
VERA 2.0
By Cesare Gallotti

Licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 Italy License


http://creativecommons.org/licenses/by-nc-sa/2.5/it/
0 - Describe the scope
Describe the service, considering: characteristics of the business, the organization involved (business, IT and third parties), location, assets, technology.

1 - Assess service values
In the "Main table" sheet, put the values of the CIA parameters (Confidentiality, Integrity, Availability) of the service in cells C2-E2, following the criteria in the "Criteria" sheet.

2 - Assess threats
In the "Threats" sheet put the value 1, 2 or 3 for the likelihood of each threat and record the motivation, following the criteria in the "Criteria" sheet.
Copy column C and paste it into the "Main table" sheet with the "Edit - Paste Special - Transpose" command.
If new threats are added, remember that the "inherent risk" is calculated from the CIA parameters the threat impacts, so set those parameters for the new threat; new threats must also be linked to the pertinent controls in the "Main table" sheet.

3 - Analyze controls
In the "Controls" sheet put the value 1, 2 or 3 for "Strength/Vulnerability" following the criteria in the "Criteria" sheet (NA if the control does not apply). Record the motivation in the "Description" and "Vulnerability" fields.
Copy column B and paste it into the "Main table" sheet.
Please note that the 133 controls are the ISO/IEC 27001:2005 Annex A controls. New controls can be added, but they must also be linked to the appropriate threats in the "Main table" sheet.

4 - Calculate risk level
The sheet calculates the "inherent risk" with a simple formula that can be checked in the cells of row 8. The values shown in the sheet are consistent with: threat likelihood x average of the service's CIA values for the impacted parameters / 3 (e.g. Fire: likelihood 1, parameters IA, service I = 2 and A = 3, so 1 x 2.5 / 3 = 0.83).
Each control is linked with an "X" to the threats it reduces, and vice versa (each threat is linked with an "X" to the relevant controls).
If the inherent risk is lower than the strength of the control, the cell is green; otherwise it is red.
Conditional formatting is applied to every cell. If new columns or rows are added, check whether, and how, the conditions are still valid.

5 - Treat risks
For accepted risks, replace the "X" with an "A" in the "Main table" sheet; the cell turns yellow (because of the conditional formatting). In this case the "Risk acceptance" sheet must be filled in.
For risks treated by reduction or transfer, the "X" stays in place and the "Risk treatment" sheet must be filled in.

Note on this VERA version: in the "Main table" sheet the relations between threats and controls may be incorrect (i.e. they are basically incorrect!); review them before relying on the sheet.

Note: the criteria shall be customized considering the scope (e.g. industry sector, location, technology, etc.).
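The arithmetic behind steps 1 to 5, re-implemented in Python as an added worked example (it is not part of the VERA workbook and is not the author's code). The service values, the threats with their likelihood and impacted parameters, and the control strengths are copied from the sheets reproduced on this page; the threat/control links are a small constructed subset, and treating a linked "NA" control as red is an assumption of this example, since the sheet only states the numeric rule "risk lower than strength is green, otherwise red".

```python
"""Re-implementation of the VERA 2.0 "Main table" arithmetic.

Added example, not part of the original workbook. Service values, threats
and control strengths are copied from the sheets on this page; the
threat/control links below are a constructed subset used to illustrate the
colouring rule, and the "NA control linked to a threat is red" rule is an
assumption of this example.
"""
from statistics import mean

# Service CIA values from the "Main table" sheet (cells C2-E2).
SERVICE = {"C": 1, "I": 2, "A": 3}

# threat -> (likelihood 1-3, impacted parameters), from the "Threats" sheet.
THREATS = {
    "Fire": (1, "IA"),
    "Water Damage": (1, "A"),
    "Destruction of equipment or media": (3, "A"),
    "Failure of telecommunication components": (2, "CIA"),
    "Eavesdropping": (1, "C"),
    "Theft of equipment": (3, "CA"),
    "Software Malfunction": (3, "CIA"),
    "Hardware or Systems maintenance error": (3, "IA"),
    "Unauthorised use of equipment": (2, "CIA"),
}

# control -> strength 1-3, or None for "NA", from the "Controls" sheet.
CONTROLS = {
    "A.9.2.5 Security of equipment off premises": None,
    "A.10.1.4 Separation of development, test and operational facilities": 2,
    "A.10.5.1 Information back-up": 3,
    "A.11.2.2 Privilege management": 1,
}

# Constructed subset of the "Main table" links: "X" = linked, "A" = accepted risk.
LINKS = {
    ("Fire", "A.10.5.1 Information back-up"): "X",
    ("Destruction of equipment or media", "A.10.5.1 Information back-up"): "X",
    ("Software Malfunction",
     "A.10.1.4 Separation of development, test and operational facilities"): "X",
    ("Unauthorised use of equipment", "A.11.2.2 Privilege management"): "A",
}


def inherent_risk(service, likelihood, params):
    """Likelihood x mean of the service values of the impacted parameters / 3.

    This is the formula implied by the figures in the sheet, e.g.
    Fire: 1 x mean(I=2, A=3) / 3 = 0.83.
    """
    if likelihood not in (1, 2, 3):
        raise ValueError(f"likelihood must be 1, 2 or 3, got {likelihood!r}")
    if not params or any(p not in service for p in params):
        raise ValueError(f"parameters must be a non-empty subset of CIA, got {params!r}")
    return round(likelihood * mean(service[p] for p in params) / 3, 2)


def cell_colour(mark, risk, strength):
    """Reproduce the conditional formatting of a "Main table" cell."""
    if mark == "A":
        return "yellow"  # accepted risk: a "Risk acceptance" entry is required
    if mark != "X":
        return "none"    # control not linked to this threat
    if strength is None:
        return "red"     # assumption: an NA control reduces nothing it is linked to
    return "green" if risk < strength else "red"


def assess(service=SERVICE, threats=THREATS, controls=CONTROLS, links=LINKS):
    """Return {(threat, control): (risk, strength, mark, colour)} for each link."""
    result = {}
    for (threat, control), mark in links.items():
        likelihood, params = threats[threat]
        risk = inherent_risk(service, likelihood, params)
        strength = controls[control]
        result[(threat, control)] = (risk, strength, mark, cell_colour(mark, risk, strength))
    return result


def red_cells(result):
    """Links whose control is too weak for the risk: the "Risk treatment" backlog."""
    return sorted(key for key, value in result.items() if value[3] == "red")


def unlinked_threats(threats=THREATS, links=LINKS):
    """Threats with no linked control, the check step 2 asks for after adding a threat."""
    linked = {threat for threat, _ in links}
    return sorted(t for t in threats if t not in linked)


if __name__ == "__main__":
    for (threat, control), (risk, strength, mark, colour) in assess().items():
        print(f"{risk:4.2f} vs {strength!s:>4}  {mark}  {colour:6}  {threat} / {control}")
    print("unlinked threats:", unlinked_threats())
```

Run as a script it lists each link with its colour; the two red cells it reports (destruction of equipment against back-up, software malfunction against A.10.1.4) are exactly the kind of entry the "Risk treatment" sheet expects, and the yellow one matches the "Risk acceptance" example at the end of this page.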

Criteria for Confidentiality, Integrity and Availability (from NIST SP 800-30)

Magnitude of impact | Definition
High (value 3) | (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest; (3) may result in human death or serious injury.
Medium (value 2) | (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization's mission, reputation, or interest; (3) may result in human injury.
Low (value 1) | (1) may result in the loss of some tangible assets or resources; (2) may noticeably affect an organization's mission, reputation, or interest.

Criteria for Threats (from NIST SP 800-30)

Threat level | Definition
High (value 3) | The threat-source is highly motivated and sufficiently capable. Several events related to this threat have been recorded.
Medium (value 2) | The threat-source is motivated and capable. The number of events related to this threat is in line with industry sector studies.
Low (value 1) | The threat-source lacks motivation or capability. Previous events are rare.

Criteria for Controls (from NIST SP 800-30)

Control strength | Definition
High (value 3) | The control is fully implemented with:
  • up-to-date products and processes
  • updated documentation
  • no recorded incidents or vulnerabilities
  • a good balance between effectiveness and efficiency (easy to manage and update)
  • enough trained people for its implementation and maintenance
Medium (value 2) | The control presents one or two gaps in implementation or maintenance, considering the same aspects: up-to-date products and processes; updated documentation; recorded incidents or vulnerabilities; balance between effectiveness and efficiency (easy to manage and update); number of trained people for its implementation and maintenance.
Low (value 1) | The control is not applied, or presents many gaps in implementation and maintenance, considering the same aspects.
N/A | The control is not applicable to the organization, considering the relevant threats.
"Controls" sheet

Control | Strength/Vulnerability | Description | Vulnerability | Documentation
A.5.1.1 Information security policy document | 3
A.5.1.2 Review of the information security policy | 3
A.6.1.1 Management commitment to information security | 2
A.6.1.2 Information security coordination | 3
A.6.1.3 Allocation of information security responsibilities | 3 | OK, through organization chart | None
A.6.1.4 Authorization process for information processing facilities | 3 | OK, through the "Change Management" process | None
A.6.1.5 Confidentiality agreements | 2 | OK with all suppliers; OK with all personnel | The process involving temporary personnel is not standardized
A.6.1.6 Contact with authorities | 3 | Simple involvement with police and fire brigades | None | Contact list (fire brigades, police, ...)
A.6.1.7 Contact with special interest groups | 2
A.6.1.8 Independent review of information security | 1
A.6.2.1 Identification of risks related to external parties | 3
A.6.2.2 Addressing security when dealing with customers | 2
A.6.2.3 Addressing security in third party agreements | 2
A.7.1.1 Inventory of assets | 3
A.7.1.2 Ownership of assets | 3
A.7.1.3 Acceptable use of assets | 2
A.7.2.1 Classification guidelines | 3
A.7.2.2 Information labeling and handling | 1
A.8.1.1 Roles and responsibilities | 3
A.8.1.2 Screening | 3
A.8.1.3 Terms and conditions of employment | 3
A.8.2.1 Management responsibilities | 2
A.8.2.2 Information security awareness, education and training | 2
A.8.2.3 Disciplinary process | 3
A.8.3.1 Termination responsibilities | 3
A.8.3.2 Return of assets | 1
A.8.3.3 Removal of access rights | 1
A.9.1.1 Physical security perimeter | 3
A.9.1.2 Physical entry controls | 2
A.9.1.3 Securing offices, rooms and facilities | 3
A.9.1.4 Protecting against external and environmental threats | 3
A.9.1.5 Working in secure areas | 3
A.9.1.6 Public access, delivery and loading areas | 3
A.9.2.1 Equipment siting and protection | 3
A.9.2.2 Supporting utilities | 3
A.9.2.3 Cabling security | 2
A.9.2.4 Equipment maintenance | 2
A.9.2.5 Security of equipment off premises | NA
A.9.2.6 Secure disposal or re-use of equipment | 2
A.9.2.7 Removal of property | 2
A.10.1.1 Documented operating procedures | 3
A.10.1.2 Change management | 3
A.10.1.3 Segregation of duties | 2
A.10.1.4 Separation of development, test and operational facilities | 2
A.10.2.1 Service delivery | 2
A.10.2.2 Monitoring and review of third party services | 2
A.10.2.3 Managing changes to third party services | 3
A.10.3.1 Capacity management | 3
A.10.3.2 System acceptance | 3
A.10.4.1 Controls against malicious code | 3
A.10.4.2 Controls against mobile code | 3
A.10.5.1 Information back-up | 3
A.10.6.1 Network controls | 3
A.10.6.2 Security of network services | 3
A.10.7.1 Management of removable media | 2
A.10.7.2 Disposal of media | 3
A.10.7.3 Information handling procedures | 3
A.10.7.4 Security of system documentation | 3
A.10.8.1 Information exchange policies and procedures | 3
A.10.8.2 Exchange agreements | 3
A.10.8.3 Physical media in transit | 3
A.10.8.4 Electronic messaging | 3
A.10.8.5 Business information systems | 3
A.10.9.1 Electronic commerce | NA
A.10.9.2 On-line transactions | NA
A.10.9.3 Publicly available information | 3
A.10.10.1 Audit logging | 2
A.10.10.2 Monitoring system use | 3
A.10.10.3 Protection of log information | 3
A.10.10.4 Administrator and operator logs | 3
A.10.10.5 Fault logging | 3
A.10.10.6 Clock synchronization | 3
A.11.1.1 Access control policy | 3
A.11.2.1 User registration | 3
A.11.2.2 Privilege management | 1
A.11.2.3 User password management | 3
A.11.2.4 Review of user access rights | 3
A.11.3.1 Password use | 3
A.11.3.2 Unattended user equipment | 3
A.11.3.3 Clear desk and clear screen policy | 3
A.11.4.1 Policy on use of network services | 3
A.11.4.2 User authentication for external connections | 3
A.11.4.3 Equipment identification in networks | 3
A.11.4.4 Remote diagnostic and configuration port protection | 3
A.11.4.5 Segregation in networks | 3
A.11.4.6 Network connection control | 3
A.11.4.7 Network routing control | 3
A.11.5.1 Secure log-on procedures | 3
A.11.5.2 User identification and authentication | 3
A.11.5.3 Password management system | 3
A.11.5.4 Use of system utilities | 3
A.11.5.5 Session time-out | 3
A.11.5.6 Limitation of connection time | 3
A.11.6.1 Information access restriction | 3
A.11.6.2 Sensitive system isolation | 3
A.11.7.1 Mobile computing and communications | 3
A.11.7.2 Teleworking | 3
A.12.1.1 Security requirements analysis and specification | 3
A.12.2.1 Input data validation | 3
A.12.2.2 Control of internal processing | 3
A.12.2.3 Message integrity | 3
A.12.2.4 Output data validation | 3
A.12.3.1 Policy on the use of cryptographic controls | 3
A.12.3.2 Key management | 3
A.12.4.1 Control of operational software | 3
A.12.4.2 Protection of system test data | 3
A.12.4.3 Access control to program source code | 3
A.12.5.1 Change control procedures | 3
A.12.5.2 Technical review of applications after operating system changes | 3
A.12.5.3 Restrictions on changes to software packages | 3
A.12.5.4 Information leakage | 3
A.12.5.5 Outsourced software development | 3
A.12.6.1 Control of technical vulnerabilities | 3
A.13.1.1 Reporting information security events | 3
A.13.1.2 Reporting security weaknesses | 3
A.13.2.1 Responsibilities and procedures | 3
A.13.2.2 Learning from information security incidents | 3
A.13.2.3 Collection of evidence | 3
A.14.1.1 Including information security in the business continuity management process | 3
A.14.1.2 Business continuity and risk assessment | 3
A.14.1.3 Developing and implementing continuity plans including information security | 3
A.14.1.4 Business continuity planning framework | 3
A.14.1.5 Testing, maintaining and reassessing business continuity plans | 3
A.15.1.1 Identification of applicable legislation | 3
A.15.1.2 Intellectual property rights (IPR) | 3
A.15.1.3 Protection of organizational records | 3
A.15.1.4 Data protection and privacy of personal information | 3
A.15.1.5 Prevention of misuse of information processing facilities | 3
A.15.1.6 Regulation of cryptographic controls | 3
A.15.2.1 Compliance with security policies and standards | 3
A.15.2.2 Technical compliance checking | 3
A.15.3.1 Information systems audit controls | 3
A.15.3.2 Protection of information systems audit tools | 3
"Threats" sheet

Threat category | Threat | Likelihood | Parameters
Physical damage | Fire | 1 | IA
Physical damage | Water damage | 1 | A
Physical damage | Pollution - Dust - Corrosion - Freezing | 1 | A
Physical damage | Destruction of equipment or media | 3 | A
Physical damage | Bomb attack and use of arms | 1 | A
Natural events | Climatic phenomenon | 1 | A
Natural events | Earthquake (or volcanic phenomenon) | 1 | A
Natural events | Flooding | 1 | A
Natural events | Lightning | 1 | A
Loss of essential services | Failure of air conditioning or water supply | 1 | A
Loss of essential services | Loss of power supply or power fluctuation | 2 | A
Loss of essential services | Failure of telecommunication components | 2 | CIA
Loss of essential services | Transmission errors (including misrouting of messages) | 1 | IA
Loss of essential services | Damage to lines | 1 | A
Loss of essential services | Traffic overloading | 1 | A
Loss of essential services | Staff shortage | 1 | A
Disturbance | Electromagnetic radiation - Thermal radiation - Electromagnetic pulses | 1 | IA
Compromise of information | Eavesdropping (including traffic analysis) | 1 | C
Compromise of information | Remote spying | 1 | CIA
Compromise of information | Theft of media or documents | 3 | C
Compromise of information | Theft of equipment | 3 | CA
Compromise of information | Retrieval of recycled or discarded media | 1 | C
Compromise of information | Disclosure | 1 | C
Compromise of information | Data from untrustworthy sources | 1 | I
Compromise of information | Communications infiltration (including rerouting of messages) | 1 | CIA
Compromise of information | Repudiation | 2 | I
Technical failures | Equipment failure or malfunction | 2 | IA
Technical failures | Saturation of the information system | 2 | IA
Technical failures | Software malfunction | 3 | CIA
Technical failures | Hardware or systems maintenance error | 3 | IA
Unauthorised actions | Unauthorised use of equipment | 2 | CIA
Unauthorised actions | Illegal import/export of software (fraudulent copying of software, use of copied software) | 3 | CIA
Unauthorised actions | Business data alteration by malicious user | 3 | CIA
Unauthorised actions | Malicious software | 3 | CIA
Unauthorised actions | Network access by unauthorized users | 1 | CIA
Unauthorised actions | Use of network facilities in an unauthorized way | 2 | CIA
Compromise of functions | Business user errors | 3 | CIA
Compromise of functions | Use of software by unauthorized users | 1 | CIA
Compromise of functions | Deterioration of storage media | 2 | IA
Compromise of functions | Use of software in an unauthorized way | 1 | CIA
Compromise of functions | Masquerading of user identity | 1 | CIA

Motivation column (entries recorded in the sheet, in sheet order):
- Fire brigade said that the risk is low
- Data center is on the 2nd floor
- Highest humidity 100%, highest temperature 40°C
- Standard tools used. MTBF of 10 years.
- Some crazy people around... Some incidents recorded in the last 2 years
Service values ("Main table" sheet, cells C2-E2): Confidentiality 1 | Integrity 2 | Availability 3

"Main table" sheet (threats in columns, controls in rows; "X" marks a control linked to a threat, "A" an accepted risk)

Threat group: Physical Damage
Threat | Likelihood | Parameters | Inherent risk
Fire | 1 | IA | 0.83
Water Damage | 1 | A | 1.00
Pollution - Dust - Corrosion - Freezing | 1 | A | 1.00

Control | Strength | Linked threats (X)
A.5.1.1 Information security 3
policy document X X X
A.5.1.2 Review of the 3
information security policy X X X
A.6.1.1 Management 2
commitment to information
security X X X
A.6.1.2 Information security 3
coordination X
A.6.1.3 Allocation of 3
information security
responsibilities X X X
A.6.1.4 Authorization process 3
for information processing
facilities X X X
A.6.1.5 Confidentiality 2
agreements
A.6.1.6 Contact with 3
authorities X
A.6.1.7 Contact with special 2
interest groups
A.6.1.8 Independent review of 1
information security X X X
A.6.2.1 Identification of risks 3
related to external parties X X
A.6.2.2 Addressing security 2
when dealing with customers X
A.6.2.3 Addressing security in 2
third party agreements X X
A.7.1.1 Inventory of assets 3 X X X
A.7.1.2 Ownership of assets 3 X X X
A.7.1.3 Acceptable use of 2
assets
A.7.2.1 Classification 3
guidelines
A.7.2.2 Information labelling 1
and handling
A.8.1.1 Roles and 3
responsibilities X
A.8.1.2 Screening 3 X
A.8.1.3 Terms and conditions 3
of employment X
A.8.2.1 Management 2
responsibilities X
A.8.2.2 Information security 2
awareness, education and
training X
A.8.2.3 Disciplinary process 3 X
A.8.3.1 Termination 3
responsibilities
A.8.3.2 Return of assets 1
A.8.3.3 Removal of access 1
rights
A.9.1.1 Physical security 3
perimeter
A.9.1.2 Physical entry controls 2

A.9.1.3 Securing offices, 3


rooms and facilities X
A.9.1.4 Protecting against 3
external and environmental
threats X X X
A.9.1.5 Working in secure 3
areas X X
A.9.1.6 Public access, 3
delivery and loading areas X
A.9.2.1 Equipment siting and 3
protection X X X
A.9.2.2 Supporting utilities 3 X X X
A.9.2.3 Cabling security 2 X X X
A.9.2.4 Equipment 2
maintenance X X X
A.9.2.5 Security of equipment off premises NA X X X
A.9.2.6 Secure disposal or re- 2
use of equipment
A.9.2.7 Removal of property 2
A.10.1.1 Documented 3
operating procedures
A.10.1.2 Change 3
management X
A.10.1.3 Segregation of duties 2
A.10.1.4 Separation of 2
development, test and
operational facilities
A.10.2.1 Service delivery 2
A.10.2.2 Monitoring and 2
review of third party services X
A.10.2.3 Managing changes 3
to third party services X
A.10.3.1 Capacity 3
management X
A.10.3.2 System acceptance 3 X
A.10.4.1 Controls against 3
malicious code
A.10.4.2 Controls against 3
mobile code
A.10.5.1 Information back-up 3 X X X
A.10.6.1 Network controls 3
A.10.6.2 Security of network 3
services
A.10.7.1 Management of 2
removable media
A.10.7.2 Disposal of media 3
A.10.7.3 Information handling 3
procedures
A.10.7.4 Security of system 3
documentation
A.10.8.1 Information 3
exchange policies and
procedures
A.10.8.2 Exchange 3
agreements
A.10.8.3 Physical media in 3
transit
A.10.8.4 Electronic messaging 3

A.10.8.5 Business information 3


systems
A.10.9.1 Electronic commerce NA

A.10.9.2 On-line transactions NA


A.10.9.3 Publicly available 3
information
A.10.10.1 Audit logging 2
A.10.10.2 Monitoring system 3
use
A.10.10.3 Protection of log 3
information
A.10.10.4 Administrator and 3
operator logs
A.10.10.5 Fault logging 3
A.10.10.6 Clock 3
synchronization
A.11.1.1 Access control policy 3

A.11.2.1 User registration 3


A.11.2.2 Privilege 1
management
A.11.2.3 User password 3
management
A.11.2.4 Review of user 3
access rights
A.11.3.1 Password use 3
A.11.3.2 Unattended user 3
equipment
A.11.3.3 Clear desk and clear 3
screen policy
Network
A.11.4.1 Policy on use of network services 3 X
A.11.4.2 User authentication 3
for external connections
A.11.4.3 Equipment 3
identification in networks
A.11.4.4 Remote diagnostic 3
and configuration port
A.11.4.5 Segregation in 3
networks
A.11.4.6 Network connection 3
control
A.11.4.7 Network routing 3
control
Operating systems
A.11.5.1 Secure log-on procedures 3
A.11.5.2 User identification 3
and authentication
A.11.5.3 Password 3
management system
A.11.5.4 Use of system 3
utilities
A.11.5.5 Session time-out 3
A.11.5.6 Limitation of 3
connection time
Applications and information
A.11.6.1 Information access restriction 3
A.11.6.2 Sensitive system 3
isolation
Mobile & telework
A.11.7.1 Mobile computing and communications 3
A.11.7.2 Teleworking 3
A.12.1.1 Security 3
requirements analysis and
specification
A.12.2.1 Input data validation 3
A.12.2.2 Control of internal 3
processing
A.12.2.3 Message integrity 3
A.12.2.4 Output data 3
validation
A.12.3.1 Policy on the use of 3
cryptographic controls
A.12.3.2 Key management 3
A.12.4.1 Control of 3
operational software
A.12.4.2 Protection of system 3
test data
A.12.4.3 Access control to 3
program source code
A.12.5.1 Change control 3
procedures X
A.12.5.2 Technical review of 3
applications after operating
system changes
A.12.5.3 Restrictions on 3
changes to software packages

A.12.5.4 Information leakage 3


A.12.5.5 Outsourced software 3
development
A.12.6.1 Control of technical 3
vulnerabilities
A.13.1.1 Reporting 3
information security events X X X
A.13.1.2 Reporting security 3
weaknesses X X X
A.13.2.1 Responsibilities and 3
procedures X X X
A.13.2.2 Learning from 3
information security incidents X X X
A.13.2.3 Collection of 3
evidence X X X
A.14.1.1 Including information 3
security in the business
continuity management
process X X X
A.14.1.2 Business continuity 3
and risk assessment X X X
A.14.1.3 Developing and 3
implementing continuity plans
including information security X X X
A.14.1.4 Business continuity 3
planning framework X X X
A.14.1.5 Testing, maintaining 3
and reassessing business
continuity plans X X X
A.15.1.1 Identification of 3
applicable legislation X
A.15.1.2 Intellectual property 3
rights (IPR)
A.15.1.3 Protection of 3
organizational records
A.15.1.4 Data protection and 3
privacy of personal
information
A.15.1.5 Prevention of misuse 3
of information processing
facilities
A.15.1.6 Regulation of 3
cryptographic controls
A.15.2.1 Compliance with 3
security policies and
standards X
A.15.2.2 Technical compliance 3
checking X X
A.15.3.1 Information systems 3
audit controls
A.15.3.2 Protection of 3
information systems audit
tools
Threat groups: Physical Damage (continued), Natural events, Loss of essential services
Threat | Likelihood | Parameters | Inherent risk
Destruction of equipment or media | 3 | A | 3.00
Bomb attack and use of arms | 1 | A | 1.00
Climatic phenomenon | 1 | A | 1.00
Earthquake (or volcanic phenomenon) | 1 | A | 1.00
Flooding | 1 | A | 1.00
Lightning | 1 | A | 1.00
Failure of air conditioning or water supply | 1 | A | 1.00

X X X X X X X

X X X X X X X

X X X X X X

X X X X

X X X X X X X

X X X X X X X

X X

X X X X X X X

X X

X X

X X X X
X X X X X X
X X X X X X

X X
X X

X
X

X X
X

X X

X X X X

X X X X

X X

X X X X X X

X X X

X X

X X X X X X X
X X X X X X
X X X X X X

X X X X X X

X X X X X X X

X X X
X

X X X

X X X

X X X
X X X

X X X X X X X
X

X
X

X X X
X

X
X

X X X

X X X X X

X X X X X

X X X X X
X X X X X

X X X X X

X X X X X X X

X X X X X X X

X X X X X X X

X X X X X X X

X X X X X X X

X X X

X X

X X X
Threat groups: Loss of essential services (continued), Disturbance
Threat | Likelihood | Parameters | Inherent risk
Loss of power supply or power fluctuation | 2 | A | 2.00
Failure of telecommunication components | 2 | CIA | 1.33
Transmission errors (including misrouting of messages) | 1 | IA | 0.83
Damage to lines | 1 | A | 1.00
Traffic overloading | 1 | A | 1.00
Staff shortage | 1 | A | 1.00
Electromagnetic radiation - Thermal radiation - Electromagnetic pulses | 1 | IA | 0.83

X X X X X X X

X X X X X X X

X X X X X X X

X X X X X

X X X X X X

X X X X X X

x X

X X X X

X X X X

X X X

X X X X
X X X X X X
X X X X X X

X X X X

X X
X X

X X

X X
X X X
X

X X

X X X

X X X X

X X X

X X X

X X X X X X
X X X X
X X X X X

X X X X X

X X X X X

X X X X

X X X X

X X X

X X X

X X X

X X
X X X

X X X
X X X X

X X X
X

X X

X X

X X
X X

X X X

X X X

X X X

X X X
X X X

X X X X

X
X

X X

X X

X X

X X

X X
X

X
X X

X
X

X
X

X X

x X

X X X X X X

X X X X X X

X X X X X X
X X X X X X

X X X X X X

X X X X X X X

X X X X X X X

X X X X X X X

X X X X X X X

X X X X X X X

X X

X X

X
Threat group: Compromise of information
Threat | Likelihood | Parameters | Inherent risk
Eavesdropping (including traffic analysis) | 1 | C | 0.33
Remote spying | 1 | CIA | 0.67
Theft of media or documents | 3 | C | 1.00
Theft of equipment | 3 | CA | 2.00
Retrieval of recycled or discarded media | 1 | C | 0.33
Disclosure | 1 | C | 0.33
Data from untrustworthy sources | 1 | I | 0.67

X X X X X X X

X X X X X X X

X X X X X X X

X X X X X X X

X X X X X X X

X X X X X X X

X X X X X

X X X X

X X X X

X X X X X X X

X X X X X X X

X X X X X X

X X X X X X X
X X X X X X X
X X X X X X X

X X X X X X X

X X X X X

X X X X X

X X X X X X
X X X X X

X X X X X X

X X X X
X X X
X X X X X X

X X X X X X
X X X X X

X X X

X X X

X X X

X X X

X X X

X X

X X X

X X
X X

X
X

X
X

X X

X X

X X
X X

X X X

X X X

X X X

X X

X X X

X X X X X

X X X
X X X

X X
X X

X X X

X X

X X
X

X X

X X
X

X
X

X X

X X

X X

X X

X X

X X

X X

X X
X

X
X X

X X

X X

X
X

X X X
X X

X X
X

X X
X X

X X

X X

X
X X

X X

X X

X X X X

X X X X

X X X X
X X X X

X X X X

X X

X X

X X

X X

X X

X
Threat groups: Compromise of information (continued), Technical failures, Unauthorised actions
Threat | Likelihood | Parameters | Inherent risk
Communications infiltration (including rerouting of messages) | 1 | CIA | 0.67
Repudiation | 2 | I | 1.33
Equipment failure or malfunction | 2 | IA | 1.67
Saturation of the information system | 2 | IA | 1.67
Software malfunction | 3 | CIA | 2.00
Hardware or systems maintenance error | 3 | IA | 2.50
Unauthorised use of equipment | 2 | CIA | 1.33

X X X X X X X

X X X X X X X

X X X X X X X

X X X X X

X X X X X X X

X X X X X X X

X X X

X X X X

X X X X X X X

X X X X

X X X

X X X X X X
X X X X X X X
X X X X X X X

X X X X X

X X

X X

X X X X X
X X X X

X X X

X X X X X
X X
X X X X

X X X X
X X X
X X

X X X X

X X X X

X X

X X X

X X
X X

X
X X

X X

X X
X X X X X
X X

X X
X

X X

X X X X

X X X X
X X X

X
X X X X X

X X X X X

X X X X

X X X
X X X X

X X X X X X X

X X
X X

X A

X X

X X
X X

X X

X X

X X X

X X

X X
X X

X X

X X

X X
X

X X

X X
X

X X X X
X

X
X

X X

X X
X X

X X X

X X

X X X X

X X X

X X

X X X X

X X X X

X X X X X X X

X X X X X X X

X X X X X X X
X X X X X X X

X X X X X X X

X X X

X X X

X X X

X X X

X X X

X X X

X X

X X

X X X

X X X X

X X

X
Threat groups: Unauthorised actions (continued), Compromise of functions
Threat | Likelihood | Parameters | Inherent risk
Illegal import/export of software (fraudulent copying of software, use of copied software) | 3 | CIA | 2.00
Business data alteration by malicious user | 3 | CIA | 2.00
Malicious software | 3 | CIA | 2.00
Network access by unauthorized users | 1 | CIA | 0.67
Use of network facilities in an unauthorized way | 1 | CIA | 0.67
Business user errors | 3 | CIA | 2.00
Use of software by unauthorized users | 1 | CIA | 0.67

X X X X X X X

X X X X X X X

X X X X X X X

X X X X X X X

X X X X X X X

X X X X X X X

X X X

X X X X X

X X X X X X X

X X X X X X X

X X X X X X X

X X X X X X X
X X X X X X
X X X X X

X X X X X X

X X

X X

X X X X X
X X X

X X X X X X

X X X X X X X
X X X X X
X X X X X X

X X X
X

X X X

X X

X X

X X
X X
X X

X X

X X X

X X X
X X X X

X X
X

X X X

X X X

X X X
X X X X
X X X X X

X X X X X X X

X
X

X X

X X X X

X X X X

X X X X X

X X X X X

X X
X X

X X X
X X X X X X X

X X X X X X X

X X X X X X

X X X X X X X
X X X X X X

X X X X X X X

X X X X X X
X X X X X X

X X X X X X

X X X X

X X X X X X X
X X X X

X X

X X X X X X X

X X

X X X

X X

X X X X

X X X X

X X
X

X X

X X X X
X X

X X X X X

X X X

X X
X X X X

X X X
X X X

X
X

X
X

X X X X

X X

X X X X X

X X X

X
X X X

X X X X

X X X X X X

X X X X X X X

X X X X X X X

X X X X X X X
X X X X X X X

X X X X X X X

X X X X

X X X X X

X X

X X X

X X X

X X X X

X X
Threat group: Compromise of functions (continued)
Threat | Likelihood | Parameters | Inherent risk
Deterioration of storage media | 2 | IA | 1.67
Use of software in an unauthorized way | 1 | CIA | 0.67
Masquerading of user identity | 1 | CIA | 0.67
(The trailing number on each control row below is a per-row total computed by the sheet.)

X X X 35

X X X 35

X X X 35

X X 28

X X X 34

X X 33

X 6

X X 13

X 16

X X X 32

X X 25

X X 21

X X 28
X X 31
X 29

X 23

X 19
X 15

X 18

X 19
X 14
X 18

X 11
X 7

X 7

X 8

X X 20
X 14
14

X 15

X X 20

X 4
2

X 11

X 13
X 6

X 6
7

4
10

X 7

X 7
X X 18
X 14

X 15

X 4
X 5

X 5

X 10

X 12

X X 7

X 11

X X 18

X X 13
X 11

X X 8
X X 19

X X 20

X X 17

X X 17
X 15

X X X 23

X X 13
X X 12

X X 11

X 8

X X 12
X 8

X 7

X 3

X X 16

X 8

X 10

X 7

X 11

X 10

X 9
X 5

X 6

X 5

X 8
X X 8

X X 7

X X 11

X X 7

X X 8
X X 10

X X 12
X X 8

5
4

X 7
X 7

X X 12

X 3

X 6

X X 15

X X 10

X X 7
X X 7

X X 13

X X 16

X X X 30

X X X 30

X X X 30
X X X 30

X X X 30

X 17

X 17

X 17

X 17

X 17

X X 15

X 3

X 8

X 5

X X 9

X 6

X 10

X X 16

X 6

X 5
"Risk acceptance" sheet

Threat: Unauthorised use of equipment
Inherent risk: 2
Control: A.11.2.2 Privilege management
Strength/Vulnerability level: 1
Reason for acceptance: The number of system administrators is too low to have a proper privilege management policy.

"Risk treatment" sheet

Threat: Software malfunction
Inherent risk: 3
Control: A.10.1.4 Separation of development, test and operational facilities
Strength/Vulnerability level: 2
Treatment
Action: A project to separate the facilities will be started in October. The feasibility study has been done and a draft project plan has been issued.
End date: January
Responsible: Cesare