handle most interruptions to processing.
Figure callouts: status line, Title Bar, Group Box, Option Button, Buttons.
drop-down list box: this appears initially as a text box (see below) which
displays the current selection, or is blank if nothing is currently selected.
When you select the down arrow at the right of the box, a list of choices
appears. If there are more items than can fit in the box, vertical scroll bars are
provided. An example on this screen is the Countermeasure Set drop-down list
box
text box: this is a rectangular box into which you can type information. In
some cases, it has an associated drop-down list box (see above). You type
and edit text in a text box using the standard Windows keys and key
combinations. Different text boxes require different input from you: free text,
multi-line free text, a name or a numeric value, depending on the screen.
Your input is validated by the software, and an error message is displayed if
you enter the wrong type of information.
group box: this is a box that groups together related fields. An example on this
screen is the Select group box. The fields within this group box are used to
select the type of report to be generated
button: this is a rectangular item that you press (click with the mouse) to
carry out an action. An example on this screen is the Preview Report button
(which looks like a magnifying glass).
dialog box: this is a box that appears when you need to supply additional
information to carry out a task. An example on this screen is the Save Report
As dialog box which opens when you press the Specify File button.
option buttons: these are a group of buttons that are mutually exclusive. You
can select only one option at a time; if you already have an option selected, it
is replaced by your new selection. Examples of option buttons in this screen
are those contained in the Report Type group box.
Fields in a screen that are not available for you to use are shown in grey. Examples in
Figure 5-11 are the Assets and Status flag groups when the Security Checklist option
is selected.
Figure 5-12 shows part of another screen, the Countermeasure Assessment Reports
screen. This illustrates the use of check boxes.
Most screens only allow you to select one item at a time. However, a few screens do
allow you to select more than one item. Do this as follows:
Step
1 if necessary, use the scroll bars to bring the required items into view
2 click on each item to select it
3 to deselect a selected item, click on it again.
You can select several rows at once in tables with a Set Many button. Do this as
follows:
to select several adjacent rows:
using the mouse, select the first row and drag the mouse over the
other rows that you wish to select
or
select the first row, then hold down the <Shift> key and use the up or
down arrow key to move to the last row you wish to select - this will
select all of the rows that you move through
or
select the first row, then hold down the <Ctrl> key and use the up or
down arrow key to move to the second row you wish to select - press
the <Spacebar> to select the second row
to move forwards through the cells in a table, use the <Tab> key. To move
backwards, hold down the <Shift> key and press the <Tab> key.
Alternatively, use the mouse to click in the cell that you require.
To expand the display to see lower levels, double-click on the class that you wish to
expand, or select the class and press the <+> key on the keyboard number pad. There
may be more than one level of branch class. Leaf classes are indicated by white
diamonds. Double clicking on a leaf class will cause the class to be added to the
classification of the asset shown at the time. It is also possible to add a class by
dragging and dropping the class from the class selection list into the Assets Class
box.
To collapse the display again, double-click on the branch class that you wish to
collapse or select it and press the <-> key on the keyboard number pad. You can
collapse to the top level by double-clicking on the trunk class at the top of the list
box. All lower classes disappear from the display. Double-click again on the trunk
class, and the display is returned to showing only the trunk and branch classes.
5.8.6 Note screens
Some screens contain a Note button which, when pressed, opens a Note screen. An
example of a Note button is shown in Figure 5-13. In most cases double clicking a
field where the note can be entered will cause the note screen to be automatically
displayed.
Note screens contain a text box into which you can type descriptive text about an
asset, and four editing buttons - Cut, Copy, Paste and Undo. There are also OK and
Cancel buttons.
Before you type any text into the note screen, the Note button is marked as Empty.
Once you have entered some text, this changes to Note, to let you know that a
comment has been written about the asset. You can edit the text as often as you like.
This opening screen shows the basic steps in completing a Risk Assessment, and the
order in which the steps need to be completed. Note: the Identification and
Valuation of Assets are shown to run in parallel with Threat and Vulnerability
Assessment but both tasks need to be completed before it is possible to carry out the
activities in the risk analysis stage.
Selecting any of the options will show how each of these tasks is divided up into
further sub-tasks. The complete list of all of the forms contained in CRAMM is
shown in Section 5.14.
The process flow style can also show where a task is optional. For example the
following diagram shows that completing the contingency planning aspects of the
CRAMM review is optional.
Step
1 In the CRAMM 5.1 application, from the Review menu choose Review
Status. The Review Status screen is displayed, as shown in Figure 5-20.
information given in the system error message, along with the CRAMM function
being executed when the error occurred.
If you have a problem with either the method or the software, you need to contact
your CRAMM supplier or CRAMM support desk. You should provide them with the
following information:
the date and time of failure
the version number of the software (which you can find by choosing About
CRAMM from the Help menu)
the nature of the problem, including:
error messages
data peculiarities
5.16 Help
CRAMM's help facilities are available to you at any stage of a review to provide
context-specific help or more general information. If this is insufficient, contact your
CRAMM supplier for further information.
To obtain help on CRAMM from within Windows:
double click on the CRAMM Help file found in both c:\program files\cramm
50 directory and the c:\programme files\cramm v5 access database.
To obtain help on CRAMM from within the CRAMM software:
choose Contents or Search from the Help menu. These are standard Windows
Help facilities
within Contents there is an item, Process View. If you choose this item, a top-
level process diagram of the CRAMM method is displayed. If you double
click on one of the process boxes, a diagram of the sub-processes of that
process is displayed. You can double click on process boxes to see lower and
lower levels of process flow until you reach a process which has no sub-
processes. At this point you are shown the description of the process
CRAMM also provides context-sensitive help for each CRAMM screen. To
use this, press the <F1> function key in the screen on which you want help. A
CRAMM help screen appears containing software help for the currently
displayed screen. At the top of this help screen is a hotspot (some text in a
different colour) that, when selected, displays a screen containing method
help for the currently displayed CRAMM screen.
6. Initiation
6.1 Introduction
CRAMM is a comprehensive method that can be used to tackle a variety of security
related problems. Being comprehensive, however, can cause problems. If clearly
defined objectives are not set, time may be wasted investigating areas that are of little
or no interest to management, or alternatively the review may not explore crucial
areas in sufficient detail.
It is therefore essential that when setting up a CRAMM review, management clearly
defines its objectives and the required scope and deliverables from the review. You
will then be in a strong position to plan the review accurately.
This section covers the following topics:
the role of the reviewer (section 6.2)
management and control of a CRAMM review (section 6.3)
creating, selecting and closing a review (sections 5.4 and 5.5)
gathering background information on the review (section 6.6)
identifying interviewees and scheduling interviews (section 6.7).
Risk Analysis
Risk Management
Each of these steps will be broken down into further steps in later sections.
The following diagram depicts the steps involved in gathering that information.
3 Select the option button for the description you wish to create or edit. If
you have already created the description it will be displayed in the
Description Text text box, otherwise this will be blank. You can type into
the Description Text text box and use the Cut, Copy, Paste and Undo buttons
to create and edit the description.
4 If you wish to produce a report on the background information, press the
Background Information Report button. The Review Information Report
screen is displayed, as shown in Figure 6-26.
The ideal data owner is someone with day-to-day responsibility for overseeing the
work of a particular business function and who is able to describe accurately the
consequences should the data be either:
unavailable
destroyed
disclosed or
modified.
Support personnel
Information on the threats, vulnerabilities and countermeasures relating to physical
and software assets and specific locations can usually be obtained from the following
support personnel:
hardware: System Administrator, Operations Manager, or Network
Administrator
application software: Application Programming or Application Support
Manager
communications: Network Administrator
physical and environmental systems and services: Accommodation Officer or
Operations Manager.
It may prove useful to send a briefing note to the interviewees prior to the interview,
to outline the terms of reference of the review, explain the purpose of the interview
and detail any preparation that may be required.
Once you have decided who is to be interviewed, you need to input this information
into the CRAMM software.
To create or edit the names of the people carrying out the interviews:
Step
1 Select the Interviewers option button.
2 The names of the interviewers already defined will be displayed in the
Interviewer Name table.
3 To add a new interviewer, press the New button, then type the name into
the row added to the end of the table. You can only add one name per
row.
4 To remove an interviewer, select the appropriate row in the table and
press the Delete button.
5 To edit the name of an interviewer, select the appropriate row in the table
and type in the alterations.
To create or edit the names of the people who will be interviewed to supply
valuation details of data and application software assets:
Step
1 Select the Interviewees option button.
2 The names of the interviewees already defined will be displayed in the
Interviewee Name table.
3 Add, remove or alter the names of interviewees in the same way as
described for interviewers.
or
When an existing asset name is displayed you can change it by typing into the
text box. If you want to define a new asset when an existing asset name is
displayed, press the New button. This will clear the existing asset detail
from this and other fields. You can then type the name of the new asset
into the Name text box.
3 Use the Comment for <Asset Name> text box to add or modify descriptive
information about the asset. (If you are defining a new asset, this text box
is called Comment for new asset.) You can type text into the Comment for
text box and modify your typing using the standard Windows keys and
key combinations.
4 Use the Class Selection list box to select a class for the asset. Do this by
selecting the required class in the hierarchy and pressing the Add button.
Your selection appears in the Class list box.
5 If the asset has more than one class defined for it, the legend Multi
Function Asset will appear below the list box.
6 Use the Delete button to delete an asset from the review. Do this by
selecting it in the Name text box and pressing the Delete button. You
cannot delete an asset if it is linked into an asset model. To do this, you
first have to remove the asset from the model (see section 7.3.6).
7.3.2 Identifying End User Services
Method Concept: An important consideration in assessing risk and determining
security requirements is the type of service provided to the end user (where the end
user can be either a human being or an automated process). For example, the risks
and security requirements for a system that allows interactive access to a database
by human users will be different to those for a system that only allows messaging
between computer applications.
If you have exported from an Express review you will need to create end user
services which represent the way in which the data is being handled.
End User Services is a concept embedded within CRAMM as a way of modelling the
fact that the same data can be held, processed or transmitted in a variety of different
ways. These differences can lead to significant variances in terms of the types of
assets employed, the requirements for security and the types and number of
countermeasures that would be considered appropriate. For example, many
technical controls apply to the exchange of data over data communications links, but
would not be applicable if the same data were being transmitted by voice.
The end-user services defined in CRAMM are as follows:
Electronic Mail;
Application to Application Messaging;
Electronic Document Interchange;
Ad-hoc File Transfer;
Interactive Session;
Web Browsing;
Batch Processing;
Voice;
Video;
Other End User Service.
Since they are fundamental to the selection of many technical controls, CRAMM
enforces a rule that Asset Models cannot be created without an End User Service.
However, the end-user service can be a multi-function asset.
To create a new end user service or modify existing end user services:
Step
1 From the Modelling Assets screen, choose Identification of End User
Services button. The Create and Maintain End User Services screen is
displayed, as shown in Figure 7-31.
or
If an existing asset name is displayed you can change it by typing into the text
box. If you want to define a new asset when an existing asset name is
displayed, press the New button. This will clear the existing asset detail
from this and other fields. You can then type the name of the new asset
into the Name text box.
3 Press the Note button next to the Comment field to add or modify
descriptive information about the asset. This displays a screen in which
you can type and modify text. When you are satisfied with the
description, press the OK button in this screen.
4 Use the Class Selection list box to select a class for the asset. Do this by
selecting the required class in the hierarchy and pressing the Add button.
Your selection appears in the Class list box.
5 If the asset has more than one class defined for it, the legend Multi
Function Asset will appear below the list box.
Note: The primary asset, in a Multi Function Asset, must be an allowable
Physical to Software asset link.
6 Use the Remove button to remove a class from the asset. Do this by
selecting the class in the Class list box and pressing the Remove button.
7 Use the Delete button to delete an asset from the review. Do this by
selecting the asset in the Name drop-down list box and pressing the Delete
button.
You cannot delete an asset if it is linked into an asset model. To do this,
you first have to remove the asset from the model (see section 7.3.6).
In defining physical and application software assets, you should consider the
following guidelines:
only assets that are within the boundary of the review need to be defined
some assets may be within the boundary of the review (perhaps because a
broad description of the boundary has been used) but will not be of
interest from a security perspective - assets of this type need not be
defined
where multiple assets of the same type are used, and are likely to be
subject to similar risks, these may be grouped together and only defined
once to the software tool. For example, fifty workstations of the same type
in the same location could be defined as a single instance of a physical
asset (workstation) rather than fifty instances
where assets carry out multiple functions, they can be classified as
multi-function assets. For example, a single PC may be defined as a workstation,
server and gateway.
During Stage 3 of the review the CRAMM software tool will select countermeasures
which protect against the defined asset classes. If no assets of a particular asset class
have been defined, countermeasures for that asset class will not be put forward for
consideration.
or
If an existing asset name is displayed you can change it by typing into the
text box. If you want to define a new asset when an existing asset name is
displayed, press the New button. This will clear the existing asset detail
from this and other fields. You can then type the name of the new asset
into the Name text box.
3 Use the Quantity text box to alter the number of units for the asset. You
can alter the number by typing directly into the text box or by using the
increment/decrement controls of the text box.
4 Press the Note button next to the Comment field to add or modify
descriptive information about the asset. This displays a screen in which
you can type and modify text. When you are satisfied with the
description, press the OK button in this screen.
5 Use the Class Selection list box to select a class for the asset. Do this by
selecting the required class in the hierarchy and pressing the Add button.
Your selection appears in the Class list box.
6 If the asset has more than one class defined for it, the legend Multi
Function Asset will appear below the list box.
Note: The primary asset, in a Multi Function Asset, must be an allowable
Physical to Software asset link.
7 Use the Remove button to remove a class from the asset. Do this by
selecting the class in the Class list box and pressing the Remove button.
8 Use the Delete button to delete an asset from the review. Do this by
selecting the asset in the Name drop-down list box and pressing the Delete
button.
You cannot delete an asset if it is linked into an asset model. To do this,
you first have to remove the asset from the model (see section 7.3.6).
Table 7/1 lists the physical asset classes.
Audio Video TV
Video Telephone
Video-Conferencing
Other Externally Provided
Video Service
or
When an existing asset name is displayed you can change it by typing into
the text box. If you want to define a new asset when an existing asset
name is displayed, press the New button. This will clear the existing asset
detail from this and other text boxes. You can then type the name of the
new asset into this text box.
3 Press the Note button next to the Comment field to add or modify
descriptive information about the asset. This displays a screen in which
you can type and modify text. When you are satisfied with the
description, press the OK button in this window.
4 Use the Class Selection list box to define a class for the asset. Do this by
selecting the required class in the hierarchy and pressing the Select button.
Your selection appears in the Class list box.
An application software asset can only have one class defined for it. To
change the class, simply make another selection from the Class Selection
list box and press the Select button again.
5 Use the Delete button to delete an asset from the review. Do this by
selecting the asset in the Name text box and pressing the Delete button.
You cannot delete an asset if it is linked into an asset model. To do this,
you first have to remove the asset from the model (see section 7.3.6).
The Locations list box shows the sites, buildings and rooms defined for the
review. They are displayed in a horizontal, four-level, hierarchic form
(that is organisations linked to sites, which are in turn linked to buildings
and then to rooms).
2 To add a new location, carry out this step and steps 3 to 5:
for an organisation, select (Add New Organisation) in the Locations
list, or
for a site, select (Add New Site) in the Locations list box, or
for a building without a site, select (No Site) in the Locations list box,
or
for a building on a site, select the name of the site in the Locations list
box, or
for a room, select the name of its building in the Locations list box.
3 Type the name of the new location into the New Location text box.
4 Press the Note button next to the Comment field in the New Location group
box if you wish to add descriptive information about the location. This
displays the Description for location screen in which you can type and
modify text. When you are satisfied with the description, press the OK
button in this screen.
5 Press the New button.
The name that you typed into the New Location text box is displayed in the
Locations list box.
6 To edit the name of an existing location, select the location in the Locations
list box, and type the new name into the Existing Location text box. Note
that the new name is not displayed in the Locations list box until you select
it.
7 To add or modify descriptive information about an existing location,
select the location in the Locations list box and type into the Comment text
box in the Existing Location group box. You can modify text within this
list box using the standard Windows keys and key combinations. (Note
that you can also enter descriptive information for a new location as
described in step 4 above.)
8 To remove a location from the review, select it in the Locations list box, and
press the Delete button. If you select a site, all of the buildings on the site
and rooms in those buildings will be removed. If you select a building,
all of the rooms in the building will be removed. Note that the delete
action will not be allowed if any of the locations which would be removed
is linked into an asset model, that is if a physical asset has been linked to
the location.
2 Define separate asset models for each pairing of data asset and end-user
service. For each asset model, the data asset should have a link to one and
only one end-user service.
3 Identify the links from the end-user service to those physical assets which
support the data asset/end-user service pairing.
4 Identify the links from physical assets to locations (only where you wish
to investigate physical and environmental risks to those locations).
5 Identify the links from the data asset to those application software assets
which support the data asset/end-user service pairing. (Only where you
wish to investigate controls that apply to application software.)
6 Identify the links from these application software assets to the physical
asset on which each resides.
7 Identify the links from the data asset to those media assets which support
the data asset/end-user service pairing. (Only where you wish to
investigate controls that apply to media assets.)
8 Repeat for the next data asset/end-user service asset pairing for the same
data asset.
9 Repeat for the next data asset.
Figure 7-35 describes a generic asset model. This shows that asset models are created
for each data asset/end-user service combination by:
linking all physical assets (except those classified as media) that support
the data asset/end-user service combination to the end-user service
linking application software assets that support the data asset directly to
the data asset
linking each application software asset to the host or workstation on
which it resides
linking media items that support the data asset directly to the data asset.
[Figure 7-35, generic asset model: Data Asset linked to Workstation, Storage Device, Application Software and Media, each with its Location]
[Example network figure: XXX House, FDDI Ring, Group A, Group B, File Servers (Basement)]
This could be modelled in CRAMM by creating the following two asset models:
[Figure: Model 1, Group A's Information; Group B's Information]
use the Data Asset drop-down list box to select a data asset for which
you wish to create an asset model
use the End User Service drop-down list box to select an end-user
service asset for which you wish to create an asset model with the
data asset in Data Asset. Only those end-user services that are not
already in an asset model will be displayed.
use the End User Service drop-down list box to select an end-user
service asset for which an asset model has been defined with the data
asset selected in the Data Asset drop-down list box.
The remaining steps apply whether you are creating or modifying an asset
model.
5 Either double click on the asset shown in the source asset model that you
wish to be added or select the asset and press the Copy button.
You need to ask the interviewee to describe the worst case scenarios which could
reasonably be expected to occur for each impact. Examples of such scenarios could
be modification of air traffic control data which might lead to two aircraft entering
the same air space and possibly colliding, or the unavailability of some particular
medical history data which might result in a patient being treated with an unsuitable
drug.
Existing countermeasures should not be taken into account. This prevents you
from making any false assumptions about the effectiveness of these countermeasures,
and also enables CRAMM to determine whether they are truly justified. However,
you may take into consideration the existence of alternative manual processes, or
other automated systems outside the boundary of the review.
The objective when assessing data values is to determine the severity of the impact,
not the possible causes of an impact, nor the likelihood of such an event occurring.
These issues will be explored during the threat and vulnerability assessment in Stage
2 of CRAMM.
For each data asset, you need to discuss with the interviewee the effect of the
following impacts.
Unavailability
The consequences resulting from data being unavailable may vary depending on the
length of the loss of service. CRAMM allows you to investigate these consequences
against the following timeframes:
less than 15 minutes
1 hour
3 hours
12 hours
1 day
2 days
1 week
2 weeks
1 month
2 months and over.
You do not need to assess the consequences of loss of service for all of these
timeframes - you should select those that are appropriate to the data asset. You
should, however, use a minimum of three time periods. CRAMM will make
assumptions about the time periods for which no asset value has been specified.
If one of the primary purposes of the review is to identify contingency planning
options, you should assign values to most or all of the time periods so that you
obtain a good understanding of the changing nature of the impact.
Destruction
This impact investigates the consequences that could result from:
loss of data since the last successful back-up
total loss of data including back-ups.
You need to find out how often back-ups are taken and where they are stored when
looking at this impact.
Disclosure
This impact is investigated in terms of:
disclosure to insiders (those people working for the organisation, but who
are not authorised to see the data)
disclosure to contracted service providers (staff of third party
organisations who may have legitimate access to the system or network,
but not necessarily to the data - examples include those organisations
running outsourced IT services or virtual private networks)
disclosure to outsiders (all other individuals).
Modification
The issues to explore when examining this impact vary according to the end-user
service that the data is using, as follows.
For interactive and batch processing end-user services, look at:
small scale errors (for example, keying errors, duplication of input)
widespread errors (for example, caused by a programming error)
deliberate modification (of stored data).
For voice and video end-user services, look at:
small-scale errors (in data transmission)
widespread errors (in data transmission)
deliberate modification (of data in transmission).
For electronic mail, application to application messaging, electronic data interchange
or web browsing end-user services, you should also look at the consequences of
small-scale, widespread and deliberate modification as appropriate. In addition, you
may investigate the consequences of:
insertion of false messages (for example, inserting an unauthorised
request for a payment)
repudiation of origin (for example, the sender of a message denying they
had actually sent the message)
repudiation of receipt (for example, the recipient of a message denying
they had actually received the message)
non-delivery (for example, an authorised request for payment failing to be
delivered, either accidentally or deliberately)
replay (for example, the accidental or deliberate duplication of an
authorised request for a payment)
mis-routing (for example, accidental or deliberate alteration of the
destination address so that data is sent to an unauthorised recipient)
traffic monitoring (for example, disclosing the volume of data being
transmitted, or the fact that two parties were communicating with each
other, but not the actual contents of the messages being passed)
out of sequence (for example, accidental or deliberate delivery of
authorised messages in the wrong order).
You need only investigate those impacts about which there is a particular concern.
Step
1 Compare the scenarios outlined by the interviewee(s) against the
guidelines to identify which guideline corresponds most closely to the
scenario that has been described. Enter the guideline in the Guideline
section of the form.
2 Using the descriptions contained in the guidelines, decide on the data
valuation for each impact. For financial loss scenarios, you can enter the
actual financial loss in the Financial value section of the form. For other
scenarios, enter the asset value indicated by the guidelines into the Scale
value section of the form.
You need to gather enough information to quantify the severity of the
impact. For example, if an interviewee states that deliberate modification
could lead to financial loss, gather sufficient information to determine the
likely extent of the loss. You should not, however, show the guidelines to
the interviewee because this removes some of the objectivity required in
this activity.
Within the guidelines, descriptions are not always provided for every
scale value. You may select a scale value for which no description is
provided if you feel that it most accurately represents the potential
impact.
3 Record the reasoning behind your valuation in the Valuation Scenario
section of the form. An example of what you might enter in this section is
where an impact could result in an effect in terms of two or more criteria
(for example, an unauthorised disclosure resulting in financial loss and a
breach of personal privacy). In this case, you need to record a separate
data value for each effect. Only the highest value will be subsequently
input to the CRAMM software, but it is important to have a complete
picture.
4 Where more than one interviewee is consulted about the valuation of a
single data asset, you should record the valuations separately and then
consolidate them into a single valuation for the asset. The consolidated
valuation will be input into the CRAMM software.
Once you have completed the Data Asset Valuation form for the asset, you need to
enter the information into the CRAMM software. This is described in section 7.7.5.
6 You can use the Status text box to remind yourself of the status of the
valuation of the asset. Type a short message into the text box such as:
not started
in progress
completed.
This text box is for your own use and you do not have to use it. It is not
used by any of the CRAMM method processes.
7 You can use the Date text box to enter the date of the valuation interview.
8 Use the table in the Assign Value group box to define the impact values.
This table has several columns which show the impact values of the asset.
Use these columns as follows:
Impact: This column contains an entry for every impact which can
apply to a data asset. The impact will appear whether a value has
been assigned to it or not. The list of impact types is given in Annex
D
Guideline: Use this column to select the valuation guideline for the
Scale and Impact in the same row. Do this by selecting from the
columns drop-down list
Scale: Use this column to enter the value on a scale of 1 to 10 for the
Impact and Guideline in the same row. If you set this to 0, it means
that this asset has no value for the impact
Cost: Use this column to enter the financial value for the Impact in
the row. This is only used by the CRAMM method for Unavailability
and Physical Destruction impacts. You cannot define a financial
value which translates to a value greater than that in Scale for the
row. If the value in Scale is zero, then it will be reset to the value
translated from Cost
9 To clear an impact value, select (No Valuation) in the Guideline cell for that
impact.
10 If you want to define a scale value for an impact and a lower financial
value to be used for contingency planning purposes you can do this. You
should detail why the two are different in the Scenario Description column.
11 If you define a financial value for an impact which translates to a higher
scale value than the one currently defined, a warning message will be
displayed when you try to move out of the row for the impact. You
should clear the warning by either:
setting the value in the Scale column to zero so that the software will
calculate the scale value from the financial value, or
setting the scale value to a value higher than or equal to the value
which would result from the financial value.
Once you have entered the information into the software, you can print a completed
Data Asset Valuation form. See section 7.14 for details.
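The rules of the Assign Value table (steps 8 to 11 above) and the unavailability timeframes, worked through as an added example; this is illustration code, not CRAMM's own software. The financial bands are a constructed stand-in for the Annex E guidelines, which are not reproduced on this page, and carrying the last specified unavailability value forward to unspecified timeframes is this example's assumption about what the method "makes assumptions" means.

```python
"""Rules of the CRAMM Assign Value table and the unavailability timeframes,
as an added illustration (not CRAMM's own code)."""
from dataclasses import dataclass

# Constructed stand-in for the Annex E financial-loss guidelines: the upper
# bound of financial loss that still maps to each scale value 1..9. Losses
# above the last bound map to scale 10. The real bands are not on this page.
FINANCIAL_BANDS = [
    (1, 1_000), (2, 10_000), (3, 50_000), (4, 100_000), (5, 500_000),
    (6, 1_000_000), (7, 5_000_000), (8, 10_000_000), (9, 50_000_000),
]
NO_VALUATION = "(No Valuation)"
# Cost is only used by the method for these two impacts.
FINANCIAL_IMPACTS = {"Unavailability", "Physical Destruction"}
TIMEFRAMES = ["<15 min", "1 hour", "3 hours", "12 hours", "1 day", "2 days",
              "1 week", "2 weeks", "1 month", "2 months+"]


def cost_to_scale(cost: float) -> int:
    """Translate a financial loss into a 1..10 scale value (0 for no loss)."""
    if cost <= 0:
        return 0
    for scale, upper in FINANCIAL_BANDS:
        if cost <= upper:
            return scale
    return 10


@dataclass
class ImpactRow:
    impact: str
    guideline: str = NO_VALUATION
    scale: int = 0        # 0 means the asset has no value for this impact
    cost: float = 0.0     # may be lower than the scale implies (step 10)
    scenario: str = ""    # record why scale and cost differ here


class ValuationWarning(Exception):
    """Raised when the cost translates to a higher scale than the one set."""


def commit_row(row: ImpactRow) -> ImpactRow:
    """Apply the table rules when the user moves out of the row."""
    if row.guideline == NO_VALUATION:         # step 9: clear the impact value
        row.scale, row.cost = 0, 0.0
        return row
    if not 0 <= row.scale <= 10:
        raise ValueError(f"scale value must be 0..10, got {row.scale}")
    if row.impact not in FINANCIAL_IMPACTS or row.cost <= 0:
        return row                             # nothing to reconcile
    implied = cost_to_scale(row.cost)
    if row.scale == 0:
        row.scale = implied                    # scale reset from the cost
    elif implied > row.scale:                  # step 11: warn, user must fix
        raise ValuationWarning(
            f"{row.impact}: cost {row.cost:,.0f} implies scale {implied} but "
            f"scale {row.scale} is set; set scale to 0 or to >= {implied}")
    return row


def unavailability_profile(specified: dict) -> dict:
    """Build a value for every timeframe from at least three specified ones.

    Assumption of this example: an unspecified timeframe carries forward the
    value of the last specified (shorter) timeframe, 0 before the first one.
    """
    if len(specified) < 3:
        raise ValueError("use a minimum of three time periods")
    unknown = set(specified) - set(TIMEFRAMES)
    if unknown:
        raise ValueError(f"unknown timeframes: {sorted(unknown)}")
    profile, last = {}, 0
    for timeframe in TIMEFRAMES:
        last = specified.get(timeframe, last)
        profile[timeframe] = last
    return profile


if __name__ == "__main__":
    row = commit_row(ImpactRow("Unavailability", "Financial loss", 0, 75_000))
    print(row.scale)                                          # 4 under the constructed bands
    print(unavailability_profile({"1 hour": 2, "1 day": 5, "1 month": 9}))
```

The two ways of clearing the step 11 warning map directly onto `commit_row`: setting `scale` to 0 lets the cost decide, and raising `scale` to at least the implied value lets a deliberately lower contingency-planning cost stand, which is why the `scenario` field exists to record the difference.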
Unit Cost: Use this text box to enter the financial replacement cost of
a unit of the asset
Total Replacement Cost: This text box displays the financial value
derived from Quantity and Unit Cost. You cannot edit the
information in this text box
Scale Value: This text box displays the value for the asset on a scale of
1 to 10. This is based upon its replacement and reconstruction cost,
using the financial loss guidelines included in Annex E. You cannot
edit the information in this text box
Once you have entered the information into the software, you can print a completed
Physical Asset Valuation form. See section 7.14 for details.
This screen contains the same controls as the Value Data Assets screen (see section
7.7.2) with the addition of a list box which displays the classification of the asset
alongside its name. The impacts displayed are those which can affect application
software.
Once you have entered the information into the software, you can print a completed
Application Software Asset Valuation form. See section 7.10 for details.
4 Select either the Blank Valuation Form or the Completed Valuation Form
option button, depending on whether you want to produce a form with
the name of the asset and all other fields blank, or a form containing the
information input using the appropriate Value Assets screen (see sections
7.7, 7.8 and 7.9).
This approach ensures that time is not wasted on rigorously investigating a system or
network that only requires a low level of protection.
machine on which both depend has a high requirement for both availability and
confidentiality.
Implied asset values can be reviewed by producing the Impact Assessment Report.
This is described later in this section.
[Figure: a physical asset supporting data with high availability requirements and data with a high confidentiality requirement inherits a high availability and confidentiality requirement; the table of Availability, Confidentiality and Integrity values is not recoverable]
mobile activity indicator and a Cancel button. If you press the Cancel button the
calculation stops and the partial results are discarded.
Modification
2 Select from the assets that you wish to appear in the report.
3 When you are satisfied that you have selected the content of the report
correctly, then press either the Preview button to see the report on screen
or the Print button to print the report directly.
2 Select from the Report Type drop-down list box. Your choice determines
how you will select the assets whose calculated impact values will be
included in the report, as follows:
if you select Locations and components, the list box in the Select group
box is labelled Locations and components and shows the locations and
the assets in those locations that are defined for the review. For each
location to be included in the report, select it and press the Add
button. The locations are added to the Report On list box
if you select Asset Groups, the list box in the Select group box is
labelled Asset Groups and shows the asset groups defined for the
review. For each group to be included in the report, select it and
press the Add button. The groups are added to the Report On list box.
The report produced is of the calculated impact values of the
component assets of each group. This option is not relevant in Stage
1 where asset groups will not have been created. However, the
reports can also be produced in Stage 2, when this option will be
relevant
if you select Asset Classes, the list box in the Select group box is
labelled Asset Classes and shows the asset class hierarchy. Make a
selection from the Asset Type drop-down list box. For each class to be
included in the report, select it and press the Add button. The classes
are added to the Report On list box. The report produced is of the
calculated impact values of the assets of each class
if you select Assets, the list box in the Select group box is labelled
Assets. Make a selection from the Asset Type drop-down list box. The
assets of the type selected are displayed in the Assets list box. For
each asset to be included in the report, select it and press the Add
button. The assets are added to the Report On list box. The report
produced is of the calculated impact values of the assets selected.
3 When you have selected the assets to be included in the report, use the
Impacts drop-down list box to select the set of impacts to report on.
Choose one of:
Unavailability
4 Use the Value Type drop-down list box to select the type of value which
you want the report to include: either Scale, that is 1 to 10, or Financial.
5 If you chose Scale in the Value Type list box, use the Value Level text box to
type in a scale value. Only impact values equal to or above this value will
be included in the report.
6 If you wish to remove an item from the report, select it in the Report on list
box and press the Remove button.
7 When you are satisfied that you have selected the content of the report
correctly, use the Output to controls to select the destination of your
report, then press the Generate Report button to produce the report.
2 Select the option button in the Asset Type group box to select the type of
asset on which you want to perform a backtrack.
3 Use the Report on Asset drop-down list box to select the asset for which
you want to perform the backtrack. Only assets of the type selected in the
Asset Type group box are displayed.
4 When you are satisfied that you have selected the content of the report
correctly, use the Output to controls to select the destination of your
report, then press the Generate Report button to produce the report. The
report will contain details of all the associated data and application
software asset valuations that led to asset values being associated with the
selected asset.
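The generic asset model of Figure 7-35, the implied-value rule illustrated by the shared machine above, and the Backtrack report, worked through together as an added example; this is illustration code, not CRAMM's own software. The Group A / Group B review, its asset names, locations and scale values are constructed around the example figure, and the choice of the highest data value per impact as the implied value of a supporting asset is this example's reading of the text.

```python
"""Asset models, implied values of supporting assets and backtracking,
as an added illustration (not CRAMM's own code)."""
from collections import defaultdict
from dataclasses import dataclass, field

IMPACTS = ("unavailability", "destruction", "disclosure", "modification")


@dataclass
class DataAsset:
    name: str
    values: dict                     # impact -> scale value 0..10


@dataclass
class AssetModel:
    """One data asset paired with exactly one end-user service."""
    data_asset: DataAsset
    end_user_service: str
    physical_assets: set = field(default_factory=set)         # linked to the end-user service
    application_software: dict = field(default_factory=dict)  # software -> host it resides on
    media: set = field(default_factory=set)                   # linked directly to the data asset
    locations: dict = field(default_factory=dict)             # physical asset -> location (optional)

    def __post_init__(self):
        if not self.end_user_service:
            raise ValueError("an asset model cannot be created without an end-user service")

    def supported_assets(self) -> set:
        """Every asset in the model that inherits the data asset's values."""
        assets = {self.end_user_service, *self.physical_assets, *self.media}
        for software, host in self.application_software.items():
            assets.update((software, host))
        assets.update(self.locations.values())
        return assets


class Review:
    def __init__(self):
        self.models = []

    def add_model(self, model: AssetModel) -> None:
        # A data asset / end-user service pairing may only appear in one model.
        if any(m.data_asset.name == model.data_asset.name
               and m.end_user_service == model.end_user_service
               for m in self.models):
            raise ValueError("end-user service is already in an asset model for this data asset")
        self.models.append(model)

    def implied_values(self) -> dict:
        """Highest value, per impact, across every data asset an asset supports."""
        implied = defaultdict(lambda: dict.fromkeys(IMPACTS, 0))
        for m in self.models:
            for asset in m.supported_assets():
                for impact in IMPACTS:
                    implied[asset][impact] = max(implied[asset][impact],
                                                 m.data_asset.values.get(impact, 0))
        return dict(implied)

    def backtrack(self, asset: str) -> list:
        """Data asset valuations that led to the asset's implied values."""
        hits = [(m.data_asset.name, m.end_user_service, dict(m.data_asset.values))
                for m in self.models if asset in m.supported_assets()]
        return sorted(hits, key=lambda hit: hit[:2])


def build_example() -> Review:
    """Constructed review: two groups sharing file servers over an FDDI ring."""
    group_a = DataAsset("Group A's Information",
                        {"unavailability": 8, "destruction": 6, "disclosure": 2, "modification": 4})
    group_b = DataAsset("Group B's Information",
                        {"unavailability": 3, "destruction": 3, "disclosure": 7, "modification": 5})
    review = Review()
    review.add_model(AssetModel(
        group_a, "Interactive Session (Group A)",
        physical_assets={"Group A Workstations", "FDDI Ring", "File Servers"},
        application_software={"Group A Application": "File Servers"},
        locations={"File Servers": "Basement", "Group A Workstations": "Group A Office"}))
    review.add_model(AssetModel(
        group_b, "Interactive Session (Group B)",
        physical_assets={"Group B Workstations", "FDDI Ring", "File Servers"},
        media={"Group B Backup Tapes"},
        locations={"File Servers": "Basement"}))
    return review


if __name__ == "__main__":
    review = build_example()
    print(review.implied_values()["File Servers"])   # high availability from A, high confidentiality from B
    for hit in review.backtrack("File Servers"):
        print(hit)
```

The file servers end up with both Group A's availability requirement and Group B's confidentiality requirement, which is exactly the situation the text warns about; the backtrack lists the two valuations responsible, so a reviewer can see which interview to revisit if the implied value looks too high.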
completed the form through interviews with users and support staff
The first activity in Threat and Vulnerability Assessment is to define the threats that
require investigation.
Similar assets are gathered together into asset groups. This is so that threats can be
investigated against several assets at once, rather than individually.
The following steps are required to define the threat/asset combinations which will
be investigated during Stage 2:
creation of asset groups
maintenance of asset groups
definition of threats to asset groups
confirmation of the impacts that could result from the threats to assets.
These steps are described in the following sections.
or
8 Use the Delete button to remove an asset group from the review. Do this
by selecting it from the Asset Groups drop-down list box and pressing the
Delete button.
Once created, you can review the components of asset groups by producing an Asset
Group Component Report. Do this as follows.
To create relationships between the threats and asset groups in the review:
Step
1 From the Identifying Threats to Asset Groups screen, choose Relate
Threats to Groups. The Relate Threats to Asset Groups screen is displayed,
as shown in Figure 8-57 and Figure 8-58.
2 For ease of use, CRAMM allows you to either relate a selected threat to
several asset groups (for example, the threat of fire to the computer room,
communications room and user accommodation) or several threats to a
selected asset group (for example, the threats of masquerading by
outsiders, masquerading by insiders and communications infiltration to
the Order Entry end-user service).
3 Decide which of these two approaches is most convenient (you can mix
and match for different threats and asset groups) and select the
appropriate one of the two option buttons at the top of the window. The
fields in the window have different names depending on your choice, as
shown in Figures 7/4 and 7/5.
Figure 8-57 shows the screen if you select the Relate a Threat to One or More Asset
Groups option button.
Figure 8-58 shows the screen if you select the Relate an Asset Group to One or More
Threats option button.
4 Select a threat or an asset group from the Threat Type/Asset Group drop-
down list box. The Related Asset Groups/Related Threat Types and Available
Asset Groups/Available Threat Types list boxes will show the appropriate
details for the selection.
5 To create an association, select from the Available Asset Groups/Available
Threat Types list box and press the Add button. The selection will appear in
the Related Asset Groups/Related Threat Types list box.
6 To delete an association, select it from the Related Asset Groups/Related
Threat Types list box and press the Remove button.
Applicable - initially has the same setting as the Guide value of the
row.
2 Select the threat(s) that you want to print questionnaires for in the
Threat Type list box.
3 Select one of the option buttons in the Questionnaire Type group box.
4 Select one of the option buttons in the Contents group box. A completed
questionnaire will contain details of all answers you have input so far. A
blank questionnaire will contain no answers even if you have input some.
5 Use the Output to controls to select the destination of the questionnaire(s)
selected, then press the Generate Report button to produce the report.
Security Officer/Manager
Network Manager/Administrator
Security Officer/Manager
User Management
technical failures:
System Manager/Administrator
Network Manager/Administrator
human errors:
System Manager/Administrator
Network Manager/Administrator
Development Manager
User Management
staff shortage:
Personnel Manager.
amend the calculated threat and vulnerability levels by using the rapid risk function,
which is effectively an over-ride facility (see section 8.14).
Any comments or observations recorded during information gathering can also be
recorded in the software. It is strongly recommended that you record the rationale
for any adjustment to the calculated threat and vulnerability levels.
Some of the questions in the questionnaires only apply to some of the impacts that
the threat may cause.
Questionnaires may be partially completed, and marked as such, and then further
information can be added as it is obtained from interviews. The questionnaire must
not be marked as complete in the software until all the data has been entered.
2 Select the threat type from the Threat Type drop-down list box.
The table shows the current state of the threat/vulnerability analysis for
the chosen threat. This helps you to keep track of your progress in
completing the questionnaire and allows you to indicate to the software
when the questionnaire is complete. The section below describes how to
use this table.
or
select one or more rows in the table and double click on an answer in
the list box below the question. The Chosen Answer cell will be
changed to the letter for the chosen answer.
3 You can create, view or alter a comment which qualifies the chosen
answer for an asset group by selecting any field in the appropriate row
and pressing the Note button. A screen is then displayed into which you
can type or edit the comment. When you are satisfied with the comment,
press the OK button in this screen, and your description appears in the
Comments column. Alternatively, click in the Comments column, and a
small text box appears into which you can type text.
4 Use the Goto button if you want to move directly to a specific question.
The Go To Question screen is displayed, as shown in Figure 8-64.
9 You can then either leave the Complete Threat and Vulnerability
Questionnaires screen using the Next Screens button or the Close button,
or you can choose another questionnaire to answer and continue as
described above.
Vulnerability Guide
Rating
Low If an incident were to occur, there would be no more than a
33% chance of the worst case scenario (assessed during asset
valuation) being realised.
Medium If an incident were to occur, there would be a 33% to 66%
chance of the worst case scenario (assessed during asset
valuation) being realised.
High If an incident were to occur, there would be a higher than 66%
chance of the worst case scenario (assessed during asset
valuation) being realised.
Once ratings have been input, you can produce a Threat Vulnerability Assessment
Result Report, as described in section 8.15.
To set Threat and Vulnerability levels directly or override the levels calculated
from questionnaire answers:
Step
1 From the Assessing Threats and Vulnerabilities screen, choose Rapid
Risk Assessment option. The Rapid Risk Assessment screen is displayed,
as shown in Figure 8-65.
the Impact column shows the impacts that this threat can cause.
use the Threat Level column to set an override threat level. Do this
by selecting the appropriate cell then selecting the required level
from its drop-down list box.
Note: You can set these values for individual impacts if necessary.
The following figure shows a sample of the Threat and Vulnerability Summary
report:
9. Risk analysis
9.1 Introduction
Method Concept: Asset values, threat levels and vulnerability levels combine
together to give measures of risks (or security requirements) which are then used
to select appropriate countermeasures.
The objective of risk analysis is to determine the level of requirement for security
relating to the system or network.
The topics covered in this section are:
calculating measures of risks (section 9.2)
reviewing measures of risks (section 9.3)
carrying out a stage 2 backtrack (section 9.7)
producing a Risk Analysis report (section 9.8)
holding a Risk Analysis review meeting (section 9.9).
The Risk Analysis screen is shown below:
If you have chosen to order the report by asset group select the
asset group you want to include from the Asset Groups combo
box, or select the All Asset Groups check box.
3 Use the Output to controls to select the destination of your report, then
press the Generate Report button to produce the report.
You should supply the Risk Analysis Report to the project board a week before the
meeting to allow them to consult and draw their conclusions. The focus of such a
report should be on the business issues and not on the numerical values that
CRAMM employs.
that they are correct. This agreement is critical to the accuracy, efficiency and
acceptability of the review as a whole. The countermeasure recommendations are
largely dependent upon these data asset values.
Management in this context would normally be a project board where all interested
parties are represented. The membership should ideally be more senior than the
interviewees from Stage 1. At the very least, you need a senior user to agree to the
data values.
The Risk Analysis phase of CRAMM dealt with establishing asset values and levels
of threat and vulnerability in order to determine the risks to the system or network.
Risk management is concerned with managing those risks. The objective of the
risk management phase is to identify an appropriate and justified set of security
countermeasure recommendations for the system or network under review.
The steps in Stage 3 are as follows.
Identifying, from an extensive countermeasure library, those
countermeasures which meet the risks that have been assessed.
Identifying countermeasures that are already installed or for which plans
to install already exist.
Investigating the differences between the countermeasures recommended
by CRAMM and the countermeasures that are in place.
Hardware
Software
Communications
Procedural
Physical
Personnel
Environment.
The countermeasure sub-groups contain detailed, but generic countermeasure
descriptions. Examples of these are shown in Table 8/1.
Countermeasures in each sub-group are arranged in a hierarchical structure, with all
countermeasures being assigned to one of three possible categories:
category 1: security objectives - a high-level statement
category 2: a detailed description of the security functions that help to
achieve the security objectives
category 3: examples of how the functions can be implemented.
Countermeasures have the following numbering system. Numbering begins at 1 for
the first Category 1 countermeasure in each sub-group. Any Category 2
countermeasures that support that objective are numbered as 1.# (for example, 1.1).
Category 3 countermeasures that support the Category 2 countermeasures are
numbered as 1.#.# (for example 1.1.1).
Table 8/1 illustrates the structure of the countermeasure library. Some
countermeasures are alternatives to each other and are presented as such when
selected. The Security Level is the lowest Measure of Risk value which an asset must
have for a particular threat which will result in the countermeasure being selected to
protect the asset.
Table 8/1: Extract from the countermeasure library
Security Level | Category 1 | Category 2 | Category 3
1 | 1. All users should be allocated an identifier (user id). | 1.1 The user id may be shared between a group of users, or 1.2 A register of service users should be maintained |
5 | | 1.7 Inactive accounts to be suspended | 1.7.1 All accounts that had not been used for more than 60 days should be suspended.
| | 1.8 User IDs should not give any indication of the user's privilege | 1.8.1 The User ID should not indicate the user's job.
7 | 2. The system should maintain the clearances and authorisation granted to users. | 2.1 Access to information should be consistent with users' clearances and privileges. |
Select the security aspect and category of the countermeasures you wish
to include in the report from the Security Aspect and Category drop-down
list boxes.
Use the Output to controls to select the destination of the report, then
press the Generate Report button to produce the report.
Select the asset you require in this list box. You can select a single
asset or a number of assets
Use the Output to controls to select the destination of the report, then
press the Generate Report button to produce the report.
You need to identify and record any countermeasures that are already in place. You
can do this either before or after you have derived the recommended
countermeasures from CRAMM. Do this as follows.
Talk to people who can provide information on installed countermeasures. Examples
of such people are:
system manager/administrator
network manager
development manager
operations manager
user management
accommodation officer
personnel manager.
These people are often the same as those interviewed during the threat and
vulnerability assessment and so, if required, you can carry out this process at the
same time. If you decide to do this, you should prepare a pack for each interview that
contains the countermeasures to be examined during the interview. You can produce
this using the Countermeasure Library - Other Information report (see section 10.5).
You can use the countermeasure packs as check-lists, simply identifying which
countermeasures are in place and which are not.
Where a high-level or rapid CRAMM review is being undertaken you may elect to
investigate only Category 1 countermeasures. However, because the Category 1
countermeasures are policy statements, it is often difficult to know whether a policy
is being achieved without examining which of the functions that support the policy
are actually in place. You may therefore wish to review the Category 2
countermeasures for selected sub-groups during a high-level or rapid review.
When discussing the countermeasures with the interviewee you need to record:
the status of the countermeasure
any comments that the interviewee makes about it, such as future plans that
could affect the countermeasure or weaknesses in the way it is currently
implemented.
There are three statuses that you can allocate to a countermeasure at this stage, as
follows:
if an existing or planned countermeasure fully meets the requirements laid
out in the countermeasure description, record it as Installed. All
countermeasures that are currently installed should be recorded, not just
those which have been, or may be, recommended on the basis of the risk
analysis. This enables CRAMM to print a list of countermeasures currently in
place which could not be justified on the basis of the risks determined during
the risk analysis. Countermeasures of any of the three categories can be
marked as installed. In practice, the most important requirement is to know
that the security functionality has been provided, that is that Category 2
countermeasures have been investigated and marked accordingly. Category
3 countermeasures are examples and are normally only used if further
information is required on what is meant by a particular Category 2
countermeasure
if the countermeasure is not installed, or if the current implementation of a
countermeasure is weak in some respect, record its status as Under Discussion
if a countermeasure is not appropriate to the asset it has been recommended
for, record it as Not Applicable. For example, if the countermeasure rotate
shifts is recommended for operators of a particular system, but there is only
one shift of operators, you should mark the countermeasure as Not Applicable.
Only do this when a countermeasure could not be applied, not just when it
would be difficult to implement.
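As an added worked example (not code from the CRAMM guide or software), the following Python models the countermeasure library described above: the 1 / 1.# / 1.#.# numbering that fixes a countermeasure's category, the Security Level rule from Table 8/1 (a countermeasure is selected for an asset once the asset's Measure of Risk for one of the countermeasure's threats reaches that level) and the three statuses just listed, and it produces the two gap lists the text mentions: recommended countermeasures not yet installed, and installed countermeasures that the assessed risks do not justify. The asset names, Measure of Risk values, the threat-to-countermeasure mapping and the security levels not shown in Table 8/1 are constructed assumptions.

```python
"""Added example, not part of the CRAMM guide or software: the countermeasure
library hierarchy (1 / 1.# / 1.#.#), the Security Level selection rule and the
three implementation statuses.  Sample data below is constructed."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

STATUSES = ("Installed", "Under Discussion", "Not Applicable")

@dataclass(frozen=True)
class Countermeasure:
    number: str                        # "1" = Category 1, "1.7" = Category 2, "1.7.1" = Category 3
    description: str
    security_level: int | None = None  # lowest Measure of Risk at which it is selected
    threats: frozenset = frozenset()   # threats it addresses (assumption, not given in the guide)

    @property
    def category(self) -> int:
        # Category follows the numbering depth described in the guide.
        return self.number.count(".") + 1

def number_key(number: str) -> list[int]:
    """Numeric sort so that 1.10 follows 1.9 rather than 1.1."""
    return [int(part) for part in number.split(".")]

def validate_library(library: dict) -> None:
    """Every supporting countermeasure must hang off an existing objective or function."""
    for number, cm in library.items():
        if cm.number != number or not all(p.isdigit() for p in number.split(".")):
            raise ValueError(f"bad countermeasure number {number!r}")
        if "." in number and number.rsplit(".", 1)[0] not in library:
            raise ValueError(f"{number} has no parent entry in the library")

def library_listing(library: dict) -> list[str]:
    """Indented view of the hierarchy, like the Display Countermeasure Tree option."""
    lines = []
    for number in sorted(library, key=number_key):
        cm = library[number]
        level = f" (Security Level {cm.security_level})" if cm.security_level is not None else ""
        lines.append(f"{'    ' * (cm.category - 1)}{number} {cm.description} [Category {cm.category}]{level}")
    return lines

def recommend(library: dict, risks: dict, max_category: int = 3) -> dict:
    """{asset: {number: {threats}}} for each countermeasure whose Security Level is
    reached by the asset's Measure of Risk for one of its threats.  max_category=1
    models a rapid review that investigates Category 1 countermeasures only."""
    out = defaultdict(dict)
    for number, cm in library.items():
        if cm.category > max_category or cm.security_level is None:
            continue  # examples/alternatives without their own level are never selected directly
        for (asset, threat), measure_of_risk in risks.items():
            if threat in cm.threats and measure_of_risk >= cm.security_level:
                out[asset].setdefault(number, set()).add(threat)
    return dict(out)

def gap_report(library: dict, risks: dict, statuses: dict, max_category: int = 3) -> dict:
    """Compare recommendations with recorded statuses.  Unrecorded entries count as
    Under Discussion.  installed_not_justified is the list the guide says CRAMM can
    print: countermeasures in place that the assessed risks do not justify."""
    validate_library(library)
    recommended = recommend(library, risks, max_category)
    report = {"to_implement": [], "installed_not_justified": [], "not_applicable": []}
    assets = {asset for asset, _ in risks} | {asset for asset, _ in statuses}
    for asset in sorted(assets):
        for number in sorted(library, key=number_key):
            status = statuses.get((asset, number), "Under Discussion")
            if status not in STATUSES:
                raise ValueError(f"unknown status {status!r} for {asset}/{number}")
            is_recommended = number in recommended.get(asset, {})
            if status == "Not Applicable":
                report["not_applicable"].append((asset, number))
            elif is_recommended and status != "Installed":
                report["to_implement"].append((asset, number))
            elif status == "Installed" and not is_recommended:
                report["installed_not_justified"].append((asset, number))
    return report

# Constructed sample data; wording of the entries follows Table 8/1 in the guide.
LIBRARY = {cm.number: cm for cm in [
    Countermeasure("1", "All users should be allocated an identifier (user id)", 1,
                   frozenset({"masquerading by insiders", "masquerading by outsiders"})),
    Countermeasure("1.1", "The user id may be shared between a group of users"),
    Countermeasure("1.2", "A register of service users should be maintained"),
    Countermeasure("1.7", "Inactive accounts to be suspended", 5, frozenset({"masquerading by outsiders"})),
    Countermeasure("1.7.1", "All accounts not used for more than 60 days should be suspended"),
    Countermeasure("2", "The system should maintain the clearances and authorisations granted to users",
                   7, frozenset({"unauthorised access"})),
    Countermeasure("2.1", "Access to information should be consistent with users' clearances and privileges",
                   7, frozenset({"unauthorised access"})),
]}
RISKS = {  # (asset, threat) -> Measure of Risk from the risk matrix (constructed values)
    ("Order Entry", "masquerading by outsiders"): 5, ("Order Entry", "unauthorised access"): 3,
    ("Payroll", "masquerading by insiders"): 2, ("Payroll", "unauthorised access"): 7,
}
STATUSES_RECORDED = {  # (asset, number) -> status gathered in the interviews (constructed)
    ("Order Entry", "1"): "Installed", ("Order Entry", "1.7"): "Under Discussion",
    ("Order Entry", "2"): "Installed", ("Payroll", "1"): "Installed",
    ("Payroll", "1.7"): "Not Applicable", ("Payroll", "2"): "Under Discussion",
}
```

Calling gap_report(LIBRARY, RISKS, STATUSES_RECORDED, max_category=1) reproduces a rapid review that checks only Category 1 policy statements, which is why the guide warns that such a review can miss whether the supporting functions are actually in place.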
Once all the interviews have been completed, check that you have covered all
appropriate countermeasure groups and gathered all the required information.
Enter the status of the countermeasures into the CRAMM software using any of
the three options shown on the Identifying Existing Countermeasure screen. The
reason for providing three options is to accommodate different ways of working:
Enter Installed Countermeasure By Countermeasures
This option allows you to see all of the assets for which a countermeasure
has been recommended, and to record the status of that countermeasure
with respect to those assets.
Enter Installed Countermeasure By Asset
This option allows you to see all of the countermeasures in a sub group
and the status of these countermeasures with respect to a particular asset.
Display Countermeasure Tree
This option represents the countermeasure library as a tree structure,
allowing you to explore the countermeasure groups in a more flexible
manner and to see graphically the hierarchical structure of the
countermeasure library.
Table 8/2 describes the statuses that can be associated with a countermeasure.
Select the countermeasure group, security aspect, category and sub group
of the countermeasures you wish to view from the appropriate drop-
down list boxes. A description of the first countermeasure satisfying your
selections is displayed in the Countermeasure list box, along with its
number.
Use the Next and Previous buttons to move through the countermeasures
which satisfy the selections made in step 2.
The assets for which the countermeasure displayed in the Countermeasure
list box has been recommended will be listed in the Countermeasure Use
table. These assets have an R displayed in the Rec column of the table.
For each asset, select the status which reflects your decision from the
drop-down list box in the appropriate cell in the Implementation Status
column. Table 8/2 describes each status.
physical security: HM Government users must ensure that they comply with
minimum baseline measures for physical security described in the Manual of
Protective Security (MPS). (These measures are described in chapter 3,
section 1 Guide to Physical Security of the MPS Framework and Guide.)
This list is not comprehensive, but it does indicate the complexity of the decision-
making process. It is part of the reviewer's responsibility to consider all of the factors
that could influence the decision when making recommendations.
Select the countermeasure group, security aspect, category and sub group
of the countermeasures you wish to view from the appropriate drop-
down list boxes. The description of the first countermeasure satisfying the
selections will be displayed in the Countermeasure list box along with its
number.
Use the Next and Previous buttons to move through the countermeasures
which satisfy the selections made in step 2.
The assets for which the countermeasure you selected has been
recommended are displayed in the Report on Asset drop-down list box.
Select the asset you wish to produce the backtrack report for in the Report
on Asset drop-down list box.
If you want to produce the associated Stage 2 backtrack reports, select the
Perform Related Stage 2 Backtrack check box.
You can also produce the associated Stage 1 backtrack reports by selecting
the Perform Related Stage 1 Backtrack check box in the Stage 2 Backtrack
Report screen.
Use the Output to controls to select the destination of your report, then
press the Generate Report button to produce the report.
If you selected the Perform Related Stage 2 Backtrack check box in step 6, a
separate report will be produced for the Stage 2 backtrack and each
associated backtrack.
The Stage 2 Backtrack Report screen appears for each associated report. You
should select the output for the report, or not perform the specific
backtrack as required. You can also abandon the backtrack sequence at
any point.
The objective of the Risk Management Report is to present the overall findings,
conclusions and recommendations from the review. The report should set out the
recommendations made as a result of the review, and include a summary of the
findings and conclusions from Risk Analysis. It should also explain why these
recommendations have been made and provide a broad indication of the priority and
costs involved in implementing the recommendations.
Following the meeting, report(s) should be updated as necessary and final versions
distributed.
11. BS 7799
11.1 Introduction
Method Concept: The full title of BS 7799 is BS 7799: Code of Practice for
Information Security Management. The standard is intended for use by managers
and employees who are responsible for initiating, implementing and maintaining
information security. One of the key requirements of BS 7799 is the need to
complete a risk assessment, therefore CRAMM is ideally placed to help
organisations demonstrate their compliance with the standard. CRAMM provides a
complete range of support for all of the BS 7799 tasks, including conducting a gap
analysis and preparing a statement of applicability.
CRAMM assists organisations in demonstrating their compliance with BS 7799. In
particular, it contains:
ability to produce organisational information security policies, scope of
Information Security Management Structure (ISMS), security management
framework documents
a fully worked through risk assessment with the results related directly to the
sections contained in BS 7799
ability to record management's views on the need for particular controls
ability to record what resources deliver those controls
facilities to help prepare a security improvement programme
facilities to help prepare a statement of applicability
This section covers the following topics:
steps in BS 7799 assignment (Section 11.3)
initiating a BS 7799 assignment (Section 11.4)
conducting a gap analysis (Section 5)
preparing a security improvement program (Section 0)
preparing a statement of applicability (Section 0)
the role of CRAMM in supporting BS 7799 (Section 0)
8 The Existing Reviews text box lists the names of existing reviews which
you have created to enable you to select an appropriate, unique name for
the review.
9 When you are satisfied with the details for the review, press the Create
Review button. The Enter New Review Password screen is displayed, as
shown in Figure 5-6.
If you want to set up a password for the review, type it into the New
Password text box. The password can be up to eight characters long. Type
it again into the Confirm New Password text box and press the OK button.
If you do not want to set up a password, select the Do not password protect
check box.
10 A screen is displayed when the review is being created that contains a
mobile activity indicator and a Cancel button. When the review has been
created, the Main BS 7799 process flow screen is displayed.
11 If you decide not to create a new review after all, simply press the Close
button to return to the Review application window.
On opening a BS 7799 review, you are presented with the main BS 7799 form which is
shown below:
The steps in the Gap Analysis stage of a BS 7799 assignment are as follows:
Production of an Organisation Information Security Policy
Print BS 7799 (Part II)
Record the status of the BS 7799 Controls
Produce a Gap Analysis Report
These steps are defined in detail in the following sections.
The title of the most senior person in the organisation (e.g., chief
executive, permanent secretary).
Please Note: A royalty fee has been paid to BSI for the rights to reproduce
BS 7799 (Part II) in the CRAMM software. However, this only entitles the
user to use this material in conjunction with their use of the CRAMM
software. The report must not be further reproduced or distributed without
the written permission of BSI.
Once the BS 7799 Report has been printed, it can be used as the basis of a series of
interviews with members of the organisation's staff to find out the current status of
the organisation against the standard.
The Print BS 7799 screen is shown below.
To Record an Action
Step
1 Type in a brief description of the action
2 Record the status of the action. Allowable statuses are:
Not Assigned
Assigned
Underway
Complete
Under Review
3 If the person who is to carry out the action has already been defined,
select their name from the drop down list. If the person who is to carry
out the action has not been already defined type their name in, and you
will be prompted if you wish to create that person as a security resource.
4 Type in an estimate of how much effort will be required to complete the
action
5 Record any notes you wish about the action that you have just created
6 Enter a timescale by which you would like the action completed.
7 To save the action, click on the Save Action button. The Action form
remains open so that you can create further actions if you require.
The steps in the Risk Management stage of a BS 7799 assignment are as follows:
Conduct a CRAMM review
Print a range of reports based on the findings of the CRAMM review in a
form that is directly relevant to BS 7799
These steps are defined in detail in the following sections.
The steps in the Requirements for BS 7799 Controls stage of a BS 7799 assignment are
as follows:
Print BS 7799 Measures of Risk Report
Print Detailed BS 7799 Countermeasures
Enter Status of BS 7799 Countermeasures
These steps are defined in detail in the following sections.
Figure 11-113: The Allocate Resources to, and Enter Status of BS 7799
Countermeasures Screen
[Figure: CRAMM Express, CRAMM Expert and BS 7799 positioned against Information Security Risks, Business Risks and Project Risks]
In order that it is clear which items would be included in CRAMM Express and which
would not, the following figure shows a countermeasure sub group and the different
components of the sub group.
Countermeasure Group: Identification and Authentication
No. Description
1. All users should be allocated an identifier (user ID) [Category 1 CM]
1.1 User ID may be shared between a group of users [Category 2 CM]
1.2 A register of service users to be maintained [Category 2 CM]
1.8 User IDs not to give any indication of the user's privilege level [Category 2 CM]
1.8.1 The User ID not to indicate the user's job [Category 3 CM]
1.8.2 The User ID not to indicate the user's level of authority [Category 3 CM]
2. The system should maintain the clearances and authorisations granted to users [Category 1 CM]
This screen allows you to enter details of the review you wish to create, as follows.
1 Use the Name text box to enter a name for the review.
2 Use the Type of Review combo box to select the type of review that you
wish to conduct. The options are either CRAMM Expert, CRAMM
Express or BS 7799. To create a CRAMM Express review select CRAMM
Express.
3 Use the Protective Marking text box to enter the protective marking for the
review.
4 Use the Description text box to enter a description of the review.
5 Use the Report Header text box to enter the header to be used in reports
produced by the review.
6 The Existing Reviews text box lists the names of existing reviews which
you have created to enable you to select an appropriate, unique name for
the review.
7 When you are satisfied with the details for the review, press the Create
Review button. The Enter New Review Password screen is displayed, as
shown in Figure 5-6.
If you want to set up a password for the review, type it into the New
Password text box. The password can be up to eight characters long. Type
it again into the Confirm New Password text box and press the OK button.
If you do not want to set up a password, select the Do not password protect
check box.
8 A screen is displayed when the review is being created that contains a
mobile activity indicator and a Cancel button. When the review has been
created, the Main CRAMM Express process flow screen is displayed.
9 If you decide not to create a new review after all, simply press the Close
button to return to the Review application window.
Figure 12-123: CRAMM Express Set Threat and Vulnerability Levels Screen
The Countermeasure Report screen allows you to produce three types of report:
Measure of Risk Report
Summary Report
Detailed Report
The measures of risk report shows the results of the threat and vulnerability
assessment, the highest impact that the threats can cause and the measures of risk
that have been determined by combining these factors together using the risk matrix.
The summary report shows which threats have led to which countermeasure groups
being recommended, and the measures of risk associated with these threats.
The Detailed Report allows the user to print out details of the countermeasures that
have been recommended on the basis of the assessments of risk.
The column on the right-hand side of the screen shows the Category of the
countermeasure. By default CRAMM Express only contains Category 1
countermeasures, but it is possible to add further, more detailed countermeasures
using the Maintain CRAMM Express Countermeasures facility.
To Enter Installed Status in CRAMM Express
Step
1 Select the Countermeasure Group of interest
2 Either select a Status Flag from the box labelled Status for all
Countermeasures to apply one status flag to all the recommended
countermeasures in that group.
3 Alternatively select the appropriate Status Flag for each countermeasure
individually.
4 You can record comments about the countermeasure in the comments
box. If you double click on the box a larger text box will appear which
will make it easier to enter lengthy comments.
Having entered the status flags and comments, the information that you have entered
will appear on the Detailed Countermeasure Reports shown previously.
[Figure: Business Continuity Management lifecycle]
Stage 1 Initiation: Initiate BCM
Stage 2 Requirements & Strategy: Business Impact Analysis; Risk Assessment; Business Continuity Strategy
Stage 3 Implementation: Organisation and Implementation Planning; Implement Stand-by Arrangements; Develop Business Recovery Plans; Implement Risk Reduction Measures; Develop Procedures; Initial Testing
Stage 4 Operational Management: Education and Awareness; Training; Testing; Change Control; Review; Assurance
3 Investigate and record (on a separate piece of paper) any data assets that
must be recovered before the data asset in question, and the relative
priority of these.
4 Investigate and record (on a separate piece of paper) any application
software assets that must be recovered before the application software
asset that supports the data asset in question, and the relative priority of
these.
Once you have gathered your information, you need to enter it into the CRAMM
software. This is described in the section below.
to create a new user group, press the New button and type the name
into the Name text box. Type the number of users in the user group in
the Number of Users text box.
to delete a user group, select it from the Name drop-down list box,
and press the Delete button. Note that a user group can only be
deleted if it has no relationship to a data asset. If any relationships
exist you must remove them using the controls in the User Details
group box in the Create and Maintain Data Recovery Details
screen, before deleting the user group (this is described in step 5).
5 The table in the User Details group box displays the user groups related to
the selected asset, and the maximum time period in which the asset must
be recovered for each group. You can do the following in this group box:
to create a new relationship between a user group and the selected
asset, press the New button. The User Details screen is displayed, as
shown in Figure 13-135.
6 Select a row in the User Details table and use the table in the Physical and
Software Assets Supporting Selected Data and Users group box to view, create
or edit the physical and software assets which support the data and user
group selected in the Data Asset drop-down list box and User Details table.
type the number of assets into the Num Assets column in the table in
the Physical and Software Assets Supporting Selected Data and Users
group box in the Create and Maintain Data Recovery Details screen.
if the value entered into the Num Assets or Num Staff column
represents a resource which is shared with a different user group,
this can be indicated by typing an asterisk after the number. This will
be reproduced on the reports produced from this information.
To remove an entry from the table, select the row and press the Delete
Support Asset button.
Once you have entered the information into the CRAMM software, you can produce
a range of reports. Section 13.5.3 describes how to do this.
if you select Recovery Requirements for, select from the adjacent drop-
down list box:
assets in a list
assets in a group
assets in a location
The name of the list box in the middle of the screen on the right changes
according to the selection you make. For each asset to be reported on,
select it and press the Add button. The assets are added to the Report
on list box.
3 If you wish to remove an item from the report, select it in the Report on list
box and press the Remove button.
4 When you are satisfied that you have selected the content of the report
correctly, use the Output to controls to select the destination of your
report, then press the Generate Report button to produce the report.
These reports show different views of the recovery objectives and minimum
requirements. They can be used in the costing and evaluation of recovery options for
contingency planning which are identified in the Risk Management Stage of
CRAMM.
check that the option can support the minimum requirements and
dependencies that were identified in Stage 1.
that have been pulled through from the data asset scenarios, or the factors
behind the assessment of threats and vulnerabilities.
Screen 5 Save/Print/Export report
This screen allows users to specify which appendices they wish to include
in their report, and then to either preview the report, print the report or to
export it into MS Word format for further editing.
status flags together to produce a report showing the extent to which risks are
treated or untreated
The screens in the Wizard are as follows:
Screen 1 Select the type of report
This screen gives the user the opportunity to choose which type of report
they wish to create. The types that can be selected include:
IT Security
Network Security
Physical Security
Environmental Security
Administrative Security
All
It is also possible to select the level of detail that the countermeasures
have been explored to by using the Select Category combo box.
Screen 2 Select the style of report
This screen gives the user the opportunity to identify which
countermeasure status flags they wish to be regarded as:
Treated Risks
Untreated Risk
Accepted Risks
Once the Security Inspection Questionnaire has been printed, it can be used as the
basis of a series of interviews with members of the organisation's staff to find out the
current status of the organisation against the questionnaire.
The Print Security Inspection Questionnaire screen is shown below.
To Record an Action
Step
1 Type in a brief description of the action
2 Record the status of the action. Allowable statuses are:
Not Assigned
Assigned
Underway
Complete
Under Review
3 If the person who is to carry out the action has already been defined,
select their name from the drop down list. If the person who is to carry
out the action has not already been defined, type their name in, and you
will be asked whether you wish to create that person as a security resource.
4 Record the priority of the action. Allowable priorities are:
Mandatory
Recommendation
Observation
To produce a report detailing the differences between the What If analysis and the
original review:
Step
From the Stage 3 What If menu, choose Report. The What If Report screen
is displayed, as shown in Figure 17-159.
The method recognises that effective control can only be achieved where
particular countermeasures are themselves supported by other
countermeasures. For example, when it is recommended that a task be
undertaken (a procedure), it may also be recommended that guidance is
drawn up (documentation) and possibly that staff be trained (personnel).
You should ensure that an appropriate mix of countermeasures from
different security aspects is implemented.
18.4 Tidying up
Method Concept: To allow changes to be modelled effectively, and to support
follow up reviews, the CRAMM database relating to the review and all supporting
paper and electronic documentation may need to be tidied up.
On completion of the CRAMM review you should ensure that all documentation is
tidy and accessible, and that all reference documents are clearly marked and stored
securely. A copy of both the review data and CRAMM software should be made and
stored with the reports, preferably at a separate location from the PC running the
CRAMM software.
2 Select the review you wish to back up in the Existing Reviews list box.
3 Press the Backup button.
4 If the review you selected is password protected, the Review
Authentication screen is displayed in which you need to type the
password.
5 The Backup Review to File screen is displayed for you to supply the
details of the file to which you want the back-up copy to be written. (This
is based on the standard Windows file browse screen.) The file will be
given the suffix .CRM.
Physical Assets and their Locations: displays a list of the physical assets
in the source review from which you can select those to copy to the
new review. This also copies the locations of those assets to the new
review
Software and Data Assets: displays a list of the software and data
assets in the source review from which you can select those to copy
to the new review
6 You can further qualify the above copy actions by selecting the following
check boxes:
Include Countermeasure Details: this copies details of countermeasures
installed for the assets copied to the new review
Note that only the given valuations of the assets are copied, not the
implied values calculated by the software. The latter must be recalculated
in the new review.
7 To add items to be copied to the new review, select from the list box in the
bottom right corner of the screen and press the Add button. This will add
the items selected to the Items to Copy list box. You can remove items from
the Items to Copy list box by selecting them and pressing the Remove
button.
8 When you are satisfied with the details you wish to copy, press the Copy
Items button.
9 You may copy as many reviews as you like before pressing the Close
button to return to the CRAMM System Administration window.
When a CRAMM review has been completed the CRAMM software contains a
complete database of the system or network reviewed. It holds valuable information
covering all aspects of the system or network components and the data it processes.
This information can be used for system configuration management, where changes
or development to the system or network can be logged along with any changes to
the security requirements or countermeasures. The CRAMM database can be
beneficial to both the business and security aspects of IT systems as well as providing
a central point for audit information.
The installation process makes the necessary changes to the following files to ensure
the correct configuration:
system.ini
config.sys
autoexec.bat.
If you have specific configuration requirements for other applications which you run,
you should make back-up copies of these three files. Following the CRAMM
installation, you should compare the two sets of files to ensure that the needs of both
CRAMM and your other applications will be met.
The installation process puts the following files in your Windows directory:
sql.ini
cramm.ini
sentinel.386.
CRAMM is supplied with a hardware dongle. You must ensure that the dongle is
connected to the parallel printer port before attempting to run the software. If you
remove the dongle whilst the software is running, the software will close down.
A.2 Software requirements
Windows 2000
Windows XP
Please note, CRAMM will not run on Windows 3.1, Windows 3.11 or Windows 95
machines.
4. When prompted by the software, you can choose to install the user guide or the
Adobe Acrobat Reader.
5. If you see messages about DLLs in use, please take a note of the names of
these DLLs but choose the Ignore option.
6. Reboot the machine when prompted by the software.
7. You should now be able to run the CRAMM software. Remember the software
is copy protected, by the use of a dongle, so you will need to have the dongle
in the printer port before you can run the software.
Once CRAMM has started, you should select New from the Review Menu in order
to create a new review.
After the CRAMM V5.1 software has been installed, a shortcut will appear on the
desktop which can then be used to start up the CRAMM software.
You can uninstall the CRAMM software using the add/remove programs option from
the Control Panel. You will need to uninstall the Centura component of the
CRAMM software and the Access component of the CRAMM software separately.
Once you have removed all these components you will find that the CRAMM51
directory still remains because the uninstall program will not delete the Access
databases that contain some of the information you entered during the review. If you
no longer require these databases it is safe to delete the CRAMM51 and CRAMM
v5.1 Access Database directories.
B. Glossary of terms
Term Definition
Application layer The layer that provides means for the application
processes to access the OSI environment.
NOTES
1 This layer provides means for the application
processes to exchange information and it contains the
application-oriented protocols by which these
processes communicate.
archive file A file out of a collection of files set aside for later
research or verification, for security or for any other
purposes.
baseband LAN A local area network in which data are encoded and
are transmitted without modulation of carrier.
calling service user A service user that initiates a request for the
establishment of a connection.
check digit [check character] A check key consisting of a single digit [character].
computer security feature Hardware, firmware or software which are part of, or
added to, a computer system to enhance overall
security.
data link layer The layer that provides services to transfer data
between network layer * entities, usually in adjacent
nodes.
NOTES
1 The data link layer detects and possibly corrects
errors that may occur in the physical layer.
data processing system security, computer system security The technological and
administrative safeguards established and applied to a data processing system to
protect hardware, *software, and data from accidental
or malicious modifications, destruction, or disclosure.
data protection The implementation of appropriate administrative,
technical or physical means to guard against the
unauthorized interrogation and use of procedures and
data.
Data Protection Act The Data Protection Act (1998) is concerned with the
protection of personal information
data quality The correctness, timeliness, accuracy, completeness,
relevance, and accessibility that make data appropriate
for their use.
data security The protection of data from either accidental or
unauthorized intentional modification, destruction, or
disclosure.
data validation A process used to determine if data are inaccurate,
incomplete, or unreasonable.
NOTE-- Data validation may include format checks,
completeness checks, check key tests, reasonableness
checks and limit checks.
Distance vector routing, DVR (abbreviation) Dynamic routing technique where a
router builds its table from information obtained secondhand from
tables advertised by adjacent routers. The routing
information protocol (RIP) is based on distance
vectors.
end open system An open system that provides services directly to end
users.
Alternatively :
An open system which is the source or the sink of the
data for a given instance of communication.
Reason : The phrase "end user" is ambiguous (if this
phrase designates the operator before a terminal, the
definition is not true).
end-of-file label, trailer label, EOF (abbreviation) An internal label that
indicates the end of a file and that may contain data for use in file control.
NOTE--An end-of-file label may include control totals
for comparison with counts accumulated during
processing.
end-of-volume label, EOV (abbreviation) An internal label that indicates the end
of the data contained in a volume.
file transfer, access and management, FTAM (abbreviation) An application service
that enables user application processes to move files between end open systems and
to manage and access a remote set of files, which may
be distributed.
frame check sequence, FCS (abbreviation) The frame check sequence is used to
ensure that the data received is actually the data sent.
Functional security testing The portion of security testing in which the advertised
features of a system are tested for correct operation.
internet control message protocol, ICMP (abbreviation) Supports the IP protocol
rather than transmitting user data. Ping is an example, using ICMP to ensure that
there is connectivity between two hosts.
LAN broadcast address, LAN global address A LAN group address that identifies
the set of all data stations on a local area network.
LAN multicast address A LAN group address that identifies a subset of the
data stations on a local area network.
Alternatively :
An attack on a system in which an unauthorised entity
pretends to be an authorised one for the purpose of
gaining access to system assets.
Medium interface connector, MIC (abbreviation) In a local area network, the
connector used to attach a data station to a trunk coupling unit, *trunk cable, or
drop cable.
network file system, NFS (abbreviation) A system which allows file sharing over a
network.
network layer The layer that provides for the entities in the transport
layer the means for transferring blocks of data, by
routing and switching through the network between
the open systems in which those entities reside.
NOTES
1 The network layer may use relay open systems.
network news transfer protocol, NNTP (abbreviation) A service, similar to e-mail,
enabling news rather than mail to be delivered to newsgroups.
peer entities Entities in the same or different open systems that are
in the same layer.
NOTE - The communication between entities located
in the same open system is outside the scope of OSI.
real open system A real system that complies with the requirements of
open systems interconnection standards in its
communication with other real systems.
Receiving service user A service user that acts as a data sink during the data
transfer phase of a connection or during a particular
instance of connectionless-mode transmission.
routing information protocol, RIP (abbreviation) A routing protocol which takes
into account the number of hops taken for a packet to traverse a
network. The basis of distance vector routing.
routing table Routing tables tell the router which logical networks
are available to deliver information to and which
routers are capable of forwarding information to that
network.
Scavenging Searching through residue for the purpose of
unauthorised data acquisition.
security policy The set of laws, rules and practices that regulate how
information is managed, protected and distributed in a
system or network.
The set of criteria for the provision of security
services.
(ISO 7498-2/3.3.50)
NOTE -- A complete security policy will necessarily
address many concerns which are outside of the scope
of OSI.
sending service user A service user that acts as a data source during the
data transfer phase of a connection or during a
particular instance of connectionless-mode
transmission.
Service data unit, SDU (abbreviation) A set of data that are sent by a user of the
services of a given layer and that must be transmitted to the peer
service user semantically unchanged.
standby system Any system, other than the normal one, which enables
some continuation of work when the normal system
has failed.
star property A Bell-LaPadula security model rule allowing a
subject write access to an object only if the security
level of the subject is dominated by the security level
of the object.
Abbreviated *-property
static routing The simplest method of routing, generally used in IP
networks, where a static route is defined in the routing
table as the point leading to a specific network
strength of mechanism A measure of the effectiveness of a security
mechanism to prevent a breach of the system security
policy, assuming it has been correctly implemented.
Structured System Analysis and Design Method (SSADM) A structured system
development method used widely both within UK government departments and
commercially.
Security Operating Procedures (SyOPs) Documentation specifying the procedures
that need to be carried out in order to ensure the security of a
system.
sublayer In the Open Systems Interconnection reference model,
a conceptually complete group of services, functions,
and protocols that may extend across all open systems
and that is included in a layer.
system high security mode A mode of operation in which ALL individuals with
access to the data processing system or network are
cleared to the highest classification level of
information stored, processed or transmitted within the
data processing system or network, but NOT ALL
individuals with access to the data processing system
or network have a common need-to-know for the
information stored, processed or transmitted within the
data processing system or network.
NOTES
trusted function assurance level The overall assurance level that is established for a
trusted function of a system during the evaluation of
the system.
virtual local area network, VLAN (abbreviation) Using switches, software enables
virtual networks to be set up logically (work-group based) rather than
geographically.
Volume (header) label, Volume header An internal label that identifies the volume
and indicates the beginning of its data.
C. Checklists
C.1 Stage 1 checklist
At the end of Stage 1 you will have done the following:
obtained management authorisation and commitment to the review
defined the overall project schedule
established the boundary of the review
entered the review boundary into CRAMM
identified the data owners for interviewing
created a Project Initiation Document (PID)
obtained approval for the PID from management
identified the physical assets
identified the data assets
identified the application software assets
identified the locations
modelled the interrelationships between the data, application software
and physical assets, and the locations
printed the Data Asset Valuation forms
interviewed appropriate staff using these forms
entered the interview results into the CRAMM software
if required:
printed the Recovery Objectives form
completed the form through interviews with users and support staff
D. Impact types
D.1 Introduction
CRAMM allows data assets to be valued against the following impacts:
unavailability
destruction
disclosure
modification.
These are described in section D.2.
P Physical destruction
15 M Unavailability - 15 minutes
1 Hr Unavailability - 1 hour
3 Hr Unavailability - 3 hours
12 Hr Unavailability - 12 hours
1 Dy Unavailability - 1 day
2 Dy Unavailability - 2 days
1W Unavailability - 1 week
2W Unavailability - 2 weeks
1M Unavailability - 1 month
2M Unavailability - 2 months
B Loss of data since last back-up
T Total loss of all data
I Unauthorised disclosure to insiders
C Unauthorised disclosure to contracted third parties
O Unauthorised disclosure to outsiders
S E/T Small-scale errors (for example, keying errors)/small-scale errors in
transmission
W E/T Widespread errors (for example, programming errors)/widespread
errors in transmission
D S/T Deliberate modification of stored data/deliberate modification of data
in transit
Or Repudiation of origin
Rc Repudiation of receipt
Nd Non-delivery
Rp Replay
Mr Mis-routing
Tm Traffic monitoring
Os Out-of-sequence
In Insertion of false message
E. Valuation guidelines
E.1 Introduction
The guidelines for the Standard Profile are shown in Table E/1. Where a protective
marking (Restricted, Confidential, Secret or Top Secret) applies, it is indicated in
brackets. No such entry means that a protective marking is not justified or not
relevant.
Notes and examples on how to interpret the guidelines in specific circumstances are
provided in sections E.3 to E.14. Where examples are given, the numbers refer to the
numbers in the Asset Value column in Table E/1.
E-5
CRAMM User Guide
Personal safety
Personal information
Many IT systems hold and process information about individuals, for example pay,
personnel appraisal and medical details. In such cases each person can readily be
identified.
It is morally and ethically correct, and in some circumstances legally required, that
information about people is protected against unauthorised disclosure. This
disclosure could result in, at best, embarrassment and reduction in self esteem and, at
worst, adverse legal action (for example under the data protection legislation).
Equally it is required that information about people is always correct, as
unauthorised modification resulting in incorrect information could have effects
similar to those caused by unauthorised disclosure.
It is also important that information about people is not made unavailable or
destroyed, as this could result in incorrect decisions or no action by a required time,
with effects similar to those caused by unauthorised disclosure or modification.
Where an adverse impact is likely to result in an infringement of, for example, the
Data Protection Act, or other legal action, the legal guidelines for assigning values
must also be reviewed. Where an adverse impact could have implications for the
safety of an individual, the personal safety guidelines should be referenced.
Example
6 group of individuals: examples are individual pressure groups, charities or
groups of patients.
Notes
Within the guideline, distress can be taken to mean anger, frustration,
disappointment, embarrassment or concern.
Data held and processed by an organisation may be subject to legal and regulatory
obligations, or data may be held and processed by an organisation in order to allow it
to comply with legal and regulatory obligations. Failure to comply, either
intentionally or unintentionally, may result in legal or administrative actions taken
against individuals within the organisation concerned. These actions may result in
fines and/or prison sentences.
Note that the inclusion of valuations in the guideline for legal and regulatory
obligations is not intended for any other reason than to give weight to, and assist in
highlighting through the method, the countermeasures that are justified to prevent
the compromise occurring.
Notes
1 The following is a list of the main acts of law and regulations which are
relevant to this guideline. This is not intended to be a complete list:
the Data Protection Act of 1984 (see also the personal information
guideline)
the Computer Misuse Act of 1990 (see also the law enforcement
guideline)
the Copyright Designs and Patents Act of 1988 (see also the
commercial and economic interests guideline)
the Police and Criminal Evidence Act of 1984 (see also the law
enforcement guideline)
the Civil Evidence Act of 1968 (see also the law enforcement
guideline).
Law enforcement
Notes
1 The second and third entries against asset value 3, where no financial
values are mentioned, should be considered in relation to the financial
value threshold used in the first entry against asset value 3.
2 The word "could" in the description of asset value 7 should be interpreted
as indirectly causing the impact, and for asset values 9 and 10 the word
"would" should be interpreted as directly causing the impact.
Some IT systems store and process information which is concerned directly with
financial transactions or has a bearing on the financial well-being of the organisation
concerned. The consequences of unauthorised disclosure and modification, as well as
unavailability and destruction, of such information could well be financial loss.
Examples are loss from a reduction in share prices, fraud or breach of contract
because of late or no action.
Equally, the consequences of unavailability or destruction of any information could
be disruptions to users. To rectify and/or recover from such incidents takes time and
effort. This will in some cases be significant and should be considered. In order to use
a common denominator, the time to recover should be calculated in man months and
converted to a financial cost. This cost should be calculated by reference to the
normal cost for a man month at the appropriate grade/level within the organisation.
Notes
1 If the losses were large enough, that is the effects on the organisation were
very significant, there might be cases where a protective marking, or a
treat as a protective marking, could apply.
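The following worked example is added here and is not part of the CRAMM software or of this guide. It carries the financial loss guideline above through in code: recovery effort in man months is converted to a cost at a per-man-month rate, and the cost is mapped to an asset value using the Financial Loss/Disruption to Activities bands of Table E/1 (values 4 to 8, the only ones the extracted table reproduces; values 1 to 3 are deliberately not guessed). The unavailability period codes are those of Appendix D. The function names, the 5,000 per man month rate, the currency-free amounts and the payroll system scenario are all constructed for the example.

```python
from typing import Dict, Optional

# Financial Loss/Disruption to Activities bands from Table E/1 of this guide.
# Each entry is (exclusive lower bound, inclusive upper bound, asset value):
# "between 30,001 and 100,000" on whole-currency amounts is (30,000, 100,000].
# Values 1 to 3 are not reproduced in the extracted table, so they are absent.
FINANCIAL_LOSS_BANDS = [
    (30_000, 100_000, 4),
    (100_000, 300_000, 5),
    (300_000, 1_000_000, 6),
]
# Above 1,000,000 Table E/1 separates indirect losses (value 7) from
# direct losses (value 8).
OVER_ONE_MILLION = {"indirect": 7, "direct": 8}


def recovery_cost(man_months: float, cost_per_man_month: float) -> float:
    """Guideline step: express the time to recover in man months and convert
    it to money at the normal cost of a man month for the grade involved."""
    if man_months < 0 or cost_per_man_month < 0:
        raise ValueError("effort and rate must be non-negative")
    return man_months * cost_per_man_month


def financial_loss_value(loss: float, direct: bool) -> Optional[int]:
    """Asset value Table E/1 assigns to a monetary loss; None when the loss
    is below the lowest band reproduced above, so that no value is invented."""
    if loss > 1_000_000:
        return OVER_ONE_MILLION["direct" if direct else "indirect"]
    for lower, upper, value in FINANCIAL_LOSS_BANDS:
        if lower < loss <= upper:
            return value
    return None


def unavailability_values(
    effort_by_period: Dict[str, float],
    cost_per_man_month: float,
    direct: bool = True,
) -> Dict[str, Optional[int]]:
    """For each unavailability impact period (Appendix D codes such as
    '3 Hr' or '1 Dy') turn the estimated recovery effort into a cost and
    then into a Table E/1 asset value."""
    return {
        period: financial_loss_value(
            recovery_cost(effort, cost_per_man_month), direct
        )
        for period, effort in effort_by_period.items()
    }


# Constructed sample (hypothetical payroll system): man months of recovery
# effort after each outage period, costed at a constructed 5,000 per man
# month. A result of None means the loss is below the lowest band shown.
SAMPLE_EFFORT = {"3 Hr": 0.5, "1 Dy": 2.0, "1W": 12.0, "1M": 40.0, "2M": 250.0}
SAMPLE_RATE = 5_000.0

if __name__ == "__main__":
    for period, value in unavailability_values(SAMPLE_EFFORT, SAMPLE_RATE).items():
        cost = recovery_cost(SAMPLE_EFFORT[period], SAMPLE_RATE)
        print(f"{period:>5}: recovery cost {cost:>12,.0f} -> asset value {value}")
```

With the constructed figures the 3 hour and 1 day outages fall below the lowest band shown (None), one week costs 60,000 and scores 4, one month costs 200,000 and scores 5, and two months costs 1,250,000, which as a direct loss scores 8 (the same loss treated as indirect would score 7). The bands are left as data so that a reviewer can replace them with the organisation's own Standard Profile figures.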
Public order
2 In some cases when using this guideline it will be necessary to cross refer
to the policy and operations of the public service guideline.
International relations
A number of government organisations (particularly the FCO, the MOD and the DTI)
produce and handle information that concerns the UK's dealings with, and
relationships to, the governments of other countries (both friendly and unfriendly)
and international organisations. The unauthorised disclosure of some types of
information could affect the UK's relationships with one or more countries, or an
international organisation. Similarly, unauthorised modification of some types of
information (for example changing the meaning of a new policy) could have adverse
effects. Unavailability of some types of information (for example at critical stages of
negotiations) could affect the UK's position.
Examples
7 caused by formal protest or other sanctions
9 when the potential consequences could be the withdrawal of ambassadors
10 extreme cases where the consequence could be war.
Defence
Asset Value   Defence
1 Is likely to make it more difficult to maintain the operational
effectiveness or security of UK or allied forces at a local level
2 No entry
3 Is likely to make it more difficult to maintain the operational
effectiveness or security of UK or allied forces beyond a local level
(Restricted)
4 No entry
5 No entry
6 No entry
7 Is likely to cause damage to the operational effectiveness or security of
UK or allied forces
(Confidential)
8 No entry
9 Is likely to cause serious damage to the operational effectiveness or
security of UK or allied forces
(Secret)
10 Is likely to cause exceptionally grave damage to the operational
effectiveness or security of UK or allied forces
(Top Secret)
The UK's Defence forces perform a number of roles. These can be summarised as the
protection and security at home and abroad of the UK, its dependent territories and
allies, and the promotion of the UK's wider security interests through the
maintenance of international peace and stability. Thus, defence-related information is
concerned with the policy, direction, preparation, training and engagement of the
Services in fulfilment of their roles, including associated support activities.
Note that this guideline in particular should be used with great care, because so
much depends on the characteristics of each particular situation. For instance, the
corruption of a military communications system would have more serious
consequences in time of war than it would in peacetime.
Examples
The examples must be used with great care, because much depends on the particular
situation.
3 unauthorised disclosure of information concerning security force radio
communications
unauthorised disclosure of counter-terrorist measures at a military unit
7 unauthorised disclosure of plans for a peacekeeping mission
unauthorised disclosure of information on the whereabouts and types of
vehicles on an operation
unauthorised disclosure of information concerning a military
communications system
9 unauthorised disclosure of a military plan
loss of information on an operational IT command and control system
disruption of data on an IT system leading to a loss of re-supply capability
Information may be such that its compromise would prejudice the effective
performance of a public service organisation or organisations. For example,
information relating to a change in a government policy may, if disclosed, provoke
public reaction to the extent that it would not be possible to implement the policy.
Similarly, information relating to the staff of a public sector organisation (such as
changes in conditions of employment) may, if compromised prior to consultation,
lead to bad staff relations and thus undermine the proper management of that public
sector organisation. Modification or unavailability of information concerned with
financial aspects, or computer software, could also have serious ramifications for the
operation of a public sector organisation.
Note that this guideline should not be blindly applied to all possible compromises;
each case should be considered carefully to decide what is appropriate.
Examples
3 the unauthorised disclosure of staff-related information, the compromise
of which could seriously affect staff morale and therefore the operation of
the organisation, or detail of management decisions
5 the unauthorised disclosure of details of changes to the machinery of
government, such as proposals for relocations or redundancies, prior to or
without consultation
6 the unauthorised disclosure of contract material which could affect the
government's position, or information relating to a privatisation exercise
7 the unauthorised disclosure of plans which are against public opinion. If,
for example, plans to privatise air traffic control were made public
prematurely it would be difficult to get such policy adopted, and there
could be knock-on effects on the air traffic control service because of strike
action. Similar situations could arise related to negotiating positions with
unions, on road schemes, and on benefits.
Loss of goodwill
Constitute a breach of proper undertakings to maintain the confidence of
information provided by third parties (Restricted)
Table E/1 guidelines, asset values 4 to 10 (columns: Management and Business
Operations; Personal Safety; Personal Information; Legal and Regulatory
Obligations; Law Enforcement; Commercial and Economic Interests; Financial
Loss/Disruption to Activities)

Asset value 4
Management and Business Operations: No entry
Personal Safety: Is likely to lead to minor injury to several individuals (Restricted)
Personal Information: A breach in a legal, regulatory or ethical requirement or
publicised intention on the protection of information, leading to minor distress
to a group of individuals (Restricted)
Legal and Regulatory Obligations: Civil suit or criminal offence resulting in
damages/penalty of between 2,001 and 10,000
Law Enforcement: Cause the investigation or trial of a crime to be abandoned
(Restricted)
Commercial and Economic Interests: Be of value to a competitor to a value that is
between 100,001 and 1,000,000 (turnover)
Financial Loss/Disruption to Activities: Result directly or indirectly in losses of
between 30,001 and 100,000

Asset value 5
Management and Business Operations: Impede the effective development or
operation of the organisation's policies
Personal Safety: No entry
Personal Information: A breach in a legal, regulatory or ethical requirement or
publicised intention on the protection of information, leading to substantial
distress to an individual (Restricted)
Legal and Regulatory Obligations: Civil suit or criminal offence resulting in
damages/penalty of between 10,001 and 50,000, or a prison term of up to two years
Law Enforcement: No entry
Commercial and Economic Interests: Be of value to a competitor to a value that is
between 1,000,001 and 10,000,000 (turnover)
Financial Loss/Disruption to Activities: Result directly or indirectly in losses of
between 100,001 and 300,000

Asset value 6
Management and Business Operations: Disadvantage the organisation in
commercial or policy negotiations with others
Personal Safety: Is likely to lead to more than a minor injury, restricted to an
individual (Restricted)
Personal Information: A breach in a legal, regulatory or ethical requirement or
publicised intention on the protection of information, leading to substantial
distress to a group of individuals (Restricted)
Legal and Regulatory Obligations: Civil suit or criminal offence resulting in
damages/penalty of between 50,001 and 250,000, or a prison term in excess of two
years and up to ten years
Law Enforcement: No entry
Commercial and Economic Interests: Be of value to a competitor to a value that is
more than 10,000,000 (turnover)
Financial Loss/Disruption to Activities: Result directly or indirectly in losses of
between 300,001 and 1,000,000

Asset value 7
Management and Business Operations: Seriously impede the development or
operation of major organisational policies, or shut down or otherwise
substantially disrupt significant operations
Personal Safety: Is likely to lead to more than minor injury to several individuals
(Confidential)
Personal Information: No entry
Legal and Regulatory Obligations: Civil suit or criminal offence resulting in
unlimited damages/penalty, or a prison term in excess of ten years
Law Enforcement: Facilitate the commission of a serious crime, or impede the
investigation of a serious crime (Confidential)
Commercial and Economic Interests: Could substantially undermine national
economic and commercial interests (Confidential), or Work substantially against
national finances (Confidential), or Substantially undermine the financial
viability of major organisations (Confidential)
Financial Loss/Disruption to Activities: Result indirectly in losses of more than
1,000,000

Asset value 8
Management and Business Operations: No entry
Personal Safety: Is likely to prejudice individual security/liberty (for example,
is likely to lead to the life of an individual or group of individuals being
threatened) (Confidential)
Personal Information: No entry
Legal and Regulatory Obligations: No entry
Law Enforcement: Cause the investigation or trial of a serious crime to be
abandoned (Confidential)
Commercial and Economic Interests: No entry
Financial Loss/Disruption to Activities: Result directly in losses of more than
1,000,000

Asset value 9
Management and Business Operations: No entry
Personal Safety: Is likely to lead to the death of an individual, and/or seriously
prejudice individual security/liberty (Secret)
Personal Information: No entry
Legal and Regulatory Obligations: No entry
Law Enforcement: No entry
Commercial and Economic Interests: Would be likely to cause substantial material
damage to national economic and commercial interests (Secret)
Financial Loss/Disruption to Activities: No entry

Asset value 10
Management and Business Operations: No entry
Personal Safety: Is likely to lead to the widespread loss of life (Top Secret)
Personal Information: No entry
Legal and Regulatory Obligations: No entry
Law Enforcement: No entry
Commercial and Economic Interests: Would be likely to cause severe long term
damage to the UK economy (Top Secret)
Financial Loss/Disruption to Activities: No entry
Impact scales: Public Order; International Relations; Defence; Security and Intelligence Operations; Policy and Operations of Public Service; Loss of Goodwill

Value 1
Public Order: Is likely to cause very localised or community level protest
International Relations: No entry
Defence: Is likely to make it more difficult to maintain the operational effectiveness or security of UK or allied forces at a local level
Security and Intelligence Operations: No entry
Policy and Operations of Public Service: Inefficient operation of one part of an organisation
Loss of Goodwill: No entry

Value 2
Public Order: No entry
International Relations: No entry
Defence: No entry
Security and Intelligence Operations: No entry
Policy and Operations of Public Service: No entry
Loss of Goodwill: Adversely affect relations with other parts of the organisation

Value 3
Public Order: Is likely to cause limited or localised protest (Restricted)
International Relations: Adversely affect diplomatic relations
Defence: Is likely to make it more difficult to maintain the operational effectiveness or security of UK or allied forces beyond a local level (Restricted)
Security and Intelligence Operations: No entry
Policy and Operations of Public Service: Undermine the proper management of a public sector organisation and its operation (Restricted)
Loss of Goodwill: Adversely affect relations with other organisations or the public, but with the adverse publicity confined to the immediate geographic vicinity and with no lasting effects

Value 4
No entry in any column

Value 5
Public Order: No entry
International Relations: No entry
Defence: No entry
Security and Intelligence Operations: No entry
Policy and Operations of Public Service: Impede the effective development or operation of government policies (Restricted)
Loss of Goodwill: Adversely affect relations with other organisations or the public, with the adverse publicity more widespread than just the immediate geographic vicinity

Value 6
Public Order: Is likely to cause demonstrations, or significant lobbying, or localised industrial action (Restricted)
International Relations: No entry
Defence: No entry
Security and Intelligence Operations: No entry
Policy and Operations of Public Service: Disadvantage government in commercial or policy negotiations with others
Loss of Goodwill: No entry

Value 7
Public Order: Is likely to cause industrial action with nationally felt effects
International Relations: Materially damage diplomatic relations (Confidential)
Defence: Is likely to cause damage to the operational effectiveness or security of UK or allied forces (Confidential)
Security and Intelligence Operations: Cause damage to the effectiveness of valuable security or intelligence operations (Confidential)
Policy and Operations of Public Service: Seriously impede the development or operation of major government policies (Confidential), or shut down or otherwise substantially disrupt significant national operations (Confidential)
Loss of Goodwill: Significantly affect relations with other organisations or the public, resulting in widespread adverse publicity

Value 8
No entry in any column

Value 9
Public Order: Is likely to cause widespread industrial action, for example a general strike, or is likely to seriously prejudice public order (Secret)
International Relations: Raise international tension (Secret), or seriously damage relations with friendly governments (Secret)
Defence: Is likely to cause serious damage to the operational effectiveness or security of UK or allied forces (Secret)
Security and Intelligence Operations: Cause serious damage to the continuing effectiveness of highly valuable security or intelligence operations (Secret)
Policy and Operations of Public Service: No entry
Loss of Goodwill: No entry

Value 10
Public Order: Threaten directly the internal stability of the UK (Top Secret)
International Relations: Cause exceptionally grave damage to relations with friendly governments (Top Secret), or threaten directly the internal stability of friendly countries (Top Secret)
Defence: Is likely to cause exceptionally grave damage to the operational effectiveness or security of UK or allied forces (Top Secret)
Security and Intelligence Operations: Cause exceptionally grave damage to the continuing effectiveness of extremely valuable security or intelligence operations (Top Secret)
Policy and Operations of Public Service: No entry
Loss of Goodwill: No entry
Annex F
Threats
F. Threats
F.1 Introduction
Table F/1 shows all the threats covered by CRAMM and the standard impacts that
each threat can cause. A Y against a threat and an impact indicates that the
threat could cause that impact. A key to impacts is provided at the end of the table.
Table F/2 shows typical asset groups for each threat. You need to select the
threat/asset group combinations relevant to the review. In principle any threat
could be linked to any asset group, since an asset group can contain any asset or
any combination of assets.
F.2 Threats
Technical Failure of Host: This questionnaire identifies the factors that increase the threat of technical failure of a network host. This threat covers failures of the CPU or other hardware items.
Technical Failure of Print Facility: This questionnaire identifies the factors that increase the threat of technical failure of the print facility.
Power Failure: The threat of power failure covers the possibility that the power supply to the building may fail. The types of power failure covered by this threat include:
- spikes
- surges
- brown outs
- black outs
Air Conditioning Failure: The threat of air conditioning failure covers the possibility that work may have to be suspended because temperatures in the location fall outside of acceptable parameters.
System and Network Software Failure: The threat of system and network software failure covers the possibility that the system or network software might fail.
User Error: The threat of user error covers the possibility that the users might make mistakes when using the application.
Staff Shortage: The threat of staff shortage covers the possibility of the absence of key personnel for whatever reason and the ease with which they could be replaced. The vulnerability to staff shortage depends on the extent to which shortage of staff would affect the business processes.
Table F/1: Threats and the standard impacts each can cause

Key to impacts (the row labels printed beside the table, in the order they appear):
Physical Destruction
Unavailability for 15 minutes, 1 hour, 3 hours, 12 hours, 1 day, 2 days, 1 week, 2 weeks, 1 month, 2 months
Loss of Data since last Back-up
Total Loss of all Data
Unauthorised Disclosure to Insiders, to CSPs, to Outsiders
Small scale errors (eg, keying errors), in transmission
Widespread errors (eg, programming errors), in transmission
Deliberate Modification of Stored Data, in Transmission
Repudiation of Origin
Repudiation of Receipt
Non-delivery
Replay
Mis-routing
Traffic Monitoring
Out-of-Sequence
Insertion of False Message

Column abbreviations printed in the table header, left to right: P; 15M 1H 3H 12H 1D 2D 1W 2W 1M 2M; B T; I C O; SE WE DM In; Or Rc Nd Rp Mr Tm Os.

The table also has rows for Hardware Maintenance Error and Software Maintenance Error, of which only the headings survive in this copy. For the rows below, a Y marks an impact the threat can cause; the columns are not aligned in this copy, so the marks are reproduced in the order printed.

NAME
Communications Infiltration Y Y Y Y Y Y Y Y Y Y Y Y
Communications Interception Y Y Y Y
Communications Manipulation Y Y Y Y Y Y Y Y Y Y Y
Repudiation Y Y
Communications Failure Y Y Y Y Y Y Y Y Y
Accidental Mis-routing Y Y Y Y Y
Power Failure Y Y Y Y Y Y
Operations Error Y Y Y Y Y Y Y Y Y Y Y
User Error Y Y Y Y Y Y Y Y Y
Fire Y Y Y Y Y Y Y Y Y Y Y Y
Water Damage Y Y Y Y Y Y Y Y Y
Natural Disaster Y Y Y Y Y Y Y Y Y Y Y Y
Staff Shortage Y Y Y Y Y Y
Theft by Insiders Y Y Y Y Y Y Y Y Y
Theft by Outsiders Y Y Y Y Y Y Y Y Y
Terrorism Y Y Y Y Y Y Y Y Y Y Y Y
G. Risk matrix
G.1 Introduction
The measures of risk are calculated within CRAMM using the matrix shown in Table G/1. For each asset/threat combination the matrix is entered with the asset value (1 to 10), the threat level (Very Low to Very High) and the vulnerability level (LOW, MEDIUM or HIGH); the cell gives the measure of risk on a scale from 1 (lowest) to 7 (highest).

Table G/1: Measure of risk (L = LOW, M = MEDIUM, H = HIGH vulnerability)

Threat:        Very Low     Low          Medium       High         Very High
Vuln.:         L   M   H    L   M   H    L   M   H    L   M   H    L   M   H
Asset value
 1             1   1   1    1   1   1    1   1   2    1   2   2    2   2   3
 2             1   1   2    1   2   2    2   2   3    2   3   3    3   3   4
 3             1   2   2    2   2   3    2   3   3    3   3   4    3   4   4
 4             2   2   3    2   3   3    3   3   4    3   4   4    4   4   5
 5             2   3   3    3   3   4    3   4   4    4   4   5    4   5   5
 6             3   3   4    3   4   4    4   4   5    4   5   5    5   5   6
 7             3   4   4    4   4   5    4   5   5    5   5   6    5   6   6
 8             4   4   5    4   5   5    5   5   6    5   6   6    6   6   7
 9             4   5   5    5   5   6    5   6   6    6   6   7    7   7   7
10             5   5   6    5   6   6    6   6   6    6   7   7    7   7   7
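The Table G/1 lookup as working code, added here as an example; it is not code from the CRAMM User Guide or the CRAMM software. It transcribes the matrix, rejects out-of-range inputs rather than silently wrapping them, checks that the transcription never lets the measure of risk fall as any one of asset value, threat level or vulnerability level rises, and rolls the per-threat result up to the countermeasure groups that address each threat. The threat-to-group pairs are a constructed subset of the Table I/1 mapping (three threats, three groups each); the function names and the dictionary layout are assumptions of this example.

```python
"""Measure-of-risk lookup for CRAMM Table G/1, with a transcription check
and a roll-up to countermeasure groups.

Added example: not code from the CRAMM User Guide or the CRAMM software.
The matrix is transcribed from Table G/1; the threat-to-countermeasure-group
pairs are a constructed subset of Table I/1.
"""
from itertools import product

THREAT_LEVELS = ("Very Low", "Low", "Medium", "High", "Very High")
VULNERABILITY_LEVELS = ("LOW", "MEDIUM", "HIGH")

# Table G/1. Row index = asset value - 1. Columns run Very Low/LOW,
# Very Low/MEDIUM, Very Low/HIGH, Low/LOW, ... Very High/HIGH, so
# column = 3 * threat_index + vulnerability_index.
RISK_MATRIX = (
    (1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 2, 2, 2, 2, 3),
    (1, 1, 2, 1, 2, 2, 2, 2, 3, 2, 3, 3, 3, 3, 4),
    (1, 2, 2, 2, 2, 3, 2, 3, 3, 3, 3, 4, 3, 4, 4),
    (2, 2, 3, 2, 3, 3, 3, 3, 4, 3, 4, 4, 4, 4, 5),
    (2, 3, 3, 3, 3, 4, 3, 4, 4, 4, 4, 5, 4, 5, 5),
    (3, 3, 4, 3, 4, 4, 4, 4, 5, 4, 5, 5, 5, 5, 6),
    (3, 4, 4, 4, 4, 5, 4, 5, 5, 5, 5, 6, 5, 6, 6),
    (4, 4, 5, 4, 5, 5, 5, 5, 6, 5, 6, 6, 6, 6, 7),
    (4, 5, 5, 5, 5, 6, 5, 6, 6, 6, 6, 7, 7, 7, 7),
    (5, 5, 6, 5, 6, 6, 6, 6, 6, 6, 7, 7, 7, 7, 7),
)


def measure_of_risk(asset_value, threat_level, vulnerability_level):
    """Return the 1..7 measure of risk from Table G/1.

    Out-of-range inputs raise instead of wrapping, so an asset value of 11
    typed into a review spreadsheet cannot quietly become row 1.
    """
    if not 1 <= asset_value <= 10:
        raise ValueError(f"asset value must be 1..10, got {asset_value!r}")
    if threat_level not in THREAT_LEVELS:
        raise ValueError(f"unknown threat level {threat_level!r}")
    if vulnerability_level not in VULNERABILITY_LEVELS:
        raise ValueError(f"unknown vulnerability level {vulnerability_level!r}")
    column = (3 * THREAT_LEVELS.index(threat_level)
              + VULNERABILITY_LEVELS.index(vulnerability_level))
    return RISK_MATRIX[asset_value - 1][column]


def matrix_is_monotonic(matrix=RISK_MATRIX):
    """Transcription check: the measure of risk must never fall when asset
    value, threat level or vulnerability level rises, each axis on its own."""
    for a, row in enumerate(matrix):
        if len(row) != 15:
            return False
        for t, v in product(range(5), range(3)):
            cell = row[3 * t + v]
            if a > 0 and cell < matrix[a - 1][3 * t + v]:
                return False
            if v > 0 and cell < row[3 * t + v - 1]:
                return False
            if t > 0 and cell < row[3 * (t - 1) + v]:
                return False
    return True


# Constructed subset of Table I/1 (threat -> countermeasure groups); the
# full table lists more groups for each of these threats.
COUNTERMEASURE_GROUPS = {
    "Fire": ("Fire Protection", "Back-up of Data", "Business Continuity Planning"),
    "Power Failure": ("Power Protection", "Back-up of Data", "Environmental Protection"),
    "Theft by Insiders": ("Theft Protection", "Back-up of Data", "Personnel"),
}


def countermeasure_group_risks(asset_value, assessments):
    """assessments maps threat -> (threat_level, vulnerability_level).

    Returns {countermeasure group: highest measure of risk among the threats
    it addresses}, the per-group figure that feeds countermeasure selection.
    """
    risks = {}
    for threat, (threat_level, vulnerability_level) in assessments.items():
        risk = measure_of_risk(asset_value, threat_level, vulnerability_level)
        for group in COUNTERMEASURE_GROUPS[threat]:
            risks[group] = max(risks.get(group, 0), risk)
    return risks


if __name__ == "__main__":
    assert matrix_is_monotonic()
    # Constructed assessment of one asset valued 6 against two threats.
    print(countermeasure_group_risks(6, {
        "Fire": ("Low", "HIGH"),
        "Power Failure": ("High", "MEDIUM"),
    }))
```

The check is deliberately per axis: the table is not monotonic along the combined column order, since for an asset value of 1 a Medium threat with HIGH vulnerability scores 2 while a High threat with LOW vulnerability scores 1, so a check that simply walked the fifteen columns left to right would wrongly reject the transcription.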
Countermeasure groups (CM GRP ID and NAME)
10 Identification and Authentication
30 Accounting
40 Audit
50 Object Re-use
60 Security Testing
70 Software Integrity
80 Protection Against Malicious Software
110 System Input/Output Controls
128 Intrusion Detection
165 Wireless LAN Security
176 Anti-spamming controls
190 Preservation of Message Sequencing
250 Application Programmer Controls
310 Hardcopy Output Controls
380 Recovery Options for Media
395 Insurance
440 Accommodation Moves
500 Bomb Detection
560 Environmental Protection
570 Personnel
605 Outsourcing
610 Incident Handling
Threat: Countermeasure Groups

Communications Failure (continued from the preceding page): Network Resilience; Protection against Delay in Delivery; Quality of Network Service; Protection against Denial of Service Attacks; Recovery Options for Network Services; Business Continuity Planning
Embedding of Malicious Code: Protection Against Malicious Software; Network Access Controls; Mobile Code Protection
Accidental Mis-routing: Non-repudiation; Message Security
Technical Failure of Host: Recovery Option for Hosts; Recovery Options for Network Services; Back-up of Data; Equipment Failure Protection
Technical Failure of Storage Facility: Recovery Option for Hosts; Back-up of Data; Equipment Failure Protection
Technical Failure of Print Facility: Equipment Failure Protection
Technical Failure of Network Distribution Component: Recovery Option for Hosts; Recovery Options for Network Services; Back-up of Data; Equipment Failure Protection
Technical Failure of Network Gateway: Recovery Option for Hosts; Recovery Options for Network Services; Back-up of Data; Equipment Failure Protection
Technical Failure of Network Management or Operation Host: Recovery Option for Hosts; Recovery Options for Network Services; Back-up of Data; Equipment Failure Protection
Technical Failure of Network Interface: Recovery Options for Network Interfaces
Technical Failure of Network Service: Network Security Management; Recovery Options for Network Services
Power Failure: Back-up of Data; Power Protection; Environmental Protection
Air Conditioning Failure: Environmental Protection
System and Network Software Failure: Software Integrity; Software Change Controls; Software Distribution; System Administration Controls; Software Maintenance Controls; Back-up of Data
Application Software Failure: Software Integrity; Software Change Controls; Software Distribution; System Administration Controls; Application Development Controls; Application Programmer Controls; Software Maintenance Controls; Back-up of Data
Operations Error: Operations Controls; Back-up of Data
Hardware Maintenance Error: Operations Controls; Hardware Maintenance Controls; Recovery Option for Hosts
Software Maintenance Error: Software Integrity; Software Change Controls; Software Distribution; System Administration Controls; Software Maintenance Controls; Back-up of Data
User Error: Logical Access Control; Accounting; Audit; User Control; Application Input/Output Controls; Financial Accounting; Hardcopy Output Controls; Document / Media Controls; Back-up of Data; Data Protection Legislation
Fire: Document / Media Controls; Recovery Option for Hosts; Recovery Options for Accommodation; Recovery Options for Media; Business Continuity Planning; Insurance; Back-up of Data; Fire Protection
Water Damage: Document / Media Controls; Recovery Option for Hosts; Recovery Options for Accommodation; Recovery Options for Media; Business Continuity Planning; Insurance; Back-up of Data; Water Protection
Natural Disaster: Document / Media Controls; Recovery Option for Hosts; Recovery Options for Accommodation; Recovery Options for Media; Business Continuity Planning; Insurance; Natural Disaster Protection
Staff Shortage: Business Continuity Planning; Insurance
Theft by Insiders: Mobile Computing and Teleworking; Hardcopy Output Controls; Document / Media Controls; Physical Media Transportation; Insurance; Back-up of Data; Room / Zone Physical Security; Theft Protection; Physical Equipment Protection; Personnel; Incident Handling; Compliance Checks
Theft by Outsiders: Mobile Computing and Teleworking; Hardcopy Output Controls; Document / Media Controls; Physical Media Transportation; Insurance; Back-up of Data; Site / Building Physical Security; Accommodation Moves; Room / Zone Physical Security; Theft Protection; Physical Equipment Protection; Incident Handling; Compliance Checks
Wilful Damage by Insiders: Network Security Management; Recovery Option for Hosts; Recovery Options for Accommodation; Recovery Options for Media; Business Continuity Planning; Insurance; Back-up of Data; Room / Zone Physical Security; Physical Equipment Protection; Personnel; Incident Handling; Compliance Checks
Wilful Damage by Outsiders: Network Security Management; Recovery Option for Hosts; Recovery Options for Accommodation; Recovery Options for Media; Business Continuity Planning; Insurance; Back-up of Data; Site / Building Physical Security; Room / Zone Physical Security; Physical Equipment Protection; Incident Handling; Compliance Checks
Terrorism: Recovery Option for Hosts; Recovery Options for Accommodation; Recovery Options for Media; Business Continuity Planning; Insurance; Back-up of Data; Site / Building Physical Security; Room / Zone Physical Security; Terrorist / Extremist Warnings; Delivered Item (DI) Protection; Bomb Detection; Internal and External Bomb Protection; Incident Handling; Compliance Checks
Table I/1: Threat/Countermeasure Groups
Countermeasure Group: Threats

Identification and Authentication: Masquerading of User Identity by Insiders; Masquerading of User Identity by Contracted Service Providers; Masquerading of User Identity by Outsiders; Unauthorised Use of an Application; Introduction of Damaging or Disruptive Software
Logical Access Control: Masquerading of User Identity by Insiders; Masquerading of User Identity by Contracted Service Providers; Masquerading of User Identity by Outsiders; Unauthorised Use of an Application; Introduction of Damaging or Disruptive Software; User Error
Accounting: Masquerading of User Identity by Insiders; Masquerading of User Identity by Contracted Service Providers; Masquerading of User Identity by Outsiders; Unauthorised Use of an Application; Misuse of System Resources; User Error
Audit: Masquerading of User Identity by Insiders; Masquerading of User Identity by Contracted Service Providers; Masquerading of User Identity by Outsiders; Unauthorised Use of an Application; Misuse of System Resources; User Error
Object Re-use: Masquerading of User Identity by Insiders; Masquerading of User Identity by Contracted Service Providers; Masquerading of User Identity by Outsiders
Security Testing: Masquerading of User Identity by Insiders; Masquerading of User Identity by Contracted Service Providers; Masquerading of User Identity by Outsiders; Unauthorised Use of an Application
Software Integrity: Masquerading of User Identity by Insiders; Masquerading of User Identity by Contracted Service Providers; Masquerading of User Identity by Outsiders; Unauthorised Use of an Application; System and Network Software Failure
Non-repudiation: Repudiation; Accidental Mis-routing
Data Confidentiality Over Networks: Communications Interception
Public Key Infrastructure: Communications Interception; Communications Manipulation; Repudiation
Network Access Controls: Masquerading of User Identity by Insiders; Masquerading of User Identity by Contracted Service Providers; Masquerading of User Identity by Outsiders; Communications Infiltration; Communications Manipulation; Embedding of Malicious Code
Security of Routing Tables: Communications Infiltration; Communications Interception; Communications Manipulation
Physical Network Protection: Communications Interception
Wireless LAN Security: Communications Infiltration; Communications Interception; Communications Manipulation
Protection of Voice over IP (VOIP) Traffic: Communications Infiltration; Communications Interception; Communications Manipulation
Message Security: Communications Manipulation; Repudiation; Accidental Mis-routing
Electronic Commerce Security: Communications Infiltration
Mobile Code Protection: Embedding of Malicious Code
Network Resilience: Communications Failure
Anti-spamming controls: Communications Infiltration
Protection against Delay in Delivery: Communications Manipulation; Communications Failure
Quality of Network Service: Communications Failure
Protection against Denial of Service Attacks: Communications Interception; Communications Failure
Data Integrity over Network: Communications Manipulation; Repudiation
Preservation of Message Sequencing: Communications Manipulation
Traffic Padding: Communications Interception
PBX Security: Masquerading of User Identity by Insiders; Masquerading of User Identity by Contracted Service Providers; Masquerading of User Identity by Outsiders; Communications Infiltration; Communications Interception; Communications Manipulation
Operations Controls: Operations Error; Hardware Maintenance Error
System Administration Controls: Masquerading of User Identity by Insiders; Masquerading of User Identity by Contracted Service Providers; Masquerading of User Identity by Outsiders; Unauthorised Use of an Application; System and Network Software Failure; Application Software Failure; Software Maintenance Error
Application Development Controls: Application Software Failure
Application Programmer Controls: Application Software Failure
Software Maintenance Controls: System and Network Software Failure; Application Software Failure; Software Maintenance Error
Hardware Maintenance Controls: Hardware Maintenance Error
User Control: User Error
Application Input/Output Controls: Masquerading of User Identity by Insiders; Masquerading of User Identity by Contracted Service Providers; Masquerading of User Identity by Outsiders; Unauthorised Use of an Application; User Error
Financial Accounting: Unauthorised Use of an Application; User Error
Hardcopy Output Controls: User Error; Theft by Insiders; Theft by Outsiders
Document / Media Controls: User Error; Fire; Water Damage; Natural Disaster; Theft by Insiders; Theft by Outsiders
Physical Media Transportation: Introduction of Damaging or Disruptive Software; Theft by Insiders; Theft by Outsiders
Recovery Option for Hosts: Technical Failure of Host; Technical Failure of Storage Facility; Technical Failure of Network Distribution Component; Technical Failure of Network Gateway; Technical Failure of Network Management or Operation Host; Hardware Maintenance Error; Fire; Water Damage; Natural Disaster; Wilful Damage by Insiders; Wilful Damage by Outsiders; Terrorism
Recovery Options for Network Interfaces: Technical Failure of Network Interface
Recovery Options for Network Services: Communications Failure; Technical Failure of Host; Technical Failure of Network Distribution Component; Technical Failure of Network Gateway; Technical Failure of Network Management or Operation Host; Technical Failure of Network Service
Recovery Options for Accommodation: Fire; Water Damage; Natural Disaster; Wilful Damage by Insiders; Wilful Damage by Outsiders; Terrorism
Recovery Options for Media: Fire; Water Damage; Natural Disaster; Wilful Damage by Insiders; Wilful Damage by Outsiders; Terrorism
Business Continuity Planning: Communications Failure; Fire; Water Damage; Natural Disaster; Staff Shortage; Wilful Damage by Insiders; Wilful Damage by Outsiders; Terrorism
Insurance: Masquerading of User Identity by Insiders; Masquerading of User Identity by Contracted Service Providers; Masquerading of User Identity by Outsiders; Fire; Water Damage; Natural Disaster; Staff Shortage; Theft by Insiders; Theft by Outsiders; Wilful Damage by Insiders; Wilful Damage by Outsiders; Terrorism
Back-up of Data: Masquerading of User Identity by Insiders; Masquerading of User Identity by Contracted Service Providers; Masquerading of User Identity by Outsiders; Unauthorised Use of an Application; Introduction of Damaging or Disruptive Software; Technical Failure of Host; Technical Failure of Storage Facility; Technical Failure of Network Distribution Component; Technical Failure of Network Gateway; Technical Failure of Network Management or Operation Host; Power Failure; System and Network Software Failure; Application Software Failure; Operations Error; Software Maintenance Error; User Error; Fire; Water Damage; Theft by Insiders; Theft by Outsiders; Wilful Damage by Insiders; Wilful Damage by Outsiders; Terrorism
Capacity Planning: Misuse of System Resources
Equipment Failure Protection: Technical Failure of Host; Technical Failure of Storage Facility; Technical Failure of Print Facility; Technical Failure of Network Distribution Component; Technical Failure of Network Gateway; Technical Failure of Network Management or Operation Host
Site / Building Physical Security: Theft by Outsiders; Wilful Damage by Outsiders; Terrorism
Accommodation Moves: Theft by Outsiders
Room / Zone Physical Security: Theft by Insiders; Theft by Outsiders; Wilful Damage by Insiders; Wilful Damage by Outsiders; Terrorism
Theft Protection: Theft by Insiders; Theft by Outsiders
Physical Equipment Protection: Theft by Insiders; Theft by Outsiders; Wilful Damage by Insiders; Wilful Damage by Outsiders
Terrorist / Extremist Warnings: Terrorism
Delivered Item (DI) Protection: Terrorism
Bomb Detection: Terrorism
Internal and External Bomb Protection: Terrorism
Fire Protection: Fire
Water Protection: Water Damage
Natural Disaster Protection: Natural Disaster
Power Protection: Power Failure
Environmental Protection: Power Failure; Air Conditioning Failure
Personnel: Masquerading of User Identity by Insiders; Masquerading of User Identity by Contracted Service Providers; Unauthorised Use of an Application; Theft by Insiders; Wilful Damage by Insiders
Security Education and Training: Masquerading of User Identity by Insiders; Masquerading of User Identity by Contracted Service Providers; Masquerading of User Identity by Outsiders; Unauthorised Use of an Application
Security Policy: Masquerading of User Identity by Insiders; Masquerading of User Identity by Contracted Service Providers; Masquerading of User Identity by Outsiders; Unauthorised Use of an Application
Security Infrastructure: Masquerading of User Identity by Insiders; Masquerading of User Identity by Contracted Service Providers; Masquerading of User Identity by Outsiders; Unauthorised Use of an Application
Outsourcing: Masquerading of User Identity by Contracted Service Providers
Data Protection Legislation: Masquerading of User Identity by Insiders; Masquerading of User Identity by Contracted Service Providers; Masquerading of User Identity by Outsiders; Unauthorised Use of an Application; User Error
Incident Handling: Masquerading of User Identity by Insiders; Masquerading of User Identity by Contracted Service Providers; Masquerading of User Identity by Outsiders; Unauthorised Use of an Application; Introduction of Damaging or Disruptive Software; Theft by Insiders; Theft by Outsiders; Wilful Damage by Insiders; Wilful Damage by Outsiders; Terrorism
Compliance Checks: Masquerading of User Identity by Insiders; Masquerading of User Identity by Contracted Service Providers; Masquerading of User Identity by Outsiders; Unauthorised Use of an Application; Theft by Insiders; Theft by Outsiders; Wilful Damage by Insiders; Wilful Damage by Outsiders; Terrorism
L. CRAMM reports
L.1 Introduction
Table O/1 lists all the reports that can be produced using the CRAMM software. The
reports are grouped according to which Stage they are produced in, and each one has
a brief description of its purpose plus a reference to its description in this User Guide.