mesbernard
Viewer

Threat and Vulnerability Scorecard used for Modeling and Risk Management Procedures

Does your threat and vulnerability scorecard procedure look like this?

Work Tasks


1). Identify Threats: This work task documents threat(s) to the Enterprise asset(s) for use in the risk analysis process defined in RA Worksheet including the threat identification, description, and rating. This task includes description of threats, classification of threats, determining threat likelihood, identifying the consequences, impact and exposure and summarizing the threat assessment. Sources for Threats can be identified through the Enterprise Risk Assessment process, Management or Subject Matter Experts who may be made aware through their connections with special interest groups or through active and detective monitoring of events affecting assets and anomaly activity may detect new patterns. Identification of new threats may also occur during investigation stages of incident triage, root-cause-analysis of incidents and problems or fault reporting.

2). Identify Vulnerabilities: This work task documents vulnerabilities identified within the Enterprise asset(s) for use in the risk analysis process defined in RA Worksheet including the threat identification, description, and rating. This task includes a description of the vulnerability, determining vulnerability likelihood and impact based on severity and exposure. Identifying the sources of vulnerabilities can occur during the Enterprise Risk Assessment process or Management discussions, or Subject Matter Experts may become aware through their connections with special interest groups or through active and detective monitoring of events affecting assets. On occasion anomalies might occur, and any new patterns of activity leading up to the event should be investigated. Additional intelligence may be gathered during investigation into these events, incident triage, root-cause analysis of incidents and problems, or fault reporting.

3). Evaluation: This work task lists and evaluates specific criteria used during the assessment of Threats and Vulnerabilities. These criteria are used to calculate an overall rating which helps to prioritize threats and vulnerabilities for corrective or preventive action.

4). Report and Management Decision: This work task identifies the reporting stage, summarizing the analysis and rolled-up values attributed to threats and vulnerabilities that will be used to calculate the overall risk rating. The Enterprise Security Management Oversight Board will receive the assessment and provide leadership by prioritizing resources and follow-up activities.

7. Work Steps for completing Threat table maintenance.

NOTE: Appendix "A" provides an example of the completed threat score card used for modeling and Enterprise Risk Assessments. This completed score card is used to help stabilize and focus the Enterprise Risk Management Methodology. The score card may be updated annually but may only change if applied to a different industry, including critical infrastructure.

Step 1. Create a unique identification that distinguishes the threat from other threats. Try to create a name that associates it with the asset or technology that it impacts.

Step 2. Add a brief description of the threat that will summarize what it is and what it does. Several parent and child groups have already been created in the table and it might be useful for you to reference them.

Step 3. Based on the available ‘threat classifications’ choose the one that is most appropriate. Others might apply but choose the class that is most obvious. The choices are: Disclosure, Interruption, Modification, Destruction, or Removal.

Step 4. Based on the existing categories of ‘Threat Agents’ choose the one that is most appropriate. The choices are Human Malicious, Human Non-Malicious, and Act of God.

Step 5. The quantification of threats requires assessment of three groups of nine unique characteristics that become a factor in determining if the threat is real and could impact the Enterprise.

Step 6. Knowledge: A measure of intelligence publicly available to the threat concerning a potential asset and its vulnerabilities. The assessment values are as follows:

• Scores 3 - The threat agent can easily acquire source code knowledge of the target.
• Scores 2 - The threat agent can easily acquire engineering knowledge of the target.
• Scores 1 - The threat agent can acquire indirect knowledge of the target through former employees.
• Scores 0 - The threat agent cannot acquire knowledge of the target.

Step 7. Skill: A measure of the threat agent’s competency based on the skills necessary to exploit knowledge used to engineer the target. The assessment values are as follows:

• Scores 3 - The threat agent is an expert on the engineering techniques used to construct the target.
• Scores 2 - The threat agent is experienced on a few of the engineering techniques used with the target.
• Scores 1 - The threat agent is an amateur on the engineering techniques used to construct the target.
• Scores 0 - The threat agent does not have the skills necessary to exploit the target.

Step 8. Resources: A measure of the threat agent’s access to resources with the skill and knowledge necessary to exploit vulnerabilities within the target. The assessment values are as follows:

• Scores 3 - The threat agent has on hand resources necessary to exploit vulnerabilities within the target.
• Scores 2 - The threat agent will take 6 months to acquire the resources necessary to exploit the target.
• Scores 1 - The threat agent will take 12 months to acquire the resources necessary to exploit the target.
• Scores 0 - The threat agent cannot acquire the resources necessary to exploit the target.

Step 9. Summarize the total values to obtain a likelihood rating.

Step 10. Capability: A measure of the threat’s ability to execute an attack against the target from a single person and single location, or using multiple resources from multiple locations in a coordinated attack.

• Scores 3 - The threat possesses a team capable of attacking the target from multiple locations.
• Scores 2 - The threat possesses a team capable of attacking the target from a single location.
• Scores 1 - The threat possesses individual capability to attack the target from a single location.
• Scores 0 - The threat agent does not possess the capability to launch an attack against the target.

Step 11. Motive: A measure of the threat’s motivation to execute an attack against the target.

• Scores 3 - The threat is motivated by money to attack the target.
• Scores 2 - The threat is motivated by political beliefs to attack the target.
• Scores 1 - The threat is motivated by personal grudge to attack the target.
• Scores 0 - The threat agent is not motivated to attack the target.

Step 12. Summarize the total values to obtain an exposure rating.

Step 13. Summarize the total values of likelihood and exposure to obtain the overall threat rating.


8. Work Steps for completing Vulnerability table maintenance.

A Vulnerability represents a weakness associated with an asset that could be exploited by a threat resulting in the loss or degradation of confidentiality, integrity or availability. Examples of such losses include the following: Loss of Service, Loss of Reputation, Financial Loss, Legal Implications, Loss of Trust, Loss of Privacy, Loss of Employment, Loss of Life, and Injury to Individuals.

NOTE: Appendix "B" provides an example of the completed vulnerability score card used for modeling and Enterprise Risk Assessments. This completed score card is used to help stabilize and focus the Enterprise Risk Management Methodology. The score card may be updated annually but may only change if applied to a different industry, including critical infrastructure.

Step 1. Confidentiality: A degree of measurement associated with the loss of protection for an asset.

• Scores 3 - Full exploitation of this vulnerability will lead to complete loss of security.
• Scores 2 - Full exploitation of this vulnerability will lead to a partial loss of security.
• Scores 1 - Partial exploitation of this vulnerability will not lead to a loss of security.
• Scores 0 - This vulnerability cannot be exploited.

Step 2. Integrity: A degree of measurement associated with the loss of data and information quality.

• Scores 3 - Full exploitation of this vulnerability will lead to complete losses of data and information.
• Scores 2 - Full exploitation of this vulnerability will lead to partial losses of data and information.
• Scores 1 - Partial exploitation of this vulnerability will not interfere with regular operations.
• Scores 0 - This vulnerability cannot be exploited.

Step 3. Availability: A degree of measurement associated with the loss of access to data and information.

• Scores 3 - Full exploitation of this vulnerability will lead to complete loss of services.
• Scores 2 - Full exploitation of this vulnerability will lead to partial loss of services.
• Scores 1 - Partial exploitation of this vulnerability will not interfere with regular operations.
• Scores 0 - This vulnerability cannot be exploited.

Step 4. Severity: A degree of measurement associated with the loss of access to data and information.

• Scores 3 - Full exploitation of this vulnerability completely stops the Enterprise from operating.
• Scores 2 - Full exploitation of this vulnerability will lead to partial shutdown of the Enterprise.
• Scores 1 - Partial exploitation of this vulnerability will interfere with regular operations.
• Scores 0 - This vulnerability cannot be exploited.

Step 5. Exposure: A degree of measurement associated with the unauthorized disclosure of information.

• Scores 3 - Full exploitation of this vulnerability will damage the Enterprise reputation.
• Scores 2 - Full exploitation of this vulnerability will lead to regulatory fines and investigations.
• Scores 1 - Partial exploitation of this vulnerability will interfere with regular operations.
• Scores 0 - This vulnerability cannot be exploited.

Step 6. Summarize the total values of consequence and impact to obtain the overall threat rating.


9. Report and Management Decision.

Once the analysis has been completed, a report can be generated to present our threat and vulnerability analysis, which will also be used to rank and prioritize management decisions concerning resources and corrective and preventive action plans. The report should include the following information at a minimum.

• Threat and vulnerability rating which has been calculated using the assessment criteria for each respective threat and vulnerability. These criteria will be utilized within the risk assessment process.

• Include the source of new threats and vulnerabilities. Valuable intelligence can be gathered during the monitoring and tracking of sources of new threats and vulnerabilities.

• Prepare recommendations to mitigate the risk of the top 5 threats and vulnerabilities.

10. Related Documents

Related Enterprise Corporate Policies include:

• Information Security Policy
• Acceptable Use Policy
• Access Control Policy
• Change Control Policy
• Cryptography Policy
• Physical Security Policy
• Information Handling and Classification Practice
• Threat and Risk Assessment Practice
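
Added example, not code from mesbernard's post or from any product it refers to: a small Python scorecard that applies Steps 6-13 of the threat table and Steps 1-6 of the vulnerability table, rejects any sheet where a factor is missing or scored outside the 0-3 scale, and ranks the register for the "top 5" report in section 9. The sample threats and vulnerabilities, their identifiers, and the reading of "summarize the total values" as a plain sum of the factor scores are all assumptions made for the example.

```python
"""Threat and vulnerability scorecard calculator (added illustration, not the
post's own tooling). Assumption: "summarize the total values" means a plain
sum of the 0-3 factor scores."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

SCORE_MIN, SCORE_MAX = 0, 3

# Threat factors grouped as Steps 6-13 group them; vulnerability factors as in
# Steps 1-6 of the vulnerability table.
LIKELIHOOD_FACTORS = ("knowledge", "skill", "resources")   # Steps 6-9
EXPOSURE_FACTORS = ("capability", "motive")                 # Steps 10-12
VULN_FACTORS = ("confidentiality", "integrity", "availability", "severity", "exposure")

THREAT_CLASSES = {"Disclosure", "Interruption", "Modification", "Destruction", "Removal"}
THREAT_AGENTS = {"Human Malicious", "Human Non-Malicious", "Act of God"}


def check_scores(scores: Dict[str, int], expected: Sequence[str]) -> None:
    """Fail loudly on a missing/unknown factor or an out-of-scale value, so a
    gap in the sheet can never silently lower a rating."""
    missing, extra = set(expected) - set(scores), set(scores) - set(expected)
    if missing or extra:
        raise ValueError(f"factor mismatch: missing={sorted(missing)} extra={sorted(extra)}")
    for name, value in scores.items():
        if isinstance(value, bool) or not isinstance(value, int) or not SCORE_MIN <= value <= SCORE_MAX:
            raise ValueError(f"{name} must be an integer in {SCORE_MIN}..{SCORE_MAX}, got {value!r}")


@dataclass
class Threat:
    threat_id: str            # Step 1
    description: str          # Step 2
    threat_class: str         # Step 3
    agent: str                # Step 4
    scores: Dict[str, int]    # Steps 6-8 and 10-11

    def __post_init__(self) -> None:
        if self.threat_class not in THREAT_CLASSES:
            raise ValueError(f"unknown threat class {self.threat_class!r}")
        if self.agent not in THREAT_AGENTS:
            raise ValueError(f"unknown threat agent {self.agent!r}")
        check_scores(self.scores, LIKELIHOOD_FACTORS + EXPOSURE_FACTORS)

    def ident(self) -> str:
        return self.threat_id

    def likelihood(self) -> int:   # Step 9, range 0..9
        return sum(self.scores[f] for f in LIKELIHOOD_FACTORS)

    def exposure(self) -> int:     # Step 12, range 0..6
        return sum(self.scores[f] for f in EXPOSURE_FACTORS)

    def rating(self) -> int:       # Step 13, range 0..15
        return self.likelihood() + self.exposure()


@dataclass
class Vulnerability:
    vuln_id: str
    description: str
    scores: Dict[str, int]    # Steps 1-5 of the vulnerability table

    def __post_init__(self) -> None:
        check_scores(self.scores, VULN_FACTORS)

    def ident(self) -> str:
        return self.vuln_id

    def rating(self) -> int:       # Step 6, range 0..15
        return sum(self.scores[f] for f in VULN_FACTORS)


def rank(items, top_n: int = 5) -> List[Tuple[str, int]]:
    """Highest rating first, ties broken by identifier so the report is stable
    between runs; top_n=5 matches the section 9 recommendation."""
    ranked = sorted(((i.ident(), i.rating()) for i in items), key=lambda t: (-t[1], t[0]))
    return ranked[:top_n]


def sample_register() -> Tuple[List[Threat], List[Vulnerability]]:
    """Constructed sample entries (not from the post) to exercise the scorecard."""
    threats = [
        Threat("THR-MAIL-PHISH", "Credential phishing against staff mailboxes", "Disclosure",
               "Human Malicious", {"knowledge": 2, "skill": 2, "resources": 3, "capability": 3, "motive": 3}),
        Threat("THR-DC-FLOOD", "Flooding of the primary data centre", "Interruption",
               "Act of God", {"knowledge": 0, "skill": 0, "resources": 3, "capability": 1, "motive": 0}),
        Threat("THR-ADMIN-ERROR", "Administrator misconfigures production firewall", "Modification",
               "Human Non-Malicious", {"knowledge": 3, "skill": 1, "resources": 3, "capability": 1, "motive": 0}),
    ]
    vulns = [
        Vulnerability("VUL-WEB-UNPATCHED", "Internet-facing web server missing vendor patches",
                      {"confidentiality": 3, "integrity": 2, "availability": 2, "severity": 2, "exposure": 2}),
        Vulnerability("VUL-BACKUP-NOTEST", "Backups are never restore-tested",
                      {"confidentiality": 0, "integrity": 1, "availability": 3, "severity": 2, "exposure": 0}),
    ]
    return threats, vulns


if __name__ == "__main__":
    threats, vulns = sample_register()
    for t in threats:
        print(f"{t.threat_id:18} likelihood={t.likelihood()} exposure={t.exposure()} rating={t.rating()}")
    print("Top threats:", rank(threats))
    print("Top vulnerabilities:", rank(vulns))
```

The validation in `check_scores` is the part worth keeping whatever the scale: a scorecard that tolerates a blank factor or a value of 5 produces ratings that look comparable across entries but are not, and the ranking in the management report then silently misorders the corrective-action queue.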

1 Reply
GongSIk
Viewer

Yes, we use that procedure you mentioned. We adapted it from the NIST documents.


@mesbernard wrote:

Does your threat and vulnerability scorecard procedure look like this?